BackRef: Accountability in anonymous communication networks (2014)
Venue: In ACNS
Citations: 4 - 1 self
Citations
1575 | Untraceable electronic mail, return addresses, and digital pseudonyms
- Chaum
- 1981
Citation Context: ...ithin a larger set of users. In some systems, like DC-Nets [1] and Dissent [2], the message emerges from aggregating all participants’ messages. In other systems, like onion routing [3], mix networks [4], and peer-to-peer anonymous communication networks [5], messages are routed through volunteer nodes I. Boureanu, P. Owesarski, and S. Vaudenay (Eds.): ACNS 2014, LNCS 8479, pp. 380–400, 2014. © Spri...
1225 | Tor: The second-generation onion router
- Dingledine, Mathewson, et al.
- 2004
Citation Context: ...all this latter class proxy-based ACNs and concentrate on it henceforth. Proxy-based ACNs provide a powerful service to their users, and correspondingly they have been the most successful ACNs so far [6,7]. However the nature of the properties of the technology can sometimes be harmful for the nodes serving as proxies. If a network user’s online communication results in a criminal investigation or a ca...
947 | A digital signature scheme secure against adaptive chosen-message attacks
- Goldwasser, Micali, et al.
- 1988
Citation Context: ... Backes et al. pseudonym signatures become particularly useful in our BackRef mechanism, where users utilize them to sign messages without being identified by the verifier. We can employ a CMA-secure [35] signature scheme against a computationally bounded adversary (with the security parameter κ) such that, along with the usual existential unforgeability, the resultant pseudonym signature scheme satis...
748 | Short signatures from the Weil pairing, in
- Boneh, Lynn, et al.
- 2001
Citation Context: ...icient and the last mile problem does not exist. 4.3 Cryptographic Details BLS Signatures. For pseudonym and endorsement signatures, we use the short signature scheme of Boneh, Lynn and Shacham (BLS) [38]. Consider two Gap co-Diffie-Hellman groups (or co-GDH group) $G_1$ and $G_2$ and a multiplicative cyclic group $G_T$, all of the same prime order $p$, associated by a bilinear map [39] $e : G_1 \times G_2 \to G_T$. Let $g_1$...
574 | The dining cryptographers problem: unconditional sender and recipient untraceability
- Chaum
- 1988
Citation Context: ...aceability, formal verification. 1 Introduction Anonymous communication networks (ACNs) are designed to hide the originator of each message within a larger set of users. In some systems, like DC-Nets [1] and Dissent [2], the message emerges from aggregating all participants’ messages. In other systems, like onion routing [3], mix networks [4], and peer-to-peer anonymous communication networks [5], me...
389 | An Efficient Cryptographic Protocol Verifier Based on Prolog Rules
- Blanchet
- 2001
Citation Context: ...m §4 (in a restricted form) in the applied pi calculus [41] and verify its important properties, i.e., anonymity, backward traceability, no forward traceability, and no false accusation with ProVerif [42], a state-of-the-art automated theorem prover that provides security guarantees for an unbounded number of protocol sessions. We model backward traceability and no false accusation as trace properties...
368 | Mobile values, new names, and secure communication
- Abadi, Fournet
- 2001
Citation Context: ...his message as a pseudonym for the entry OR node. 6 Security Analysis We conduct a formal security analysis of BackRef. We model our protocol from §4 (in a restricted form) in the applied pi calculus [41] and verify its important properties, i.e., anonymity, backward traceability, no forward traceability, and no false accusation with ProVerif [42], a state-of-the-art automated theorem prover that prov...
298 | Mixminion: design of a type III anonymous remailer protocol
- Danezis, Dingledine, et al.
Citation Context: ...g attacks can be used to correlate flows. Starting with Chaum [4], several ACN technologies have been developed in the last thirty years to provide stronger anonymity not dependent on a single entity [6,3,7,2,1,18,19,20,21]. Among these, mix networks [4,7] and onion routing [6] have arguably been most successful. Both offer user anonymity, relationship anonymity and unlinkability [22], but they obtain these properties t...
277 | Anonymous connections and onion routing
- Syverson, Goldschlag, et al.
- 1997
Citation Context: ... of each message within a larger set of users. In some systems, like DC-Nets [1] and Dissent [2], the message emerges from aggregating all participants’ messages. In other systems, like onion routing [3], mix networks [4], and peer-to-peer anonymous communication networks [5], messages are routed through volunteer nodes ...
126 | Privacy-enhancing technologies for the internet ii: Five years later
- Goldberg
- 2002
Citation Context: ...in this case requires, at a minimum, that the proxy is trustworthy and not compromised, and this approach does not protect the anonymity of senders if the adversary inspects traffic through the proxy [17]. Even with the use of encryption between the sender and proxy server, timing attacks can be used to correlate flows. Starting with Chaum [4], several ACN technologies have been developed in the last ...
124 | Verifying Privacy-type Properties of Electronic Voting Protocols
- Delaune, Kremer, et al.
Citation Context: ... (figure residue; axis label: Compromised fraction of the OR network) Fig. 3. Anonymity Game. Anonymity. We use observational equivalence to formalize privacy related properties such as in [45], [46]. We model anonymity as an equivalence relation between two processes that are replicated an unbounded number of times and execute in parallel. In the first process P, users U1 and U2 send two ...
82 | A terminology for talking about privacy by data minimization:
- Pfitzmann, Hansen
- 2010
Citation Context: ... a single entity [6,3,7,2,1,18,19,20,21]. Among these, mix networks [4,7] and onion routing [6] have arguably been most successful. Both offer user anonymity, relationship anonymity and unlinkability [22], but they obtain these properties through differing assumptions and techniques. An onion routing (OR) infrastructure involves a set of routers (or OR nodes) that relay traffic, a directory service pr...
48 | A Formal Treatment of Onion Routing
- Camenisch, Lysyanskaya
Citation Context: ...different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authentication challenges or randomization element per node in the pat...
42 | High-speed high-security signatures
- Bernstein, Duif, et al.
Citation Context: ...uple. We choose the BLS signature scheme due to the shorter size of their signatures; however, if signing and verification efficiency is more important, we can choose faster signature schemes such as [40]. Circuit Extension. To extend the circuit $\langle U \leftrightarrow N_1 \rangle$ to the next hop $N_2$, the user $U$ chooses $x_2 \in_R \mathbb{Z}_p$ and generates a pseudonym $X_2 = g_2^{x_2}$, where $g_2 \in G_2$. $U$ then signs the pseudonym $X_2$ and the current t...
40 | Dissent: accountable anonymous group messaging.
- Corrigan-Gibbs, Ford
- 2010
Citation Context: ...al verification. 1 Introduction Anonymous communication networks (ACNs) are designed to hide the originator of each message within a larger set of users. In some systems, like DC-Nets [1] and Dissent [2], the message emerges from aggregating all participants’ messages. In other systems, like onion routing [3], mix networks [4], and peer-to-peer anonymous communication networks [5], messages are route...
29 | Nymble: Anonymous IP-address blocking.
- Johnson, Kapadia, et al.
- 2007
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
27 | ShadowWalker: Peer-to-peer anonymous communication using redundant structured topologies.
- Mittal, Borisov
- 2009
Citation Context: ...ets [1] and Dissent [2], the message emerges from aggregating all participants’ messages. In other systems, like onion routing [3], mix networks [4], and peer-to-peer anonymous communication networks [5], messages are routed through volunteer nodes ...
26 | Freedom network 1.0 architecture and protocols
- Goldberg, Shostack
- 2001
Citation Context: ...g attacks can be used to correlate flows. Starting with Chaum [4], several ACN technologies have been developed in the last thirty years to provide stronger anonymity not dependent on a single entity [6,3,7,2,1,18,19,20,21]. Among these, mix networks [4,7] and onion routing [6] have arguably been most successful. Both offer user anonymity, relationship anonymity and unlinkability [22], but they obtain these properties t...
24 | Improving Efficiency and Simplicity of Tor Circuit Establishment and Hidden Services
- Øverlier, Syverson
Citation Context: ...tion mechanism inherently requires evidence logs containing verifiable routing information. Encrypting these logs and regularly rotating the corresponding keys can provide us eventual forward secrecy [27]. However, we cannot aim for immediate forward secrecy due to the inherently eventual forward secret nature of the encryption mechanism. 3.2 Design Rationale and Key Idea Fig. 1 presents a general exp...
21 | Dissent in numbers: Making strong anonymity scale.
- Wolinsky, Corrigan-Gibbs, et al.
- 2012
Citation Context: ...isbehaving users to be selectively traced [10,11,12], exit nodes to deny originating traffic it forwards [13,14], misbehaving users to be banned [15,16], and misbehaving participants to be discovered [2,23,24]. All of these approaches either require users to obtain credentials or do not extend to interactive, low-latency, internet-scale ACNs. A number also partition users into subgroups, which reduces anon...
15 | Proactively accountable anonymous messaging in Verdict.
- Corrigan-Gibbs, Wolinsky, et al.
- 2013
Citation Context: ...isbehaving users to be selectively traced [10,11,12], exit nodes to deny originating traffic it forwards [13,14], misbehaving users to be banned [15,16], and misbehaving participants to be discovered [2,23,24]. All of these approaches either require users to obtain credentials or do not extend to interactive, low-latency, internet-scale ACNs. A number also partition users into subgroups, which reduces anon...
15 | Drac: An Architecture for Anonymous Low-Volume Communications.
- Danezis, Díaz, et al.
- 2010
Citation Context: ...different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authentication challenges or randomization element per node in the pat...
14 | Pairing-Based Onion Routing with Improved Forward Secrecy
- Kate, Zaverucha, et al.
- 2009
Citation Context: ...g attacks can be used to correlate flows. Starting with Chaum [4], several ACN technologies have been developed in the last thirty years to provide stronger anonymity not dependent on a single entity [6,3,7,2,1,18,19,20,21]. Among these, mix networks [4,7] and onion routing [6] have arguably been most successful. Both offer user anonymity, relationship anonymity and unlinkability [22], but they obtain these properties t...
14 | Anonymity and one-way authentication in key exchange protocols.
- Goldberg, Stebila, et al.
- 2013
Citation Context: ... compromised node can tamper with its logs to intermix two different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authenticati...
13 | Sphinx: A Compact and Provably Secure Mix Format
- Danezis, Goldberg
Citation Context: ...g attacks can be used to correlate flows. Starting with Chaum [4], several ACN technologies have been developed in the last thirty years to provide stronger anonymity not dependent on a single entity [6,3,7,2,1,18,19,20,21]. Among these, mix networks [4,7] and onion routing [6] have arguably been most successful. Both offer user anonymity, relationship anonymity and unlinkability [22], but they obtain these properties t...
11 | Revocable Anonymity.
- Köpsell, Wendolsky, et al.
- 2006
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
9 | A Survey of Anonymous Blacklisting Systems
- Henry, Goldberg
- 2010
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
9 | Analysing the mute anonymous file-sharing system using the pi-calculus
- Chothia
- 2006
Citation Context: ... (figure residue; axis label: Compromised fraction of the OR network) Fig. 3. Anonymity Game. Anonymity. We use observational equivalence to formalize privacy related properties such as in [45], [46]. We model anonymity as an equivalence relation between two processes that are replicated an unbounded number of times and execute in parallel. In the first process P, users U1 and U2 send two messag...
8 | Accountable anonymous communication
- Diaz, Preneel
- 2007
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
8 | Reputable mix networks.
- Golle
- 2005
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
8 | Certificateless Onion Routing
- Catalano, Fiore, et al.
Citation Context: ... compromised node can tamper with its logs to intermix two different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authenticati...
7 | Using Sphinx to Improve Onion Routing Circuit Construction
- Kate, Goldberg
- 2010
Citation Context: ... compromised node can tamper with its logs to intermix two different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authenticati...
6 | Selectively Traceable Anonymity. In:
- Ahn, Bortz, et al.
- 2006
Citation Context: ...h other accountable by refusing to decrypt logs of users who have not violated the traceability policy. Such an entity acts in a similar fashion to the group manager schemes based on group signatures [11]. Non-cooperating Nodes. Given the geographic diversity of the ACNs, it is always possible that some proxy nodes will cooperate with the BackRef mechanism, while others will not. The repudiation prope...
6 | Breaking and provably fixing minx
- Shimshock, Staats, et al.
Citation Context: ...different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authentication challenges or randomization element per node in the pat...
4 | Ace: an efficient key-exchange protocol for onion routing
- Backes, Kate, et al.
- 2012
Citation Context: ... compromised node can tamper with its logs to intermix two different ACN paths as there is no cryptographic association between different parts of an ACN path. We observe that almost all OR protocols [19,27,28,29,30,31] (except TAP) and mix network protocols [32,33,34,20,7,21] employ (or can employ1) an element of a cyclic group of prime order satisfying some (version of) Diffie-Hellman assumption as an authenticati...
3 | How to bypass two anonymity revocation schemes
- Danezis, Sassaman
- 2008
Citation Context: ...spect all outbound traffic for correct signatures and protocol compliance. The inspector has been criticized for centralizing traffic flows, which enables DOS, censorship, and increases observability [25]. Von Ahn et al. [11] also use group signatures as the basis for a general transformation for traceability in ACNs and illustrate it with DC networks. Users are required to register as members of a gr...
2 | Exit node repudiation for anonymity networks, in On the Identity Trail: Privacy, Anonymity and Identity in a Networked Society
- Clark, Gauvin, et al.
- 2009
Citation Context: ...y networks, or a changing political climate, initiate an interest in providing a verifiable trace to users who misuse anonymity networks according to laws or terms of service. While several proposals [10,11,12,13,14,15,16] have been made to tackle or at least to mitigate this problem under the umbrella term of accountable anonymity, as we discuss in the next section some of them are broken, while others are not scalabl...
2 | Fighting cybercrime with packet attestation
- Haeberlen, Fonseca, et al.
Citation Context: ...tribution of trust but short-term deployment appears infeasible. We believe the involvement of ISPs is the most readily deployable. Such a solution involves an ISP with a packet attestation mechanism [36] which acts as a trusted party capable of proving the existence of a particular communication. We discuss the packet attestation mechanism further in §5. For selected traffic flows, BackRef provides tr...
1 | Tor madness reloaded (2007), http://itnomad.wordpress.com/2007/09/16/tor-madness-reloaded/ (accessed
- Janssen
- 2014
Citation Context: ...s serving as proxies. If a network user’s online communication results in a criminal investigation or a cause of action, the last entity to forward the traffic may become embroiled in the proceedings [8,9], whether as the suspect/defendant or as a third party with evidence. While repudiation in the form of a partial or full traceability has never been a component of any widely-deployed ACN, it may beco...
1 | N.: Tor Protocol Specification (2008), https://gitweb.torproject.org/torspec.git/tree/HEAD (accessed
- Dingledine, Mathewson
- 2014
1 | P.: Backref: Introducing accountability to anonymity networks
- Backes, Clark, et al.
Citation Context: ... trace properties, and anonymity and no forward traceability as observational equivalence relations. The employed ProVerif scripts as well as an extended version of the paper are available online [43], [44]. Basic Model. We model the OR protocol in the applied pi calculus to use circuits of length three (i.e., one user and three nodes); the extension to additional nodes is straightforward. To prove diff...