WO2018076013A1 - Systems and method for low-latency, tracking-resistant anonymous communications in a networked environment - Google Patents

Systems and method for low-latency, tracking-resistant anonymous communications in a networked environment

Info

Publication number
WO2018076013A1
Authority
WO
WIPO (PCT)
Prior art keywords
relay
clients
trustee
client
devices
Application number
PCT/US2017/057905
Other languages
English (en)
Other versions
WO2018076013A8 (fr
Inventor
Bryan Alexander FORD
Ludovic BARMAN
Jean-Pierre Hubaux
Italo DACOSTA
Joan Feigenbaum
Original Assignee
Yale University
Application filed by Yale University

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/065 Encryption by serially and continuously modifying data stream elements, e.g. stream cipher systems, RC4, SEAL or A5/3
    • H04L9/0656 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher
    • H04L9/0662 Pseudorandom key sequence combined element-for-element with data sequence, e.g. one-time-pad [OTP] or Vernam's cipher with particular pseudorandom sequence generator
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0421 Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0825 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/12 Transmitting and receiving encryption devices synchronised or initially set up in a particular manner
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
    • H04L9/3242 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/02 Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03 Protecting confidentiality, e.g. by encryption
    • H04W12/033 Protecting confidentiality, e.g. by encryption of the user plane, e.g. user's traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/42 Anonymization, e.g. involving pseudonyms

Definitions

  • Anonymous communication networks attempt to allow people to share information while being indistinguishable from their peers, and hence untraceable by an eavesdropping entity. While certain forms of encryption may reduce an eavesdropper's ability to ascertain the content of the communications, contextual information (e.g., metadata) associated with the communications may still allow eavesdroppers to efficiently spy on and track people on a large scale.
  • eavesdroppers can de-anonymize users through traffic-analysis attacks (e.g., global surveillance).
  • Local-Area Networks may be more susceptible to such attacks due to their size and geographic areas.
  • Because LANs are usually relatively small and geographically local, an eavesdropper can monitor the entire LAN, or a large portion of it, with a small resource cost.
  • an adversary can install low-cost equipment, such as rogue access points, near a company's building to eavesdrop on (encrypted) wired or wireless LAN communications and to infer information about specific devices.
  • Such attacks are concrete threats to sensitive workplaces, such as banks and defense organizations. As a result, at least some sensitive workplaces choose to have a "no-wireless" policy prohibiting wireless deployments of any kind inside their buildings.
  • Exemplary embodiments of the present disclosure advantageously address problems associated with trade-offs between anonymity and latency in anonymous networks, which arise from a tension between communication latency, bandwidth usage, and traffic-analysis resistance in such anonymous networks.
  • exemplary embodiments can provide cryptographically-strong tracking protection with unnoticeable "single-hop" network latencies by leveraging a client-relay-server architecture, in which the clients, relays (trusted or untrusted), and trustee devices are configured to implement an anonymity protocol where the trustee devices add little to no latency to the network.
  • Even if the trustee devices are geographically dispersed around the world, the end-to-end latency of connections between clients and local or remote sites is dominated purely by "single-hop" communication via the relay. Thus, the trustee devices add security to the anonymity of clients, but not to the latency of the network, because the trustee devices are not on the latency-critical path.
  • a group of clients connect to a relay (e.g., a router), and synchronously transmit to the relay, ciphertexts (or cipher streams), where one of the ciphertexts from one of the clients contains a data message to be sent to an external network, such as the Internet, and the remaining ciphertexts include random data.
  • the relay participates with a group of trustee devices in a distributed protocol to facilitate decryption of the data message without understanding which of the clients sent the data message (sender anonymity).
  • the trustee devices can precompute ciphertexts that may otherwise cause a major latency bottleneck in the anonymization process when computed on the fly. These ciphertexts do not depend on the actual communicated content from the clients to the relay. Therefore, the trustee devices can compute the ciphertexts before the ciphertexts are needed by the relay to decrypt the ciphertexts received from the clients to extract the data message from one of the clients. Upon receiving a response/message from the external network, the relay can broadcast the response/message to clients in the group, providing receiver anonymity.
  • Exemplary embodiments of the present disclosure can prevent equivocation attacks by an untrusted relay without adding extra latency.
  • an untrusted relay can equivocate by sending different (inconsistent) downstream messages to the clients to attempt to de-anonymize the clients.
  • the untrusted relay can slightly modify the downstream message for each client to send each client a unique message. Then, in the next round, the untrusted relay checks to see what is being requested by one of the clients, and depending on the content requested, the untrusted relay can identify the client requesting the content.
  • Exemplary embodiments of the present disclosure can prevent equivocation attacks without adding extra latency by encrypting clients' upstream messages in such a way that the ciphertext depends on previous downstream message(s).
  • Therefore, the untrusted relay can only decrypt each upstream message if all clients agree on what they received in the past downstream message(s). This advantageously allows the clients to ensure they are each receiving the same message from the untrusted relay without imposing expensive overhead (e.g., in the form of a consensus protocol).
  • Exemplary embodiments of the present disclosure advantageously provide for a quantifiable and formally provable anonymous communication system; security against traffic-analysis attacks; security against malicious attacks; small latency overhead suitable for everyday commercial and personal use; and direct deployability as extensions to open mobile platforms (e.g., Android) and WiFi infrastructures.
  • FIG. 1 is an exemplary networked environment in accordance with embodiments of the present disclosure.
  • FIG. 2 illustrates a relationship between shared secrets, pads, and ciphertexts.
  • FIG. 3 is an exemplary networked environment including multiple relays in accordance with embodiments of the present disclosure.
  • FIG. 4 is a block diagram of an exemplary client in accordance with embodiments of the present disclosure.
  • FIG. 5 is a block diagram of an exemplary relay in accordance with embodiments of the present disclosure.
  • FIG. 6 is a block diagram of an exemplary trustee device in accordance with embodiments of the present disclosure.
  • FIG. 7 is a graph showing anonymization of traffic and an associated latency in accordance with embodiments of the present disclosure.
  • FIGS. 8A-B show graphs corresponding to a time-to-resynchronization for a naive embodiment of the anonymity protocol and an optimized embodiment of the anonymity protocol, respectively, in accordance with embodiments of the present disclosure.
  • FIG. 9 shows a graph illustrating effects of cell size on upstream bandwidth and system latency in accordance with embodiments of the present disclosure.
  • FIGS. 10A and 10B show graphs illustrating effects of windowing on downstream communication speeds and system latency, respectively, in accordance with embodiments of the present disclosure.
  • FIG. 11 is a graph that illustrates network downtime as a result of an abrupt disconnection.
  • FIG. 12 is a graph that illustrates a size of the anonymity set versus time, when using embodiments of the present disclosure in an experimental environment.
  • FIGS. 13A-B are graphs that illustrate an end-to-end latency experienced by one client and added latency when replaying a dataset with Skype packets, respectively.
  • FIGS. 14A-B are graphs that illustrate round duration.
  • FIG. 15 is a graph that illustrates an effect of pipelining on latency.
  • Exemplary embodiments of the present disclosure are related to systems, methods, and non-transitory computer-readable media for anonymous, low-latency, tracking-resistant communications in a networked environment.
  • downstream communication refers to data transmitted from local devices or remote devices (e.g., from the Internet) to a client via a relay device.
  • upstream communication refers to data transmitted from one of the clients to other local devices or remote devices (e.g., to the Internet) via a relay device.
  • FIG. 1 is an exemplary networked environment 100 in accordance with embodiments of the present disclosure.
  • the network environment 100 can include a set of clients 110, a relay 120, and trustee devices 130 (e.g., servers).
  • Each of the clients 110, relay 120, and trustee devices 130 can be configured with an anonymity protocol, or portions thereof, that can be implemented to facilitate anonymous, low-latency, tracking-resistant communications in the networked environment 100, which forms an anonymous network.
  • the clients 110 can be programmed to implement a client component of the anonymity protocol
  • the relay can be programmed to implement a relay component of the anonymity protocol
  • the trustee devices 130 can be programmed to implement a trustee component of the anonymity protocol.
  • the clients 110, relay 120, and trustee devices 130 can communicate using non-private but authenticated channels, which may be observable by an adversary such that an adversary can observe messages when they are sent by the clients 110, relays 120, and/or servers 130.
  • the clients 110 can be computing devices that are configured with embodiments of the client component of the anonymity protocol of the present disclosure and that are configured to communicate with the relay 120 via wired and/or wireless communication.
  • the clients 110 can include personal computers, workstations, tablets, mobile phones, laptops, and/or servers that are configured with the client component of the anonymity protocol and that communicate with the relay to access a network 140.
  • the trustee devices 130 can be part of or accessible via the network 140.
  • the relay 120 can form an access point (e.g., the access point to a local area network, a wide area network, etc.) that connects the clients 110 (either directly or indirectly) to a network (the local area network or the wide area network) to facilitate communication with other local or remote sites 140 (e.g., to the Internet) via the network.
  • the relay 120 can be a router, a server, a hub, or other device through which other (client) devices connect to a network.
  • the relay 120 can process TCP/IP traffic in addition to implementing embodiments of the relay component of the anonymity protocol of the present disclosure.
  • the relay 120 can be a trusted or untrusted relay.
  • a trusted relay refers to a relay that is generally known as a relay that does not actively attempt to defeat the anonymity of the clients.
  • An untrusted relay refers to a relay for which it is generally unknown whether the relay actively attempts to defeat the anonymity of the clients or which is known to actively attempt to defeat the anonymity of the clients.
  • the trustee devices 130 can be distributed around the world to maximize trustworthiness and can assist the relay in the anonymization process via implementation of embodiments of the anonymity protocol of the present disclosure.
  • the trustee devices 130 are assumed to satisfy requirements of an anytrust model in which at least one of the trustee devices 130 is honest, and each of the trustee devices is assumed to be available at all times, but the clients 110 need not know which server to trust. That is, exemplary embodiments of the present disclosure are configured to preserve the anonymity of the clients 110 even when all but one of the trustee devices have been compromised by an adversary.
  • the role of the trustees can be played either by dedicated, separate devices (e.g., dedicated trustee devices) or by the client devices themselves (e.g., the operation and function of the trustee can be incorporated in the clients such that there are no separate trustee devices).
  • This choice represents a tradeoff between performance, scalability, and deployment simplicity concerns.
  • having a separate, small set of trustee devices increases the system's scalability and minimizes computation load on the client devices (which may often be low-power mobile devices).
  • each client device computes only one ciphertext for each of a few separate dedicated trustee devices, rather than one ciphertext for each of the many other clients (e.g., for embodiments where clients act as trustees as well).
  • Embodiments in which the clients play a dual role of client and trustee are feasible and equally secure. In such embodiments, there can be exactly as many trustees as clients, and no separate (dedicated) trustee devices are needed. Such an embodiment can be advantageous in terms of making deployment simpler and less costly.
  • dedicated trustee devices may not be needed and the resources on the clients may not be substantially affected (e.g., where the number of clients does not greatly exceed the number of trustee devices that would be implemented in the system anyway).
  • the system remains secure because, from the viewpoint of any client, the trustee that the client itself implements is always “trustworthy” with respect to that client, so the "anytrust" assumption that at least one trustee (its own) is trustworthy is always satisfied from the perspective of any client.
  • Users, via their clients 110, can perceive embodiments of the anonymity protocol as a low-latency VPN service in that it facilitates receipt of data from, and transmission of data to, the applications running on the clients 110.
  • the relay 120 can act as the other end of the VPN, sending data to other local devices, remote devices (e.g., the Internet), or to the clients 110.
  • the relay 120 may not be trusted and may maliciously (possibly by colluding with other untrusted entities) attempt to de-anonymize the clients 110.
  • the anytrust group of the trustee devices 130 can collectively facilitate the protection of the clients 110 from de-anonymization by the VPN service, without adding latency into the critical communication path.
  • the components of the anonymity protocol can be executed jointly by the clients 110, the relay 120, and the trustee devices 130 to anonymize messages sent by the clients to, e.g., the Internet.
  • the components of the anonymity protocol can be executed by the clients 110, the relay 120, and the trustee device 130 in rounds, where one of the clients sends a data message anonymously to another device via the relay in each round.
  • the anonymity protocol facilitates sender anonymity of upstream communications from the clients 110 based on ciphertexts received from the clients 110 and trustee devices 130 for each round and facilitates receiver anonymity of downstream communications by broadcasting the downstream communications from the relay 120 to each of the clients 110 for each round.
  • each of the clients 110 and each of the trustee devices 130 can go through a setup process to establish pairs of public/private keys.
  • the relay 120 stores a roster of all the public keys, which allows the relay 120 to verify the membership of the clients 110 to the relay 120 (as an access node to the network) and verify the authenticity of communications flowing through the relay 120.
  • an anonymization process implemented in response to execution of embodiments of the anonymity protocol of the present disclosure can include three phases: a setup phase, a scheduling phase, and an anonymization phase.
  • In the setup phase, the clients 110 are authenticated by the relay using their public keys.
  • each of the clients 110 executing the client component of the anonymity protocol agrees on a shared secret with each of the trustee devices 130 executing the trustee component of the anonymity protocol.
  • the shared secret between a client and a trustee device is known to both of them, but is secret to other clients and trustee devices and is secret to the relays.
  • a client shares a different secret with each of the trustee devices 130 such that no trustee device shares the same secret with another trustee device for a particular client 110.
  • the secrets are used later to seed a cryptographic pseudo-random generator (PRNG) to obtain a stream of pseudo-random bits, the pads, from which the clients 110 and the trustee devices 130 compute their ciphertexts.
  • FIG. 2 illustrates a relationship between shared secrets, pads, and ciphertexts.
  • each client $c_i$ runs a key exchange protocol with each server $s_j$ to agree on a shared secret, $r_{ij} \in \{0, 1\}^{P}$, which is only known to both of them.
  • Each shared secret 202 is used to seed a pseudorandom generator (PRNG) 204 to obtain a stream of pseudorandom bits, the pads 206, from which the clients and the servers will compute their ciphertexts 208.
  • the pads 206 and ciphertexts 208 can depend on the round t, which can be input to the PRNG 204. Using this approach, clients and servers do not need to generate a shared secret for every slot.
  • the relay 120 executes the relay component of the anonymity protocol to determine which of the clients 110 gets to transmit a message in which round of communication.
  • the anonymity protocol proceeds in time slots such that only one client - the slot owner - is allowed to send an ℓ-bit anonymous message to the network 140 (e.g., the Internet) in each time slot.
  • a schedule consists of n ordered time slots (one for each client).
  • An epoch is the timespan where the configuration (i.e., shared secrets and schedule) of the anonymous network does not change. At the beginning of each epoch, a new schedule is established.
  • Epochs expire after a predetermined period of time (e.g., 10 minutes) to prevent clients from using the same slot for an extended period, thus reducing the chances of an adversary linking upstream messages to a particular slot. Epochs can also expire due to network churn, e.g., clients connecting or disconnecting from the system.
  • a round corresponds to one exchange between the clients 110 and the relay (n ciphertexts upstream yielding one upstream message, and one downstream message).
  • each of the clients 110 generates an ephemeral pair of public/private keys that is used instead of its long-term keys in the anonymization phase.
  • the ephemeral keys are transmitted to the trustee devices 130 and are only used for a small number of rounds or an epoch, and they are refreshed by the clients 110 in response to execution of the client component of the anonymity protocol whenever the relay 120 requests to repeat the scheduling phase.
  • the scheduling information (e.g., which client gets to send a message in which round) remains secret to all entities, as otherwise it can completely break the anonymity of the clients.
  • the trustee devices 130 execute the trustee component of the anonymity protocol to randomly and verifiably shuffle a sequence of ephemeral public keys corresponding to the clients 110.
  • the secret permutation of ephemeral public keys is then sent to the clients 110.
  • Each of the clients 110 is only able to recognize its own public key in the sequence of ephemeral public keys, while the other keys look unrelated to any of the other clients without the associated private key.
  • the sequence of public keys defines in which of the rounds a client gets to transmit a message.
  • each of the trustee devices 130 continuously computes random ciphertexts for each of the clients 110.
  • Each ciphertext consists of ℓ random bits, the pads, generated using a PRNG seeded with the secret that a respective one of the trustee devices 130 shares with one of the clients. That is, the shared secret from each of the clients 110 is used by each of the trustee devices 130 to generate ciphertexts to be used for each round.
  • Each trustee device combines its set of ciphertexts for a given round (the individual ciphertexts generated by the trustee device for each client) into a trustee combined ciphertext before sending the combined ciphertext to the relay 120.
  • the trustee devices can send the trustee combined ciphertext to the relay for a round.
  • the individual ciphertexts can be combined using one or more techniques.
  • a trustee device can combine the individual ciphertexts using an exclusive-or (XOR) operation. To illustrate this approach, if there are ten clients, each trustee produces a set of ten separate ciphertexts - one based on its shared secret with each client, and then XORs all ten of the ciphertexts together to produce only a single trustee combined ciphertext, which it then sends to the relay.
  • the ciphertexts generated by the trustee devices do not depend on actual communicated content. Therefore, the trustee devices 130 can compute their ciphertexts ahead of time, before the ciphertexts are needed by the clients 110 and/or the relay 120 when there are actual communications being sent. This advantageously eliminates an important latency bottleneck from the critical latency path of the anonymity protocol.
  • the trustee devices 130 can continuously transmit freshly-produced ciphertexts to the relay 120 throughout the rounds. For trustee devices 130 with a high throughput link to the relay 120, the arrival of their ciphertexts can outpace the rate of exchanges being performed by the clients 110 and the relay 120, reducing protocol latency.
  • Even if the trustee devices 130 are geographically dispersed around the world, the end-to-end latency of connections between clients and local or remote sites is dominated purely by "single-hop" communication via the relay.
  • the trustee devices add security to the anonymity of clients, but not to the latency of the network, because the trustee devices are not on the critical latency path of the anonymity process.
  • each of the clients 110 computes a client combined ciphertext and sends the client combined ciphertext to the relay 120, where one of the clients 110 can send a client combined ciphertext that contains an upstream message to be sent to, e.g., the Internet, and the remaining clients send client combined ciphertexts including an empty message that does not include an upstream message.
  • To convert a message into a client combined ciphertext, the client first computes trustee ciphertexts locally using a cryptographic PRNG seeded with the secrets that the client shares with each of the trustee devices 130. Then, the client computes a client ciphertext that includes the upstream message.
  • the trustee ciphertexts and the client ciphertext are combined to form the client combined ciphertext.
  • the trustee ciphertexts and the client ciphertext can be combined using an exclusive OR operation that receives each of the trustee ciphertexts and the client ciphertext and outputs an exclusive OR of the inputs, which forms the client combined ciphertext. If the client is not scheduled to transmit an upstream message during a current transmission slot/round, or if the client is scheduled to transmit an upstream message but has no upstream message to send in the current round, the client sends a client combined ciphertext that is formed by combining the trustee ciphertexts alone (i.e., as if the message consisted of all 0 bits).
  • the anonymization phase is repeated several times and the clients 110 take turns sending their upstream messages in a round-robin fashion based on the shuffling information computed in the scheduling phase. If the current round number modulo n points to a client's public key in the shuffled sequence of all public keys, then the round belongs to the client and the client sends an upstream message in a client combined ciphertext to the relay 120 for the round. Otherwise, the client sends a client combined ciphertext representing an empty message to the relay for the round. Each of the trustee devices 130 also sends their trustee combined ciphertext to the relay 120 for the round. The relay 120 then participates in the distributed anonymity protocol jointly with the trustee devices 130 to obtain the upstream message from the collected ciphertexts.
  • Each round can be given a round identifier (ID) such that an upstream message transmitted during a round can be associated with a round ID.
  • the relay 120 can transmit the downstream message and the associated round ID to each of the clients 110 (i.e. as a broadcast message), and the client that sent the upstream message can use the round ID to determine that the downstream message was intended for the client device (which can allow the client to render the content of the downstream message on a display, store the content of the downstream message in memory, etc.).
  • the remaining clients can ignore the downstream message if the round ID does not correspond to the round in which they sent their upstream message.
  • the relay 120 broadcasts a set-up request to all nodes (e.g., servers and clients connecting to the relay 120).
  • each node finishes the current anonymization round, and re-runs both the set-up and scheduling phases.
  • a resynchronization signals the start of a new epoch.
  • Churn can significantly affect network performance. For example, the disconnection of a single client invalidates all the ciphertexts in the current round.
  • Two types of client churn can be defined: (1) graceful churn, where a client gracefully announces to the relay their intent to connect or disconnect from relay; and (2) abrupt disconnections, where a client abruptly disconnects from the relay without sending any warning to the relay.
  • the anonymity protocol includes a delay-and-reconfiguration approach to handle graceful churn without communication disruption.
  • a client notifies the relay 120 that it intends to connect or disconnect from the relay 120
  • a resynchronization phase can be triggered at the relay 120, in parallel to the current anonymization phase, thus maintaining the communications in a current round.
  • the joining or disconnecting client sends a request to the relay 120, which starts new setup and scheduling phases with the new set of clients, as a background process, while maintaining the current anonymization phase with the old set of clients.
  • the relay 120 terminates the anonymization phase associated with the old set of clients.
  • This approach enables interruption-less handling of graceful client churn, by temporarily processing two anonymization phases concurrently until the new set of clients has established anonymous communications and until the old set of clients has completed its round.
  • the relay 120 does only one additional signature check, each server has to run an additional verifiable shuffle protocol, and each client has to generate two new pairs of keys, which can be generated in advance, so that the keys are available in case a churn occurs. All the nodes then have to exchange this information over the network, resulting in a total communication of only O(m + n), where m is the number of servers and n is the number of clients.
  • the relay 120 can attempt to perform equivocation attacks on the clients 110 by sending different (inconsistent) downstream messages to the clients 110 to de-anonymize them. For example, in an unencrypted communication, the relay 120 can slightly modify the downstream message for each of the clients 110, and therefore can send a unique message to each of the clients. Then, in the next round, the relay 120 can check to see what is being requested by the clients 110, and depending on the content requested, the relay 120 may be able to identify some of the clients 110.
  • exemplary embodiments of the present disclosure can prevent such equivocation attacks without adding extra latency to the communication by encrypting each of the clients' messages to the relay 120 in the next round in such a way that the ciphertext generated by the clients 110 according to the client component of the anonymity protocol can depend on previous downstream messages received by the clients 110 from the relay 120. Therefore, the relay 120 can only decrypt each upstream message if each of the clients agree on what they received in one or more past downstream rounds. This allows the clients 110 to ensure they are receiving the same message without imposing the expensive overhead of, e.g., a consensus protocol.
  • the anonymity protocol can be executed by the clients 110, relay 120, and servers 130 to enable clients to subscribe to one or more channels supported by the relay 120 such that the relay can maintain several anonymous phases concurrently (e.g., one or more for each channel).
  • each channel can support a different bitrate.
  • Each channel can be an isolated instance of the anonymity protocol, but can run with different transmission rates and payload sizes.
  • constrained devices (e.g., suitable IoT devices, battery-powered devices) that require little computation can join channels with lower bitrates ("slow" channels) and more powerful devices can join channels with high or low bitrates.
  • the channels can correspond to categories of traffic, for instance "e-mails", "web browsing", "VoIP" and "video conferencing".
  • a client device that has no VoIP capabilities can save resources by joining a channel that does not support or require VoIP capabilities.
  • Client devices can connect to several channels and can participate in the anonymity set of those channels, even if the connected device chooses to communicate using only one of the channels (e.g., send messages carrying actual requests/data as opposed to dummy messages).
  • This approach can increase the anonymity set of slower channels. Assuming an order of magnitude difference in terms of latency between channels (e.g., web browsing at 100ms, VoIP at 10ms latency), joining an additional slower channel can add 1 message every 10 messages on the fast channel.
  • Exemplary embodiments of the present disclosure can utilize an accountability mechanism configured to be compatible with embodiments of the anonymity protocol to retain low-latency communications via the relay 120.
  • the relay 120 and/or client executing the anonymity protocol can determine which channels the client can use.
  • some client devices may be low-bandwidth, unreliable, and/or have high-latency connections to the relay (remote clients using the relay as a VPN server will be the quintessential examples of this), and putting those "bad" clients in the same channel as "good" (high-bandwidth, reliable, low-latency) clients can limit the performance seen by all clients in the group to the least-common denominator.
  • “bucket” clients into channels so that high-powered clients can get good performance (though anonymity only within the smaller group of similarly high-powered clients), while lower-powered clients can still access the system (and get anonymity within a larger anonymity set including more clients).
  • grouping clients into different channels can also combat a malicious client attempting to render a channel useless by continuously transmitting upstream messages in every round to try to cause an untraceable denial-of-service attack.
  • potential channels include a channel for web browsing, voice-over-IP, video conferencing, or web streaming.
  • embodiments of the anonymity protocol can be implemented by the clients 110, relay 120, and/or trustee devices 130 to permit the clients 110 to only transmit their cleartext in the appropriate channels. This allows embodiments of the anonymity protocol to provide a strong level of anonymity while supporting clients with different constraints (e.g., battery-powered devices).
  • Each client Ci generates an ephemeral pair of public/private keys (Zi, zi), sends Zi to R, and sets the round number r ← 0;
  • R collects all Zi's as a sequence A and sends it to S1;
  • S1-Sm each generate an ℓ-bit random ciphertext for each of C1-Cn using a PRNG seeded with the secret shared with each of C1-Cn and send the ciphertext to R;
  • Each client Ci performs the following: a. For each of S1-Sm, generate an ℓ-bit random ciphertext using a PRNG seeded with the secret shared with each of S1-Sm;
  • M ← client's next ℓ bits of data. Otherwise, M ← ℓ zero bits; c. XOR M with all server random ciphertexts and send the result to R;
  • R collects one ciphertext from each of S1-Sm and each of C1-Cn, XORs them together to obtain a plaintext (upstream message), and sends the plaintext to the Internet;
  • Upon receiving a response from the Internet, R broadcasts the downstream message to all clients; (5) If any client or trustee device disconnects, R broadcasts a Reschedule request to C1-Cn and S1-Sm;
  • Exemplary embodiments of the anonymity protocol can implement a disruption-protection protocol that can be executed to prevent or mitigate disruption attacks from the clients 110 and/or the servers 130.
  • in a disruption attack, a malicious client or server can transmit arbitrary bits to the relay, instead of the XORed ciphertext defined by the anonymity protocol, in an attempt to corrupt the upstream messages of other clients without leaving a trace.
  • although affected client(s) can be configured to detect such an attack and switch to a different relay, a moderately powerful adversary can feasibly infiltrate groups of clients at a large portion of relays in a given region such that affected client(s) can be forced to use weaker communication channels.
  • the disruption-protection protocol can be executed by the relay 120 to detect a disruption attack.
  • the relay 120 establishes a shared secret with each of the clients.
  • the relay can generate a unique shared secret for each client and can encrypt the shared secret with the public key of each corresponding client (i.e., the pseudonym used in the schedule).
  • the server broadcasts the encrypted shared secrets and the clients decrypt them with their corresponding private keys.
  • the client owning the current slot uses this shared secret to compute the keyed-hash message authentication code (HMAC) of the upstream message, HMAC(riR, x).
  • the client sends the upstream message and its HMAC to the relay 120.
  • the relay 120 validates the HMAC to find evidence of a disruption attack. If the validation fails, the relay 120 indicates, via a downstream message to the clients 110, that a disruption has been detected and that, in the same slot of the next schedule, a verifiable network, such as a verifiable DC-net, should be used to prevent further message corruption (for performance reasons, the relay 120 can wait for a few schedules before requesting the use of a verifiable DC-net).
  • By configuring the relay 120 to detect disruption attacks, the work and responsibility of detecting disruption attacks is removed from the clients 110, thereby decreasing operational complexity and resource utilization of the clients 110, which can be particularly beneficial for resource-constrained clients (e.g., battery-powered mobile devices). Configuring the relay 120 in this manner is possible because the relay 120 is trusted for availability, i.e., the relay does not perform attacks or collude with other parties to reduce availability of the network (while the relay may be untrusted with respect to de-anonymizing a client).
  • the relay 120 only needs to find one flipped bit to identify and exclude the malicious client or server launching the attack.
  • the relay 120 finds a bit in the pads or ciphertexts that was '0' in an original message, but has been flipped to '1' (using a bit that was 1 and has been flipped to 0 leaks information about the slot owner).
  • the relay 120 compares the original and corrupted upstream messages to find the position p of a flipped 0-bit (i.e. flipped from 0 to 1) in the corrupted messages.
  • the relay 120 stops communications (i.e., ceases the anonymous protocol) and sends a signed request to the clients 110 and servers 130 to reveal the individual bits from their different pseudorandom pads at position p for the disrupted round.
  • the clients 110 reveal one bit per server and the servers 130 reveal one bit per client corresponding to the position p in their pseudorandom pads.
  • the relay 120 stops the disruption protection protocol of the anonymity protocol and communications are not interrupted, i.e., the attack is detected, but the disruptor cannot be traced without breaking anonymity guarantees.
  • the client can XOR the upstream message with the shared secret. Therefore, the adversary only has a fifty percent chance of flipping a 1-bit (i.e. flipped from 1 to 0).
  • Upon receiving the bit-revealing messages from the clients 110 and servers 130, the relay 120 proceeds to check whether a client or server revealed values in their respective messages that do not match with the value sent in the bit position p during the disrupted round. If the values do not match, the corresponding client or server is identified by the relay 120 as the disruptor and is excluded from the anonymous network. If no mismatch is found, the relay 120 proceeds to compare the bits revealed by the clients 110 with the bits revealed by the servers 130. There must be, without loss of generality, a difference among one of the bits that one of the clients 110 and one of the servers 130 revealed (otherwise, the round was not disrupted).
  • After the relay 120 identifies a mismatch between a client and server, the relay 120 requests that the client and server reveal their shared secret, rij, along with a zero-knowledge proof showing that it was computed correctly. The relay 120 verifies the proofs and seeds the PRNG with the secrets to generate the pad for the disrupted round. At this point, the relay 120 can determine which one, the client or the server, disrupted the round and can exclude the disruptor from the anonymous network. Since at least one of the client or the server is the disruptor, revealing the shared secrets to the relay 120 does not compromise anonymity, as such revelation never happens between two honest parties.
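The round steps listed earlier (pads from shared secrets, XOR at the relay) together with the HMAC check and the bit-reveal tracing described above, simulated end to end as an added example that is not part of the patent text. The slot sizes, the SHAKE-256 pad generator and the names `Net`, `trace` and `demo` are assumptions; the zero-knowledge proof is omitted, and the original message is handed to the relay directly because this excerpt does not say how the relay obtains it.

```python
import hashlib
import hmac
import random
import secrets

SLOT = 32  # bytes per slot: 16-byte message + 16-byte truncated HMAC (constructed sizes)

def pad(secret, rnd):
    """Pseudorandom pad for one round, seeded with a client/trustee shared secret."""
    return hashlib.shake_256(secret + rnd.to_bytes(8, "big")).digest(SLOT)

def xor(*parts):
    out = bytearray(SLOT)
    for part in parts:
        for k, byte in enumerate(part):
            out[k] ^= byte
    return bytes(out)

def bit(data, p):
    return (data[p // 8] >> (7 - p % 8)) & 1

def flip(data, p):
    out = bytearray(data)
    out[p // 8] ^= 0x80 >> (p % 8)
    return bytes(out)

class Net:
    """State of all parties in one object, for the simulation only."""
    def __init__(self, n, m):
        self.n, self.m = n, m
        self.r = [[secrets.token_bytes(32) for _ in range(m)] for _ in range(n)]  # r[i][j]
        self.schedule = random.sample(range(n), n)  # stand-in for the shuffled key sequence
        self.mac_key = [secrets.token_bytes(32) for _ in range(n)]  # relay <-> slot pseudonym

    def payload(self, rnd, msg):
        msg = msg.ljust(16, b"\0")
        tag = hmac.new(self.mac_key[rnd % self.n], msg, hashlib.sha256).digest()[:16]
        return msg + tag

    def client_ct(self, i, rnd, payload=bytes(SLOT)):
        return xor(payload, *(pad(self.r[i][j], rnd) for j in range(self.m)))

    def trustee_ct(self, j, rnd):  # independent of any message, so it can be precomputed
        return xor(*(pad(self.r[i][j], rnd) for i in range(self.n)))

    def relay_decode(self, rnd, client_cts, trustee_cts):
        plain = xor(*client_cts, *trustee_cts)
        good = hmac.new(self.mac_key[rnd % self.n], plain[:16], hashlib.sha256).digest()[:16]
        return plain, hmac.compare_digest(plain[16:], good)

def flipped_zero_bit(original, received):
    """Position of a bit that was 0 in the original and arrived as 1, else None."""
    for p in range(SLOT * 8):
        if bit(original, p) == 0 and bit(received, p) == 1:
            return p
    return None

def trace(net, rnd, p, client_cts, trustee_cts, c_rev, t_rev):
    """c_rev[i][j] and t_rev[j][i] are the claimed values of bit p of pad(r[i][j])."""
    # Check 1: each party's revealed bits must XOR to bit p of the ciphertext it sent.
    for i in range(net.n):
        if sum(c_rev[i]) % 2 != bit(client_cts[i], p):
            return ("client", i)
    for j in range(net.m):
        if sum(t_rev[j]) % 2 != bit(trustee_cts[j], p):
            return ("trustee", j)
    # Check 2: find a client/trustee pair that disagrees about its shared pad bit; the
    # pair reveals r[i][j] (zero-knowledge proof omitted here) and the relay recomputes.
    for i in range(net.n):
        for j in range(net.m):
            if c_rev[i][j] != t_rev[j][i]:
                truth = bit(pad(net.r[i][j], rnd), p)
                return ("client", i) if c_rev[i][j] != truth else ("trustee", j)
    return None

def demo(kind, lie):
    """Run one disrupted round. kind: 'client' or 'trustee'; lie: falsify a revealed bit."""
    net, rnd = Net(n=4, m=3), 5
    owner = net.schedule[rnd % net.n]
    bad = (owner + 1) % net.n if kind == "client" else 1
    original = net.payload(rnd, b"GET /index")  # constructed message; its first bit is 0
    cts = [net.client_ct(i, rnd, original if i == owner else bytes(SLOT))
           for i in range(net.n)]
    tts = [net.trustee_ct(j, rnd) for j in range(net.m)]
    clean, clean_ok = net.relay_decode(rnd, cts, tts)
    sent = cts if kind == "client" else tts
    sent[bad] = flip(sent[bad], 0)  # the disruptor flips bit 0 of its ciphertext
    received, ok = net.relay_decode(rnd, cts, tts)
    p = flipped_zero_bit(original, received)
    c_rev = [[bit(pad(net.r[i][j], rnd), p) for j in range(net.m)] for i in range(net.n)]
    t_rev = [[bit(pad(net.r[i][j], rnd), p) for i in range(net.n)] for j in range(net.m)]
    if lie:  # the disruptor falsifies one revealed bit so that check 1 passes
        (c_rev if kind == "client" else t_rev)[bad][0] ^= 1
    blamed = trace(net, rnd, p, cts, tts, c_rev, t_rev)
    return clean_ok and clean == original, ok, p, blamed == (kind, bad)
```

`demo` returns four values: whether the undisturbed round decoded and verified, whether the HMAC still verified after the flip, the traced bit position, and whether the relay blamed the right party. A disruptor that reveals its bits honestly is caught by the first check; one that falsifies a revealed bit is caught by the pairwise comparison.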
  • an untrusted relay can equivocate by sending different downstream messages to different clients to de-anonymize them.
  • in an unencrypted communication (e.g., a DNS request), the relay 120 can slightly modify the downstream message for each client. These unique messages might affect the messages sent in subsequent rounds (e.g., the contacted IP in the case of a DNS request), so the relay 120 may be able to determine which client sent the request, based on their subsequent behavior.
  • clients C1 and C2, both honest, can be connected to a malicious relay, and they collectively run an embodiment of the anonymous communication protocol.
  • the relay 120 decodes a DNS request for a given domain.
  • the sender of the request is anonymous, such that the relay 120 does not know whether client C1 or C2 sent the request.
  • the relay 120 can send two different answers to client C1 and C2, containing IP1 and IP2, respectively.
  • the relay 120 can decode a request to IP2 and can guess that client C2 made the request (along with the original DNS request), as it is unlikely that client C1 has knowledge of IP2.
  • Exemplary embodiments of the anonymity protocol can be implemented to include an equivocation-protection protocol to protect against equivocation attacks launched by a malicious relay without adding extra latency to the network. This is achieved by encrypting clients' upstream messages in such a way that the resulting ciphertexts depend on the history of downstream messages in an epoch.
  • the relay 120 can only decrypt an upstream message if all clients agree on the downstream messages they have received in the current epoch. If the clients disagree, the relay 120 is unable to decrypt the upstream message from the current and future rounds. In such a case, the relay 120 is required to issue a special command to reset the history of all clients and restore the communications. Such a command should be issued rarely by the relay 120, and the clients 110 should be suspicious of it. Hence, the relay 120 has no incentive to try an equivocation attack, which would be detected by clients and would affect the availability of the service.
  • the client-slot owner encrypts its upstream message with a fresh random key and includes a blinded version of this key in its upstream message.
  • the key is blinded with a value computed by raising the downstream history value to a secret exponent derived from the client's pads.
  • the downstream history consists of the cryptographic hash of the previous downstream history concatenated with the most recent downstream message, hence, it depends on all past downstream messages.
  • downstream history is "bound" to the client's pads via exponentiation in a cyclic group, where the Discrete Logarithm Problem (DLP) and the Decisional Diffie-Hellman assumption (DDH) hold.
  • Other clients also send contributions and, if all clients have similar downstream history, the relay 120 is able to unblind the key and decrypt the upstream message.
  • the relay 120 provides them with the current downstream history value during the setup phase.
  • the downstream history can only be reset by the relay 120 via a reset-history command broadcasted to the clients; thus, the downstream history is kept across epochs.
  • Fq denote a finite field of prime order q
  • G denote a multiplicative group of order q with generator g such that the DLP and the DDH assumptions hold in G.
  • Mi denote the message that a client i sends to the relay.
  • H: {0, 1}* → {0, 1}^l be a cryptographic hash function
  • F1: {0, 1}^l → G
  • F2: {0, 1}^l → Fq be publicly-known one-to-one functions that are efficiently computable and invertible.
  • the portion of the equivocation protocol implemented by the client can be defined as follows. Consider m servers, n clients and a client Ci with a plaintext xi and an empty downstream history.
  • aflii sends ( 3 ⁇ 4 » .fei) ⁇ ⁇ i3 ⁇ 4lay .
  • the client Ci encrypts xi (i.e., the upstream message) as x'i and blinds the key with its downstream history.
  • the blinding also uses the hash of the pads (unknown to the relay), so the relay is unable to unblind the key without the contribution (and agreement) of all clients.
  • the server sends an additional value Oj to the relay 120, used to unblind the key.
  • The portion of the equivocation protocol implemented by the server can be defined as follows. Each server Sj sends (oj, Sj) to the relay 120, where:
  • In the portion of the equivocation protocol implemented by the relay 120, the relay 120 unblinds the key and decrypts the upstream message.
  • the portion of the equivocation protocol implemented by the relay 120 can be defined as follows. The relay 120 starts with an empty downstream history denoted by h.
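A small simulation of the history-bound key blinding described above, added here as an example and not taken from the patent text. The concrete formulas did not survive in this copy of the page, so the construction below is an assumption consistent with the description: each client multiplies in F1(h) raised to the sum of F2(H(pad)), and each trustee contributes the negated sum. The 128-bit group, the hash-based F1 and F2 stand-ins and all names are likewise assumptions.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group(bits=128):
    """Safe prime P = 2Q + 1; the squares mod P form a group G of prime order Q (toy size)."""
    q = (1 << (bits - 1)) + 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = toy_group()

def H(data):
    return hashlib.sha256(data).digest()

def F1(h):  # hash -> element of G (stand-in for the page's F1)
    return pow(int.from_bytes(h, "big") % P, 2, P)

def F2(h):  # hash -> exponent in F_q (stand-in for the page's F2)
    return int.from_bytes(h, "big") % Q

def pad_exponent(shared_secrets, rnd):
    """Sum over peers of F2(H(pad)); the pad is modelled as H(secret || round)."""
    return sum(F2(H(H(r + rnd.to_bytes(8, "big")))) for r in shared_secrets) % Q

def stream_xor(key_elem, data):
    ks = hashlib.shake_256(key_elem.to_bytes(32, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

class Party:
    """A client or the relay: keeps h <- H(h || d) over downstream messages d."""
    def __init__(self, shared_secrets=()):
        self.r, self.h = shared_secrets, H(b"")  # H(b"") models the empty history

    def downstream(self, d):
        self.h = H(self.h + d)

    def blind(self, rnd, key_elem=1):  # client side; the slot owner passes the fresh key
        return key_elem * pow(F1(self.h), pad_exponent(self.r, rnd), P) % P

    def unblind(self, kappas, sigmas):  # relay side
        k = pow(F1(self.h), sum(sigmas) % Q, P)
        for kappa in kappas:
            k = k * kappa % P
        return k

def run_round(rnd, clients, trustee_views, relay, owner, msg):
    k = pow(4, secrets.randbelow(Q - 1) + 1, P)  # fresh random key, an element of G
    x_enc = stream_xor(k, msg)  # in the protocol this travels in the owner's slot
    kappas = [c.blind(rnd, k if i == owner else 1) for i, c in enumerate(clients)]
    sigmas = [-pad_exponent(view, rnd) % Q for view in trustee_views]
    return stream_xor(relay.unblind(kappas, sigmas), x_enc)

def demo():
    n, m = 3, 2
    r = [[secrets.token_bytes(32) for _ in range(m)] for _ in range(n)]
    clients = [Party(r[i]) for i in range(n)]
    trustee_views = [[r[i][j] for i in range(n)] for j in range(m)]
    relay, out = Party(), []
    # Round 1: the relay broadcasts one DNS answer to everybody (constructed addresses).
    for party in clients + [relay]:
        party.downstream(b"example.test A 203.0.113.10")
    out.append(run_round(1, clients, trustee_views, relay, 0, b"GET /one"))
    # Round 2: the relay equivocates and gives client 2 a different answer.
    for party in clients[:2] + [relay]:
        party.downstream(b"example.test A 203.0.113.10")
    clients[2].downstream(b"example.test A 198.51.100.7")
    out.append(run_round(2, clients, trustee_views, relay, 1, b"GET /two"))
    # Round 3: an honest broadcast no longer helps, the histories have diverged.
    for party in clients + [relay]:
        party.downstream(b"example.test A 203.0.113.10")
    out.append(run_round(3, clients, trustee_views, relay, 2, b"GET /three"))
    return out
```

`demo()` returns what the relay decrypts in each round: the first round yields the plaintext, while the second and third yield unusable bytes, since the history stays diverged until it is reset.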
  • a malicious client or relay might try to falsely accuse the other in an attempt to defeat the anonymity of the network.
  • a malicious client can pretend to have received a downstream message different from other clients (i.e., may implicate that the relay 120 has launched an equivocation attack).
  • a malicious relay may pretend that an honest client is sending wrongly-computed values to cause a denial-of-service (DoS) attack.
  • Exemplary embodiments of the present disclosure solve these problems by requiring that both the clients 110 and the servers 130 sign every message they send using their public key.
  • honest nodes (clients, relay, servers) are protected from incorrect blaming (assuming that no node can forge signatures).
  • a malicious client or server may also send a wrongly computed ki to cause an anonymous denial-of-service (DoS) attack.
  • the requirement that each message be signed by the sender cannot prevent such an attack because the relay is unable to validate the correctness of the ki values.
  • the blinding key has a recognizable structure, e.g., a header.
  • the relay 120 can execute the equivocation-protection protocol to detect the DoS attack by checking the structure of the blinding key k obtained. If the blinding key's structure is incorrect, the relay 120 determines that an attack is in place and follows a procedure similar to the disruption protection protocol described herein.
  • the relay 120 stops the communications and sends a signed request to the clients 110 and servers 130 requesting that the clients 110 and servers 130 reveal the hash of the pads H(pij) used to compute their current ki values. If the relay 120 determines that there is a mismatch between a ki and the H(pij) values sent by a client or server, the relay 120 considers this client or server to be the disruptor. Otherwise, the relay 120 compares the H(pij) values revealed by the clients 110 with those revealed by the servers 130. There must be a difference, WLOG, among one of the H(pij) values revealed by one client and one server.
  • After the relay 120 identifies a mismatch between a client and a server, the relay 120 requests that the client and server associated with the mismatch reveal their shared secret rij, along with a zero-knowledge proof showing rij was computed correctly. To generate the pads for the disrupted round, the relay 120 seeds the PRG with these secrets. At this point, the relay 120 can determine which one, the client or the server, disrupted the round and can exclude the disruptor from the anonymous network.
  • the anonymity protocol can use an anonymous authentication mechanism, such as the Deniable Anonymous Group Authentication (DAGA) protocol.
  • client/members prove that they own a private key that corresponds to one of the group public keys, without revealing which one.
  • with anonymous authentication, an adversary is unable to easily tell whether a client is online, thereby enhancing the tracking-resistance of the anonymous network formed using the anonymity protocol.
  • Exemplary embodiments of the anonymity protocol executed by the clients 110, relay 120, and servers 130 can advantageously address the problems associated with trade-offs between anonymity and latency in anonymous networks by providing cryptographically- strong tracking protection for sender anonymity with unnoticeable "single-hop" network latencies by leveraging a client-relay-server architecture, in which the clients 110 execute a client component of embodiments of the anonymity protocol described herein, the relay 120 (trusted or untrusted) executes a relay component of embodiments of the anonymity protocol described herein, and trustee devices 130 execute a trustee component of embodiments of the anonymity protocol described herein.
  • Embodiments of the anonymity protocol are advantageously configured such that trustee devices add little to no latency to the network.
  • Exemplary embodiments of the anonymity protocol executed by the clients can also provide for strong receiver anonymity to protect against equivocation attacks.
  • FIG. 3 is an exemplary networked environment 100' including multiple relays in accordance with embodiments of the present disclosure, where each relay can implement embodiments of the anonymity protocol to form separate anonymous networks.
  • the network environment 100 can include the clients 110, relays 120A and 120B, and the trustee devices 130 (e.g., trustee devices).
  • Each of the clients 110, relays 120A-B, and trustee devices 130 can be configured with an embodiment of the anonymity protocol or portions thereof that can be implemented to facilitate anonymous, low-latency, tracking-resistant communications in the networked environment 100 as described herein.
  • the relays 120A and 120B can be implemented in a wireless access point that has a certain number of radio interfaces that can support a finite number of clients.
  • the relays 120A and 120B can be disposed in proximity to one another such that the clients 110 can be within range of the relays 120A and 120B and can connect to the network through either of the relays 120A or 120B.
  • the relays 120A and 120B can use the same trustee devices 130 (e.g., servers) and/or can use different sets of trustee devices. Adding relays in this manner can introduce several issues. As one example, if the two honest clients are connected to different relays (i.e., anonymity sets), they would have no anonymity at all (e.g., each relay is connected to only one honest client). As another example, the relay's ability to evict clients can be used to deny service or slow down honest clients to affect the client's anonymity.
  • R is malicious and it has two honest clients connected (i.e., other clients are malicious and colluding with the relay).
  • R evicts one of the honest clients, e.g., claiming that the client is slowing down the network, leaving only one honest client with no anonymity.
  • this attack would be detected (the evicted client is likely to complain), whereas in a multiple-relay scenario, the evicted client is likely to automatically connect to R'.
  • a set of management servers can be utilized to control to which of the relays a client connects.
  • the management servers can be one or more of the trustee devices 130 and/or can be a separate set of servers.
  • the management servers can utilize the anytrust model (i.e., at least one of the servers is honest).
  • the management servers can perform an anonymous authentication mechanism, such as the Deniable Anonymous Group Authentication (DAGA) protocol, to assign freshly-authenticated clients to one of the relays.
  • the assignment process can provide each client with a ticket, signed by the management server(s), specifying the relay to which the client can connect.
  • the management servers can use distributed randomness in the anytrust model, such as the RandHound protocol, to randomly and securely assign new clients to relays.
  • a relay evicting a client becomes visible, as the client will have to request a new ticket to the management servers.
  • Clients have administrative solutions (e.g., complaining to the IT services) and proofs (i.e., the issued tokens and the signed eviction request from the relay) of the abnormal behavior.
  • the management servers can maintain logs that can be automatically analyzed for abnormal behaviors (e.g., several clients suddenly leaving a relay) and trigger the appropriate administrative responses.
  • FIG. 4 is a block diagram of an exemplary client 400 in accordance with embodiments of the present disclosure.
  • the computing device 400 includes one or more non-transitory computer-readable media for storing one or more computer-executable instructions or software for implementing a client component 405 of the anonymity protocol.
  • the non-transitory computer-readable media may include, but are not limited to, one or more types of hardware memory, non-transitory tangible media (for example, one or more magnetic storage disks, one or more optical disks, one or more flash drives), and the like.
  • memory 406 included in the computing device 400 may store computer-readable and computer-executable instructions or software for implementing exemplary embodiments.
  • the computing device 400 also includes processor 402 and associated core 404, and optionally, one or more additional processor(s) 402' and associated core(s) 404' (for example, in the case of computer systems having multiple processors/cores), for executing computer-readable and computer-executable instructions or software stored in the memory 406 and other programs for controlling system hardware.
  • processor 402 and processor(s) 402' may each be a single core processor or multiple core (404 and 404') processor.
  • Virtualization may be employed in the computing device 400 so that infrastructure and resources in the computing device may be shared dynamically.
  • a virtual machine 414 may be provided to handle a process running on multiple processors so that the process appears to be using only one computing resource rather than multiple computing resources. Multiple virtual machines may also be used with one processor.
  • Memory 406 may include a computer system memory or random access memory, such as DRAM, SRAM, EDO RAM, and the like.
  • Memory 1306 may include other types of memory as well, or combinations thereof.
  • a user may interact with the computing device 400 through a visual display device 418, such as a computer monitor, which may display one or more user interfaces 420 that may be provided in accordance with exemplary embodiments.
  • the computing device 400 may include other I/O devices for receiving input from a user, for example, a keyboard or any suitable multi-point touch interface 408, a pointing device 410 (e.g., a mouse).
  • the keyboard 408 and the pointing device 410 may be coupled to the visual display device 418.
  • the computing device 400 may include other suitable conventional I/O peripherals.
  • the computing device 400 may also include one or more storage devices 424, such as a hard-drive, CD-ROM, or other computer readable media, for storing data and computer-readable instructions and/or software that implement exemplary embodiments of the client component of the anonymity protocol described herein.
  • Exemplary storage device 424 may also store any suitable information required to implement exemplary embodiments.
  • exemplary storage device 424 can store public keys, private keys, previous downstream messages, shared secrets, ciphertexts, round IDs, and/or any other information to be used by embodiments of the client component of the anonymity protocol.
  • the computing device 400 can include a network interface 412 configured to interface via one or more network devices 422 with one or more networks, for example, Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (for example, 802.11, Tl, T3, 56kb, X.25), broadband connections (for example, ISDN, Frame Relay, ATM), wireless connections, controller area network (CAN), or some combination of any or all of the above.
  • the network interface 412 may include a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 400 to any type of network capable of communication and performing the operations described herein.
  • The computing device 400 may be any computer system, such as a workstation, desktop computer, server, laptop, handheld computer, tablet computer (e.g., the iPad™ tablet computer), mobile computing or communication device (e.g., the iPhone™ communication device), or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein.
  • the computing device 400 may run any operating system 416, such as any of the versions of the Microsoft® Windows® operating systems, the different releases of the Unix and Linux operating systems, any version of the Android operating systems, any version of the MacOS® for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, or any other operating system capable of running on the computing device and performing the operations described herein.
  • the operating system 416 may be run in native mode or emulated mode.
  • the operating system 416 may be run on one or more cloud machine instances.
  • FIG. 5 is a block diagram of an exemplary relay 500 in accordance with embodiments of the present disclosure.
  • the relay 500 forms an access point to a network through which other devices can connect to the network.
  • the relay 500 can operate as a wireless and/or wired access point, a multi-port network switch, and an IP router.
  • the relay 500 includes one or more non-transitory computer-readable media for storing one or more computer-executable instructions or software for implementing lower levels of communications protocol for receiving and transmitting data between devices including, for example, one or more layers of the TCP/IP protocol, and/or for implementing a relay component 505 of the anonymity protocol.
  • The non-transitory computer-readable media may include, but are not limited to, one or more types of hardware memory, non-transitory tangible media (for example, one or more magnetic storage disks, one or more optical disks, one or more flash drives), and the like.
  • memory 506 included in the relay 500 may store computer-readable and computer-executable instructions or software for implementing exemplary embodiments.
  • the relay 500 can be a network appliance that is operatively coupled to an existing, conventional switch or router, where the network appliance can be programmed to implement the client component of the anonymity protocol to add anonymization capability (for compatible client devices) without modifying or upgrading a network's existing access points, switches, or routers.
  • the anonymization appliance may include a single port (or multiple ports) to connect to an existing switch/router, in the same way as a conventional server or other network appliances are often attached to networks. Such an embodiment may be less optimal from a performance perspective, but advantageous from a cost and ease-of-deployment perspective.
  • the relay 500 can include ports/channels 508 to facilitate wired and/or wireless communication between clients of the relay 500.
  • the one or more ports 508 can operate as local area network ports through which the clients connect to the local area network to which the relay 500 belongs.
  • the relay 500 can also include port(s) 510 for connecting the relay to another network (e.g., a wide area network, the Internet, etc.) to facilitate communication between the clients of the local area network and remote computing devices (e.g., webservers) on the wide area network, the Internet, etc.
  • The ports 508 and 510 can be associated with transceivers 512 with transmitters configured to transmit data and receivers configured to receive data.
  • the transceivers 512 can be realized as radiofrequency transceivers having antennas, optical transceivers, and/or electrical transceivers.
  • the relay 500 can also include switches 514 routing the data between the ports 508 and 510 and devices connected to the ports 508 and 510.
  • a processor/controller 502 and associated core 504, and optionally, one or more additional processor(s) 502' and associated core(s) 504' can execute computer-readable and computer-executable instructions or software stored in the memory 506 and other programs for controlling relay hardware including the ports 508, 510, transceivers 512, and switches 514 based on the communication protocols and the relay component 505 of the anonymity protocol.
  • Processor 502 and processor(s) 502' may each be a single core processor or multiple core (504 and 504') processor.
  • Memory 506 may include a computer system memory or random access memory, such as DRAM, SRAM, EDO RAM, and the like.
  • Memory 406 may include other types of memory as well, or combinations thereof.
  • the relay device 500 may also include one or more storage devices 524, such as a hard-drive, CD-ROM, mass storage flash drive, or other computer readable media, for storing data and computer-readable instructions and/or software that can be executed by the processing device 502 to implement exemplary embodiments of the relay component 505 described herein.
  • the storage 524 can store public keys associated with clients, ciphertexts received from clients and/or trustee devices, upstream messages, downstream messages, and/or any other suitable information for implementing the relay component of the anonymity protocol.
  • FIG. 6 is a block diagram of an exemplary trustee device 600 in accordance with embodiments of the present disclosure.
  • the computing device 600 is configured as a server that is programmed and/or configured to execute a trustee component 605 of the anonymity protocol.
  • the computing device 600 includes one or more non-transitory computer-readable media for storing one or more computer-executable instructions or software for implementing exemplary embodiments.
  • the non-transitory computer-readable media may include, but are not limited to, one or more types of hardware memory, non-transitory tangible media (for example, one or more magnetic storage disks, one or more optical disks, one or more flash drives), and the like.
  • memory 606 included in the computing device 600 may store computer-readable and computer-executable instructions or software for implementing exemplary embodiments of the trustee component 605 or portions thereof.
  • the computing device 600 also includes configurable and/or programmable processor 602 and associated core 604, and optionally, one or more additional configurable and/or programmable processor(s) 602' and associated core(s) 604' (for example, in the case of computer systems having multiple processors/cores), for executing computer-readable and computer-executable instructions or software stored in the memory 606 and other programs for controlling system hardware.
  • processor 602 and processor(s) 602' may each be a single core processor or multiple core (604 and 604') processor.
  • Virtualization may be employed in the computing device 600 so that infrastructure and resources in the computing device may be shared dynamically.
  • a virtual machine 614 may be provided to handle a process running on multiple processors so that the process appears to be using only one computing resource rather than multiple computing resources, to provide an environment that emulates clients, and/or to perform functions and operations for and/or on-behalf of clients. Multiple virtual machines may also be used with one processor.
  • Memory 606 may include a computer system memory or random access memory, such as DRAM, SRAM, EDO RAM, and the like. Memory 606 may include other types of memory as well, or combinations thereof.
  • the computing device 600 may also include one or more storage devices 624, such as a hard-drive, CD-ROM, mass storage flash drive, or other computer readable media, for storing data and computer-readable instructions and/or software that can be executed by the processing device 602 to implement exemplary embodiments of the trustee component 605 described herein.
  • The computing device 600 can include a network interface 612 configured to interface via one or more network devices 622 with one or more networks, for example, Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (for example, 802.11, T1, T3, 56kb, X.25), broadband connections (for example, ISDN, Frame Relay, ATM), wireless connections (including via cellular base stations), controller area network (CAN), or some combination of any or all of the above.
  • the network interface 612 may include a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 600 to any type of network capable of communication and performing the operations described herein. While the computing device 600 depicted in FIG. 6 is implemented as a server, exemplary embodiments of the computing device 600 can be any computer system, such as a workstation, desktop computer or other form of computing or telecommunications device that is capable of communication with other devices either by wireless communication or wired communication and that has sufficient processor power and memory capacity to perform the operations described herein.
  • the computing device 600 may run any server application 616, such as any of the versions of server applications including any Unix-based server applications, Linux-based server application, any proprietary server applications, or any other server applications capable of running on the computing device 600 and performing the operations described herein.
  • An example of a server application that can run on the computing device includes the Apache server application.
  • An experimental embodiment implementing the anonymity prototype was set up. The experimental embodiment relied on the NIST P-256 elliptic curve for asymmetric cryptographic operations, along with AES 128 bits for symmetric cryptography and SHA-256 as a hash function.
  • An embodiment of the anonymity protocol was deployed to a lab environment infrastructure with all nodes (clients, relay, trustee devices) running on different machines with the same specifications: 2.4 GHz Intel Xeon X3 processor with 16 GB of RAM.
  • the machines were deployed in two LANs, one for the trustee devices, with a latency of 100 ms, and one for the clients, with a latency of 10 ms.
  • The measured latencies are 106 ± 0.5 ms and 16 ± 1 ms, respectively, both over 10 samples.
  • the relay belongs to both LANs. All network links were 100 Mbps full duplex.
  • the total anonymized upstream throughput was evaluated when varying the upstream cell size corresponding to the number of bytes sent to the relay per round and per client.
  • The upstream speed at which the client transmits was measured.
  • The latency was measured as the round-trip time from the client to the relay, and back to the client.
  • the anonymity protocol can be executed by the clients, relay, and trustee devices to anonymize up to about 20 Mbps of traffic with a latency of 40 ms.
  • Standard network pipelining was used to reach the maximal throughput of 100 Mbps with almost the same latency.
  • The time during which no upstream traffic can be processed, which happens when one client abruptly disconnects or times out, was also evaluated (e.g., the time to reset/resynchronize).
  • The time to resynchronize can be managed by leveraging more computational resources, e.g., the anonymity protocol can continue to run, and a new instance can be run in parallel to facilitate a resynchronization, where the pre-existing protocol can be stopped when the new instance has been synchronized and is ready to communicate.
  • The number of clients and trustees can be varied, and measuring can begin when the upstream traffic stops being processed and can stop when the traffic restarts. Measurements can start with two clients, and more clients can be progressively added; this also handles the case of client disconnection, as the resync protocol depends on the final number of clients (e.g., adding 1 client to a setup with n clients results in the same time-to-resync as 1 disconnection in a setup of n + 2 clients). Results are visible in FIG. 8A, which shows that the time-to-resync increases both with the number of clients and trustees. For a given number of clients, FIG.
  • Exemplary embodiments of the anonymity protocol can be executed in parallel, for example, by connecting to any relay (and exchanging public parameters such as: the cell size, the number of clients, etc.), and collecting the public keys from the clients in parallel. Results are shown in FIG. 8B. In the optimized embodiments, the time is mostly spent on the network communication with the trustees, and is close to the theoretic minimum
  • the total upstream anonymized throughput of the anonymity protocol was measured when varying the upstream cell size, or the number of bytes sent per round and per client. To test the system capacity, one client and three trustees were run, and the upstream speed that the client got was measured. In addition, the latency (defined as the round-trip time from the client, to the relay, and back to the client) was measured.
  • FIG. 9 shows that more throughput is obtained with bigger upstream cell sizes, reaching about 21 Mbps of throughput along with a latency of about 40 ms. After a cell size of 110 KB, not only does the throughput stop increasing, but the latency increases drastically, as does the variance of the latency; this may be a point of saturation of the experimental embodiment of the anonymity protocol.
  • exemplary embodiments of the present disclosure can utilize windowing.
  • Upstream and downstream traffic are not independent: clients need to make sure that a malicious relay is not trying to distinguish them by sending different pieces of information to different clients. For that purpose, clients usually share a hash of the history of the received messages.
  • This means that the default way to send up and down cells is usually in lock-step: one cell upstream, one cell downstream, and so on.
  • FIGS. 10A and 10B show that by introducing a window mechanism downstream traffic can be processed at around 85 Mbps, close to the network limit of 100 Mbps; hence, given the appropriate parameters, execution of the anonymity protocol is not the bottleneck on the global downstream (e.g. a video stream from a web server).
  • Each device (dis)connection induces a re-synchronization (i.e., Setup + Schedule) time of D milliseconds, where D depends on the number of servers M and clients N, and the latency needed to contact them. We use the following approximation: 10 ms for the clients (i.e., emulating a busy LAN), and 100 ms for servers (located outside the LAN).
  • FIG. 11 shows typical values for D, which is on the order of seconds. Depending on the strategy, this time D is either direct downtime, or not if the re-synchronization happens in the background.
  • The naive approach kills the communication for every churn, and devices experience a downtime of D.
  • The abrupt disconnections approach uses the graceful approach presented above for connections (which can be enforced by the relay), yielding 0 downtime for connections, but assumes a worst-case scenario where all nodes disconnect abruptly (e.g., they do not cooperate, or they experience some network failure), yielding a downtime of D.
  • Table 1 provides three metrics for each of these strategies: the first metric is the raw number of communication interruptions, which directly comes from the node mobility in the dataset.
  • The second metric is the network availability percentage, computed as 1 - (downtime / total time).
  • the last metric is the maximum continuous downtime, the longest network interruption if the anonymity protocol is used with the aforementioned dataset. This last metric has direct impact on usability.
  • FIG. 12 is a graph that shows the size of the anonymity set versus the time, i.e., among how many participants a user is anonymous at any point in time. This is an essential anonymity metric that quantifies anonymity.
  • the variations are interesting, as they show user mobility. A high variance means that while connected, a user risks being less anonymous if unlucky (and many people disconnect suddenly); should the size of the anonymity set drop to 1, anonymity would be lost.
  • A prototype using an embodiment of the anonymity protocol was implemented in the Go programming language from Google, Inc. The performance of the prototype was evaluated on the Deterlab infrastructure (Deterlab: Cyber-defense technology experimental research laboratory, 2016. URL www.isi.deterlab.net).
  • FIG. 13A shows the latency of the system using an embodiment of the anonymity protocol, i.e., the time needed for an anonymized packet to be sent by the client, decoded by the relay, and sent back to this same client.
  • One random user is responsible for measuring those "pings", while others only participate in the protocol without sending data (i.e., the number of active users is 1, anonymous among all users).
  • The latency increases linearly, from 40 ms for 30 users (e.g., a small company) to 120 ms for 100 users, and scales well with the number of clients.
  • A major component of the latency is the buffering of messages by the clients; having only one slot per schedule, clients must wait for this slot before transmitting data. This waiting time is depicted by the lower curve in FIG. 13(a).
  • The scheduling mechanism was altered to allow slots to be closed.
  • a periodic reservation map allowed clients to anonymously specify if they want to send data; if not, the round is defined as closed.
  • the relay skips the closed rounds, which allows for shorter, more frequent schedules. For instance, if only one user wants to transmit, the relay alternates between reservation map and 1-slot schedules.
  • This reservation mechanism improves the situation where many users are idle. It induces additional delay in some cases, as the client needs to wait for the next reservation to open his slot, and wait again for his slot.
  • Other scheduling mechanisms e.g., embedded in each packet, or removing the schedule and allowing collisions
  • FIG. 13(a) shows slightly higher latencies (upper line in graph) than FIG. 13(b), because in the first scenario, the client has to reserve a slot and wait for it for each packet.
  • The anonymity protocol packs as many buffered packets as possible, using the upstream payload more efficiently.
  • FIGS. 14A-B show the benefits of using UDP Broadcast instead of unicasting to provide receiver anonymity. It can be seen that the time spent sending data increases linearly with the number of clients in FIG. 14A, while remaining negligible in FIG. 14B. Shorter round durations translate directly into lower latency for the clients. This experiment depicts how WLANs, which achieve broadcast naturally, compose well with anonymous communication systems providing receiver anonymity.
  • FIG. 15 is a graph that illustrates how pipelining can be used to reduce latency in systems where nodes wait on each other (e.g., DC-nets).
  • increasing the pipelining factor allows for decreases in the experienced latency by 2.25 at no other cost.
  • Exemplary flowcharts are provided herein for illustrative purposes and are non-limiting examples of methods.
  • One of ordinary skill in the art will recognize that exemplary methods may include more or fewer steps than those illustrated in the exemplary flowcharts, and that the steps in the exemplary flowcharts may be performed in a different order than the order shown in the illustrative flowcharts.
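The downstream-history check mentioned in the windowing discussion above, sketched in Go as an added example (not code from the patent or its prototype). It assumes a running digest h_i = SHA-256(h_{i-1} || cell_i) and that each report carries its position, so a client lagging inside the downstream window is not mistaken for a victim of equivocation; all names and cells are constructed.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Report is what a client attaches to its upstream traffic: how many
// downstream cells it has seen and the running digest over them.
type Report struct {
	Client string
	Cells  int
	Digest [sha256.Size]byte
}

// Client keeps the running digest h_i = SHA-256(h_{i-1} || cell_i), h_0 = 0.
// (Assumed construction; the text only says "a hash of the history".)
type Client struct {
	Name   string
	cells  int
	digest [sha256.Size]byte
}

// Receive folds one downstream cell into the history and returns the
// report for the new position.
func (c *Client) Receive(cell []byte) Report {
	h := sha256.New()
	h.Write(c.digest[:])
	h.Write(cell)
	copy(c.digest[:], h.Sum(nil))
	c.cells++
	return Report{Client: c.Name, Cells: c.cells, Digest: c.digest}
}

// Simulate delivers the listed cells to each client and collects every report.
func Simulate(delivered map[string][][]byte) []Report {
	var reports []Report
	for name, cells := range delivered {
		c := &Client{Name: name}
		for _, cell := range cells {
			reports = append(reports, c.Receive(cell))
		}
	}
	return reports
}

// FindEquivocation compares reports position by position and returns the
// earliest position at which clients disagree, with the clients grouped by
// the history they saw. Reports at different positions are never compared.
func FindEquivocation(reports []Report) (pos int, groups [][]string, found bool) {
	byPos := map[int]map[[sha256.Size]byte][]string{}
	for _, r := range reports {
		if byPos[r.Cells] == nil {
			byPos[r.Cells] = map[[sha256.Size]byte][]string{}
		}
		byPos[r.Cells][r.Digest] = append(byPos[r.Cells][r.Digest], r.Client)
	}
	positions := make([]int, 0, len(byPos))
	for p := range byPos {
		positions = append(positions, p)
	}
	sort.Ints(positions)
	for _, p := range positions {
		if len(byPos[p]) < 2 {
			continue // every client that reached p saw the same history
		}
		for _, names := range byPos[p] {
			sort.Strings(names)
			groups = append(groups, names)
		}
		sort.Slice(groups, func(i, j int) bool { return groups[i][0] < groups[j][0] })
		return p, groups, true
	}
	return 0, nil, false
}

func main() {
	a, b, c := []byte("cell-1"), []byte("cell-2"), []byte("cell-3") // constructed cells
	// Honest relay, windowed delivery: carol is one cell behind the others.
	honest := Simulate(map[string][][]byte{"alice": {a, b, c}, "bob": {a, b, c}, "carol": {a, b}})
	_, _, flagged := FindEquivocation(honest)
	fmt.Println("honest relay flagged:", flagged)
	// Equivocating relay: carol receives a different second cell.
	evil := Simulate(map[string][][]byte{"alice": {a, b, c}, "bob": {a, b, c}, "carol": {a, []byte("cell-2*"), c}})
	pos, groups, found := FindEquivocation(evil)
	fmt.Println("equivocation found:", found, "at cell", pos, "partitions:", groups)
}
```

Because the digest is chained, a single divergent cell keeps every later report in disagreement, so the check does not depend on catching the exact round in which the relay equivocated.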
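The reservation map described above lets the relay learn which slots are open without learning who opened them. The following Go sketch is an added example, not the patent's or the prototype's code: it assumes the reservation bits are masked DC-net style with pads shared between each client and each trustee, uses SHA-256 as a stand-in pad generator, and uses constructed secrets and a constructed slot permutation.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

const mapBytes = 4 // one bit per slot, so up to 32 clients in this example

type bitmap [mapBytes]byte

// pad derives the per-round mask shared by one client and one trustee.
// SHA-256(secret || round) is a stand-in PRG chosen for this example.
func pad(secret []byte, round uint32) bitmap {
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], round)
	sum := sha256.Sum256(append(append([]byte{}, secret...), r[:]...))
	var p bitmap
	copy(p[:], sum[:])
	return p
}

func xor(a, b bitmap) bitmap {
	for i := range a {
		a[i] ^= b[i]
	}
	return a
}

// sharedSecret stands in for the secret agreed between client i and trustee j.
func sharedSecret(i, j int) []byte {
	return []byte(fmt.Sprintf("constructed-secret-%d-%d", i, j))
}

// ClientCipher sets the client's own slot bit if it has data to send, then
// masks the map with the pads it shares with every trustee.
func ClientCipher(client, nTrustees int, round uint32, slot int, wants bool) bitmap {
	var c bitmap
	if wants {
		c[slot/8] |= 1 << (slot % 8)
	}
	for j := 0; j < nTrustees; j++ {
		c = xor(c, pad(sharedSecret(client, j), round))
	}
	return c
}

// TrusteeCipher is the XOR of the pads this trustee shares with every client.
func TrusteeCipher(trustee, nClients int, round uint32) bitmap {
	var c bitmap
	for i := 0; i < nClients; i++ {
		c = xor(c, pad(sharedSecret(i, trustee), round))
	}
	return c
}

// ReservationRound plays the relay: it XORs all ciphertexts so the pads
// cancel, and returns the open slots. slotOf[i] is client i's slot in the
// secret schedule permutation, which the relay never sees.
func ReservationRound(round uint32, slotOf []int, wants []bool, nTrustees int) []int {
	var m bitmap
	for i := range slotOf {
		m = xor(m, ClientCipher(i, nTrustees, round, slotOf[i], wants[i]))
	}
	for j := 0; j < nTrustees; j++ {
		m = xor(m, TrusteeCipher(j, len(slotOf), round))
	}
	var open []int
	for s := 0; s < len(slotOf); s++ {
		if m[s/8]&(1<<(s%8)) != 0 {
			open = append(open, s)
		}
	}
	return open
}

func main() {
	slotOf := []int{3, 0, 4, 1, 2}                   // constructed permutation
	wants := []bool{false, true, false, false, true} // clients 1 and 4 have data
	open := ReservationRound(7, slotOf, wants, 3)
	fmt.Println("open slots:", open)
	fmt.Printf("rounds per cycle: %d with reservation, %d with a fixed schedule\n",
		1+len(open), len(slotOf))
}
```

The relay recovers slots 0 and 2 only; mapping a slot back to a client requires the permutation, and each individual ciphertext stays masked even when the client is idle.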

Abstract

Exemplary embodiments of the present disclosure provide cryptographically strong tracking protection with unnoticeable "single-hop" network latencies by leveraging a client-relay-server architecture, in which the clients, the relays (trusted or untrusted), and trustee devices are configured to implement a distributed anonymity protocol, with the anonymization function adding little or no latency to the network.
PCT/US2017/057905 2016-10-21 2017-10-23 Systems and method for anonymous, low-latency, tracking-resistant communications in a networked environment WO2018076013A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662411334P 2016-10-21 2016-10-21
US62/411,334 2016-10-21

Publications (2)

Publication Number Publication Date
WO2018076013A1 true WO2018076013A1 (fr) 2018-04-26
WO2018076013A8 WO2018076013A8 (fr) 2018-12-20

Family

ID=62019075

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/057905 WO2018076013A1 (fr) 2016-10-21 2017-10-23 Systems and method for anonymous, low-latency, tracking-resistant communications in a networked environment

Country Status (1)

Country Link
WO (1) WO2018076013A1 (fr)

Also Published As

Publication number Publication date
WO2018076013A8 (fr) 2018-12-20

Legal Events

Date Code Title Description
DPE1 Request for preliminary examination filed after expiration of 19th month from priority date (pct application filed from 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17861331

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17861331

Country of ref document: EP

Kind code of ref document: A1