## Indistinguishability-based Characterization of Anonymous Channels (2008)

Venue: IN PROC. OF PRIVACY ENHANCING TECHNOLOGIES WORKSHOP – PET ’08, VOLUME 5??? OF LNCS

Citations: 8 - 0 self

### BibTeX

@INPROCEEDINGS{Hevia08indistinguishability-basedcharacterization,
    author = {Alejandro Hevia and Daniele Micciancio},
    title = {Indistinguishability-based Characterization of Anonymous Channels},
    booktitle = {IN PROC. OF PRIVACY ENHANCING TECHNOLOGIES WORKSHOP – PET ’ 08, VOLUME 5??? OF LNCS},
    year = {2008},
    publisher = {Springer-Verlag}
}

### Abstract

We revisit the problem of anonymous communication, in which users wish to send messages to each other without revealing their identities. We propose a novel framework to organize and compare anonymity definitions. In this framework, we present simple and practical definitions for anonymous channels in the context of computational indistinguishability. The notions seem to capture the intuitive properties of several types of anonymous channels (Pfitzmann and Köhntopp 2001) (e.g. sender anonymity and unlinkability). We justify these notions by showing they naturally capture practical scenarios where information is unavoidably leaked in the system. Then, we compare the notions and we show they form a natural hierarchy for which we exhibit non-trivial implications. In particular, we show how to implement stronger notions from weaker ones using cryptography and dummy traffic – in a provably optimal way. With these tools, we revisit the security of previous anonymous channels protocols, in particular constructions based on broadcast networks (Blaze et al. 2003), anonymous broadcast (Chaum 1981), and mix networks (Groth 2003, Nguyen et al. 2004). Our results give generic, optimal constructions to

### Citations

1198 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation Context ...g source confidentiality in crime tips, to offering access to medical information to potential patients without fear of embarrassment, or protecting voter privacy in electronic voting [23, 43]. Chaum [14] initiated the modern study of anonymous communication by introducing the concept of mix networks (or mix-nets). A mix-net is a protocol in which messages (say, emails) traverse several routers (or mi...

1174 | Probabilistic encryption
- Goldwasser, Micali
- 1984
Citation Context ...follows from the potentially leaked information. This idea is already present in security definitions of other cryptographic primitives. For example, if E is a semantically secure encryption function [30], it is standard to assume a ciphertext E(m) hides all partial information about a message m except its length |m|. This is because |m| can only be hidden at the cost of unnecessarily increasing the s...

1120 | Identity-Based Encryption from the Weil Pairing
- Boneh, Franklin
- 2001
Citation Context ...ing message. By the simulatability of the NIZK proof, it then follows that their protocol can be proven SA-anonymous under global passive adversaries as long as the Bilinear Diffie-Hellman assumption [9] holds. Notice that this result is not implied by their security proof as the anonymity notion used in [32] is arguably different (see Section 1.4). 5.3 MIX networks: Robust and efficient MIX-net cons...

832 | A digital signature scheme secure against adaptive chosen-message attacks - Goldwasser, Micali, et al. - 1988 |

771 | Tor: the second-generation Onion router
- Dingledine, Mathewson, et al.
Citation Context ...ince Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later im...

671 | Completeness theorems for non-cryptographic fault-tolerant distributed computation
- Ben-Or, Goldwasser, et al.
- 1988
Citation Context ...ategories: (a) they present intuitive but weak definitions (targeted to particular applications with efficiency in mind), or (b) they present strong definitions with often impractical implementations [6, 28, 16]. We seek to bridge this gap by providing strong definitions which can be tailored to specific practical scenarios. We identify factors or conditions that may realistically limit anonymity. These cond...

658 | Crowds: Anonymity for Web Transactions
- Reiter, Rubin
- 1998
Citation Context ...ibe a protocol for anonymous communication based on sorting networks, which is shown to satisfy some statistical mixing properties. Relaxations to weaker adversaries were proposed by Reiter and Rubin [50] and Berman et al. [7]. Both works presented alternative notions of anonymity as well as efficient constructions assuming an adversary that does not monitor all communication channels. Camenisch and L...

613 | Universally composable security: a new paradigm for cryptographic protocols (extended abstract)
- Canetti
- 2001
Citation Context ...d Nguyen et al. [44], in particular, give strong definitions for “proving shuffles” (shuffles are the basic mixing operation) and Wikström [59] presents a formal definition of mix-net in the UC model [13]. These definitions, although helpful in the design and analysis of mix-nets, do not provide a definition of anonymous channels per se. Indeed, the absence of good anonymity definitions that capture r...

448 | Relations among notions of security for public-key encryption schemes - Bellare, Desai, et al. - 1998 |

437 | The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability
- Chaum
- 1988
Citation Context ..., 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later improved by many others [10, 57, 58, 32], allow broadcast of messages without disclosing the sender identity. At least initially, most of the effort was put into improving the efficiency an...

235 | Towards an information theoretic metric for anonymity
- Serjantov, Danezis
Citation Context ...y has been through the concept of anonymity set [15, 40]. The anonymity set is defined as the set of parties that could have sent a particular message as seen from the adversary [46]. Follow up works [40, 53, 18] have proposed new characterizations of anonymity, mostly in terms of the probability distributions the adversary assigns to each party in order to represent the likelihood such party is the sender of...

234 | A practical secret voting scheme for large scale elections
- Fujioka, Okamoto, et al.
- 1993
Citation Context ...” or guaranteeing source confidentiality in crime tips, to offering access to medical information to potential patients without fear of embarrassment, or protecting voter privacy in electronic voting [23, 43]. Chaum [14] initiated the modern study of anonymous communication by introducing the concept of mix networks (or mix-nets). A mix-net is a protocol in which messages (say, emails) traverse several ro...

217 | Mixminion: Design of a Type III Anonymous Remailer Protocol
- Danezis, Dingledine, et al.
Citation Context ...ince Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later im...

202 | Towards measuring anonymity
- Diaz, Seys, et al.
Citation Context ...y has been through the concept of anonymity set [15, 40]. The anonymity set is defined as the set of parties that could have sent a particular message as seen from the adversary [46]. Follow up works [40, 53, 18] have proposed new characterizations of anonymity, mostly in terms of the probability distributions the adversary assigns to each party in order to represent the likelihood such party is the sender of...

165 | Multiple Non-Interactive Zero Knowledge Proofs Under General Assumptions
- Feige, Lapidot, et al.
- 1999
Citation Context ...ecovered with high probability (and therefore theirs is a message-transmission protocol with high probability). They also show how each party can provide a non-interactive zero-knowledge (NIZK) proof [21] for the correctness of her pad without revealing the underlying message. By the simulatability of the NIZK proof, it then follows that their protocol can be proven SA-anonymous under global passive a...

161 | Mixing E-mail with BABEL
- Gulcu, Tsudik
- 1996
Citation Context ...ince Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later im...

159 | Proofs that yield nothing but their validity and a method of cryptographic protocol design
- Goldreich, Micali, et al.
Citation Context ...ategories: (a) they present intuitive but weak definitions (targeted to particular applications with efficiency in mind), or (b) they present strong definitions with often impractical implementations [6, 28, 16]. We seek to bridge this gap by providing strong definitions which can be tailored to specific practical scenarios. We identify factors or conditions that may realistically limit anonymity. These cond...

155 | A verifiable secret shuffle and its application to e-voting
- Neff
- 2001
Citation Context ...” or guaranteeing source confidentiality in crime tips, to offering access to medical information to potential patients without fear of embarrassment, or protecting voter privacy in electronic voting [23, 43]. Chaum [14] initiated the modern study of anonymous communication by introducing the concept of mix networks (or mix-nets). A mix-net is a protocol in which messages (say, emails) traverse several ro...

148 | Hiding routing information
- Goldschlag, Reed, et al.
- 1996

125 | Anonymity, unobservability, and pseudonymity - a proposal for terminology
- Pfitzmann, Koehntopp
- 2000
Citation Context ...ymity, sender-receiver anonymity, and unobservability, giving them new, strong indistinguishability-based formulations without compromising the standard “intuitive” meaning they have in the literature [46]. We also introduce new notions, namely sender unlinkability and receiver unlinkability. These notions, while arguably weak, can be used to implement some of the stronger notions. Then we formally pro...

119 | Making mix nets robust for electronic voting by randomized partial checking
- Jakobsson, Juels, et al.
- 2002
Citation Context ...ed” with other messages with the intention that the relation to the original sender be lost. Since Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-n...

97 | ISDN-mixes: Untraceable communication with very small bandwidth overhead - Pfitzmann, Pfitzmann, et al. - 1991 |

95 | An efficient scheme for proving a shuffle
- Furukawa, Sako
Citation Context ...ed” with other messages with the intention that the relation to the original sender be lost. Since Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-n...

93 | Key-Privacy in Public-Key Encryption
- Bellare, Boldyreva, et al.
- 2001
Citation Context .... We also show that strong sender (resp. receiver) anonymity is not weaker than sender (resp. receiver) anonymity. 2 The assumptions are standard, namely PKI and key-private secure encryption schemes [4]. 3 The reductions are computationally efficient and do not have message overhead – they introduce no new messages – therefore optimal in terms of communication. USING “PADDING”: We conclude showing t...

90 | The round complexity of secure protocols
- Beaver, Micali, et al.
- 1988
Citation Context ... then, each party calls ensures it sends |M| messages via π by adding sufficient dummy messages. Even though such a secure multiparty protocol can be computed with constant number of invocations to π [2] (and thus, O(n^2) messages), it is likely that invoking π more than once will render the resulting protocol impractical. 5 On the Anonymity of Previous Protocols The ultimate purpose of a definition...

86 | Stop and go mixes: Providing probabilistic anonymity in an open system
- Kesdogan, Egner, et al.

82 | The Notion of Security for Probabilistic Cryptosystems
- Micali, Rackoff, et al.
- 1988
Citation Context ...e function (e.g. one that computes the set of message values sent per party, their number, or the total number of messages, for example). Our formalisms build on definitional ideas used for encryption [30, 42, 27] and signatures [31]. Regarding adversaries, an often adopted adversarial type is that of honest-but-curious (or passive) adversary, one where the adversary obtains the internal state of the corrupted...

81 | Universally Verifiable mix-net with Verification Work Independent of the
- Abe
- 1403
Citation Context ...ed” with other messages with the intention that the relation to the original sender be lost. Since Chaum’s seminal paper, research in the area has been extensive, from concrete mix-net proposals (see [47, 1, 39, 25, 33, 59] among many others) to very practical protocols based on mix-nets (e.g. [29, 34, 40, 17, 51, 19] and references therein). But mix-nets are not the only method to implement anonymous communication. DC-n...

73 | A Uniform Complexity Treatment of Encryption and Zero-Knowledge
- Goldreich
- 1993
Citation Context ...e function (e.g. one that computes the set of message values sent per party, their number, or the total number of messages, for example). Our formalisms build on definitional ideas used for encryption [30, 42, 27] and signatures [31]. Regarding adversaries, an often adopted adversarial type is that of honest-but-curious (or passive) adversary, one where the adversary obtains the internal state of the corrupted...

67 | Anonymity and Information Hiding in Multiagent Systems
- Halpern, O’Neill
- 2003
Citation Context ...e probability distributions the adversary assigns to each party in order to represent the likelihood such party is the sender of a message. Definitions based on formal methods have also been proposed [55, 37, 52, 41, 26]. Finally, it is worth noticing that Hughes and Shmatikov [36] also present a framework to formalize and compare different notions of anonymity as done here. Using the domain-theoretic primitive of fu...

66 | Group principals and the formalization of anonymity
- Syverson, Stubblebine
- 1999
Citation Context ...e probability distributions the adversary assigns to each party in order to represent the likelihood such party is the sender of a message. Definitions based on formal methods have also been proposed [55, 37, 52, 41, 26]. Finally, it is worth noticing that Hughes and Shmatikov [36] also present a framework to formalize and compare different notions of anonymity as done here. Using the domain-theoretic primitive of fu...

63 | A verifiable secret shuffle of homomorphic encryptions
- Groth
- 2003

63 | The dining cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability
- Waidner, Pfitzmann
- 1989
Citation Context ...n). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later improved by many others [10, 57, 58, 32], allow broadcast of messages without disclosing the sender identity. At least initially, most of the effort was put into improving the efficiency and reliability of the constructions, so informal or ...

52 | Cryptographic defense against traffic analysis
- Rackoff, Simon
- 1993
Citation Context ... can be seen as an extension of the DC-net model to more practical graph structures (which partition the parties into k-sized autonomous groups). Another approach was proposed by Rackoff and Simon in [49]. They describe a protocol for anonymous communication based on sorting networks, which is shown to satisfy some statistical mixing properties. Relaxations to weaker adversaries were proposed by Reite...

49 | Networks without user observability
- Pfitzmann, Waidner
- 1987
Citation Context ...nder the strongest notions: sender-receiver anonymity and unobservability. 5.1 Broadcast Networks Broadcast channels can be used as a straightforward approach to obtain some form of receiver anonymity [48]. In general, the most obvious protocol of transmitting a message over the broadcast channel is trivially RA-anonymous. Blaze et al. [8] recently suggested a protocol for anonymous routing in the conte...

38 | Information hiding, anonymity and privacy: a modular approach
- Hughes, Shmatikov
- 1984
Citation Context ...present the likelihood such party is the sender of a message. Definitions based on formal methods have also been proposed [55, 37, 52, 41, 26]. Finally, it is worth noticing that Hughes and Shmatikov [36] also present a framework to formalize and compare different notions of anonymity as done here. Using the domain-theoretic primitive of function-view they model different notions of anonymity where in...

37 | A Formal Treatment of Onion Routing
- Camenisch, Lysyanskaya
- 2005
Citation Context ... et al. [7]. Both works presented alternative notions of anonymity as well as efficient constructions assuming an adversary that does not monitor all communication channels. Camenisch and Lysyanskaya [11] give a formal definition of onion routing [29] (along a provable secure protocol) but they explicitly avoid defining anonymous channels. An alternative characterization of anonymity has been through ...

37 | Unconditional sender and recipient untraceability in spite of active attacks - some remarks
- Waidner, Pfitzmann
Citation Context ...n). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later improved by many others [10, 57, 58, 32], allow broadcast of messages without disclosing the sender identity. At least initially, most of the effort was put into improving the efficiency and reliability of the constructions, so informal or ...

34 | The cocaine auction protocol: On the power of anonymous broadcast
- Stajano, Anderson
- 1999
Citation Context ...n is to be used to properly characterize the security of concrete protocols. Accordingly, we revisit the security of known constructions based on broadcast channels [8], DC-nets or anonymous networks [15, 32, 54], and mix-nets [33, 44, 24]. In Section 5, we examine the basic construction of Blaze et al. [8], which is based on broadcast channels, and we argue it can be shown strong receiver anonymous. We also ...

30 | Buses for anonymous message delivery
- Beimel, Dolev
Citation Context ...ather mild) assumption that a known upper bound on the total network flow exists. See Proposition 4.6 and remarks at the end of Section 4.2. 6INDISTINGUISHABILITY-BASED DEFINITIONS: Beimel and Dolev [3] define anonymity in terms of computational indistinguishability of the adversary’s view (i.e. the messages and any extra information obtained by the adversary) in two cases: when party Pi sends a mes...

27 | Practical anonymity for the masses with morphmix
- Rennhard, Plattner
- 2004

20 | XOR-trees for Efficient Anonymous Multicast and Reception
- Dolev, Ostrovsky
Citation Context ...tains the internal state of the corrupted party, but the party continues to follow the protocol. For simplicity of exposition, we consider passive adversaries with no corruptions (also called outside [20] or global passive adversary [52]) as it captures most of the subtleties of our model. Extensions to allow (passive) corruptions are discussed in Section 6. We also stress that our results apply to pr...

20 | A Formalization of Anonymity and Onion Routing
- Mauw, Verschuren, et al.
- 2004
Citation Context ...e probability distributions the adversary assigns to each party in order to represent the likelihood such party is the sender of a message. Definitions based on formal methods have also been proposed [55, 37, 52, 41, 26]. Finally, it is worth noticing that Hughes and Shmatikov [36] also present a framework to formalize and compare different notions of anonymity as done here. Using the domain-theoretic primitive of fu...

20 | k-anonymous message transmission
- Ahn, Bortz, et al.
- 2003
Citation Context ... equivalent to sender-receiver anonymity) although it is unclear without a formal statement. A similar concern can be raised on the definition proposed by von Ahn et al. in the context of k-anonymity [56]. (Essentially the same definition for the case of a fixed receiver). Golle and Juels [32] present a definition of anonymity (which they called privacy) in the context of DC-nets [15]. In the definitio...

19 | Multiparty unconditional secure protocols - Chaum, Crepeau, et al. - 1988 |

19 | A universally composable mix-net
- Wikström
- 2004

18 | Detection of disrupters in the DC protocol
- Bos, Boer
- 1990
Citation Context ...n). But mix-nets are not the only method to implement anonymous communication. DC-nets (also known as anonymous broadcast networks), also proposed also by Chaum [15] and later improved by many others [10, 57, 58, 32], allow broadcast of messages without disclosing the sender identity. At least initially, most of the effort was put into improving the efficiency and reliability of the constructions, so informal or ...

18 | Provable anonymity
- Garcia, Hasuo, et al.
- 2005

17 | Verifiable shuffles: a formal model and a Paillier-based three-round construction with provable security
- Nguyen, Safavi-Naini, et al.
- 2006
Citation Context ... informal or ad-hoc definitions were common. Indeed, only recently the need for general (and sound) definitions for these types of primitives has drawn some attention. Furukawa [24] and Nguyen et al. [44], in particular, give strong definitions for “proving shuffles” (shuffles are the basic mixing operation) and Wikström [59] presents a formal definition of mix-net in the UC model [13]. These definiti...

16 | How to implement ISDNs without user observability - some remarks
- Pfitzmann
- 1985
Citation Context ...ary trying to determine the sender (resp. receiver) of a message can only narrow the sender’s identity down to no less than k possible senders (resp. receivers). The concept was proposed by Pfitzmann [45] and further developed (along with efficient constructions) by von Ahn et al. [56] as a way to improve the efficiency of DC-nets. We can accommodate the notion of k-anonymity in our framework by furt...