
On the Trade-Off between Relationship Anonymity and Communication Overhead in Anonymity Networks

05 Jun 2011, pp. 1-6

TL;DR: The results show that, contrary to expectations, increased overhead does not always improve anonymity and the proposed anonymity network, Minstrels, achieves close to optimal anonymity under certain conditions.
Abstract: Motivated by applications in industrial communication networks, in this paper we consider the trade-off between relationship anonymity and communication overhead in anonymity networks. We consider two anonymity networks; Crowds that provides unbounded communication delay and Minstrels, proposed in this paper, that provides bounded communication delay. While Crowds hides the sender's identity only, Minstrels aims to hide the receiver's identity as well. However, to achieve bounded message delay it has to expose the sender's identity to a greater extent than Crowds. We derive exact and approximate analytical expressions for the relationship anonymity for these systems. While Minstrels achieves close to optimal anonymity under certain conditions, our results show that, contrary to expectations, increased overhead does not always improve anonymity.

Summary (2 min read)

Introduction

  • Many communication systems, for example modern industrial networks [1], [2], require high availability between a fixed set of nodes on a pairwise basis.
  • Due to the often long life-cycles of industrial systems software corruption is a threat, and the complexity of the code-base makes corruption hard to detect.
  • Corrupted nodes that are part of the mix network can perform inside attacks to determine the sender-receiver pair for messages that are relayed through them.
  • Anonymity networks can provide some level of relationship anonymity against inside attackers (e.g., [5], [6]) by hiding the sender or the receiver from the relay nodes.
  • Minstrels has bounded message delivery delay.

II. SYSTEM MODEL AND METRICS

  • The nodes act as sources, destinations and as relay nodes for each others’ messages.
  • The underlying communication network is a complete graph.
  • The inside attacker is in control of C nodes, and can observe the messages traversing those nodes and the protocol specific information contained in the messages.
  • Its goal is to identify the source and the destination of the messages that it observes.
  • The authors quantify the relationship anonymity by the probability Prel(s,r) that the attacker assigns to a sender-receiver pair (s,r) for a message.

III. MINSTRELS SYSTEM DESCRIPTION

  • Minstrels, described below, uses nodes as message relays in the same way as Crowds [6] with the difference that the number of nodes visited by a message is bounded.
  • The message, or part of it, is encrypted with the receiver’s public key.
  • To control the maximum path length (i.e., delay) the sender can initialize the list of visited nodes with a number M ∈ {0, ...,N−1} of the nodes in the system.
  • These initialized nodes are considered as visited so that the message can not be relayed to them.
  • Fig. 1 shows another case when the list is initialized with the sender and node C, and the message is forwarded to node B. Node B adds itself to the list and decides to which of the remaining nodes (D,E) to forward the message.

IV. OVERHEAD AND ANONYMITY

  • In the following the authors derive expressions for the communication overhead and the anonymity provided against inside attackers for Crowds and for Minstrels.

A. Communication Overhead

  • The authors start with calculating the communication overhead of Crowds and Minstrels.
  • The mean number of hops depends on the distribution $P(M)$ and can be expressed as $E[K] = \sum_{M=0}^{N-1} P(M)(N-M)$ (3).

B. Relationship Anonymity Against Inside Attackers

  • The authors consider attackers without any a priori knowledge of the system traffic matrix.
  • For a given attacker on the path, P(I|H1+) is the probability that the attacker’s predecessor is the sender.
  • Let us now turn to the calculation of the probabilities that the attacker correctly identifies the sender-receiver pair (s,r) used in (7).
  • The corresponding probability $P(\Omega_r,\Omega_s,\|\mathcal{L}\|=0,M_C=0,H_{1+}\mid S(a),R(b))$ is given in Table V.
  • The attacker can receive a message with only one node in the list of visited nodes (||L ||= 1), in which case the node in the list is the predecessor.

V. NUMERICAL RESULTS

  • In the following the authors use the analytical models described above to get insight into the overhead-anonymity trade-off.
  • Hence, for C = 3 the probability that the attacker can assign to the sender decreases faster than the probability P(H1+) of having an attacker on the path increases.
  • Figs. 2, 3, 4, and 5 also show the lower bounds for the probabilities Prel(s,r) for Crowds and for Minstrels.
  • Fig. 5 (relationship anonymity vs. overhead for N = 50, C = 5; curves: Crowds, Crowds lower bound, Minstrels, Minstrels lower bound, UA-NPK asymptote): the lower bounds converge to an asymptote, which corresponds to the case when there is always an attacker on the path ($P(H_{1+}) = 1$), and the attacker assigns $P_{rel}(s,r) = \frac{1}{(N-C)(N-C-1)}$ to every possible sender-receiver pair.
  • In general, the best possible relationship anonymity might not be provided by the highest allowable overhead.

VI. CONCLUSIONS AND FUTURE WORK

  • In this paper the authors made a first attempt to analyze the tradeoff between relationship anonymity and communication overhead in anonymity networks.
  • The authors considered two anonymity networks, Crowds proposed in [6] and Minstrels proposed in this work.
  • The authors expressed the relationship anonymity for these networks, and provided simple lower bounds on the probability assigned to a sender-receiver pair.
  • While intuition says that increased overhead should lead to improved relationship anonymity, their results show this is not the case in general.
  • Instead, anonymity is often easiest to provide at medium levels of overhead, when attackers are still unlikely to be on the path, but the sender-receiver identity is already reasonably well protected.


(c) 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media,
including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or
lists, or reuse of any copyrighted component of this work in other works. The definitive version of this paper is published in Proc. of IEEE ICC, Jun 2011.
On the Trade-off between Relationship Anonymity and Communication Overhead in Anonymity Networks

Ognjen Vuković
School of Electrical Engineering, KTH, Royal Institute of Technology, Stockholm, Sweden
Email: vukovic@ee.kth.se

György Dán
School of Electrical Engineering, KTH, Royal Institute of Technology, Stockholm, Sweden
Email: gyuri@ee.kth.se

Gunnar Karlsson
School of Electrical Engineering, KTH, Royal Institute of Technology, Stockholm, Sweden
Email: gk@kth.se
Abstract—Motivated by protection and privacy in industrial communication networks, in this paper we consider the trade-off between relationship anonymity and communication overhead. We consider two anonymity networks: Crowds, which has unbounded communication delay and Minstrels, proposed in this paper, which provides bounded communication delay. While Crowds hides the sender's identity only, Minstrels aims at hiding the receiver's identity as well. However, to achieve bounded communication delay it has to expose the sender's identity to a greater extent than Crowds. We derive exact and approximate analytical expressions for the relationship anonymity for these systems. While Minstrels achieves close to optimal anonymity under certain conditions, our results show that, contrary to expectations, increased overhead does not always improve anonymity.
I. INTRODUCTION

Many communication systems, for example modern industrial networks [1], [2], require high availability between a fixed set of nodes on a pairwise basis. The nodes can be the subsidiaries of an enterprise connected by a virtual private network over the public Internet, or they can be sensors, actuators and operation centres in a wide area industrial control system, e.g., in a supervisory control and data acquisition (SCADA) network. Cryptography may provide authentication, confidentiality and data integrity for the communication, but source and destination addresses could still be visible to an outside attacker who is able to observe one or more network links. The outside attacker may identify traffic patterns: who is communicating with whom, when and how often. Using this information the attacker can infer the importance of the messages, and may perform targeted attacks on the communication between any two nodes. These targeted attacks might be hard to detect and can lead to incorrect system operation.

Mix networks [3] are a way to mitigate outside attacks by providing relationship anonymity, i.e., by making it untraceable who communicates with whom [4]. Nodes in a mix network relay and delay messages such that an outside attacker cannot trace the route of the individual messages through the mix. While relaying renders outside attacks more difficult, it introduces the possibility of inside attacks. Due to the often long life-cycles of industrial systems, software corruption is a threat, and the complexity of the code-base makes corruption hard to detect. Corrupted nodes that are part of the mix network can perform inside attacks to determine the sender-receiver pair for messages that are relayed through them. Anonymity networks can provide some level of relationship anonymity against inside attackers (e.g., [5], [6]) by hiding the sender or the receiver from the relay nodes. Good sender (or receiver) anonymity in itself does not necessarily lead to good relationship anonymity [8], hence we focus on relationship anonymity in this paper.

The relationship anonymity provided by mix networks and anonymity networks comes at the price of delay and communication overhead. Excessive delays can negatively impact the system performance, while overhead leads to high resource requirements, so that in practice both have to be kept low. Our goal in this paper is to investigate the trade-off between the communication overhead introduced and the level of relationship anonymity provided by anonymity networks.

Intuition says that increased overhead should result in increased anonymity. In this paper we show that this is not necessarily the case. We use two anonymity networks for our study. First, Crowds, proposed in [6], which hides the sender by introducing unbounded message delivery delay (it still exposes the receiver's identity). Crowds was shown to provide optimal sender anonymity for given overhead [7], i.e., path length. Second, Minstrels, described in this paper, which provides both sender and receiver anonymity, i.e., relationship anonymity. Minstrels has bounded message delivery delay. We do not consider long term intersection attacks, such as [8], [9], [10], which exploit cases when the sender's anonymity is not beyond suspicion, i.e., the sender is distinguishable from other nodes. These attacks consider that the receiver is outside the anonymity network, and they exploit the distribution of message destinations to decrease the relationship anonymity. In our system the receiver is part of the anonymity network, and message destinations can have an arbitrary distribution; but an attacker does not have a-priori knowledge of the traffic matrix.

The rest of the paper is organized as follows. Section II describes our system model and the anonymity metrics. Section III provides a description of the Minstrels anonymity network. In Section IV we develop analytical models of the relationship anonymity provided by Crowds and Minstrels, and we show numerical results based on the models in Section V. Section VI concludes the paper.
II. SYSTEM MODEL AND METRICS

We consider an anonymity network with $N$ nodes. The nodes act as sources, destinations and as relay nodes for each others' messages. The underlying communication network is a complete graph. The inside attacker is in control of $C$ nodes, and can observe the messages traversing those nodes and the protocol specific information contained in the messages. Its goal is to identify the source and the destination of the messages that it observes.

We quantify the relationship anonymity by the probability $P_{rel}(s,r)$ that the attacker assigns to a sender-receiver pair $(s,r)$ for a message. In general, the relationship anonymity depends on two factors. First, on the probability of having an attacker on the path. Second, on the probability that the attacker assigns to the sender (that it sent the message) and to the receiver (that it is the destination) when it gets the message. These probabilities are a function of the anonymity protocol, the number of nodes $N$ and the number $C$ of inside attackers

$$P_{rel}(s,r) = \sum_{i \ge 1} P(\hat{S}(s),\hat{R}(r) \mid H_i, S(s), R(r))\, P(H_i \mid S(s), R(r)), \quad (1)$$

where $S(s)$ and $R(r)$ denote the events that the sender is node $s$ and the receiver is node $r$, respectively; $\hat{S}(s)$ and $\hat{R}(r)$ denote the events that the attacker correctly identifies node $s$ as the sender and node $r$ as the receiver, respectively; $P(H_i \mid S(s),R(r))$ is the probability that the position of the first attacker on the path is $i$ given that $(s,r)$ is the sender-receiver pair, and $P(\hat{S}(s),\hat{R}(r) \mid H_i, S(s), R(r))$ is the probability that the attacker identifies $(s,r)$ as the sender-receiver pair given its position on the path.

Finally, we define the overhead of the anonymity network as the average path length (number of relay hops) $E[K]$ of the messages.
III. MINSTRELS SYSTEM DESCRIPTION

Minstrels, described below, uses nodes as message relays in the same way as Crowds [6] with the difference that the number of nodes visited by a message is bounded.

Consider the system described in Section II. When a node $s$ wants to send a message to a node $r$ it picks a node uniformly at random among the other $N-1$ nodes (excluding $s$) and forwards the message. The next node forwards the message to one of the other $N-2$ nodes (excluding itself and the sender node $s$) chosen uniformly at random. Every subsequent forwarder picks one of the non-visited nodes to forward the message. When node $r$ receives the message, it will send the message further in order to improve the receiver anonymity. The path ends when all $N$ nodes have been visited.

Fig. 1. A simple example of Minstrels with five nodes.

The message, or part of it, is encrypted with the receiver's public key. When a node receives the message, it checks if it is the receiver by trying to decrypt the encrypted part of the message. If the decrypted part of the message represents valid data, the node is the receiver. Note that a node does not know who is the receiver, it can only check whether it is the receiver itself (unlike in Crowds).

To bound the path length, the messages record a list of the visited nodes in the header. The list can be implemented, for example, using a Bloom filter, to keep its size small. When a relaying node receives a message, it will relay the message only to non-visited nodes. To control the maximum path length (i.e., delay) the sender can initialize the list of visited nodes with a number $M \in \{0,\ldots,N-1\}$ of the nodes in the system. These initialized nodes are considered as visited so that the message can not be relayed to them. Hence, a message traverses all nodes except for the initialized nodes in the list. The sender picks the number of initialized nodes at random: it initializes the list with $M$ nodes with probability $P(M)$, where $\sum_{M=0}^{N-1} P(M) = 1$. For $M = 0$ the list is empty, for $M = 1$ the list is initialized only with the sender and for $M > 1$ the list is initialized with the sender and $M-1$ other nodes. The sender must not initialize the list with the receiver. The distribution of $P(M)$ is a system parameter, and we use it to explore the anonymity-overhead trade-off. Fig. 1 shows two simple examples with five nodes, node A as sender and node D as receiver. Fig. 1 (left) shows a case when the list is initialized with the sender node A and the message is forwarded to node C. Node C checks if it is the receiver, puts itself in the list and chooses the next hop uniformly at random among nodes (B,D,E). The next hop, node D, follows the same procedure with only two forwarding options (B,E). Fig. 1 (right) shows another case when the list is initialized with the sender and node C, and the message is forwarded to node B. Node B adds itself to the list and decides to which of the remaining nodes (D,E) to forward the message. Node C is considered as already visited.
IV. OVERHEAD AND ANONYMITY

In the following we derive expressions for the communication overhead and the anonymity provided against inside attackers for Crowds and for Minstrels.

A. Communication Overhead

We start with calculating the communication overhead of Crowds and Minstrels. The mean number of hops for Crowds is the expected value of a geometric distribution with success probability $1-p_f$, i.e.,

$$E[K] = \frac{p_f}{1-p_f} + 2, \quad (2)$$

where $p_f$ is the probability that a node will relay a message. For Minstrels for a given number $M$ of initialized nodes in the list the path length is equal to $K = N-M$. The mean number of hops depends on the distribution $P(M)$ and can be expressed as

$$E[K] = \sum_{M=0}^{N-1} P(M)(N-M). \quad (3)$$
B. Relationship Anonymity Against Inside Attackers

We consider attackers without any a priori knowledge of the system traffic matrix. All nodes are equally likely to be senders or receivers. The attacker can only decrease the relationship anonymity by knowing the protocol and by observing traffic that goes over the nodes it controls. In order to calculate the relationship anonymity in the following we express the probabilities in (1) for Crowds and for Minstrels.

1) Crowds: For Crowds the first attacker is on position $i$ if the message is first relayed $i-1$ times through trusted nodes but the last hop is an attacker. We denote this event by $H_i$. The probability $P(H_i \mid S(s),R(r))$ can be expressed as

$$P(H_i \mid S(s),R(r)) = P(H_i) = p_f^{\,i-1}\left(\frac{N-C-1}{N-1}\right)^{i-1}\frac{C}{N-1}. \quad (4)$$

Let $I$ denote the event that the first attacker on the path is immediately preceded on the path by the sender. Note that $H_1 \subset I$ but the opposite is not true since the sender may appear multiple times on the path. For a given attacker on the path, $P(I \mid H_{1+})$ is the probability that the attacker's predecessor is the sender. $P(\bar{I} \mid H_{1+})$ is the probability that another node (i.e., not the predecessor) is the sender. The probability that the attacker assigns to the actual sender of the message can be expressed as

$$P(\hat{S}(s) \mid H_i,S(s),R(r)) = P(I \mid H_i)\,P(I \mid H_{1+}) + P(\bar{I} \mid H_i)\,P(\bar{I} \mid H_{1+}), \quad (5)$$

where $P(I \mid H_i)$ is the probability that for a given position $i$ of an attacker on the path the sender appears as the predecessor (on position $i-1$). For $i = 1$ we have $P(I \mid H_1) = 1$ while for $i > 1$ we have $P(I \mid H_i) = P(I \mid H_{2+}) = \frac{1}{N-C-1}$. Intuitively, $P(\bar{I} \mid H_i)$ is the probability that for a given position $i$ of an attacker on the path, some other node, a relay, appears as the predecessor. For $i = 1$ we have $P(\bar{I} \mid H_1) = 0$, while for $i > 1$ we have $P(\bar{I} \mid H_i) = \frac{N-C-2}{N-C-1}$.

The expression for $P(I \mid H_{1+})$ is given in [6] for the case when there are $n$ possible relays (including the sender). Since in our case there are $n = N-1$ possible relays the expression for $P(I \mid H_{1+})$ becomes $P(I \mid H_{1+}) = \frac{N-1-p_f(N-C-2)}{N-1}$. $P(\bar{I} \mid H_{1+})$ can be expressed as $P(\bar{I} \mid H_{1+}) = \frac{1-P(I \mid H_{1+})}{N-C-2}$.

The receiver is exposed in Crowds, hence $P(\hat{S}(s),\hat{R}(r) \mid H_i,S(s),R(r)) = P(\hat{S}(s) \mid H_i,S(s),R(r))$.
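The Crowds expressions above, eqs. (1), (2), (4) and (5), carried through in Python as an added worked example; this is not code from the paper. Function names and the tolerance at which the geometric tail of (4) is truncated are assumptions, and $P(H_{1+})$ is obtained by summing (4) in closed form. Running it for $N = 50$, $C = 1$ shows the effect the paper reports for Crowds in Section V: $P_{rel}(s,r)$ first falls and then rises again as $p_f$, and with it the overhead of eq. (2), grows.

```python
"""Relationship anonymity of Crowds against inside attackers.

Added worked example, not code from the paper. Implements eqs. (1), (2),
(4) and (5) of the page for the Crowds case, where the receiver is exposed.
Function names and the tail-truncation tolerance are assumptions; N - C > 2
is assumed so that the divisions below are defined.
"""


def crowds_overhead(pf: float) -> float:
    """Mean path length E[K] of Crowds, eq. (2); pf is the forwarding probability."""
    return pf / (1.0 - pf) + 2.0


def crowds_p_hi(n: int, c: int, pf: float, i: int) -> float:
    """P(H_i): the first attacker sits at position i on the path, eq. (4)."""
    return pf ** (i - 1) * ((n - c - 1) / (n - 1)) ** (i - 1) * c / (n - 1)


def crowds_p_h1plus(n: int, c: int, pf: float) -> float:
    """P(H1+) = sum_i P(H_i): the geometric series of eq. (4) summed in closed form."""
    q = pf * (n - c - 1) / (n - 1)
    return c / ((n - 1) * (1.0 - q))


def crowds_p_pred_is_sender(n: int, c: int, pf: float) -> float:
    """P(I|H1+): the attacker's predecessor is the sender, from [6] with N-1 relays."""
    return (n - 1 - pf * (n - c - 2)) / (n - 1)


def crowds_p_sender_identified(n: int, c: int, pf: float, i: int) -> float:
    """P(S^(s) | H_i, S(s), R(r)): probability mass the attacker puts on the true
    sender when the first attacker is at position i, eq. (5)."""
    p_i = crowds_p_pred_is_sender(n, c, pf)
    p_not_i = (1.0 - p_i) / (n - c - 2)          # mass on each non-predecessor node
    if i == 1:
        return p_i                                # P(I|H_1) = 1: predecessor is the sender
    # i > 1: the sender is the predecessor w.p. 1/(N-C-1), some other relay otherwise
    return p_i / (n - c - 1) + p_not_i * (n - c - 2) / (n - c - 1)


def crowds_p_rel(n: int, c: int, pf: float, tol: float = 1e-15) -> float:
    """P_rel(s,r) for Crowds by eq. (1). The receiver is exposed, so the joint
    identification term equals the sender term; the geometric tail of (4) is
    truncated once a summand drops below tol (assumed tolerance)."""
    total, i = 0.0, 1
    while True:
        term = crowds_p_sender_identified(n, c, pf, i) * crowds_p_hi(n, c, pf, i)
        total += term
        if term < tol:
            break
        i += 1
    return total


def crowds_lower_bound(n: int, c: int, pf: float) -> float:
    """Lower bound on P_rel: an attacker on the path guesses uniformly over the
    (N-C)(N-C-1) trusted sender-receiver pairs."""
    return crowds_p_h1plus(n, c, pf) / ((n - c) * (n - c - 1))


def crowds_tradeoff(n: int, c: int, pfs):
    """(overhead, P_rel, lower bound) for each forwarding probability in pfs."""
    return [(crowds_overhead(pf), crowds_p_rel(n, c, pf), crowds_lower_bound(n, c, pf))
            for pf in pfs]


if __name__ == "__main__":
    # N = 50, C = 1: P_rel decreases up to roughly p_f = 0.9 and grows again after that
    for ek, prel, lb in crowds_tradeoff(50, 1, [0.5, 0.7, 0.9, 0.95, 0.99]):
        print(f"E[K]={ek:7.2f}  P_rel={prel:.5f}  bound={lb:.2e}")
```

For $i > 1$ the two terms of (5) collapse to $\frac{1}{N-C-1}$ regardless of $p_f$, so all of the dependence of $P_{rel}(s,r)$ on the overhead comes from $P(I \mid H_{1+})$ at $i = 1$ and from the tail mass of (4); that is why more relaying eventually hurts once the growth of $P(H_{1+})$ outpaces the drop in $P(I \mid H_{1+})$.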
2) Minstrels: For Minstrels we rewrite (1) as

$$P_{rel}(s,r) = P(\hat{S}(s),\hat{R}(r) \mid H_{1+}, S(s), R(r))\, P(H_{1+} \mid S(s), R(r)), \quad (6)$$

where $P(H_{1+} \mid S(s),R(r))$ is the probability of having an attacker on the path for sender-receiver pair $(s,r)$, and $P(\hat{S}(s),\hat{R}(r) \mid H_{1+}, S(s), R(r))$ is the probability that the attacker identifies $(s,r)$ as the sender-receiver pair. We consider coordinated attackers that keep track of the received messages, so that every attacker knows whether a particular message was already received by an attacker. Hence, when the first attacker on the path gets the message, it knows the number $m_C$ of attackers that the list of visited nodes was initialized with by the sender. $m_C$ is a realization of the random variable $M_C$, whose distribution depends on the value of $M$.

In Minstrels the probability that the attacker assigns to a sender-receiver pair does not only depend on the node that the message is received from, i.e., the predecessor $p$, but also on the contents of the list of visited nodes ($\mathcal{L}$) that the message carries. Consequently, the attacker distinguishes between three disjoint sets of nodes: the predecessor node ($\{p\}$), nodes in the list of visited nodes except the predecessor ($\mathcal{L}\setminus\{p\}$), and nodes not in the list of visited nodes ($\overline{\mathcal{L}\cup\{p\}}$). These sets form a partition of the set of all trusted nodes in the system, and nodes belonging to the same set are equally likely to be the sender (and the receiver). As a shorthand for the universe of distinguishable events we use the notation $\Omega_s = \{s = p,\ s \in \mathcal{L}\setminus\{p\},\ s \in \overline{\mathcal{L}\cup\{p\}}\}$, where, for example, $s = p$ is the event that the predecessor is the sender. Similarly, we define $\Omega_r = \{r = p,\ r \in \mathcal{L}\setminus\{p\},\ r \in \overline{\mathcal{L}\cup\{p\}}\}$ for the distinguishable events regarding the receiver.

Given the information on $\mathcal{L}$, $m_C$, and $p$ available to the attacker, we can use the law of total probability to expand (6) conditional on the list length $\|\mathcal{L}\| = l$, $\omega_s \in \Omega_s$, $\omega_r \in \Omega_r$, and $M_C = m_C$,

$$P_{rel}(s,r) = \sum_{m_C}\sum_{l}\sum_{\omega_s}\sum_{\omega_r} P(\hat{S}(s),\hat{R}(r) \mid \omega_r,\omega_s,m_C,H_{1+},l,S(s),R(r)) \quad (7)$$
$$\cdot\, P(\omega_r,\omega_s,m_C,H_{1+},l \mid S(s),R(r)). \quad (8)$$

The summands in (7) are the probabilities that the attacker correctly identifies the sender-receiver pair of the message that contains the information ($\|\mathcal{L}\| = l$, $\omega_s \in \Omega_s$, $\omega_r \in \Omega_r$, and $M_C = m_C$), and are independent of $S(s),R(r)$. Eq. (8) is the probability that a message with $(s,r)$ as sender-receiver pair is received by an attacker and carries particular information.

Before we turn to the calculation of the probability $P(\omega_r,\omega_s,l,m_C,H_{1+} \mid S(s),R(r))$ we introduce the notation $H(l,m_C \mid M)$ for the joint event $\|\mathcal{L}\| = l$, $H_{1+}$, and $M_C = m_C$ for a given number of initialized nodes $M$. Clearly, $l \ge M$. The probability of this event can be expressed as
$$P(H(l,m_C \mid M)) = \begin{cases} \dfrac{C}{N-1} & l = 0,\ M = 0 \\[8pt] P(M_C = 0 \mid M)\,\dfrac{N-C-1}{N-1}\,\dfrac{C}{N-l}\,\displaystyle\prod_{z=1}^{l-1}\frac{N-C-z}{N-z} & l \ge 1,\ M = 0 \\[8pt] P(M_C = m_C \mid M)\,\dfrac{C-m_C}{N-l}\,\displaystyle\prod_{z=M}^{l-1}\frac{N-C+m_C-z}{N-z} & l \ge 1,\ M > 0, \end{cases} \quad (9)$$

where $P(M_C \mid M)$ is the probability that the list of visited nodes is initialized with $M_C$ attacker nodes, given that it is initialized with $M$ nodes by the sender. Due to the rules of prefilling, $M_C \in \{\max(0, M-1-(N-2-C)), \ldots, \min(M-1, C)\}$. For $M = 0$ and $M = 1$ there cannot be any initialized attackers, hence $P(M_C = 0 \mid M \in \{0,1\}) = 1$ and $P(M_C > 0 \mid M \in \{0,1\}) = 0$. For $M > 1$ we have

$$P(M_C \mid M) = \binom{M-1}{M_C}\frac{\prod_{k=2}^{M-M_C}(N-C-k)\ \prod_{k=0}^{M_C-1}(C-k)}{\prod_{k=2}^{M}(N-k)}. \quad (10)$$

We now turn to the calculation of the probability $P(\omega_r,\omega_s,l,m_C,H_{1+} \mid S(s),R(r))$, i.e., the probability that the attacker would receive a particular message sent by $s$ to $r$. If the sender is the predecessor ($s = p$) the receiver cannot be the predecessor, hence $P(r = p, s = p, l, m_C, H_{1+} \mid S(s),R(r)) = 0$. For the rest of the cases we show the probabilities in a tabular form to improve readability.

For $\|\mathcal{L}\| = 0$ and $\|\mathcal{L}\| = 1$ there can be no attackers in the list of visited nodes (when received by the first attacker), because if the sender prefills the list of visited nodes it has to include itself in the list. Hence, for $\|\mathcal{L}\| = 0$ and $\|\mathcal{L}\| = 1$ we have $M_C > 0$ with probability 0. Furthermore, for $\|\mathcal{L}\| = 0$ the sender must be the predecessor ($s = p$) and the receiver cannot be in the list of visited nodes ($r \in \overline{\mathcal{L}\cup\{p\}}$); every other tuple in $\{(\omega_s,\omega_r) : \omega_s \in \Omega_s, \omega_r \in \Omega_r\}$ has probability 0. Table I shows the corresponding probability, i.e., the probability that the sender initializes the message with an empty list, and chooses the attacker as next hop.

TABLE I
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|=0,M_C=0,H_{1+}\mid S(s),R(r))$
  $(\omega_s,\omega_r)$ | probability
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=0)P(H(0,0\mid M=0))$

For $\|\mathcal{L}\| = 1$ the sender and the receiver cannot both be in the list of visited nodes. Furthermore, if the sender or the receiver is in the list of visited nodes, it must be the predecessor, hence $s \in \mathcal{L}\setminus\{p\}$ and $r \in \mathcal{L}\setminus\{p\}$ have probability 0. Table II shows the probabilities for the remaining cases for $\|\mathcal{L}\| = 1$. As an example, the second row in the table is the probability that the sender initializes the list empty, forwards the message to the receiver, which then forwards the message to the attacker.

For $\|\mathcal{L}\| > 1$ there may or may not be attackers in the list of initialized nodes. Table III shows the probabilities for $\|\mathcal{L}\| > 1$ when there are no attackers in the list of initialized nodes ($M_C = 0$). When there are attackers in the list of initialized nodes ($M_C > 0$), the sender has to be in the list of visited nodes. Furthermore, if the sender is the predecessor ($s = p$) then the receiver cannot be in the list of visited nodes ($r \in \mathcal{L}\setminus\{p\}$), because this could only happen if the sender had prefilled the list of visited nodes with the receiver, but then the receiver would never receive the message. The corresponding probabilities for $\|\mathcal{L}\| > 1$ and $M_C > 0$ are shown in Table IV.
TABLE II
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|=1,M_C=0,H_{1+}\mid S(s),R(r))$
  $(\omega_s,\omega_r)$ | probability
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=1)P(H(1,0\mid M=1))$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r=p$ | $P(M=0)P(H(1,0\mid M=0))\frac{1}{N-C-1}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=0)P(H(1,0\mid M=0))\frac{N-C-2}{N-C-1}$

TABLE III
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|>1,M_C=0,H_{1+}\mid S(s),R(r))$
  $(\omega_s,\omega_r)$ | probability
  $s=p,\ r\in\mathcal{L}\setminus\{p\}$ | $P(M=0)P(H(l,0\mid M=0))\frac{l-1}{(N-C-1)^2}$
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=0)P(H(l,0\mid M=0))\frac{N-C-l}{(N-C-1)^2} + P(M=l)P(H(l,0\mid M=l))$
  $s\in\mathcal{L}\setminus\{p\},\ r=p$ | $P(M=0)P(H(l,0\mid M=0))\frac{l-2}{(N-C-1)^2} + \sum_{k=1}^{l-1}P(M=k)P(H(l,0\mid M=k))\frac{1}{N-C-k}$
  $s\in\mathcal{L}\setminus\{p\},\ r\in\mathcal{L}\setminus\{p\}$ | $P(M=0)P(H(l,0\mid M=0))\frac{(l-2)^2}{(N-C-1)^2} + \sum_{k=1}^{l-2}P(M=k)P(H(l,0\mid M=k))\frac{l-k-1}{N-C-k}$
  $s\in\mathcal{L}\setminus\{p\},\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=0)P(H(l,0\mid M=0))\frac{(N-C-l)(l-2)}{(N-C-1)^2} + \sum_{k=1}^{l-1}P(M=k)P(H(l,0\mid M=k))\frac{N-C-l}{N-C-k}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r=p$ | $P(M=0)P(H(l,0\mid M=0))\frac{N-C-l}{(N-C-1)^2}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r\in\mathcal{L}\setminus\{p\}$ | $P(M=0)P(H(l,0\mid M=0))\frac{(l-1)(N-C-l)}{(N-C-1)^2}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=0)P(H(l,0\mid M=0))\frac{(N-C-l)(N-C-l-1)}{(N-C-1)^2}$

TABLE IV
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|>1,M_C>0,H_{1+}\mid S(s),R(r))$
  $(\omega_s,\omega_r)$ | probability
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $P(M=l)P(H(l,m_C\mid M=l))$
  $s\in\mathcal{L}\setminus\{p\},\ r=p$ | $\sum_{k=m_C+1}^{l-1}P(M=k)P(H(l,m_C\mid M=k))\frac{1}{N-C+m_C-k}$
  $s\in\mathcal{L}\setminus\{p\},\ r\in\mathcal{L}\setminus\{p\}$ | $\sum_{k=m_C+1}^{l-2}P(M=k)P(H(l,m_C\mid M=k))\frac{l-k-1}{N-C+m_C-k}$
  $s\in\mathcal{L}\setminus\{p\},\ r\in\overline{\mathcal{L}\cup\{p\}}$ | $\sum_{k=m_C+1}^{l-1}P(M=k)P(H(l,m_C\mid M=k))\frac{N-C+m_C-l}{N-C+m_C-k}$

Let us now turn to the calculation of the probabilities that the attacker correctly identifies the sender-receiver pair $(s,r)$ used in (7). Given a message received by an attacker that contains information ($\|\mathcal{L}\| = l$, $\omega_s \in \Omega_s$, $\omega_r \in \Omega_r$, and $M_C = m_C$) the attacker would identify $(s,r)$ as the sender-receiver pair with probability

$$P(\hat{R}(r),\hat{S}(s) \mid \omega_r,\omega_s,m_C,H_{1+},l) = \frac{P(\omega_r,\omega_s,l,m_C,H_{1+} \mid S(s),R(r))\, P(R(r)\mid S(s))\, P(S(s))}{\sum_{(a,b)} P(\omega_r,\omega_s,l,m_C,H_{1+} \mid S(a),R(b))\, P(R(b)\mid S(a))\, P(S(a))}, \quad (11)$$

where the summation in the denominator is over all possible non-attacker sender-receiver pairs $(a,b)$. $P(S(s))$ is the (a priori) probability that node $s$ sends a message, and $P(R(r) \mid S(s))$ is the probability that node $s$ selects node $r$ as the destination of a message. Since the traffic matrix is homogeneous and attackers are informed about each other, all trusted nodes are equally likely to be the sender, $P(S(s)) = \frac{1}{N-C}$, and any trusted node (except the sender) is equally likely to be chosen as the receiver, i.e., with probability $P(R(r) \mid S(s)) = \frac{1}{N-C-1}$. The same observation holds for $P(S(a))$ and $P(R(b))$, so that these probabilities cancel out each other in (11).

We already calculated the numerator of (11), so in order to finish our calculations we only have to express $P(\omega_r,\omega_s,l,m_C,H_{1+} \mid S(a),R(b))$ and only for the cases when the numerator of (11) is non-zero, and when $a \ne s$ or $b \ne r$. The attacker can receive a message with an empty list of visited nodes ($\|\mathcal{L}\| = 0$, $M_C = 0$) only if the sender is the predecessor, hence $P(\omega_r,\omega_s,\|\mathcal{L}\| = 0,M_C = 0,H_{1+} \mid S(a),R(b)) > 0$ only for $a = s$. Nevertheless, the receiver of the message can be any trusted node $b \ne s$ (we use $b$ as a shorthand notation). The corresponding probability $P(\Omega_r,\Omega_s,\|\mathcal{L}\| = 0,M_C = 0,H_{1+} \mid S(a),R(b))$ is given in Table V.

TABLE V
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|=0,M_C=0,H_{1+}\mid S(a),R(b))$
  $(\omega_s,\omega_r,a,b)$ | probability
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}},\ a=s,\ b$ | $P(M=0)P(H(0,0\mid M=0))$

The attacker can receive a message with only one node in the list of visited nodes ($\|\mathcal{L}\| = 1$), in which case the node in the list is the predecessor. The list could have been sent by the predecessor ($a = p$) or by a node not in the list ($a \in \overline{\mathcal{L}\cup\{p\}}$), but in either case there cannot be any attacker node prefilled in the list ($M_C = 0$). The receiver could be any other node ($b$). The probability of receiving such a message $P(\Omega_r,\Omega_s,\|\mathcal{L}\| = 1,M_C = 0,H_{1+} \mid S(a),R(b))$ is given in Table VI.

TABLE VI
$P(\Omega_r,\Omega_s,\|\mathcal{L}\|=1,M_C=0,H_{1+}\mid S(a),R(b))$
  $(\omega_s,\omega_r,a,b)$ | probability
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}},\ a=s,\ b$ | $P(M=1)P(H(1,0\mid M=1))$
  $s=p,\ r\in\overline{\mathcal{L}\cup\{p\}},\ a\ne s,\ b$ | $P(M=0)P(H(1,0\mid M=0))\frac{1}{N-C-1}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r=p,\ a=r,\ b$ | $P(M=1)P(H(1,0\mid M=1))$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r=p,\ a\ne r,\ b$ | $P(M=0)P(H(1,0\mid M=0))\frac{1}{N-C-1}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r\in\overline{\mathcal{L}\cup\{p\}},\ a\in\{s,r\},\ b$ | $P(M=0)P(H(1,0\mid M=0))\frac{N-C-2}{N-C-1}$
  $s\in\overline{\mathcal{L}\cup\{p\}},\ r\in\overline{\mathcal{L}\cup\{p\}},\ a\notin\{s,r\},\ b$ | $P(M=0)P(H(1,0\mid M=0))\frac{N-C-3}{N-C-1} + P(M=1)P(H(1,0\mid M=1))$

For brevity, we omit the calculation of the probabilities for $\|\mathcal{L}\| > 1$; they can be obtained following a similar reasoning, and can be found in [11].
3) A Bound For Relationship Anonymity: In order to obtain a lower bound of the probability assigned to a sender-receiver pair we use (1) for Crowds and (6) for Minstrels. If there is an attacker on the path, it would assume that any of the $N-C$ trusted nodes is equally likely to be the sender, and any other trusted node is equally likely to be the receiver,

$$P(\hat{S}(s),\hat{R}(r) \mid H_{1+}) = P(\hat{S}(s),\hat{R}(r) \mid H_i) = \frac{1}{(N-C)(N-C-1)}. \quad (12)$$

The probability $P(H_{1+})$, from (6), is expressed as

$$P(H_{1+}) = \sum_{M=0}^{N-1}\sum_{i=1}^{N-M}\sum_{M_C=0}^{\min(\max(0,M-1),C)} P(H_i \mid M_C,M)\,P(M_C \mid M)\,P(M), \quad (13)$$

where for $M = M_C = 0$ we have $P(H_1) = \frac{C}{N-1}$ and

$$P(H_i \mid M_C,M) = \frac{(N-C-1)C}{(N-1)(N-i+1)}\prod_{k=1}^{i-2}\frac{N-C-k}{N-k} \quad (14)$$

for $i > 1$, and for $M > 0$ we have

$$P(H_i \mid M_C,M) = \frac{C-M_C}{N-M-i+1}\prod_{k=1}^{i-1}\frac{N-M-C+M_C-k+1}{N-M-k+1}. \quad (15)$$

We use these bounds in the following as a baseline for comparison for the relationship anonymity provided by Crowds and by Minstrels.
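The forwarding rules of Section III and the bound of eqs. (10) and (13)-(15), carried through in Python as an added worked example; this is not code from the paper. The simulation follows the protocol as described above (the sender prefills the list with itself plus $M-1$ nodes other than the receiver, every relay adds itself to the list before forwarding, the path ends once all nodes are visited) and leaves out the receiver's decrypt-and-check step, which does not change who relays the message. Node numbering (the last $C$ nodes are the attackers), the Monte Carlo sample size and the seed are assumptions. One consequence of the bounded path that the block makes visible: since a message visits every node not in the initial list, $P(H_{1+} \mid M)$ is exactly the probability that not all $C$ attackers were prefilled, $1 - P(M_C = C \mid M)$; for $N = 10$, $C = 3$ and uniform $P(M)$ that is $0.775$, which both eq. (13) and the simulation reproduce.

```python
"""Minstrels: forwarding simulation (Sec. III) checked against the analytical
P(H1+) of eqs. (10), (13)-(15) and the overhead of eq. (3).

Added worked example, not code from the paper. Node numbering (trusted nodes
0..N-C-1, attackers N-C..N-1), the sample size and the seed are assumptions.
"""
import random
from math import comb, prod


def minstrels_overhead(n, pm):
    """E[K] = sum_M P(M)(N-M), eq. (3); pm maps M -> P(M)."""
    return sum(p * (n - m) for m, p in pm.items())


def p_mc_given_m(n, c, m, mc):
    """P(M_C = mc | M = m), eq. (10): attackers among the M-1 nodes the sender
    draws from the N-2 nodes other than itself and the receiver."""
    if m <= 1:
        return 1.0 if mc == 0 else 0.0
    lo, hi = max(0, m - 1 - (n - 2 - c)), min(m - 1, c)
    if not lo <= mc <= hi:
        return 0.0
    num = comb(m - 1, mc) * prod(n - c - k for k in range(2, m - mc + 1)) \
        * prod(c - k for k in range(mc))
    den = prod(n - k for k in range(2, m + 1))
    return num / den


def p_hi_given(n, c, m, mc, i):
    """P(H_i | M_C = mc, M = m): first attacker at hop i, eqs. (14) and (15)."""
    if m == 0:
        if i == 1:
            return c / (n - 1)
        return (n - c - 1) * c / ((n - 1) * (n - i + 1)) \
            * prod((n - c - k) / (n - k) for k in range(1, i - 1))
    return (c - mc) / (n - m - i + 1) \
        * prod((n - m - c + mc - k + 1) / (n - m - k + 1) for k in range(1, i))


def minstrels_p_h1plus(n, c, pm):
    """P(H1+): at least one attacker on the path, eq. (13)."""
    total = 0.0
    for m, p_m in pm.items():
        for mc in range(min(max(0, m - 1), c) + 1):
            p_mc = p_mc_given_m(n, c, m, mc)
            for i in range(1, n - m + 1):
                total += p_hi_given(n, c, m, mc, i) * p_mc * p_m
    return total


def minstrels_lower_bound(n, c, pm):
    """Eq. (12) times P(H1+): an attacker on the path guesses uniformly over
    the (N-C)(N-C-1) trusted sender-receiver pairs."""
    return minstrels_p_h1plus(n, c, pm) / ((n - c) * (n - c - 1))


def simulate_path(n, c, m, rng):
    """One Minstrels message per Sec. III with M initialized nodes. Returns
    (hops, first_attacker_hop); first_attacker_hop is 0 if no attacker relays it."""
    s, r = rng.sample(range(n - c), 2)            # trusted sender and receiver
    visited = set()
    if m > 0:                                     # prefill: the sender plus M-1 others, never r
        others = [v for v in range(n) if v not in (s, r)]
        visited = {s} | set(rng.sample(others, m - 1))
    cur, hops, first_attacker = s, 0, 0
    while True:
        candidates = [v for v in range(n) if v not in visited and v != cur]
        if not candidates:                        # every node visited: the path ends
            return hops, first_attacker
        cur = rng.choice(candidates)              # uniform choice among non-visited nodes
        hops += 1
        if cur >= n - c and first_attacker == 0:
            first_attacker = hops
        visited.add(cur)                          # each node adds itself before forwarding


def estimate_p_h1plus(n, c, pm, samples=20000, seed=1):
    """Monte Carlo estimate of P(H1+) under P(M); checks K = N - M on every run."""
    rng = random.Random(seed)                     # assumed seed, for reproducibility
    ms, ps = zip(*pm.items())
    hits = 0
    for _ in range(samples):
        m = rng.choices(ms, weights=ps)[0]
        hops, first = simulate_path(n, c, m, rng)
        assert hops == n - m, "eq. (3): the path length must equal N - M"
        hits += first > 0
    return hits / samples


if __name__ == "__main__":
    n, c = 10, 3
    uniform = {m: 1.0 / n for m in range(n)}      # uniform P(M), as used in Sec. V
    print("E[K]      =", minstrels_overhead(n, uniform))
    print("P(H1+)    =", minstrels_p_h1plus(n, c, uniform), "(eq. 13)")
    print("P(H1+)    ~", estimate_p_h1plus(n, c, uniform), "(simulation)")
    print("lower bnd =", minstrels_lower_bound(n, c, uniform))
```

The assertion inside estimate_p_h1plus is the check a practitioner would want on any reimplementation of the protocol: whatever the prefill, a Minstrels message takes exactly $N-M$ hops, so the delay bound of Section III holds by construction. The same simulation can be extended to record the predecessor and list contents seen by the first attacker, which is the information the exact expressions of Tables I-VI condition on.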
V. NUMERICAL RESULTS
In the following we use the analytical models described
above to get insight into the overhead-anonymity trade-off.
To explore the trade-off we use p
f
(0, 1) for Crowds,
and various uniform and binomial distributions for P(M) for
Minstrels.
Fig. 2 shows the probability P
rel
(s,r) assigned to a sender-
receiver pair as a function of the overhead (i.e., the mean
path length) for C = 1 and N = 10. A higher value of
P
rel
(s,r) means that the sender-receiver pair is more exposed,
i.e., has less relationship anonymity. One would expect that
high overhead provides good relationship anonymity (i.e., low
assigned probability), but surprisingly this is not the case.
Above a certain point more overhead (more relaying) has a
negative effect on anonymity for both anonymity networks.
The reason is that as the number of relays increases the
probability P(H
1+
) of having an attacker on the path increases
faster than the certainty of the attacker about the identity of
the sender-receiver pair decreases.
Fig. 3 shows results obtained with N = 10 nodes and C =
3 attackers. Interestingly, while for Minstrels the relationship
anonymity decreases above a certain level of overhead, for
Crowds the relationship anonymity improves monotonically.
Hence, for C = 3 the probability that the attacker can assign
to the sender decreases faster than the probability $P(H_{1+})$ of
having an attacker on the path increases.
Fig. 4 shows results for N = 50 and C = 1. The figure has
a logarithmic scale on the vertical axis to make the small
probabilities easily distinguishable. For this scenario, in which
the system size is bigger than in Fig. 2 but the number of
attackers is smaller than in Fig. 3, it is now Crowds for which
relationship anonymity deteriorates above a certain overhead.
For Minstrels the probability $P_{rel}(s,r)$ decreases monotonically
with increasing overhead. The reason is that for N = 50 the
attacker appears later on the path than for N = 10, so the sender
does not appear as predecessor that often. Hence the attacker
assigns the same probability to the sender as to any other node
in the list. This does not apply to Crowds: the sender can be
revisited and may appear as predecessor at any position on
a path, and the predecessor is always more likely to be the
sender than any other node [6].
Finally, Fig. 5 shows results for N = 50 nodes and C = 5
attackers. It is only the results shown in this figure that coin-
cide with what one would expect, that is, increased overhead
provides better relationship anonymity.
Figs. 2, 3, 4, and 5 also show the lower bounds for the
probabilities $P_{rel}(s,r)$ for Crowds and for Minstrels. The lower
Citations
Journal ArticleDOI
György Dán, Henrik Sandberg, Mathias Ekstedt, +2 more
01 Jul 2012
Abstract: Achieving all-encompassing component-level security in power system IT infrastructures is difficult, owing to its cost and potential performance implications.

37 citations


01 Jan 2014
TL;DR: This thesis presents a meta-modelling system that automates the labor-intensive, time-consuming and expensive process of manually winding up and shutting down power systems.
Abstract: Society is increasingly dependent on the reliable operation of power systems. Power systems, at the same time, heavily rely on information technologies to achieve efficient and reliable operation. ...

2 citations


Cites background from "On the Trade-Off between Relationsh..."

  • ...In this thesis, in Paper E which extends our earlier work [64], we study how anonymity networks could be used to improve the data availability in the face of gray hole attacks....


01 Jan 2013
TL;DR: Mix networks and anonymity networks provide anonymous communication via relaying, which introduces overhead and increases the end-to-end message delivery delay, but in practice overhead and delay must be controlled.
Abstract: Mix networks and anonymity networks provide anonymous communication via relaying, which introduces overhead and increases the end-to-end message delivery delay. In practice overhead and delay must ...

1 citation


Cites background from "On the Trade-Off between Relationsh..."

  • ...Minstrels, described in [6], uses nodes as message relays in the same way as Crowds with the difference that the number of nodes visited by a message is bounded....

  • ...A detailed description of calculating Prel(s,r) can be found in [6]....

  • ...Second, Minstrels, proposed in [6], which provides bounded message delivery delay by limiting the maximum number of visited nodes for each message, and hides the sender and the receiver among all anonymity network users....


References

Journal ArticleDOI
David Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms"
TL;DR: A technique based on public key cryptography is presented that allows an electronic mail system to hide who a participant communicates with as well as the content of the communication - in spite of an unsecured underlying telecommunication system.
Abstract: A technique based on public key cryptography is presented that allows an electronic mail system to hide who a participant communicates with as well as the content of the communication - in spite of an unsecured underlying telecommunication system. The technique does not require a universally trusted authority. One correspondent can remain anonymous to a second, while allowing the second to respond via an untraceable return address. The technique can also be used to form rosters of untraceable digital pseudonyms from selected applications. Applicants retain the exclusive ability to form digital signatures corresponding to their pseudonyms. Elections in which any interested party can verify that the ballots have been properly counted are possible if anonymously mailed ballots are signed with pseudonyms from a roster of registered voters. Another use allows an individual to correspond with a record-keeping organization under a unique pseudonym, which appears in a roster of acceptable clients.

3,953 citations


David Chaum
01 Jan 2003
(duplicate record of the entry above; abstract identical)

2,815 citations


Journal ArticleDOI
Michael K. Reiter, Aviel D. Rubin, "Crowds: Anonymity for Web Transactions"
TL;DR: The design, implementation, security, performance, and scalability of the Crowds system for protecting users' anonymity on the world-wide-web are described and degrees of anonymity as an important tool for describing and proving anonymity properties are introduced.
Abstract: In this paper we introduce a system called Crowds for protecting users' anonymity on the world-wide-web. Crowds, named for the notion of “blending into a crowd,” operates by grouping users into a large and geographically diverse group (crowd) that collectively issues requests on behalf of its members. Web servers are unable to learn the true source of a request because it is equally likely to have originated from any member of the crowd, and even collaborating crowd members cannot distinguish the originator of a request from a member who is merely forwarding the request on behalf of another. We describe the design, implementation, security, performance, and scalability of our system. Our security analysis introduces degrees of anonymity as an important tool for describing and proving anonymity properties.

1,998 citations


"On the Trade-Off between Relationsh..." refers background or methods in this paper

  • ...We considered two anonymity networks, Crowds proposed in [6] and Minstrels proposed in this work....

  • ...First, Crowds, proposed in [6], which hides the sender by introducing unbounded message delivery delay (it still exposes the receiver’s identity)....

  • ..., [5], [6]) by hiding the sender or the receiver from the relay nodes....

  • ...The expression for P(I|H1+) is given in [6] for the case when there are n possible relays (including the sender)....

  • ...Minstrels, described below, uses nodes as message relays in the same way as Crowds [6] with the difference that the number of nodes visited by a message is bounded....



Proceedings ArticleDOI
Paul F. Syverson, David M. Goldschlag, Michael G. Reed, "Anonymous Connections and Onion Routing"
04 May 1997
TL;DR: A detailed specification of the implemented onion routing system, a vulnerability analysis based on this specification, and performance results are provided.
Abstract: Onion routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of proxies. The proxies may also make communication anonymous by removing identifying information from the data stream. Onion routing has been implemented on Sun Solaris 2.X with proxies for Web browsing, remote logins and e-mail. This paper's contribution is a detailed specification of the implemented onion routing system, a vulnerability analysis based on this specification, and performance results.

928 citations


"On the Trade-Off between Relationsh..." refers background in this paper

  • ...Anonymity networks can provide some level of relationship anonymity against inside attackers (e.g., [ 5 ], [6]) by hiding the sender or the receiver from the relay nodes....


Network Information

Performance metrics: number of citations received by the paper in previous years

Year    Citations
2014    1
2013    1
2012    1