1. TrustBus 2008
Turin, Italy
5. September 2008
On the Design Dilemma in Dining
Cryptographer Networks
Institute for IT-Security and Security Law
Jens Oberender
Computer Networks & Communications Group
Hermann de Meer
University of Passau
Germany
partly supported by
EuroNGI Design and Engineering of the Next Generation Internet (IST-028022)
EuroNF Anticipating the Network of the Future (IST-216366)

2. Motivation
Connection-level anonymity

 Establish communication privacy
 Hides relationship between initiator and receiver of a message
 Being undistinguishable within the anonymity set
Anonymity evolves in a non-cooperative game

 Strategies := cooperate | defect
 Node strategies -> anonymity set -> anonymity grade
 Nash equilibria indicate best strategy
Does rational behavior have impact on the anonymity?

How can rationality protect reachability?

On the Design Dilemma in DC-nets 2

3. Overview
Does rational behavior have impact on the anonymity?
 1) Modeling rational behavior
 2) Taxonomy of anonymity techniques
 3) Accessible information in Dining Cryptographer (DC) networks
How can rationality protect availability?
 4) Parameterizing games during design
On the Design Dilemma in DC-nets 3

4. Rational acting in Anonymity
Networks
1. What benefit is received ? 2. What cost is involved in
 
participation?
 Sender anonymity
 Effective Throughput
 Anonymity set
enhances  Increase of message delay
grade of anonymity  Increase of traffic
on purpose to
counter traffic
Challenges for design of anonymity systems analysis
Impact of strategic behavior on anonymity

Novel attacks targeting economy of anonymity

On the Design Dilemma in DC-nets 4

5. Requirements of strategic behavior in
anonymity networks
Enable senders to determine anonymity

 1) Rely on trustworthy entities
No abuse of collected system-wide entropy

Trust into computing anonymity grade

2) Neighborhood–based approaches (first-hand experience)

Limited credibility – eclipse attack

Anonymity grade in near future

 1) Based on prediction
 2) Policy enforced
On the Design Dilemma in DC-nets 5

6. Determine anonymity grade
Strategic users consider anonymity of a message in advance

Decentralization: limited system view

Predicted Depdendable
Without
Perceived anonymity Assured anonymity
Pre-
• broadcast responses in a DC-net • queue state in a mixer node
requisites
Relies Reported anonymity Policy-enforced anonymity
• reported number of participants • mixer policy in high-latency
on
Trust e.g. AN.ON mixers, no forwarding,
before anonymity guaranteed
On the Design Dilemma in DC-nets 6

7. Dining Cryptographer (DC) networks
Round-based

Sender broadcasts

message or empty packet
Disruption: message collisions

require retransmission
Security objective: reachability

Coding schemes

Cost in bandwidth, computation effort

Robustness against collisions

Countermeasure to disrupters

On the Design Dilemma in DC-nets 7

8. Apply game theory to Dining Efficient / Robust design
Designer
Cryptographer (DC) networks User Participate / Leave
Adversary Conforming / Disrupt
Design dilemma: efficient or robust

Non-cooperative game Sequential game
 Complete Information  Incomplete information
Payoff functions public Adversaries strategy unknown
 
Imperfect information Perfect information
 
Concurrency Time order
 
Random disruptions

 Disrupter identification removes attacker from network
Disrupt without being identified as disrupter

 Rational behavior, possible to formulate as utility function
On the Design Dilemma in DC-nets 8

9. Resolving dilemma games
Iterated Prisoner’s Dilemma (IPD) -> Mixed strategy solution

Nash Equilibria in iterated games

1
Probability distributions

0.8
Disrupt probability
Non-cooperative
 Different strategies
0.6
p>80% disrupting

0.4
in non-cooperative game
0.2
Ability to identify disrupters (>18%)
 Sequential
0
prevents misbehavior in sequential game
0 0.2 0.4 0.6 0.8 1
Ability to identify disrupter
User’s preference for anonymity
On the Design Dilemma in DC-nets 9

10. Conclusions
Modeling of strategic behavior

 Grade of anonymity relies on behavior of all participants
 For design of anonymity systems
 Risk-prevention of malicious participants
Dilemma games

 Influence rational players through system parameters
 Incomplete knowledge restrict the designer’s payoff,
but parameters hinder malicious collisions
 User perspective on future anonymity:
more research ongoing
On the Design Dilemma in DC-nets 10

11. DC Coding Schemes
Bitwise XOR [Chaum88]

 Not robust against collisions
 Low computation overhead
Bilinear Maps [Golle04]

 Robust against collisions
 Medium computation overhead
Identification of Disrupters [Bos89]

 Robust against collisions
 High computation overhead
 Identifies a disrupter
On the Design Dilemma in DC-nets 11

12. Dining Cryptographers network
Figure out, whether the meal has been paid

by either one at the table

Protocol provides sender anonymity


13. Communication Anonymity
Anonymity := do not disclose communication relationship

between sender and recipient
Technically: being indistinguishable within the anonymity set,

i.e. all current communication participants
Level of anonymity scales with size of anonymity set

If a user leaves system  degrades anonymity

Especially in small systems
DC net

Coding superimposes messages

Simultaneous slot occupation

 communication is disrupted
Effort to receive/decode broadcasts

On the Design Dilemma in DC-nets 13

14. Game Theory and Dilemmas
Models strategic behavior, e.g. in cooperative systems

Game defines players, strategy sets, and utility

 Outcome defined by strategies of all users
 Pay off: effective utility depending on the outcome of the game
Strategic behavior

 Rationally acting, i.e. maximize payoff
 Predict strategy of other players (Non-cooperative game)
 Minimize own losses (Sequential game, incomplete knowledge)
Dilemma: strategic behavior

does not increase payoff for any of the players
On the Design Dilemma in DC-nets 14

15. Stake holders of a DC-net
Send M1
Dining Cryptographers network

Broadcast
Send M2 Send M3
Communicating subjects (=users)

 Anonymous communication with reasonable cost
Adversary

 Disrupt anonymous communications (increase user costs),
but remain unidentified
DC-net designer

 Facilitate high level of anonymity
 Decreasing participation  degrades anonymity (for small sizes)
On the Design Dilemma in DC-nets 15

16. 1) Robust design
against malicious attacks
Design parameters

α 0 none – collision robustness
1 full
Designer Strategy s 1
1
β 0 no –disrupter identification
0.8
1 possible
0.6 Sequential
User (single instance)

0.4 Non-Coop.
γ 0 low – anonymity preference =0
0.2
1 high >0
0
0 0.2 0.4 0.6 0.8 1
Compute Nash equilibria , i.e. best strategy for specified parameters

 Probability for efficient (0) or robust (1) algorithm
On the Design Dilemma in DC-nets 16

17. References
Pfitzmann, A., Hansen, M.: Anonymity, unlinkability, undetectability,

unobservability, pseudonymity, and identity management - a consolidated
proposal for terminology. (2008) Draft
Dingledine, R., Mathewson, N.: Anonymity loves company: Usability and

the network effect. In: Workshop on the Economics of Information
Security. (2006)
Acquisti, A., Dingledine, R., Syverson, P.: On the economics of anonymity.

In Financial Cryptography. Number 2742 in LNCS, Springer (2003)
Golle, P., Juels, A.: Dining cryptographers revisited. In: EUROCRYPT.

Volume 3027 of LNCS, Springer (2004) 456-473
Bos, J.N., den Boer, B.: Detection of Disrupters in the DC Protocol. In:

Workshop on the theory and application of cryptographic techniques on
Advances in cryptology. (1989) 320-327
On the Design Dilemma in DC-nets 17