Solving the Byzantine Postman Problem
BibTeX
@MISC{Sassaman_solvingthe,
author = {Len Sassaman and Bart Preneel},
title = {Solving the Byzantine Postman Problem},
year = {}
}
Abstract
Over the last several decades, there have been numerous systems proposed which aim to preserve the anonymity of the recipient of some data. Some have involved trusted third-parties or trusted hardware; others have been constructed on top of link-layer anonymity systems or mix networks. In this paper, we examine the Pynchon Gate [34], a pseudonymous message system which takes an alternate approach to this problem by using Private Information Retrieval (PIR) as the basis for its pseudonymity properties. We restrict our examination to a flaw in the Pynchon Gate system first described in our technical report [35]; as it was originally presented, the Pynchon Gate detects the presence of (and protects against certain attacks by) Byzantine servers operating in the system, but it fails to identify which server or set of servers is Byzantine, thus opening the door for denial of service attacks as well as other potential anonymity compromises by Byzantine servers. We show a trivial modification to the original PynGP which allows for detection and identification of Byzantine nodes, with no weakening of the security model necessary, at the relatively affordable cost of greater bandwidth requirements during certain communication operations. We demonstrate that this adequately solves the problems raised by [35], and argue that it is the most suitable method of addressing the attack in question yet proposed. We then evaluate an alternate approach to solving the problem described in [35], proposed by Goldberg in his recent paper [21]. We compare the security and performance trade-offs made in that proposal, and find it less secure against anonymity attacks as compared to the original (but flawed) Pynchon Gate Protocol (PynGP) [24] presented in the first Pynchon Gate paper. We show that this proposal is significantly weaker than the solution offered in this paper, which retains the security properties of the original Pynchon Gate Protocol.
Citations
| 1968 | How to share a secret
- Shamir
Citation Context ... suggests that detection of Byzantine servers in the Pynchon Gate should be addressed using an information-theoretic t-private v-Byzantine-robust k-out-of-ℓ PIR protocol based on Shamir secret sharing [37], such as that proposed by Beimel and Stahl [2]. The paper then presents a performance improvement upon the results of [2], and introduces a two-stage Byzantine recovery procedure for its protocol. 8 ... |
| 1317 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation Context ...the hash tree verification system: a corrupt distributor can, through malice or error, create a denial of service 2 This concern is present in many other anonymity systems, including Chaumian mixnets [6, 28, 12] and systems built on top of them [27, 25]. attack on the system by responding with incorrect data to a client’s query. While the client will detect that the message block is invalid after performing ... |
| 1236 | The sybil attack
- Douceur
- 2002
Citation Context ...formation about the private information. Of particular concern are the possibilities that a single adversary may operate multiple nodes under different identities, effectively ensuring node collusion [19], or that significant amounts of the anonymity infrastructure may lack good location independence [20]. Thus, systems which encourage participation by many unaffiliated operators of diverse background... |
| 868 | Tor: The second-generation onion router
- Dingledine, Mathewson, et al.
- 2004
Citation Context ...sure that the adversary is unable to gain control of any part of the infrastructure, this laissez-faire approach to anonymity service operation taken by some of the more successful anonymity services [17, 28] simply accepts that some nodes will be controlled by an adversary, and accounts for this fact in the design of these systems. 1.2 Background on Nym Servers Pseudonymous messaging services allow users... |
| 713 | Public-key cryptosystems based on composite degree residuosity classes
- Paillier
- 1999
Citation Context ... with caution if intended to serve as a building-block for an anonymity system.) collude, by proposing a hybrid privacy protection scheme which relies on the Paillier additive homomorphic cryptosystem [30]. This extension gives a PIR protocol with t-private v-Byzantine-robust k-out-of-ℓ information-theoretic protection and ℓ-computational protection. However, as the author states, adding this modificat... |
| 460 | Private information retrieval
- Chor, Goldreich, et al.
- 1995
Citation Context ...ot defeat the system merely by virtue of being able to perform calculations which reveal the private information. Other PIR protocols merely offer computational security: in Computational PIR systems [7], the privacy of the PIR query is protected only against an adversary restricted to polynomial-time computational capability. CPIR-based solutions have the significant advantage that they can be perfo... |
| 322 | Minimum disclosure proofs of knowledge
- Brassard, Chaum, et al.
- 1988
Citation Context ...s. The revised version of the protocol retains the same security properties set forth in the original design paper. We address the issue of Byzantine nodes by introducing a cut-and-choose methodology [32, 4]. To support this addition, we modify the query algorithm and add a response validation algorithm (to be run if the reconstruction algorithm fails) at the cost of trivial computation expense and a dou... |
| 276 | Untraceable Electronic Cash
- Chaum, Fiat, et al.
Citation Context ...ficient as it could be. The security implications of a modified validator protocol should be explored, perhaps with inspiration from sister disciplines, such as digital cash authenticity verification [5], secure secrecy-preserving auctions [31], or randomized partial checking in mix networks for voting applications [22]. Using the PynGP 2.0 protocol, users can detect when a given server has behaved i... |
| 231 | Mixminion: design of type III anonymous remailer protocol
- Danezis, Dingledine, et al.
Citation Context ...the hash tree verification system: a corrupt distributor can, through malice or error, create a denial of service 2 This concern is present in many other anonymity systems, including Chaumian mixnets [6, 28, 12] and systems built on top of them [27, 25]. attack on the system by responding with incorrect data to a client’s query. While the client will detect that the message block is invalid after performing ... |
| 216 | The Free Haven Project: Distributed anonymous storage service
- Dingledine, Freedman, et al.
- 2001
Citation Context ...tems can be used for parties to communicate without revealing their identities, or as a building-block for other systems that need a bi-directional anonymous communication channel, such as Free Haven [15]. 1.3 The Pynchon Gate and The Byzantine Postman Problem The most recent proposal for a nym server based on PIR with information-theoretic security, the Pynchon Gate [34], offers greater robustness, st... |
| 139 | Traffic analysis: Protocols, attacks, design issues, and open problems
- Raymond
- 2001
Citation Context ...o a different set of users [1]. 2 Background on The Pynchon Gate To address the reliability problems of silent node failure, as well as the serious security problems of statistical disclosure attacks [33, 11, 13] and end-to-end traffic analysis [26], Sassaman, Cohen, and Mathewson propose a complete architectural design of a PIR-based pseudonym service offering information-theoretic protection, called the Pyn... |
| 128 | Making mix nets robust for electronic voting by randomized partial checking
- Jakobsson, Juels, et al.
- 2002
Citation Context ...nspiration from sister disciplines, such as digital cash authenticity verification [5], secure secrecy-preserving auctions [31], or randomized partial checking in mix networks for voting applications [22]. Using the PynGP 2.0 protocol, users can detect when a given server has behaved in a Byzantine fashion. However, they have no irrefutable way of proving this to a third party. We have considered a sc... |
| 113 | Chameleon signatures
- Krawczyk, Rabin
- 2000
Citation Context ...s. The revised version of the protocol retains the same security properties set forth in the original design paper. We address the issue of Byzantine nodes by introducing a cut-and-choose methodology [32, 4]. To support this addition, we modify the query algorithm and add a response validation algorithm (to be run if the reconstruction algorithm fails) at the cost of trivial computation expense and a dou... |
| 84 | Defending anonymous communication against passive logging attacks
- Wright, Adler, et al.
- 2003
Citation Context ...s, a passive adversary could observe the actions of Byzantine servers not under his control (and perhaps not even behaving maliciously, but simply incorrectly) to help facilitate intersection attacks [38]. Additionally, if a user cannot know with confidence which server is behaving in a Byzantine fashion, she is more likely to change the nodes she uses on a regular basis, both increasing her exposure ... |
| 80 | On the Economics of Anonymity
- Acquisti, Dingledine, et al.
- 2003
Citation Context ...reased utility of the system; due to the network-effects properties of anonymity systems, denying service to one set of users can effectively weaken the anonymity provided to a different set of users [1]. 2 Background on The Pynchon Gate To address the reliability problems of silent node failure, as well as the serious security problems of statistical disclosure attacks [33, 11, 13] and end-to-end tr... |
| 79 | From a trickle to a flood: Active attacks on several mix types
- Serjantov, Dingledine, et al.
- 2002
Citation Context ...e reply-block, this would enable the attacker to identify the mixes used in the nym holder’s reply-block path, and increase his chances of successfully linking the nym with the nym holder’s true name [36]. forth referred to as PynGP 1.0). Described below, our revised PynGP (PynGP 2.0) protocol relies only on additional sets of operations already performed by PynGP 1.0, yet this modified version of Pyn... |
| 71 | Hot or Not: Revealing Hidden Services by Their Clock Skew - Murdoch - 2006 |
| 62 | Practical traffic analysis: Extending and resisting statistical disclosure
- Mathewson, Dingledine
- 2004
Citation Context ...on The Pynchon Gate To address the reliability problems of silent node failure, as well as the serious security problems of statistical disclosure attacks [33, 11, 13] and end-to-end traffic analysis [26], Sassaman, Cohen, and Mathewson propose a complete architectural design of a PIR-based pseudonym service offering information-theoretic protection, called the Pynchon Gate [34]. 2.1 Architecture Over... |
| 52 | Anonymity loves company: Usability and the network effect, Security and Usability
- Dingledine, Mathewson
- 2005
Citation Context ...infrastructure affect some users differently than others, an attacker may exploit such attacks on components of the system to facilitate an intersection attack against a user of the system as a whole [16]. In the Pynchon Gate, if a Byzantine distributor selectively performed denial of service attacks against certain users by returning garbage results to their queries, but correctly responded to other ... |
| 50 | Preserving privacy in a network of mobile computers
- Cooper, Birman
- 1995
Citation Context ...on Gate Protocol. 1 Introduction Several proposals have been made for the use of private information retrieval (PIR) [8] primitives to build secure, fault-tolerant pseudonymous mail retrieval systems [10, 3, 23, 34]. PIR-based pseudonym (or nym) servers have several significant advantages over nym servers based on other technologies. PIR protocols can be designed to offer information-theoretic security, i.e., as... |
| 50 | Statistical disclosure or intersection attacks on anonymity systems
- Danezis, Serjantov
- 2004
Citation Context ...o a different set of users [1]. 2 Background on The Pynchon Gate To address the reliability problems of silent node failure, as well as the serious security problems of statistical disclosure attacks [33, 11, 13] and end-to-end traffic analysis [26], Sassaman, Cohen, and Mathewson propose a complete architectural design of a PIR-based pseudonym service offering information-theoretic protection, called the Pyn... |
| 45 | Robust information-theoretic private information retrieval
- Beimel, Stahl
- 2002
Citation Context ... the Pynchon Gate should be addressed using an information-theoretic t-private v-Byzantine-robust k-out-of-ℓ PIR protocol based on Shamir secret sharing [37], such as that proposed by Beimel and Stahl [2]. The paper then presents a performance improvement upon the results of [2], and introduces a two-stage Byzantine recovery procedure for its protocol. 8 For n challenge-vector sets, the probability of... |
| 44 | Private information retrieval
- Chor, Goldreich, Kushilevitz, Sudan
- 1998
Citation Context ... offered in this paper, which retains the security properties of the original Pynchon Gate Protocol. 1 Introduction Several proposals have been made for the use of private information retrieval (PIR) [8] primitives to build secure, fault-tolerant pseudonymous mail retrieval systems [10, 3, 23, 34]. PIR-based pseudonym (or nym) servers have several significant advantages over nym servers based on othe... |
| 44 | Statistical disclosure attacks: Traffic confirmation in open environments
- Danezis
- 2003
Citation Context ...o a different set of users [1]. 2 Background on The Pynchon Gate To address the reliability problems of silent node failure, as well as the serious security problems of statistical disclosure attacks [33, 11, 13] and end-to-end traffic analysis [26], Sassaman, Cohen, and Mathewson propose a complete architectural design of a PIR-based pseudonym service offering information-theoretic protection, called the Pyn... |
| 40 | Location diversity in anonymity networks
- Feamster, Dingledine
- 2004
Citation Context ...ersary may operate multiple nodes under different identities, effectively ensuring node collusion [19], or that significant amounts of the anonymity infrastructure may lack good location independence [20]. Thus, systems which encourage participation by many unaffiliated operators of diverse backgrounds across a wide range of network providers can provide stronger services than those in which infrastru... |
| 40 | The Design, Implementation and Operation of an Email Pseudonym Server
- Mazières, Kaashoek
- 1998
Citation Context ...distributor can, through malice or error, create a denial of service 2 This concern is present in many other anonymity systems, including Chaumian mixnets [6, 28, 12] and systems built on top of them [27, 25]. attack on the system by responding with incorrect data to a client’s query. While the client will detect that the message block is invalid after performing the final step of the PIR protocol in Subs... |
| 29 | Improving the Robustness of Private Information Retrieval
- Goldberg
- 2007
Citation Context ...he most suitable method of addressing the attack in question yet proposed. We then evaluate an alternate approach to solving the problem described in [35], proposed by Goldberg in his recent paper [21]. We compare the security and performance trade-offs made in that proposal, and find it less secure against anonymity attacks as compared to the original (but flawed) Pynchon Gate Protocol (PynGP) [24... |
| 19 | Practical secrecy-preserving, verifiably correct and trustworthy auctions
- Parkes, Rabin, et al.
- 2006
Citation Context ...lications of a modified validator protocol should be explored, perhaps with inspiration from sister disciplines, such as digital cash authenticity verification [5], secure secrecy-preserving auctions [31], or randomized partial checking in mix networks for voting applications [22]. Using the PynGP 2.0 protocol, users can detect when a given server has behaved in a Byzantine fashion. However, they have... |
| 18 | The Pynchon Gate: a secure method of pseudonymous mail retrieval
- Sassaman, Cohen, et al.
- 2005
Citation Context ...ome data. Some have involved trusted third-parties or trusted hardware; others have been constructed on top of link-layer anonymity systems or mix networks. In this paper, we examine the Pynchon Gate [34], a pseudonymous message system which takes an alternate approach to this problem by using Private Information Retrieval (PIR) as the basis for its pseudonymity properties. We restrict our examination... |
| 8 | Private keyword-based push and pull with applications to anonymous communication. Applied Cryptography and Network Security
- Kissner, Oprea, et al.
- 2004
Citation Context ...on Gate Protocol. 1 Introduction Several proposals have been made for the use of private information retrieval (PIR) [8] primitives to build secure, fault-tolerant pseudonymous mail retrieval systems [10, 3, 23, 34]. PIR-based pseudonym (or nym) servers have several significant advantages over nym servers based on other technologies. PIR protocols can be designed to offer information-theoretic security, i.e., as... |
| 5 | Underhill: A proposed type 3 nymserver protocol specification
- Mathewson
- 2005
Citation Context ...distributor can, through malice or error, create a denial of service 2 This concern is present in many other anonymity systems, including Chaumian mixnets [6, 28, 12] and systems built on top of them [27, 25]. attack on the system by responding with incorrect data to a client’s query. While the client will detect that the message block is invalid after performing the final step of the PIR protocol in Subs... |
| 3 | Efficiency improvements of the private message service
- Berthold, Clauß, et al.
- 2001
Citation Context ...on Gate Protocol. 1 Introduction Several proposals have been made for the use of private information retrieval (PIR) [8] primitives to build secure, fault-tolerant pseudonymous mail retrieval systems [10, 3, 23, 34]. PIR-based pseudonym (or nym) servers have several significant advantages over nym servers based on other technologies. PIR protocols can be designed to offer information-theoretic security, i.e., as... |
| 3 | The TLS Protocol. Request for Comments: 2246
- Dierks, Allen
- 1999
Citation Context ... 1)-private ℓ-server PIR protocol. 2.2 The Pynchon Gate PIR Protocol The protocol runs as follows: after choosing distributors, the client establishes an encrypted connection to each (e.g., using TLS [14]). These connections must be unidirectionally authenticated to prevent man-in-the-middle attacks, and can be made sequentially or in parallel. The client sends a different “random-looking” bit vector ... |
| 2 | Attacks on Anonymity Systems: Theory and Practice
- Dingledine, Sassaman
- 2003
Citation Context ...on a variance in the user’s response to altered versus unaltered data, or by simply recognizing the product of the altered data as it is processed by the system (collectively known as tagging attacks [18]) are ineffective, as TLS protects data integrity on the wire. Thus, any tagging attacks an attacker wished to attempt against a user would have to occur through the use of a corrupt distributor. To p... |
| 2 | Pynchon Gate Protocol draft specification
- Mathewson
- 2004
Citation Context ...21]. We compare the security and performance trade-offs made in that proposal, and find it less secure against anonymity attacks as compared to the original (but flawed) Pynchon Gate Protocol (PynGP) [24] presented in the first Pynchon Gate paper. We show that this proposal is significantly weaker than the solution offered in this paper, which retains the security properties of the original Pynchon Ga... |
| 1 | The Byzantine Postman Problem: A Trivial Attack Against PIR-based Nym Servers
- Sassaman, Preneel
- 2007
Citation Context ...f Byzantine servers only at the cost of reduced overall security as compared to PynGP. PynGP 2.0 requires no such compromise in its security. 8 Conclusions We have reviewed the attack as described in [35], and found that it has significant impact on the deployability and potential success of the Pynchon Gate, as well as other PIR-based nym server systems that do not account for Byzantine servers. A de... |








