 So, uh, hi to all of you guys first of all, I would like to know who already is familiar with DC dining crypto girls Okay, a few of you Today I'm going to talk about a technical solution against data retention I will put an emphasis on the current Anomization technologies and which problems they bear inside and Then I will introduce you the dining cryptograph as technology or the idea behind it and then Tell you also about some advanced mechanisms behind this idea and then I will speak about the implementations with which I did and within the last 10 months or so during my diplomatizes and of course also I have an agenda, sorry and Of course, I will give an outlook which is possible. How should the future look like and then we have plenty of time for questions So I hope you brought some Or then you will have some So what is the current approach of anonymization technologies? if people are speaking about anonymization, it's most of the time mixed networks or mixed cascade and the two most famous representatives are Tor on your router and yep and They work as follows more or less the same principle. There is a network or a compound of mixes so-called mixes and Ascender can construct envelope channels encrypted channels through these mixes to hide the Fact who is communicating with whom and if there are different sender a second for example does the same Then from outside it will become very difficult to find out who's who's communicating with whom So I guess everybody of you will already know about this idea So what problems do we have I will first start off with the with the weakest problem Compared to DC networks We have weak encryption as it's only computation theoretically secure So a strong attacker might be able to break the encrypted channels and then unveil the Identities of the users This is not a current problem, but if we keep using stronger and stronger computers This might become a problem very soon But for the time being it's good enough and to be honest. I'm also using Computational a secure keys only. It's just that DC offers the possibility to have better keys the Second problem that I would like to mention is the unknown anonymity set so if you if you speak about anonymity, it's about hiding identities and So sometimes it can be a little bit complicated to to Can seem a bit strange to Think about knowing the other Participants of the identity set would be a good idea, but I think if you want to If you want to keep your anonymity in a good quality, you have to know your anonymity set So you also have to know who other participants or who other users which other users are using the anonymization technologies Because if you don't know them If you don't know the exact anonymity set Intersection texts can be very easy So if you have a strong attacker who can measure who is using an anonymity service or not and then is Regarding the traffic over the anonymity set and then he can maybe detect On Tuesdays, there are two guys speaking about one subject and on Wednesday. There's only one of them speaking And and this kind of subject appears. So it's probably one of them Or it's it's probably the the guy that speaks on Wednesday. So This is the intersection attack and this is possible if you don't know the anonymity set so And now I come to the biggest problem The trust relies in the mixes so normally you have a pass through three mixes and You have to trust at least one of them On that in general the anonymity can be unveiled either if all the Other users are other users of The anonymity servers work together or if all the mixes work together Now the question is are the mixes trustworthy and this is a point where I back to be where I back to defer because What is if we have something like a malicious tor servers net tor servers net is an organization who put a lot of money and effort into Building up tor servers It's a it's a great idea and a great organization. I support them Because what they do I think they are trustworthy because I know them. Yeah, but What they do is they mark their service as a family so they stay The people can choose a pass through different families of mix compounds. So But what if an attacker put a lot of money in Setting up tor nodes without Marking them as one family then the probability would be very high to have a path through untrustworthy notes another problem that we also face probably In Germany also with our next parliament It's data retention law. So if a law would enforce the operators of anonymity services To open up all the connections all the mixing tech techniques That they are doing then the anonymity would be easily unveiled as You can see on this picture. Most of the this depicts the tor nodes and About half of the tor nodes is located are located in in Europe So if we have a European data retention law that would enforce the Operators to open up all the mixings that they are doing Would have a big problem for the tor service so now I would like to come to the DC part of This talk the dining cryptographers Which can be seen as a technical solution to data retention because data retention cannot attack Yeah, the anonymity in DC networks and Officially the DC networks are invented by David Chalm in 1998 88 and it stands for dining cryptographers, but By random it's the initials of his name And it's a round-based Message exchange principle where all the participants take part in one round to accept to exchange exactly one message So to make it even more clear Doing one round one participant can say exchange exchange or send a message and all the other participants that are using the service at the same time help him to anonymize the sending process and The idea behind DC networks offers sender and recipient anonymity So how do we achieve sender anonymity first of all the participants would have to exchange keys among each other Okay, I was the car. Okay so first the participants would have to exchange keys among each other and the more keys I exchanged the better it is because The anonymity set equals the trust the trustworthy participants that share one key graph so Even if you don't know all of the other participants Maybe the probability or not maybe but the probability is high that there are many trustworthy other Participants using the service and it doesn't cost you anything to exchange keys so and if you want to do a DC round You have to use a new key each round So what people do normally is they exchange key generators instead of keys And there they can use a real random or pseudo random bit streams Of course, if you have real random bit streams, then you have very strong Unanimity if you pseudo bit stream run Yeah pseudo random bit streams Then you will face the same problem that it's computationally attackable. So to display to Give you an example how DC round could could work you can here you see three participants p1 p2 and p3 and P1 is pink because he is allowed to send this round You can see it by indicated by the m1. It's the message one which is five So he wants to submit a five in this round And he has exchanged a key with participant number two Which is one and he has exchanged a key with participant number three, which is three and At the same same time you can look at participant number two He doesn't send a message this round because it's number one's Turn to send and the queue at the key that he uses with Participant number one is the inverse Of the key that they exchanged and there's an algorithm to find out which one of the participants uses the inverse and which one uses the normal key and The same for participant number three So what they do is they Add up a local sum. Yeah, it's normal adding five plus one plus three is equals nine and The others do seven and negative eleven and these local sums are transferred to the DC service This is what can be observed by the Data retention, but there is nothing because they these key and these messages these local sums are like one-time pads There is nothing that is is is worthy to be observed and the local DC so the DC service that takes local sums and ups adds them up to a global sum and what comes out is the message that participant number one intended to send To have recipient anonymity the next step would be for the DC service to broadcast this Message this global sum back to the participants This way the probability that the message is Destinated for one of the three participants is equal. So it's perfect So I'll explain to you the send and respond anonymity of normal DC But what I said is like a participant can exchange Change only one message and the other participants have to send zero or the neutral element So what we also I need to to do is to find out which participant is allowed to send in which round and therefore you need a reservation phase or a reservation and Sequence of rounds which is defined by the reservation phase and the sending phase which are both anonymous are defined as work cycles in the DC terminology How does a reservation work there are different methods to do a reservation? The one I chose in my implementation is called collusion resolution method as I already stated it's anonymous and it's Done as such that you have especially formatted DC messages and You send them to to the DC service and observe the result and By doing that several times in a row you can find out when is your turn to send It takes a deterministic amount of rounds for a certain number of participants who find out the order of sending process But are we safe now now and not really if you're only a passive attacker then you can gain no special information By just observing the local or global sums, but if you are an active attacker You can attack the anonymity by delaying or modifying the broadcast So I give you an example the evil DC networks now What's the broadcast the global sum a to Participant one and participant three, but a prime to participant number two and they Like this animation and in round n and if the evil DC networks Observes an answer a prime prime to the global sum a prime And one of the following ones it can only be from participant number two Because all the other participants did not receive a prime, but only a so The evil DC network would know that Participant number two was original or was the real recipient for this message And he also knows that the reply is a prime prime So what is the solution to this problem The solution is to take The old messages the old global sums that each participant receives into account when generating new keys There are two ideas to do this There is this deterministic fail stop Which takes all the old History all the history of receive messages into account and then there's also Probabilistic fail stop which only takes into account the last message and the last key used I'll give you an example how it could work So a key This is probabilistic fail stop a key to the time for the round number T between Participant I and J would consist of Random number for the the random key for the time t and also another random number for the time T which is B and And the key from the old round plus e which is a it's a secret exchange constant It doesn't change and I is the the message character the global sum which was received in the In the round that just happened before Fail stop keys Would have unequally distributed global sums in Into causing result into So unequally distributed global sums would cause junk on the on the global sums So the attack on the anonymity Can be detected by because if you do not observe the your message on the network then You know that somebody attacked or try maybe try to attack the anonymity and Yeah, you can react somehow and the anonymity itself remains the Bad side is that the service becomes unavailable Because if there's one's junk on the global sum it will propagate into the following some so You also need to think about If you design such a protocol how to re-sync Or how to get the service restarted? Yeah, the other attack which can be Next to an attacks on anonymity is the attack on availability We have already seen that anonymity is very strong within the DC networks, but the availability is quite weak on DC networks so Not only that we use a lot of bandwidth to exchange just one message But the participants can send when they are normally not allowed and as I just stated this will cause junk in the global sums and If we have normal DC Keys like in the Animation that you just saw then just one round is disturbed But if you use those advanced key generation mechanisms The following rounds will be disturbed as well There are in theory already algorithms to unveil the Anteca step-by-step And to exclude him, but therefore you need an extra network in parallel with the feature to be highly available and The other Bad thing is that transmission errors have the same appearance as a tax on availability but there the counter measurement is just to sign the messages so you can Detect whether somebody transmitted junk on purpose or whether it was just a transmission error So to recap the the introduction of DC networks DC is Technology which offers very defined anonymity The anonymity that does not rely on trust in the service itself It can provide information theoretical anonymity if you use those real Real random keys and The attacks on integrity and confidant reality are easily detectable of course, I have to mention the cons its scales with difficulties and The availability is easily attackable, but I mean if you want to have anonymous communication sometimes the availability can be put behind the quality of anonymity So now the protocol and the implementations in my Diplomatizes I designed a protocol which defines the reservation and sending phase It allows the participants to join and to leave The service dynamically so all the papers think about permanent participants, but in real reality Participants want to go offline and drive through a tunnel. So you have to think about how to do that and It allows variable message links So people can decide I want to send two characters or three message characters and so on and It's designed to be very low overhead as the the method itself already consumes a lot of bandwidth secondly the Protocols allows on-the-fly key exchange. Of course, then the keys are pseudo random bit streams and They are digitally signed so you can verify other participants identities so you can Consider for yourself other people as trustworthy or not by telling the different signatures apart and The protocol is open for key different key generation methods. So for example the three of Those which I already presented to you The protocol as well resings on attack On the availability. So if somebody is disturbing the Communication as we already saw the protocol is already automatically resinking and All does it as well if Advanced key generation methods are used The flaws of the protocol are that a determination of the attacker is not yet possible as there is no management network available and It's yet based on a central DCU service what I did as well is an Real-time not real-time, but it's an implementation in Java. It's a library Which implements the presented protocol as a service and as well the participants and It automatically maximizes the key exchange graph So you will be as anonymous as you can be within the set of Participants and it offers a nice API. So even if you don't really understand everything what I just said you could use it and Provides some unknown its communication for your applications It provides normal key generation as well as these fail-stop mechanisms, but it's also open to new To new key generation algorithms and it's they are quite easily pluggable If the DC if DC minus minus it's the name of the implementation Sees errors on the Within the communication it retries automatically to to resend so that's also nothing that you have to keep track of and Also here. There is no extra management network. So also here the unveiling of the attacker is not possible yet I also did some other implementations, which is Alan DC It's the same button Alan as I'm a big fan of Alan and it's Maybe less scientific and more heckable and more Suited for this kind of problem and what I also did is a multicast library which adds up Multicast layer above this DC communication because often The participants are not interested in all the global sums, but only in a few so they can pick up a Multicast channel and then only receive those messages For this channel It's transparent what I also did were some measurements I measured it within the planet lab the planet lab is a compound of scientific Organizations they put up computers in the internet and it's more study than a laboratory measurement as I used the real internet and I have only little influence on the participants as they are doing other tasks as well and The only attention I paid to were choosing the participants locally So the latency would be minimized and now there's a big surprise if you have ten participants with fully exchanged key graph One kilobyte message length you have about one kilobyte per second per participant Which is not too much And But you have to compare what what does it mean if you trust those ten participants as you would trust the mixes that you use and tour this means that you take a Route through ten tour mixes so it's the same quality of anonymity and Of course if you take this deterministic probability deterministic fail stop key generation Mechanism Which takes into account all the message history you end up by two bytes per second per participant Which is of course not very good and the other algorithms are within the same magnitude and I found out that it's not a bandwidth problem, but a problem of advanced key generation method and DC networks are Synchronous so it depends on the support of every participant and in general the Participant needed about 40% of a round time for key generation but The slowest participant Always needed around about 80% of the round time. So they were very very slow. So the idea now to counter this This problem would be to install hierarchical DC networks Where you have a Very low quality DC networks where the people could participate and after a certain amount of time if they prove that they can Send the message fast enough they could Step one level up to a DC network of a better quality where they would do Quality contact contracts regarding the the speed in which they send Of course, I didn't mention it in the in the slides, but the the protocol also supports timeouts So you can also define a timeout and after if the participants do not send within the timeout they get kicked kicked out and and the Communication can continue so a little early I come to the future of DC networks It's my great wish to decent relies It's possible, I think I have some ideas from BitTorrents in mind to Distribute the the commentary in the computation of the global sum and What we need as well is the management network to unveil the attackers to be able to exclude them and Of course one could play with hierarchical DC networks and reputation systems to make the quality a little better so What you should take home is There are other anonymity services than only mixed networks This is one of them DC networks can offer a technical defense a day against data retention So if a politician comes and says like data retention would Be the solution to every blah blah blah terrorist attack and so on You just say them they would use DC networks and they would they would be safe. So never mind and DC networks also if they are not suitable for your Daily communication yet. Yeah, I want to emphasize yet They can maybe be a building block within your application design with your Protocol design so you have something that which offers a high and deterministic degree of anonymity And I think I'm already done a little early. Sorry for that So now I'm open for questions. Yes Thank you. Thank you so much for the presentation was really good And if you have questions, just raise your hand and I will get around to you Sorry something that I wanted to to say before the question maybe I think here the this one was the first one No, no, okay. So if you are interested in this research topic I'm on a new material in general Please contact me and help me to to develop this this method and this idea that would be great Okay, now to the first question Could you go into some detail on the on how you Detect attackers through the management through the the management network and Why an attacker wouldn't be able to out the identity of another anonymous participant with With this technique, I didn't get the question one of the the So if you have a you have a malicious participant an attacker who's injecting noise into the system. Yes the There's a management network. Yes, that allows you to reveal Only the malicious participant. How exactly does that work? Okay, the idea behind this? Normally, there's there's nothing on the management network. You would only use it in In times of trouble. Yeah so If you observe some some noise some junk and the global sums people start to you send a traps Trap messages, which are not really a confidential But as the attacker doesn't know when people are sending confidential network messages or not It wouldn't be Maybe he would attack such a trap and then it wouldn't be a problem to open up the the keys for that round and by opening up all the keys On in the management network, it would be able to find out who was the one that betrayed the others and of course There can be two Participants claiming, okay, I use because it's always two participants sharing one key, right? So there can be two participants saying, okay, I use key a and the other one is said yeah But we we said to use key B And the others cannot know so what what they do is just that they stop exchanging keys and by Then they would continue to to communicate and If you observe global sums junk in the global sums again, then again, you would try to to open up the keys On a trap message and then there's again this probably the attacker and another participant and There would also be key a and tb so and over the time the attacker would would Stop exchanging keys with all the participants. So he would result alone and had no more influence That's that's the did you get it more or less? Okay. No problem. Next question, please One question from IRC How does it how well does it scale? Have you tried with a couple of hundreds participants? I scaled up to 30 participants and It became very I mean It's still work, but it became very slow so that and I think to to to perform 70 work cycles I needed 14 hours with The probabilistic key exchange a key generation method so It's not good enough yet Okay, the way I understood you I'm here The more people you have Participating in in message exchanging the lower the bandwidth per person gets is that correct? Like the more people you participate. Yes But as you already hinted you mentioned multicast This disadvantage partly disappears if you have one too many communications. I didn't get the last part Like part of this deficit disappears if you have one too many Communications, so if you have some some sort of broadcast or yeah, yes, because I said so actually wouldn't it be very interesting to use this for stuff like, you know, Twitter or Radio video broadcasting that kind of thing. Have you put any thought into that? Yes I'm of course Twitter is the first thing that comes into your one's mind if if you are designing such a Example program for example So yes, that would be Twitter is a very good application another good application would be anonymous anonymous distribution of files like Exchange pure peer-to-peer Exchange so but therefore it would be even nicer to to decentralize and to remove the central base But yes, you're you're right when you have the Different clients connecting to a DC network and using it like a substitute for tour or yeah, and you have like you know, it's which are providing the entry note and you have like clients using it and you're nothing doing to protect their their IPs because Every client has to change keys with every other peer. So I know all IPs of all peers within the network So I can tell if the client is is using it and then blocking them as an Evil attacker, so okay as I already stated the the services yet central centralized and Key exchange itself also Goes over the server. So the participants Participants do not see each other's IP addresses, but only the key IDs And they are related of the service, but the service itself can of course see all the participants using it and if there are Governance that want to block a certain service and you only have one central DC server Then they block it and then it's gone. Yeah, but that's an availability problem Over there. Okay the next question over here Okay in one slide you have shown P1 to P3 where P1 was sending the number five. Yes, and he has only got Positive numbers and the other ones had the opposite So the question is if he's only allowed to generate positive key numbers then the person with the highest Some is the sender. No that was just the example for Yeah Yeah This one so Here you have the the nine the seven and the negative eleven only one participant has a negative Local sum and this is just to make it easy for you to understand normally everybody would just sum up and then Before our hands calculate the the key a little bit different and use modulo something So there's I only use positive integers Give a limited bandwidth. How many users could you accommodate in one network? as I stated already at the moment the The Problem is not the bandwidth. It's the key generation time. So 80% of around duration is taken by the slowest participant to generate the keys and That's the biggest problem. So I I also have to improve the key generation. Maybe do it and see and not those slow programming languages Okay, any more questions from the audience First of all, thank you for a talk I was wondering you mentioned that there is an attack on the Availability which slightly looks like an error in the package and Your solution or your suggested solution was to use signature on it But as far as I understand the signatures, it would actually fairly reduce your degree of anonymity within the network So how would you sign that what would you suggest as a signature algorithm? That won't reduce the anonymity So what what you already is assigned is are the keys so the users of the service itself Are known yeah are considered to be known This is the advantage also in my in my eyes If they use the same key to to sign the glow at the local sums You can see What a attacker from outside could also see which Sender which participant would transfer which Local sum there is no Additional information. It's just cryptographically verified that kid could not that there is no External attacker in between the line modifying the the data So that's Well, was it good enough there the answer or maybe I didn't get your question, right? Fully about it. Thanks. Okay. Thank you very much Any more questions from the audience If not, I want to thank you all for the patience and Want to thank clubs for the really good presentation and give a big round of applause for him