Lecture Notes in Computer Science 3424 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen University of Dortmund, Germany Madhu Sudan Massachusetts Institute of Technology, MA, USA Demetri Terzopoulos New York University, NY, USA Doug Tygar University of California, Berkeley, CA, USA Moshe Y. Vardi Rice University, Houston, TX, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany David Martin Andrei Serjantov (Eds.)
Privacy Enhancing Technologies
4th International Workshop, PET 2004 Toronto, Canada, May 26-28, 2004 Revised Selected Papers
13 Volume Editors
David Martin University of Massachusetts Lowell, Department of Computer Science One University Ave., Lowell, Massachusetts 01854, USA E-mail: [email protected]
Andrei Serjantov University of Cambridge, Computer Laboratory William Gates Building, 15 JJ Thomson Avenue, Cambridge CB3 0FD, UK E-mail: [email protected]
Library of Congress Control Number: 2005926701
CR Subject Classification (1998): E.3, C.2, D.4.6, K.6.5, K.4, H.3, H.4, I.7
ISSN 0302-9743 ISBN-10 3-540-26203-2 Springer Berlin Heidelberg New York ISBN-13 978-3-540-26203-9 Springer Berlin Heidelberg New York
Springer-Verlag Berlin Heidelberg holds the exclusive right of distribution and reproduction of this work, for a period of three years starting from the date of publication. Springer is a part of Springer Science+Business Media springeronline.com Printed in Germany Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India Printed on acid-free paper SPIN: 11423409 06/3142 543210 Preface
The first workshop in this series was held at the International Computer Sci- ence Institute in Berkeley and was published as LNCS 2009 under the name “Workshop on Design Issues in Anonymity and Unobservability.” Subsequent Privacy Enhancing Technologies (PET) workshops met in San Francisco in 2002 (LNCS 2482) and Dresden in 2003 (LNCS 2760). This volume, LNCS 3424, holds the proceedings from PET 2004 in Toronto. Our 2005 meeting is scheduled for Dubrovnik, and we hope to keep finding new and interesting places to visit on both sides of the Atlantic – or beyond. An event like PET 2004 would be impossible without the work and dedica- tion of many people. First and foremost we thank the authors, who wrote and submitted 68 full papers or panel proposals, 21 of which appear herein. The Program Committee produced 163 reviews in total. Along the way, they were assisted in reviewing by Steven Bishop, Rainer Bohme, Sebastian Clauß, Claudia D´ıaz, Richard E. Newman, Ulrich Flegel, Elke Franz, Stefan Kopsell, Thomas Kriegelstein, Markus Kuhn, Stephen Lewis, Luc Longpre, Steven Mur- doch, Shishir Nagaraja, Thomas Nowey, Peter Palfrader, Lexi Pimenidis, Klaus Ploessl, Sivaramakrishnan Rajagopalan, Marc Rennhard, Leo Reyzin, Pankaj Rohatgi, Naouel Ben Salem, Sandra Steinbrecher, Mike Szydlo, Shabsi Walfish, Jie Wang, Brandon Wiley, and Shouhuai Xu. We invited two prominent speakers to speak at the workshop: Ross Anderson explained the “Economics of Security and Privacy”, and Andreas Pfitzmann covered “Research on Anonymous Communication in German(y) 1983–1990.” In addition, we held two panel discussions, two lively rump sessions, and we enjoyed a number of memorable social activities. Slides from many of the presentations are available at http://petworkshop.org/ A successful workshop depends not only on an interesting program, but also on a hospitable venue and attention to detail. Alison Bambury did a fantastic job coordinating the local arrangements. Roger Dingledine managed the stipend pool, funded by Microsoft Corporation, the Information and Privacy Commis- sioner’s Office (Ontario), the Centre for Innovation Law and Policy at the Uni- versity of Toronto, and Bell University Labs. The stipend fund helped more than 20 people attend the workshop. Paul Syverson led the committee to determine the recipients of the PET Award for Outstanding Research, also funded by Mi- crosoft Corporation. Finally, Richard Owens, PET 2004’s General Chair, oversaw the whole event and ensured that everything happened as planned and within budget. We offer our thanks to all of you, and to everyone who contributed their time, interest, and resources to the 2004 PET Workshop.
January 2005 David Martin Andrei Serjantov Program Committee Co-chairs Privacy Enhancing Technologies 2004 Toronto, Canada May 26–28, 2004 http://petworkshop.org/
Program Committee
Alessandro Acquisti, Heinz School, Carnegie Mellon University, USA Caspar Bowden, Microsoft EMEA, UK Jean Camp, Kennedy School, Harvard University, USA Richard Clayton, University of Cambridge, UK Lorrie Cranor, School of Computer Science, Carnegie Mellon University, USA George Danezis, University of Cambridge, UK Roger Dingledine, The Free Haven Project, USA Hannes Federrath, Universit¨at Regensburg, Germany Ian Goldberg, Zero Knowledge Systems, Canada Philippe Golle, Palo Alto Research Center, USA Marit Hansen, Independent Centre for Privacy Protection Schleswig-Holstein, Germany Markus Jakobsson, RSA Laboratories, USA Dogan Kesdogan, Rheinisch-Westf¨alische Technische Hochschule Aachen, Germany Brian Levine, University of Massachusetts, Amherst, USA David Martin, University of Massachusetts, Lowell, USA Andreas Pfitzmann, Dresden University of Technology, Germany Matthias Schunter, IBM Zurich Research Lab, Switzerland Andrei Serjantov, University of Cambridge, UK Adam Shostack, Informed Security Inc., Canada Paul Syverson, Naval Research Lab, USA
General Chair
Richard Owens, University of Toronto, Canada
Sponsoring Institutions
Microsoft Corporation Information and Privacy Commissioner’s Office (Ontario) Centre for Innovation Law and Policy at the University of Toronto Bell University Labs Table of Contents
Anonymity and Covert Channels in Simple Timed Mix-Firewalls Richard E. Newman, Vipan R. Nalla, Ira S. Moskowitz ...... 1
Practical Traffic Analysis: Extending and Resisting Statistical Disclosure Nick Mathewson, Roger Dingledine ...... 17
The Traffic Analysis of Continuous-Time Mixes George Danezis ...... 35
Reputable Mix Networks Philippe Golle ...... 51
Secure Outsourcing of Sequence Comparisons Mikhail J. Atallah, Jiangtao Li ...... 63
An Improved Construction for Universal Re-encryption Peter Fairbrother ...... 79
Electromagnetic Eavesdropping Risks of Flat-Panel Displays Markus G. Kuhn ...... 88
On the Anonymity of Banknotes Dennis K¨ugler ...... 108
FLASCHE – A Mechanism Providing Anonymity for Mobile Users Alf Zugenmaier ...... 121
Cryptographically Protected Prefixes for Location Privacy in IPv6 Jonathan Trostle, Hosei Matsuoka, Muhammad Mukarram Bin Tariq, James Kempf, Toshiro Kawahara, Ravi Jain ...... 142
Protecting User Data in Ubiquitous Computing: Towards Trustworthy Environments Yitao Duan, John Canny ...... 167
Synchronous Batching: From Cascades to Free Routes Roger Dingledine, Vitaly Shmatikov, Paul Syverson ...... 186
On Flow Correlation Attacks and Countermeasures in Mix Networks Ye Zhu, Xinwen Fu, Bryan Graham, Riccardo Bettati, Wei Zhao .... 207 VIII Table of Contents
Measuring Anonymity in a Non-adaptive, Real-Time System Gergely T´oth, Zolt´an Horn´ak ...... 226
Panel Discussion — Mix Cascades Versus Peer-to-Peer: Is One Concept Superior? Claudia D´ıaz, George Danezis, Christian Grothoff, Andreas Pfitzmann, Paul Syverson ...... 242
On the PET Workshop Panel “Mix Cascades Versus Peer-to-Peer: Is One Concept Superior?” Rainer B¨ohme, George Danezis, Claudia D´ıaz, Stefan K¨opsell, Andreas Pfitzmann ...... 243
A Formal Privacy System and Its Application to Location Based Services Carl A. Gunter, Michael J. May, Stuart G. Stubblebine ...... 256
Privacy-Preserving Trust Negotiations Elisa Bertino, Elena Ferrari, Anna C. Squicciarini ...... 283
Language-Based Enforcement of Privacy Policies Katia Hayati, Mart´ın Abadi ...... 302
Searching for Privacy: Design and Implementation of a P3P-Enabled Search Engine Simon Byers, Lorrie Faith Cranor, Dave Kormann, Patrick McDaniel ...... 314
Contextualized Communication of Privacy Practices and Personalization Benefits: Impacts on Users’ Data Sharing and Purchase Behavior Alfred Kobsa, Maximilian Teltzrow ...... 329
Panel Discussion — Conforming Technology to Policy: The Problems of Electronic Health Records Richard Owens, Ross Fraser, William O’Brien, Mike Gurski ...... 344
Author Index ...... 345 Anonymity and Covert Channels in Simple Timed Mix-Firewalls
Richard E.Newman1,Vipan R.Nalla1, and Ira S. Moskowitz2
1 CISE Department, University of Florida, Gainesville, FL 32611-6120 {nemo, vreddy}@cise.ufl.edu 2 Center for High Assurance Computer Systems, Code 5540, Naval Research Laboratory, Washington, DC 20375 [email protected]
Abstract. Traditional methods for evaluating the amount of anonymity afforded by various Mix configurations have depended on either measur- ing the size of the set of possible senders of a particular message (the anonymity set size), or by measuring the entropy associated with the probability distribution of the messages possible senders. This paper ex- plores further an alternative way of assessing the anonymity of a Mix system by considering the capacity of a covert channel from a sender behind the Mix to an observer of the Mix’s output. Initial work considered a simple model [4], with an observer (Eve) restricted to counting the number of messages leaving a Mix configured as a firewall guarding an enclave with one malicious sender (Alice) and some other naive senders (Cluelessi’s). Here, we consider the case where Eve can distinguish between multiple destinations, and the senders can select to which destination their message (if any) is sent each clock tick.
1 Introduction
In [4] the idea of measuringthelack of perfect anonymity(quasi-anonymity) via acovert channelwas initiated.This idea was formalized in [5]. Our concernin thispaperistoidentify, andto calculate the capacityof, the covert channels that arise from the use ofaMix [8,6] as an exitfirewall fromaprivate enclave (as briefly addressed in [4–Sec. 4].) In general, we refer to acovert channel that arises, due to a state ofquasi-anonymity, as a quasi-anonymous channel[5].The quasi-anonymous channel also serves the dual role ofbeing a measure ofthelack of perfect anonymity. [1] uses a similar model forstatistical attacks in which Eve correlates senders’ actions with observed output.