On the Design Dilemma in Dining Cryptographer Networks

TrustBus 2008
Turin, Italy
5. September 2008

On the Design Dilemma in Dining
Cryptographer Networks
Institute for IT-Security and Security Law
Jens Oberender
Computer Networks & Communications Group
Hermann de Meer
University of Passau
Germany

partly supported by
EuroNGI Design and Engineering of the Next Generation Internet (IST-028022)
EuroNF Anticipating the Network of the Future (IST-216366)

Motivation

Connection-level anonymity


 Establish communication privacy

 Hides relationship between initiator and receiver of a message

 Being undistinguishable within the anonymity set

Anonymity evolves in a non-cooperative game


 Strategies := cooperate | defect

 Node strategies -> anonymity set -> anonymity grade

 Nash equilibria indicate best strategy

Does rational behavior have impact on the anonymity?


How can rationality protect reachability?


On the Design Dilemma in DC-nets 2

Overview

Does rational behavior have impact on the anonymity?
 1) Modeling rational behavior

 2) Taxonomy of anonymity techniques

 3) Accessible information in Dining Cryptographer (DC) networks

How can rationality protect availability?
 4) Parameterizing games during design


Rational acting in Anonymity
Networks

1. What benefit is received ? 2. What cost is involved in
 

participation?
 Sender anonymity

 Effective Throughput
 Anonymity set

enhances  Increase of message delay

grade of anonymity  Increase of traffic

on purpose to
counter traffic
Challenges for design of anonymity systems analysis
Impact of strategic behavior on anonymity


Novel attacks targeting economy of anonymity



Requirements of strategic behavior in
anonymity networks

Enable senders to determine anonymity


 1) Rely on trustworthy entities

No abuse of collected system-wide entropy


Trust into computing anonymity grade


2) Neighborhood–based approaches (first-hand experience)


Limited credibility – eclipse attack


Anonymity grade in near future


 1) Based on prediction

 2) Policy enforced


Determine anonymity grade

Strategic users consider anonymity of a message in advance


Decentralization: limited system view


Predicted Depdendable
Without
Perceived anonymity Assured anonymity
Pre-
• broadcast responses in a DC-net • queue state in a mixer node
requisites

Relies Reported anonymity Policy-enforced anonymity
• reported number of participants • mixer policy in high-latency
on
Trust e.g. AN.ON mixers, no forwarding,
before anonymity guaranteed


Dining Cryptographer (DC) networks

Round-based


Sender broadcasts


message or empty packet
Disruption: message collisions


require retransmission
Security objective: reachability


Coding schemes


Cost in bandwidth, computation effort


Robustness against collisions


Countermeasure to disrupters



Apply game theory to Dining Efficient / Robust design
Designer

Cryptographer (DC) networks User Participate / Leave

Adversary Conforming / Disrupt
Design dilemma: efficient or robust


Non-cooperative game Sequential game
 Complete Information  Incomplete information

Payoff functions public Adversaries strategy unknown
 

Imperfect information Perfect information
 

Concurrency Time order
 

Random disruptions


 Disrupter identification removes attacker from network

Disrupt without being identified as disrupter


 Rational behavior, possible to formulate as utility function


Resolving dilemma games

Iterated Prisoner’s Dilemma (IPD) -> Mixed strategy solution


Nash Equilibria in iterated games

1
Probability distributions

0.8

Disrupt probability
Non-cooperative
 Different strategies
0.6
p>80% disrupting

0.4
in non-cooperative game
0.2
Ability to identify disrupters (>18%)
 Sequential
0
prevents misbehavior in sequential game
0 0.2 0.4 0.6 0.8 1
Ability to identify disrupter
User’s preference for anonymity


Conclusions

Modeling of strategic behavior


 Grade of anonymity relies on behavior of all participants

 For design of anonymity systems

 Risk-prevention of malicious participants

Dilemma games


 Influence rational players through system parameters

 Incomplete knowledge restrict the designer’s payoff,

but parameters hinder malicious collisions
 User perspective on future anonymity:

more research ongoing


DC Coding Schemes

Bitwise XOR [Chaum88]


 Not robust against collisions

 Low computation overhead

Bilinear Maps [Golle04]


 Robust against collisions

 Medium computation overhead

Identification of Disrupters [Bos89]


 Robust against collisions

 High computation overhead

 Identifies a disrupter


Dining Cryptographers network

Figure out, whether the meal has been paid


by either one at the table



Protocol provides sender anonymity


Communication Anonymity

Anonymity := do not disclose communication relationship


between sender and recipient
Technically: being indistinguishable within the anonymity set,


i.e. all current communication participants
Level of anonymity scales with size of anonymity set


If a user leaves system  degrades anonymity


Especially in small systems
DC net


Coding superimposes messages


Simultaneous slot occupation


 communication is disrupted
Effort to receive/decode broadcasts



Game Theory and Dilemmas

Models strategic behavior, e.g. in cooperative systems


Game defines players, strategy sets, and utility


 Outcome defined by strategies of all users

 Pay off: effective utility depending on the outcome of the game

Strategic behavior


 Rationally acting, i.e. maximize payoff

 Predict strategy of other players (Non-cooperative game)

 Minimize own losses (Sequential game, incomplete knowledge)

Dilemma: strategic behavior


does not increase payoff for any of the players


Stake holders of a DC-net
Send M1
Dining Cryptographers network


Broadcast

Send M2 Send M3
Communicating subjects (=users)


 Anonymous communication with reasonable cost

Adversary


 Disrupt anonymous communications (increase user costs),

but remain unidentified
DC-net designer


 Facilitate high level of anonymity

 Decreasing participation  degrades anonymity (for small sizes)


1) Robust design
against malicious attacks

Design parameters


α 0 none – collision robustness

1 full

Designer Strategy s 1
1
β 0 no –disrupter identification
0.8
1 possible
0.6 Sequential
User (single instance)

0.4 Non-Coop.
γ 0 low – anonymity preference =0
0.2
1 high >0
0
0 0.2 0.4 0.6 0.8 1

Compute Nash equilibria , i.e. best strategy for specified parameters


 Probability for efficient (0) or robust (1) algorithm


References

Pfitzmann, A., Hansen, M.: Anonymity, unlinkability, undetectability,


unobservability, pseudonymity, and identity management - a consolidated
proposal for terminology. (2008) Draft
Dingledine, R., Mathewson, N.: Anonymity loves company: Usability and


the network effect. In: Workshop on the Economics of Information
Security. (2006)
Acquisti, A., Dingledine, R., Syverson, P.: On the economics of anonymity.


In Financial Cryptography. Number 2742 in LNCS, Springer (2003)
Golle, P., Juels, A.: Dining cryptographers revisited. In: EUROCRYPT.


Volume 3027 of LNCS, Springer (2004) 456-473
Bos, J.N., den Boer, B.: Detection of Disrupters in the DC Protocol. In:


Workshop on the theory and application of cryptographic techniques on
Advances in cryptology. (1989) 320-327


On the Design Dilemma in Dining Cryptographer Networks

Recommended

Recommended

More Related Content

Similar to On the Design Dilemma in Dining Cryptographer Networks

Similar to On the Design Dilemma in Dining Cryptographer Networks (20)

More from Jens Oberender

More from Jens Oberender (17)

Recently uploaded

Recently uploaded (20)

On the Design Dilemma in Dining Cryptographer Networks