kAnonymous Message Transmission

About This Presentation

Title:

kAnonymous Message Transmission

Description:

Definition: 'having no known name or identity or known source' Better: ... Bob can send a love letter to Alice, and Alice can't figure out who sent it... – PowerPoint PPT presentation

Number of Views:59

Avg rating:3.0/5.0

Slides: 35

Provided by: andrew90

Category:

more less

Transcript and Presenter's Notes

Title: kAnonymous Message Transmission

1
k-Anonymous Message Transmission

Andrew Bortz
Carnegie Mellon University
abortz_at_andrew.cmu.edu
Luis von Ahn Nicholas J. Hopper

2
Introduction

Anonymous
Definition having no known name or identity or
known source
Better hidden within a group
Anonymous Communication

3
Prototypical Example
From Unknown I love you, Alice
Bob
Alice

Bob can send a love letter to Alice, and Alice
cant figure out who sent it even if Alice is
the network administrator, and can see all the
traffic on the network!

4
Anonymous Communication

Two properties
Sender anonymity hiding the actual sender of a
message
Receiver anonymity hiding the intended recipient
of a message
We will focus primarily on sender anonymity

5
Underlying Communication

Reliable
More specifically, the network is not
adversarially unreliable
Point-to-Point
Messages can only be sent to individuals.
PKI
Message encryption and authenticity.
Traceable

6
Adversary Power

Who are we hiding from?
Adversaries vary in

Eavesdropping
None
Global
Private Knowledge
None
Everyone
(A Fraction)
Malicious Interference
None
Everyone
Computational Power
Practical
Unbounded
Our adversary is in red.
(Polynomial)
7
Adversary Goals

Knowledge
Find out anything about who is communicating with
whom
Interference
Stop anyone from communicating using the protocol
As a last resort, try to slow the protocol down

8
Previous Solutions

Mix-Nets (Chaum 81) and others
Send messages through chains of nodes
DC-Nets (Chaum 88, Waidner 89)
Massive secure multiparty computation
Problems
Either operate against less powerful adversaries
than we would like,
Or have inadequate anonymity, robustness or
efficiency

9
k-Anonymity

k-anonymity is quantified anonymity
Not always hidden with respect to the entire
network of users,
But always hidden in a group of at least k honest
users
k is a parameter for anonymity

10
Advantages of Flexibility

If we set k n, then we get full anonymity
If we set k o(n), then we might get faster and
better solutions
If we set k to a constant, we can get great
solutions, which are still quite useful!
For example, in the absence of other evidence,
3-anonymity is sufficient to invalidate a civil
charge in a U.S. court.

11
k-AMT

A protocol for k-anonymous communication in a
strong adversarial model that is correct, robust,
and efficient.
Remember The adversary controls a constant
fraction of the participants, can act
arbitrarily, and is a global eavesdropper!

12
Secure Multiparty Sum

This is a basic building block of our protocol
(as with DC-Nets)
Each user has a private input Xi.
At the end, each user learns X X1 X2
Xn, but learns nothing of any other users input
Xj beyond what he can infer from X.
This can be accomplished directly with secret
sharing and commitment

13
Example
3
Alice
ArithmeticMod 10
XA 7
5
X XA XB XC 6
To split a secret, choose random shares that add
up to the secret
8
4
6
6
2
4
2
1
Carol
Bob
5
3
9
XC 6
XB 3
Split XB 3 4 6 3
14
Our Anonymous Channel

We can use secure multiparty sum as an anonymous
broadcast channel
Your private input is the message you want to
send, or zero if you dont want to send a message
At the end, everyone knows the sum, but no one
knows who sent what
If only one person tried to send, then the sum is
that message

15
Problem Collisions

What if two users wanted to send a message?
Collision! Have to try again
What if an adversary always sends a random
message?
The protocol fails (not robust)
We need a way to manage this shared channel
DC-Nets use a complicated reservation protocol

16
Our Solution

We will have many parallel secure multiparty sums
To send a message, a sender chooses a parallel
sum at random and sets his private input for that
sum to the message, and all others to zero
At the end of a round, everyone knows each sum
We will ensure that each user only transmits in
one

17
Keeping Users Honest

We will have twice the number of sums as users
If more than half of the sums are zero, then
everything went well
Even if there were collisions, they were
accidental, and with low probability
If not, then someone cheated!
Execute a zero-knowledge sub-protocol for each
user to prove they only transmitted in one sum

18
Zero-Knowledge Protocol

Follows standard cut-and-choose
At the beginning of each sum, every participant
was required to commit to their shares
A prover in this ZK proof randomly permutes these
commitments
The verifier then asks the prover to either show
that they were correctly permuted, or that all
but one of the commitments was to zero

19
High Level System

The users are broken down into groups of size M,
where M O(k)
Each group has k honest users w.h.p.

20
Group Protocol

Execute parallel secure multiparty sums
If only one user in a group chose a particular
sum to transmit in, then that sum is a message
The group sends that message to every member of
the destination group

21
Anonymity

Each secure multiparty sum serves as a shared
anonymous channel
Therefore, the sender cannot be isolated further
than to his group, which has k honest users
Since every member of the destination group
receives the message, the receiver is also hidden
within his group, also with k honest users

22
Efficiency

Asymptotically, the complexity is independent of
the size of the network (only on k)
Perfect scalability!
In terms of the parameter k
Constant rounds!
O(k2) protocol messages per anonymous message
O(k3) protocol bits per anonymous bit sent

23
Robustness
(Almost)

Guarantee each sender has at least a 50 chance
over his own choices to succeed in sending a
message
If less than half of the parallel sums were used,
then the chance of a collision was
If more were used, then someone didnt follow the
protocol, and the zero-knowledge sub-protocol
will expose them

24
Non-Participation

What if an adversary doesnt send required
messages, or pretends he didnt get them?
Typically the hardest problem to solve!
Two different solutions to this produce two
complete k-AMT protocols
1) Intelligently retransmit protocol messages
2) Dynamically change the protocol to use
multi-round broadcasts
Both have very minor impacts to robustness and
efficiency

25
Open Questions

What is the actual performance of k-AMT?
Requires actual implementation, instrumentation
and testing
Can we do better?
Can k-AMT be further optimized?
Are the additional restrictions on anonymity that
can get similar speedups?

26
Thats it! Any questions?
27
About Me

Name Andrew Bortz
Favorite Color Blue
Hobbies Reading Sci-Fi, Biking, Squash

Im applying to graduate schools this semester to
start my PhD. Please take me!
28

29
Forming Groups

Group size is chosen so that the probability of
less than k honest members is low
Assumes known bound on the size of the adversary
Groups are formed pseudo-randomly by hashing
identities and the use of a secure group
membership protocol

30
Choice of Adversary

Any stronger is likely impossible!
We cant give the adversary more than a fraction,
then hed have everything
If we give an eavesdropper control over the
underlying network, then robustness is impossible
Well what about?
Adaptively corrupting users
Bounded interference in the underlying network,
but we need a model that is realistic!

31
Efficiency (2)

Group transmission strategies
Every member of the sending group broadcasts to
the receiving group
Inefficient, but perfectly robust
Every member of the sending group sends to some
of the receiving group
More efficient
Can make probability of failure arbitrarily low
Every member sends to a single member of the
receiving group, and gets an acknowledgement

32
Efficiency (3)