An Indistinguishability-Based Characterization of Anonymous Channels

We revisit the problem of anonymous communication, in which users wish to send messages to each other without revealing their identities. We propose a novel framework to organize and compare anonymity definitions. In this framework, we present simple and practical definitions for anonymous channels in the context of computational indistinguishability. The notions seem to capture the intuitive properties of several types of anonymous channels (Pfitzmann and Kohntopp 2001) (eg. sender anonymity and unlinkability). We justify these notions by showing they naturally capture practical scenarios where information is unavoidably leaked in the system. Then, we compare the notions and we show they form a natural hierarchy for which we exhibit non-trivial implications. In particular, we show how to implement stronger notions from weaker ones using cryptography and dummy traffic --- in a provably optimal way. With these tools, we revisit the security of previous anonymous channels protocols, in particular constructions based on broadcast networks (Blaze et al. 2003), anonymous broadcast (Chaum 1981), and mix networks (Groth 2003, Nguyen et al. 2004). Our results give generic, optimal constructions to transform known protocols into new ones that achieve the strongest notions of anonymity.

[1]  Silvio Micali,et al.  The round complexity of secure protocols , 1990, STOC '90.

[2]  Michael K. Reiter,et al.  Crowds: anonymity for Web transactions , 1998, TSEC.

[3]  Wolter Pieters,et al.  Provable anonymity , 2005, FMSE '05.

[4]  Avi Wigderson,et al.  Completeness theorems for non-cryptographic fault-tolerant distributed computation , 1988, STOC '88.

[5]  Birgit Pfitzmann,et al.  ISDN-MIXes: Untraceable Communication with Small Bandwidth Overhead , 1991, Kommunikation in Verteilten Systemen.

[6]  Angelos D. Keromytis,et al.  WAR: Wireless Anonymous Routing , 2003, Security Protocols Workshop.

[7]  Masayuki Abe,et al.  Universally Verifiable Mix-net with Verification Work Indendent of the Number of Mix-servers , 1998, EUROCRYPT.

[8]  Markus Jakobsson,et al.  Making Mix Nets Robust for Electronic Voting by Randomized Partial Checking , 2002, USENIX Security Symposium.

[9]  Jens Groth,et al.  A Verifiable Secret Shuffle of Homomorphic Encryptions , 2003, Journal of Cryptology.

[10]  Hugo Krawczyk,et al.  Advances in Cryptology - CRYPTO '98 , 1998 .

[11]  C. Andrew Neff,et al.  A verifiable secret shuffle and its application to e-voting , 2001, CCS '01.

[12]  Jan Camenisch,et al.  A Formal Treatment of Onion Routing , 2005, CRYPTO.

[13]  Ari Juels,et al.  Dining Cryptographers Revisited , 2004, EUROCRYPT.

[14]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[15]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[16]  Robert H. Deng,et al.  Public Key Cryptography – PKC 2004 , 2004, Lecture Notes in Computer Science.

[17]  Atsushi Fujioka,et al.  A Practical Secret Voting Scheme for Large Scale Elections , 1992, AUSCRYPT.

[18]  Adi Shamir,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999, SIAM J. Comput..

[19]  Dieter Gollmann,et al.  Computer Security – ESORICS 2004 , 2004, Lecture Notes in Computer Science.

[20]  Amos Fiat,et al.  Provable Unlinkability against Traffic Analysis , 2004, Financial Cryptography.

[21]  David Chaum,et al.  Multiparty unconditionally secure protocols , 1988, STOC '88.

[22]  Paul F. Syverson,et al.  Group Principals and the Formalization of Anonymity , 1999, World Congress on Formal Methods.

[23]  Joseph Y. Halpern,et al.  Anonymity and information hiding in multiagent systems , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[24]  Dogan Kesdogan,et al.  Stop-and-Go-MIXes Providing Probabilistic Anonymity in an Open System , 1998, Information Hiding.

[25]  Bernhard Plattner,et al.  Practical Anonymity for the Masses with MorphMix , 2004, Financial Cryptography.

[26]  Jun Furukawa,et al.  Efficient, Verifiable Shuffle Decryption and Its Requirement of Unlinkability , 2004, Public Key Cryptography.

[27]  Michael Waidner,et al.  Unconditional Sender and Recipient Untraceability in Spite of Active Attacks , 1990, EUROCRYPT.

[28]  Silvio Micali,et al.  A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks , 1988, SIAM J. Comput..

[29]  Andreas Pfitzmann,et al.  Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology , 2000, Workshop on Design Issues in Anonymity and Unobservability.

[30]  Bart Preneel,et al.  Towards Measuring Anonymity , 2002, Privacy Enhancing Technologies.

[31]  Andrei Serjantov,et al.  On the anonymity of anonymity systems , 2004 .

[32]  Joan Feigenbaum,et al.  A Model of Onion Routing with Provable Anonymity , 2007, Financial Cryptography.

[33]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[34]  Kaisa Nyberg,et al.  Advances in Cryptology — EUROCRYPT'98 , 1998 .

[35]  Nicholas Hopper,et al.  k-anonymous message transmission , 2003, CCS '03.

[36]  Andreas Pfitzmann How to implement ISDNs without user observability---Someremarks , 1987, SGSC.

[37]  Oded Goldreich,et al.  A uniform-complexity treatment of encryption and zero-knowledge , 1993, Journal of Cryptology.

[38]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[39]  Douglas Wikström,et al.  A Universally Composable Mix-Net , 2004, TCC.

[40]  Rafail Ostrovsky,et al.  Cryptography from Anonymity , 2006, 2006 47th Annual IEEE Symposium on Foundations of Computer Science (FOCS'06).

[41]  FeigeUriel,et al.  Multiple NonInteractive Zero Knowledge Proofs Under General Assumptions , 1999 .

[42]  Kazue Sako,et al.  An Efficient Scheme for Proving a Shuffle , 2001, CRYPTO.

[43]  Reihaneh Safavi-Naini,et al.  Verifiable Shuffles: A Formal Model and a Paillier-Based Efficient Construction with Provable Security , 2004, ACNS.

[44]  Frank Stajano,et al.  The Cocaine Auction Protocol: On the Power of Anonymous Broadcast , 1999, Information Hiding.

[45]  Ran Canetti,et al.  Security and Composition of Multiparty Cryptographic Protocols , 2000, Journal of Cryptology.

[46]  Daniel R. Simon,et al.  Cryptographic defense against traffic analysis , 1993, STOC.

[47]  George Danezis,et al.  Towards an Information Theoretic Metric for Anonymity , 2002, Privacy Enhancing Technologies.

[48]  Mihir Bellare,et al.  Relations among Notions of Security for Public-Key Encryption Schemes , 1998, IACR Cryptol. ePrint Arch..

[49]  Silvio Micali,et al.  Proofs that yield nothing but their validity and a methodology of cryptographic protocol design , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[50]  Bert den Boer,et al.  Detection of Disrupters in the DC Protocol , 1990, EUROCRYPT.

[51]  Mihir Bellare,et al.  Key-Privacy in Public-Key Encryption , 2001, ASIACRYPT.

[52]  Aggelos Kiayias,et al.  Traceable Signatures , 2004, EUROCRYPT.

[53]  Silvio Micali,et al.  The Notion of Security for Probabilistic Cryptosystems , 1986, CRYPTO.

[54]  Victor Shoup Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings , 2005, CRYPTO.

[55]  Gene Tsudik,et al.  Mixing E-mail with Babel , 1996, Proceedings of Internet Society Symposium on Network and Distributed Systems Security.

[56]  Rafail Ostrovsky,et al.  Xor-trees for efficient anonymous multicast and reception , 2000, TSEC.

[57]  Vitaly Shmatikov,et al.  Information Hiding, Anonymity and Privacy: a Modular Approach , 2004, J. Comput. Secur..

[58]  Andreas Pfitzmann,et al.  Networks without user observability , 1987, Comput. Secur..

[59]  Jean-Jacques Quisquater,et al.  Advances in Cryptology — EUROCRYPT ’89 , 1991, Lecture Notes in Computer Science.

[60]  Erik P. de Vink,et al.  A Formalization of Anonymity and Onion Routing , 2004, ESORICS.

[61]  Paul F. Syverson,et al.  Hiding Routing Information , 1996, Information Hiding.

[62]  Colin Boyd,et al.  Advances in Cryptology - ASIACRYPT 2001 , 2001 .

[63]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[64]  Yvo Desmedt Public Key Cryptography — PKC 2003 , 2002, Lecture Notes in Computer Science.

[65]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[66]  Shlomi Dolev,et al.  Buses for Anonymous Message Delivery , 2003, Journal of Cryptology.

[67]  George Danezis,et al.  Mixminion: design of a type III anonymous remailer protocol , 2003, 2003 Symposium on Security and Privacy, 2003..

[68]  Silvio Micali,et al.  Probabilistic Encryption , 1984, J. Comput. Syst. Sci..