[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

header-swap isn't perfectly indistinguishable (was: problem in 3.2 "Replies")




Thanks to George and Nick for answering my mail about 'problem in 3.2 
"Replies"'.

I understand the design now.  I am working on a document which derives the 
current header-swap design by stepwise refinement from a very simple starting 
design, where each step is motivated by an item from a list of explicit 
desiderata.  That document will not be ready in time for the imminent 
submission deadline, and I don't think that the paper needs it.

There is however one detail that this process has revealed which is worth 
looking at right now.

It concerns indistinguishability within a processing node.  Basically, perfect 
(statistical) indistinguishability in the header-swap method is not possible 
without forcing all chains be the same length (which would be twice as long as 
one-way-anonymous chains need to be).


The reason header-swap messages are still partially (statistically) 
distinguishable is that a mutually-anonymous chain is longer (having 2K hops) 
than a sender-anonymous chain (having K hops), but each has exactly one swap 
hop.

Therefore, when your node processes a message and that hop is a swap, then you 
know the message is more likely to be a sender-anonymous ("forward") message.

In addition, if the message is *not* a swap, then you know the message is more 
likely to be a mutually-anonymous message.

I asked my wife^H^H^H^Hmathematics consultant Amber O'Whielacronx to quantify 
this and she says the following.  (Note that I asked her to distinguish 
between sender-anonymous and mutually-anonymous messages, ignoring recipient-
anonymous, although the same argument applies to that kind but with less 
dramatic advantages to the attacker.)

------- begin included math
P(1-way) = p
P(2-way) = 1-p
P(swap | 1-way) = 1/k
P(swap | 2-way) = 1/2k


P(swap) = P(swap | 1-way) P(1-way) + P(swap | 2-way) P(2-way)
              = p/k + (1-p)/2k = (p+1)/2k

P(1-way and swap) = P(1-way) P(swap | 1-way) = p/k

P(1-way | swap) = P(1-way and swap)/P(swap) = (p/k)/((p+1)/2k) = 2p/(p+1)

This is < 1/2 when p < 1/3, and > 1/2 when p > 1/3


P(not swap) = 1 - (p+1)/2k

P(1-way and not swap) = P(1-way) P(not swap | 1-way) = p(1-1/k)

P(1-way | not swap) = P(1-way and not swap)/P(not swap)
                                   = p(1-1/k)/(1-(p+1)/2k) = 2p(k-1)/(2k-p-1)

This approaches p from below as k approaches infinity
------- end included math

I then plugged in a couple of sample numbers:

P(1-way | swap) where P=1/2 is 2/3.  That means that if sender-anonymous and 
mutually-anonymous messages are sent in equal proportion to one another, that 
when your node observes a swap message, there is a 2/3 chance that the message 
is a sender-anonymous message.  This is one of the values of P that yields the 
highest "advantage" -- the node's chance of being right using this technique 
minus the chance of being right by blindly guessing in whichever way P leans.

P(1-way  | not swap) where P=1/2 and K=4 is 0.46.  That means that if sender-
anonymous and mutually-anonymous messages are sent in equal proportion to one 
another, then when your node observes a non-swap message, there is a 0.54
chance that the message is a mutually-anonymous message.


There is one further issue about indistinguishability: the swap occurs at a
semi-predictable point along the chain, so if the attacker can guess anything 
about how many hops a message has already taken from its source or how many 
hops it will take to its destination then this further contributes to the 
distinguishability.

I know that we have a good design for keeping that kind of information hidden 
in the headers themselves, but the paper does not mention whether an attacker 
can learn that kind of information by other means such as traffic analysis.  
(And he *can* learn some such information from traffic analysis, if 
I understand the current design correctly.)


Regards,

Zooko

Zooko.Com -- Security and Distributed Systems Engineering