Anonymity Analysis of Onion Routing in the Universally Composable Framework
Joan Feigenbaum
Aaron Johnson
Paul Syverson
Yale University
U.S. Naval Research Laboratory
Provable Privacy Workshop
July 9, 2012
Problem
● [FJS07a]
  - Onion-routing I/O-automata model
  - Possibilistic anonymity analysis
● [FJS07b]
  - Onion-routing abstract model
  - Probabilistic anonymity analysis
● […]
  - How do we apply results in standard cryptographic models?
● [CL05]
  - “Onion routing” formalized with Universal Composability (UC)
  - No anonymity analysis
● [BGKM12]
  - Onion routing formalized with UC
  - Our work will provide anonymity
Solution
● Formalize abstract (black-box) model of onion routing in UC framework
● Focus on information leaked
● Anonymity analysis on earlier abstract model is inherited by UC version
I/O-automata model
[Figure: user u running a client, onion-routing relays 1-5, Internet destination d. Legend: relays controlled by the adversary; encrypted onion-routing hop; unencrypted onion-routing hop.]
Main theorem: Adversary can only determine parts of a circuit it controls or is next to.
[Figure: users u, v, w; relays 1-5; destinations d, e, f]
1. First router compromised
2. Last router compromised
3. First and last compromised
4. Neither first nor last compromised
Black-box Abstraction
[Figure: users u, v, w and destinations d, e, f]
1. Users choose a destination
2. Some inputs are observed
3. Some outputs are observed
Black-box Anonymity
• The adversary can link observed inputs and outputs of the same user.
• Any configuration consistent with these observations is indistinguishable to the adversary.
Probabilistic Black-box
[Figure: users u, v, w and destinations d, e, f; user u is labelled with $p^u$]
• Each user v selects a destination from distribution $p^v$
• Inputs and outputs are observed independently with probability $b$
Problem
● [FJS07a]
  - Onion-routing I/O-automata model
  - Possibilistic anonymity analysis
● [FJS07b]
  - Onion-routing abstract model
  - Probabilistic anonymity analysis
● [FJS12]
  - Onion-routing UC formalization
  - “Free” probabilistic anonymity analysis
● [CL05]
  - “Onion routing” formalized with Universal Composability (UC)
  - No anonymity analysis
● [BGKM12]
  - Onion routing formalized with UC
  - Our work will provide anonymity
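Onion-Routing UC Ideal Functionality $F_{OR}$
Upon receiving destination d from user u, set
$$x = \begin{cases} u & \text{with probability } b \\ \emptyset & \text{with probability } 1-b \end{cases} \qquad y = \begin{cases} d & \text{with probability } b \\ \emptyset & \text{with probability } 1-b \end{cases}$$
Send (x,y) to the adversary.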
Black-box Model
● Ideal functionality $F_{OR}$
● Environment assumptions
  – Each user gets a destination
  – Destination for user u chosen from distribution $p^u$
● Adversary compromises a fraction $b$ of routers before execution
UC Formalization
● Captures necessary properties of any cryptographic implementation
● Easy to analyze resulting information leaks
● Functionality is a composable primitive
● Anonymity results are valid in probabilistic version of I/O-automata model
Anonymity Analysis of Black Box
● Can lower bound expected anonymity with standard approximation: $b^2 + (1-b^2)\,p^u_d$
● Worst case for anonymity is when user acts exactly unlike or exactly like others
● Worst-case anonymity is typically as if $\sqrt{b}$ routers compromised: $b + (1-b)\,p^u_d$
● Anonymity in typical situations approaches lower bound
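An added example, not from the talk or the cited papers: it enumerates the black-box model behind the ideal functionality and this analysis for a small constructed population, computes the exact expected posterior the adversary assigns to user u's true destination d, and compares it with the lower bound $b^2 + (1-b^2)p^u_d$. The function names, user names and distributions are assumptions for illustration, as is modelling the adversary's view as the unordered set of (x, y) pairs.

```python
from collections import defaultdict
from itertools import product

def expected_posterior(dists, u, d, b):
    """Exact E[ Pr(u->d | view) | u->d ] by enumerating every configuration.

    dists: {user: {destination: probability}}, the p^v of each user v
    b:     probability that an input (and, independently, an output) is seen
    """
    users = sorted(dists)
    dests = sorted({t for p in dists.values() for t in p})
    seen = defaultdict(float)      # view -> Pr(view)
    seen_hit = defaultdict(float)  # view -> Pr(view and u chose d)
    choices = list(product(dests, (True, False), (True, False)))
    for config in product(choices, repeat=len(users)):
        prob, view, hit = 1.0, [], False
        for v, (dest, in_obs, out_obs) in zip(users, config):
            prob *= dists[v].get(dest, 0.0)
            prob *= (b if in_obs else 1 - b) * (b if out_obs else 1 - b)
            # Leaked pair (x, y); "" stands for the empty symbol
            view.append((v if in_obs else "", dest if out_obs else ""))
            hit = hit or (v == u and dest == d)
        if prob > 0.0:
            # Assumption: the pairs reach the adversary with no usable order
            key = tuple(sorted(view))
            seen[key] += prob
            if hit:
                seen_hit[key] += prob
    p_ud = dists[u][d]
    # Sum over views of Pr(view | u->d) * Pr(u->d | view)
    return sum((h / p_ud) * (h / seen[k]) for k, h in seen_hit.items())

def lower_bound(p_ud, b):
    """The slide's approximation: b^2 + (1 - b^2) * p^u_d."""
    return b**2 + (1 - b**2) * p_ud

# Constructed population: w never visits d, v sometimes does.
SAMPLE = {"u": {"d": 0.2, "e": 0.8},
          "v": {"d": 0.5, "e": 0.5},
          "w": {"e": 1.0}}

if __name__ == "__main__":
    b = 0.25
    print("exact:", expected_posterior(SAMPLE, "u", "d", b))
    print("bound:", lower_bound(SAMPLE["u"]["d"], b))
    lone = {"u": {"d": 0.3, "e": 0.7}}
    print("lone user:", expected_posterior(lone, "u", "d", 0.2))
```

With a single user, every observed output must be that user's, and the exact value equals $b + (1-b)p^u_d$, the worst-case expression above.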
Future Extensions
● Compromised links
● Non-uniform path selection
● Heterogeneous path selection
● Anonymity over time
[BGKM12] Ideal Functionality
● Functionality can actually send messages
● Needs wrapper to hide irrelevant circuit-building options
● Shown to UC-emulate $F_{OR}$
References
[BGKM12] Provably Secure and Practical Onion Routing, by Michael Backes, Ian Goldberg, Aniket Kate, and Esfandiar Mohammadi, in CSF12.
[CL05] A Formal Treatment of Onion Routing, by Jan Camenisch and Anna Lysyanskaya, in CRYPTO 05.
[FJS07a] A Model of Onion Routing with Provable Anonymity, by Joan Feigenbaum, Aaron Johnson, and Paul Syverson, in FC07.
[FJS07b] Probabilistic Analysis of Onion Routing in a Black-box Model, id., in WPES07.
[FJS12] A Probabilistic Analysis of Onion Routing in a Black-box Model, id., in TISSEC (forthcoming).