
Anonymity and Covert Channels in Mix-Firewalls

INGEST IEID E20110114_AAAAGA INGEST_TIME 2011-01-15T04:30:29Z PACKAGE UFE0007303_00001
AGREEMENT_INFO ACCOUNT UF PROJECT UFDC
b31a3af04ae4ffd98e0d5ed309387861
ea1f6d76a2b10fcf033e5b2fc54521aea314911a
1068376 F20110114_AADRXP nalla_v_Page_11.jp2
b11611324c78cb1b4cc7034fae97658f
eb277dc69727ef88ea9d7cbf1a72f7aebddcb051
56781 F20110114_AADSDJ nalla_v_Page_25.pro
955a20b75d565b4469aea6d391abd53d
bac9ccbf7055003e88df2a1f584351b8b1792f44
1087879 F20110114_AADRYD nalla_v_Page_28.jp2
56860f379b449487a303b0708667ec86
ca3c5e66b33e4e08b29673065ec3a46a4f7a738b
24143 F20110114_AADSCV nalla_v_Page_07.pro
b5c9e71452c5a99e2bd366aae4e3a940
3b02d525497cc5df975c78873a56f142606aaaa0
154081 F20110114_AADRXQ nalla_v_Page_12.jp2
d0021d274fe2eec42c490bcd7dcb8a94
e97e6623f4fb89004715086140b0361c8196f2b2
64572 F20110114_AADSDK nalla_v_Page_27.pro
ccc607d4338d77f909c2345d5c970cff
f7e7b0738271ac9d8a7eddeec6c07989203f1b68
1087832 F20110114_AADRYE nalla_v_Page_29.jp2
d09e3c3a3077791f5ee69762411d148e
21841a60bd23357610b2395030daa3fe1c9977d5
44140 F20110114_AADSCW nalla_v_Page_08.pro
17a7a9f91ad523e0c3073d72d6c19ae5
536f4deb70107a78e4f82d59fb87fa0d0cdd8bd2
F20110114_AADRXR nalla_v_Page_14.jp2
7ac5a123c55b3590b67d416c7fe5d8a3
7d2b1f26c9fd5191141fa989039b2c6e814ecc52
62891 F20110114_AADSDL nalla_v_Page_29.pro
37f0b0671d03dcef525ece25587dc215
b627423488d0a4984e0d4e4d5aa3768a79134018
57190 F20110114_AADRYF nalla_v_Page_30.jp2
6c557658a5c7a5b46704e2c571ca0248
2ff9de6eedaf26430637bdeaa8cdf0f86f0b42f0
54932 F20110114_AADSCX nalla_v_Page_09.pro
0d886391aa8c828445634b7a3ed95b24
ba49789801c7d58535439139ff7b5e256361a6a5
49661 F20110114_AADSEA nalla_v_Page_45.pro
af8f36cc1134a4408d07a3750a15019f
ad85516afad5b4f038004ef596ffb2b7067c7d16
25583 F20110114_AADSDM nalla_v_Page_30.pro
d32d27a3e9e8dec2baabb206bea224b1
0db4697509d50fa885dcdb1ae67307bc05197c28
1087864 F20110114_AADRYG nalla_v_Page_33.jp2
71955f94bac27d2ad0d716813c8117ef
dcf5065804c9ce2972f50860cb965abac6505eca
78813 F20110114_AADSCY nalla_v_Page_12.pro
833dfae9d91d38b4f8445b5d0cf01d4b
80e8abfc7c4b4df62217aac4928b25a831bcbe90
1087872 F20110114_AADRXS nalla_v_Page_15.jp2
048478a8fb18f6e9c83aecc66372ffca
639d8d219865fccb8073136f5ea0f99db033b9aa
26450 F20110114_AADSEB nalla_v_Page_46.pro
54a9872add325ec91085d8183cf10ad0
c174145efb97955ef532a8f1ce3f8d2122833b06
49509 F20110114_AADSDN nalla_v_Page_31.pro
489c6e448c971779da7d7fc0e846efa2
41a1fe9117774134b65019791c1141bd06c179c3
801738 F20110114_AADRYH nalla_v_Page_34.jp2
43fcad62d1493b71a093c15e1d522cd4
5e3f48bf3148aad49ea7f5c7762320ab22255dd0
69764 F20110114_AADSCZ nalla_v_Page_14.pro
ab20376ddb0b76b38c2df856c517affa
234e128492362cc04e93e959cb3d46d0c63f0dfb
1087875 F20110114_AADRXT nalla_v_Page_18.jp2
48060f0ef19389b58398283beb16cc91
aa24dc1c3e004e39da145764d139cb3bcb6ae334
47166 F20110114_AADSEC nalla_v_Page_48.pro
802f3c9772928e1d98344e17627286c6
9b5b0eee1982a24da4a89cc5f898726727985cd5
58095 F20110114_AADSDO nalla_v_Page_32.pro
e7524cb4b07615c4cd50600d4d130ea1
f28d337be51b97e7f5a2d9ec79fe199ca3746d64
F20110114_AADRYI nalla_v_Page_35.jp2
f5d151014e690015462ac10dcf7ced5a
7b544351b9f235d34c5e5474f9e217b1e517114a
1087897 F20110114_AADRXU nalla_v_Page_19.jp2
46836f15cc39ff8335c8016ff41c89ab
f478926bda94fedf5b593c78c6ae3bda6817ed14
60374 F20110114_AADSED nalla_v_Page_49.pro
778167d24e1736f81992ad248c0ac7b4
d5d4f72013a5e9e0ae2cedcb45350a7c8d49ff3d
64332 F20110114_AADSDP nalla_v_Page_33.pro
2a4dc1725e433753544e0d121fd6a5fd
0250a274191c8e0433d0cdea1e06a91f0fe03daf
130978 F20110114_AADRYJ nalla_v_Page_37.jp2
da7388c67b43bbd233c82e471db2918a
5c6d2ad09057f2a9046235489306a05bd77e8481
1087891 F20110114_AADRXV nalla_v_Page_20.jp2
ae9cfc627f0b941fce7c4144d740aa9b
fc2bb364dd93a8bcf20b66eb10550caf9cfcfcc9
55419 F20110114_AADSEE nalla_v_Page_51.pro
24d3fa880d0d6377a79815f05b1164cc
d0091c0c1017c3e8a703bbfcc8688b16e1667076
32952 F20110114_AADSDQ nalla_v_Page_34.pro
1ebcfa47c6812b921d1dcb75de0e0cae
0911e8bc968578f22e2af489356fe9b48fe4708e
1087834 F20110114_AADRYK nalla_v_Page_38.jp2
5598830d12a3e0c5c6bcc6caf44e223e
0e9dd3d9baaeaf90663ce682d981e8f39d073585
1087881 F20110114_AADRXW nalla_v_Page_21.jp2
20146be0243893eee63d5b544184a068
64285cff9a34897242a5b4e356189677ee60f8a9
53037 F20110114_AADSEF nalla_v_Page_53.pro
14fc69a387c61c466b307de3a7d5263f
5d30e5919edc0ef5cd1607cb687b110ec0e0785e
50906 F20110114_AADSDR nalla_v_Page_35.pro
5b555a0c69d032dfc5229b3af27fede9
9ec4d44e523c33dd6c51169c79e72ae783e931a9
F20110114_AADRYL nalla_v_Page_39.jp2
ac61dbac6e77935cced8494e044fdf1d
1b2e22785ac345bb676ec96e7136ded59b375f70
1087838 F20110114_AADRXX nalla_v_Page_22.jp2
16253ae47fb4a52232c070d20649b977
387a06c44b52bc23c0d5f2edcac7fe90dca2d81d
48786 F20110114_AADSEG nalla_v_Page_54.pro
9034842621fec6cfe2459c1f775ea333
8a52bbbff200fc89461ebdb3d44070625349b62c
59530 F20110114_AADRZA nalla_v_Page_61.jp2
1a77d3a6e5fb3284632fe63b7c9af9d2
f585fffdcbd1414457f499f7639c58c9992d8751
57891 F20110114_AADSDS nalla_v_Page_36.pro
81f9d3a43d8c36c0d4af0ce55a2c81c0
d19b5b1ee7f17ce2a0b6cbb2aec33bfe341657ac
84519 F20110114_AADRYM nalla_v_Page_42.jp2
5fe61d67051efbefadc085c95f311b47
c3df53eb478ca02265614bcc93482a2d4782ff57
72152 F20110114_AADRXY nalla_v_Page_23.jp2
2ab58f838a7815870b015e999842b6db
7576d02beb8ff84639825b61adc64226585d8759
41475 F20110114_AADSEH nalla_v_Page_55.pro
8ad8260ecbda66ad474dd21450400592
5a6836f747332113647a99a8078ff6b2a391adbb
1072940 F20110114_AADRZB nalla_v_Page_62.jp2
9ff6e607e6a391ee3acdeec60f775fdf
f64a5db6466e2a8f978d1bf897dd61df473fab6c
64258 F20110114_AADSDT nalla_v_Page_37.pro
ef4b3df3f946037372168fc17a904def
8921b348c8dd419eee7d2fc95893e4dc653017a8
897899 F20110114_AADRYN nalla_v_Page_43.jp2
1a46ce0720acfcca7e56bbe6ceaee4af
d7ee23503ba276f2246fb5ab4dd1e11b43b5bf92
1063078 F20110114_AADRXZ nalla_v_Page_24.jp2
66817ab46b45ace6f0e6a11ffaa034e9
e386b7333f19618b8fce468ea60b1a5d3c62bbea
33861 F20110114_AADSEI nalla_v_Page_56.pro
bb2801a21198167fc79b776edc2cc760
a9913f0b794b554e896d3f7fc6f192a70a6053f3
54774 F20110114_AADRZC nalla_v_Page_63.jp2
3e4eaad02f7d8589659b3ac165225e2a
d81fdfa73898bd6542e70320f176cf1391831642
59494 F20110114_AADSDU nalla_v_Page_38.pro
fcfe6a3d307d94ee10252e3d2d9c37b4
b2ec905b25bb7eed5d66508c93c46b3f1eabe81e
F20110114_AADRYO nalla_v_Page_45.jp2
af3be97db2f73b64ddd97b6faa2aa7a8
aaba66f5e681c38a5515d9360952dd43a7c43dda
22544 F20110114_AADSEJ nalla_v_Page_57.pro
f3a0bf38d06d73745fc4cb2eed873762
a60928635971fe30029827eae512ae104424ffd8
624492 F20110114_AADRZD nalla_v_Page_64.jp2
9f67ef43bc9e55d28b1596eca361b625
98a6165dd2ac0023c64848709f606f50c74cdadf
55872 F20110114_AADSDV nalla_v_Page_39.pro
c1cefdfc2a187bf7147f7e08c122a5fe
1e408a4852a7f78e3c35a73768855466ffd83573
608703 F20110114_AADRYP nalla_v_Page_46.jp2
49e82d43929218f891f9b10a3cb6b1e8
150fd334ec80b5f545ce8985802edb472b9044f9
54781 F20110114_AADSEK nalla_v_Page_59.pro
6c99547543bb365c3572339da0913103
d1ca877999736a25cc140f00f2bfe6d85033f248
85874 F20110114_AADRZE nalla_v_Page_65.jp2
7372ca6470406e2313206728a455d760
4d735f9c145ace37a0e5ed7e33d234ff7e45827f
49067 F20110114_AADSDW nalla_v_Page_40.pro
8555e969e2b768adcb9b4e62b34145e4
5ad4a81f48e6f084efbb4101251c7530064de1f0
843803 F20110114_AADRYQ nalla_v_Page_47.jp2
d8a64ce5038469cae09ea0083a7230d9
17aa1b072823601b6413ac3752f97054a8cb4de0
15274 F20110114_AADSEL nalla_v_Page_60.pro
0f1dc3ca772ff5422bcdf1f093ecfc20
888328d3e59b753b59484dfd15f3eb67f695a5f7
92997 F20110114_AADRZF nalla_v_Page_66.jp2
2c9a66cfa0468dcf7bda0d16b7c7411d
ef4547d2c96c8e42aa798481ba8783632109f06e
31323 F20110114_AADSDX nalla_v_Page_41.pro
25f164d8daaa168fb654ba4bd75c327e
120fb52d0fc0293865cce6851e24ee23503bd0d9
1004641 F20110114_AADRYR nalla_v_Page_48.jp2
8ac122f4db251bbd0d0e80a250150300
b0843ffce75f15f3e8ae7d99aac49993c97698e8
63050 F20110114_AADSEM nalla_v_Page_62.pro
4c8477cee5a6fa5e5ad15b57eeef5ed1
be69c807f5eb7de5ac24a4fb620ebe80033978ff
95764 F20110114_AADRZG nalla_v_Page_69.jp2
03d1321f4f1b2aa383e9af3678b9d9eb
369f947145fc88282bdd77aba1941d203ef1ffc3
41976 F20110114_AADSDY nalla_v_Page_42.pro
baaf87270bde8a48015078246d61450e
0f1c06568f2ad91b8a192552391e99b038587026
F20110114_AADRYS nalla_v_Page_49.jp2
8cfaa03781a6be978a6ed8deb3488282
f3048f2f59881635630aeabc2c587cad1a6f88ab
11065 F20110114_AADSFA nalla_v_Page_78.pro
332b4a201992d9a01b1b683d03559d67
f8303edab0177586422fdc575b7690a27072b49f
26706 F20110114_AADSEN nalla_v_Page_63.pro
c5b8ca6a5a3ccc3612e6b2c3dfd19c78
a33182e13698b2eab050da794984989a2b791c8b
88254 F20110114_AADRZH nalla_v_Page_71.jp2
4c6af5c7f7bf95c66994ef5931b04831
820339c5390dfe5201f2167538ef64ef476e3044
11418 F20110114_AADSDZ nalla_v_Page_44.pro
b1f0dc75e4504722a8d90b5ef6779105
2fceb723e8f935c0c4ffaf529d07fc8018c0d8b1
41574 F20110114_AADSFB nalla_v_Page_79.pro
ff50f7be60df5d2019d56185efa1659a
c3778f3ba37ddf44416c1f53cae2a6ca363c66db
28476 F20110114_AADSEO nalla_v_Page_64.pro
9ad29995c26b0a2356b42f370e366b1c
5c267d0cc9f1f432f6d7552e7b125519273b16a1
1087884 F20110114_AADRZI nalla_v_Page_73.jp2
30cf1b1e8eb1cf4ff0e1c04514137b22
746a811d28feb6e16da340090be6020790bba941
F20110114_AADRYT nalla_v_Page_51.jp2
86ece73707b82bcab1bd36f5e4420ebf
970407d021a151d164b0adafea7441845765b9e1
11464 F20110114_AADSFC nalla_v_Page_81.pro
06f13b3a3a8bc0a7e8d6485d0d06cf7e
ccf782b05ad77e65494889e95c80457b2845c5e1
52553 F20110114_AADSEP nalla_v_Page_66.pro
06b1ea54337b07b1a45e5daabc8737a1
c2b67c6839cf6f73d775e237ba5e53263e236c07
52672 F20110114_AADRZJ nalla_v_Page_74.jp2
95e45aa45cd47c6768f48e794c9c0cc3
20cd8e1b45392c653990db5e0a8b9bc7db7d13be
1055829 F20110114_AADRYU nalla_v_Page_54.jp2
493c442d320a6f62a2cf94201447fcfe
ce91ad80c3d68c7108cadbde3f57ae81e9a0d06d
65383 F20110114_AADSFD nalla_v_Page_82.pro
ee830cca4f50dbd52c9ca29f4fc0fe08
66243a712ef3b298d8d9558eb50b8574bdba685e
32498 F20110114_AADSEQ nalla_v_Page_67.pro
07940fda96bf0ab1d8e1a8a0531a29e9
6b520c7c31c2fef5347003514a84bc18e287f14d
50525 F20110114_AADRZK nalla_v_Page_75.jp2
fd6710868848e5c1fb30ca4fa0aec71a
57b98a5be0a79a68f8b118d6e76cecee601a9451
873702 F20110114_AADRYV nalla_v_Page_55.jp2
a505c2491267608e6814742f09cbbac0
05412c9f770a8d9f2d55e4e00d962b5177297838
8328 F20110114_AADSFE nalla_v_Page_83.pro
f10c01773321694b0311190969fd41f5
1942326da7eea0e23c811cc0cb741121cc9fab97
57706 F20110114_AADSER nalla_v_Page_68.pro
df5f45dcbec6b8371e6943b997be721f
6000c6faaacc764d2c10b675a142f0845762b6fe
1041626 F20110114_AADRZL nalla_v_Page_76.jp2
9f13bd85ce556fb5c13476a9a60675cb
bc14bfadf6cdc82c2bc3a03e585f537a8fe73cdd
72818 F20110114_AADRYW nalla_v_Page_56.jp2
5415c44f79f957c84bc061ef6f8d44f9
d56250281bd5a941a6de93e13f45c3c1bdbed369
57401 F20110114_AADSFF nalla_v_Page_84.pro
a777afd6c9c5e1b1c7756eed2c98351d
0226b2fe5d882b8a8fd779696ca6294adf3ee1b3
46199 F20110114_AADSES nalla_v_Page_69.pro
3f83a3ab2631f0e05bb81c84c62f1a33
199b92d6dde95f1d872f93560e724a42709e4f2e
1071492 F20110114_AADRZM nalla_v_Page_77.jp2
69a2b18ca0101878ccc0fcbaf8a58be0
22013769714a37ef5a2e5b328ef2358100f3ea5d
52687 F20110114_AADRYX nalla_v_Page_57.jp2
fbd2751f9f2a28869d81c3dc07b41699
df6fe4d14bfe54500a3efd9cf300b813dcf51e19
4797 F20110114_AADSFG nalla_v_Page_85.pro
4c85b92cfdf3505a0c8dacd08a71835a
7ed441720bb79a496f693f45d4c03425d176e240
57853 F20110114_AADSET nalla_v_Page_70.pro
8d3851121fa2b4576c4c30de437579dd
90853c5a61fb7674d654273a361449eca3bd1acf
50685 F20110114_AADRZN nalla_v_Page_78.jp2
aecc5dfb40761b1f7f429b50e6ab70ac
4e99a455b30339a08d6aeb068612ed3e202d8aad
716242 F20110114_AADRYY nalla_v_Page_58.jp2
6d61b310125dcded9826daff33f6b7ee
4fc4038faa0056f3febc18ea6b4aa7cdc8e7ba90
58941 F20110114_AADSFH nalla_v_Page_86.pro
c08aa3e3168c47813d39203cfcd845cd
e9b63e1d55f0fa4b80feb1debbed90c99c868524
37428 F20110114_AADSEU nalla_v_Page_72.pro
c7fc9f5ef7ad16babfe6750ef632b797
4c74e81f2a8fa28dfdf5c94c5e6e28f6220b6d81
1015511 F20110114_AADRZO nalla_v_Page_80.jp2
bf2364e5921368493e3cd1ffdf54f5b7
57f7ab71762e468ed339aef009793644aae3fc08
48828 F20110114_AADRYZ nalla_v_Page_60.jp2
ad94870e79971a57377692dc6c5d75e6
ae4e345872b61dcd816462f391ae7d01791dc250
73689 F20110114_AADSFI nalla_v_Page_87.pro
0ae6ec1a58a3b9c19dddb24d7bb21a36
4a8b1e9d4867ad0c6bbc4f316a74e70cf21ab4b9
51180 F20110114_AADSEV nalla_v_Page_73.pro
2fa56bdb9ceecf60caddda2bbe9f0025
6975c5c759c45a8385051e59a2fbb766576cf3d2
50581 F20110114_AADRZP nalla_v_Page_81.jp2
de8994a5009a956ef6368f745aff4d4f
6c25458aa3fe18d1cb04fc15aeebbd5243d7f2c9
8428 F20110114_AADSFJ nalla_v_Page_88.pro
ee3385e1807daeee3ff90a58555f1c1d
7838a138dee1d4e34c827b9562ea9fee2d7ff8ca
10157 F20110114_AADSEW nalla_v_Page_74.pro
362b1fec14a455a7e4039c220701f0f7
2b298f3d381898ed7cba4089a1d3189dc962e51c
1087887 F20110114_AADRZQ nalla_v_Page_82.jp2
30e12d090a272885220b38508bbbf14d
d1938edc110ad4a0f81f9961ade5ad55d3aa21ed
12437 F20110114_AADSFK nalla_v_Page_89.pro
5a15033a7621ec9b0220bf037a530438
4d2f852c777c1edc485946805bef5db4408b7d4f
7238 F20110114_AADSEX nalla_v_Page_75.pro
86c8e49da20c76c9cfe5d855732b5979
9e0090579b3eacf04d965e608abbdc9582046533
20612 F20110114_AADRZR nalla_v_Page_83.jp2
421f2e21cf6082ce194b6b5b11f6db96
226446b8878ebd468b48a652bdfa1dd16b8287f5
405 F20110114_AADSFL nalla_v_Page_01.txt
0fc11f6075a447bdb91e235ce7b854aa
cac8a432edb36893d82e88327d0fcea94cae190b
44190 F20110114_AADSEY nalla_v_Page_76.pro
770f56775b6841809f00cca60c05e6ca
db4c7ddccf527d94dcbcb0df32c1633a7f3553bd
F20110114_AADRZS nalla_v_Page_84.jp2
de7ca2bd0d1ca034e115cba0f3793977
52840cf938a05ae56e2858dff0861510913c16a5
2567 F20110114_AADSGA nalla_v_Page_20.txt
a457d50078b53c36512296a982676b31
0e65b6fa917ba0bab1a1a372c6c84658c213036b
127 F20110114_AADSFM nalla_v_Page_02.txt
22bec8d639c2e76dd42c408403fe13fd
ed482dfb7a80e23e8a34b00936d8a388aac348fe
47391 F20110114_AADSEZ nalla_v_Page_77.pro
97ecb14cd58562df4db5660dafdba147
e0d749b816c0cd605baf578476b62a94180987d3
13416 F20110114_AADRZT nalla_v_Page_85.jp2
d6a4d59250fd5bbef1913db4bea012e9
172f403d4816b586018ac8c1b70cbc22fccfa828
2287 F20110114_AADSGB nalla_v_Page_22.txt
e2c5cff24c95ea0609fc4d38733bc391
7edd856775e7d69a7f7159c9c35551d7ef092c7b
594 F20110114_AADSFN nalla_v_Page_03.txt
5195bee7969d8a66de51f8d9ca569ce8
3199a34058f8b3b254bcdb6eae8f161164b64079
1380 F20110114_AADSGC nalla_v_Page_23.txt
10b7a6e68bc8a3079ec200916476d3c5
20a7b356b9c9db1ac047c819cadbdc236ebbf64f
2681 F20110114_AADSFO nalla_v_Page_04.txt
8e118585f293d31d1b4ae9f27a05e5c0
cca0f9ca25313777a4cf7125d83ef6a695b8761b
F20110114_AADRZU nalla_v_Page_87.jp2
17d0faee7a83c115e708c7f62490980a
969177c25f42e8b738413c1512240c86928ae4d0
2015 F20110114_AADSGD nalla_v_Page_24.txt
29c8683b92741d5b85da8b520a31776b
c16e5f4b8c219ee666db54c2e9faebfedf53ae85
1910 F20110114_AADSFP nalla_v_Page_08.txt
fd1f37b603a006339e4b7ee6e79d0421
d13a5e38388f92c38eccaca96995a810335097f5
22210 F20110114_AADRZV nalla_v_Page_88.jp2
00a0148a5b3d5960b831294f8cbc63e0
7d1a0e05f751f67eabbe56de011712be142b513b
2263 F20110114_AADSGE nalla_v_Page_25.txt
4817e385eefbc9f3568f196ea243a1ba
09315c5531da50317677fc163ea4c0d71cf6ee1a
2230 F20110114_AADSFQ nalla_v_Page_09.txt
7271c23e06835e4cee7aba59dc008e47
14a530514ee97e0d9c645be69da6165ae605b2cd
30901 F20110114_AADRZW nalla_v_Page_89.jp2
de5d3b024e71fee1c1a3d5e441014823
6aabf9d2300ca3233d7accc107bca335812b8ea7
2542 F20110114_AADSGF nalla_v_Page_26.txt
3403946a8f30b3f01c1fe5bb708db048
46584ab97ffa00b7592a19ae7aef1d0cd058f26c
1441 F20110114_AADSFR nalla_v_Page_10.txt
c24ec4da27c2537d138ac1ae380e973d
6b598cae4a32556395e75f652b41dfb2aa8526e4
F20110114_AADRZX nalla_v_Page_01.tif
1b4cab3c8ccd2d91dd73bf43a756a4b0
cf6df8ac36d4f7293894abe1f4d3c4e6cd6bb374
2555 F20110114_AADSGG nalla_v_Page_27.txt
5675866801cce8d83d2efe3d8c84df39
b21407ff59be90df780a7b84a61b88c468f1002b
2130 F20110114_AADSFS nalla_v_Page_11.txt
a3ebc104995dbe6d298c8ce39fa8a464
ce51a7c056d34782806faf1c12410f2291dc3d87
F20110114_AADRZY nalla_v_Page_02.tif
5f3fad6643b1c82d81110b522b838193
685a3b719ecfdae2f8c95551815886ed07a64dc5
2358 F20110114_AADSGH nalla_v_Page_28.txt
921da1940b2154f155005c6124f80a5a
5572b7a5aa6ad03c01cf64f8e87257ddc07b03b4
3072 F20110114_AADSFT nalla_v_Page_12.txt
6d068800e3b02ca735120a354fcc96f1
5ed8bbe0c8716775d45a976fb68b6383b365502e
F20110114_AADRZZ nalla_v_Page_03.tif
d0552bdbed24c5f0bf022b432ce39160
38846c438f734d55cfb052adf1c391601118eff1
2470 F20110114_AADSGI nalla_v_Page_29.txt
9118e8037de78ce09f8188de70c55857
92334d196ba82219ce92b20d7a4416acf9aa602c
2547 F20110114_AADSFU nalla_v_Page_13.txt
b072b4cafa20eea4eefc738750659e58
3816194e60cef62e4bb4fa3c811820ca6b3edb2e
2087 F20110114_AADSGJ nalla_v_Page_31.txt
e66a767f633aabd94917878ff8b5f473
d800a1267151f904dbd4a3bc30dd525d50816662
2868 F20110114_AADSFV nalla_v_Page_14.txt
660ae39fa5c707b324f3b452da440bc1
ed837289d3fbd479e9989fd043ab086db72e9cfc
2319 F20110114_AADSGK nalla_v_Page_32.txt
97c88e94daa41598dda28ff16c0ec80b
78e752d7a5f99ecccd8cde5d1de293cb39d5dce9
2631 F20110114_AADSFW nalla_v_Page_16.txt
40ee196725584a4badd55b45783154ef
0bb04888e7eb0c24dade2cdfc1d9bd27bc180431
2132 F20110114_AADSHA nalla_v_Page_48.txt
60482db95a454e1101880cec810418c5
680f3490f3e52405717c30efbfd15ac6e9f90352
2527 F20110114_AADSGL nalla_v_Page_33.txt
04fe198c4177c64000357e8085cfe266
3ad42fd00f2476b21f87fb3f2a1a3216db7d2fcc
2311 F20110114_AADSFX nalla_v_Page_17.txt
866020adf2113a5584a2059519e0f791
8c3e70feb840e8cfe37730e5378bf6075ba09817
1324 F20110114_AADSGM nalla_v_Page_34.txt
bae994f986d50abd79bc325c913604ca
a880d00a6848f94c8d4f7adcb6ad94ad52fd18ee
2401 F20110114_AADSFY nalla_v_Page_18.txt
41e40736ac31bcc59df59cc6533e7589
f075c8fdd2eaacead38a30776edde4053c827af4
2453 F20110114_AADSHB nalla_v_Page_49.txt
8ce1d75852f17966ff7ea3bc7a6bb7ce
46858313151a927b804e71eaa9209edd0389e870
2074 F20110114_AADSGN nalla_v_Page_35.txt
7dc959a3c0a8a955c4b5c85496749f96
3d7f67a697424d9c1b2f8310b6554610b77945a7
2428 F20110114_AADSFZ nalla_v_Page_19.txt
97c398b406506827793e0d4af38be923
aed8ce646d182b70b1f3bb3991385322a9031308
1220 F20110114_AADSHC nalla_v_Page_50.txt
33fdbd658fd440cf289e5546637dd22f
ecb8fc2b24ea3966f2df33e415d937fd272bdebb
2290 F20110114_AADSGO nalla_v_Page_36.txt
952ea5195681db9098bf82471c9390a7
e718457f6f0d92c95b52f53eb02739a4cdc59e14
2155 F20110114_AADSHD nalla_v_Page_52.txt
5d57d2fc38b57a20fc61d95e7d2d25e1
678cd74c4d300a2c0747ad29aa330510e293ac50
2553 F20110114_AADSGP nalla_v_Page_37.txt
5847fd00e52d198d122b71312b818834
ac75e4469f310722daebcf96786d3ef1d81d41b3
2346 F20110114_AADSGQ nalla_v_Page_38.txt
9ccb75ec1feb252ebed11a28cbc9542f
4b3d56ee9f9c030633601ee08b0610923e9ee9fb
2216 F20110114_AADSHE nalla_v_Page_53.txt
335a0add92d616e52a86fb90b205822e
d2f9a49b2d5be239efd5b3600edbd75c12c6a392
2245 F20110114_AADSGR nalla_v_Page_39.txt
7bc935203443656d407f129d2ff7e2ce
a9a7855c7a8807485da6335a6c3388b9f62efced
2102 F20110114_AADSHF nalla_v_Page_54.txt
cb106558357f45489260ca07a4530ce9
4bdc1a6b5fe56585cc9f0ba48e2d678cc1895b0a
2021 F20110114_AADSGS nalla_v_Page_40.txt
5e38cfb8cb47b39d202e4ba72de82d07
baa8afd591df6ea9b6c1feb0cdd3e465997a1332
1956 F20110114_AADSHG nalla_v_Page_55.txt
1e8ae817e5a885a9448f068239e5d0ab
3eea4c2c9f2276b37058b10bff2890f8bbb0d3e2
1461 F20110114_AADSGT nalla_v_Page_41.txt
522f948b606482a8aa84e72a4093c003
994f7db6ba243bae56e270659c8298773e40e980
1790 F20110114_AADSHH nalla_v_Page_56.txt
2bbf554ffe40ba19c633914d0ad37146
a2a0d6a9097acb8f2fcaa36dbf88a66c35eb18d3
2046 F20110114_AADSGU nalla_v_Page_42.txt
55b4eb4671d26827e6e224a50774900f
6e7287d701832117f0bfd1bc757917a4995b24d7
1336 F20110114_AADSHI nalla_v_Page_57.txt
9497311fe0f7b129fdc7cedbd32e45b0
a50f2661db58b525614cc1b25ad4742c12234adf
1985 F20110114_AADSGV nalla_v_Page_43.txt
94af3c9bd4bc47b8407c3b8f33bcf6cf
776885859b5c67091b83c1e44b247722e2e7e785
1563 F20110114_AADSHJ nalla_v_Page_58.txt
0c398716ebef4c6633988410351122c6
b30fd1669900eac20f64f9dc9dae0648b47a57cb
461 F20110114_AADSGW nalla_v_Page_44.txt
6a12926b43ac5125dcd7b70e15fef1b9
c7bb18fdb5512b4a9026ecf64f32bf1a207b1158
2305 F20110114_AADSHK nalla_v_Page_59.txt
0de98a1e7ce35f841bc0ac309f337e3e
73819497670308947c498684d1897e8f8ce723da
2036 F20110114_AADSGX nalla_v_Page_45.txt
c2660ad3028b8b6e37f14181a7f48863
191b831d9a6e96466352827e855db915bbf83bcb
1717 F20110114_AADSIA nalla_v_Page_79.txt
89c0b0332af887b65afa59013bdb6fb9
f96605d43135e0c9a5999ab5b8aa39429cb81bda
1405 F20110114_AADSHL nalla_v_Page_61.txt
02216fa6a4a8eb362cb445d915cdf0dd
b8401284909a0aa09a4aa891a18eec7620e92ff7
1642 F20110114_AADSGY nalla_v_Page_46.txt
c589e67f5a8f3fd8fff15c85e0f6fc47
8e8059d737af57aea16172215ef3e9fca6b85c5b
1815 F20110114_AADSIB nalla_v_Page_80.txt
a9e10eb85db14ec0773d5d96525bba09
c0086b722f53a4d40342231f9b399766bf6749f2
2639 F20110114_AADSHM nalla_v_Page_62.txt
cdffefd97796cbe69ef13b3c3469c9de
91eda597c898125b8a4a5df2dd8d6f1cfc9b062b
1920 F20110114_AADSGZ nalla_v_Page_47.txt
9e5e72b6e106fc67aba472f2606551aa
49577a3fce1e830d2a8fdd0ef969114b170a8167
1588 F20110114_AADSHN nalla_v_Page_63.txt
2c248ad266f55ab64ac997b40551f714
6a7d2a9a41695adc53b54049cc1bcb879451dbe3
523 F20110114_AADSIC nalla_v_Page_81.txt
af5d878283cfe6efc2bd1ab26a23472e
18e96e3e23e7dc6df669de9bb318308848a62b5c
2408 F20110114_AADSHO nalla_v_Page_65.txt
9196aeda153318362ff174eef94170c6
dfadfb62e8e707028b3639385546c84ac9ef20aa
2633 F20110114_AADSID nalla_v_Page_82.txt
1aa93bbe72c0104a5f3d21cb841d2e01
f2ca68d16f65ef20455306f478939308da397adc
2303 F20110114_AADSHP nalla_v_Page_66.txt
6e4de6d94652e44f86afa2cdd787dfd7
2281399fa5cfdef4f64dad1e920bb0ff61782e59
417 F20110114_AADSIE nalla_v_Page_83.txt
3768bd334bae31b8d35d462e16bc0f40
21a385e3d3f2f73b058a98687a2e140408f97b8d
1437 F20110114_AADSHQ nalla_v_Page_67.txt
cc54d238dbf9e28a1d21ecc9723361e2
2925a092cad841cd6efff3751cf733cb5c954178
2349 F20110114_AADSIF nalla_v_Page_84.txt
737ff91985bc6be2f916868c18e66d78
12b15b020b1b8173b5fd4c2cd13975e0446fc888
2280 F20110114_AADSHR nalla_v_Page_68.txt
f5ba36d745c91464fe429885472582bd
1c30c74832a89b5b0307177ab2608a7f82d8099f
280 F20110114_AADSIG nalla_v_Page_85.txt
67deba11239d9aa33ec14b13e43c4cda
8c7fc5a86fa82040953d34d3f799a7e8b5c8cf38
2019 F20110114_AADSHS nalla_v_Page_69.txt
fd5682196c744c778d6ba512b71be5c8
be344126d20790a5d8179403338b8e341258e64c
346 F20110114_AADSIH nalla_v_Page_88.txt
9fe98e77de24ccf4702e7a532c41493b
28946f6c9336cba42baafb36e83172a80b8e3fd2
2469 F20110114_AADSHT nalla_v_Page_70.txt
f2dc4bc2c34d46bf80ef8e5134a26a73
5d070558f4206c49cd442b3e0af7aae977cfaf05
546 F20110114_AADSII nalla_v_Page_89.txt
effddd98944c786393af3024102b2fee
44fdbbbef7842278997fa974873f54835f383f4a
1916 F20110114_AADSHU nalla_v_Page_71.txt
ea8ebc9b0418bd4d2814be3c761cd27c
9accd330d320e8b1e664577c79a411e981b8f005
2295 F20110114_AADSIJ nalla_v_Page_01thm.jpg
a2c7dc4e4a21b74d4793a7bd93c95dbd
70aa1fc5033bf2801d7d4dacd2976277bc4ac1d5
2158 F20110114_AADSHV nalla_v_Page_72.txt
496eea8b683b5e6ccbc64c7e2f742db5
35619654756ca543c08c1e8c02c88d2d349a99ce
743075 F20110114_AADSIK nalla_v.pdf
36767f4de2d5f332ee97dfa04ad1f924
a000300c4bf1e21357d69e750e0185316199972d
2178 F20110114_AADSHW nalla_v_Page_73.txt
94d8d860f7102ba4d22f3cba1b3f02eb
84c581a661add02278a4bd608cc42fd7463d6600
6922 F20110114_AADSJA nalla_v_Page_26thm.jpg
b99a829eb8f2dd300b6973ae4149b492
2e4205ac35609cd290e402cb2f70c03b1d3adddb
2494 F20110114_AADSIL nalla_v_Page_89thm.jpg
7c0dbb58b86c6f9d38aa5e9a3c745860
d5346b4ad80e2951ed60cdc7ea7039cd4650a30f
365 F20110114_AADSHX nalla_v_Page_75.txt
362456c5e5269c33a0a14a6f94da2530
b54b6aad25c895161d9ee88742b0c932998b3659
6374 F20110114_AADSJB nalla_v_Page_53thm.jpg
da469dd34d2d26f85b2eca0c2c948e3a
08209b0ffc4246ce32e05923179347394af76625
20135 F20110114_AADSIM nalla_v_Page_47.QC.jpg
54301221678def8c55e1f547978254d2
49deb347bd125a0daa14e21e4d7d1c4a5cb55577
1937 F20110114_AADSHY nalla_v_Page_76.txt
07734ee23446e342bc33fe31357ecf97
1cbe7a50e8a7fde1c91fb2720e0560b0f61962ad
6220 F20110114_AADSJC nalla_v_Page_35thm.jpg
1623f32254eb414738dac228329ec3a6
8efec3000abfe191060ec959992128071726dc7e
13203 F20110114_AADSIN nalla_v_Page_63.QC.jpg
af1ff5aeb0718906c7b53c5fdb480222
f32afe278214f760cadc17cddd16a59ab71448f1
606 F20110114_AADSHZ nalla_v_Page_78.txt
f74d7233658a65b892dd29d78e75fe7e
9859206eb196f9b93a223f9954f29fc22573ec6f
27398 F20110114_AADSIO nalla_v_Page_84.QC.jpg
ec8fb6ab6d3283679f3ea2c4d644e95e
75d7a73ffdde1979283a1cd1836eb4a187a5ec73
5375 F20110114_AADSJD nalla_v_Page_65thm.jpg
cd1bd852f2bfb228353d8b3fb8e42925
c3d4dfd8d00237d8f0d63593d39f15dd38333a47
29546 F20110114_AADSIP nalla_v_Page_27.QC.jpg
29b14fe4b67571dcd6627c27c0540bca
8b4be2f519aa04d345d5f19b30b5705119bad96b
23488 F20110114_AADSJE nalla_v_Page_54.QC.jpg
c66565c7d5f6ff003e14eb7aabda40a9
e6fa46be2a39cc27e4c32df70a54bf6448196b10
27237 F20110114_AADSIQ nalla_v_Page_86.QC.jpg
3314f35d199dfe1a361afeaf58f45435
8fbeb0224aee448044be78772747568a1d0b8bff
7888 F20110114_AADSJF nalla_v_Page_87thm.jpg
d7fcc7fda69a87336f588af37060be55
e335aa6f40b8bc8ffeade4679386b74d73fb899a
6894 F20110114_AADSIR nalla_v_Page_84thm.jpg
154b0d7a040151cbda2cdc9dfb0ea173
7de5ad0c1bccdd41175971c3ceb8a5a7ef49a64d
16378 F20110114_AADSJG nalla_v_Page_56.QC.jpg
e3e21218a04408a3fe1eed8ac78b764a
ee177e56e6f9eaf6c2f5b7ede1be9120e801aa52
17523 F20110114_AADSIS nalla_v_Page_72.QC.jpg
4f8ada99ffcf1a4d2d9362ffb910c8a1
aaaa690e4a871d40401b8f901b4c49cfeb3d699d
6747 F20110114_AADSJH nalla_v_Page_59thm.jpg
d2f8ca6da974ee0791b01e521371806d
a85e6519bf96368f20c12bc8f7174cddbb3dd146
20104 F20110114_AADSIT nalla_v_Page_08.QC.jpg
5fe1b8ade2f6952e62aa3d3fc234c4f2
a08da9b223fb1a55c3bcf5c0bb74c403486af161
3060 F20110114_AADSJI nalla_v_Page_81thm.jpg
6ec94f8d6e05f98ff8ff90689d08ad9f
5f00960d830f7642ae6de7281b3cfcca15bdb8e6
26432 F20110114_AADSIU nalla_v_Page_51.QC.jpg
aa673525642d6baa731f7150ad3325c3
7dfdb77f972f17f081db02dbbed661883cd72af7
6111 F20110114_AADSJJ nalla_v_Page_80thm.jpg
6fcb3ff140f29eb284690b15a13443eb
67b3ad1406bc4b21ec1421e208cce8f72632e64f
17358 F20110114_AADSIV nalla_v_Page_58.QC.jpg
9aa5ae23a1672d60860c5fd2188b3ce6
c593609f6b2f39815f6a3ad9c743a6d474e7a11f
21618 F20110114_AADSJK nalla_v_Page_69.QC.jpg
a4f3fc8c311e206da608963456495815
978316182a3c0db72a25bc8f7183d62c41560df3
7762 F20110114_AADSIW nalla_v_Page_20thm.jpg
36517bae48a5168a6f0990c573b338f2
74999a658760e75b1f360c6950670d264aceaa93
6294 F20110114_AADSJL nalla_v_Page_01.QC.jpg
3b55b71c5b0d9e4b98f15d9315168c13
0f9e08b014e0bc950461887ddd00c7089dabe7b0
27896 F20110114_AADSIX nalla_v_Page_12.QC.jpg
4ddb8d6e1019a3e2c536d179b01b66df
8e4ba7036fad15319057194789573dd70a6037a4
29137 F20110114_AADSKA nalla_v_Page_21.QC.jpg
fe27b1d7dc62a428b7c3d8c966f46126
12b3f8e2db0037f833754451e082e680772dd214
26101 F20110114_AADSJM nalla_v_Page_13.QC.jpg
d63aa393c7664195dbd9c7972b9fbf0e
1189f3e492e89a1f55c21c9e52b9724a60d9cd48
4851 F20110114_AADSIY nalla_v_Page_56thm.jpg
d1dce1f98bcc84e9a99a016133c0b092
dc471e0d61338b33965a43e90b3d320b30e8dddc
6511 F20110114_AADSKB nalla_v_Page_62thm.jpg
7c35a00a6cb94b7f7bbcf6fa641be9d2
d8c320f002f4df8c5c442232f9e637b26f8390f6
6260 F20110114_AADSJN nalla_v_Page_31thm.jpg
8517b3bd1b4bfdadb113d56e6ff26e89
b9849ce638d7fb509eca5657ae92f6f42132f4df
12305 F20110114_AADSIZ nalla_v_Page_57.QC.jpg
f7ac986e2348e19450e6eb85e8452e9b
557c444b350f6c4b0b324457ae332366fb1d2892
12682 F20110114_AADSKC nalla_v_Page_30.QC.jpg
be40547b69f4c333f8ebfa684546455e
d3e1fc51f1c8de2814b4f5bf7f191f4fc4a3d463
14318 F20110114_AADSJO nalla_v_Page_61.QC.jpg
2030c9e64f35c8303e648cfde1f0f5be
10ff0fe583c24df6ae9556ebf59b03524f5b0354
6422 F20110114_AADSKD nalla_v_Page_79thm.jpg
bd02ce2a4f94e6ad52f261de2b0e2c5a
50ce3e36b26621d84058383c9c6aabe5394896c7
23506 F20110114_AADSJP nalla_v_Page_77.QC.jpg
14354c368afc140bbea804b86e95ba9a
fb40fae6c74055e0c1122685d6657d5aa78f05ad
6135 F20110114_AADSJQ nalla_v_Page_77thm.jpg
ee239cd24170bfbe6f4e3e1981c18fe6
91c7c420bb6b765aa9c040290d21bb4ae73c8a61
5471 F20110114_AADSKE nalla_v_Page_34thm.jpg
4b06d283e11c88a6fc0a1fc9c235ecd1
4ccd7b180b7731ba5cdea3f73a2a0b59bcebbdbe
2703 F20110114_AADSJR nalla_v_Page_03thm.jpg
fcd43a2ac429ed5e27ca6a8de3e0574a
c4cfad5114d6377be43f05c3aebc92d719e939d6
22693 F20110114_AADSKF nalla_v_Page_48.QC.jpg
d5c30dd0dc3732fd3c037d12e4caac17
5b0646acb3b5c77998a404bb31cf763014e0ae0f
22547 F20110114_AADSJS nalla_v_Page_40.QC.jpg
cb37834b6c66062b0f38142812a1e462
f8eab69e8952cb9e41142c62e64162f128743a2e
7033 F20110114_AADSKG nalla_v_Page_68thm.jpg
ae5fd222b96681917b309db2173856c5
5e3a8f3b748c247d7b435ad008b3504bf96adf8c
24372 F20110114_AADSJT nalla_v_Page_24.QC.jpg




ANONYMITY AND COVERT CHANNELS IN MIX-FIREWALLS

By

VIPAN REDDY R. NALLA

A THESIS PRESENTED TO THE GRADUATE SCHOOL OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF MASTER OF SCIENCE

UNIVERSITY OF FLORIDA

2004


Copyright 2004 by Vipan Reddy R. Nalla


ACKNOWLEDGMENTS

I would like to gratefully acknowledge the great supervision of Dr. Richard Newman during this work. I thank Dr. Joseph Wilson and Dr. Shigang Chen for serving on my committee and for reviewing my work.

I would like to thank Ira Moskowitz and Naval Research Labs for funding me through research grants. I am grateful to all my friends who helped me directly or indirectly in preparing this work. Finally, I am forever indebted to my parents for helping me to reach this stage in my life.


TABLE OF CONTENTS

ACKNOWLEDGMENTS
LIST OF FIGURES
ABSTRACT
1 INTRODUCTION
2 MIXES AND MIX NETWORKS
  2.1 Mix
  2.2 Types of Mixes
    2.2.1 Simple Mixes
    2.2.2 Pool Mixes
  2.3 Mix Networks
    2.3.1 Design Issues in Mix Networks
    2.3.2 Classification of Mix Networks
  2.4 Real-time Mix Networks
    2.4.1 Crowds
    2.4.2 Onion Routing
    2.4.3 Babel
    2.4.4 MixMaster
    2.4.5 Freedom
    2.4.6 PipeNet
    2.4.7 Stop-And-Go Mixes
    2.4.8 Tarzan
  2.5 Summary
3 ADVERSARY MODELS AND ATTACKS ON MIXES
  3.1 Adversary Models
    3.1.1 Internal and External Adversary
    3.1.2 Active and Passive Adversary
    3.1.3 Local, Restricted and Global Adversary
    3.1.4 Static and Adaptive Adversary
  3.2 Attacks on Mixes
    3.2.1 Active Attacks
    3.2.2 Passive Attacks
  3.3 Summary
4 ANONYMITY METRICS AND ANALYSIS TECHNIQUE
  4.1 Anonymity
  4.2 Anonymity Metrics
    4.2.1 Anonymity Sets
    4.2.2 Problems with Anonymity Set Size
    4.2.3 Entropy
    4.2.4 Route Length
    4.2.5 Covert Channels
    4.2.6 Covert Channels in Mix Networks
    4.2.7 Covert Channel Capacity as Anonymity Metric
  4.3 Analysis Technique
    4.3.1 Scenarios
    4.3.2 Channel Matrix
  4.4 Summary
5 PREVIOUS WORK AND THE EXIT-MIX MODEL
  5.1 Capacity Analysis for Indistinguishable Receivers Case
    5.1.1 Case 0: Alice Alone
    5.1.2 Case 1: Alice and One Additional Clueless Transmitter
    5.1.3 Case 2: Alice and N Additional Transmitters
  5.2 Exit-Mix Model
    5.2.1 Scenario
    5.2.2 Channel Matrix Probabilities
  5.3 Capacity Analysis for Exit-MIX Scenario
    5.3.1 One Receiver (M = 1)
    5.3.2 Some Special Cases for Two Receivers (M = 2)
    5.3.3 Some Special Cases for Three Receivers (M = 3)
    5.3.4 Some Generalized Cases of N and M
    5.3.5 Non-Uniform Message Distributions
  5.4 Summary
6 DISCUSSION OF RESULTS
  6.1 Capacity vs. Clueless Transmitters
  6.2 Capacity vs. Number of Receivers
  6.3 Capacity vs. Mutual Information at $x_0 = 1/(M+1)$
  6.4 Capacity vs. Message Distributions
  6.5 Comments and Generalizations
  6.6 Summary
7 CONCLUSIONS AND FUTURE WORK
REFERENCES
BIOGRAPHICAL SKETCH


LIST OF FIGURES

4-1 Vulnerability of Anonymity Sets
4-2 Restricted Passive Adversary Model
4-3 Global Passive Adversary Model
5-1 Channel Model for Subsection 5.1.1. A) Channel block diagram. B) Channel transition diagram
5-2 Plot of Covert Channel Capacity as a Function of p
5-3 Channel for Case 3, the general case of N clueless users. A) Channel transition diagram. B) Channel Matrix
5-4 Exit Mix-firewall Model with N Clueless Senders and M Distinguishable Receivers
5-5 Case 4: System with N = 1 Clueless Sender and M = 2 Receivers
5-6 Capacity for N = 1 Clueless Sender and M = 2 Receivers
5-7 Case 5: System with N = 2 Clueless Senders and M = 2 Receivers
5-8 Capacity for N = 2 clueless senders and M = 2 receivers
5-9 Case 6: System with N = 1 Clueless Senders and M = 3 Receivers
5-10 Capacity for N = 1 clueless sender and M = 3 receivers
5-11 Capacity for N = 2 clueless senders and M = 3 receivers
5-12 Case 7: System With N = 2 Clueless Senders and M = 3 Receivers
5-13 Case 8: System with N = 1 Clueless Sender and M Receivers
5-14 Case 9: System with N Clueless Senders and M = 2 Receivers
6-1 Capacity for N = 1 to 4 Clueless Senders and M = 2 Receivers
6-2 Capacity for N = 1, 2, 4 Clueless Senders and M = 3 Receivers
6-3 Mutual Information vs. $x_0$ for N = 1 Clueless Sender and M = 2 Receivers, for p = 0.25, 0.33, 0.5, 0.67
6-4 Mutual Information vs. p for N = 2 Clueless Senders and M = 2 Receivers
6-5 Mutual Information vs. p for N = 2 Clueless Senders and M = 3 Receivers
6-6 Value of $x_0$ that Maximizes Mutual Information for N = 1, 2, 3, 4 Clueless Senders and M = 3 Receivers as a Function of p
6-7 Normalized Mutual Information when $x_0 = 1/4$ for N = 1, 2, 3, 4 Clueless Senders and M = 3 Receivers
6-8 Capacity for N = 1 Clueless Sender and M = 1 to 5 Receivers
6-9 Capacity for N = 0 to 9 Clueless Senders and M = 1 to 10
6-10 Capacity for Uniform, Zipf, and 80/20 Distributions for Clueless Transmitter and Uniform Distribution for Clueless Transmitter
6-11 Capacity for Uniform, Zipf, and 80/20 Distributions for Alice and Uniform Distribution for Clueless Transmitter
6-12 Capacity for Uniform, Zipf, and 80/20 distributions for Alice and Zipf Distribution for Clueless Transmitter


Abstract of Thesis Presented to the Graduate School of the University of Florida in Partial Fulfillment of the Requirements for the Degree of Master of Science

ANONYMITY AND COVERT CHANNELS IN MIX-FIREWALLS

By Vipan Reddy R. Nalla

December 2004

Chair: Richard E. Newman
Major Department: Computer and Information Science and Engineering

Privacy is becoming a critical issue on the Internet. Some people want to keep their purchases private. They do not want to have third parties (or even merchants) know their identity. This concern may arise because the customer is buying a good of questionable social value (e.g., pornography); or because the customer does not want to have his name added to a marketing or mailing list; or for illegal reasons (e.g., to evade taxes); or simply because the customer personally values privacy.

Mix networks are the most promising approach to anonymize communication in the Internet. Originally designed to anonymize e-mail communication, variations of the basic design have led to systems that provide anonymity for low-latency applications such as web browsing.

Traditional methods for evaluating the amount of anonymity afforded by various mix configurations have depended on either measuring the size of the set of possible senders of a particular message (the anonymity set size), or measuring the entropy associated with the probability distribution of the messages of possible senders. Our study further explores an alternative way of assessing the anonymity of a mix system by considering the capacity of a covert channel from a sender behind the mix to an observer of the mix's output.


CHAPTER 1
INTRODUCTION

Privacy is becoming a critical issue on the Internet. Some people want to keep their purchases private. They do not want to have third parties (or even merchants) know their identity. This concern may arise because the customer is buying a good of questionable social value (e.g., pornography); or because the customer does not want to have his name added to a marketing or mailing list; or for illegal reasons (e.g., to evade taxes); or simply because the customer personally values privacy. Elections constantly remind us that one of the most important barriers to electronic voting is users' fear of having their privacy violated. Unfortunately, this is justified, as marketers and national security agencies have been very aggressive in monitoring user activity.

Mix networks [3] are the most promising approach to anonymize communication in the Internet. Originally designed to anonymize e-mail communication, variations of the basic design have led to systems that provide anonymity for low-latency applications such as web browsing. None of these anonymity networks was designed with the covert channel threat in mind. The goal of this work is to show that even in what appears to be a benign form of communication, information may still leak out of the network.

Overview. Our study addressed anonymity and covert channels. The major contribution of our study is the identification, analysis, and capacity estimation of the covert channels that arise from the use of a Mix [3, 21] as an exit firewall.

Mixes are special nodes in a network that relay messages while hiding the correspondence between their input and their output. A careful explanation of mixes and a detailed classification of mixes are presented in Chapter 2. Several mixes can be chained to relay a message anonymously. These systems provide the best compromise between security and efficiency in terms of bandwidth, latency, and overheads. Design issues related to mix networks are also presented along with examples of some real-time mix-based anonymizing systems. Chapter 3 presents various adversary models, followed by a comprehensive listing of attacks against mixes and mix networks.

Anonymity is an important issue in electronic payments, electronic auctions, electronic voting, and also for email and web browsing. A communication can never be truly anonymous, but relative anonymity can be achieved. Chapter 4 defines anonymity and presents various types of anonymity. It also describes generalized methods to measure anonymity and the technique used for analysis. We measured the lack of perfect anonymity via a covert channel. Covert channel analysis includes finding the security flaw, developing covert channel scenarios, and analyzing their capacity. Chapter 4 gives a brief description of a particular flavor of covert channels arising in mix networks.

Chapter 5 presents the adversary model with details of terminology and model setup. It also presents initial work involving a simple model [13] with a restricted adversary (RPA), along with results and conclusions. It also presents the main analysis done in the thesis. This includes analyzing the capacity of the covert channels for different cases of senders and receivers. A detailed discussion of the results of this analysis forms Chapter 6. Chapter 7 presents conclusions and suggests future work needed in this area.


CHAPTER 2
MIXES AND MIX NETWORKS

2.1 Mix

David Chaum first introduced mix networks for untraceable electronic mail [3]. A mix server randomly permutes and decrypts input messages. The key property of the mix network is that we can't tell which ciphertext corresponds to a given message. Chaum's original system used a very simple threshold mix model, but since then many different types of mixes have been proposed in the literature, and some of them are being used in practice.

A mix server is classified by the batching strategy used. The batching strategy involves collecting messages, mixing them well, and flushing the messages when certain conditions are met. The flushing algorithm used in the mix can be expressed as a function $P : N \to (0, 1)$ from the number of messages inside the mix to the fraction of messages to be flushed. The flushing condition is expressed in terms of a time interval t, a threshold n on the messages collected in the mix, or a combination of both.

2.2 Types of Mixes

Based on the flushing algorithm used, mixes can be divided into simple mixes and pool mixes.

2.2.1 Simple Mixes

A simple mix flushes all the messages it contains when the flushing conditions are met. Hence, the value of the function P(n) is equal to one. These mixes can be further classified, depending on the flushing condition used.

Threshold mix.

Flushing Condition Parameters: threshold on messages collected in the mix, n

Flushing Algorithm: The mix fires all the messages when n messages are collected.

Message delay: The minimum delay is (this happens when the mix already contained n - 1 messages before the target message arrives). The maximum delay can be infinite, if no more messages arrive after the target message. Assuming a message arrival rate r, the average message delay is given by $\frac{n}{2r}$.

Anonymity: Assuming all the messages in the mix are from different senders and go to different receivers, the probability that an outgoing message corresponds to a particular incoming message is given by $\frac{1}{n}$. This probability is always equal to $\frac{1}{n}$ since the threshold n is constant.

Timed mix.

Flushing Condition Parameters: time interval, t

Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds).

Message delay: The minimum delay is , when the target message arrives just before the flushing time period of the mix. The maximum delay is t, when the target message arrives just after the mix has fired. Hence, the mean delay is $\frac{t}{2}$ units.

Anonymity: The anonymity of the mix depends on the number of messages arriving in a particular flushing interval. The minimum anonymity is zero, when no message arrives in the time interval. The maximum anonymity is theoretically infinite, but is limited to the number of messages the mix can hold. Assuming a message arrival rate of r, a total of rt messages are fired. So the probability that an outgoing message corresponds to a particular incoming message is given by $\frac{1}{rt}$.

Threshold or timed mix.

Flushing Condition Parameters: time interval, t; threshold on messages, n

Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds) or when n messages accumulate in the mix.

Message delay: The minimum delay is , when the target message arrives just before the flushing time period or when the mix already has n - 1 messages. The maximum delay is t, when the target message arrives just after the mix has fired and the number of messages arriving in the next interval is less than n.

Anonymity: The anonymity of the mix depends on the number of messages arriving in a particular flushing interval. The minimum anonymity is zero, when no message arrives in the time interval. The maximum anonymity is not infinite as in the previous case because of the threshold n. The minimum probability that an outgoing message corresponds to a particular incoming message is given by $\frac{1}{n}$.

Threshold and timed mix.

Flushing Condition Parameters: time interval, t; threshold on messages, n

Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds) but only when at least n messages have accumulated in the mix.

Message delay: The minimum delay is , when the target message arrives just before the flushing time period. The maximum delay can be infinite, if the number of messages accumulated is less than n.

Anonymity: The minimum anonymity for this mix is no longer zero, since the mix doesn't fire until it has n messages. The maximum anonymity is in theory infinite, but is limited in practice by the number of messages the mix can hold. The maximum probability that an outgoing message corresponds to a particular incoming message is given by $\frac{1}{n}$.


2.2.2 Pool Mixes

In pool mixes, the mix retains some messages and hence the value of the flushing function P(n) is less than one. Pool mixes can be further divided into constant and dynamic pool mixes, depending on whether the value of the function P is constant over successive flushes by the mix.

Constant pool mixes. The simple mixes described earlier can be modified to retain a constant pool of messages for the next round.

Threshold pool mix.

Flushing Condition Parameters: number of messages retained (pool), f; threshold on messages, n

Flushing Algorithm: The mix fires n messages when it accumulates n + f messages. The pool of messages to be retained (f) is uniformly chosen at random from the n + f messages collected in the mix.

Message delay: The minimum delay is and the maximum delay is theoretically infinite. Serjantov, Syverson and Dingledine [20] analyze the threshold pool mixes in detail. They calculate the mean delay by taking into account the fact that a message can be retained in the mix for an arbitrarily long time. The probability of a message being retained in a particular round is given by $\frac{f}{n+f}$. The mean delay is $1 + \frac{f}{n+f}$ rounds. If messages arrive at a rate of r messages per time unit, the average delay is $\left(1 + \frac{f}{n+f}\right)\frac{n}{r}$.

Anonymity: The anonymity of the message going through a pool mix depends on the entire history of events that happened in the mix. The minimum anonymity of the mix is at least equal to that of the simple threshold mix. Serjantov and Newman [20] carried out the analysis and have calculated the maximum anonymity in terms of the number of possible sets:

$A_{max} = \left(1 - \frac{f}{n}\right)\log(n+f) + \frac{f}{n}\log(f)$

Timed pool mix.

Flushing Condition Parameters: number of messages retained (pool), f; time interval, t

Flushing Algorithm: The mix fires every t time units. A pool of f messages chosen uniformly at random is retained in the mix. If the number of messages accumulated is less than or equal to f, then the mix doesn't fire.

Message delay: The minimum delay is and the maximum delay is infinite (when no message arrives for a long time, the messages retained in the pool never leave the mix). As in the threshold pool mix, there is a non-zero probability that a message is retained for an arbitrarily long time.
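The flushing rules of Sections 2.2.1 and 2.2.2 (threshold, timed, threshold-or-timed, threshold-and-timed, and the constant pool variants) can be run over an arrival trace to see the flush sizes and delays they produce. The Python sketch below is an added example, not code from the thesis; the function names, the mode labels, the timer ticking at fixed multiples of t, and the evenly spaced trace are assumptions made for illustration.

```python
"""Batching strategies of Sections 2.2.1-2.2.2 run over a constructed trace."""
import random

# Constructed input: 16 messages, evenly spaced, arrival rate r = 2 per time unit.
ARRIVALS = [0.25 + 0.5 * i for i in range(16)]


def simulate(arrivals, mode, n=0, t=None, pool=0, seed=1):
    """Run one mix over `arrivals` and return (batches, retained).

    mode  'threshold': fire when n + pool messages are in the mix
          'timed'    : fire at every multiple of t
          'or'       : fire at every multiple of t or on reaching the threshold
          'and'      : fire at a multiple of t only if the threshold is reached
    pool  f, the number of messages kept back at each flush (0 = simple mix)
    Each batch is (flush_time, sorted arrival times of the messages sent).
    """
    rng = random.Random(seed)  # only decides which messages stay in the pool
    mix, batches = [], []

    def fire(now):
        # Keep `pool` messages chosen uniformly at random, send the rest.
        rng.shuffle(mix)
        sent = sorted(mix[pool:])
        del mix[pool:]
        batches.append((now, sent))

    # Arrivals (kind 0) and timer ticks (kind 1) in time order; an arrival that
    # coincides with a tick is handled first and so leaves with that flush.
    events = [(a, 0) for a in arrivals]
    if mode != "threshold":
        ticks = int(max(arrivals) // t) + 1
        events += [(k * t, 1) for k in range(1, ticks + 1)]

    for now, kind in sorted(events):
        if kind == 0:
            mix.append(now)
            if mode in ("threshold", "or") and len(mix) >= n + pool:
                fire(now)
        elif len(mix) > pool and (mode != "and" or len(mix) >= n + pool):
            fire(now)
    return batches, sorted(mix)


def delays(batches):
    """Time each sent message spent inside the mix."""
    return [now - arrived for now, sent in batches for arrived in sent]


def mean_delay(batches):
    d = delays(batches)
    return sum(d) / len(d)


def worst_link_probability(batches):
    """Simple mixes only: a flush of k messages lets an observer match one
    output to one input with probability 1/k, so the smallest flush is the
    weakest point."""
    return 1 / min(len(sent) for _, sent in batches)


def report():
    """Flush sizes, mean delay, max delay and retained count per mix type."""
    rows = {}
    for label, kw in [
        ("threshold n=4", dict(mode="threshold", n=4)),
        ("timed t=2", dict(mode="timed", t=2)),
        ("threshold-or-timed n=3 t=2", dict(mode="or", n=3, t=2)),
        ("threshold-and-timed n=6 t=2", dict(mode="and", n=6, t=2)),
        ("threshold pool n=4 f=2", dict(mode="threshold", n=4, pool=2)),
    ]:
        batches, retained = simulate(ARRIVALS, **kw)
        rows[label] = ([len(s) for _, s in batches], mean_delay(batches),
                       max(delays(batches)), len(retained))
    return rows


if __name__ == "__main__":
    for label, (sizes, mean, worst, kept) in report().items():
        print(f"{label:28} flush sizes={sizes} mean delay={mean:.2f} "
              f"max delay={worst:.2f} retained={kept}")
```

On this trace the timed mix averages t/2 and the threshold mix averages (n - 1)/(2r), just under the n/(2r) estimate. The threshold-or-timed mix produces flushes of a single message, where an output can be matched to its input with probability 1.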


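Dynamic pool mixes. Dynamic pool mixes are represented by the function P, and this function can be modified to maximize the anonymity obtained. The Cottrell mix [5] and the Binomial mix [20] are some examples of dynamic pool mixes.

Timed dynamic pool mix (Cottrell mix).

Flushing Condition Parameters: number of messages retained (pool), f; time interval, t; , fraction of messages to be sent; threshold, n

Flushing Algorithm: The mix fires every t time units, provided there are at least n + f messages in the mix. However, instead of firing n messages, it fires max(1, ⌊m ⌋) messages, where m + f is the number of messages in the mix (m ≥ n).

Message delay: Like the timed pool mix, the minimum delay is . The maximum delay is at least as high as that of the timed constant pool mix. The average delay depends on the future rate of arrival of the messages.

Anonymity: The anonymity provided by this mix is higher than that of the constant pool mixes. This is because as the number of messages collected goes up, the keeps the chance of a message remaining in the dynamic pool mix constant. For a constant timed pool mix, this quantity decreases with an increase in messages collected, and in the case of the threshold pool mix, the mix has to flush frequently, hence reducing the chance of a message remaining in the mix per unit time.

Binomial mix.

Flushing Condition Parameters: time interval, t; threshold, n

Flushing Algorithm: We can imagine the flushing function P(n) as a probability. For each of the messages collected, the mix tosses a coin. A head indicates that the message will be sent and a tail indicates it will remain in the mix. On average, the number of messages sent is s = nP(n). s follows the well-known binomial distribution with a variance equal to np(1 - p), where p is the result of the function P(n).

Message delay: The minimum delay is and the maximum delay depends on the random binomial function P(n).

Anonymity: The anonymity provided by the mix is much more than that of the previously discussed mix types. This is because the attacker can't easily determine the number of messages in the mix, n, by observing the value of s.

2.3 Mix Networks

The chain of mixes from a client to a server is called an anonymous tunnel or a mix network. A single encrypted connection is used to transport the data of multiple anonymous tunnels between two mixes.

2.3.1 Design Issues in Mix Networks

A mix network is characterized by the type of anonymity provided, packet sizes, dummy traffic, routing, and the node-flushing algorithm used at individual nodes. We will discuss each of these issues briefly.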
Anonymity :Theanonymityprovidedbythemixismuchmorethanthatof previouslydiscussedmixtypes.thisisbecausetheattackercan'teasilydetermine thenumberofmessagesinthemix, n byobservingthevalueof s 2.3 MixNetworks Thechainofmixesfromaclienttoaserveriscalledanonymoustunnelora mixnetwork.Asingleencryptedconnectionisusedtotransportthedataofmultiple anonymoustunnelsbetweentwomixes. 2.3.1 DesignIssuesinMixNetworks AMixNetworkischaracterizedbythetypeofanonymityprovided,packetsizes, dummytrac,routing,andthenode-ushingAlgorithmusedatindividualnodes.We willdiscusseachoftheseissuesbriey.


Anonymity. Probably the most important design issue is that of anonymity versus pseudonymity. Pseudonymity means that some node(s) know the user's pseudonym (they can't link a pseudonym with a real-world identity). Another option is to have the user be anonymous in the mix network but be pseudonymous in its dealings with other users (half-pseudonymity).

Anonymity provides better security, since if a pseudonym (nym) is linked with a user, all future uses of the nym can be linked to the user. But pseudonymity has many other advantages when compared to complete anonymity. Pseudonymity provides the best of both worlds: privacy protection and accountability (and openness). Since pseudonyms (nyms) have a persistent nature, long-term relationships and trust can be cultivated. Authentication (verifying that someone has the right to use the network) is easier with pseudonymity because Chaumian blinding [4] needs to be used when using anonymity.

Packet sizes. The messages (e.g. web requests/replies) are chopped into fixed-length packets and are delivered in a particular order (lexicographic etc.). This eliminates traffic analysis at a mix based on the packet length. But in many situations, using different message sizes yields substantial performance improvements. For example, TCP/IP connections require on average one small control packet for every two (large) data packets. It might be inefficient for small messages to be padded or large packets split up in order to get a message of the correct size. So, we have a tradeoff between security and performance: using more than one message size gives better performance but worse security.

Dummy traffic. Dummy packets are normally introduced to reduce traffic pattern based attacks and to some extent other passive attacks discussed in Section 3.2.2. Dummy messages contain random bit strings and are indistinguishable from real packets. Messages can be introduced between two mixes, between the client and the first mix in a tunnel, between the client and the last mix in the tunnel, or as end-to-end dummies. This results in constant, bi-directional packet streams between any two mix-nodes or the users and their entry node.


Dummy traffic is often used in an unstructured manner in mix networks and might not be as effective as it could be. Some studies [15, 16, 18, 26, 27] have discussed and analyzed the use of dummy traffic for traffic analysis prevention.

If a mix node sends its messages to fewer than t nodes, dummy messages should be sent in such a way that t nodes receive messages. The larger t, the harder it is to mount the brute search attacks and intersection attacks.

Each mix node should send messages to at least t destinations outside the mix network (dummy messages should be used to fill the gaps). The larger t, the harder it is to mount the brute search attack. Furthermore, this technique also complicates attacks in which the adversary monitors the exit nodes.

Dummy messages can also be used to randomize the user's communication patterns by making the user send dummy traffic to the entry node. The challenge here is to have good security and minimize the amount of dummy messages used.

Finally, dummy messages could also be used to reduce the amount of time messages stay at a given node. It seems that waiting for s messages to enter a mix node before sending t (t > s) has similar security properties to waiting to receive t messages before releasing them. This trick could be used to reduce the time messages wait at nodes [18].

Routing. Routing can be either static, in which a preassigned number of routes are used, or dynamic, where the user chooses the nodes in his route randomly. For large Internet based systems especially, having the user choose the nodes in his route is a viable option because of the following reasons.

The nodes and users must "know" each other node, which might be impractical.

Some servers are far from each other and it doesn't make sense from a performance viewpoint to have, for example, a route consisting of nodes in Australia, Canada, South Africa and China.

Nodes should be "socially" independent. Ideally, the nodes in a route should belong to different organizations and be located in different legal jurisdictions. The whole idea behind using more than one node is that none of them has enough information to determine sender-recipient matchings. Hence, if all nodes in a route belong to the same organization we might as well just use a single node. The motivation for having nodes in different legal jurisdictions is that more than one subpoena needs to be obtained to compromise nodes legally.

PAGE 17

Normally, systems use static routes that allow mix nodes to associate each message with a connection identifier, which helps reduce the number of public key operations executed. But on the negative side, it is more susceptible to attacks because having fixed routes makes some of the attacks a lot easier to carry out.

Creating good network topologies and route finding algorithms with respect to security and efficiency is not a trivial task and needs a lot of analysis on the designer's part.

Node-Flushing Algorithm. As seen in Section 2.2, there are many different approaches to flushing nodes. Again, there is a security/practicality tradeoff: the longer messages can stay in mix-nodes the better the security (in most settings).

more users (in the same anonymity set. The mix servers in any anonymous tunnel are not known to the adversary,
in a particular order (lexicographic etc..)
used to encrypt the mix-network-internal protocol headers between two adjacent mix servers. This defeats traffic on the pattern of packets.
they are forwarded. This beats traffic analysis by looking at the sequence of incoming and outgoing packets
strings and - for an observer - are indistinguishable from real packets. Messages can be introduced either between client and first mix in the tunnel or end-to-end dummies between the client and the last mix in the constant, bi-directional packet streams between any two mixes or the clients and their first mix length of messages is no longer possible.

2.3.2 Classification of Mix Networks

We can classify mix networks based on the number of servers as static mix networks and dynamic mix-networks. Static mix-networks are made up of a relatively small number of highly available, powerful mixes with good network connectivity that serve a much larger number of users (e.g. 100 mixes, 100,000 users). These networks can either be operated commercially or by volunteers. Dynamic mix-networks are peer-to-peer based networks and every client is also a mix server.

The dynamic mix networks have several advantages compared to static mix networks. In theory, there are no limits in the number of users it can support, and

PAGE 18

since it is a peer-to-peer system, the barrier to join is low. Entry points (connections between client and first mix) are no longer visible, which makes end-to-end traffic analysis attacks more difficult to mount. With these advantages come new difficulties. Dynamic means nodes can join and leave at any time, so the anonymous tunnels are less stable and may need to be established frequently. Discovering a node is a problem and some nodes (using dialup) offer poor service, which degrades the quality of service of a tunnel.

attacker) becomes expensive.

We can also classify the mix network into two types based on the cryptographic alternative used: Decryption Mix Nets [3] and Re-encryption Mix Nets. Decryption Mix Nets take ciphertexts as input and decrypt them to get back the plaintext at the end-node. Re-encryption Mix Nets use the ElGamal cryptosystem's malleability property for re-encryption. So the ciphertext is re-encrypted to obtain the original text.

2.4 Real-time Mix Networks

On the practical side, several systems have been implemented to provide fast, secure and anonymous communication. These systems differ in terms of infrastructure costs, type of protection provided and the transparency provided to users.

2.4.1 Crowds

Crowds [19] was developed by Reiter and Rubin at the AT&T Laboratories. It aims to provide a privacy preserving way of accessing the web, without web sites being able to recognize which individual's machine is browsing. Crowds consists of a number of network nodes that are run by the users of the system. Web requests are randomly chained through a number of them before being forwarded to the web server hosting the requested data. The server will see a connection coming from one of the Crowds users, but cannot tell which of them is the original sender. In addition, Crowds uses encryption, so that some protection is provided against attackers who intercept a user's network connection. However, this encryption does not protect against an attacker who cooperates with one of the nodes that the user has selected, since the encryption key is shared between all nodes participating in a connection. Crowds is also vulnerable to passive traffic analysis: since the encrypted messages are forwarded

PAGE 19

without modification, traffic analysis is trivial if the attacker can observe all network connections. An eavesdropper intercepting only the encrypted messages between the user and the first node in the chain as well as the cleartext messages between the final node and the web server can associate the encrypted data with the plaintext using the data length and the transmission time.

2.4.2 Onion Routing

Onion Routing [7, 17, 24, 25] is the most famous of all anonymizing networks. In this system, a user sends encrypted data to a network of so-called Onion Routers (Chaum Mixes). A trusted proxy chooses a series of these network nodes and opens a connection by sending a multiply encrypted data structure called an "onion" to the first of them. Each router is a store-and-forward device which receives messages of fixed length from different sources, removes one layer of encryption, which reveals parameters such as session keys, and forwards the encrypted remainder of the onion to the next network node. An onion router can store messages for an indefinite amount of time waiting for the adequate number of messages, but this is practically not a feasible solution. The onion routers wait for a fixed amount of time, which weakens the protection in presence of low traffic. Once the connection is set up, an application specific proxy forwards HTTP data through the Onion Routing network to a responder proxy which establishes a connection with the web server the user wishes to use. The user's proxy multiply encrypts outgoing packets with the session keys it sent out in the setup phase; each node decrypts and forwards the packets, and encrypts and forwards packets that contain the server's response. The network model consists of core onion routers, the end-proxy routers and the links between them, through which the routers pass messages of fixed length. The routers form a complete graph among themselves so that every message has equal probability of being forwarded to any of the routers. All the links try to maintain the same bandwidth and this is achieved by sending dummy packets to pad the low-bandwidth links.

2.4.3 Babel

Babel [8] was designed in the mid-nineties. Babel offers sender anonymity, called the "forward path" and receiver anonymity, through replies travelling over the "return

PAGE 20

path". The forward part is constructed by the sender of an anonymous message by wrapping a message in layers of encryption. The message can also include a return address to be used to route the replies. The system supports bidirectional anonymity by allowing messages to use a forward path, to protect the anonymity of the sender, and for the second half of the journey they are routed by the return address so as to hide the identity of the receiver. While the security of the forward path is as good as in the secured original mix network proposals, the security of the return path is slightly weaker. The integrity of the message cannot be protected, thereby allowing tagging attacks, since no information in the reply address, which is effectively the only information available to intermediate nodes, can contain the hash of the message body. The reason for this is that the message is only known to the person replying using the return address. Babel also proposes a system of intermix detours. Messages to be mixed could be "repackaged" by intermediary mixes, and sent along a random route through the network. It is worth observing that even the sender of the messages, who knows all the symmetric encryption keys used to encode and decode the message, cannot recognise it in the network when this is done.

2.4.4 MixMaster

Mixmaster has been an evolving system since 1995 [5, 11]. It is the most widely deployed and used remailer system. It follows a message-based approach, namely it supports sending single messages, usually email, through a fully connected mix network. Mixmaster supports only sender anonymity. Messages are made bitwise unlinkable by hybrid RSA and EDE 3DES encryption, while the message size is kept constant by appending random noise at the end of the message. In version two, the integrity of the RSA encrypted header is protected by a hash, making tagging attacks on the header impossible. In version three the noise to be appended is generated using a secret shared between the remailer, and the sender of the message, included in the header. Since the noise is predictable to the sender, it is possible to include in the header a hash of the whole message therefore protecting the integrity of the header and body of the message. This trick makes replies impossible to construct since the body of the message would not be known to the creator of an anonymous address block to compute in the hash.

PAGE 21

Beyond the security features, Mixmaster provides quite a few usability features. It allows large messages to be divided in smaller chunks and sent independently through the network. If all the parts end up at a common mix, then reconstruction happens transparently in the network. So large emails can be sent to users without requiring special software. Recognising that building robust remailer networks could be difficult (and indeed the first versions of the Mixmaster server software were notoriously unreliable) it also allowed messages to be sent multiple times, using different paths. It is worth noting that no analysis of the impact of these features on anonymity has ever been performed.

2.4.5 Freedom

The Freedom [2] network consists of a set of nodes called Anonymous Internet Proxies (AIPs) which run on top of the existing Internet infrastructure. The user communicates by first selecting a series of nodes (a route), and then using this route to forward IP packets that are stripped of identifying information. This system is secure against denial-of-service attacks but is vulnerable to some general traffic analysis attacks such as packet counting attack, Wei Dai's attack, latency attack and clogging attack.

2.4.6 PipeNet

PipeNet was one of the early systems to be implemented. It is a synchronous network implemented on top of an asynchronous network. Routes are created through the network by choosing the intermediate hops uniformly at random. For providing further anonymity, a certain number of route creation requests are collected by a node, shuffled and then acted upon. The user establishes a shared key with each node on its route as part of the route creation process, using a key negotiation algorithm. The routes are padded end to end for their duration. End-to-end padding means that the originator creates all of the padding and the recipient (or exit node) strips the padding; each of the intermediate nodes is unable to distinguish padding from normal traffic, and just processes it as normal. This system provided protection against general traffic analysis but is vulnerable to Denial-of-Service attacks, which are more catastrophic in nature than the normal traffic analysis kind of attacks.

PAGE 22

2.4.7 Stop-And-Go Mixes

Stop-and-Go mixes [9] (sg-mix) present a mixing strategy that is not based on batches but delays. It aims at minimizing the potential for (n - 1) attacks, where the attacker inserts a genuine message in a mix along with a flood of his own messages until the mix processes the batch. It is then trivial to observe where the traced message is going.

Each packet to be processed by an sg-mix contains a delay and a time window. The delay is chosen according to an exponential distribution by the original sender, and the time windows can be calculated given all the delays. Each sg-mix receiving a message checks that it has been received within the time window, delays the message for the specified amount of time, and then forwards it to the next mix or final recipient. If the message was received outside the specified time window it is discarded. A very important feature of sg-mixes is the mathematical analysis of the anonymity they provide. It is observed that each mix can be modeled as a M/M/∞ queue, and a number of messages waiting inside it follow the Poisson distribution. The delays can therefore be adjusted to provide the necessary anonymity set size.

2.4.8 Tarzan

Freedman designed Tarzan [19], a peer-to-peer network in which every node is a mix. A node initiating the transport of a stream through the network would create an encrypted tunnel to another node, and ask that node to connect the stream to another server. By repeating this process a few times it is possible to have an onion encrypted connection, relayed through a sequence of intermediate nodes.

An interesting feature of Tarzan is that the network topology is somewhat restricted. Each node maintains persistent connections with a small set of other nodes, forming a structure called a mimics. Then routes of anonymous messages are selected in such a way that they will go through mimics and between mimics in order to avoid links with insufficient traffic. A weakness of the mimics scheme is that the selection of neighboring nodes is done on the basis of a network identifier or address which, unfortunately, is easy to spoof in real-world networks.
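The sg-mix check of Section 2.4.7 (per-hop exponential delay plus a time window, with out-of-window messages discarded), as an added Python example that is not code from the thesis or from the sg-mix authors. The transit-time bounds and the way the sender derives each window from them are assumptions made for illustration.

```python
import random
from dataclasses import dataclass

# Assumed bounds on one-hop network transit time, in seconds (hypothetical values).
MIN_TRANSIT = 0.05
MAX_TRANSIT = 0.50


@dataclass
class Hop:
    window_start: float  # earliest acceptable arrival time at this mix
    window_end: float    # latest acceptable arrival time at this mix
    delay: float         # how long this mix must hold the message


def build_route(send_time, n_hops, mean_delay, rng):
    """Sender side: draw one exponential delay per hop and derive each window."""
    hops = []
    earliest = latest = send_time
    for _ in range(n_hops):
        earliest += MIN_TRANSIT
        latest += MAX_TRANSIT
        delay = rng.expovariate(1.0 / mean_delay)
        hops.append(Hop(earliest, latest, delay))
        # The next window is shifted by the delay this mix will apply.
        earliest += delay
        latest += delay
    return hops


def sg_mix_process(hop, arrival_time):
    """Mix side: return the forwarding time, or None if the message is discarded."""
    if not (hop.window_start <= arrival_time <= hop.window_end):
        return None
    return arrival_time + hop.delay


def traverse(hops, send_time, transit, held_before_hop=None, hold=0.0):
    """Carry a message along the route, optionally holding it back before one hop.

    Returns (hops_passed, exit_time); exit_time is None if a mix discarded it.
    """
    t = send_time
    for i, hop in enumerate(hops):
        t += transit
        if i == held_before_hop:
            t += hold  # message withheld in transit, as in the delaying step of an n-1 attack
        t = sg_mix_process(hop, t)
        if t is None:
            return i, None
    return len(hops), t


if __name__ == "__main__":
    rng = random.Random(7)  # fixed seed so the constructed run is repeatable
    route = build_route(send_time=100.0, n_hops=3, mean_delay=2.0, rng=rng)
    print("honest delivery :", traverse(route, 100.0, transit=0.1))
    print("held 5 s at hop1:", traverse(route, 100.0, transit=0.1,
                                        held_before_hop=1, hold=5.0))
```

A message that is withheld long enough to isolate it misses its window at the next mix and is dropped, which is why the window check limits the (n - 1) attack described above.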

PAGE 23

2.5 Summary

In this chapter, we have presented in detail different types of mixes based on blending strategies and flushing conditions used. The mixes are divided into simple and pool mixes depending on whether the mix flushes all the messages or not. These two categories are further subdivided into timed and threshold mixes based on the flushing condition being a time interval or a threshold on number of messages. We can also have hybrid mix types, which have both timed and/or threshold properties.

We have also described anonymous communication systems based on mix networks. Various issues involved in the design of mix-networks are presented. This includes the most important issue of how much anonymity the network provides and which type of mix is used to assure such anonymity.

Finally, we discuss different real-time mix systems deployed, such as Crowds, Onion-Routing, MixMaster etc., and the functionalities provided in those systems. Different adversary models and attacks on mix networks are presented in the next chapter. The next chapter also discusses the anonymity metrics used in practice to measure the level of anonymity provided by an anonymizing system. It also describes the analysis technique used to analyze passive attacks on mixes.

PAGE 24

CHAPTER 3
ADVERSARY MODELS AND ATTACKS ON MIXES

In this chapter, we discuss the various adversary models, followed by different types of attacks. The attacks include active attacks such as timing attacks and denial of service attacks, and passive attacks which are mainly accomplished through traffic analysis.

3.1 Adversary Models

The adversary models discussed below are high level descriptions of the attacker's powers and limitations [6].

3.1.1 Internal and External Adversary

An adversary can be a user compromising communication media and network resources (external). An adversary can also be a compromised mix node, sender or a recipient trying to leak information to outsiders (internal).

3.1.2 Active and Passive Adversary

An active adversary can arbitrarily modify the messages and computations, cause interruption of service, fabricate new messages, and intercept the messages. Denial of service and loss of data are examples of interruption; spoofing and forging are examples of fabrication and modification. A passive adversary can only listen to the traffic. This is typically done by eavesdropping the network connections by wiretapping, or signal catching in case of wireless transmissions. We can also have a combination of active and passive adversaries. For example, an active external adversary can insert secret messages and a passive internal adversary can correlate the messages coming in a compromised node with messages going out.

3.1.3 Local, Restricted and Global Adversary

A global adversary has the ability to see link traffic on every link and control each and every resource in the network, whereas a local adversary can observe traffic only on certain links in the network. Depending on whether the adversary has complete control

PAGE 25

over few local links or restricted control over a certain area in the network, he is called a local or a restricted adversary.

3.1.4 Static and Adaptive Adversary

A static adversary chooses the tools required before the attack protocol starts and can't change them later in the middle of the attack. Most of the brute force attacks (e.g. password crackers) come under this category, since the attacker exhausts all combinations of inputs using an automated tool, which normally is not adaptive. Adaptive adversaries use different tools and resources depending on the response they receive from the previous stage of attack. They can, for example, "follow" messages that are tagged with the original message.

3.2 Attacks on Mixes

The attacks described below are high level descriptions of the attacker's schemes and not dependent on any specific implementation [18]. We assume that there are no known implementation weaknesses in the system. The attacker can have any combination of adversary powers discussed in the previous section. In the security literature, the attacks are broadly classified into two main categories: active and passive attacks.

3.2.1 Active Attacks

An active attack is one in which the intruder may transmit messages, replay old messages, modify messages in transit, or delete selected messages from the wire. A typical active attack is one in which an intruder impersonates one end of the conversation, or acts as a man-in-the-middle. Active attacks often have asymmetric characteristics in that the attacker's location makes one of the communicating parties more vulnerable. Some of the common active attack schemes used are discussed briefly.

Brute Force Attack. This is the simplest and most inefficient of the attacks. Brute force attack is an attack that requires trying all (or a large fraction of all) possible values until the right value is found. In case of mixes, the adversary may want to follow every possible path the message could have taken (passive external adversary). Using this attack, the attacker is able to construct a list of possible recipients for a particular

PAGE 26

message in most cases. But if the mix or mix-network is not designed well, the attacker may be able to establish the sender-receiver correspondence.

To illustrate the working of brute force attack, let us consider a mix network with individual nodes as threshold mixes with a threshold n. Let us also assume that the messages go through exactly d mix nodes.

The attacker follows a message from the sender to the first mix node.
The attacker then follows each of the n messages being flushed from the first mix node. To do this, the attacker needs to observe n different links, if all the second level mixes are different.
The attacker continues this way till the route length is d nodes. At this point, the attacker would have been following n^d messages. From these n^d messages, the attacker now has to choose only those messages that leave the mix network.

In the worst case, the attacker can learn the exact receiver from this attack. If the mix is designed for perfect anonymity, the attacker may end up having n^d possibilities. Dummy messages are normally used as the countermeasure against brute force attack.

Denial-of-service attack. A denial of service (DoS) attack is an incident in which a user or organization is deprived of the services of a resource they would normally expect to have. Network flooding, spamming, port hammering, SYN attack (in case of the TCP protocol), and disk or memory exhaustion are some well known techniques of mounting a DoS attack. By rendering some mix-nodes inoperational, the adversary tries to gain information about the routes chosen by the remaining nodes in case of static networks and by certain senders in case of dynamic mix networks.

Message-delaying attack. In this scheme, the attacker can withhold messages until he can obtain enough resources (i.e., links, nodes) or until the network becomes easier to monitor (or to see if the possible recipients receive other messages, etc.). In defense of this attack, the mix nodes should be equipped to verify authenticated timing information.

Message-tagging attack. For this type of attack, an active internal adversary with control over the first and last node in a message route is needed. To launch the attack, the attacker can simply tag messages at the first node in such a way that the exit node can spot them. Since the entry node knows the sender and the exit node the recipient,

PAGE 27

the system is broken. To prevent this attack, measures should be taken to minimize or eliminate the possibility of message tagging.

Node-flushing or blending attack. This attack was first mentioned by David Chaum [21] in his seminal paper. The flushing attack is very effective and can be mounted by an active global adversary. A spamming attack or n-1 attack is a very good example for this type of attack. The capabilities of the adversary include delaying (removing) messages and inserting arbitrarily many messages into the system in a short time. The attack is illustrated in case of a simple threshold mix (n).

The attacker observes the target message leaving the sender and delays it.
The attacker now sends fabricated messages until the mix fires.
As soon as the mix fires, he stops all other messages to the mix and sends the target message along with n-1 of his own messages.
After the mix fires, the attacker can easily recognize his n-1 messages and therefore determine the destination of the target message.

This is an exact attack; that is, it provides the adversary with the exact receiver rather than a set of receivers as in case of the brute force attack. Also note that this attack is mix specific and does not depend on the rest of the mix-network.

Timing attack. In this attack, the adversary uses the fact that different routes can take different amounts of time. Given the set of messages coming into the mix-network and the set of outgoing messages, the adversary uses the route time information to establish a correlation between a certain set of incoming and outgoing messages.

The attacker doesn't need to carry out the expensive brute force or flushing attacks to determine the route taken. If the attacker has access to one of the communicating parties, he might be able to infer which route is taken by simply computing the round trip time (that is, calculating the time it takes to receive a reply).

This attack can be prevented by using variable delay mixes, which wait for a random amount of time before firing. This would cause uncertainty in estimating the route lengths if the time taken is very close in magnitude.

Wei Dai's Attack. In this attack, the attacker wishes to defeat the traffic shaping mechanisms [1] that attempt to hide the real volumes of traffic on an anonymous channel. The attacker creates a route using the link that he wishes to observe, and

PAGE 28

slowly increases the traffic on it. The router will not know that the stream or streams are all under the control of the attacker, and at some point will signal that the link has reached its maximum capacity. The attacker then subtracts the volume of traffic he was sending from the maximum capacity of the link to estimate the volumes of honest traffic.

Disclosure attack. The formal model on which the disclosure attack is based is quite simple. A single mix is used by b participants each round, one of them always being Alice, while the other (b - 1) are chosen randomly out of a total number of N - 1 possible participants. The threshold of the mix is b so it fires after each of the round's participants has contributed one message. Alice chooses the recipient of her message to be a random member of a fixed set of m recipients. Each of the other participants sends a message to a recipient chosen uniformly at random out of N potential recipients. We assume that the other senders and Alice choose the recipients of their messages independently from each other. The attacker observes R_1, ..., R_t, the recipient anonymity sets corresponding to t messages sent out by Alice during t different rounds of mixing. The attacker then tries to establish which out of all potential recipients each of Alice's messages was sent to.

The original attack as proposed by Kesdogan et al. [9] first tries to identify mutually disjoint sets of recipients from the sequence of recipient anonymity sets corresponding to Alice's messages. This operation is the main bottleneck for the attacker since it takes a time that is exponential in the number of messages to be analyzed.

3.2.2 Passive Attacks

A passive attack is one in which the intruder attempts to intercept and read data without altering it. Passive monitoring attacks are often symmetric - if the attacker can see the traffic from Alice to Bob on a particular link, there's a good chance that he/she can see the traffic in the reverse direction.

Communication-pattern attack. By simply looking at the communication patterns (when users send and receive), one can find out much useful information. Communicating participants normally don't "talk" at the same time, that is, when one party

PAGE 29

is sending, the other is usually silent. The longer an attacker can observe this type of communication synchronization, the less likely it's just an uncorrelated random pattern. This attack can be mounted by a passive adversary that can monitor entry and exit mix nodes. Law enforcement officials might be quite successful mounting this kind of attack as they often have a-priori information: they usually have a hunch that two parties are communicating and just want to confirm their suspicion.

Packet-counting attack. These types of attacks are similar to the other passive attacks in that they exploit the fact that some communications are easy to distinguish from others. If a participant sends a non-standard (i.e., unusual) number of messages, a passive external attacker can spot these messages coming out of the mix-network. In fact, unless all users send the same number of messages, this type of attack allows the adversary to gain non-trivial information. The packet counting and communication pattern attacks can be combined to get a message frequency attack (this might require more precise timing information). Communication pattern, packet counting and message frequency attacks are sometimes referred to as traffic shaping attacks and are usually dealt with by imposing rigid structures on user communications. Notice that protocols achieving "network unobservability" are immune to these attacks.

Intersection Attack. An attacker having information about what users are active at any given time can, through repeated observations, determine what users communicate with each other. This attack is based on the observation that users typically communicate with a relatively small number of parties. For example, the typical user usually queries the same web sites in different sessions (his queries aren't random). By performing an operation similar to an intersection on the sets of active users at different times it is probable that the attacker can gain interesting information.

Probabilistic or Partial Attack. Most of the preceding attacks can be carried out partially, that is, the attacker can obtain partial or probabilistic information. For example, he could deduce with probability p that A is communicating with B or A is not communicating with B, C and D.

Covert Channels. Covert channels are discussed in Section 4.2.5.

PAGE 30

3.3 Summary

In this chapter, we present novel attacks on a mix node or a mix-network and the adversary models used to accomplish these attacks. The adversary can be an insider or an external observer, an active attacker or a passive eavesdropper, a local attacker or a global adversary who has control over the whole network.

The attacks are divided into active and passive attacks. Active attacks involve modification, fabrication, and interception of messages by the attacker. Some well known examples are brute force attack, Denial-of-Service (DoS) attack, and node flushing attack. Passive attacks allow an attacker to compromise anonymity through observing the network traffic for traffic patterns, packet counts, packet sizes etc. Passive attacks are very difficult to detect and may prove to be very harmful.

Chapter 4 presents the various anonymity metrics and the analysis technique being used to analyze various attacks with distinct adversary models.

PAGE 31

CHAPTER 4
ANONYMITY METRICS AND ANALYSIS TECHNIQUE

This chapter describes information theoretic models, proposed in the literature, to quantify the degree of anonymity provided by different systems of mix networks. At first we discuss the use of anonymity sets as the measure of anonymity and then we go on to analyze the entropy based and route based metrics. Finally, we present anonymity analysis of real-time anonymizing systems such as Onion Routing and Crowds.

4.1 Anonymity

electronic voting.

Anonymity can be classified as connection anonymity and data anonymity. Data anonymity is about hiding the contents of the packet sent and received in a particular session. Data anonymity is normally achieved by encryption. Connection anonymity is about hiding identities of the source and the destination during the actual information exchange.

As discussed by Reiter and Rubin [19], there are three types of connection anonymity: sender anonymity, receiver anonymity, and unlinkability of sender and receiver. Sender anonymity means that the identity of the party who sent a message is hidden, while its receiver (and the message itself) might not be. Receiver anonymity similarly means that the identity of the receiver is hidden. Unlinkability of sender and receiver means that though the sender and receiver can each be identified as participating in some communication, they cannot be identified as communicating with each other.

A second aspect of anonymous communication is the adversary model against which these properties are achieved. The attacker might be an eavesdropper that can observe some or all messages sent and received, collaborations consisting of some senders, receivers, and other parties, or variations of these. Different types of attacks and adversary models have been discussed in Chapter 3.

PAGE 32

We can't provide "perfect" privacy since the number of possible senders and recipients is bounded. So, for example, if there are only two parties on the network, an attacker having access to this information can trivially determine who is communicating with whom. The best we can hope for is to make all possible sender-recipient matchings look equally likely. That is, the attacker's view's statistical distribution should be independent from the actual sender-recipient matchings.

4.2 Anonymity Metrics

Many real-time anonymity systems have been deployed in the past decade, Onion Routers and Crowds being a few examples. With each of these systems providing different levels of anonymity, there is a definite need to have standard metrics to classify the levels of anonymity provided. Information theory has been proven to be a useful tool to measure the amount of information. This can be used in measuring the information gained by the attacker. Depending on the power of the attacker and the circumstances, we can quantify the anonymity level provided by the system.

4.2.1 Anonymity Sets

Traditionally, anonymity sets have been used to measure the anonymity of mix systems. The notion of anonymity sets was introduced by Chaum for modeling security of DC-Net (Dining Cryptographers' Networks) [3].

Chaum defines the anonymity set as the set of participants who could have sent a particular message, as seen by a global observer who has also compromised a set of nodes [4]. The size of the anonymity set is a good indicator of how good the anonymity provided by the system really is. In the best case, the anonymity set is equal to the number of users, which means any user has equal probability of sending the message. In the worst case, the size is one, which means there is no anonymity in the network.

4.2.2 Problems with Anonymity Set Size

The attacks against DC networks presented in [4] can only result in partitions of the network in which all the participants are still equally likely to have sent or received a particular message. Therefore the size of the anonymity set is a good metric of the quality of the anonymity offered to the remaining participants.

PAGE 33

In the stop-and-go system [9] definition, the authors realize that different senders may not have been equally likely to have sent a particular message, but choose to ignore it. If different participants accounted in the anonymity set are not equally likely to be the senders or receivers, a designer might be tempted to distribute amongst many participants some possibility that they were the senders or receivers while allowing the real sender or receiver to have an abnormally high probability. The cardinality of the anonymity set is in this case a misleading measure of anonymity. In the standardization attempt, we see that there is an attempt to state, and take into account, this fact in the notion of anonymity, yet a formal definition is still lacking. Serjantov and Danezis [20] discuss this fact in their paper and conclude that it is unwisely ignored in the literature but can give a lot of extra information to the attacker.

The Pool Mix. We discuss the case of the pool mix to further emphasize the dangers of using sets and their cardinalities to assess and compare anonymity systems. This mix always stores a pool of n messages. When incoming N messages have accumulated in its buffer, it picks n randomly out of the n + N it has, and stores them, forwarding the remaining N in the regular manner. The details of the pool mix have been described in Section 2.2.

There is always a small probability that any message that has ever gone into the mix has never left it. Therefore, the sender of every message should be included in the anonymity set. At this point if we consider the anonymity provided by this system in terms of anonymity set size, it would include all the messages gone into the mix. We notice that the anonymity set is independent of the size of the pool, n, which intuitively suggests that the anonymity metric used is inappropriate.

Knowledge Vulnerability. The anonymity set metric is also vulnerable when the attacker has additional knowledge about the system. Consider the arrangement of mixes in Figure 4-1. The small squares in the diagram represent senders, labeled with their name. The bigger boxes are mixes, with threshold of 2. Some of the receivers are labeled with their sender anonymity sets.

Notice that if the attacker somehow establishes the fact that, for instance, A is communicating with R, he can derive the fact that S received a message from E.

PAGE 34

[Figure 4-1: Vulnerability of Anonymity Sets. Diagram labels: Mix-1, Mix-2, Mix-3, Mix-4; A, B, C, D, E; P, Q, R, S.]

Indeed, to expose the link E → S, all the attacker needs to know is that one of A, B, C, D is communicating to R. And yet this is in no way reflected in S's sender anonymity set (although E's receiver anonymity set, as expected, contains just R and S).

It is also clear that not all senders in this arrangement are equally vulnerable to this, as is the fact that other arrangements of mixes may be less so. Although we have highlighted the attack here by using mixes with threshold of 2, it is clear that the principle can be used in general to cut down the size of the anonymity set.

4.2.3 Entropy

Serjantov and Danezis [20] formalized the use of entropy as anonymity metric and extended it to calculate the anonymity in a system of mixes. The principal insight behind the metric (entropy) is that the goal of an attacker is the unique identification of an actor (sender or receiver), while at the same time the goal of the defender is to increase the attacker's workload to achieve this. Therefore we chose to define the anonymity provided by a system as the amount of information the attacker is missing to uniquely identify an actor's link to an action.

PAGE 35

The term information is used in a technical sense in the context of Shannon's information theory [22]. Therefore we define a probability distribution over all actors i, describing the probability they performed a particular action. As one would expect, the sum of these probabilities must always be equal to one.

$$\sum_{i} \Pr[i] = 1$$

As soon as the probability distribution above is known, one can calculate the anonymity provided by the system as a measure of uncertainty that the probability distribution represents. In information theoretic terms this is represented by the entropy of the discrete probability distribution. Therefore we call the effective anonymity set size of a system the entropy of the probability distribution attributing a role to actors given a threat model. It can be calculated as

$$A = [\,i\,] = \sum_{i} \Pr[i] \log \Pr[i]$$

This metric provides a negative quantity representing the number of bits of information an adversary is missing before they can uniquely identify the target. A similar metric based on information theory was proposed by Diaz et al. [6]. Instead of directly using the entropy as a measure of anonymity, it is normalized by the maximum amount of anonymity that the system could provide. This has the disadvantage that it is more a measure of fulfilled potential than anonymity. An anonymity size of 1 means that one is as anonymous as possible, even though one might not be anonymous at all. The non-normalized entropy based metric we propose intuitively provides an indication of the size of the group within which one is hidden. It is also a good indication of the effort necessary for an adversary to uniquely identify a sender or receiver.

4.2.4 Route Length

In the previous section, we have demonstrated that entropy based metrics can give the attacker more information about the system than just anonymity sets.
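The pool-mix argument of Section 4.2.2 and the entropy metric of Section 4.2.3 worked through together, as an added Python example that is not code from the thesis. It assumes the logarithm is taken to base 2 (the text speaks of bits) and, as a modelling choice, attributes the initial pool contents to a single actor labelled "mix".

```python
import math


def anonymity_A(probs):
    """A = sum_i Pr[i] * log2 Pr[i]: zero or negative, as stated in Section 4.2.3."""
    return sum(p * math.log2(p) for p in probs if p > 0)


def pool_mix_distribution(pool_n, batch_N, rounds):
    """Sender distribution for one message observed leaving in the last round.

    Pool mix of Section 4.2.2: each round the mix holds pool_n + batch_N
    messages, keeps pool_n picked at random and forwards the other batch_N.
    Every round brings batch_N arrivals from distinct senders.
    """
    total = pool_n + batch_N
    stay = pool_n / total  # chance that a held message is kept for another round
    dist = {}
    for age in range(rounds):  # age 0 = arrived in the round being observed
        p_each = (stay ** age) / total
        arrival_round = rounds - age
        for k in range(batch_N):
            dist[f"round{arrival_round}-sender{k}"] = p_each
    # Assumption: the pool the mix started with counts as one actor, "mix".
    dist["mix"] = stay ** rounds
    return dist


def summarize(pool_n, batch_N, rounds):
    """Compare the set-cardinality metric with the entropy metric."""
    probs = list(pool_mix_distribution(pool_n, batch_N, rounds).values())
    bits = -anonymity_A(probs)
    return {
        "set_size": sum(1 for p in probs if p > 0),  # anonymity set cardinality
        "bits_missing": bits,                        # magnitude of A
        "equivalent_uniform_set": 2 ** bits,         # uniform set with the same entropy
        "total_probability": sum(probs),
    }


if __name__ == "__main__":
    # Constructed parameters: batches of 10 messages, 50 rounds, three pool sizes.
    for pool in (0, 10, 100):
        s = summarize(pool_n=pool, batch_N=10, rounds=50)
        print(f"pool={pool:3d}  set size={s['set_size']:3d}  "
              f"bits={s['bits_missing']:.2f}  "
              f"uniform-equivalent={s['equivalent_uniform_set']:.1f}")
```

For any non-zero pool the set cardinality is the same, while the entropy grows with the pool size, which is the discrepancy the pool-mix discussion points out.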

We note that the standard attacks aimed at reducing the size of the anonymity set will now have the effect of narrowing the anonymity probability distribution. If we consider this distribution as a set of pairs (of a sender and its respective non-zero probability of having sent the message), then narrowing the probability distribution is the process of deriving that some senders have zero probability of sending the message and can therefore be safely excluded from the set.

As suggested in [20], route length is important and some arrangements of mixes are more vulnerable to route length based attacks than others. If the attacker knows the maximum route length allowed by the mix system, then he can eliminate all the routes longer than the maximum length. This reduces the entropy of the anonymity probability distributions without affecting the underlying anonymity set. Hence, the maximum route length should be taken into account when calculating anonymity sets.

Several mix systems have been designed to remove the maximum route length constraint, for instance via tunneling in Onion Routing [17] or Hybrid mixes, but it exists in fielded systems such as Mixmaster [5, 11] (maximum route length of 20) and so can be used by the attacker. It may also be possible to obtain relevant information by compromising a mix. Some mix systems will allow a mix to infer the number of mixes a message has already passed through and therefore the maximum number of messages it may go through before reaching the destination. Such information would strengthen our attack, so care needs to be taken to design mix systems (such as Mixmaster [5]) which do not give it away.

examples of covert channels, covert channel analysis (CCA) and covert channels arising in mix networks.

4.2.5 Covert Channels

Covert channels can be either innocuous or harmful. Innocuous channels are consistent with the intent of the system's security policy. They may result in surprising system behaviors, but do not place the system or the information that it protects at risk. Harmful covert channels are information flows that are contrary to the intent of the system's security policy.

Several definitions for covert channels have been proposed in literature, such as the following:

Definition 1: A communication channel is covert if it is neither designed nor intended to transfer information at all.

Definition 2: A covert channel is a mechanism that can be used to transfer information from one user of a system to another using means not intended for this purpose by the system developers.

Definition 3: Covert channels "will be defined as those channels that are a result of resource allocation policies and resource management implementation."

All the above definitions are vague (What is information? What is intent?) and omit any discussion of security. None of the above definitions brings out explicitly the notion that covert channels depend on the type of mandatory access control (e.g., Bell-LaPadula or Biba model) policy being used and on the policy's implementation within a system design. A new definition using these concepts can be provided that is consistent with the TCSEC definition of covert channels:

"A covert channel is a communication channel that allows a process to transfer information in a manner that violates the system's security policy"

In any scenario of covert channel exploitation, one must define the synchronization relationship between the sender and the receiver of information. Thus, covert channels are characterized by the synchronization relationship between the sender and the receiver. The purpose of synchronization is for one process to notify the other process that it has completed reading or writing a data variable. Therefore, a covert channel may include not only a covert data variable but also two synchronization variables, one for sender-receiver synchronization and the other for receiver-sender synchronization. Any form of synchronous communication requires both the sender-receiver and receiver-sender synchronization, either implicitly or explicitly.

However, sender-receiver synchronization may still need a synchronization variable to inform the receiver of a bit transfer. A channel that does not include sender-receiver synchronization variables in a system allowing the receiver-sender transfer of messages is called a quasi-synchronous channel.
In all patterns of sender-receiver synchronization, synchronization data may be included in the data variable itself at the expense of some bandwidth degradation.

Packet-formatting bits in ring and Ethernet local area networks are examples of synchronization data sent along with the information being transmitted. Thus, explicit sender-receiver synchronization through a separate variable may be unnecessary.

Covert channels are a more serious problem in a network system. Network traffic analysis is much easier than monitoring CPU timing and process scheduling. A network covert channel can be based on either timing or spatial information of the traffic flow pattern. Using spatial information, an eavesdropper observing network traffic can observe the size and destination of the packets to get information. In collaboration with an internal active adversary, the covert channel can be coded by varying the packet size and destination. Using timing information, a covert channel is represented by the frequency and burstiness of the packet generation. The next subsection discusses a particular type of covert channel existing in mix networks.

4.2.6 Covert Channels in Mix Networks

An insider can use the exit-mix server to covertly communicate with an external passive eavesdropper by using the information that the eavesdropper (Eve) can probabilistically determine if the insider (Alice) sends a message in a particular time interval. This is an example of a one-directional network covert channel, and was first discovered by Newman, Moskowitz, Crepeau, and Miller [13].

To illustrate the channel, let us assume that we have a simple exit-mix server. Alice, the insider, wants to transfer information covertly to the eavesdropper, Eve. The only action that Eve can take is to count the number of messages per t going from the Mix-firewall to each of the receivers, since the messages are indistinguishable.

In a perfect noiseless scenario with a single receiver, Alice can transmit bits 1 and 0 to Eve by sending a message or not sending a message. Alice can use a predecided encoding to send important information through this channel.

The external adversary model can be either a global model, which has control over all the links originating from the mix as shown in Figure 4-3, or a restricted model, which can count the number of messages between two enclaves as shown in Figure 4-2.

4.2.7 Covert Channel Capacity as Anonymity Metric

In the covert channel scenario presented in the previous subsection, Alice can obviously leak considerable information to Eve. The ability to communicate covertly arises due to a lack of anonymity. If there were "perfect" anonymity, then we would not expect to find a covert channel [13]. By measuring the amount of covert information that may be leaked through less than perfect anonymity, we can obtain an estimate of the anonymity provided by the system.

The mutual information is a good indication of interference between sender and eavesdropper. One way to measure this is by estimating the lower bound of capacity. Shannon's Information Theory [22] is used to calculate the mutual information and the capacity of the channel (which is the maximum value of mutual information). The analysis technique and capacity calculations are presented in Section 4.3.

In the initial work [13], it is shown that as system level anonymity increases in the simple mix models (i.e., the number of potential senders increases), the minimum capacity decreases to zero. However, as the probability that a Clueless sender transmits in a given tick increases, the expected number of actual senders in a given time tick also increases, hence the anonymity increases, but the capacity of the covert channel increases once this probability exceeds 0.5.

of network design.

4.3 Analysis Technique

In this section we present some scenarios for covert channels arising when using a mix server for different adversary models and network settings. The next subsection discusses the network channel matrix and capacity estimation.

4.3.1 Scenarios

There is always one special transmitting node in a network called Alice, which is malicious. Alice has the capabilities of an active internal adversary and can be either static or dynamically adapt to retain the covert channel.

Alice and possibly other transmitters (assume N) have legitimate business transmitting messages to a set of receivers $R_i \mid i = 1, 2, \ldots, M$. These transmitters act completely

independently of one another, and have no direct knowledge of each other's recent transmission behavior.

Alice may have some general knowledge of the long-term traffic levels produced by the other transmitters, e.g., the number of other transmitters and their probabilistic behavior, which can allow Alice to write a code that can improve the covert communication channel's data rate. She cannot, however, perform short-term adaptation to their behavior.

We also assume that there is a clock, and that transmissions only occur in the unit interval of time called a tick. Any subset of transmitters can each either send a single message to a single receiver in a tick, or not send a message at all. Each transmitter in a tick can send to a different receiver, and two or more transmitters may send to the same receiver in the same tick. All messages' contents are encrypted end-to-end.

[Figure 4-2: Restricted Passive Adversary Model. Diagram of Enclave 1, Enclave 2 and Eve.]

There is also an eavesdropper on the network called Eve. Since all transmissions are encrypted, they appear to the eavesdropper Eve as having indistinguishable content. Eve may be either a global passive adversary (GPA), with the ability to see link traffic on every link in the network, or a restricted passive adversary (RPA), with the ability to observe traffic only on certain links.

Alice is not allowed any direct communication with Eve. However, Alice can influence what Eve sees on the network. We study network scenarios that attempt to achieve a degree of anonymity with respect to the network communication. That is, the networks are designed with various anonymity devices to prevent Eve from learning who is sending a message to whom. Even if a certain degree of anonymity is achieved, it still may be possible for Alice to communicate covertly with Eve.

4.3.2 Channel Matrix

Between Alice and the N clueless senders, there are N + 1 possible senders per t, and there are M + 1 possible actions per sender (since each sender may or may not transmit, and if it does transmit, it transmits to exactly one of the M receivers).

[Figure 4-3: Global Passive Adversary Model. Diagram of Alice, receivers R_1 to R_M, and Eve.]

We consider Alice to be the input to the quasi-anonymous channel, which is a proper communications channel [22]. Alice can send to one of the M receivers or not send a message. Thus, we represent the inputs to the quasi-anonymous channel by the M + 1 input symbols $0, 1, \ldots, M$, where $i = 0$ represents Alice not sending a message, and $i \in \{1, \ldots, M\}$ represents Alice sending a message to the i-th receiver $R_i$. However, note that the "receiver" in the quasi-anonymous channel is Eve. Eve receives the output symbols $e_j$, $j = 1, \ldots, K$. Eve receives $e_1$ if no sender sends a message.

The quasi-anonymous channel that we have been describing is a discrete memoryless channel (DMC). We define the channel matrix M as an $(M + 1) \times K$ matrix, where $M[i,j]$ represents the conditional probability that Eve observes the output symbol $e_j$ given that Alice input $i$.

$$M_{M+1,K} = \begin{array}{c|cccccccc}
 & 0 & 1 & 2 & \cdots & j & j+1 & \cdots & K \\ \hline
0 & p_{0,0} & p_{0,1} & p_{0,2} & \cdots & p_{0,j} & p_{0,j+1} & \cdots & p_{0,K} \\
1 & p_{1,0} & p_{1,1} & p_{1,2} & \cdots & p_{1,j} & p_{1,j+1} & \cdots & p_{1,K} \\
2 & p_{2,0} & p_{2,1} & p_{2,2} & \cdots & p_{2,j} & p_{2,j+1} & \cdots & p_{2,K} \\
\vdots & \vdots & \vdots & \vdots & & \vdots & \vdots & & \vdots \\
i & p_{i,0} & p_{i,1} & p_{i,2} & \cdots & p_{i,j} & p_{i,j+1} & \cdots & p_{i,K} \\
\vdots & \vdots & \vdots & \vdots & & \vdots & \vdots & & \vdots \\
M & p_{M,0} & p_{M,1} & p_{M,2} & \cdots & p_{M,j} & p_{M,j+1} & \cdots & p_{M,K}
\end{array}$$

The number of symbols seen by Eve may vary, depending on the adversary model considered. For example, with an RPA observing a link between two mix-enclaves, the number of symbols observed by Eve is N + 1. Whereas if a GPA is observing all the links going out of an exit-mix, the number of possible symbols is much higher and a function of the receivers, M N + 1 senders can send or not send, at most one message each, out of the private enclave, provided at least one sender does send a message. For example there is only one output symbol observed by Eve for the N + 1 ways that one, and only one sender, can send a message to $R_1$.

We model Alice according to the following distribution each t:

$$P(\text{Alice sends a message to } R_i) = x_i$$

From the above equation, we get

$$x_0 = P(\text{Alice doesn't send a message}) = 1 - \sum_{i=1}^{M} x_i.$$

We let A represent the distribution for Alice's input behavior, and we denote by E the distribution of the output symbols that Eve receives. Thus, the channel matrix M along with the distribution A totally determine the quasi-anonymous channel. This is because the elements of M take the distributions $C_i$ into account, and M and A let one determine the distribution E describing the outputs that Eve receives, $P(\text{Eve receives } e_j)$.

Given a discrete random variable X, taking on the values $x_i$, $i = 1, \ldots, n_X$, the entropy of X is

$$H(X) = -\sum_{i=1}^{n_X} p(x_i) \log p(x_i).$$

We use $p(x_i)$ as a shorthand notation for $P(X = x_i)$. Given two such discrete random variables X and Y we define the conditional entropy (equivocation) to be

$$H(X|Y) = -\sum_{i=1}^{n_Y} p(y_i) \sum_{j=1}^{n_X} p(x_j|y_i) \log p(x_j|y_i).$$

Given two such random variables we define the mutual information between them to be

$$I(X,Y) = H(X) - H(X|Y).$$

Note that $H(X) - H(X|Y) = H(Y) - H(Y|X)$, so we see that $I(X,Y) = I(Y,X)$.

For a DMC whose transmitter random variable is X, and whose receiver random variable is Y, we define the channel capacity [22] to be:

$$C = \max_X I(X,Y),$$

where the maximization is over all possible distribution values $p(x_i)$ (that is, the $p(x_i)$ are all non-negative and sum to one).

For us, the capacity of the covert channel between Alice and Eve is

$$C = \max_x \{ H(E) - H(E|A) \},$$

where the maximization is over the different possible values that the $x_i$ may take (of course, the $x_i$ are still constrained to represent a probability distribution). Recall $M[i,j] = P(E = e_j | A = i)$, where $M[i,j]$ is the entry in the i-th row and j-th column of the channel matrix, M.

4.4 Summary

In this chapter we have defined the objectives of anonymous communication, and the threats against it. We have shown how using the anonymity set as a metric can lead to wrong results. The pool mix was used as an example to illustrate how the anonymity set showed perfect anonymity, when it was intuitively not possible.

We presented entropy as a metric measuring anonymity, based on Shannon's information theory. This represents how much information an adversary is missing to identify the sender or the receiver of a target message. Using covert channel capacity as a measure of anonymity is discussed, followed by covert channel scenarios in mix networks. Finally, we present the channel matrix as the tool to estimate the channel capacity.

CHAPTER 5
PREVIOUS WORK AND THE EXIT-MIX MODEL

This chapter presents the previous work done (which forms the basis of our work), exit-mix firewall model setup and assumptions. It describes the conventions and terminology used, the message distribution probabilities, traffic adversary model and channel matrix in detail.

5.1 Capacity Analysis for Indistinguishable Receivers Case

The initial work [13] analyzed the situation where there are two enclaves, communication between them is encrypted, and packets are sent only from the first enclave (which contains Alice) to the second (Fig. 4-2). Eve is able to monitor the communication from the first enclave to the second. Anonymity is "achieved" in that an eavesdropper such as Eve (as RPA) does not "know" who is sending a message (that is hidden inside of the first enclave) nor who is receiving the message (this can only be known if one is interior to the second enclave). Eve is only allowed to know how many messages per tick travel from the first enclave to the second. Nonetheless, Alice attempts to communicate covertly with Eve.

The input symbols for this channel are 0, which signifies that Alice is not transmitting a message to any receiver, and $0^c$, which signifies that Alice is transmitting a message to some receiver (keep in mind that Alice is oblivious to the other transmitters).

We break Scenario down into three cases: case 5.1.1, case 5.1.2, and case 5.1.3. Case 5.1.3 is the general form of Scenario and the first two are simplified special cases.

5.1.1 Case 0: Alice Alone

This is the case where N = 0. Alice is the only transmitter. Alice sends either 0 (by not sending a message) or $0^c$ (by sending a message). Eve receives either $e_0 = 0$ (Alice did nothing) or $e_1 = 1$ (Alice sent a message to a receiver). The capacity of this noiseless covert channel is 1.

Note though the capacity is the maximum, over the probability x for Alice inputting a 0, of the mutual information $I(E,A)$. A is the distribution for Alice described by x, and E is the distribution for Eve. Since there is no noise, I is simply the entropy $H(E)$ describing Eve (which is maximized to 1 when x = .5).

$$I(E,A) = H(E) = -x \log x - (1 - x) \log(1 - x).$$

5.1.2 Case 1: Alice and One Additional Clueless Transmitter

In this case N = 1. Therefore, Eve receives:

0 if neither Alice nor Clueless transmit;
1 if Alice does not transmit and Clueless does transmit, or Clueless transmits and Alice does not; or
2 if both Alice and Clueless transmit.

[Figure 5-1: Channel Model for Subsection 5.1.1. A) Channel block diagram (A, anonymizing network, E). B) Channel transition diagram (inputs 0 and $0^c$, outputs 0, 1 and 2).]

Figure 5-1B shows the output symbols corresponding to the three states E might perceive. Let us consider the channel matrix.

$$M_{2.1} = \begin{array}{c|ccc}
 & 0 & 1 & 2 \\ \hline
0 & p & q & 0 \\
0^c & 0 & &
\end{array}$$

The $2 \times 3$ channel matrix $M_{2.1}[i,j]$ represents the conditional probability of Eve receiving the symbol j when Alice sends the symbol i. It follows that p = , and thus it trivially follows that q = . So our channel matrix simplifies to:

$$\begin{array}{c|ccc}
 & 0 & 1 & 2 \\ \hline
0 & p & q & 0 \\
0^c & 0 & p & q
\end{array}$$

The probability that Alice sends a 0 is $P(A = 0) = x$, and therefore $P(A = 0^c) = 1 - x$. The term x is the only term that can be varied to achieve capacity. Here is where Alice may use knowledge of long-term transmission characteristics of the other transmitters, as well as how many other transmitters there are, to change her (long-term) behavior. As with other studies of covert channels [12] we are not concerned with source coding/decoding issues [22]. Our concern is the limits on how well a transmitter can "optimize" its bit rate to a receiver, given that a channel is noisy. The capacity of the covert channel between Alice and Eve is

$$C = \max_x \{ H(E) - H(E|A) \}.$$

Given the above channel matrix we have:

$$H(E) = -\{ px \log px + [qx + p(1 - x)] \log[qx + p(1 - x)] + q(1 - x) \log q(1 - x) \}$$

and

$$H(E|A) = -\sum_{i=0}^{1} p(a_i) \sum_{j=0}^{2} p(e_j|a_i) \log p(e_j|a_i) = h(p),$$

where $h(p)$ denotes the function $-p \log p - (1 - p) \log(1 - p)$. Thus,

$$C = \max_x \left\{ -\big( px \log px + [qx + p(1 - x)] \log[qx + p(1 - x)] + q(1 - x) \log q(1 - x) \big) - h(p) \right\}.$$

We cannot analytically find the x that maximizes the mutual information, even doing the standard trick of setting the derivative of the mutual information to zero. However,

we can plot the capacity as a function of p, and of the x value that maximizes the mutual information as a function of p.

[Figure 5-2: Plot of Covert Channel Capacity as a Function of p]

Figure 5-2 shows certain symmetries. The capacity graph is symmetric about p = .5, and the graph of the x that achieves capacity is skew-symmetric about p = .5. Consider the two situations where p = , and where p = 1 ; in both situations 0.5. Let x be the probability for the input symbol 0 that achieves capacity in the first situation, and let x 1 be the probability that achieves capacity for the second situation. For the first situation we have that 1 x is the capacity achieving probability for the output symbol $0^c$, and similarly for the second situation 1 x 1 is the capacity achieving probability for the output symbol $0^c$. Physically the two situations are "the same" if we reverse the roles of the output symbols 0 and 2. Therefore x = 1 x 1. Writing x as x = 1 2 +, we see that x 1 = 1 2 ; this is what the lower dotted plot shows in Figure 5-2 ( =1 = 2 ) =0).

Observation 1: In conditions of very little extra traffic, or very high extra traffic, the covert channel from Alice to Eve has higher capacity.

Observation 2: The capacity $C(p)$, as a function of p, is strictly bounded below by $C(.5)$, and $C(.5)$ is achieved when the mutual information is evaluated at x = .5.

It is obvious that very little extra traffic corresponds to very little noise. At first glance though, it seems counterintuitive that heavy traffic also corresponds to a small

amount of noise. This is because the high traffic is used as a baseline against which to signal. This is analogous to transmission of bits over a channel where the bit error rate (BER) $P_e$ is greater than 1/2. In this case, the capacity of the channel is the same as that of a channel with BER of $1 - P_e$, by first inverting all the bits. It is the in-between situations that negatively affect the signaling ability of Alice. But, even in the noisiest case (i.e., where p = .5) Alice can still transmit with a capacity of a half bit per tick.

Note that we can never guarantee error-free transmission, no matter how we group the output symbols. In fact, it is possible that the outputs will always be the symbol 1 (of course the probability of this quickly approaches zero, as the number of transmissions goes up). So this covert channel has a zero-error capacity [23] of zero. Capacity is a useful measure of a communication channel if the assumption is that the transmitter can transmit a large number of times. With a large number of transmissions, an error-correcting code can be utilized so as to achieve a rate close to capacity. If the transmitter only transmits a small number of transmissions, then using the capacity alone can be misleading.

5.1.3 Case 2: Alice and N Additional Transmitters

We imagine that there are N + 1 transmitters, Alice is one of them, and the other N are all independently identical clueless transmitters. That is, there are transmitters Clueless$_1$, Clueless$_2$, ..., Clueless$_N$. Again, Eve can only see how many messages are leaving the first MIX-firewall headed for the second MIX-firewall. Therefore Eve can determine if there are $0, 1, \ldots, N + 1$ messages leaving the firewall. That is all Eve can determine. Therefore, there are still the two input symbols $a_0 = 0$ and $a_1 = 0^c$, but we have N + 2 output symbols. The probability that Clueless$_i$ does not send a message is still p, and that it does send a message is $q = 1 - p$. Now, calculate the channel matrix. Keep in mind that Alice acts independently of the Clueless$_i$.

Alice sends a 0

For Eve to receive $e_k$ (that is E = k), $0 \le k \le N$, we need k of the clueless transmitters to send a message, and $N - k$ not to send a message. Therefore,

$$p(e_k | A = 0) = \binom{N}{k} p^{N-k} q^{k}, \quad 0 \le k \le N.$$

$$p(e_{N+1} | A = 0) = 0.$$

Alice sends a $0^c$

$p(e_0 | A = 0^c) = 0$, since the event never happens.

For Eve to receive $e_k$ (that is E = k), $1 \le k \le N + 1$, we need $k - 1$ of the clueless transmitters to send a message, and $N - k + 1$ not to send a message.

$$p(e_k | A = 0^c) = \binom{N}{k-1} p^{N-k+1} q^{k-1}, \quad 1 \le k \le N + 1.$$

The channel matrix $M_{3.N}$ is

$$\begin{array}{c|cccccc}
 & 0 & 1 & 2 & \cdots & N & N+1 \\ \hline
0 & p^N & N p^{N-1} q & \binom{N}{2} p^{N-2} q^2 & \cdots & q^N & 0 \\
0^c & 0 & p^N & N p^{N-1} q & \cdots & N p q^{N-1} & q^N
\end{array}$$

[Figure 5-3: Channel for Case 3, the general case of N clueless users. A) Channel transition diagram. B) Channel matrix (shown above).]

We obtain the following results from the analysis. The full details and proofs are in [13].

In conditions of very little extra traffic, or very high extra traffic, the covert channel from Alice to Eve has higher capacity.

The capacity $C(p)$, as a function of p, is strictly bounded below by $C(.5)$, and $C(.5)$ is achieved when the mutual information is evaluated at x = .5 (of course p = .5 also in this situation).

The capacity $C(p)$, as a function of p, is strictly bounded below by a function that decreases monotonically to zero as the number of transmitters increases, but is never zero.

The bias in the code used by Alice to achieve the optimum data rate on the channel is not always x = 0.5, but it is never far from 0.5, and our preliminary experimental results indicate that the difference in capacity is minor.

This last observation agrees with [10], which presents the general result that in DMCs, mutual information bit rates obtained by using x = .5 is no less than 94.21% of the channel capacity. Even if Alice has no knowledge of the probabilistic behavior of the other transmitters, her data rate will not be too far from optimal if she uses an unbiased code.

5.2 Exit-Mix Model

5.2.1 Scenario

There are N + 1 senders in a private enclave. Messages pass one way from the private enclave to a set of M receivers. The private enclave is behind a firewall which also functions as a timed Mix [21] that fires every tick, t, hence we call it a simple timed Mix-firewall. For the sake of simplicity we will refer to a simple timed Mix-firewall as a Mix-firewall in this paper. One of the N + 1 senders, called Alice, is malicious. The other N clueless senders, Clueless$_i$, $i = 1, \ldots, N$, are benign. Each sender may send at most one message per unit time t to the set of receivers. All messages from the private enclave to the set of receivers pass through public lines that are subject to eavesdropping by an eavesdropper called Eve. The only action that Eve can take is to count the number of messages per t going from the Mix-firewall to each receiver, since the messages are otherwise indistinguishable. Eve knows that there are N + 1 possible senders. The N clueless senders act in an independent and identical manner (i.i.d.) according to a fixed distribution $C_i$, $i = 1, \ldots, N$. Alice, by sending or not sending a message each t to at most one receiver, affects Eve's message counts. This is how Alice covertly communicates with Eve via a quasi-anonymous channel [14].

[Figure 5-4: Exit Mix-firewall Model with N Clueless Senders and M Distinguishable Receivers. Diagram of Alice and Clueless_1 to Clueless_N behind the Mix-firewall, receivers R_1 to R_M, and Eve.]

Alice acts independently (through ignorance of the clueless senders) when deciding to send a message; we call this the ignorance assumption. Alice has the same distribution each t. Between Alice and the N clueless senders, there are N + 1 possible senders per t, and there are M + 1 possible actions per sender (each sender may or may not transmit, and if it does transmit, it transmits to exactly one of M receivers).

We consider Alice to be the input to the quasi-anonymous channel, which is a proper communications channel [22]. Alice can send to one of the M receivers or not send a message. Thus, we represent the inputs to the quasi-anonymous channel by the M + 1 input symbols $0, 1, \ldots, M$, where $i = 0$ represents Alice not sending a message, and $i \in \{1, \ldots, M\}$ represents Alice sending a message to the i-th receiver $R_i$. The "receiver" in the quasi-anonymous channel is Eve. Eve receives the output symbols $e_j$, $j = 1, \ldots, K$. Eve receives $e_1$ if no sender sends a message. The other output symbols correspond to all the different ways the N + 1 senders can send or not send, at most one message each, out of the private enclave, provided at least one sender does send a message.

5.2.2 Channel Matrix Probabilities

For the sake of simplicity we introduce a dummy receiver $R_0$ (not shown above). If a sender does not send a message we consider that to be a "message" to $R_0$. For N + 1 senders and M receivers, the output symbol $e_j$ observed by Eve is an (M + 1)-vector $\langle a^j_0, a^j_1, \ldots, a^j_M \rangle$, where $a^j_i$ is how many messages the Mix-firewall sends to $R_i$. Of course it follows that $\sum_{i=0}^{M} a^j_i = N + 1$.

The quasi-anonymous channel that we have been describing is a discrete memoryless channel (DMC). We define the channel matrix M as an $(M + 1) \times K$ matrix, where $M[i,j]$ represents the conditional probability that Eve observes the output symbol $e_j$ given that Alice input $i$. We model the clueless senders according to the i.i.d. $C_i$ for each period of possible action t:

$$P(\text{Clueless}_i \text{ doesn't send a message}) = p$$

$$P(\text{Clueless}_i \text{ sends a message to any receiver}) = \frac{q}{M} = \frac{1 - p}{M}$$

where, in keeping with previous papers, $q = 1 - p$ is the probability that Clueless$_i$ sends a message to any one of the M receivers. When Clueless$_i$ does send a message, the destination is uniformly distributed over the receivers $R_1, \ldots, R_M$. We call this the semi-uniformity assumption. Again, keep in mind that each clueless sender has the same distribution each t, but they all act independently of each other.

5.3 Capacity Analysis for Exit-MIX Scenario

This chapter presents the capacity analysis for different cases of transmitters and receivers. Each case is discussed in detail and the capacity estimated is compared among the cases.

The mathematics involved in capacity estimation for this scenario is very complicated. Hence, we estimate the capacity for simple cases and then try to generalize our observations for N senders and M receivers.

To distinguish the various channel matrices, we will adopt the notation that $M_{N.M}$ is the channel matrix for N clueless senders and M receivers.

5.3.1 One Receiver (M = 1)

Case 1: No Clueless Senders and One Receiver (N = 0, M = 1). Alice is the only sender, and there is only one receiver $R_1$. Alice sends either 0 (by not sending a message) or 1 (by sending a message). Eve receives either $e_1 = \langle 1, 0 \rangle$ (Alice did nothing) or $e_2 = \langle 0, 1 \rangle$ (Alice sent a message to the receiver). Since there is no noise (there are no clueless senders) the channel matrix $M_{0.1}$ is the $2 \times 2$ identity matrix and it trivially follows that $P(E = e_1) = x_0$, and that $P(E = e_2) = x_1$.

$$M_{0.1} = \begin{array}{c|cc}
 & e_1 & e_2 \\ \hline
0 & 1 & 0 \\
1 & 0 & 1
\end{array}$$

Since $x_0 = 1 - x_1$, we see that (footnote 1) $H(E) = -x_0 \log x_0 - (1 - x_0) \log(1 - x_0)$. The channel matrix is an identity matrix, so the conditional probability distribution $P(E|A)$ is made up of zeroes and ones, therefore $H(E|A)$ is identically zero. Hence, the capacity is the maximum over $x_0$ of $H(E)$, which is easily seen to be unity (footnote 2) (and occurs when $x_0 = 1/2$). Of course, we could have obtained this capacity (footnote 3) without appealing to mutual information since we can noiselessly send one bit per tick, but we wish to study the non-trivial cases and use this as a starting point.

Case 2: N Clueless Senders and One Receiver (M = 1). This case reduces to the indistinguishable receivers case with N senders analyzed in [13] with both an exit Mix-firewall that we have been discussing and an entry Mix-firewall (with the receivers behind the latter). Alice can either send or not send a message, so the input alphabet again has two symbols. Eve observes N + 2 possible output symbols. That is, Eve sees $e_1 = \langle N + 1, 0 \rangle$, $e_2 = \langle N, 1 \rangle$, $e_3 = \langle N - 1, 2 \rangle$, ..., $e_{N+2} = \langle 0, N + 1 \rangle$. A detailed discussion of this case can be found in [13].

5.3.2 Some Special Cases for Two Receivers (M = 2)

There are two possible receivers. Alice can signal Eve with an alphabet of three symbols: 1 or 2, if Alice transmits to $R_1$ or $R_2$, respectively, or the symbol 0 for not sending a message. Let us analyze the channel matrices and the entropies for different cases of senders.

Footnote 1: All logarithms are base 2.
Footnote 2: The units of capacity are bits per tick t, but we will take the units as being understood for the rest of the report. Recall that all symbols take one t to pass through the channel.
Footnote 3: This uses Shannon's [22] asymptotic definition of capacity, which is equivalent for noiseless channels (in units of bits per symbol).

The symbol $e_j$ that Eve receives is a 3-tuple of the form $\langle a^j_0, a^j_1, a^j_2 \rangle$, where $a^j_i$ is the number of messages received by the i-th receiver (footnote 4). As before, the index i = 0 relates to Alice not sending any message. The elements of the 3-tuple must sum to the total number of senders, N + 1,

$$\sum_{i=0}^{2} a^j_i = N + 1.$$

Case 3: No Clueless Senders and Two Receivers (N = 0, M = 2). Alice is the only sender and can send messages to two possible receivers. The channel matrix is trivial and there is no anonymity in the channel.

$$M_{0.2} = \begin{array}{c|ccc}
 & \langle 1,0,0 \rangle & \langle 0,1,0 \rangle & \langle 0,0,1 \rangle \\ \hline
0 & 1 & 0 & 0 \\
1 & 0 & 1 & 0 \\
2 & 0 & 0 & 1
\end{array}$$

The subscript 0.2 represents one sender (Alice alone) and two receivers. The $3 \times 3$ channel matrix $M_{0.2}[i,j]$ represents the conditional probability of Eve receiving the symbol $e_j$, when Alice sends to the receiver $R_i$ (A = i). '0' stands for not sending a message.

The mutual information I is given by the entropy $H(E)$ describing Eve

$$I(E,A) = H(E) = -x_1 \log x_1 - x_2 \log x_2 - (1 - x_1 - x_2) \log(1 - x_1 - x_2).$$

The capacity of this noiseless covert channel is $\log 3 \approx 1.58$ (at $x_i = 1/3$, i = 0, 1, 2). For M = 2 this is the largest capacity, which we note corresponds to zero anonymity. Of course, this is not surprising since there are no clueless senders.

Case 4: N = 1 Clueless Sender and M = 2 Receivers.

The following row vector describes the probabilities of the possible output symbols when only one clueless sender is involved.

Footnote 4: Recall that the $a^j_i$'s of the output symbol are not directly related to A, which denotes the distribution of Alice.

[Figure 5-5: Case 4: System with N = 1 Clueless Sender and M = 2 Receivers. Diagram of Alice and Clueless_1 behind the Mix-firewall, receivers R_1 and R_2, and Eve.]

$$\begin{array}{ccc}
\langle 1,0,0 \rangle & \langle 0,1,0 \rangle & \langle 0,0,1 \rangle \\
p & q/2 & q/2
\end{array}$$

The message-set matrix given below shows how the various output symbols can be formed. The rows correspond to Alice's actions, and the columns correspond to the actions of Clueless. Row and column labels are added elementwise to form the matrix entry, which is the output symbol corresponding to the channel state.

$$\begin{array}{c|ccc}
 & \langle 1,0,0 \rangle & \langle 0,1,0 \rangle & \langle 0,0,1 \rangle \\ \hline
\langle 1,0,0 \rangle & \langle 2,0,0 \rangle & \langle 1,1,0 \rangle & \langle 1,0,1 \rangle \\
\langle 0,1,0 \rangle & \langle 1,1,0 \rangle & \langle 0,2,0 \rangle & \langle 0,1,1 \rangle \\
\langle 0,0,1 \rangle & \langle 1,0,1 \rangle & \langle 0,1,1 \rangle & \langle 0,0,2 \rangle
\end{array}$$

The set of distinct symbols formed in the matrix cells constitutes the set of output symbols Eve may receive. In this case, there are three repetitions in the message-set matrix, so Eve may receive 9 - 3 = 6 symbols.

Let us consider the channel matrix.

$$M_{1.2} = \begin{array}{c|cccccc}
 & \langle 2,0,0 \rangle & \langle 1,1,0 \rangle & \langle 1,0,1 \rangle & \langle 0,2,0 \rangle & \langle 0,1,1 \rangle & \langle 0,0,2 \rangle \\ \hline
0 & p & q/2 & q/2 & 0 & 0 & 0 \\
1 & 0 & p & 0 & q/2 & q/2 & 0 \\
2 & 0 & 0 & p & 0 & q/2 & q/2
\end{array}$$

The $3 \times 6$ channel matrix $M_{1.2}[i,j]$ represents the conditional probability of Eve receiving the symbol $e_j$ when Alice sends to $R_i$. As noted, the dummy receiver $R_0$

corresponds to Alice not sending to any receiver (however this is still a transmission to Eve via the quasi-anonymous channel).

[Figure 5-6: Capacity for N = 1 Clueless Sender and M = 2 Receivers]

Given the above channel matrix we have:

$$\begin{aligned}
H(E) = -\{ & p x_0 \log[p x_0] \\
& + [q x_0/2 + p x_1] \log[q x_0/2 + p x_1] \\
& + [q x_0/2 + p x_2] \log[q x_0/2 + p x_2] \\
& + [q x_1/2] \log[q x_1/2] + [q x_1/2 + q x_2/2] \log[q x_1/2 + q x_2/2] \\
& + [q x_2/2] \log[q x_2/2] \}.
\end{aligned}$$

The conditional entropy is given by

$$H(E|A) = -\sum_{i=0}^{2} p(x_i) \left[ \sum_{j=1}^{6} p(e_j|x_i) \log p(e_j|x_i) \right] = h_2(p),$$

where $h_2(p)$ denotes the function

$$\begin{aligned}
h_2(p) &= -\frac{1 - p}{2} \log\frac{1 - p}{2} - \frac{1 - p}{2} \log\frac{1 - p}{2} - p \log p \\
&= -(1 - p) \log\frac{1 - p}{2} - p \log p.
\end{aligned}$$

The mutual information between Alice and Eve is given by


$$I(A,E) = H(E) - H(E \mid A),$$

and the channel capacity is given by

$$\begin{aligned}
C &= \max_A I(A,E) \\
&= \max_{x_1, x_2} -\{\, p x_0 \log[p x_0] \\
&\qquad + [q x_0/2 + p x_1] \log[q x_0/2 + p x_1] \\
&\qquad + [q x_0/2 + p x_2] \log[q x_0/2 + p x_2] \\
&\qquad + [q x_1/2] \log[q x_1/2] + [q x_1/2 + q x_2/2] \log[q x_1/2 + q x_2/2] \\
&\qquad + [q x_2/2] \log[q x_2/2] \,\} - h_2(p).
\end{aligned}$$

Note that the maximization is over $x_1$ and $x_2$, since $x_0$ is determined by these two probabilities (holds for any $N$). This equation is very difficult to solve analytically and requires numerical techniques. Figure 5-6 shows the capacity for this case with the curve $N = 1$. From the plot the minimum capacity is approximately 0.92, when $p = 1/3$. This is less than 1.58, which is the corresponding value for the $N = 0$ case. We will come back to this curve later for comparison purposes with other values of $N$.

Figure 5-7: Case 5: System with $N = 2$ Clueless Senders and $M = 2$ Receivers

Case 5: $N = 2$ Clueless Senders and $M = 2$ Receivers.
The row vector describing the output symbols and their probabilities with only the two clueless senders is given by

$$\begin{array}{cccccc}
\langle 2,0,0\rangle & \langle 1,1,0\rangle & \langle 1,0,1\rangle & \langle 0,2,0\rangle & \langle 0,1,1\rangle & \langle 0,0,2\rangle \\
p^2 & pq & pq & q^2/4 & q^2/2 & q^2/4
\end{array}$$


The symbol $\langle 2,0,0\rangle$ has probability $p^2$ because both clueless do not send a message. The symbol $\langle 1,1,0\rangle$ has probability $2p(q/2)$ because either Clueless$_1$ does not send a message and Clueless$_2$ sends a message to $R_1$ or vice versa. The other values behave similarly. The message set matrix, which has the contributions from the clueless as the column index and the contributions from Alice as the row index, is as follows.

$$\begin{array}{c|cccccc}
 & \langle 2,0,0\rangle & \langle 1,1,0\rangle & \langle 1,0,1\rangle & \langle 0,2,0\rangle & \langle 0,1,1\rangle & \langle 0,0,2\rangle \\ \hline
\langle 1,0,0\rangle & \langle 3,0,0\rangle & \langle 2,1,0\rangle & \langle 2,0,1\rangle & \langle 1,2,0\rangle & \langle 1,1,1\rangle & \langle 1,0,2\rangle \\
\langle 0,1,0\rangle & \langle 2,1,0\rangle & \langle 1,2,0\rangle & \langle 1,1,1\rangle & \langle 0,3,0\rangle & \langle 0,2,1\rangle & \langle 0,1,2\rangle \\
\langle 0,0,1\rangle & \langle 2,0,1\rangle & \langle 1,1,1\rangle & \langle 1,0,2\rangle & \langle 0,2,1\rangle & \langle 0,1,2\rangle & \langle 0,0,3\rangle
\end{array}$$

By inspection of the matrix, we notice that the output symbols with more repetitions will have higher probability of being seen by Eve, when compared to others. That is, output symbol $\langle 1,1,1\rangle$ will have a greater probability of being observed than $\langle 3,0,0\rangle$ or $\langle 0,3,0\rangle$. The probability of observing a symbol also depends on the probability distribution of the transmitter over the receivers (i.e., the value of $q$). There are eight repetitions in the message-set matrix, so the total number of possible symbols Eve may receive is 18 - 8 = 10. The channel matrix $M_{2.2}$ is given below.

$$M_{2.2} = \begin{array}{c|cccccccccc}
 & \langle 3,0,0\rangle & \langle 2,1,0\rangle & \langle 2,0,1\rangle & \langle 1,2,0\rangle & \langle 1,1,1\rangle & \langle 1,0,2\rangle & \langle 0,1,2\rangle & \langle 0,3,0\rangle & \langle 0,2,1\rangle & \langle 0,0,3\rangle \\ \hline
0 & p^2 & pq & pq & q^2/4 & q^2/2 & q^2/4 & 0 & 0 & 0 & 0 \\
1 & 0 & p^2 & 0 & pq & pq & 0 & q^2/4 & q^2/4 & q^2/2 & 0 \\
2 & 0 & 0 & p^2 & 0 & pq & pq & q^2/2 & 0 & q^2/4 & q^2/4
\end{array}$$

The $3 \times 10$ channel matrix $M_{2.2}[i,j]$ represents the conditional probability of Eve receiving $e_j$ when Alice sends a message to receiver $R_i$.

Figure 5-8 shows the capacity for this case $N = 2$. Again, the minimum capacity is found at $p = 1/3 = 1/(M+1)$. From the plot the minimum capacity is approximately 0.62, when $p = 1/3$.

5.3.3 Some Special Cases for Three Receivers ($M = 3$)

Case 6: $N = 1$ Clueless Senders and $M = 3$ Receivers. Alice or Clueless can send to three possible receivers or refrain from sending (denoted by '0'). The probabilities of


the various output symbols from the one clueless sender are given below.

$$\begin{array}{cccc}
\langle 1,0,0,0\rangle & \langle 0,1,0,0\rangle & \langle 0,0,1,0\rangle & \langle 0,0,0,1\rangle \\
p & q/3 & q/3 & q/3
\end{array}$$

Figure 5-8: Capacity for $N = 2$ clueless senders and $M = 2$ receivers

Figure 5-9: Case 6: System with $N = 1$ Clueless Senders and $M = 3$ Receivers

Now let us examine the number of possible message set symbols obtained if we merge the individual message sets of Alice and Clueless.


$$\begin{array}{c|cccc}
 & \langle 1,0,0,0\rangle & \langle 0,1,0,0\rangle & \langle 0,0,1,0\rangle & \langle 0,0,0,1\rangle \\ \hline
\langle 1,0,0,0\rangle & \langle 2,0,0,0\rangle & \langle 1,1,0,0\rangle & \langle 1,0,1,0\rangle & \langle 1,0,0,1\rangle \\
\langle 0,1,0,0\rangle & \langle 1,1,0,0\rangle & \langle 0,2,0,0\rangle & \langle 0,1,1,0\rangle & \langle 0,1,0,1\rangle \\
\langle 0,0,1,0\rangle & \langle 1,0,1,0\rangle & \langle 0,1,1,0\rangle & \langle 0,0,2,0\rangle & \langle 0,0,1,1\rangle \\
\langle 0,0,0,1\rangle & \langle 1,0,0,1\rangle & \langle 0,1,0,1\rangle & \langle 0,0,1,1\rangle & \langle 0,0,0,2\rangle
\end{array}$$

As we can see from the above message-matrix, there are six repetitions in the message sets formed, so Eve may receive 10 different symbols.

The channel matrix $M_{1.3}$ is given below.

$$\begin{array}{c|cccccccccc}
 & \langle 2,0,0,0\rangle & \langle 1,1,0,0\rangle & \langle 1,0,1,0\rangle & \langle 1,0,0,1\rangle & \langle 0,2,0,0\rangle & \langle 0,1,1,0\rangle & \langle 0,1,0,1\rangle & \langle 0,0,2,0\rangle & \langle 0,0,1,1\rangle & \langle 0,0,0,2\rangle \\ \hline
0 & p & q/3 & q/3 & q/3 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & 0 & p & 0 & 0 & q/3 & q/3 & q/3 & 0 & 0 & 0 \\
2 & 0 & 0 & p & 0 & 0 & q/3 & 0 & q/3 & q/3 & 0 \\
3 & 0 & 0 & 0 & p & 0 & 0 & q/3 & 0 & q/3 & q/3
\end{array}$$

The $4 \times 10$ channel matrix $M_{1.3}[i,j]$ represents the conditional probability of Eve receiving $e_j$ when Alice sends a message to receiver $R_i$.

Figure 5-10: Capacity for $N = 1$ clueless sender and $M = 3$ receivers


Figure 5-10 shows the capacity for this case of $N = 1$. The minimum capacity is found at $p = 1/4 = 1/(M+1)$. From the plot the minimum capacity is approximately 1.25, when $p = 1/4$.

Case 7: $N = 2$ Clueless Senders and $M = 3$ Receivers.
The row vector describing how the clueless users influence the output symbols is given below.

$$\begin{array}{cccccccccc}
\langle 2,0,0,0\rangle & \langle 1,1,0,0\rangle & \langle 1,0,1,0\rangle & \langle 1,0,0,1\rangle & \langle 0,2,0,0\rangle & \langle 0,1,1,0\rangle & \langle 0,1,0,1\rangle & \langle 0,0,2,0\rangle & \langle 0,0,1,1\rangle & \langle 0,0,0,2\rangle \\
p^2 & 2pq/3 & 2pq/3 & 2pq/3 & q^2/9 & 2q^2/9 & 2q^2/9 & q^2/9 & 2q^2/9 & q^2/9
\end{array}$$

Now let us examine the size of the set of output symbols obtained if we merge the individual message sets of Alice and the two clueless senders:

$$\begin{array}{c|cccccccccc}
 & \langle 2,0,0,0\rangle & \langle 1,1,0,0\rangle & \langle 1,0,1,0\rangle & \langle 1,0,0,1\rangle & \langle 0,2,0,0\rangle & \langle 0,1,1,0\rangle & \langle 0,1,0,1\rangle & \langle 0,0,2,0\rangle & \langle 0,0,1,1\rangle & \langle 0,0,0,2\rangle \\ \hline
\langle 1,0,0,0\rangle & \langle 3,0,0,0\rangle & \langle 2,1,0,0\rangle & \langle 2,0,1,0\rangle & \langle 2,0,0,1\rangle & \langle 1,2,0,0\rangle & \langle 1,1,1,0\rangle & \langle 1,1,0,1\rangle & \langle 1,0,2,0\rangle & \langle 1,0,1,1\rangle & \langle 1,0,0,2\rangle \\
\langle 0,1,0,0\rangle & \langle 2,1,0,0\rangle & \langle 1,2,0,0\rangle & \langle 1,1,1,0\rangle & \langle 1,1,0,1\rangle & \langle 0,3,0,0\rangle & \langle 0,2,1,0\rangle & \langle 0,2,0,1\rangle & \langle 0,1,2,0\rangle & \langle 0,1,1,1\rangle & \langle 0,1,0,2\rangle \\
\langle 0,0,1,0\rangle & \langle 2,0,1,0\rangle & \langle 1,1,1,0\rangle & \langle 1,0,2,0\rangle & \langle 1,0,1,1\rangle & \langle 0,2,1,0\rangle & \langle 0,1,2,0\rangle & \langle 0,1,1,1\rangle & \langle 0,0,3,0\rangle & \langle 0,0,2,1\rangle & \langle 0,0,1,2\rangle \\
\langle 0,0,0,1\rangle & \langle 2,0,0,1\rangle & \langle 1,1,0,1\rangle & \langle 1,0,1,1\rangle & \langle 1,0,0,2\rangle & \langle 0,2,0,1\rangle & \langle 0,1,1,1\rangle & \langle 0,1,0,2\rangle & \langle 0,0,2,1\rangle & \langle 0,0,1,2\rangle & \langle 0,0,0,3\rangle
\end{array}$$

As we can see, there are 20 repetitions in the symbols formed. Hence, the total number of symbols seen by Eve becomes 40 - 20 = 20. If we look through the columns $\langle 1,1,0,0\rangle$, $\langle 0,1,1,0\rangle$ and $\langle 1,0,1,0\rangle$, we can find the element $\langle 1,1,1,0\rangle$ common to all three columns. There are two more similar cases for a common element in three columns. From this, we conclude that the message sets with even distribution of messages seem to have a single element common to many of them, whereas those with skewed distribution seem to be unique. This is expected, as there are multiple ways to distribute over several receivers, while there is only one way for all senders to send to the same receiver.

The channel matrix (split into two) is given below.

$$\begin{array}{c|cccccccccc}
 & \langle 3,0,0,0\rangle & \langle 2,1,0,0\rangle & \langle 2,0,1,0\rangle & \langle 2,0,0,1\rangle & \langle 1,2,0,0\rangle & \langle 1,0,2,0\rangle & \langle 1,0,0,2\rangle & \langle 1,1,1,0\rangle & \langle 1,1,0,1\rangle & \langle 1,0,1,1\rangle \\ \hline
0 & p^2 & 2pq/3 & 2pq/3 & 2pq/3 & q^2/9 & q^2/9 & q^2/9 & 2q^2/9 & 2q^2/9 & 2q^2/9 \\
1 & 0 & p^2 & 0 & 0 & 2pq/3 & 0 & 0 & 2pq/3 & 2pq/3 & 0 \\
2 & 0 & 0 & p^2 & 0 & 0 & 2pq/3 & 0 & 2pq/3 & 0 & 2pq/3 \\
3 & 0 & 0 & 0 & p^2 & 0 & 0 & 2pq/3 & 0 & 2pq/3 & 2pq/3
\end{array}$$


$$\begin{array}{c|cccccccccc}
 & \langle 0,3,0,0\rangle & \langle 0,2,1,0\rangle & \langle 0,2,0,1\rangle & \langle 0,1,2,0\rangle & \langle 0,1,0,2\rangle & \langle 0,1,1,1\rangle & \langle 0,0,3,0\rangle & \langle 0,0,2,1\rangle & \langle 0,0,1,2\rangle & \langle 0,0,0,3\rangle \\ \hline
0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
1 & q^2/9 & 2q^2/9 & 2q^2/9 & q^2/9 & q^2/9 & 2q^2/9 & 0 & 0 & 0 & 0 \\
2 & 0 & q^2/9 & 0 & 2q^2/9 & 0 & 2q^2/9 & q^2/9 & 2q^2/9 & q^2/9 & 0 \\
3 & 0 & 0 & q^2/9 & 0 & 2q^2/9 & 2q^2/9 & 0 & q^2/9 & 2q^2/9 & q^2/9
\end{array}$$

The $4 \times 20$ channel matrix $M_{2.3}[i,j]$ represents the conditional probability of Eve receiving $e_j$ when Alice sends a message to receiver $R_i$.

Figure 5-11: Capacity for $N = 2$ clueless senders and $M = 3$ receivers

The generalized formula for the matrix elements is given by

$$m(0,j) = \begin{cases}
\dfrac{2}{(a^j_0 - 1)!\, a^j_1!\, a^j_2!\, a^j_3!}\; p^{(a^j_0 - 1)} (q/3)^{3 - a^j_0} & \text{for } a^j_0 = 1, 2, 3 \\
0 & \text{for } a^j_0 = 0
\end{cases}$$

$$m(1,j) = \begin{cases}
\dfrac{2}{a^j_0!\, (a^j_1 - 1)!\, a^j_2!\, a^j_3!}\; p^{a^j_0} (q/3)^{2 - a^j_0} & \text{for } a^j_1 = 1, 2, 3 \\
0 & \text{for } a^j_1 = 0
\end{cases}$$

$$m(2,j) = \begin{cases}
\dfrac{2}{a^j_0!\, a^j_1!\, (a^j_2 - 1)!\, a^j_3!}\; p^{a^j_0} (q/3)^{2 - a^j_0} & \text{for } a^j_2 = 1, 2, 3 \\
0 & \text{for } a^j_2 = 0
\end{cases}$$


$$m(3,j) = \begin{cases}
\dfrac{2}{a^j_0!\, a^j_1!\, a^j_2!\, (a^j_3 - 1)!}\; p^{a^j_0} (q/3)^{2 - a^j_0} & \text{for } a^j_3 = 1, 2, 3 \\
0 & \text{for } a^j_3 = 0
\end{cases}$$

Figure 5-12: Case 7: System with $N = 2$ Clueless Senders and $M = 3$ Receivers

Figure 5-11 shows the capacity for this case in the curve when $N = 2$. The minimum capacity is found at $p = 1/4 = 1/(M+1)$. From the plot the minimum capacity is approximately 0.89, when $p = 1/4$, which is less than the lowest capacity for the $N = 1$ case.

5.3.4 Some Generalized Cases of $N$ and $M$

Case 8: $N = 1$ Clueless and $M$ Receivers. We generalize the scenario to one clueless transmitter and $M$ receivers. The probability describing the actions of only the one clueless sender is given below.

$$\begin{array}{cccccc}
\langle 1,0,0,0,\ldots,0\rangle & \langle 0,1,0,0,\ldots,0\rangle & \langle 0,0,1,0,\ldots,0\rangle & \langle 0,0,0,1,\ldots,0\rangle & \cdots & \langle 0,0,0,0,\ldots,1\rangle \\
p & q/M & q/M & q/M & \cdots & q/M
\end{array}$$

Figure 5-13: Case 8: System with $N = 1$ Clueless Sender and $M$ Receivers


The message set matrix is given below.

$$\begin{array}{c|cccccc}
 & \langle 1,0,0,0,\ldots,0\rangle & \langle 0,1,0,0,\ldots,0\rangle & \langle 0,0,1,0,\ldots,0\rangle & \langle 0,0,0,1,\ldots,0\rangle & \cdots & \langle 0,0,0,0,\ldots,1\rangle \\ \hline
\langle 1,0,0,0,\ldots,0\rangle & \langle 2,0,0,0,\ldots,0\rangle & \langle 1,1,0,0,\ldots,0\rangle & \langle 1,0,1,0,\ldots,0\rangle & \langle 1,0,0,1,\ldots,0\rangle & \cdots & \langle 1,0,0,0,\ldots,1\rangle \\
\langle 0,1,0,0,\ldots,0\rangle & \langle 1,1,0,0,\ldots,0\rangle & \langle 0,2,0,0,\ldots,0\rangle & \langle 0,1,1,0,\ldots,0\rangle & \langle 0,1,0,1,\ldots,0\rangle & \cdots & \langle 0,1,0,0,\ldots,1\rangle \\
\langle 0,0,1,0,\ldots,0\rangle & \langle 1,0,1,0,\ldots,0\rangle & \langle 0,1,1,0,\ldots,0\rangle & \langle 0,0,2,0,\ldots,0\rangle & \langle 0,0,1,1,\ldots,0\rangle & \cdots & \langle 0,0,1,0,\ldots,1\rangle \\
\langle 0,0,0,1,\ldots,0\rangle & \langle 1,0,0,1,\ldots,0\rangle & \langle 0,1,0,1,\ldots,0\rangle & \langle 0,0,1,1,\ldots,0\rangle & \langle 0,0,0,2,\ldots,0\rangle & \cdots & \langle 0,0,0,1,\ldots,1\rangle \\
\vdots & \vdots & \vdots & \vdots & \vdots & & \vdots \\
\langle 0,0,0,0,\ldots,1\rangle & \langle 1,0,0,0,\ldots,1\rangle & \langle 0,1,0,0,\ldots,1\rangle & \langle 0,0,1,0,\ldots,1\rangle & \langle 0,0,0,1,\ldots,1\rangle & \cdots & \langle 0,0,0,0,\ldots,2\rangle
\end{array}$$

The number of output symbols that may be seen by Eve is identical to the total possible distinct pairs in the message-set matrix shown above. There are two indistinguishable transmissions (including null transmissions) and they are sent into $M + 1$ distinct receivers (urns) (this also includes the null transmission, which by convention goes to $R_0$, not shown in the figure). Combinatorics tells us then that there are $\binom{M+2}{2}$ distinct combinations (symbols) that Eve may receive.

The channel matrix is given below.

$$\begin{array}{c|ccccccc}
 & \langle 2,0,0,0,\ldots,0\rangle & \langle 1,1,0,0,\ldots,0\rangle & \langle 1,0,1,0,\ldots,0\rangle & \cdots & \langle 1,0,0,0,\ldots,1\rangle & \langle 0,2,0,0,\ldots,0\rangle & \cdots \; \langle 0,0,0,0,\ldots,2\rangle \\ \hline
0 & p & q/M & q/M & \cdots & q/M & 0 & \cdots \; 0 \\
1 & 0 & p & 0 & \cdots & 0 & q/M & \cdots \; 0 \\
2 & 0 & 0 & p & \cdots & 0 & 0 & \cdots \; 0 \\
3 & 0 & 0 & 0 & \cdots & 0 & 0 & \cdots \; 0 \\
\vdots & \vdots & \vdots & \vdots & & \vdots & \vdots & \vdots \\
M & 0 & 0 & 0 & \cdots & p & 0 & \cdots \; q/M
\end{array}$$

The $(M+1) \times \binom{M+2}{2}$ channel matrix $M_{1.M}[i,j]$ represents the conditional probability of Eve receiving $e_j$ when Alice sends a message to receiver $R_i$.

The probability distribution among the elements of the channel matrix can be calculated by the formula below.

$$m_{i,j} = \begin{cases}
p^{a^j_0} (q/M)^{N - a^j_0} & : a^j_i \neq 0 \quad \forall\, i = 1, 2, 3, \ldots, M \text{ and } j = 1, 2, 3, \ldots, \binom{M+2}{2} \\
0 & : a^j_i = 0
\end{cases}$$

$$m_{0,j} = \begin{cases}
p^{(a^j_0 - 1)} (q/M)^{N - a^j_0 + 1} & : a^j_0 \neq 0 \quad \forall\, j = 0, 1, 2, \ldots, \binom{M+2}{2} \\
0 & : a^j_0 = 0
\end{cases}$$

The conclusions and more generalizations related to this case are discussed in the results section.


Case 9: $N$ Clueless Senders and $M = 2$ Receivers. In this case, we generalize the problem to $N$ clueless transmitters for the two receivers case. The total number of message set symbols seen by Eve, if only the clueless are transmitting, can be calculated as the number of combinations in which $N$ transmitters can send (or not send) a message times the number of combinations in which the messages sent can be distributed into two receivers.

If $k$ out of $N$ transmitters send a message, then the $k$ messages sent can be divided into two receivers in $k + 1$ possible combinations $((k,0), (k-1,1), \ldots, (0,k))$.

$$\text{message set size} = 1 + 2 + 3 + 4 + \cdots + (N+2) = \sum_{i=0}^{N+2} i = (N+2)(N+3)/2$$

The probability of each channel state with clueless only is as follows.

$$\begin{array}{cccccccc}
\langle N,0,0\rangle & \langle N-1,1,0\rangle & \langle N-1,0,1\rangle & \langle N-2,2,0\rangle & \langle N-2,1,1\rangle & \langle N-2,0,2\rangle & \cdots & \langle 0,0,N\rangle \\
p^N & N p^{N-1} q/2 & N p^{N-1} q/2 & N(N-1) p^{N-2} q^2/8 & N(N-1) p^{N-2} q^2/4 & N(N-1) p^{N-2} q^2/8 & \cdots & (q/2)^N
\end{array}$$

Now let us merge the individual message sets of Alice and the $N$ clueless transmitters to determine the number of symbols received by Eve.

$$\begin{array}{c|cccccccc}
 & \langle N,0,0\rangle & \langle N-1,1,0\rangle & \langle N-1,0,1\rangle & \langle N-2,2,0\rangle & \langle N-2,1,1\rangle & \langle N-2,0,2\rangle & \cdots & \langle 0,0,N\rangle \\ \hline
\langle 1,0,0\rangle & \langle N+1,0,0\rangle & \langle N,1,0\rangle & \langle N,0,1\rangle & \langle N-1,2,0\rangle & \langle N-1,1,1\rangle & \langle N-1,0,2\rangle & \cdots & \langle 1,0,N\rangle \\
\langle 0,1,0\rangle & \langle N,1,0\rangle & \langle N-1,2,0\rangle & \langle N-1,1,1\rangle & \langle N-2,3,0\rangle & \langle N-2,2,1\rangle & \langle N-2,1,2\rangle & \cdots & \langle 0,1,N\rangle \\
\langle 0,0,1\rangle & \langle N,0,1\rangle & \langle N-1,1,1\rangle & \langle N-1,0,2\rangle & \langle N-2,2,1\rangle & \langle N-2,1,2\rangle & \langle N-2,0,3\rangle & \cdots & \langle 0,0,N+1\rangle
\end{array}$$

As observed before, the message set $\langle N/3+1, N/3, N/3\rangle$ is the most uniform message distribution. Hence, it has the maximum number of repetitions in the message set matrix and will have a greater probability of being observed than $\langle N+1,0,0\rangle$ or $\langle 0,1,N\rangle$.

The channel matrix $M_{N.2}$ is given below.

$$\begin{array}{c|cccccccc}
 & \langle N+1,0,0\rangle & \langle N,1,0\rangle & \langle N,0,1\rangle & \langle N-1,2,0\rangle & \langle N-1,1,1\rangle & \langle N-1,0,2\rangle & \cdots & \langle 0,0,N+1\rangle \\ \hline
0 & p^N & N p^{N-1} q/2 & N p^{N-1} q/2 & N(N-1) p^{N-2} q^2/8 & N(N-1) p^{N-2} q^2/4 & N(N-1) p^{N-2} q^2/8 & \cdots & 0 \\
1 & 0 & p^N & 0 & N p^{N-1} q/2 & N p^{N-1} q/2 & 0 & \cdots & 0 \\
2 & 0 & 0 & p^N & 0 & N p^{N-1} q/2 & N p^{N-1} q/2 & \cdots & (q/2)^N
\end{array}$$


The $3 \times ((N+2)(N+3)/2)$ channel matrix $M_{N.2}[i,j]$ represents the conditional probability of Eve receiving $e_j$ when Alice sends a message to receiver $R_i$.

Figure 5-14: Case 9: System with $N$ Clueless Senders and $M = 2$ Receivers

The probability distribution in the channel matrix can be imagined as nesting of two binomial distributions: first, between messages sent and received; second, the distribution of messages sent to the two receivers. So, given the vector $\langle a^j_0, a^j_1, a^j_2\rangle$, the element of the channel matrix can be generalized by the formula below.

$$\begin{aligned}
m_{0,j} &= \binom{N}{a^j_0 - 1} p^{(a^j_0 - 1)} \left(\text{prob. distribution of } (N - (a^j_0 - 1)) \text{ messages to } R_1 \text{ and } R_2\right) \\
&= \binom{N}{a^j_0 - 1} p^{(a^j_0 - 1)} \binom{N - (a^j_0 - 1)}{a^j_1} (q/2)^{a^j_1} \cdot (q/2)^{a^j_2} \\
&= \binom{N}{a^j_0 - 1} p^{(a^j_0 - 1)} \binom{N - (a^j_0 - 1)}{a^j_1} (q/2)^{N - (a^j_0 - 1)}
\end{aligned}$$

$$m_{1,j} = \binom{N}{a^j_0} p^{a^j_0} \binom{N - a^j_0}{a^j_1 - 1} (q/2)^{N - a^j_0}$$

$$m_{2,j} = \binom{N}{a^j_0} p^{a^j_0} \binom{N - a^j_0}{a^j_1} (q/2)^{N - a^j_0}$$

Note that $a^j_2$ does not explicitly appear but is implicitly in the above since $(a^j_0 + a^j_1 + a^j_2) - 1 = N$; this relationship will be seen to be important in the following general case (where we use a generalized combinatorial formula). The conclusions and more generalizations related to this case are discussed in the results section.


Case 10: $N$ Clueless Senders and $M$ Receivers. We now generalize the problem to $N$ clueless senders and $M$ receivers (refer again to Figure 5-4). There are $N + 1$ indistinguishable transmissions (including null transmissions) and they are sent into $M + 1$ distinct receivers (urns) (this also includes the null transmission, which by convention goes to $R_0$, not shown in the figure). Combinatorics tells us then that there are $K = \binom{N+M+1}{N+1}$ possible symbols $e_j$.

The rows of our channel matrix correspond to the actions of Alice. The $i$-th row of $M_{N.M}$ describes the conditional probabilities $p(e_j \mid x_i)$ (for simplicity we will not always explicitly note that $j = 1, \ldots, \binom{N+M+1}{N+1}$). By convention $e_1$ always corresponds to every sender not sending a message (which is equivalent to all senders sending to $R_0$). Therefore $e_1$ is the $M + 1$ tuple $\langle N+1, 0, \ldots, 0\rangle$. Given our simplifying semi-uniformity assumption for the clueless senders' distribution, this term must be handled differently.

The first row of the channel matrix is made up of the terms $M_{N.M}[0,j]$. Here, Alice is not sending any message (i.e., she is "sending" to $R_0$), so Alice contributes one to the term $a^j_0$ in the $M + 1$ tuple $\langle a^j_0, a^j_1, a^j_2, \ldots, a^j_M\rangle$ associated with $e_j$. In fact, this tuple is the "long hand" representation of $e_j$. Therefore the contributions to the $M + 1$ tuple $\langle a^j_0 - 1, a^j_1, a^j_2, \ldots, a^j_M\rangle$ describe what the $N$ clueless senders are doing. That is, $a^j_0 - 1$ clueless senders are not sending a message, $a^j_1$ clueless senders are sending to $R_1$, etc. Hence, the multinomial coefficient $\binom{N}{a^j_0 - 1,\, a^j_1,\, \ldots,\, a^j_M}$ tells us how many ways this may occur.⁵ For each such occurrence we see that the transmissions to $R_0$ affect the probability by $p^{a^j_0 - 1}$, and the transmissions to $R_i$, $i > 0$, due to the semi-uniformity assumption, contribute $(q/M)^{a^j_i}$. Since the actions are independent, the probabilities multiply, and since $a^j_0 - 1 + a^j_1 + \cdots + a^j_M = N$, we have a probability term of $p^{a^j_0 - 1} (q/M)^{N + 1 - a^j_0}$. Multiplying that term by the total number of ways of arriving at that arrangement we have that:

$$M_{N.M}[0,j] = \binom{N}{a^j_0 - 1,\, a^j_1,\, \ldots,\, a^j_M} p^{a^j_0 - 1} (q/M)^{N + 1 - a^j_0}$$

⁵ The multinomial coefficient is taken to be zero if any of the "bottom" entries are negative.


The other rows of the channel matrix are $M_{N.M}[i,j]$, $i > 0$. For row $i > 0$, we have a combinatorial term $\binom{N}{a^j_0,\, a^j_1,\, \ldots,\, a^j_{i-1},\, a^j_i - 1,\, a^j_{i+1},\, \ldots,\, a^j_M}$ for the $N$ clueless senders, $a^j_0$ of which are sending to $R_0$ and $N - a^j_0$ of which are sending to the $R_i$, $i > 0$. Therefore, we see that under the uniformity assumption,

$$M_{N.M}[i,j] = \binom{N}{a^j_0,\, a^j_1,\, \ldots,\, a^j_{i-1},\, a^j_i - 1,\, a^j_{i+1},\, \ldots,\, a^j_M} p^{a^j_0} (q/M)^{N - a^j_0}, \quad i > 0.$$

We show the plots of the mutual information when the clueless senders act (as assumed throughout the report) in a semi-uniform manner and when Alice also sends in a semi-uniform manner (i.e., $x_i = (1 - x_0)/M$, $i = 1, 2, \ldots, M$). We conjecture based upon our intuition, but do not prove, that Alice having a semi-uniform distribution of destinations $R_1, \ldots, R_M$ when the clueless senders act in a semi-uniform manner maximizes mutual information (achieves capacity). This has been supported by all of our numeric computations for capacity. With this conjecture, we can reduce the degrees of freedom for Alice from $M$ to 1 (her distribution $A$ is described entirely by $x_0$), which allows greater experimental and analytical exploration.

The channel matrix greatly simplifies when both the clueless senders and Alice act in a totally uniform manner. That is, when $x_0 = 1/(M+1)$, then $x_i = (1 - x_0)/M = 1/(M+1)$ for all $x_i$, and $p = 1/(M+1)$. We have

$$M_{N.M}[0,j] = \binom{N}{a^j_0 - 1,\, a^j_1,\, \ldots,\, a^j_M} p^{a^j_0 - 1} (q/M)^{N + 1 - a^j_0},$$

which simplifies to

$$M_{N.M}[0,j] = \binom{N}{a^j_0 - 1,\, a^j_1,\, \ldots,\, a^j_M} \left(\frac{1}{M+1}\right)^N.$$

(Note this form for $i = 0$ is due to the total uniformity of the $C_i$s.) We also have

$$M_{N.M}[i,j] = \binom{N}{a^j_0,\, a^j_1,\, \ldots,\, a^j_{i-1},\, a^j_i - 1,\, a^j_{i+1},\, \ldots,\, a^j_M} p^{a^j_0} (q/M)^{N - a^j_0}, \quad i > 0,$$

which simplifies to

$$M_{N.M}[i,j] = \binom{N}{a^j_0,\, a^j_1,\, \ldots,\, a^j_{i-1},\, a^j_i - 1,\, a^j_{i+1},\, \ldots,\, a^j_M} \left(\frac{1}{M+1}\right)^N, \quad i > 0.$$

Table 1. Lower capacity bounds for $N = 0, \ldots, 9$, and $M = 1, \ldots, 10$


N \ M       1       2       3       4       5       6       7       8       9      10
0      0.3113  1.5849  2.0000  2.3219  2.5850  2.8074  3.0000  3.1699  3.2192  3.4594
1      0.2193  0.9172  1.2500  1.5219  1.7515  1.9502  2.1250  2.2811  2.4219  2.5503
2      0.1675  0.6204  0.8891  1.1204  1.3218  1.4996  1.6586  1.8021  1.9328  2.0529
3      0.1351  0.4555  0.6760  0.8423  1.0515  1.2112  1.3560  1.4882  1.6097  1.7221
4      0.1133  0.3537  0.5371  0.7080  0.8649  1.0090  1.1410  1.2630  1.3761  1.4813
5      0.0976  0.2864  0.4408  0.5893  0.7288  0.8588  0.9798  1.0925  1.1978  1.2965
6      0.0857  0.2392  0.3710  0.5010  0.6255  0.7434  0.8544  0.9587  1.0570  1.1496
7      0.0765  0.2048  0.3187  0.4334  0.5450  0.6522  0.7542  0.8510  0.9428  1.0298
8      0.0691  0.1789  0.2785  0.3803  0.4809  0.5786  0.6726  0.7626  0.8484  0.9303
9      0.0630  0.1587  0.2467  0.3377  0.4288  0.5183  0.6051  0.6888  0.7692  0.8463

To determine the distribution $E$ describing Eve we need to sum over the columns of the channel matrix and use the total uniformity of $A$:

$$P(E = e_j) = \sum_i P(E = e_j \mid A = i)\, P(A = i), \quad i = 0, \ldots, M.$$

This gives us

$$P(E = e_j) = \left(\frac{1}{M+1}\right)^N \sum_{i=0}^{M} \binom{N}{a^j_0,\, \ldots,\, a^j_{i-1},\, a^j_i - 1,\, a^j_{i+1},\, \ldots,\, a^j_M} = \left(\frac{1}{M+1}\right)^N \binom{N+1}{a^j_0,\, \ldots,\, a^j_M}.$$

From this we can compute the entropy $H(E)$ without too much trouble:

$$H(E) = \left(\frac{1}{M+1}\right)^N \sum_j \binom{N+1}{a^j_0,\, \ldots,\, a^j_M} \left[ N \log(M+1) - \log \binom{N+1}{a^j_0,\, \ldots,\, a^j_M} \right].$$

However, the conditional entropy is more complicated, but is expressible. Therefore, we wrote Matlab code to calculate the mutual information, which is conjectured to achieve capacity, when both the clueless senders act in a semi-uniform manner and Alice acts in a totally uniform manner. Local exploration of nearby points all yield lower mutual information values.

Table 1 tabulates the results of numerical calculations of capacities for different combinations of values of $N$ and $M$ using Matlab. We conjecture that when Alice acts in a totally uniform manner (that is, every Alice probability is $1/(M+1)$) capacity is achieved when the $p$ values are the same, and this capacity is the lower bound for all capacities. The table gives capacity with $p$ fixed at $1/(M+1)$, which we determined numerically to be less than the capacity for other values of $p$.
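The thesis ran this calculation in Matlab and does not reproduce that code; the Python below is an added example, not the thesis's own, that builds the Case 10 channel matrix from the multinomial formula and evaluates $I(A;E)$ in bits. All function names are assumptions of this example; it reproduces the $M = 3$ entries of Table 1 for $N = 1$ (1.2500) and $N = 2$ (0.8891).

```python
from itertools import combinations
from math import factorial, log2


def symbols(n, m):
    """Eve's output symbols: all <a_0,...,a_M> with a_k >= 0 summing to N+1."""
    total, parts = n + 1, m + 1
    slots = total + parts - 1
    out = []
    for bars in combinations(range(slots), parts - 1):   # stars and bars
        edges = (-1,) + bars + (slots,)
        out.append(tuple(edges[k + 1] - edges[k] - 1 for k in range(parts)))
    return out


def multinomial(n, counts):
    """n! / (c_0! ... c_M!), taken to be zero if any entry is negative (footnote 5)."""
    if min(counts) < 0:
        return 0
    ways = factorial(n)
    for c in counts:
        ways //= factorial(c)
    return ways


def channel_matrix(p, n, m):
    """Row i holds P(e_j | Alice sends to R_i); R_0 means Alice stays silent."""
    q_each = (1.0 - p) / m          # semi-uniform clueless senders: q/M per receiver
    syms = symbols(n, m)
    rows = []
    for i in range(m + 1):
        row = []
        for a in syms:
            clueless = list(a)
            clueless[i] -= 1        # what remains once Alice's own message is removed
            ways = multinomial(n, clueless)
            if ways == 0:
                row.append(0.0)
            else:
                silent = clueless[0]
                row.append(ways * p ** silent * q_each ** (n - silent))
        rows.append(row)
    return syms, rows


def mutual_information(x, rows):
    """I(A;E) = H(E) - H(E|A) in bits, for Alice's distribution x over R_0..R_M."""
    p_e = [sum(xi * row[j] for xi, row in zip(x, rows)) for j in range(len(rows[0]))]
    h_e = -sum(v * log2(v) for v in p_e if v > 0)
    h_e_a = -sum(xi * v * log2(v) for xi, row in zip(x, rows) for v in row if v > 0)
    return h_e - h_e_a


def lower_bound(n, m):
    """Mutual information at p = 1/(M+1) with Alice totally uniform (Table 1's setting)."""
    _, rows = channel_matrix(1.0 / (m + 1), n, m)
    return mutual_information([1.0 / (m + 1)] * (m + 1), rows)


def capacity_semi_uniform(p, n, m, steps=60):
    """Maximise I(A;E) over x_0 with x_i = (1 - x_0)/M, as the thesis's conjecture allows.

    I(A;E) is concave in Alice's distribution, so a ternary search on x_0 suffices.
    """
    _, rows = channel_matrix(p, n, m)

    def info(x0):
        return mutual_information([x0] + [(1.0 - x0) / m] * m, rows)

    lo, hi = 0.0, 1.0
    for _ in range(steps):
        a, b = lo + (hi - lo) / 3, hi - (hi - lo) / 3
        if info(a) < info(b):
            lo = a
        else:
            hi = b
    x0 = (lo + hi) / 2
    return x0, info(x0)


if __name__ == "__main__":
    for n, m in [(1, 2), (2, 2), (1, 3), (2, 3)]:
        print(n, m, len(symbols(n, m)), round(lower_bound(n, m), 4))
    print(capacity_semi_uniform(0.5, 2, 3))
```

For a defender sizing this covert channel, `capacity_semi_uniform` gives the bits per observation interval Alice can leak for a measured clueless-sender silence probability `p`, under the semi-uniformity assumptions stated above.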


5.3.5 Non-Uniform Message Distributions

Each of the Senders (including Alice) can have different message distributions among the receivers. We consider 80/20 and the more practical "Zipf" distributions and explain each of them with respect to our scenario.

Zipf distribution. Zipf's distribution refers to the distribution of occurrence of an event relative to its rank '$r$'. There are two Zipf's laws: the rank-frequency one and the frequency count one. According to the rank-frequency law, the frequency of the $r$-th largest occurrence of the event is inversely proportional to its rank:

$$f_r \propto 1/r$$

This is typically referred to as Zipf's law or Zipf distribution. The rank-frequency plot is a straight line with a slope on a log-log scale.

The second law states the count of events that have a frequency '$f$' in terms of '$f$'. It is defined as

$$c_f \propto 1/f$$

We can easily prove that the second law is a mathematical consequence of the first one. It can also be shown that =1+1 =

We now calculate the message distribution probabilities in Zipf distribution for the one Clueless transmitter ($N = 1$) and five receivers ($M = 5$) case. The probability distribution is given by:

$$\begin{aligned}
P(\text{clueless send to } R_1) &= c \cdot 1/1 \\
P(\text{clueless send to } R_2) &= c \cdot 1/2 \\
P(\text{clueless send to } R_3) &= c \cdot 1/3 \\
P(\text{clueless send to } R_4) &= c \cdot 1/4 \\
P(\text{clueless send to } R_5) &= c \cdot 1/5 \\
P(\text{clueless doesn't send a message}) &= 1 - p = q
\end{aligned}$$

The constant $c$ is given by $60p/137$ and the new probabilities for sending to various receivers are $60p/137$, $30p/137$, $20p/137$, $15p/137$, and $12p/137$.


80/20 distribution. According to this distribution, 80% of the messages are sent to 20% of the recipients and the remaining 20% to 80% of the recipients. Let us assume, without loss of generality, that the first $M/5$ receivers get 80% of the messages and the remaining receivers get the other 20% of the messages. The probability distribution of a Clueless transmitter is as follows:

$$\begin{aligned}
P(\text{clueless send to } R_i \;\; \forall\, i = 1, 2, \ldots, M/5) &= p\, \frac{4/5}{M/5} = \frac{4p}{M} \\
P(\text{clueless send to } R_i \;\; \forall\, i = M/5 + 1, \ldots, M) &= p\, \frac{1/5}{4M/5} = \frac{p}{4M} \\
P(\text{clueless doesn't send a message}) &= 1 - p = q
\end{aligned}$$

For the probability distribution of Alice, there are three different probabilities: firstly for not sending a message, secondly for sending to the first $M/5$ receivers and the last one for the remaining $4M/5$ receivers.

5.4 Summary

This chapter presents the capacity analysis of the covert channel scenario. Since the mathematics involved in the analysis is very complex, many simple cases are analyzed. These include many cases involving combinations of $N = 1, 2, 3, 4$ additional transmitters and $M = 1, 2, 3$ receivers. Based on the observations from the different cases, the channel matrix and the entropy for the generalized case are discussed.

Finally, Zipf and 80/20 message distributions are considered for Alice and Clueless Transmitters. The results of the calculations and generalizations of the results are presented in the next chapter.


CHAPTER 6
DISCUSSION OF RESULTS

6.1 Capacity vs. Clueless Transmitters

Figure 6-1 shows the capacity as a function of $p$ with $M = 2$ receivers, for $N = 1, 2, 3, 4$ clueless senders. In all cases, the minimum capacity is realized at $p = 1/3$, and the capacity at $p = 1$ is $\log 3$. As $N$ increases, the capacity decreases, with the most marked effects at $p = 1/3$.

In Figure 6-1, the capacity (of course under the semi-uniformity assumption for $C_i$ which is in force throughout the report) was determined numerically for any choice of $A$. However, for the remaining plots, we applied the semi-uniformity conjecture (that Alice is better off behaving semi-uniformly if that is what the clueless senders do). Thus, $x_0$ is the only free variable for Alice's distribution in what follows.

6.2 Capacity vs. Number of Receivers

Figure 6-2 shows the capacity as a function of $p$ with $M = 3$ receivers, for $N = 1, 2, 4$ clueless senders. As expected, in all cases, the minimum capacity is realized at $p = 1/4$, and the capacity at $p = 1$ is $\log 4 = 2$. As $N$ increases, the capacity decreases, with the most marked effects at $p = 1/4$. The minimum capacity is greater when compared to the corresponding value in the $M = 2$ case (refer to plot 6-1).

The mutual information as a function of $x_0$ is shown in Figure 6-3 for $M = 2$ receivers and $N = 1$ clueless sender for $p = 0.25, 0.33, 0.5, 0.67$. Here, note that the curve with $p = 0.33$ has the smallest maximum value (capacity), and that the value of $x_0$ at which that maximum occurs is $x_0 = 0.33$. The $x_0$ value that maximizes the mutual information (i.e., for which capacity is reached) for the other curves is not 0.33, but the mutual information at $x_0 = 0.33$ is not much less than the capacity for any of the curves.

Figure 6-4 shows the mutual information curves for various values of $x_0$ as a function of $p$, with $N = 2$ clueless senders and $M = 2$ receivers. Similarly, Figure 6-5


Figure 6-1: Capacity for $N = 1$ to 4 Clueless Senders and $M = 2$ Receivers

Figure 6-2: Capacity for $N = 1, 2, 4$ Clueless Senders and $M = 3$ Receivers


Figure 6-3: Mutual Information vs. $x_0$ for $N = 1$ Clueless Sender and $M = 2$ Receivers, for $p = 0.25, 0.33, 0.5, 0.67$

Figure 6-4: Mutual Information vs. $p$ for $N = 2$ Clueless Senders and $M = 2$ Receivers


shows the mutual information curves for various values of $x_0$ as a function of $p$, with $N = 2$ clueless senders and $M = 3$ receivers.

Figure 6-5: Mutual Information vs. $p$ for $N = 2$ Clueless Senders and $M = 3$ Receivers

In Figure 6-4, note that the curve for $x_0 = 1/(M+1) = 1/3$ has the largest minimum mutual information, and also has the greatest mutual information at the point where $p = 1$, i.e., when there is no noise since Clueless$_1$ is not sending any messages. The capacity for various values of $p$ is, in essence, the curve that is the maximum at each $p$ over all of the $x_0$ curves, and the lower bound on capacity occurs at $p = 1/3 = 1/(M+1)$.

Also observe that the $x_0 = 0.33$ curve has the highest value for $p = .33$, but for other values of $p$, other values of $x_0$ have higher mutual information (i.e., Alice has a strategy better than using $x_0 = 0.33$). However, the mutual information when $x_0 = 0.33$ is never much less than the capacity at any value of $p$, so in the absence of information about the behavior of the clueless senders, a good strategy for Alice is to just use $x_0 = 1/(M+1)$. These observations are illustrated and expanded in the next two figures. Note the differences in concavity between Figure 6-3 and Figure 6-4. We will discuss concavity again later in the report.

Figure 6-6 shows the optimal value for $x_0$, i.e., the one that maximizes mutual information and hence achieves channel capacity, for $N = 1, 2, 3, 4$ clueless senders and $M = 3$ receivers as a function of $p$. A similar graph in [13] for $M = 1$ receiver is


symmetric about $x_0 = 0.5$, but for $M > 1$ the symmetry is multidimensional, and the graph projected to the $(p, x_0)$-plane where the destinations are uniformly distributed is not symmetric. However, note that the optimum choice of $x_0$ is $1/(M+1)$ both at $p = 1/(M+1)$ and at $p = 1$, that is, when the clueless senders either create maximum noise or when they do not transmit at all (no noise). As $N$ increases, the optimum $x_0$ for other values of $p$ is further from $1/(M+1)$. Also observe that Alice's best strategy is to do the opposite of what the clueless senders do, up to a point. If they are less likely to send messages ($p > 1/(M+1)$), then Alice should be more likely to send messages ($x_0 < 1/(M+1)$), whereas if Clueless$_i$ is more likely to send messages ($p < 1/(M+1)$), then Alice should be less likely to send messages ($x_0 > 1/(M+1)$).

Figure 6-6: Value of $x_0$ that Maximizes Mutual Information for $N = 1, 2, 3, 4$ Clueless Senders and $M = 3$ Receivers as a Function of $p$

6.3 Capacity vs. Mutual Information at $x_0 = 1/(M+1)$

Figure 6-7 shows the degree to which the choice of $x_0 = 1/(M+1)$ can be suboptimal, for $N = 1, 2, 3, 4$ clueless senders and $M = 3$ receivers. The plot shows the mutual information for the given $p$ and $x_0 = 1/(M+1)$, normalized by dividing by the capacity (maximum mutual information) at that same $p$. Hence, it shows the degree to which a choice of $x_0 = 1/(M+1)$ fails to achieve the maximum mutual information. For $N = 2$, it is never worse than 0.94 (numerically), but for $N = 4$, its minimum is 0.88. The relationship of suboptimality for other choices of $M$ and $N$, or for other distributions, is not known.


Figure 6-7: Normalized Mutual Information when $x_0 = 1/4$ for $N = 1, 2, 3, 4$ Clueless Senders and $M = 3$ Receivers

Figure 6-8: Capacity for $N = 1$ Clueless Sender and $M = 1$ to 5 Receivers


Figure 6-9: Capacity for $N = 0$ to 9 Clueless Senders and $M = 1$ to 10.

In Figure 6-8, we show the lower bound on capacity of the channel as a function of $p$ for $N = 1$ clueless sender and various values of $M$ receivers. Numerical results show that this lower bound increases for all $p$ as $M$ increases, and the lower bound on the capacity for a given $M$ occurs at $p = 1/(M+1)$, which is indicated by the dotted lines in the figure.

For Figure 6-9, we take the capacity at $p = 1/(M+1)$, which we found numerically to minimize the capacity of the covert channel, and plot this lower bound for capacity for many values of $N$ and $M$. We retain the assumption that $x_i = (1 - x_0)/(M+1)$ for $i = 1, 2, \ldots, M$, that is, given the semi-uniform distribution of transmissions to the receivers by the clueless senders, it is best for Alice to do likewise. Along the surface where $N = 0$, we have the noiseless channel, and the capacity is $\log(M+1)$, which is also the upper bound for capacity for all $N$ and $M$. The values along the surface when $M = 1$ give us the same values we derived in [13].

6.4 Capacity vs. Message Distributions

In Figure 6-10, we show the lower bound on capacity of the channel for different message distributions of the Clueless transmitter, Alice following the uniform distribution. The 80/20 distribution has the highest value of lower bound on capacity, followed by the Zipf and the uniform distributions. Notice that the uniform distribution has


the lowest capacity bound of the three distributions, indicating that the capacity of the covert channel increases with less uniform distributions.

Figure 6-10: Capacity for Uniform, Zipf, and 80/20 Distributions for Clueless Transmitter and Uniform Distribution for Clueless Transmitter

Figure 6-11 shows the mutual information curves, when plotted for various message distributions followed by Alice, with $N = 1$ clueless sender and $M = 4$ receivers and the clueless sender following uniform distribution. From the curve, we deduce that Alice has better channel capacity by maintaining the uniform message distribution, when the clueless transmitter is following uniform distribution.

Figure 6-12 confirms the above fact for the case where the Clueless sender follows the Zipf distribution. Calculating capacity for different message distributions gets more and more complicated because of the increase in the number of variables, and more work needs to be carried out in this area.

6.5 Comments and Generalizations

We first note that the maximum capacity of this (covert) quasi-anonymous channel is $\log(M+1)$ for $M$ distinguishable receivers, and is achievable only if there are no other senders ($N = 0$), or equivalently, if none of them ever send ($p = 1$), i.e., when the channel is noiseless.

Here are some of the observations from the different cases considered, under the semi-uniform assumption for the clueless senders and the semi-uniform conjecture for Alice, followed by some generalizations.


Figure 6-11: Capacity for Uniform, Zipf, and 80/20 Distributions for Alice and Uniform Distribution for Clueless Transmitter

Figure 6-12: Capacity for Uniform, Zipf, and 80/20 distributions for Alice and Zipf Distribution for Clueless Transmitter

* The capacity C(p, N, M), as a function of the probability p that a clueless sender remains silent, with N clueless senders and M receivers, is strictly bounded below by C(1/(M + 1), N, M), and is achieved with x_0 = 1/(M + 1).
* The lower bound for capacity for a given number M of receivers decreases as the number N of clueless senders increases, C(1/(M + 1), N, M) > C(1/(M + 1), N + 1, M).
* The lower bound for capacity for a given number N of clueless senders increases as the number M of distinguishable receivers increases, C(1/(M + 2), N, M + 1) > C(1/(M + 1), N, M).

These observations are intuitive, but we have not shown them to be true numerically in the general case (we did for the case that M = 1 in our initial publication [13]). It is interesting to note that increasing the number of distinguishable receivers increases the covert channel capacity, which in some sense decreases the (sender) anonymity in the system (Alice has more room in which to express herself). This is a bit contrary to the intuitive view of anonymity in Mix networks, where more receivers tends to provide "greater anonymity." In this light, we note that Danezis and Serjantov investigated the effects of multiple receivers in statistical attacks on anonymity networks [?]. They found that Alice having multiple receivers greatly lowered a statistical attacker's certainty of Alice's receiver set.

While the graphs and numerical tests support that the "worst" thing the clueless senders can do is to send (or not) with uniform probability distribution over the R_i, i = 0, 1, 2, ..., M, we have not proven this mathematically. Nor have we proven that, under these conditions, the best Alice can do is to send (or not) to each receiver R_i with uniform probability, x_i = 1/(M + 1) for i = 0, 1, 2, ..., M, although the numerical computations support this. The proof in [13] of these conjectures for the case where M = 1 relied, in part, on the symmetry about x_0 = 0.5, which is not the case when M > 1, so another approach must be used. However, we should still be able to use the concavity/convexity results from [13]. Note that our conjecture that the best that Alice can do is to send in a semi-uniform manner, and the results illustrated in Figure 8, seem to be an extension of the interesting results of [10].

6.6 Summary

The capacity C(p, N, M), as a function of the probability p that a clueless sender remains silent, with N clueless senders and M receivers, is strictly bounded below by C(1/(M + 1), N, M), and is achieved with x_0 = 1/(M + 1). The lower bound of capacity decreases with increase in Clueless senders and increases with increase in distinguishable receivers. The lower bound for capacity for a given number of receivers decreases as the number of Clueless senders increases.
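The bounds summarized above can be checked numerically for small N and M. The following Python sketch is an added example, not code from the thesis. It assumes this channel: each tick Alice either stays silent or sends one message to one of M receivers, each of N clueless senders independently stays silent with probability p and otherwise picks a receiver uniformly, and the observer sees only the per-receiver message counts. Capacity is computed in bits (log base 2) with the Blahut-Arimoto iteration, and all function names are hypothetical.

```python
import math


def _add_message(counts, receiver):
    """Return the count vector after one more message to `receiver` (0 = silent)."""
    if receiver == 0:
        return counts
    bumped = list(counts)
    bumped[receiver - 1] += 1
    return tuple(bumped)


def channel_matrix(p, n_clueless, m_receivers):
    """One dict per Alice action x (0 = silent, 1..M = receiver index),
    mapping each observable count vector to P(counts | x)."""
    # Assumed semi-uniform clueless behaviour: silent with probability p,
    # otherwise each of the M receivers with probability (1 - p) / M.
    choice_prob = [p] + [(1.0 - p) / m_receivers] * m_receivers
    noise = {(0,) * m_receivers: 1.0}      # counts produced by clueless senders
    for _ in range(n_clueless):
        nxt = {}
        for counts, prob in noise.items():
            for choice, q in enumerate(choice_prob):
                if q == 0.0:
                    continue
                key = _add_message(counts, choice)
                nxt[key] = nxt.get(key, 0.0) + prob * q
        noise = nxt
    return [{_add_message(c, x): pr for c, pr in noise.items()}
            for x in range(m_receivers + 1)]


def capacity_bits(p, n_clueless, m_receivers, tol=1e-9, max_iter=20000):
    """Blahut-Arimoto: returns (capacity in bits, Alice's optimizing input)."""
    rows = channel_matrix(p, n_clueless, m_receivers)
    px = [1.0 / len(rows)] * len(rows)     # start from the uniform input
    lower = 0.0
    for _ in range(max_iter):
        py = {}
        for x_prob, row in zip(px, rows):
            for y, w in row.items():
                py[y] = py.get(y, 0.0) + x_prob * w
        # div[x] = D( P(.|x) || P_Y ); I(X;Y) <= capacity <= max(div)
        div = [sum(w * math.log2(w / py[y]) for y, w in row.items())
               for row in rows]
        lower = sum(a * d for a, d in zip(px, div))
        if max(div) - lower < tol:
            break
        weights = [a * 2.0 ** d for a, d in zip(px, div)]
        total = sum(weights)
        px = [w / total for w in weights]
    return lower, px


if __name__ == "__main__":
    for m in (1, 2, 3):
        for n in (0, 1, 2):
            c, px = capacity_bits(1.0 / (m + 1), n, m)
            print(f"M={m} N={n} p=1/(M+1): C={c:.4f} bits, x0={px[0]:.4f}")
```
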

CHAPTER 7
CONCLUSIONS AND FUTURE WORK

This thesis has taken a step towards tying the notion of capacity of a quasi-anonymous channel associated with an anonymity network to the amount of anonymity that the network provides. It explores the particular situation of a simple type of timed Mix (it fires every tick) that also acts as an exit firewall. Cases for varying numbers of distinguishable receivers and varying numbers of senders were considered, resulting in the observations that more senders (not surprisingly) decreases the covert channel capacity, while more receivers increases it. The latter observation is intuitive to communication engineers, but may not have occurred to many in the anonymity community, since the focus there is often on sender anonymity.

As the entropy H of the probability distribution associated with a message output from a Mix gives the effective size, 2^H, of the anonymity set, we wonder if the capacity of the residual quasi-anonymous channel in an anonymity system provides some measure of the effective size of the anonymity set for the system as a whole. That is, using the covert channel capacity as a standard yardstick, can we take the capacity of the covert channel for the observed transmission characteristics of clueless senders, equate it with the capacity for a (possibly smaller) set of clueless senders with maximum entropy (i.e., who introduce the maximum amount of noise into the channel for Alice), and use the size of this latter set as the effective number of clueless senders in the system. This is illustrated in Figure 6-1, with the vertical dashed line showing that N = 4 clueless senders that remain silent with probability p = 0.87 are in some sense equivalent to one clueless sender that sends with p = 0.33.

The case in which the Mix itself injects dummy messages into the stream randomly is not distinguishable from having an additional clueless sender. However, if the Mix predicates its injection of dummy messages upon the activity of the senders, then it can affect the channel matrix greatly, to the point of eliminating the covert channel entirely. We are also interested in the degree to which the Mix can reduce the covert channel capacity (increase anonymity) with a limited ability to inject dummy messages.

REFERENCES

[1] Adam Back, Ulf Moller, and Anton Stiglic. Traffic analysis attacks and trade-offs in anonymity providing systems. In Ira S. Moskowitz, editor, Information Hiding, 4th International Workshop (IH 2001), pages 245-257. Springer-Verlag, LNCS 2137, 2001.

[2] P. Boucher, I. Goldberg, and A. Shostack. Freedom system 2.0 architecture. http://www.freedom.net/info/whitepapers/, December 2000. Zero-Knowledge Systems, Inc.

[3] David Chaum. Untraceable electronic mail, return addresses and digital pseudonyms. Communications of the ACM, 24(2):84-88, 1981.

[4] David Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology: the Journal of the International Association for Cryptologic Research, 1(1):65-75, 1988.

[5] L. Cottrell. Mixmaster and remailer attacks, August 1994. http://www.obscura.com/~loki/remailer/remailer-essay.html, August 2004.

[6] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring anonymity. In Paul Syverson and Roger Dingledine, editors, Privacy Enhancing Technologies (PET 2002). Springer-Verlag, LNCS 2482, April 2002.

[7] D. Goldschlag, M. Reed, and P. Syverson. Onion routing for anonymous and private internet connections. Communications of the ACM (USA), 42(2):39-41, 1999.

[8] C. Gulcu and G. Tsudik. Mixing Email with Babel. In Internet Society Symposium on Network and Distributed System Security (NDSS'96), pages 2-16, San Diego, CA, Feb 1996.

[9] D. Kesdogan, J. Egner, and R. Buschkes. Stop-and-go-MIXes providing probabilistic anonymity in an open system. In Proceedings of the International Information Hiding Workshop, April 1998.

[10] E. E. Majani and H. Rumsey. Two results on binary input discrete memoryless channels. In IEEE International Symposium on Information Theory, page 104, June 1991.

[11] Ulf Moeller and Lance Cottrell. Mixmaster Protocol Version 3, 2000. http://www.eskimo.com/~rowdenw/crypt/Mix/draft-moeller-v3-01.txt, August 2004.

[12] Ira S. Moskowitz and Myong H. Kang. Covert channels - here to stay? In Proc. COMPASS'94, pages 235-243, Gaithersburg, MD, June 27-July 1 1994. IEEE Press.

[13] Ira S. Moskowitz, Richard E. Newman, Daniel P. Crepeau, and Allen R. Miller. Covert channels and anonymizing networks. In ACM WPES, pages 79-88, Washington, October 2003.

[14] Ira S. Moskowitz, Richard E. Newman, and Paul F. Syverson. Quasi-anonymous channels. In IASTED CNIS, pages 126-131, New York, December 2003.

[15] R. E. Newman-Wolfe and B. R. Venkatraman. High level prevention of traffic analysis. In Proc. IEEE/ACM Seventh Annual Computer Security Applications Conference, pages 102-109, San Antonio, TX, Dec 2-6 1991. IEEE CS Press.

[16] R. E. Newman-Wolfe and B. R. Venkatraman. Performance analysis of a method for high level prevention of traffic analysis. In Proc. IEEE/ACM Eighth Annual Computer Security Applications Conference, pages 123-130, San Antonio, TX, Nov 30-Dec 4 1992. IEEE CS Press.

[17] Onion routing home page. http://www.onion-router.net, August 2004.

[18] J. Raymond. Traffic analysis: Protocols, attacks, design issues, and open problems. In Hannes Federrath, editor, Designing Privacy Enhancing Technologies: Design Issues in Anonymity and Observability, pages 10-29. Springer-Verlag, LNCS 2009, July 2000.

[19] Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for web transactions. ACM Transactions on Information and System Security, 1(1):66-92, 1998.

[20] Andrei Serjantov and George Danezis. Towards an information theoretic metric for anonymity. In Paul Syverson and Roger Dingledine, editors, Privacy Enhancing Technologies (PET 2002). Springer-Verlag, LNCS 2482, April 2002.

[21] Andrei Serjantov, Roger Dingledine, and Paul Syverson. From a trickle to a flood: Active attacks on several mix types. In IH 2002, pages 36-52, Noordwijkerhout, the Netherlands, October 2002.

[22] Claude E. Shannon. The mathematical theory of communication. Bell Systems Technical Journal, 30:50-64, 1948.

[23] Claude E. Shannon. The zero error capacity of a noisy channel. IRE Trans. on Information Theory, Vol. IT-2:S8-S19, September 1956.

[24] P F Syverson, D M Goldschlag, and M G Reed. Anonymous connections and onion routing. In IEEE Symposium on Security and Privacy, pages 44-54, Oakland, California, 4-7 1997.

[25] Paul F. Syverson, Gene Tsudik, Michael G. Reed, and Carl E. Landwehr. Towards an analysis of onion routing security. In Hannes Federrath, editor, Designing Privacy Enhancing Technologies: Design Issues in Anonymity and Observability, pages 96-114. Springer-Verlag, LNCS 2009, July 2000.

[26] B. R. Venkatraman and R. E. Newman-Wolfe. Transmission schedules to prevent traffic analysis. In Proc. IEEE/ACM Ninth Annual Computer Security Applications Conference, pages 108-115, Orlando, FL, December 6-10 1993. IEEE CS Press.

[27] B. R. Venkatraman and R. E. Newman-Wolfe. Performance analysis of a method for high level prevention of traffic analysis using measurements from a campus network. In Proc. IEEE/ACM Tenth Annual Computer Security Applications Conference, pages 288-297, Orlando, FL, December 5-9 1994. IEEE CS Press.

Vipan Reddy Nalla was born on August 1st, 1981, in Nizamabad, Andhra Pradesh, India. He received his undergraduate degree, Bachelor of Technology, civil engineering, from Indian Institute of Technology, Chennai (Madras), India, in August 2001. He joined the University of Florida in Spring 2003 to pursue his master's degree. His research interests include Network Security and Cryptography with an emphasis on anonymity and covert channels.


Permanent Link: http://ufdc.ufl.edu/UFE0007303/00001

Material Information

Title: Anonymity and Covert Channels in Mix-Firewalls
Physical Description: Mixed Material
Copyright Date: 2008

Record Information

Source Institution: University of Florida
Holding Location: University of Florida
Rights Management: All rights reserved by the source institution and holding location.
System ID: UFE0007303:00001












ANONYMITY AND COVERT CHANNELS IN MIX-FIREWALLS


By

VIPAN REDDY R. NALLA


















A THESIS PRESENTED TO THE GRADUATE SCHOOL
OF THE UNIVERSITY OF FLORIDA IN PARTIAL FULFILLMENT
OF THE REQUIREMENTS FOR THE DEGREE OF
MASTER OF SCIENCE

UNIVERSITY OF FLORIDA


2004




































Copyright 2004

by

Vipan Reddy R. Nalla















ACKNOWLEDGMENTS

I would like to gratefully acknowledge the great supervision of Dr. Richard Newman during this work. I thank Dr. Joseph Wilson and Dr. Shigang Chen for serving on my committee and for reviewing my work.

I would like to thank Ira Moskowitz and Naval Research Labs for funding me through research grants. I am grateful to all my friends who helped me directly or indirectly in preparing this work. Finally, I am forever indebted to my parents for helping me to reach this stage in my life.
















TABLE OF CONTENTS

ACKNOWLEDGMENTS

LIST OF FIGURES

ABSTRACT

1 INTRODUCTION

2 MIXES AND MIX NETWORKS
    2.1 Mix
    2.2 Types of Mixes
        2.2.1 Simple Mixes
        2.2.2 Pool Mixes
    2.3 Mix Networks
        2.3.1 Design Issues in Mix Networks
        2.3.2 Classification of Mix Networks
    2.4 Real-time Mix Networks
        2.4.1 Crowds
        2.4.2 Onion Routing
        2.4.3 Babel
        2.4.4 MixMaster
        2.4.5 Freedom
        2.4.6 PipeNet
        2.4.7 Stop-And-Go Mixes
        2.4.8 Tarzan
    2.5 Summary

3 ADVERSARY MODELS AND ATTACKS ON MIXES
    3.1 Adversary Models
        3.1.1 Internal and External Adversary
        3.1.2 Active and Passive Adversary
        3.1.3 Local, Restricted and Global Adversary
        3.1.4 Static and Adaptive Adversary
    3.2 Attacks on Mixes
        3.2.1 Active Attacks
        3.2.2 Passive Attacks
    3.3 Summary

4 ANONYMITY METRICS AND ANALYSIS TECHNIQUE
    4.1 Anonymity
    4.2 Anonymity Metrics
        4.2.1 Anonymity Sets
        4.2.2 Problems with Anonymity Set Size
        4.2.3 Entropy
        4.2.4 Route Length
        4.2.5 Covert Channel
        4.2.6 Covert Channels in Mix Networks
        4.2.7 Covert Channel Capacity as Anonymity Metric
    4.3 Analysis Technique
        4.3.1 Scenarios
        4.3.2 Channel Matrix
    4.4 Summary

5 PREVIOUS WORK AND THE EXIT-MIX MODEL
    5.1 Capacity Analysis for Indistinguishable Receivers Case
        5.1.1 Case 0: Alice Alone
        5.1.2 Case 1: Alice and One Additional Clueless Transmitter
        5.1.3 Case 2: Alice and N Additional Transmitters
    5.2 Exit-Mix Model
        5.2.1 Scenario
        5.2.2 Channel Matrix Probabilities
    5.3 Capacity Analysis for Exit-MIX Scenario
        5.3.1 One Receiver (M = 1)
        5.3.2 Some Special Cases for Two Receivers (M = 2)
        5.3.3 Some Special Cases for Three Receivers (M = 3)
        5.3.4 Some Generalized Cases of N and M
        5.3.5 Non-Uniform Message Distributions
    5.4 Summary

6 DISCUSSION OF RESULTS
    6.1 Capacity vs. Clueless Transmitters
    6.2 Capacity vs. Number of Receivers
    6.3 Capacity vs. Mutual Information at x0 = 1/(M + 1)
    6.4 Capacity vs. Message Distributions
    6.5 Comments and Generalizations
    6.6 Summary

7 CONCLUSIONS AND FUTURE WORK

REFERENCES

BIOGRAPHICAL SKETCH

LIST OF FIGURES

4-1 Vulnerability of Anonymity Sets
4-2 Restricted Passive Adversary Model
4-3 Global Passive Adversary Model
5-1 Channel Model for Subsection 5.1.1. A) Channel block diagram. B) Channel transition diagram
5-2 Plot of Covert Channel Capacity as a Function of p
5-3 Channel for Case 3, the general case of N clueless users. A) Channel transition diagram. B) Channel Matrix
5-4 Exit Mix-firewall Model with N Clueless Senders and M Distinguishable Receivers
5-5 Case 4: System with N = 1 Clueless Sender and M = 2 Receivers
5-6 Capacity for N = 1 Clueless Sender and M = 2 Receivers
5-7 Case 5: System with N = 2 Clueless Senders and M = 2 Receivers
5-8 Capacity for N = 2 clueless senders and M = 2 receivers
5-9 Case 6: System with N = 1 Clueless Senders and M = 3 Receivers
5-10 Capacity for N = 1 clueless sender and M = 3 receivers
5-11 Capacity for N = 2 clueless senders and M = 3 receivers
5-12 Case 7: System With N = 2 Clueless Senders and M = 3 Receivers
5-13 Case 8: System with N = 1 Clueless Sender and M Receivers
5-14 Case 9: System with N Clueless Senders and M = 2 Receivers
6-1 Capacity for N = 1 to 4 Clueless Senders and M = 2 Receivers
6-2 Capacity for N = 1, 2, 4 Clueless Senders and M = 3 Receivers
6-3 Mutual Information vs. x0 for N = 1 Clueless Sender and M = 2 Receivers, for p = 0.25, 0.33, 0.5, 0.67
6-4 Mutual Information vs. p for N = 2 Clueless Senders and M = 2 Receivers
6-5 Mutual Information vs. p for N = 2 Clueless Senders and M = 3 Receivers
6-6 Value of x0 that Maximizes Mutual Information for N = 2, 3, 4 Clueless Senders and M = 3 Receivers as a Function of p
6-7 Normalized Mutual Information when x0 = 1/4 for N = 1, 2, 3, 4 Clueless Senders and M = 3 Receivers
6-8 Capacity for N = 1 Clueless Sender and M = 1 to 5 Receivers
6-9 Capacity for N = 0 to 9 Clueless Senders and M = 1 to 10
6-10 Capacity for Uniform, Zipf, and 80/20 Distributions for Clueless Transmitter and Uniform Distribution for Clueless Transmitter
6-11 Capacity for Uniform, Zipf, and 80/20 Distributions for Alice and Uniform Distribution for Clueless Transmitter
6-12 Capacity for Uniform, Zipf, and 80/20 distributions for Alice and Zipf Distribution for Clueless Transmitter















Abstract of Thesis Presented to the Graduate School
of the University of Florida in Partial Fulfillment of the
Requirements for the Degree of Master of Science

ANONYMITY AND COVERT CHANNELS IN MIX-FIREWALLS

By

Vipan Reddy R. Nalla

December 2004

Chair: Richard E. Newman
Major Department: Computer and Information Science and Engineering

Privacy is becoming a critical issue on the Internet. Some people want to keep their purchases private. They do not want to have third parties (or even merchants) know their identity. This concern may arise because the customer is buying a good of questionable social value (e.g., pornography); or because the customer does not want to have his name added to a marketing or mailing list; or for illegal reasons (e.g., to evade taxes); or simply because the customer personally values privacy.

Mix networks are the most promising approach to anonymize communication in the Internet. Originally designed to anonymize e-mail communication, variations of the basic design have led to systems that provide anonymity for low-latency applications such as web browsing.

Traditional methods for evaluating the amount of anonymity afforded by various mix configurations have depended on either measuring the size of the set of possible senders of a particular message (the anonymity set size), or by measuring the entropy associated with the probability distribution of the messages of possible senders. Our study further explores an alternative way of assessing the anonymity of a mix system by considering the capacity of a covert channel from a sender behind the mix to an observer of the mix's output.















CHAPTER 1
INTRODUCTION

Privacy is becoming a critical issue on the Internet. Some people want to keep their purchases private. They do not want to have third parties (or even merchants) know their identity. This concern may arise because the customer is buying a good of questionable social value (e.g., pornography); or because the customer does not want to have his name added to a marketing or mailing list; or for illegal reasons (e.g., to evade taxes); or simply because the customer personally values privacy. Elections constantly remind us that one of the most important barriers to electronic voting is users' fear of having their privacy violated. Unfortunately, this is justified, as marketers and national security agencies have been very aggressive in monitoring user activity.

Mix networks [3] are the most promising approach to anonymize communication in the Internet. Originally designed to anonymize e-mail communication, variations of the basic design have led to systems that provide anonymity for low-latency applications such as web browsing. None of these anonymity networks was designed with the covert channel threat in mind. The goal of this work is to show that even in what appears to be a benign form of communication, information may still leak out of the network.

Overview. Our study addressed anonymity and covert channels. The major contribution of our study is the identification, analysis, and capacity estimation of the covert channels that arise from the use of a Mix [3, 21] as an exit firewall.

Mixes are special nodes in a network that relay messages while hiding the correspondence between their input and their output. A careful explanation of mixes and a detailed classification of mixes is presented in Chapter 2. Several mixes can be chained to relay a message anonymously. These systems provide the best compromise between security and efficiency in terms of bandwidth, latency, and overheads. Design issues related to mix networks are also presented along with examples of some real-time mix-based anonymizing systems. Chapter 3 presents various adversary models, followed by a comprehensive listing of attacks against mixes and mix networks.

Anonymity is an important issue in electronic payments, electronic auctions, electronic voting, and also for email and web browsing. A communication can never be truly anonymous, but relative anonymity can be achieved. Chapter 4 defines anonymity and presents various types of anonymity. It also describes generalized methods to measure anonymity and the technique used for analysis. We measured the lack of perfect anonymity via a covert channel. Covert channel analysis includes finding the security flaw, developing covert channel scenarios, and analyzing their capacity. Chapter 4 gives a brief description of a particular flavor of covert channels arising in mix networks.

Chapter 5 presents the adversary model with details of terminology and model setup. It also presents initial work involving a simple model [13] with a restricted adversary (RPA), along with results and conclusions. It also presents the main analysis done in the thesis. This includes analyzing the capacity of the covert channels for different cases of senders and receivers. A detailed discussion of the results of this analysis forms Chapter 6. Chapter 7 presents conclusions and suggests future work needed in this area.
















CHAPTER 2
MIXES AND MIX NETWORKS

2.1 Mix

David Chaum first introduced mix networks for untraceable electronic mail [3]. A mix server randomly permutes and decrypts input messages. The key property of the mix network is that we can't tell which ciphertext corresponds to a given message. Chaum's original system used a very simple threshold mix model, but since then many different types of mixes have been proposed in the literature, and some of them are being used in practice.

A mix server is classified by the batching strategy used. The batching strategy involves collecting messages, mixing them well, and flushing the messages when certain conditions are met. The flushing algorithm used in the mix can be expressed as a function P : N → (0, 1) from the number of messages inside the mix to the fraction of messages to be flushed. The flushing condition is expressed in terms of a time interval t, a threshold n on the messages collected in the mix, or a combination of both.

2.2 Types of Mixes

Based on the flushing algorithm used, mixes can be divided into simple mixes and pool mixes.

2.2.1 Simple Mixes

A simple mix flushes all the messages it contains when the flushing conditions are met. Hence, the value of the function P(n) is equal to one. These mixes can be further classified, depending on the flushing condition used.

Threshold mix.

* Flushing Condition Parameters: threshold on messages collected in the mix, n.
* Flushing Algorithm: The mix fires all the messages when n messages are collected.
* Message delay: The minimum delay is ε (this happens when the mix already contained n − 1 messages before the target message arrives). The maximum delay can be infinite, if no more messages arrive after the target message. Assuming a message arrival rate r, the average message delay is given by 2.
* Anonymity: Assuming all the messages in the mix are from different senders and go to different receivers, the probability that an outgoing message corresponds to a particular incoming message is given by -. This probability is always equal to 1 since the threshold n is constant.

Timed mix.

* Flushing Condition Parameters: time interval, t.
* Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds).
* Message delay: The minimum delay is ε, when the target message arrives just before the flushing time period of the mix. The maximum delay is t − ε, when the target message arrives just after the mix has fired. Hence, the mean delay is t units.
* Anonymity: The anonymity of the mix depends on the number of messages arriving in a particular flushing interval. The minimum anonymity is zero, when no message arrives in the time interval. The maximum anonymity is theoretically infinite, but is limited to the number of messages the mix can hold. Assuming a message arrival rate of r, a total of rt messages are fired. So the probability that an outgoing message corresponds to a particular incoming message is given by I.

Threshold or timed mix.

* Flushing Condition Parameters: time interval, t; threshold on messages, n.
* Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds) or when n messages accumulate in the mix.
* Message delay: The minimum delay is ε, when the target message arrives just before the flushing time period or when the mix already has n − 1 messages. The maximum delay is t − ε, when the target message arrives just after the mix has fired and the number of messages arriving in the next interval is less than n.
* Anonymity: The anonymity of the mix depends on the number of messages arriving in a particular flushing interval. The minimum anonymity is zero, when no message arrives in the time interval. The maximum anonymity is not infinite as in the previous case because of the threshold n. The minimum probability that an outgoing message corresponds to a particular incoming message is given by 1

Threshold and timed mix.

* Flushing Condition Parameters: time interval, t; threshold on messages, n.
* Flushing Algorithm: The mix flushes (all the messages in the mix) every t time units (generally seconds) but only when at least n messages have accumulated in the mix.
* Message delay: The minimum delay is ε, when the target message arrives just before the flushing time period. The maximum delay can be infinite, if the number of messages accumulated is less than n.
* Anonymity: The minimum anonymity for this mix is no longer zero, since the mix doesn't fire until it has n messages. The maximum anonymity is in theory infinite, but is limited in practice by the number of messages the mix can hold. The maximum probability that an outgoing message corresponds to a particular incoming message is given by 1










2.2.2 Pool Mixes

In pool mixes, the mix retains some messages and hence the value of the flushing function P(n) is less than one. Pool mixes can be further divided into constant and dynamic pool mixes, depending on whether the value of function P is constant over successive flushes by the mix.

Constant pool mixes. The simple mixes described earlier can be modified to retain a constant pool of messages for the next round.

Threshold pool mix.

* Flushing Condition Parameters: number of messages retained (pool), f; threshold on messages, n.
* Flushing Algorithm: The mix fires n messages when it accumulates n + f messages. The pool of messages to be retained (f) is chosen uniformly at random from the n + f messages collected in the mix.
* Message delay: The minimum delay is ε and the maximum delay is theoretically infinite. Serjantov, Syverson and Dingledine [20] analyze the threshold pool mixes in detail. They calculate the mean delay by taking into account the fact that a message can be retained in the mix for an arbitrarily long time. The probability of a message being retained in a particular round is given by -.f The mean delay is 1 + ( f) rounds. If messages arrive at a rate of r messages per time unit, the average delay is (1 + n )"
* Anonymity: The anonymity of the message going through a pool mix depends on the entire history of events that happened in the mix. The minimum anonymity of the mix is at least equal to that of the simple threshold mix. Serjantov and N, i. iI [20] carried out the analysis and have calculated the maximum anonymity in terms of number of possible sets.

Ama -(1- f)log(n+ f)+ log(f)
n n

Timed pool mix.

* Flushing Condition Parameters: number of messages retained (pool), f; time interval, t.
* Flushing Algorithm: The mix fires every t time units. A pool of f messages chosen uniformly at random is retained in the mix. If the number of messages accumulated is less than or equal to f, then the mix doesn't fire.
* Message delay: The minimum delay is ε and the maximum delay is infinite (when no message arrives for a long time, the messages retained in the pool never leave the mix). As in the threshold pool mix, there is a non-zero probability that a message is retained for an arbitrarily long time.










Dynamic pool mixes. Dynamic pool mixes are represented by the function P, and this function can be modified to maximize the anonymity obtained. The Cottrell mix [5] and the Binomial mix [20] are some examples of dynamic pool mixes.

Timed dynamic pool mix (Cottrell mix).

* Flushing Condition Parameters: number of messages retained (pool), f; time interval, t; a, fraction of messages to be sent; threshold, n.
* Flushing Algorithm: The mix fires every t time units, provided there are at least n + f messages in the mix. However, instead of firing n messages, it fires max(1, ⌊m·a⌋) messages, where m + f is the number of messages in the mix (m > n).
* Message delay: Like the timed pool mix, the minimum delay is ε. The maximum delay is at least as high as that of the timed constant pool mix. The average delay depends on the future rate of arrival of the messages.
* Anonymity: The anonymity provided by this mix is higher than that of the constant pool mixes. This is because as the number of messages collected goes up, the a keeps the chance of a message remaining in the dynamic pool mix constant. For a constant timed pool mix, this quantity decreases with increase in messages collected, and in the case of the threshold pool mix, the mix has to flush frequently, hence reducing the chance of a message remaining in the mix per unit time.

Binomial mix.

* Flushing Condition Parameters: time interval, t; threshold, n.
* Flushing Algorithm: We can imagine the flushing function P(n) as a probability. For each of the messages collected, the mix tosses a coin. A head indicates that the message will be sent and a tail indicates it will remain in the mix. On average, the number of messages sent is s = nP(n). s follows the well-known binomial distribution with a variance equal to np(1 − p), where p is the result of the function P(n).
* Message delay: The minimum delay is ε and the maximum delay depends on the random binomial function P(n).
* Anonymity: The anonymity provided by the mix is much higher than that of the previously discussed mix types. This is because the attacker can't easily determine the number of messages in the mix, n, by observing the value of s.
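The flushing rules of Section 2.2 can be compared side by side by replaying one arrival sequence through each of them. The following Python sketch is an added example, not code from the thesis. The event encoding ('m' for an arriving message, 't' for expiry of the interval t), the function names and the sample sequence are assumptions made for the illustration, and the binomial mix is left out because the text does not fix its function P(n).

```python
import math
import random


def fire_count(kind, held, tick, n=0, f=0, a=1.0):
    """How many of the `held` messages leave the mix after this event.

    tick is True when the event is the expiry of the time interval t;
    n = threshold, f = pool size, a = fraction sent by the Cottrell mix.
    """
    if kind == "threshold":
        return held if held >= n else 0
    if kind == "timed":
        return held if tick else 0
    if kind == "threshold_or_timed":
        return held if (tick or held >= n) else 0
    if kind == "threshold_and_timed":
        return held if (tick and held >= n) else 0
    if kind == "threshold_pool":           # fire n once n + f have accumulated
        return n if held >= n + f else 0
    if kind == "timed_pool":               # keep f back; no flush at or below f
        return held - f if (tick and held > f) else 0
    if kind == "cottrell":                 # timed dynamic pool mix
        if tick and held >= n + f:
            return max(1, math.floor((held - f) * a))
        return 0
    raise ValueError(f"unknown mix type: {kind}")


def simulate(kind, events, seed=1, **params):
    """Replay `events` through one mix.

    Returns (batches, pool): each batch is (fired_ids, held_before_flush),
    pool is the list of message ids still inside the mix at the end.
    """
    rng = random.Random(seed)
    pool, batches, next_id = [], [], 0
    for ev in events:
        if ev == "m":
            pool.append(next_id)
            next_id += 1
        k = fire_count(kind, len(pool), ev == "t", **params)
        if k > 0:
            # The set that leaves is chosen uniformly at random, so the
            # retained pool is a uniform sample of what the mix holds.
            fired = set(rng.sample(pool, k))
            batches.append((sorted(fired), len(pool)))
            pool = [m for m in pool if m not in fired]
    return batches, pool


def flushed_fractions(batches):
    """Observed value of the flushing function P for each flush."""
    return [len(fired) / held for fired, held in batches]


EVENTS = "mmmtmmtmmmmt"    # constructed sample: 9 messages, 3 timer expiries

if __name__ == "__main__":
    configs = [
        ("threshold", dict(n=3)),
        ("timed", {}),
        ("threshold_or_timed", dict(n=3)),
        ("threshold_and_timed", dict(n=3)),
        ("threshold_pool", dict(n=3, f=2)),
        ("timed_pool", dict(f=2)),
        ("cottrell", dict(n=2, f=2, a=0.5)),
    ]
    for kind, params in configs:
        batches, pool = simulate(kind, EVENTS, **params)
        sizes = [len(fired) for fired, _ in batches]
        print(f"{kind:20s} batch sizes={sizes} still in mix={len(pool)}")
```

Simple mixes always show a flushed fraction of one, while the pool mixes stay below one and leave messages behind after the last event.
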

2.3 Mix Networks

The chain of mixes from a client to a server is called anonymous tunnel or a

mix network. A single encrypted connection is used to transport the data of multiple

anonymous tunnels between two mixes.

2.3.1 Design Issues in Mix Networks

A Mix Network is characterized by the type of anonymity provided, packet sizes,

dummy traffic, routing, and the node-flushing algorithm used at individual nodes. We


will discuss each of these issues briefly.










Anonymity. Probably the most important design issue is that of anonymity versus

pseudonymity. Pseudonymity means that some node(s) know the user's pseudonym (it

can't link a pseudonym with a real-world identity). Another option is to have the user

be anonymous in the mix network but be pseudonymous in its dealings with other users

(half-pseudonymity).

Anonymity provides better security since if a pseudonym (nym) is linked with

a user, all future uses of the nym can be linked to the user. But, pseudonymity has

many other advantages when compared to complete anonymity. Pseudonymity provides

the best of both worlds: privacy protection and accountability (and openness). Since

pseudonyms (nyms) have a persistent nature, long term relationships and trust can be

cultivated. Authentication (verifying that someone has the right to use the network) is

easier with pseudonymity because Chaumian blinding [4] needs to be used when using

anonymity.

Packet sizes. The messages (e.g. web requests/replies) are chopped into fixed-length

packets and are delivered in a particular order (lexicographic, etc.). This eliminates

the traffic analysis at a mix based on the packet length. But in many situations, using

different message sizes yields substantial performance improvements. For example,

TCP/IP connections require on average one small control packet for every two (large)

data packets. It might be inefficient for small messages to be padded or large packets

split up in order to get a message of the correct size. So, we have a tradeoff between

security and performance: using more than one message size gives better performance

but worse security.

Dummy traffic. Dummy packets are normally introduced to reduce traffic pattern

based attacks and to some extent other passive attacks discussed in Section 3.2.2. Dummy

messages contain random bit strings and are indistinguishable from real packets.

Messages can be introduced between two mixes, between the client and the first mix in a

tunnel, between the client and the last mix in the tunnel, or as end-to-end dummies. This

results in constant, bi-directional packet streams between any two mix-nodes or the

users and their entry node.










Dummy traffic is often used in an unstructured manner in mix-networks and

might not be as effective as it could be. Some studies [15, 16, 18, 26, 27] have discussed

and analyzed the use of dummy traffic for traffic analysis prevention.

If a mix node sends its messages to fewer than t nodes, dummy messages should be

sent in such a way that t nodes receive messages. The larger t, the harder it is to mount

the brute search attacks and intersection attacks.

Each mix node should send messages to at least t destinations outside the mix

network (dummy messages should be used to fill the gaps). The larger t, the harder it is

to mount the brute search attack. Furthermore, this technique also complicates attacks

in which the adversary monitors the exit nodes.

Dummy messages can also be used to randomize the user's communication patterns

by making the user send dummy traffic to the entry node. The challenge here is to

have good security and minimize the amount of dummy messages used.

Finally, dummy messages could also be used to reduce the amount of time messages

stay at a given node. It seems that waiting for s messages to enter a mix node

before sending t (t > s) has similar security properties as waiting to receive t messages

before releasing them. This trick could be used to reduce the time messages wait at

nodes [18].

Routing. Routing can be either static, in which a preassigned number of routes are

used, or dynamic, where the user chooses the nodes in his route randomly. For large

Internet based systems especially, having the user choose the nodes in his route is a

viable option because of the following reasons.


The nodes and users must "know" each other node, which might be impractical.
Some servers are far from each other and it doesn't make sense from a performance
viewpoint to have, for example, a route consisting of nodes in Australia,
Canada, South Africa and China.
Nodes should be "socially" independent. Ideally, the nodes in a route should
belong to different organizations and be located in different legal jurisdictions.
The whole idea behind using more than one node is that none of them have
enough information to determine sender-recipient matching. Hence, if all nodes
in a route belong to the same organization we might as well just use a single
node. The motivation for having nodes in different legal jurisdiction is that more
than one subpoena needs to be obtained to compromise nodes legally.










Normally, systems use static routes that allow mix nodes to associate each message

with a connection identifier, which helps reduce the number of public key operations

executed. But on the negative side, it is more susceptible to attacks because having

fixed routes makes some of the attacks a lot easier to carry out.

Creating good network topologies and route finding algorithms with respect to

security and efficiency is not a trivial task and needs a lot of analysis on the designer's part.

Node-Flushing Algorithm. As seen in Section 2.2, there are many different approaches

to flushing nodes. Again, there is a security/practicality tradeoff: the longer

messages can stay in mix-nodes the better the security (in most settings).

more users (in the same anonymity set. The mix servers in any anonymous tunnel

are not known to the adversary,

in a particular order (lexicographic, etc.)

used to encrypt the mix-network-internal protocol headers between two adjacent

mix servers. This defeats traffic on the pattern of packets.

they are forwarded. This beats traffic analysis by looking at the sequence of

incoming and outgoing packets

strings and for an observer are indistinguishable from real packets. Messages

can be introduced either between client and first mix in the tunnel or end-to-end

dummies between the client and the last mix in the constant, bi-directional packet

streams between any two mixes or the clients and their first mix length of messages is

no longer possible.

2.3.2 Classification of Mix Networks

We can classify mix networks based on the number of servers as static mix-

networks and dynamic mix-networks. Static mix-networks are made up of a relatively

small number of highly available, powerful mixes with good network connectivity that

serve a much larger number of users (e.g. 100 mixes, 100,000 users). These networks

can either be operated commercially or by volunteers. Dynamic mix-networks are

peer-to-peer based networks and every client is also a mix server.

The dynamic mix networks have several advantages compared to static mix-

networks. In theory, there are no limits on the number of users they can support, and










since it is a peer-to-peer system, the barrier to join is low. Entry points (connections

between client and first mix) are no longer visible, which makes end-to-end traffic

analysis attacks more difficult to mount. With these advantages come new difficulties.

Dynamic means nodes can join and leave at any time, so the anonymous tunnels are

less stable and may need to be established frequently. Discovering a node is a problem

and some nodes (using dialup) offer poor service, which degrades the quality of service

of a tunnel.

attacker) becomes expensive.

We can also classify the mix network into two types based on the cryptographic

alternative used: Decryption Mix Nets [3] and Re-encryption Mix Nets. Decryption

Mix Nets take cipher texts as input and decrypt them to get back the plain text at the

end-node. Re-encryption Mix Nets use the malleability property of the ElGamal cryptosystem

for re-encryption. So the cipher text is re-encrypted to obtain the original text.
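
How ElGamal malleability supports a re-encryption mix, as an added example (not code from the thesis): each mix re-randomises every ciphertext using only the public key and shuffles the batch, and the key holder decrypts at the end. The group parameters are toy-sized assumptions chosen for readability and the function names are hypothetical.

```python
import secrets

# Toy-sized group for illustration only: P is the Mersenne prime 2**127 - 1.
P = 2**127 - 1
G = 3


def _rand_exp():
    return secrets.randbelow(P - 2) + 1          # uniform in 1 .. P-2


def keygen():
    x = _rand_exp()
    return x, pow(G, x, P)                       # (private x, public h = g^x)


def encrypt(h, m, r=None):
    """ElGamal encryption of m (1 <= m < P): (g^r, m * h^r)."""
    r = _rand_exp() if r is None else r
    return pow(G, r, P), (m * pow(h, r, P)) % P


def reencrypt(h, ct, s=None):
    """Multiply in a fresh encryption of 1: (c1 * g^s, c2 * h^s).

    Needs only the public key; the plaintext is unchanged but the
    ciphertext bits are new, so input and output cannot be matched.
    """
    s = _rand_exp() if s is None else s
    c1, c2 = ct
    return (c1 * pow(G, s, P)) % P, (c2 * pow(h, s, P)) % P


def decrypt(x, ct):
    c1, c2 = ct
    return (c2 * pow(c1, P - 1 - x, P)) % P      # c1^(P-1-x) equals c1^(-x) mod P


def mix_hop(h, batch):
    """One re-encryption mix: re-randomise every ciphertext, then shuffle the batch."""
    out = [reencrypt(h, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out


def run_mixnet(x, h, plaintexts, hops=3):
    """Encrypt a batch, pass it through `hops` mixes, decrypt at the end-node."""
    batch = [encrypt(h, m) for m in plaintexts]
    for _ in range(hops):
        batch = mix_hop(h, batch)
    return [decrypt(x, ct) for ct in batch]


if __name__ == "__main__":
    x, h = keygen()
    print(sorted(run_mixnet(x, h, [101, 202, 303])))   # constructed plaintexts
```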

2.4 Real-time Mix Networks

On the practical side, several systems have been implemented to provide fast,

secure and anonymous communication. These systems differ in terms of infrastructure

costs, type of protection provided and the transparency provided to users.

2.4.1 Crowds

Crowds [19] was developed by Reiter and Rubin at the AT&T Laboratories. It

aims to provide a privacy preserving way of accessing the web, without web sites

being able to recognize which individual's machine is browsing. Crowds consists of a

number of network nodes that are run by the users of the system. Web requests are

randomly chained through a number of them before being forwarded to the web server

hosting the requested data. The server will see a connection coming from one of the

Crowds users, but cannot tell which of them is the original sender. In addition, Crowds

uses encryption, so that some protection is provided against attackers who intercept

a user's network connection. However, this encryption does not protect against an

attacker who cooperates with one of the nodes that the user has selected, since the

encryption key is shared between all nodes participating in a connection. Crowds is

also vulnerable to passive traffic analysis: since the encrypted messages are forwarded










without modification, traffic analysis is trivial if the attacker can observe all network

connections. An eavesdropper intercepting only the encrypted messages between the

user and the first node in the chain as well as the cleartext messages between the final

node and the web server can associate the encrypted data with the plaintext using the

data length and the transmission time.

2.4.2 Onion Routing

Onion Routing [7, 17, 24, 25] is the most famous of all anonymizing networks.

In this system, a user sends encrypted data to a network of so-called Onion Routers

(Chaumian Mixes). A trusted proxy chooses a series of these network nodes and opens

a connection by sending a multiply encrypted data structure called an "onion" to the

first of them. Each router is a store-and-forward device which receives messages of fixed

length from different sources, removes one layer of encryption, which reveals parameters

such as session keys, and forwards the encrypted remainder of the onion to the next

network node. An onion router can store messages for an indefinite amount of time waiting

for the adequate number of messages, but this is practically not a feasible solution.

The onion routers wait for a fixed amount of time, which weakens the protection in

presence of low traffic. Once the connection is set up, an application specific proxy

forwards HTTP data through the Onion Routing network to a responder proxy which

establishes a connection with the web server the user wishes to use. The user's proxy

multiply encrypts outgoing packets with the session keys it sent out in the setup phase;

each node decrypts and forwards the packets, and encrypts and forwards packets that

contain the server's response. The network model consists of core onion routers, the

end-proxy routers and the links between them, through which the routers pass messages

of fixed length. The routers form a complete graph among themselves so that every

message has equal probability of being forwarded to any of the routers. All the links try

to maintain the same bandwidth and this is achieved by sending dummy packets to pad the

low-bandwidth links.

2.4.3 Babel

Babel [8] was designed in the mid-nineties. Babel offers sender anonymity, called

the "forward path", and receiver anonymity, through replies travelling over the "return

path". The forward part is constructed by the sender of an anonymous message by

wrapping a message in layers of encryption. The message can also include a return address

to be used to route the replies. The system supports bidirectional anonymity by

allowing messages to use a forward path, to protect the anonymity of the sender,

and for the second half of the journey they are routed by the return address so as to

hide the identity of the receiver. While the security of the forward path is as good

as in the secured original mix network proposals, the security of the return path is

slightly weaker. The integrity of the message cannot be protected, thereby allowing

tagging attacks, since no information in the reply address, which is effectively the only

information available to intermediate nodes, can contain the hash of the message body.

The reason for this is that the message is only known to the person replying using the

return address. Babel also proposes a system of intermix detours. Messages to be mixed

could be "repackaged" by intermediary mixes, and sent along a random route through

the network. It is worth observing that even the sender of the messages, who knows

all the symmetric encryption keys used to encode and decode the message, cannot

recognize it in the network when this is done.

2.4.4 MixMaster

Mixmaster has been an evolving system since 1995 [5, 11]. It is the most widely

deployed and used remailer system. It follows a message-based approach, namely it

supports sending single messages, usually email, through a fully connected mix network.

Mixmaster supports only sender anonymity. Messages are made bitwise unlinkable

by hybrid RSA and EDE 3DES encryption, while the message size is kept constant by

appending random noise at the end of the message. In version two, the integrity of the

RSA encrypted header is protected by a hash, making tagging attacks on the header

impossible. In version three the noise to be appended is generated using a secret shared

between the remailer and the sender of the message, included in the header. Since the

noise is predictable to the sender, it is possible to include in the header a hash of the

whole message therefore protecting the integrity of the header and body of the message.

This trick makes replies impossible to construct since the body of the message would

not be known to the creator of an anonymous address block to compute in the hash.
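
A simplified model of the version-three idea described above, as an added example (not Mixmaster's packet format or code): because each hop's noise is derived from a seed the sender knows, the sender can predict the packet at every hop and place a digest of it in that hop's header. SHA-256, SHAKE-256, the 64-byte header layout and all names are assumptions, and header encryption is omitted.

```python
import hashlib
import hmac
import os

HEADER_SIZE = 64          # 32-byte noise seed + 32-byte digest (constructed layout)
BODY_SIZE = 256


def _noise(seed):
    """Noise a hop appends after stripping its header, derived from the shared seed."""
    return hashlib.shake_256(b"noise" + seed).digest(HEADER_SIZE)


def _digest(seed, covered):
    return hashlib.sha256(seed + covered).digest()


def build_packet(body, seeds, cover_body):
    """Sender side. With cover_body=True each header's digest covers the rest of the
    packet exactly as that hop will receive it, including noise from earlier hops.
    A reply-block creator could not do this: the body is written later by someone else.
    """
    if len(body) != BODY_SIZE:
        raise ValueError("body must be padded to BODY_SIZE")
    headers = b""
    for i in reversed(range(len(seeds))):
        if cover_body:
            earlier_noise = b"".join(_noise(s) for s in seeds[:i])
            covered = headers + body + earlier_noise
        else:
            covered = b""             # header-only protection: body is not covered
        headers = seeds[i] + _digest(seeds[i], covered) + headers
    return headers + body


def process_hop(packet, cover_body):
    """Remailer side: verify, strip own header, append noise. None means dropped."""
    seed, digest, rest = packet[:32], packet[32:HEADER_SIZE], packet[HEADER_SIZE:]
    covered = rest if cover_body else b""
    if not hmac.compare_digest(_digest(seed, covered), digest):
        return None
    noise = _noise(seed) if cover_body else os.urandom(HEADER_SIZE)
    return rest + noise               # packet length stays constant


def deliver(packet, hops, cover_body, modify_before_hop=None):
    """Run the packet through `hops` remailers; optionally flip one body bit in
    transit (a constructed modification) to see whether any hop notices."""
    for i in range(hops):
        if i == modify_before_hop:
            offset = (hops - i) * HEADER_SIZE      # first body byte at this hop
            packet = packet[:offset] + bytes([packet[offset] ^ 1]) + packet[offset + 1:]
        packet = process_hop(packet, cover_body)
        if packet is None:
            return None
    return packet[:BODY_SIZE]


if __name__ == "__main__":
    seeds = [os.urandom(32) for _ in range(3)]
    body = b"meet at noon".ljust(BODY_SIZE, b"\0")       # constructed message
    print(deliver(build_packet(body, seeds, True), 3, True) == body)
    print(deliver(build_packet(body, seeds, True), 3, True, modify_before_hop=1))
    print(deliver(build_packet(body, seeds, False), 3, False, modify_before_hop=1) == body)
```

With the body covered, the modified packet is dropped at the next hop; with header-only protection it is delivered with the altered body.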










Beyond the security features, Mixmaster provides quite a few usability features. It

allows large messages to be divided in smaller chunks and sent independently through

the network. If all the parts end up at a common mix, then reconstruction happens

transparently in the network. So large emails can be sent to users without requiring

special software. Recognising that building robust remailer networks could be difficult

(and indeed the first versions of the Mixmaster server software were notoriously

unreliable) it also allowed messages to be sent multiple times, using different paths. It

is worth noting that no analysis of the impact of these features on anonymity has ever

been performed.

2.4.5 Freedom

The Freedom [2] network consists of a set of nodes called Anonymous Internet

Proxies (AIPs) which run on top of the existing Internet infrastructure. The user

communicates by first selecting a series of nodes (a route), and then using this route

to forward IP packets that are stripped of identifying information. This system is

secure against denial-of-service attacks but is vulnerable to some general traffic analysis

attacks such as packet counting attack, Wei Dai's attack, latency attack and clogging

attack.

2.4.6 PipeNet

Pipenet was one of the early systems to be implemented. It is a synchronous

network implemented on top of an asynchronous network. Routes are created through

the network by choosing the intermediate hops uniformly at random. For providing

further anonymity, a certain number of route creation requests are collected by a node,

shuffled and then acted upon. The user establishes a shared key with each node on

its route as part of the route creation process, using a key negotiation algorithm. The

routes are padded end to end for their duration. End-to-end padding means that the

originator creates all of the padding and the recipient (or exit node) strips the padding;

each of the intermediate nodes is unable to distinguish padding from normal traffic,

and just processes it as normal. This system provided protection against general traffic

analysis but is vulnerable to Denial-of-Service attacks, which are more catastrophic in

nature than the normal traffic analysis kind of attacks.










2.4.7 Stop-And-Go Mixes

Stop-and-Go mixes [9] (sg-mix) present a mixing strategy that is not based on

batches but delays. It aims at minimizing the potential for (n − 1) attacks, where the

attacker inserts a genuine message in a mix along with a flood of his own messages until

the mix processes the batch. It is then trivial to observe where the traced message is

going.

Each packet to be processed by an sg-mix contains a delay and a time window.

The delay is chosen according to an exponential distribution by the original sender,

and the time windows can be calculated given all the delays. Each sg-mix receiving a

message checks that it has been received within the time window, delays the message

for the specified amount of time, and then forwards it to the next mix or final recipient.

If the message was received outside the specified time window it is discarded. A very

important feature of sg-mixes is the mathematical analysis of the anonymity they

provide. It is observed that each mix can be modeled as an M/M/∞ queue, and the

number of messages waiting inside it follows the Poisson distribution. The delays can

therefore be adjusted to provide the necessary anonymity set size.
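
The sg-mix checks and the queueing result above, as an added example (not code from the thesis or from [9]): the sender draws one exponential delay per hop and derives each hop's arrival window, a mix discards anything arriving outside its window, and a short simulation compares the average number of messages held with arrival rate times mean delay. The window rule (zero to `max_link_latency` per link) and all names are assumptions.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class HopInstruction:
    window_start: float   # earliest acceptable arrival time at this mix
    window_end: float     # latest acceptable arrival time at this mix
    delay: float          # how long this mix must hold the message


def plan_route(send_time, hops, mean_delay, max_link_latency, rng):
    """Sender side: pick exponential delays and compute every hop's time window."""
    plan, earliest, latest = [], send_time, send_time
    for _ in range(hops):
        latest += max_link_latency                 # each link may add up to this much
        delay = rng.expovariate(1.0 / mean_delay)
        plan.append(HopInstruction(earliest, latest, delay))
        earliest += delay
        latest += delay
    return plan


def sg_mix_forward_time(instr, arrival):
    """Mix side: discard if outside the window, otherwise hold for the given delay."""
    if not (instr.window_start <= arrival <= instr.window_end):
        return None
    return arrival + instr.delay


def traverse(plan, send_time, link_latency, held_before_hop=None, hold=0.0):
    """Follow one message along its route. `hold` models a message that was
    held back in transit before hop `held_before_hop` (constructed scenario)."""
    t = send_time
    for i, instr in enumerate(plan):
        t += link_latency + (hold if i == held_before_hop else 0.0)
        t = sg_mix_forward_time(instr, t)
        if t is None:
            return None                            # dropped by the time-window check
    return t


def mean_occupancy(arrival_rate, mean_delay, duration, seed):
    """Time-averaged number of messages inside one mix with Poisson arrivals."""
    rng = random.Random(seed)
    t, held_time = 0.0, 0.0
    while True:
        t += rng.expovariate(arrival_rate)
        if t >= duration:
            break
        held_time += min(rng.expovariate(1.0 / mean_delay), duration - t)
    return held_time / duration


def mean_delay_for(arrival_rate, target_set_size):
    """Mean delay that yields the wanted average number of messages in the mix."""
    return target_set_size / arrival_rate


if __name__ == "__main__":
    rng = random.Random(1)
    plan = plan_route(0.0, 3, mean_delay=2.0, max_link_latency=0.5, rng=rng)
    print(traverse(plan, 0.0, link_latency=0.1))
    print(traverse(plan, 0.0, link_latency=0.1, held_before_hop=1, hold=5.0))
    print(mean_occupancy(10.0, 2.0, 2000.0, seed=3), mean_delay_for(10.0, 20))
```

A message held back for longer than the window allows never reaches its destination, which is what removes the delaying step an (n − 1) attack depends on.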

2.4.8 Tarzan

Freedman designed Tarzan [19], a peer-to-peer network in which every node is a

mix. A node initiating the transport of a stream through the network would create an

encrypted tunnel to another node, and ask that node to connect the stream to another

server. By repeating this process a few times it is possible to have an onion encrypted

connection, relayed through a sequence of intermediate nodes.

An interesting feature of Tarzan is that the network topology is somewhat restricted.

Each node maintains persistent connections with a small set of other nodes,

forming a structure called a mimics. Then routes of anonymous messages are selected

in such a way that they will go through mimics and between mimics in order to avoid

links with insufficient traffic. A weakness of the mimics scheme is that the selection

of neighboring nodes is done on the basis of a network identifier or address which,

unfortunately, is easy to spoof in real-world networks.










2.5 Summary

In this chapter, we have presented in detail different types of mixes based on

blending strategies and flushing conditions used. The mixes are divided into simple and

pool mixes depending on whether the mix flushes all the messages or not. These two

categories are further subdivided into timed and threshold mixes based on the flushing

condition being a time interval or a threshold on number of messages. We can also have

hybrid mix types, which have both timed or/and threshold properties.

We have also described anonymous communication systems based on mix networks.

Various issues involved in the design of mix-networks are presented. This includes the

most important issue of how much anonymity the network provides and which type of

mix is used to assure such anonymity.

Finally, we discuss different real-time mix systems deployed, such as Crowds,

Onion-Routing, MixMaster etc. and the functionalities provided in those systems.

Different adversary models and attacks on mix networks are presented in next

chapter. The next chapter also discusses the anonymity metrics used in practice to

measure the level of anonymity provided by an anonymizing system. It also describes the

analysis technique used to analyze passive attacks on mixes.















CHAPTER 3
ADVERSARY MODELS AND ATTACKS ON MIXES

In this chapter, we discuss the various adversary models, followed by different

types of attacks. The attacks include active attacks such as timing attacks and denial

of service attacks, and passive attacks which are mainly accomplished through traffic

analysis.

3.1 Adversary Models

The adversary models discussed below are high level descriptions of the attacker's

powers and limitations [6].

3.1.1 Internal and External Adversary

An adversary can be a user compromising communication media and network

resources (external). An adversary can also be a compromised mix node, sender or a

recipient trying to leak information to outsiders (internal).

3.1.2 Active and Passive Adversary

An active adversary can arbitrarily modify the messages and computations, cause

interruption of service, fabricate new messages, and intercept the messages. Denial of

service and loss of data are examples of interruption, spoofing and forging are examples

of fabrication and modification. A passive adversary can only listen to the traffic.

This is typically done by eavesdropping the network connections by wiretapping, or

signal catching in case of wireless transmissions. We can also have a combination of

active and passive adversaries. For example, an active external adversary can insert

secret messages and a passive internal adversary can correlate the messages coming in a

compromised node with messages going out.

3.1.3 Local, Restricted and Global Adversary

A global adversary has the ability to see link traffic on every link and control each

and every resource in the network, whereas a local adversary can observe traffic only on

certain links in the network. Depending on whether the adversary has complete control











over a few local links or restricted control over a certain area in the network, he is called

a local or a restricted adversary.

3.1.4 Static and Adaptive Adversary

A static adversary chooses the tools required before the attack protocol starts

and can't change them later in the middle of the attack. Most of the brute force

attacks (e.g., password crackers) come under this category, since the attacker exhausts

all combinations of inputs using an automated tool, which normally is not adaptive.

Adaptive adversaries use different tools and resources depending on the response they

receive from the previous stage of attack. They can, for example, "follow" messages

that are .---. d with the original message.

3.2 Attacks on Mixes

The attacks described below are high level descriptions of the attacker's schemes

and not dependent on any specific implementation [18]. We assume that there are

no known implementation weaknesses in the system. The attacker can have any

combination of adversary powers discussed in the previous section. In the security

literature, the attacks are broadly classified into two main categories: active and

passive attacks.

3.2.1 Active Attacks

An active attack is one in which the intruder may transmit messages, replay old

messages, modify messages in transit, or delete selected messages from the wire. A typical

active attack is one in which an intruder impersonates one end of the conversation,

or acts as a man-in-the-middle. Active attacks often have asymmetric characteristics in

that the attacker's location makes one of the communicating parties more vulnerable.

Some of the common active attack schemes used are discussed briefly.

Brute Force Attack. This is the simplest and most inefficient of the attacks. Brute

force attack is an attack that requires trying all (or a large fraction of all) possible

values until the right value is found. In case of mixes, the adversary may want to follow

every possible path the message could have taken (passive external adversary). Using

this attack, the attacker is able to construct a list of possible recipients for a particular










message in most cases. But if the mix or mix-network is not designed well, the attacker

may be able to establish the sender-receiver correspondence.

To illustrate the working of the brute force attack, let us consider a mix network whose

individual nodes are threshold mixes with a threshold n. Let us also assume that the

messages go through exactly d mix nodes.


The attacker follows a message from the sender to the first mix node.
The attacker then follows each of the n messages being flushed from the first mix
node. To do this, the attacker needs to observe n different links, if all the second
level mixes are different.
The attacker continues this way till the route length is d nodes. At this point,
the attacker would have been following n^d messages. From these n^d messages, the
attacker now has to choose only those messages that leave the mix network.

In the worst case, the attacker can learn the exact receiver from this attack. If the

mix is designed for perfect anonymity, the attacker may end up having n^d possibilities.

Dummy messages are normally used as the counter measure against brute force attack.

Denial-of-service attack. A denial of service (DoS) attack is an incident in which a

user or organization is deprived of the services of a resource they would normally expect

to have. Network-flooding, -~'p .,,i,-in- port 1i iiiiii,. ii.- syn attack (in case of TCP

protocol), disk or memory exhaustion are some well known techniques of mounting a

DoS attack. By rendering some mix-nodes inoperational, the adversary tries to gain

information about the routes chosen by the remaining nodes in case of static networks

and by certain senders in case of dynamic mix networks.

Message-delaying attack. In this scheme, the attacker can withhold messages

until he can obtain enough resources (i.e., links, nodes) or until the network becomes

easier to monitor (or to see if the possible recipients receive other messages, etc.). In

defense of this attack, the mix nodes should be equipped to verify authenticated timing

information.

Message-tagging attack. For this type of attack, an active internal adversary with

control over the first and last node in a message route is needed. To launch the attack,

the attacker can simply tag messages at the first node in such a way that the exit node

can spot them. Since the entry node knows the sender and the exit node the recipient,










the system is broken. To prevent this attack, measures should be taken to minimize or

eliminate the possibility of message tagging.

Node-flushing or blending attack. This attack was first mentioned by David Chaum

[21] in his seminal paper. The flushing attack is very effective and can be mounted by

an active global adversary. A spamming attack or n − 1 attack is a very good example

for this type of attack. The capabilities of the adversary include delaying (removing)

messages, inserting arbitrarily many messages into the system in a short time. The

attack is illustrated in case of a simple threshold mix (n).


The attacker observes the target message leaving the sender and delays it.
The attacker now sends fabricated messages until the mix fires.
As soon as the mix fires, he stops all other messages to the mix and sends the
target message along with n − 1 of his own messages.
After the mix fires, the attacker can easily recognize his n − 1 messages and
therefore determine the destination of the target message.

This is an exact attack; that is, it provides the adversary with the exact receiver

rather than a set of receivers as in case of the brute force attack. Also note that this

attack is mix specific and does not depend on the rest of the mix-network.

Timing attack. In this attack, the adversary uses the fact that different routes can

take different amounts of time. Given the set of messages coming into the mix-network

and the set of outgoing messages, the adversary uses the route time information to

establish a correlation between a certain set of incoming and outgoing messages.

The attacker doesn't need to carry out the expensive brute force or flushing attacks

to determine the route taken. If the attacker has access to one of the communicating

parties, he might be able to infer which route is taken by simply computing the round

trip time (that is, calculating the time it takes to receive a reply).

This attack can be prevented by using variable delay mixes, which wait for a

random amount of time before firing. This would cause uncertainty in estimating the

route lengths if the time taken is very close in magnitude.

Wei Dai's Attack. In this attack, the attacker wishes to defeat the traffic shaping

mechanisms [1] that attempt to hide the real volumes of traffic on an anonymous

channel. The attacker creates a route using the link that he wishes to observe, and










slowly increases the traffic on it. The router will not know that the stream or streams

are all under the control of the attacker, and at some point will signal that the link has

reached its maximum capacity. The attacker then subtracts the volume of traffic he

was sending from the maximum capacity of the link to estimate the volumes of honest

traffic.

Disclosure attack. The formal model on which the disclosure attack is based is

quite simple. A single mix is used by b participants each round, one of them always

being Alice, while the other (b − 1) are chosen randomly out of a total number of N − 1

possible participants. The threshold of the mix is b so it fires after each of the round's

participants has contributed one message. Alice chooses the recipient of her message to

be a random member of a fixed set of m recipients. Each of the other participants sends

a message to a recipient chosen uniformly at random out of N potential recipients.

We assume that the other senders and Alice choose the recipients of their messages

independently from each other. The attacker observes R_1, ..., R_t, the recipient anonymity

sets corresponding to t messages sent out by Alice during t different rounds of mixing.

The attacker then tries to establish which out of all potential recipients, each of Alice's

messages was sent to.

The original attack as proposed by Kesdogan et al. [9] first tries to identify

mutually disjoint sets of recipients from the sequence of recipient anonymity sets

corresponding to Alice's messages. This operation is the main bottleneck for the

attacker since it takes a time that is exponential in the number of messages to be

analyzed.

3.2.2 Passive Attacks

A passive attack is one in which the intruder attempts to intercept and read data

without altering it. Passive monitoring attacks are often symmetric: if the attacker can

see the traffic from Alice to Bob on a particular link, there's a good chance that he/she

can see the traffic in the reverse direction.

Communication-pattern attack. By simply looking at the communication patterns

(when users send and receive), one can find out much useful information. Communicating

participants normally don't "talk" at the same time, that is, when one party










is sending, the other is usually silent. The longer an attacker can observe this type of

communication synchronization, the less likely it's just an uncorrelated random pattern.

This attack can be mounted by a passive adversary that can monitor entry and exit

mix nodes. Law enforcement officials might be quite successful mounting this kind of

attack as they often have a-priori information: they usually have a hunch that two

parties are communicating and just want to confirm their suspicion.

Packet-counting attack. These types of attacks are similar to the other passive

attacks in that they exploit the fact that some communications are easy to distinguish

from others. If a participant sends a non-standard (i.e., unusual) number of messages,

a passive external attacker can spot these messages coming out of the mix-network. In

fact, unless all users send the same number of messages, this type of attack allows the

adversary to gain non-trivial information. The packet counting and communication

pattern attacks can be combined to get a message frequency attack (this might require

more precise timing information). Communication pattern, packet counting and

message frequency attacks are sometimes referred to as traffic shaping attacks and are

usually dealt with by imposing rigid structures on user communications. Notice that

protocols achieving "network unobservability" are immune to these attacks.

Intersection Attack. An attacker having information about what users are

active at any given time can, through repeated observations, determine what users

communicate with each other. This attack is based on the observation that users

typically communicate with a relatively small number of parties. For example, the

typical user usually queries the same web sites in different sessions (his queries aren't

random). By performing an operation similar to an intersection on the sets of active

users at different times it is probable that the attacker can gain interesting information.

Probabilistic or Partial Attack. Most of the preceding attacks can be carried

out partially, that is, the attacker can obtain partial or probabilistic information. For

example, he could deduce with probability p that A is communicating with B or A is

not communicating with B, C and D.

Covert Channels. Covert channels are discussed in Section 4.2.5.










3.3 Summary

In this chapter, we present novel attacks on a mix node or a mix-network and the

adversary models used to accomplish this attack. The adversary can be an insider or

an external observer, an active attacker or a passive eavesdropper, a local attacker or a

global adversary who has control over the whole network.

The attacks are divided into active and passive attacks. Active attacks involve

modification, fabrication, and interception of messages by the attacker. Some well

known examples are brute force attack, Denial-of-Service (DoS) attack, and node

flushing attack. A passive attack allows an attacker to compromise anonymity

through observing the network traffic for traffic patterns, packet counts, packet sizes

etc. Passive attacks are very difficult to detect and may prove to be very harmful.

Chapter 4 presents the various anonymity metrics and the analysis technique being

used to analyze various attacks with distinct adversary models.
















CHAPTER 4
ANONYMITY METRICS AND ANALYSIS TECHNIQUE

This chapter describes information theoretic models, proposed in the literature, to

quantify the degree of anonymity provided by different systems of mix networks. At

first we discuss the use of anonymity sets as the measure of anonymity and then we go on

to analyze the entropy based and route based metrics. Finally, we present anonymity

analysis of real time anonymizing systems such as Onion routing and Crowds.

4.1 Anonymity

electronic voting.

Anonymity can be classified as connection anonymity and data anonymity. Data

anonymity is about hiding the contents of the packet sent and received in a particular

session. Data anonymity is normally achieved by encryption. Connection anonymity is

about hiding identities of the source and the destination during the actual information

exchange.

As discussed by Reiter and Rubin [19], there are three types of connection

anonymity: sender anonymity, receiver anonymity, and unlinkability of sender and

receiver. Sender anonymity means that the identity of the party who sent a message is

hidden, while its receiver (and the message itself) might not be. Receiver anonymity

similarly means that the identity of the receiver is hidden. Unlinkability of sender

and receiver means that though the sender and receiver can each be identified as

participating in some communication, they cannot be identified as communicating with

each other.

A second aspect of anonymous communication is the adversary model against

which these properties are achieved. The attacker might be an eavesdropper that

can observe some or all messages sent and received, collaborations consisting of some

senders, receivers, and other parties, or variations of these. Different types of attacks

and adversary models have been discussed in Chapter 3.











We can't provide "perfect" privacy since the number of possible senders and

recipients is bounded. So, for example, if there are only two parties on the network, an

attacker having access to this information can trivially determine who is communicating

with whom. The best we can hope for is to make all possible sender-recipient matchings

look equally likely. That is, the statistical distribution of the attacker's view should be

independent of the actual sender-recipient matching.

4.2 Anonymity Metrics

Many real time anonymity systems have been deployed in the past decade, Onion

Routers and Crowds being a few examples. With each of these systems providing a different

level of anonymity, there is a definite need to have standard metrics to classify the

levels of anonymity provided. Information theory has been proven to be a useful tool

to measure the amount of information. This can be used in measuring the information

gained by the attacker. Depending on the power of the attacker, and the circumstances

we can quantify the anonymity level provided by the system.

4.2.1 Anonymity Sets

Traditionally, anonymity sets have been used to measure the anonymity of mix

systems. The notion of anonymity sets was introduced by Chaum for modeling security

of DC-Net (Dining Cryptographers' Networks) [3].

Chaum defines anonymity set as the set of participants who could have sent a

particular message, as seen by a global observer who has also compromised a set of

nodes [4]. The size of the anonymity set is a good indicator of how good the anonymity

provided by the system really is. In the best case, the anonymity set is equal to the

number of users, which means any user has equal probability of sending the message. In

the worst case, the size is one, which means there is no anonymity in the network.

4.2.2 Problems with Anonymity Set Size

The attacks against DC networks presented in [4] can only result in partitions of

the network in which all the participants are still equally likely to have sent or received

a particular message. Therefore the size of the anonymity set is a good metric of the

quality of the anonymity offered to the remaining participants.










In the stop-and-go system [9] definition, the authors realize that different senders

may not have been equally likely to have sent a particular message, but choose to

ignore it. If different participants accounted in the anonymity set are not equally likely

to be the senders or receivers, a designer might be tempted to distribute amongst many

participants some possibility that they were the senders or receivers while allowing the

real sender or receiver to have an abnormally high probability. The cardinality of the

anonymity set is in this case a misleading measure of anonymity. In the standardization

attempt, we see that there is an attempt to state, and take into account this fact in the

notion of anonymity, yet a formal definition is still lacking. Serjantov and Danezis [20]

discuss this fact in their paper and conclude that it is unwisely ignored in the literature

but can give a lot of extra information to the attacker.

The Pool Mix. We discuss the case of pool mix to further emphasize the dangers of

using sets and their cardinalities to assess and compare anonymity systems. This mix

always stores a pool of n messages. When incoming N messages have accumulated in

its buffer, it picks n randomly out of the n + N it has, and stores them, forwarding the

remaining N in the regular manner. The pool mix is described in detail in

section 2.2.

There is always a small probability that any message that has ever gone into the

mix has never left it. Therefore, the sender of every message should be included in the

anonymity set. At this point if we consider the anonymity provided by this system in

terms of anonymity set size, it would include all the messages gone into the mix. We

notice that the anonymity set is independent of the size of the pool, n, which intuitively

suggests that the anonymity metric used is inappropriate.

Knowledge Vulnerability. The anonymity set metric is also vulnerable when the

attacker has additional knowledge about the system. Consider the arrangement of

mixes in Figure 4-1. The small squares in the diagram represent senders, labeled with

their name. The bigger boxes are mixes, with threshold of 2. Some of the receivers are

labeled with their sender anonymity sets.

Notice that if the attacker somehow establishes the fact that, for instance, A

is communicating with R, he can derive the fact that S received a message from E.

































Figure 4-1: Vulnerability of Anonymity Sets


Indeed, to expose the link E -> S, all the attacker needs to know is that one of

A, B, C, D is communicating to R. And yet this is in no way reflected in S's sender

anonymity set (although E's receiver anonymity set, as expected, contains just R and

S).

It is also clear that not all senders in this arrangement are equally vulnerable

to this, as is the fact that other arrangements of mixes may be less so. Although we

have highlighted the attack here by using mixes with threshold of 2, it is clear that the

principle can be used in general to cut down the size of the anonymity set.

4.2.3 Entropy

Serjantov and Danezis [20] formalized the use of entropy as an anonymity metric and

extended it to calculate the anonymity in a system of mixes. The principal insight

behind the metric (entropy) is that the goal of an attacker is the unique identification

of an actor (sender or receiver), while at the same time the goal of the defender is

to increase the attacker's workload to achieve this. Therefore we chose to define the

anonymity provided by a system as the amount of information the attacker is missing

to uniquely identify an actor's link to an action.












The term information is used in a technical sense in the context of Shannon's

information theory [22]. Therefore we define a probability distribution over all actors

$a_i$, describing the probability they performed a particular action. As one would expect,

the sum of these probabilities must always be equal to one.

$$\sum_i \Pr[a_i] = 1$$

As soon as the probability distribution above is known, one can calculate the

anonymity provided by the system as a measure of uncertainty that the probability

distribution represents. In information theoretic terms this is represented by the entropy

of the discrete probability distribution. Therefore we call the effective anonymity

set size of a system, the entropy of the probability distribution attributing a role to

actors given a threat model. It can be calculated as

$$A = \mathcal{E}[a_i] = \sum_i \Pr[a_i] \log \Pr[a_i]$$


This metric provides a negative quantity representing the number of bits of

information an adversary is missing before they can uniquely identify the target. A

similar metric based on information theory was proposed by Diaz et al. [6]. Instead of

directly using the entropy as a measure of anonymity, it is normalized by the maximum

amount of anonymity that the system could provide. This has the disadvantage that it

is more a measure of fulfilled potential than anonymity. An anonymity size of 1 means

that one is as anonymous as possible, even though one might not be anonymous at all.

The non-normalized entropy based metric we propose, intuitively provides an indication

of the size of the group within which one is hidden. It is also a good indication of the

effort necessary for an adversary to uniquely identify a sender or receiver.
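The pool mix argument of Section 4.2.2 and the entropy metric above can be checked numerically. The following Python code is an added example, not part of the thesis: it assumes N distinct senders per round with one message each, a mix that has run long enough for its initial pool to be negligible, and a history truncated to `rounds` rounds (all function names are hypothetical). It reports the Shannon entropy in bits, which is the negative of the quantity A defined above.

```python
import math


def round_mass(n, N, rounds):
    """P(an output message entered the mix k rounds before it left), k = 0..rounds-1.

    Each round the mix holds n pooled plus N new messages and forwards N of
    them chosen uniformly, so a held message is forwarded with probability
    N/(N+n) and kept with probability n/(N+n). The tail beyond `rounds` is
    cut off and the remaining mass renormalised (an assumption of this example).
    """
    leave = N / (N + n)
    stay = n / (N + n)
    mass = [leave * stay ** k for k in range(rounds)]
    total = sum(mass)
    return [m / total for m in mass]


def sender_distribution(n, N, rounds):
    """Per-sender probabilities: the N senders of one round share that round's mass equally."""
    return [m / N for m in round_mass(n, N, rounds) for _ in range(N)]


def anonymity_set_size(dist):
    """Classical metric: how many senders could have sent the message at all."""
    return sum(1 for p in dist if p > 0)


def entropy_bits(dist):
    """Entropy-based metric: bits the attacker is missing to identify the sender."""
    return -sum(p * math.log2(p) for p in dist if p > 0)


def pool_mix_entropy_closed_form(n, N):
    """Limit of entropy_bits(sender_distribution(n, N, rounds)) as rounds grows."""
    if n == 0:  # plain threshold mix: N equally likely senders
        return math.log2(N)
    return (1 + n / N) * math.log2(N + n) - (n / N) * math.log2(n)


if __name__ == "__main__":
    for pool in (0, 1, 100):
        dist = sender_distribution(pool, 10, 30)
        print(f"pool n={pool:3d}: set size={anonymity_set_size(dist):3d}, "
              f"entropy={entropy_bits(dist):.3f} bits")
```

With a batch of N = 10 and 30 observed rounds, pools of n = 1 and n = 100 give the same anonymity set size, while the entropy separates them.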

4.2.4 Route Length

In the previous section, we have demonstrated that entropy based metrics can give

the attacker more information about the system than just anonymity sets.










We note that the standard attacks aimed at reducing the size of the anonymity

set will now have the effect of narrowing the anonymity probability distribution. If

we consider this distribution as a set of pairs (of a sender and its respective non-zero

probability of having sent the message), then narrowing the probability distribution is

the process of deriving that some senders have zero probability of sending the message

and can therefore be safely excluded from the set.

As suggested in [20], route length is important and some arrangements of mixes

are more vulnerable to route length based attacks than others. If the attacker knows

the maximum route length allowed by the mix system, then he can eliminate all the

routes longer than the maximum length. This reduces the entropy of the anonymity

probability distributions without affecting the underlying anonymity set. Hence, the

maximum route length should be taken into account when calculating anonymity sets.

Several mix systems have been designed to remove the maximum route length

constraint, for instance via tunneling in Onion Routing [17] or Hybrid mixes, but it

exists in fielded systems such as Mixmaster [5, 11] (maximum route length of 20) and so

can be used by the attacker. It may also be possible to obtain relevant information by

compromising a mix. Some mix systems will allow a mix to infer the number of mixes a

message has already passed through and therefore the maximum number of messages it

may go through before reaching the destination. Such information would strengthen our

attack, so care needs to be taken to design mix systems (such as Mixmaster [5]) which

do not give it away.

examples of covert channels, covert channel analysis(CCA) and covert channels

arising in mix networks.

4.2.5 Covert Channels

Covert channels can be either innocuous or harmful. Innocuous channels are consistent

with the intent of the system's security policy. They may result in surprising

system behaviors, but do not place the system or the information that it protects at

risk. Harmful covert channels are information flows that are contrary to the intent of

the system's security policy.










Several definitions for covert channels have been proposed in literature, such as the

following:


Definition 1: A communication channel is covert if it is neither designed nor
intended to transfer information at all.
Definition 2: A covert channel is a mechanism that can be used to transfer
information from one user of a system to another using means not intended for
this purpose by the system developers.
Definition 3: Covert channels will be defined as those channels that are a result
of resource allocation policies and resource management implementation.

All the above definitions are vague (What is information? what is intent?) and

omit any discussion of security. None of the above definitions brings out explicitly

the notion that covert channels depend on the type of mandatory access control (e.g.,

Bell-LaPadula or Biba model) policy being used and on the policy's implementation

within a system design. A new definition using these concepts can be provided that is

consistent with the TCSEC definition of covert channels:

"A covert channel is a communication channel that allows a process to transfer

information in a manner that violates the system's security policy"

In any scenario of covert channel exploitation, one must define the synchronization

relationship between the sender and the receiver of information. Thus, a covert channel

is characterized by the synchronization relationship between the sender and the

receiver. The purpose of synchronization is for one process to notify the other process

it has completed reading or writing a data variable. Therefore, a covert channel may

include not only a covert data variable but also two synchronization variables, one for

sender-receiver synchronization and the other for the receiver-sender synchronization.

Any form of synchronous communication requires both the sender-receiver and receiver-

sender synchronization either implicitly or explicitly.

However, sender-receiver synchronization may still need a synchronization variable

to inform the receiver of a bit transfer. A channel that does not include sender-receiver

synchronization variables in a system allowing the receiver-sender transfer of messages

is called a quasi-synchronous channel.

In all patterns of sender-receiver synchronization, synchronization data may be

included in the data variable itself at the expense of some bandwidth degradation.










Packet-formatting bits in ring and Ethernet local area networks are examples of

synchronization data sent along with the information being transmitted. Thus, explicit

sender-receiver synchronization through a separate variable may be unnecessary.

Covert channels are a more serious problem in a network system. Network traffic

analysis is much easier than monitoring CPU timing and the scheduling process.

A network covert channel can be based on either timing or spatial information of the

traffic flow pattern. Using spatial information, an eavesdropper observing network

traffic can observe the size and destination of the packets to get information. In

collaboration with an internal active adversary, the covert channel can be coded by

varying the packet size and destination. Using timing information, a covert channel

is represented by the frequency and burstiness of the packet generation. The next

subsection discusses a particular type of covert channel existing in mix networks.

4.2.6 Covert Channels in Mix Networks

An insider can use the exit-mix server to covertly communicate with an external

passive eavesdropper by using the information that the eavesdropper (Eve) can probabilistically

determine if the insider (Alice) sends a message in a particular time interval.

This is an example of a one-directional network covert channel, and was first discovered

by Newman, Moskowitz, Crepeau, and Miller [13].

To illustrate the channel, let us assume that we have a simple exit-mix server.

Alice, the insider, wants to transfer information covertly to the eavesdropper, Eve. The

only action that Eve can take is to count the number of messages per t going from the

Mix-firewall to each of the receivers, since the messages are indistinguishable.

In a perfect noiseless scenario with single receiver, Alice can transmit bits 1 and

0 to Eve by sending a message or not sending a message. Alice can use a predecided

encoding to send important information through this channel.

The external adversary model can be either a global model, which has control over

all the links originating from the mix as shown in Figure 4-3, or a restricted model, which can

count the number of messages between two enclaves as shown in Figure 4-2.










4.2.7 Covert Channel Capacity as Anonymity Metric

In the covert channel scenario presented in the previous subsection, Alice can obviously

leak considerable information to Eve. The ability to communicate covertly arises due

to a lack of anonymity. If there were "perfect" anonymity, then we would not expect

to find a covert channel [13]. By measuring the amount of covert information that may

be leaked through less than perfect anonymity, we can obtain an estimate of anonymity

provided by the system.

The mutual information is a good indication of interference between sender and

eavesdropper. One way to measure this is by estimating the lower bound of capacity.

Shannon's Information Theory [22] is used to calculate the mutual information and

the capacity of the channel (which is the maximum value of mutual information). The

analysis technique and capacity calculations are presented in Section 4.3.

In the initial work [13], it is shown that as system level anonymity increases in

the simple mix models (i.e., the number of potential senders increases), the minimum

capacity decreases to zero. However, as the probability that a Clueless sender transmits

in a given tick increases, the expected number of actual senders in a given time tick

also increases, hence the anonymity increases, but the capacity of the covert channel

increases once this probability exceeds 0.5.

of network design.

4.3 Analysis Technique

In this section we present some scenarios for covert channels arising when

using a mix server for different adversary models and network settings. The next

subsection discusses the network channel matrix and capacity estimation.

4.3.1 Scenarios

There is always one special transmitting node in a network called Alice, which is

malicious. Alice has the capabilities of an active internal adversary and can be either

static or dynamically adapt to retain the covert channel.

Alice and possibly other transmitters (assume N) have legitimate business transmitting

messages to a set of receivers $\{R_i \mid i = 1, 2, \ldots, M\}$. These transmitters act completely










independently of one another, and have no direct knowledge of each other's recent

transmission behavior.

Alice may have some general knowledge of the long-term traffic levels produced by

the other transmitters, e.g., the number of other transmitters and their probabilistic

behavior, which can allow Alice to write a code that can improve the covert communication

channel's data rate. She cannot, however, perform short-term adaptation to their

behavior.

We also assume that there is a clock, and that transmissions only occur in the unit

interval of time called a tick. Any subset of transmitters can each either send a single

message to a single receiver in a tick, or not send a message at all. Each transmitter in

a tick can send to a different receiver, and two or more transmitters may send to the

same receiver in the same tick. All messages' contents are encrypted end-to-end.




Figure 4-2: Restricted Passive Adversary Model (diagram labels: Eve, Enclave 1)


There is also an eavesdropper on the network called Eve. Since all transmissions

are encrypted, they appear to the eavesdropper Eve as having indistinguishable content.

Eve may be either a global passive adversary (GPA), with the ability to see link traffic

on every link in the network, or a restricted passive adversary (RPA), with the ability

to observe traffic only on certain links.

Alice is not allowed any direct communication with Eve. However, Alice can

influence what Eve sees on the network. We study network scenarios that attempt to

achieve a degree of anonymity with respect to the network communication. That is, the

networks are designed with various anonymity devices to prevent Eve from learning who

is sending a message to whom. Even if a certain degree of anonymity is achieved, it still

may be possible for Alice to communicate covertly with Eve.










4.3.2 Channel Matrix

Between Alice and the N clueless senders, there are N + 1 possible senders per

t, and there are M + 1 possible actions per sender (since each sender may or may not

transmit, and if it does transmit, it transmits to exactly one of the M receivers).

Figure 4-3: Global Passive Adversary Model (diagram labels: Alice, Eve, R_1, ..., R_M)


We consider Alice to be the input to the quasi-anonymous channel, which is a

proper communications channel [22]. Alice can send to one of the M receivers or not

send a message. Thus, we represent the inputs to the quasi-anonymous channel by

the M + 1 input symbols 0, 1, ..., M, where i = 0 represents Alice not sending a

message, and $i \in \{1, \ldots, M\}$ represents Alice sending a message to the ith receiver $R_i$.

However, note that the "receiver" in the quasi-anonymous channel is Eve. Eve receives

the output symbols $e_j$, $j = 1, \ldots, K$. Eve receives $e_1$ if no sender sends a message.

The quasi-anonymous channel that we have been describing is a discrete memoryless

channel (DMC). We define the channel matrix M as an $(M + 1) \times K$ matrix, where

M[i, j] represents the conditional probability that Eve observes the output symbol $e_j$

given that Alice input i.









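$$
M_{M+1,K} =
\begin{array}{c|cccccccc}
       & 0 & 1 & 2 & \cdots & j & j+1 & \cdots & K \\ \hline
0      & P_{0,0} & P_{0,1} & P_{0,2} & \cdots & P_{0,j} & P_{0,j+1} & \cdots & P_{0,K} \\
1      & P_{1,0} & P_{1,1} & P_{1,2} & \cdots & P_{1,j} & P_{1,j+1} & \cdots & P_{1,K} \\
2      & P_{2,0} & P_{2,1} & P_{2,2} & \cdots & P_{2,j} & P_{2,j+1} & \cdots & P_{2,K} \\
\vdots & \vdots  & \vdots  & \vdots  &        & \vdots  & \vdots    &        & \vdots  \\
i      & P_{i,0} & P_{i,1} & P_{i,2} & \cdots & P_{i,j} & P_{i,j+1} & \cdots & P_{i,K} \\
\vdots & \vdots  & \vdots  & \vdots  &        & \vdots  & \vdots    &        & \vdots  \\
M      & P_{M,0} & P_{M,1} & P_{M,2} & \cdots & P_{M,j} & P_{M,j+1} & \cdots & P_{M,K}
\end{array}
$$

The number of symbols seen by Eve may vary, depending on the adversary model considered. For

example, with an RPA observing a link between two mix-enclaves, the number of

symbols observed by Eve is N + 1. Whereas if a GPA is observing all the links going

out of an exit-mix, the number of possible symbols is much higher and a function of the

receivers, M. N + 1 senders can send or not send, at most one message each, out of the

private enclave, provided at least one sender does send a message. For example there

is only one output symbol observed by Eve for the N + 1 ways that one, and only one,

sender can send a message to $R_i$.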

We model Alice according to the following distribution each t:


$$P(\text{Alice sends a message to } R_i) = x_i$$

From the above equation, we get

$$x_0 = P(\text{Alice doesn't send a message}) = 1 - \sum_{i=1}^{M} x_i$$

We let A represent the distribution for Alice's input behavior, and we denote by E

the distribution of the output symbols that Eve receives. Thus, the channel matrix

M along with the distribution A totally determine the quasi-anonymous channel.

This is because the elements of M take the distributions Ci into account, and M and

A let one determine the distribution E describing the outputs that Eve receives,

P(Eve receives ej).










Given a discrete random variable X, taking on the values $x_i$, $i = 1, \ldots, n_X$, the

entropy of X is

$$H(X) = -\sum_{i=1}^{n_X} p(x_i) \log p(x_i).$$

We use $p(x_i)$ as a shorthand notation for $P(X = x_i)$. Given two such discrete random

variables X and Y we define the conditional entropy (equivocation) to be

$$H(X|Y) = -\sum_{i=1}^{n_Y} p(y_i) \sum_{j=1}^{n_X} p(x_j|y_i) \log p(x_j|y_i).$$

Given two such random variables we define the mutual information between them to be

$$I(X,Y) = H(X) - H(X|Y).$$

Note that H(X) - H(X|Y) = H(Y) - H(Y|X), so we see that I(X,Y) = I(Y,X).

For a DMC whose transmitter random variable is X, and whose receiver random

variable is Y, we define the channel capacity [22] to be:

$$C = \max_x I(X,Y),$$

where the maximization is over all possible distribution values $p(x_i)$ (that is, the $p(x_i)$

are all non-negative and sum to one).

For us, the capacity of the covert channel between Alice and Eve is

$$C = \max \{H(E) - H(E|A)\},$$

where the maximization is over the different possible values that the $x_i$ may take (of

course, the $x_i$ are still constrained to represent a probability distribution). Recall

$M[i, j] = P(E = e_j \mid A = i)$, where M[i, j] is the entry in the ith row and jth column of

the channel matrix, M.

4.4 Summary

In this chapter we have defined the objectives of anonymous communication, and

the threats against it. We have shown how using the anonymity set as a metric can lead to

wrong results. The pool mix was used as an example to illustrate how the anonymity set

showed perfect anonymity, when it was intuitively not possible.










We presented entropy as a metric measuring anonymity, based on Shannon's information

theory. This represents how much information an adversary is missing to identify

the sender or the receiver of a target message. Using covert channel capacity as a measure

of anonymity is discussed, followed by covert channel scenarios in mix networks.

Finally, we present the channel matrix as the tool to estimate the channel capacity.















CHAPTER 5
PREVIOUS WORK AND THE EXIT-MIX MODEL

This chapter presents the previous work done (which forms the basis of our work),

exit-mix firewall model setup and assumptions. It describes the conventions and

terminology used, the message distribution probabilities, traffic adversary model and

channel matrix in detail.

5.1 Capacity Analysis for Indistinguishable Receivers Case

The initial work [13] analyzed the situation where there are two enclaves, communication

between them is encrypted, and packets are sent only from the first enclave

(which contains Alice) to the second (Fig. 4-2). Eve is able to monitor the communication

from the first enclave to the second. Anonymity is "achieved" in that an

eavesdropper such as Eve (as RPA) does not "know" who is sending a message (that

is hidden inside of the first enclave) nor who is receiving the message (this can only

be known if one is interior to the second enclave). Eve is only allowed to know how

many messages per tick travel from the first enclave to the second. Nonetheless, Alice

attempts to communicate covertly with Eve.

The input symbols for this channel are 0, which signifies that Alice is not transmitting

a message to any receiver, and $0^c$, which signifies that Alice is transmitting a

message to some receiver (keep in mind that Alice is oblivious to the other transmitters).

We break Scenario down into three cases: case 5.1.1, case 5.1.2, and case 5.1.3.

Case 5.1.3 is the general form of Scenario and the first two are simplified special cases.

5.1.1 Case 0: Alice Alone

This is the case where N = 0. Alice is the only transmitter. Alice sends either 0

(by not sending a message) or $0^c$ (by sending a message). Eve receives either $e_0 = 0$

(Alice did nothing) or $e_1 = 1$ (Alice sent a message to a receiver). The capacity of this

noiseless covert channel is 1.










Note though the capacity is the maximum, over the probability x for Alice

inputting a 0, of the mutual information I(E, A). A is the distribution for Alice

described by x, and E is the distribution for Eve. Since there is no noise, I is simply

the entropy H(E) describing Eve (which is maximized to 1 when x = .5).


$$I(E, A) = H(E) = -x \log x - (1 - x) \log(1 - x).$$


5.1.2 Case 1: Alice and One Additional Clueless Transmitter

In this case N = 1. Therefore, Eve receives:

0 if neither Alice nor Clueless transmit;

1 if Alice does not transmit and Clueless does transmit, or Alice transmits and

Clueless does not; or

2 if both Alice and Clueless transmit.


Figure 5-1: Channel Model for Subsection 5.1.1. A) Channel block diagram. B) Channel transition diagram


Figure 5-1B shows the output symbols corresponding to the three states E might

perceive. Let us consider the channel matrix.


0 1 2
012


it' 0 >










The $2 \times 3$ channel matrix M[i, j] represents the conditional probability of Eve

receiving the symbol j when Alice sends the symbol i. It follows that $p = \alpha$, and thus it

trivially follows that $q = \beta$.

So our channel matrix simplifies to:


$$
\begin{array}{c|ccc}
    & 0 & 1 & 2 \\ \hline
0   & p & q & 0 \\
0^c & 0 & p & q
\end{array}
$$

The probability that Alice sends a 0 is P(A = 0) = x, and therefore $P(A = 0^c) = 1 - x$.

The term x is the only term that can be varied to achieve capacity. Here is

where Alice may use knowledge of long-term transmission characteristics of the other

transmitters, as well as how many other transmitters there are, to change her (long-term)

behavior. As with other studies of covert channels [12] we are not concerned with

source coding/decoding issues [22]. Our concern is the limits on how well a transmitter

can "optimize" its bit rate to a receiver, given that a channel is noisy. The capacity of

the covert channel between Alice and Eve is

$$C = \max \{H(E) - H(E|A)\}.$$

Given the above channel matrix we have:

$$H(E) = -\{px \log px + [qx + p(1 - x)] \log[qx + p(1 - x)] + q(1 - x) \log q(1 - x)\}$$

and

$$H(E|A) = -\sum_{i=0}^{1} p(a_i) \sum_{j=0}^{2} p(e_j|a_i) \log p(e_j|a_i) = h(p),$$

where h(p) denotes the function $-p \log p - (1 - p) \log(1 - p)$. Thus,

$$C = \max \{ -(px \log px + [qx + p(1 - x)] \log[qx + p(1 - x)] + q(1 - x) \log q(1 - x)) - h(p) \}.$$

We cannot analytically find the x that maximizes the mutual information, even doing

the standard trick of setting the derivative of the mutual information to zero. However,











we can plot the capacity as a function of p, and of the x value that maximizes the

mutual information as a function of p.





[Plot: capacity as a function of p; horizontal axis p = P(Alice not sending a message), from 0 to 1.]

Figure 5-2: Plot of Covert Channel Capacity as a Function of p


Figure 5-2 shows certain symmetries. The capacity graph is symmetric about p = .5, and the graph of the x that achieves capacity is skew-symmetric about p = .5. Consider the two situations where p = c, and where p = 1 - c; in both situations 0 < c < .5. Let x_c be the probability for the input symbol 0 that achieves capacity in the first situation, and let x_{1-c} be the probability that achieves capacity for the second situation. For the first situation we have that 1 - x_c is the capacity achieving probability for the output symbol 0^c, and similarly for the second situation 1 - x_{1-c} is the capacity achieving probability for the output symbol 0^c. Physically the two situations are "the same" if we reverse the roles of the output symbols 0 and 2. Therefore x_c = 1 - x_{1-c}. Writing x_c as x_c = 1/2 + Δ, we see that x_{1-c} = 1/2 - Δ; this is what the lower dotted plot shows in Figure 5-2 (c = 1/2 ⇒ Δ = 0).

Observation 1 In conditions of very little extra traffic, or very high extra traffic, the covert channel from Alice to Eve has higher capacity.

Observation 2 The capacity C(p), as a function of p, is strictly bounded below by C(.5), and C(.5) is achieved when the mutual information is evaluated at x = .5.

It is obvious that very little extra traffic corresponds to very little noise. At first glance though, it seems counterintuitive that heavy traffic also corresponds to a small amount of noise. This is because the high traffic is used as a baseline against which to signal. This is analogous to transmission of bits over a channel where the bit error rate (BER) P_e is greater than 1/2. In this case, the capacity of the channel is the same as that of a channel with BER of 1 - P_e, by first inverting all the bits. It is the in-between situations that negatively affect the signaling ability of Alice. But, even in the noisiest case (i.e., where p = .5) Alice can still transmit with a capacity of a half bit per tick.

Note that we can never guarantee error-free transmission, no matter how we group the output symbols. In fact, it is possible that the outputs will always be the symbol 1 (of course the probability of this quickly approaches zero, as the number of transmissions goes up). So this covert channel has a zero-error capacity [23] of zero. Capacity is a useful measure of a communication channel if the assumption is that the transmitter can transmit a large number of times. With a large number of transmissions, an error-correcting code can be utilized so as to achieve a rate close to capacity. If the transmitter only transmits a small number of transmissions, then using the capacity alone can be misleading.

5.1.3 Case 2: Alice and N Additional Transmitters

We imagine that there are N + 1 transmitters, Alice is one of them, and the other N are all independent and identical clueless transmitters. That is, there are transmitters Clueless_1, Clueless_2, ..., Clueless_N. Again, Eve can only see how many messages are leaving the first MIX-firewall headed for the second MIX-firewall. Therefore Eve can determine if there are 0, 1, ..., N + 1 messages leaving the firewall. That is all Eve can determine. Therefore, there are still the two input symbols a_0 = 0 and a_1 = 0^c, but we have N + 2 output symbols. The probability that Clueless_i does not send a message is still p, and that it does send a message is q = 1 - p. Now, calculate the channel matrix. Keep in mind that Alice acts independently of the Clueless_i.

Alice sends a 0

For Eve to receive e_k (that is E = k), 0 ≤ k ≤ N, we need k of the clueless transmitters to send a message, and N - k not to send a message. Therefore,

$$p(e_k|A = 0) = \binom{N}{k} p^{N-k} q^{k}, \quad 0 \le k \le N,$$

$$p(e_{N+1}|A = 0) = 0.$$

Alice sends a 0^c

p(e_0|A = 0^c) = 0, since the event never happens.

For Eve to receive e_k (that is E = k), 1 ≤ k ≤ N + 1, we need k - 1 of the clueless transmitters to send a message, and N - k + 1 not to send a message.

$$p(e_k|A = 0^c) = \binom{N}{k-1} p^{N-k+1} q^{k-1}, \quad 1 \le k \le N+1.$$


The channel matrix is

         0      1              2                      ...   N              N+1
0        p^N    N p^(N-1) q    C(N,2) p^(N-2) q^2     ...   q^N            0
0^c      0      p^N            N p^(N-1) q            ...   N p q^(N-1)    q^N

Figure 5-3: Channel for Case 3, the general case of N clueless users. A) Channel transition diagram. B) Channel Matrix


We obtain the following results from the analysis. The full details and proofs are in

[13].

In conditions of very little extra traffic, or very high extra traffic, the covert

channel from Alice to Eve has higher capacity.

The capacity C(p), as a function of p is strictly bounded below by C(.5), and

C(.5) is achieved when the mutual information is evaluated at x = .5 (of course

p = .5 also in this situation).










The capacity C(p), as a function of p is strictly bounded below by a function that

decreases monotonically to zero as the number of transmitters increases, but is

never zero.

The bias in the code used by Alice to achieve the optimum data rate on the channel is not always x = 0.5, but it is never far from 0.5, and our preliminary experimental results indicate that the difference in capacity is minor.

This last observation agrees with [10], which presents the general result that in DMCs, the mutual information bit rate obtained by using x = .5 is no less than 94.21% of the channel capacity. Even if Alice has no knowledge of the probabilistic behavior of the other transmitters, her data rate will not be too far from optimal if she uses an unbiased code.

5.2 Exit-Mix Model

5.2.1 Scenario

There are N + 1 senders in a private enclave. Messages pass one way from the

private enclave to a set of M receivers. The private enclave is behind a firewall which

also functions as a timed Mix [21] that fires every tick, t, hence we call it a simple

timed Mix-firewall. For the sake of simplicity we will refer to a simple timed Mix-

firewall as a Mix-firewall in this paper. One of the N + 1 senders, called Alice, is

malicious. The other N clueless senders, Clueless_i, i = 1, ..., N, are benign. Each

sender may send at most one message per unit time t to the set of receivers. All

messages from the private enclave to the set of receivers pass through public lines that

are subject to eavesdropping by an eavesdropper called Eve. The only action that Eve

can take is to count the number of messages per t going from the Mix-firewall to each

receiver, since the messages are otherwise indistinguishable. Eve knows that there are

N + 1 possible senders. The N clueless senders act in an independent and identical

manner (i.i.d.) according to a fixed distribution C_i, i = 1, ..., N. Alice, by sending or

not sending a message each t to at most one receiver, affects Eve's message counts. This

is how Alice covertly communicates with Eve via a quasi-anonymous channel [14].










Figure 5-4: Exit Mix-firewall Model with N Clueless Senders and M Distinguishable Receivers

Alice acts independently (through ignorance of the clueless senders) when deciding

to send a message; we call this the ignorance assumption. Alice has the same distribu-

tion each t. Between Alice and the N clueless senders, there are N + 1 possible senders

per t, and there are M + 1 possible actions per sender (each sender may or may not

transmit, and if it does transmit, it transmits to exactly one of M receivers).

We consider Alice to be the input to the quasi-anonymous channel, which is a

proper communications channel [22]. Alice can send to one of the M receivers or not

send a message. Thus, we represent the inputs to the quasi-anonymous channel by the M + 1 input symbols 0, 1, ..., M, where i = 0 represents Alice not sending a message, and i ∈ {1, ..., M} represents Alice sending a message to the ith receiver R_i. The "receiver" in the quasi-anonymous channel is Eve. Eve receives the output symbols e_j, j = 1, ..., K. Eve receives e_1 if no sender sends a message. The other output symbols correspond to all the different ways the N + 1 senders can send or not send, at most one message each, out of the private enclave, provided at least one sender does send a message.

5.2.2 Channel Matrix Probabilities

For the sake of simplicity we introduce a dummy receiver R_0 (not shown above). If a sender does not send a message we consider that to be a "message" to R_0. For N + 1 senders and M receivers, the output symbol e_j observed by Eve is an M + 1 vector (a_0^j, a_1^j, ..., a_M^j), where a_i^j is how many messages the Mix-firewall sends to R_i. Of course it follows that 0 ≤ a_i^j ≤ N + 1.










The quasi-anonymous channel that we have been describing is a discrete memory-

less channel (DMC). We define the channel matrix M as an (M + 1) x K matrix, where

M[i, j] represents the conditional probability that Eve observes the output symbol ej

given that Alice input i. We model the clueless senders according to the i.i.d. C_i for each period of possible action t:

$$P(\text{Clueless}_i \text{ doesn't send a message}) = p$$

$$P(\text{Clueless}_i \text{ sends a message to any receiver}) = \frac{q}{M} = \frac{1-p}{M}$$

where in keeping with previous papers, q = 1 - p is the probability that Clueless_i sends a message to any one of the M receivers. When Clueless_i does send a message, the destination is uniformly distributed over the receivers R_1, ..., R_M. We call this the semi-uniformity assumption. Again, keep in mind that each clueless sender has the same distribution each t, but they all act independently of each other.

5.3 Capacity Analysis for Exit-MIX Scenario

This chapter presents the capacity analysis for different cases of transmitters and

receivers. Each case is discussed in detail and capacity estimated is compared among

the cases.

The mathematics involved in capacity estimation for this scenario is very compli-

cated. Hence, we estimate the capacity for simple cases and then try to generalize our

observations for N senders and M receivers.

To distinguish the various channel matrices, we will adopt the notation that M_{N.M} is the channel matrix for N clueless senders and M receivers.

5.3.1 One Receiver (M = 1)

Case 1: No Clueless Senders and One Receiver (N = 0, M = 1). Alice is the only sender, and there is only one receiver R_1. Alice sends either 0 (by not sending a message) or 1 (by sending a message). Eve receives either e_1 = (1, 0) (Alice did nothing) or e_2 = (0, 1) (Alice sent a message to the receiver). Since there is no noise (there are no clueless senders) the channel matrix M_{0.1} is the 2 x 2 identity matrix and it trivially follows that P(E = e_1) = x_0, and that P(E = e_2) = x_1.

                 e_1   e_2
M_{0.1} =   0    1     0
            1    0     1

Since x_0 = 1 - x_1, we see that^1 H(E) = -x_0 log x_0 - (1 - x_0) log(1 - x_0). The channel matrix is an identity matrix, so the conditional probability distribution P(E|A) is made up of zeroes and ones, therefore H(E|A) is identically zero. Hence, the capacity is the maximum over x_0 of H(E), which is easily seen to be unity^2 (and occurs when x_0 = 1/2). Of course, we could have obtained this capacity^3 without appealing to mutual information since we can noiselessly send one bit per tick, but we wish to study the non-trivial cases and use this as a starting point.

Case 2: N Clueless Senders and One Receiver (M = 1). This case reduces to the indistinguishable receivers case with N senders analyzed in [13], with both an exit Mix-firewall that we have been discussing and an entry Mix-firewall (with the receivers behind the latter). Alice can either send or not send a message, so the input alphabet again has two symbols. Eve observes N + 2 possible output symbols. That is, Eve sees e_1 = (N + 1, 0), e_2 = (N, 1), e_3 = (N - 1, 2), ..., e_{N+2} = (0, N + 1). A detailed discussion of this case can be found in [13].

5.3.2 Some Special Cases for Two Receivers (M = 2)

There are two possible receivers. Alice can signal Eve with an alphabet of three

symbols: 1 or 2, if Alice transmits to R1 or R2, respectively, or the symbol 0 for not

sending a message. Let us analyze the channel matrices and the entropies for different

cases of senders.



^1 All logarithms are base 2.

^2 The units of capacity are bits per tick t, but we will take the units as being understood for the rest of the report. Recall that all symbols take one t to pass through the channel.

^3 This uses Shannon's [22] asymptotic definition of capacity, which is equivalent for noiseless channels (in units of bits per symbol).










The symbol e_j that Eve receives is a 3-tuple of the form (a_0^j, a_1^j, a_2^j), where a_i^j is the number of messages received by the ith receiver.^4 As before, the index i = 0 relates to Alice not sending any message. The elements of the 3-tuple must sum to the total number of senders, N + 1,

$$\sum_{i=0}^{2} a_i^j = N + 1.$$
Case 3: No Clueless Senders and Two Receivers (N = 0, M = 2). Alice is the only sender and can send messages to two possible receivers. The channel matrix is trivial and there is no anonymity in the channel.

                 (1,0,0)  (0,1,0)  (0,0,1)
            0    1        0        0
M_{0.2} =   1    0        1        0
            2    0        0        1

The subscript 0.2 represents one sender (Alice alone) and two receivers. The 3 x 3 channel matrix M_{0.2}[i, j] represents the conditional probability of Eve receiving the symbol e_j when Alice sends to the receiver R_i (A = i). '0' stands for not sending a message.

The mutual information I is given by the entropy H(E) describing Eve

$$I(E, A) = H(E) = -x_1 \log x_1 - x_2 \log x_2 - (1 - x_1 - x_2) \log(1 - x_1 - x_2).$$

The capacity of this noiseless covert channel is log 3 ≈ 1.58 (at x_i = 1/3, i = 0, 1, 2). For M = 2 this is the largest capacity, which we note corresponds to zero anonymity. Of course, this is not surprising since there are no clueless senders.

Case 4: N = 1 Clueless Sender and M = 2 Receivers.

The following row vector describes the probabilities of the possible output symbols

when only one clueless sender is involved.




^4 Recall that the a_i^j's of the output symbol are not directly related to A, which denotes the distribution of Alice.









     (1,0,0)  (0,1,0)  (0,0,1)
(    p        q/2      q/2     )

Figure 5-5: Case 4: System with N = 1 Clueless Sender and M = 2 Receivers

The message-set matrix given below shows how the various output symbols can be formed. The rows correspond to Alice's actions, and the columns correspond to the actions of Clueless. Row and column labels are added elementwise to form the matrix entry, which is the output symbol corresponding to the channel state.

             (1,0,0)  (0,1,0)  (0,0,1)
(1,0,0)      (2,0,0)  (1,1,0)  (1,0,1)
(0,1,0)      (1,1,0)  (0,2,0)  (0,1,1)
(0,0,1)      (1,0,1)  (0,1,1)  (0,0,2)

The set of distinct symbols formed in the matrix cells constitutes the set of output symbols Eve may receive. In this case, there are three repetitions in the message-set matrix, so Eve may receive 9 - 3 = 6 symbols.

Let us consider the channel matrix.

                 (2,0,0)  (1,1,0)  (1,0,1)  (0,2,0)  (0,1,1)  (0,0,2)
            0    p        q/2      q/2      0        0        0
M_{1.2} =   1    0        p        0        q/2      q/2      0
            2    0        0        p        0        q/2      q/2

The 3 x 6 channel matrix M_{1.2}[i, j] represents the conditional probability of Eve receiving the symbol e_j when Alice sends to R_i. As noted, the dummy receiver R_0 corresponds to Alice not sending to any receiver (however this is still a transmission to Eve via the quasi-anonymous channel).

[Plot: capacity against q, with q from 0 to 1.]

Figure 5-6: Capacity for N = 1 Clueless Sender and M = 2 Receivers

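Given the above channel matrix we have:

$$\begin{aligned}
H(E) = -\{ & p x_0 \log[p x_0] \\
 & + [q x_0/2 + p x_1] \log[q x_0/2 + p x_1] \\
 & + [q x_0/2 + p x_2] \log[q x_0/2 + p x_2] \\
 & + [q x_1/2] \log[q x_1/2] + [q x_1/2 + q x_2/2] \log[q x_1/2 + q x_2/2] \\
 & + [q x_2/2] \log[q x_2/2] \}.
\end{aligned}$$

The conditional entropy is given by

$$H(E|A) = -\sum_{i=0}^{2} p(x_i) \sum_{j=1}^{6} p(e_j|x_i) \log p(e_j|x_i) = h_2(p),$$

where h_2(p) denotes the function

$$\begin{aligned}
h_2(p) &= -\frac{1-p}{2} \log\frac{1-p}{2} - \frac{1-p}{2} \log\frac{1-p}{2} - p \log p \\
 &= -(1-p) \log\frac{1-p}{2} - p \log p.
\end{aligned}$$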


The mutual information between Alice and Eve is given by

$$I(A, E) = H(E) - H(E|A),$$

and the channel capacity is given by

$$\begin{aligned}
C &= \max_{A} I(A, E) \\
 &= \max_{x_1, x_2} -\{ p x_0 \log[p x_0] \\
 &\qquad + [q x_0/2 + p x_1] \log[q x_0/2 + p x_1] \\
 &\qquad + [q x_0/2 + p x_2] \log[q x_0/2 + p x_2] \\
 &\qquad + [q x_1/2] \log[q x_1/2] + [q x_1/2 + q x_2/2] \log[q x_1/2 + q x_2/2] \\
 &\qquad + [q x_2/2] \log[q x_2/2] \} - h_2(p).
\end{aligned}$$

Figure 5-7: Case 5: System with N = 2 Clueless Senders and M = 2 Receivers

Note that the maximization is over x_1 and x_2, since x_0 is determined by these two probabilities (holds for any N). This equation is very difficult to solve analytically and requires numerical techniques. Figure 5-6 shows the capacity for this case with the curve N = 1. From the plot the minimum capacity is approximately 0.92, when p = 1/3. This is less than 1.58, which is the corresponding value for the N = 0 case. We will come back to this curve later for comparison purposes with other values of N.

Case 5: N = 2 Clueless Senders and M = 2 Receivers.

The row vector describing the output symbols and their probabilities with only the two clueless senders is given by

     (2,0,0)  (1,1,0)  (1,0,1)  (0,2,0)  (0,1,1)  (0,0,2)
(    p^2      pq       pq       q^2/4    q^2/2    q^2/4   )










The symbol (2, 0, 0) has probability p^2 because both clueless senders do not send a message. The symbol (1, 1, 0) has probability 2p(q/2) because either Clueless_1 does not send a message and Clueless_2 sends a message to R_1 or vice versa. The other values behave similarly. The message set matrix, which has the contributions from the clueless as the column index and the contributions from Alice as the row index, is as follows.

             (2,0,0)  (1,1,0)  (1,0,1)  (0,2,0)  (0,1,1)  (0,0,2)
(1,0,0)      (3,0,0)  (2,1,0)  (2,0,1)  (1,2,0)  (1,1,1)  (1,0,2)
(0,1,0)      (2,1,0)  (1,2,0)  (1,1,1)  (0,3,0)  (0,2,1)  (0,1,2)
(0,0,1)      (2,0,1)  (1,1,1)  (1,0,2)  (0,2,1)  (0,1,2)  (0,0,3)

By inspection of the matrix, we notice that the output symbols with more repetitions will have higher probability of being seen by Eve, when compared to others. That is, output symbol (1, 1, 1) will have a greater probability of being observed than (3, 0, 0) or (0, 3, 0). The probability of observing a symbol also depends on the probability distribution of the transmitter over the receivers (i.e., the value of q). There are eight repetitions in the message-set matrix, so the total number of possible symbols Eve may receive is 18 - 8 = 10. The channel matrix M_{2.2} is given below.

                 (3,0,0)  (2,1,0)  (2,0,1)  (1,2,0)  (1,1,1)  (1,0,2)  (0,1,2)  (0,3,0)  (0,2,1)  (0,0,3)
            0    p^2      pq       pq       q^2/4    q^2/2    q^2/4    0        0        0        0
M_{2.2} =   1    0        p^2      0        pq       pq       0        q^2/4    q^2/4    q^2/2    0
            2    0        0        p^2      0        pq       pq       q^2/2    0        q^2/4    q^2/4

The 3 x 10 channel matrix M_{2.2}[i, j] represents the conditional probability of Eve receiving e_j when Alice sends a message to receiver R_i.

Figure 5-8 shows the capacity for this case N = 2. Again, the minimum capacity is found at p = 1/3 = 1/(M + 1). From the plot the minimum capacity is approximately 0.62, when p = 1/3.

5.3.3 Some Special Cases for Three Receivers (M = 3)

Case 6: N = 1 Clueless Senders and M = 3 Receivers. Alice or Clueless can send to three possible receivers or refrain from sending (denoted by '0'). The probabilities of the various output symbols from the one clueless sender are given below.

     (1,0,0,0)  (0,1,0,0)  (0,0,1,0)  (0,0,0,1)
     p          q/3        q/3        q/3

[Plot: capacity against q, with q from 0 to 1.]

Figure 5-8: Capacity for N = 2 clueless senders and M = 2 receivers

Figure 5-9: Case 6: System with N = 1 Clueless Senders and M = 3 Receivers

Now let us examine the number of possible message set symbols obtained if we merge the individual message sets of Alice and Clueless.

               (1,0,0,0)  (0,1,0,0)  (0,0,1,0)  (0,0,0,1)
(1,0,0,0)      (2,0,0,0)  (1,1,0,0)  (1,0,1,0)  (1,0,0,1)
(0,1,0,0)      (1,1,0,0)  (0,2,0,0)  (0,1,1,0)  (0,1,0,1)
(0,0,1,0)      (1,0,1,0)  (0,1,1,0)  (0,0,2,0)  (0,0,1,1)
(0,0,0,1)      (1,0,0,1)  (0,1,0,1)  (0,0,1,1)  (0,0,0,2)

As we can see from the above message-matrix, there are six repetitions in the message sets formed, so Eve may receive 10 different symbols.

[Plot: capacity against q, with q from 0 to 1.]

Figure 5-10: Capacity for N = 1 clueless sender and M = 3 receivers

The channel matrix M_{1.3} is given below.

     (2,0,0,0)  (1,1,0,0)  (1,0,1,0)  (1,0,0,1)  (0,2,0,0)  (0,1,1,0)  (0,1,0,1)  (0,0,2,0)  (0,0,1,1)  (0,0,0,2)
0    p          q/3        q/3        q/3        0          0          0          0          0          0
1    0          p          0          0          q/3        q/3        q/3        0          0          0
2    0          0          p          0          0          q/3        0          q/3        q/3        0
3    0          0          0          p          0          0          q/3        0          q/3        q/3

The 4 x 10 channel matrix M_{1.3}[i, j] represents the conditional probability of Eve receiving e_j when Alice sends a message to receiver R_i.











Figure 5-10 shows the capacity for this case of N = 1. The minimum capacity is found at p = 1/4 = 1/(M + 1). From the plot the minimum capacity is approximately 1.25, when p = 1/4.

Case 7: N = 2 Clueless Senders and M = 3 Receivers.
The row vector describing how the clueless users influence the output symbols is given below.

     (2,0,0,0)  (1,1,0,0)  (1,0,1,0)  (1,0,0,1)  (0,2,0,0)  (0,1,1,0)  (0,1,0,1)  (0,0,2,0)  (0,0,1,1)  (0,0,0,2)
(    p^2        2pq/3      2pq/3      2pq/3      q^2/9      2q^2/9     2q^2/9     q^2/9      2q^2/9     q^2/9     )

Now let us examine the size of the set of output symbols obtained if we merge the individual message sets of Alice and the two clueless senders:

               (2,0,0,0)  (1,1,0,0)  (1,0,1,0)  (1,0,0,1)  (0,2,0,0)  (0,1,1,0)  (0,1,0,1)  (0,0,2,0)  (0,0,1,1)  (0,0,0,2)
(1,0,0,0)      (3,0,0,0)  (2,1,0,0)  (2,0,1,0)  (2,0,0,1)  (1,2,0,0)  (1,1,1,0)  (1,1,0,1)  (1,0,2,0)  (1,0,1,1)  (1,0,0,2)
(0,1,0,0)      (2,1,0,0)  (1,2,0,0)  (1,1,1,0)  (1,1,0,1)  (0,3,0,0)  (0,2,1,0)  (0,2,0,1)  (0,1,2,0)  (0,1,1,1)  (0,1,0,2)
(0,0,1,0)      (2,0,1,0)  (1,1,1,0)  (1,0,2,0)  (1,0,1,1)  (0,2,1,0)  (0,1,2,0)  (0,1,1,1)  (0,0,3,0)  (0,0,2,1)  (0,0,1,2)
(0,0,0,1)      (2,0,0,1)  (1,1,0,1)  (1,0,1,1)  (1,0,0,2)  (0,2,0,1)  (0,1,1,1)  (0,1,0,2)  (0,0,2,1)  (0,0,1,2)  (0,0,0,3)

As we can see, there are 20 repetitions in the symbols formed. Hence, the total number of symbols seen by Eve becomes 40 - 20 = 20. If we look through the columns (1, 1, 0, 0), (0, 1, 1, 0) and (1, 0, 1, 0), we can find the element (1, 1, 1, 0) common to all three columns. There are two more similar cases for a common element in three columns. From this, we conclude that the message sets with an even distribution of messages seem to have a single element common to many of them, whereas those with a skewed distribution seem to be unique. This is expected, as there are multiple ways to distribute messages over several receivers, while there is only one way for all senders to send to the same receiver.
The channel matrix (split into two) is given below.

     (3,0,0,0)  (2,1,0,0)  (2,0,1,0)  (2,0,0,1)  (1,2,0,0)  (1,0,2,0)  (1,0,0,2)  (1,1,1,0)  (1,1,0,1)  (1,0,1,1)
0    p^2        2pq/3      2pq/3      2pq/3      q^2/9      q^2/9      q^2/9      2q^2/9     2q^2/9     2q^2/9
1    0          p^2        0          0          2pq/3      0          0          2pq/3      2pq/3      0
2    0          0          p^2        0          0          2pq/3      0          2pq/3      0          2pq/3
3    0          0          0          p^2        0          0          2pq/3      0          2pq/3      2pq/3

     (0,3,0,0)  (0,2,1,0)  (0,2,0,1)  (0,1,2,0)  (0,1,0,2)  (0,1,1,1)  (0,0,3,0)  (0,0,2,1)  (0,0,1,2)  (0,0,0,3)
0    0          0          0          0          0          0          0          0          0          0
1    q^2/9      2q^2/9     2q^2/9     q^2/9      q^2/9      2q^2/9     0          0          0          0
2    0          q^2/9      0          2q^2/9     0          2q^2/9     q^2/9      2q^2/9     q^2/9      0
3    0          0          q^2/9      0          2q^2/9     2q^2/9     0          q^2/9      2q^2/9     q^2/9

[Plot: capacity against q, with q from 0 to 1.]

Figure 5-11: Capacity for N = 2 clueless senders and M = 3 receivers

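The 4 x 20 channel matrix M_{2.3}[i, j] represents the conditional probability of Eve receiving e_j when Alice sends a message to receiver R_i. The generalized formula for the matrix elements is given by

$$m(0,j) = \begin{cases} \dfrac{2!}{(a_0^j - 1)!\, a_1^j!\, a_2^j!\, a_3^j!}\; p^{(a_0^j - 1)} (q/3)^{3 - a_0^j} & \text{for } a_0^j = 1, 2, 3 \\ 0 & \text{for } a_0^j = 0 \end{cases}$$

$$m(1,j) = \begin{cases} \dfrac{2!}{a_0^j!\, (a_1^j - 1)!\, a_2^j!\, a_3^j!}\; p^{a_0^j} (q/3)^{2 - a_0^j} & \text{for } a_1^j = 1, 2, 3 \\ 0 & \text{for } a_1^j = 0 \end{cases}$$

$$m(2,j) = \begin{cases} \dfrac{2!}{a_0^j!\, a_1^j!\, (a_2^j - 1)!\, a_3^j!}\; p^{a_0^j} (q/3)^{2 - a_0^j} & \text{for } a_2^j = 1, 2, 3 \\ 0 & \text{for } a_2^j = 0 \end{cases}$$

$$m(3,j) = \begin{cases} \dfrac{2!}{a_0^j!\, a_1^j!\, a_2^j!\, (a_3^j - 1)!}\; p^{a_0^j} (q/3)^{2 - a_0^j} & \text{for } a_3^j = 1, 2, 3 \\ 0 & \text{for } a_3^j = 0 \end{cases}$$

Figure 5-12: Case 7: System With N = 2 Clueless Senders and M = 3 Receivers

Figure 5-13: Case 8: System with N = 1 Clueless Sender and M Receivers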

Figure 5-11 shows the capacity for this case in the curve when N = 2. The

minimum capacity is found at p = 1/4 = 1/(M + 1). From the plot the minimum

capacity is approximately 0.89, when p = 1/4, which is less than the lowest capacity for

the N = 1 case.

5.3.4 Some Generalized Cases of N and M

Case 8: N = 1 Clueless and M Receivers.
We generalize the scenario to one clueless transmitter and M receivers. The probability describing the actions of only the one clueless sender is given below.

     (1,0,0,0,...,0)  (0,1,0,0,...,0)  (0,0,1,0,...,0)  (0,0,0,1,...,0)  ...  (0,0,0,0,...,1)
(    p                q/M              q/M              q/M              ...  q/M             )











The message set matrix is given below.

                     (1,0,0,0,...,0)  (0,1,0,0,...,0)  (0,0,1,0,...,0)  (0,0,0,1,...,0)  ...  (0,0,0,0,...,1)
(1,0,0,0,...,0)      (2,0,0,0,...,0)  (1,1,0,0,...,0)  (1,0,1,0,...,0)  (1,0,0,1,...,0)  ...  (1,0,0,0,...,1)
(0,1,0,0,...,0)      (1,1,0,0,...,0)  (0,2,0,0,...,0)  (0,1,1,0,...,0)  (0,1,0,1,...,0)  ...  (0,1,0,0,...,1)
(0,0,1,0,...,0)      (1,0,1,0,...,0)  (0,1,1,0,...,0)  (0,0,2,0,...,0)  (0,0,1,1,...,0)  ...  (0,0,1,0,...,1)
(0,0,0,1,...,0)      (1,0,0,1,...,0)  (0,1,0,1,...,0)  (0,0,1,1,...,0)  (0,0,0,2,...,0)  ...  (0,0,0,1,...,1)
...
(0,0,0,0,...,1)      (1,0,0,0,...,1)  (0,1,0,0,...,1)  (0,0,1,0,...,1)  (0,0,0,1,...,1)  ...  (0,0,0,0,...,2)

The number of output symbols that may be seen by Eve is identical to the total possible distinct pairs in the message-set matrix shown above. There are two indistinguishable transmissions (including null transmissions) and they are sent into M + 1 distinct receivers (urns) (this also includes the null transmission, which by convention goes to R_0, not shown in the figure). Combinatorics tells us then that there are $\binom{M+2}{2}$ distinct combinations (symbols) that Eve may receive.

The channel matrix is given below.

       (2,0,0,0,...,0)  (1,1,0,0,...,0)  (1,0,1,0,...,0)  ...  (1,0,0,0,...,1)  (0,2,0,0,...,0)  ...  (0,0,0,0,...,2)
0      p                q/M              q/M              ...  q/M              0                ...  0
1      0                p                0                ...  0                q/M              ...  0
2      0                0                p                ...  0                0                ...  0
3      0                0                0                ...  0                0                ...  0
...
M      0                0                0                ...  p                0                ...  q/M

The (M+1) x (M+2) channel matrix M_{1.M}[i, j] represents the conditional probability of Eve receiving e_j when Alice sends a message to receiver R_i.

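The probability distribution among the elements of the channel matrix can be calculated by the formula below.

$$m_{ij} = \begin{cases} p^{a_0^j} (q/M)^{N - a_0^j} & : a_i^j \ne 0 \\ 0 & : a_i^j = 0 \end{cases} \qquad \forall i = 1, 2, 3, \ldots, M \text{ and } j = 1, 2, 3, \ldots, \binom{M+2}{2}$$

$$m_{0j} = \begin{cases} p^{(a_0^j - 1)} (q/M)^{N - a_0^j + 1} & : a_0^j \ne 0 \\ 0 & : a_0^j = 0 \end{cases} \qquad \forall j = 0, 1, 2, \ldots, \binom{M+2}{2}$$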

The conclusions and more generalizations related to this case are discussed in the

results section.











Case 9: N Clueless Senders and M = 2 Receivers. In this case, we generalize the problem to N clueless transmitters for the two receivers case. The total number of message set symbols seen by Eve, if only the clueless are transmitting, can be calculated as the number of combinations in which N transmitters can send (or not send) a message times the number of combinations in which the messages sent can be distributed into two receivers.

If k out of N transmitters send a message, then the k messages sent can be divided into two receivers in k + 1 possible combinations ((k, 0), (k - 1, 1), ..., (0, k)).

$$\text{message set size} = 1 + 2 + 3 + 4 + \cdots + (N + 2) = \sum_{i=0}^{N+2} i = (N + 2)(N + 3)/2$$

The probability of each channel state with clueless only is as follows.

     (N,0,0)  (N-1,1,0)       (N-1,0,1)       (N-2,2,0)                (N-2,1,1)                (N-2,0,2)                ...  (0,0,N)
(    p^N      N p^(N-1) q/2   N p^(N-1) q/2   N(N-1) p^(N-2) q^2/8     N(N-1) p^(N-2) q^2/4     N(N-1) p^(N-2) q^2/8     ...  (q/2)^N  )

Now let us merge the individual message sets of Alice and the N clueless transmitters to determine the number of symbols received by Eve.

             (N,0,0)    (N-1,1,0)  (N-1,0,1)  (N-2,2,0)  (N-2,1,1)  (N-2,0,2)  ...  (0,0,N)
(1,0,0)      (N+1,0,0)  (N,1,0)    (N,0,1)    (N-1,2,0)  (N-1,1,1)  (N-1,0,2)  ...  (1,0,N)
(0,1,0)      (N,1,0)    (N-1,2,0)  (N-1,1,1)  (N-2,3,0)  (N-2,2,1)  (N-2,1,2)  ...  (0,1,N)
(0,0,1)      (N,0,1)    (N-1,1,1)  (N-1,0,2)  (N-2,2,1)  (N-2,1,2)  (N-2,0,3)  ...  (0,0,N+1)

As observed before, the message set (N/3 + 1, N/3, N/3) is the most uniform message distribution. Hence, it has the maximum number of repetitions in the message set matrix and will have a greater probability of being observed than (N + 1, 0, 0) or (0, 1, N).

The channel matrix M_{N.2} is given below.

     (N+1,0,0)  (N,1,0)         (N,0,1)         (N-1,2,0)                (N-1,1,1)                (N-1,0,2)                ...  (0,0,N+1)
0    p^N        N p^(N-1) q/2   N p^(N-1) q/2   N(N-1) p^(N-2) q^2/8     N(N-1) p^(N-2) q^2/4     N(N-1) p^(N-2) q^2/8     ...  0
1    0          p^N             0               N p^(N-1) q/2            N p^(N-1) q/2            0                        ...  0
2    0          0               p^N             0                        N p^(N-1) q/2            N p^(N-1) q/2            ...  (q/2)^N












Figure 5-14: Case 9: System with N Clueless Senders and M = 2 Receivers

The 3 x ((N + 2)(N + 3)/2) channel matrix M_{N.2}[i, j] represents the conditional probability of Eve receiving e_j when Alice sends a message to receiver R_i.
The probability distribution in the channel matrix can be imagined as a nesting of two binomial distributions: first, between messages sent and received; second, the distribution of messages sent to the two receivers. So, given the vector (a_0^j, a_1^j, a_2^j), the element of the channel matrix can be generalized by the formula below.



moj N= -N 1)p(a-1)(prob. distribution of (N (a 1)) messages to RI and R2)


S(a ( (O ))(q/2) (q/2)


(aN )p(a 1)N- (a 1) 2)
t ) p1 (q/.(/)10) -a -)



( N 1J t)
m2j Ip a31o (q/2)N-





Note that a_2^j does not explicitly appear but is implicit in the above since (a_0^j + a_1^j + a_2^j) - 1 = N; this relationship will be seen to be important in the following general case (where we use a generalized combinatorial formula). The conclusions and more generalizations related to this case are discussed in the results section.









Case 10: N Clueless Senders and M Receivers. We now generalize the problem to N clueless senders and M receivers (refer again to Figure 5-4). There are N + 1 indistinguishable transmissions (including null transmissions) and they are sent into M + 1 distinct receivers (urns) (this also includes the null transmission, which by convention goes to R_0, not shown in the figure). Combinatorics tells us then that there are K = $\binom{N+M+1}{N+1}$ possible symbols e_j.

The rows of our channel matrix correspond to the actions of Alice. The ith row of M_{N.M} describes the conditional probabilities p(e_j|x_i). (For simplicity we will not always explicitly note that j = 1, ..., $\binom{N+M+1}{N+1}$.) By convention e_1 always corresponds to every sender not sending a message (which is equivalent to all senders sending to R_0). Therefore e_1 is the M + 1 tuple (N + 1, 0, ..., 0). Given our simplifying semi-uniformity assumption for the clueless senders' distribution, this term must be handled differently.

The first row of the channel matrix is made up of the terms M_{N.M}[0, j]. Here, Alice is not sending any message (i.e., she is "sending" to R_0), so Alice contributes one to the term a_0^j in the M + 1 tuple (a_0^j, a_1^j, a_2^j, ..., a_M^j) associated with e_j. In fact, this tuple is the "long hand" representation of e_j. Therefore the contributions to the M + 1 tuple (a_0^j - 1, a_1^j, a_2^j, ..., a_M^j) describe what the N clueless senders are doing. That is, a_0^j - 1 clueless senders are not sending a message, a_1^j clueless senders are sending to R_1, etc. Hence, the multinomial coefficient $\binom{N}{a_0^j - 1,\, a_1^j,\, \ldots,\, a_M^j}$ tells us how many ways this may occur.^5 For each such occurrence we see that the transmissions to R_0 affect the probability by p^(a_0^j - 1), and the transmissions to R_i, i > 0, due to the semi-uniformity assumption, contribute (q/M)^(a_i^j). Since the actions are independent, the probabilities multiply, and since a_0^j - 1 + a_1^j + ... + a_M^j = N, we have a probability term of p^(a_0^j - 1) (q/M)^(N + 1 - a_0^j). Multiplying that term by the total number of ways of arriving at that arrangement we have that:

$$M_{N.M}[0, j] = \binom{N}{a_0^j - 1,\, a_1^j,\, \ldots,\, a_M^j}\, p^{a_0^j - 1} (q/M)^{N + 1 - a_0^j}.$$




^5 The multinomial coefficient is taken to be zero, if any of the "bottom" entries are negative.









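The other rows of the channel matrix are M_{N.M}[i, j], i > 0. For row i > 0, we have a combinatorial term $\binom{N}{a_0^j,\, a_1^j,\, \ldots,\, a_{i-1}^j,\, a_i^j - 1,\, a_{i+1}^j,\, \ldots,\, a_M^j}$ for the N clueless senders, a_0^j of which are sending to R_0 and N - a_0^j of which are sending to the R_i, i > 0. Therefore, we see that under the uniformity assumption,

$$M_{N.M}[i, j] = \binom{N}{a_0^j,\, a_1^j,\, \ldots,\, a_{i-1}^j,\, a_i^j - 1,\, a_{i+1}^j,\, \ldots,\, a_M^j}\, p^{a_0^j} (q/M)^{N - a_0^j}, \quad i > 0.$$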
We show the plots of the mutual information when the clueless senders act (as assumed throughout the report) in a semi-uniform manner and when Alice also sends in a semi-uniform manner (i.e., x_i = (1 - x_0)/M, i = 1, 2, ..., M). We conjecture based upon our intuition, but do not prove, that Alice having a semi-uniform distribution of destinations R_1, ..., R_M when the clueless senders act in a semi-uniform manner maximizes mutual information (achieves capacity). This has been supported by all of our numeric computations for capacity. With this conjecture, we can reduce the degrees of freedom for Alice from M to 1 (her distribution A is described entirely by x_0), which allows greater experimental and analytical exploration.

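The channel matrix greatly simplifies when both the clueless senders and Alice act
in a totally uniform manner. That is, when $x_0 = 1/(M+1)$, then $x_i = (1 - x_0)/M = 1/(M+1)$
for all $x_i$, and $p = 1/(M+1)$. We have

$$M_{N.M}[0,j] = \binom{N}{a_0^j - 1,\, a_1^j,\, \ldots,\, a_M^j}\, p^{a_0^j - 1}\,(q/M)^{N+1-a_0^j}$$

which simplifies to

$$M_{N.M}[0,j] = \binom{N}{a_0^j - 1,\, a_1^j,\, \ldots,\, a_M^j}\,(M+1)^{-N}.$$

(Note this form for $i = 0$ is due to the total uniformity of the Cs.) We also have

$$M_{N.M}[i,j] = \binom{N}{a_0^j,\, a_1^j,\, \ldots,\, a_{i-1}^j,\, a_i^j - 1,\, a_{i+1}^j,\, \ldots,\, a_M^j}\, p^{a_0^j}\,(q/M)^{N-a_0^j}, \quad i > 0,$$

which simplifies to

$$M_{N.M}[i,j] = \binom{N}{a_0^j,\, a_1^j,\, \ldots,\, a_{i-1}^j,\, a_i^j - 1,\, a_{i+1}^j,\, \ldots,\, a_M^j}\,(M+1)^{-N}, \quad i > 0.$$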

Table 1. Lower capacity bounds for N = 0,..., 9, and M = 1,..., 10

N \ M       1       2       3       4       5       6       7       8       9      10
0      0.3113  1.5849  2.0000  2.3219  2.5850  2.8074  3.0000  3.1699  3.2192  3.4594
1      0.2193  0.9172  1.2500  1.5219  1.7515  1.9502  2.1250  2.2811  2.4219  2.5503
2      0.1675  0.6204  0.8891  1.1204  1.3218  1.4996  1.6586  1.8021  1.9328  2.0529
3      0.1351  0.4555  0.6760  0.8423  1.0515  1.2112  1.3560  1.4882  1.6097  1.7221
4      0.1133  0.3537  0.5371  0.7080  0.8649  1.0090  1.1410  1.2630  1.3761  1.4813
5      0.0976  0.2864  0.4408  0.5893  0.7288  0.8588  0.9798  1.0925  1.1978  1.2965
6      0.0857  0.2392  0.3710  0.5010  0.6255  0.7434  0.8544  0.9587  1.0570  1.1496
7      0.0765  0.2048  0.3187  0.4334  0.5450  0.6522  0.7542  0.8510  0.9428  1.0298
8      0.0691  0.1789  0.2785  0.3803  0.4809  0.5786  0.6726  0.7626  0.8484  0.9303
9      0.0630  0.1587  0.2467  0.3377  0.4288  0.5183  0.6051  0.6888  0.7692  0.8463

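To determine the distribution $E$ describing Eve we need to sum over the columns
of the channel matrix and use the total uniformity of $A$.

$$P(E = e_j) = \sum_{i} P(E = e_j \mid A = i)\,P(A = i), \quad i = 0, \ldots, M.$$

This gives us

$$P(E = e_j) = \frac{1}{(M+1)^{N+1}} \sum_{i=0}^{M} \binom{N}{a_0^j,\, \ldots,\, a_{i-1}^j,\, a_i^j - 1,\, a_{i+1}^j,\, \ldots,\, a_M^j}.$$

From this we can compute the entropy $H(E)$ without too much trouble:

$$H(E) = \sum_{j} \frac{1}{(M+1)^{N+1}} \left[\sum_{i=0}^{M} \binom{N}{a_0^j,\, \ldots,\, a_i^j - 1,\, \ldots,\, a_M^j}\right] \left( (N+1)\log(M+1) - \log \sum_{i=0}^{M} \binom{N}{a_0^j,\, \ldots,\, a_i^j - 1,\, \ldots,\, a_M^j} \right)$$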


However, the conditional entropy is more complicated, but is expressible. Therefore, we

wrote Matlab code to calculate the mutual information, which is conjectured to achieve

capacity, when both the clueless senders act in a semi-uniform manner and Alice acts

in a totally uniform manner. Local exploration of nearby points all yield lower mutual

information values.

Table 1 tabulates the results of numerical calculations of capacities for different

combinations of values of N and M using Matlab. We conjecture that when Alice acts

in a totally uniform manner (that is every Alice probability is 1/(M + 1)) that capacity

is achieved when the p values are the same, and this capacity is the lower bound for all

capacities. The table gives capacity with p fixed at 1/(M + 1), which we determined

numerically to be less than the capacity for other values of p.










5.3.5 Non-Uniform Message Distributions

Each of the Senders (including Alice) can have different message distributions

among the receivers. We consider 80/20 and the more practical "Zipf" distributions and

explain each of them with respect to our scenario.

Zipf distribution. Zipf's distribution refers to the distribution of occurrence of
an event relative to its rank r. There are two Zipf's laws: the rank-frequency one and the
frequency count one. According to the rank-frequency law, the frequency of the rth
largest occurrence of the event is inversely proportional to its rank:

$$f_r \propto 1/r^{\theta}$$

This is typically referred to as Zipf's law or Zipf distribution. The rank-frequency
plot is a straight line with a slope $-\theta$ on a log-log scale.

The second law states that the count of events that have a frequency '' in terms

of 'f'. It is defined as

Cf C l1/f

We can easily prove that the second law is a mathematical consequence of the first

one. It can also be shown that = 1 + 1/0.

We now calculate the message distribution probabilities in the Zipf distribution for
the one Clueless transmitter (N = 1) and five receivers (M = 5) case. The probability
distribution is given by:

P(clueless send to R1) = c · 1/1
P(clueless send to R2) = c · 1/2
P(clueless send to R3) = c · 1/3
P(clueless send to R4) = c · 1/4
P(clueless send to R5) = c · 1/5
P(clueless doesn't send a message) = 1 - p = q

The constant c is given by 60p/137 and the new probabilities for sending to the various
receivers are 60p/137, 30p/137, 20p/137, 15p/137, and 12p/137.










80/20 distribution. According to this distribution, 80% of the messages are sent to
20% of the recipients and the remaining 20% to 80% of the recipients. Let us assume,
without loss of generality, that the first M/5 receivers get 80% of the messages and the
remaining receivers get the other 20% of the messages. The probability distribution of a
Clueless transmitter is as follows:

$$P(\text{clueless send to } R_i,\ \forall i = 1, 2, \ldots, M/5) = \frac{p \cdot 4/5}{M/5} = \frac{4p}{M}$$

$$P(\text{clueless send to } R_i,\ \forall i = M/5 + 1, \ldots, M) = \frac{p \cdot 1/5}{4M/5} = \frac{p}{4M}$$

$$P(\text{clueless doesn't send a message}) = 1 - p = q$$

For the probability distribution of Alice, there are three different probabilities: the first
for not sending a message, the second for sending to the first M/5 receivers, and the last
for the remaining 4M/5 receivers.
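The channel-matrix derivation earlier in this chapter and the clueless-sender distributions of Section 5.3.5 can be evaluated numerically. The Python below is an added example, not the Matlab code the thesis mentions. It generalizes the semi-uniform matrix entries to any clueless distribution over R_0, ..., R_M (the semi-uniform formula is the special case), and the function names and the `p_silent` parameter (the probability that a sender stays silent) are assumptions of this example.

```python
"""Channel matrix and mutual information for the Mix-firewall covert channel.

Added example: function names and parameters are this example's own.
"""
from math import factorial, log2


def compositions(total, slots):
    """Yield every tuple of `slots` non-negative integers that sums to `total`."""
    if slots == 1:
        yield (total,)
        return
    for first in range(total + 1):
        for rest in compositions(total - first, slots - 1):
            yield (first,) + rest


def multinomial(n, parts):
    """Multinomial coefficient; zero if any bottom entry is negative (footnote 5)."""
    if min(parts) < 0:
        return 0
    value = factorial(n)
    for a in parts:
        value //= factorial(a)
    return value


def semi_uniform(p_silent, m):
    """[P(R_0), P(R_1), ..., P(R_M)] with the send probability spread evenly."""
    return [p_silent] + [(1 - p_silent) / m] * m


def zipf(p_silent, m):
    """Send probability split over R_1..R_M in proportion to 1/rank."""
    weights = [1 / rank for rank in range(1, m + 1)]
    c = (1 - p_silent) / sum(weights)  # for M = 5: c = 60 * (send probability) / 137
    return [p_silent] + [c * w for w in weights]


def channel_matrix(n, clueless):
    """Row i = Alice sends to R_i (0 = silent); column j = Eve's count tuple e_j."""
    m = len(clueless) - 1
    events = list(compositions(n + 1, m + 1))
    matrix = []
    for i in range(m + 1):
        row = []
        for event in events:
            rest = list(event)
            rest[i] -= 1  # remove Alice's message; the rest is the N clueless senders
            prob = float(multinomial(n, rest))
            if prob:
                for count, c in zip(rest, clueless):
                    prob *= c ** count
            row.append(prob)
        matrix.append(row)
    return events, matrix


def mutual_information(alice, matrix):
    """I(A;E) in bits for Alice's input distribution over R_0..R_M."""
    p_eve = [sum(x * row[j] for x, row in zip(alice, matrix))
             for j in range(len(matrix[0]))]
    info = 0.0
    for x, row in zip(alice, matrix):
        for p_e, p_cond in zip(p_eve, row):
            if x > 0 and p_cond > 0:
                info += x * p_cond * log2(p_cond / p_e)
    return info


def capacity_semi_uniform(n, m, p_silent, steps=2000):
    """Grid search over x0 with Alice semi-uniform (the conjecture in the text)."""
    _, matrix = channel_matrix(n, semi_uniform(p_silent, m))
    best = max((mutual_information(semi_uniform(k / steps, m), matrix), k / steps)
               for k in range(steps + 1))
    return best[1], best[0]  # (maximizing x0, mutual information in bits)


if __name__ == "__main__":
    for n, m in [(0, 2), (1, 3)]:
        _, mat = channel_matrix(n, semi_uniform(1 / (m + 1), m))
        uniform_alice = [1 / (m + 1)] * (m + 1)
        print(n, m, round(mutual_information(uniform_alice, mat), 4))
    _, mat = channel_matrix(1, zipf(0.2, 4))
    print("Zipf clueless, uniform Alice:", round(mutual_information([0.2] * 5, mat), 4))
```

For N = 1 and M = 3 with everyone totally uniform this gives 1.2500 bits, the value Table 1 lists for that cell.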

5.4 Summary

This chapter presents the capacity analysis of the covert channel scenario. Since
the mathematics involved in the analysis is very complex, many simple cases are
analyzed. These include many cases involving combinations of N = 1, 2, 3, 4 additional
transmitters and M = 1, 2, 3 receivers. Based on the observations from the different
cases, the channel matrix and the entropy for the generalized case are discussed.

Finally, Zipf and 80/20 message distributions are considered for Alice and Clueless
Transmitters. The results of the calculations and generalizations of the
results are presented in the next chapter.















CHAPTER 6
DISCUSSION OF RESULTS

6.1 Capacity vs. Clueless Transmitters

Figure 6-1 shows the capacity as a function of p with M = 2 receivers, for

N = 1, 2, 3, 4 clueless senders. In all cases, the minimum capacity is realized at p = 1/3,

and the capacity at p = 1 is log 3. As N increases, the capacity decreases, with the

most marked effects at p = 1/3.

In Figure 6-1, the capacity (of course under the semi-uniformity assumption for C,
which is in force throughout the report) was determined numerically for any choice of
A. However, for the remaining plots, we applied the semi-uniformity conjecture (that
Alice is better off behaving semi-uniformly if that is what the clueless senders do).
Thus, x0 is the only free variable for Alice's distribution in what follows.

6.2 Capacity vs. Number of Receivers

Figure 6-2 shows the capacity as a function of p with M = 3 receivers, for

N = 1, 2, 4 clueless senders. As expected, in all cases, the minimum capacity is realized

at p = 1/4, and the capacity at p = 1 is log 4 = 2. As N increases, the capacity

decreases, with the most marked effects at p = 1/4. The minimum capacity is greater

when compared to corresponding value in the M = 2 case (refer to plot 6-1).

The mutual information as a function of xo is shown in Figure 6-3 for M = 2

receivers and N = 1 clueless sender for p = 0.25, 0.33, 0.5, 0.67. Here, note that the

curve with p = 0.33 has the smallest maximum value (capacity), and that the value

of x0 at which that maximum occurs is x0 = 0.33. The x0 value that maximizes the

mutual information (i.e., for which capacity is reached) for the other curves is not 0.33,

but the mutual information at x0 = 0.33 is not much less than the capacity for any of

the curves.

Figure 6-4 shows the mutual information curves for various values of x0 as a
function of p, with N = 2 clueless senders and M = 2 receivers. Similarly, Figure 6-5
shows the mutual information curves for various values of x0 as a function of p, with
N = 2 clueless senders and M = 3 receivers.

[Figure 6-1: Capacity for N = 1 to 4 Clueless Senders and M = 2 Receivers. Horizontal axis: p = P(Clueless not sending a message).]

[Figure 6-2: Capacity for N = 1, 2, 4 Clueless Senders and M = 3 Receivers. Horizontal axis: p = P(Clueless not sending a message).]

[Figure 6-3: Mutual Information vs. x0 for N = 1 Clueless Sender and M = 2 Receivers, for p = 0.33, 0.5, 0.67. Horizontal axis: x0.]

[Figure 6-4: Mutual Information vs. p for N = 2 Clueless Senders and M = 2 Receivers. Horizontal axis: p.]

[Figure 6-5: Mutual Information vs. p for N = 2 Clueless Senders and M = 3 Receivers. Horizontal axis: p = (1-q).]

In Figure 6-4, note that the curve for x0 = 1/(M + 1) = 1/3 has the largest
minimum mutual information, and also has the greatest mutual information at the
point where p = 1, i.e., when there is no noise since Clueless_i is not sending any
messages. The capacity for various values of p is, in essence, the curve that is the
maximum at each p over all of the x0 curves, and the lower bound on capacity occurs at
p = 1/3 = 1/(M + 1).

Also observe that the x0 = 0.33 curve has the highest value for p = 0.33, but
for other values of p, other values of x0 have higher mutual information (i.e., Alice
has a strategy better than using x0 = 0.33). However, the mutual information when
x0 = 0.33 is never much less than the capacity at any value of p, so in the absence of
information about the behavior of the clueless senders, a good strategy for Alice is to
just use x0 = 1/(M + 1). These observations are illustrated and expanded in the next
two figures. Note the differences in concavity between Figure 6-3 and Figure 6-4. We
will discuss concavity again later in the report.

Figure 6-6 shows the optimal value for x0, i.e., the one that maximizes mutual
information and hence, achieves channel capacity, for N = 1, 2, 3, 4 clueless senders
and M = 3 receivers as a function of p. A similar graph in [13] for M = 1 receiver is
symmetric about x0 = 0.5, but for M > 1 the symmetry is multidimensional, and the
graph projected to the (p, x0)-plane where the destinations are uniformly distributed
is not symmetric. However, note that the optimum choice of x0 is 1/(M + 1) both at
p = 1/(M + 1) and at p = 1, that is, when the clueless senders either create maximum
noise or when they do not transmit at all (no noise). As N increases, the optimum x0
for other values of p is further from 1/(M + 1). Also observe that Alice's best strategy is
to do the opposite of what the clueless senders do, up to a point. If they are less likely
to send messages (p > 1/(M + 1)), then Alice should be more likely to send messages
(x0 < 1/(M + 1)), whereas if Clueless_i is more likely to send messages (p < 1/(M + 1)),
then Alice should be less likely to send messages (x0 > 1/(M + 1)).

[Figure 6-6: Value of x0 that Maximizes Mutual Information for N = 1, 2, 3, 4 Clueless Senders and M = 3 Receivers as a Function of p. Horizontal axis: p = P(Clueless not sending a message).]

6.3 Capacity vs. Mutual Information at xo = 1/(M + 1)

Figure 6-7 shows the degree to which the choice of x0 = 1/(M + 1) can be
suboptimal, for N = 1, 2, 3, 4 clueless senders and M = 3 receivers. The plot shows the
mutual information for the given p and x0 = 1/(M + 1), normalized by dividing by the
capacity (maximum mutual information) at that same p. Hence, it shows the degree to
which a choice of x0 = 1/(M + 1) fails to achieve the maximum mutual information.
For N = 2, it is never worse than 0.94 (numerically), but for N = 4, its minimum
is 0.88. The relationship of suboptimality for other choices of M and N, or for other
distributions, is not known.

[Figure 6-7: Normalized Mutual Information when x0 = 1/4 for N = 1, 2, 3, 4 Clueless Senders and M = 3 Receivers. Horizontal axis: p = P(Clueless not sending a message).]

[Figure 6-8: Capacity for N = 1 Clueless Sender and M = 1 to 5 Receivers. Horizontal axis: p = P(Clueless not sending a message).]

[Figure 6-9: Capacity for N = 0 to 9 Clueless Senders and M = 1 to 10. Axes: Clueless Transmitters, N; Receivers, M.]


In Figure 6-8, we show the lower bound on capacity of the channel as a function of
p for N = 1 clueless sender and various values of M receivers. Numerical results show
that this lower bound increases for all p as M increases, and the lower bound on the
capacity for a given M occurs at p = 1/(M + 1), which is indicated by the dotted lines
in the figure.

For Figure 6-9, we take the capacity at p = 1/(M + 1), which we found numerically
to minimize the capacity of the covert channel, and plot this lower bound for capacity
for many values of N and M. We retain the assumption that x_i = (1 - x0)/(M + 1)
for i = 2,..., M, that is, given the semi-uniform distribution of transmissions to the
receivers by the clueless senders, it is best for Alice to do likewise. Along the surface
where N = 0, we have the noiseless channel, and the capacity is log(M + 1), which is
also the upper bound for capacity for all N and M. The values along the surface when
M = 1 give us the same values we derived in [13].

6.4 Capacity vs. Message Distributions

In Figure 6-10, we show the lower bound on capacity of the channel for different
message distributions of the Clueless transmitter, Alice following the uniform
distribution. The 80/20 distribution has the highest value of lower bound on capacity, followed
by the Zipf and the uniform distributions. Notice that the uniform distribution has
the lowest capacity bound of the three distributions, indicating that the capacity of the
covert channel increases with less uniform distributions.

[Figure 6-10: Capacity for Uniform, Zipf, and 80/20 Distributions for Clueless Transmitter and Uniform Distribution for Clueless Transmitter. Horizontal axis: p = P(Clueless not sending any message).]

Figure 6-11 shows the mutual information curves, when plotted for various

message distributions followed by Alice, with N = 1 clueless sender and M = 4 receivers

and the clueless sender following uniform distribution. From the curve, we deduce that

Alice has better channel capacity by maintaining the uniform message distribution,

when the clueless transmitter is following uniform distribution.

Figure 6-12 confirms the above fact for the case where the Clueless sender follows
the Zipf distribution. Calculating capacity for different message distributions gets more and
more complicated because of the increase in the number of variables, and more work needs to be
carried out in this area.

6.5 Comments and Generalizations

We first note that the maximum capacity of this (covert) quasi-anonymous channel

is log(M + 1) for M distinguishable receivers, and is achievable only if there are no

other senders (N = 0), or equivalently, if none of them ever send (p = 1), i.e., when the

channel is noiseless.

[Figure 6-11: Capacity for Uniform, Zipf, and 80/20 Distributions for Alice and Uniform Distribution for Clueless Transmitter. Horizontal axis: x0 = P(Alice not sending any message).]

[Figure 6-12: Capacity for Uniform, Zipf, and 80/20 Distributions for Alice and Zipf Distribution for Clueless Transmitter. Horizontal axis: x0 = P(Alice not sending any message).]

Here are some of the observations from the different cases considered, under the
semi-uniform assumption for the clueless senders and the semi-uniform conjecture for
Alice, followed by some generalizations.

1. The capacity C(p, N, M), as a function of the probability p that a clueless sender
   remains silent, with N clueless senders and M receivers, is strictly bounded below
   by C(1/(M + 1), N, M), and is achieved with x0 = 1/(M + 1).
2. The lower bound for capacity for a given number M of receivers decreases as the
   number N of clueless senders increases,
   C(1/(M + 1), N, M) > C(1/(M + 1), N + 1, M).
3. The lower bound for capacity for a given number N of clueless senders increases
   as the number M of distinguishable receivers increases,
   C(1/(M + 2), N, M + 1) > C(1/(M + 1), N, M).

These observations are intuitive, but we have not shown them to be true
numerically in the general case (we did for the case that M = 1 in our initial publication [13]).
It is interesting to note that increasing the number of distinguishable receivers increases
the covert channel capacity, which in some sense decreases the (sender) anonymity in
the system (Alice has more room in which to express herself). This is a bit contrary to
the intuitive view of anonymity in Mix networks, where more receivers tends to provide
"greater anonymity." In this light, we note that Danezis and Serjantov investigated the
effects of multiple receivers in statistical attacks on anonymity networks [?]. They found
that Alice having multiple receivers greatly lowered a statistical attacker's certainty of
Alice's receiver set.

While the graphs and numerical tests support that the worst thing the clueless
senders can do is to send (or not) with uniform probability distribution over the R_i,
i = 0, 2,..., M, we have not proven this mathematically. Nor have we proven that,
under these conditions, the best Alice can do is to send (or not) to each receiver R_i
with uniform probability, x_i = 1/(M + 1) for i = 0, 1, 2,..., M, although the numerical
computations support this. The proof in [13] of these conjectures for the case where
M = 1 relied, in part, on the symmetry about x0 = 0.5, which is not the case when
M > 1, so another approach must be used. However, we should still be able to use
the concavity/convexity results from [13]. Note that our conjecture that the best that
Alice can do is to send in a semi-uniform manner, and the results illustrated in Figure
8, seem to be an extension of the interesting results of [10].

6.6 Summary

The capacity C(p, N, M), as a function of the probability p that a clueless sender
remains silent, with N clueless senders and M receivers, is strictly bounded below
by C(1/(M + 1), N, M), and is achieved with x0 = 1/(M + 1). The lower bound of
capacity decreases with an increase in Clueless senders and increases with an increase in
distinguishable receivers. The lower bound for capacity for a given number of receivers
decreases as the number of Clueless senders increases.















CHAPTER 7
CONCLUSIONS AND FUTURE WORK

This thesis has taken a step towards tying the notion of capacity of a
quasi-anonymous channel associated with an anonymity network to the amount of anonymity
that the network provides. It explores the particular situation of a simple type of
timed Mix (it fires every tick) that also acts as an exit firewall. Cases for varying
numbers of distinguishable receivers and varying numbers of senders were considered,
resulting in the observations that more senders (not surprisingly) decreases the covert
channel capacity, while more receivers increases it. The latter observation is intuitive
to communication engineers, but may not have occurred to many in the anonymity
community, since the focus there is often on sender anonymity.

As the entropy H of the probability distribution associated with a message
output from a Mix gives the effective size, 2^H, of the anonymity set, we wonder if the
capacity of the residual quasi-anonymous channel in an anonymity system provides
some measure of the effective size of the anonymity set for the system as a whole.
That is, using the covert channel capacity as a standard yardstick, can we take the
capacity of the covert channel for the observed transmission characteristics of clueless
senders, equate it with the capacity for a (possibly smaller) set of clueless senders with
maximum entropy (i.e., who introduce the maximum amount of noise into the channel
for Alice), and use the size of this latter set as the effective number of clueless senders
in the system? This is illustrated in Figure 6-1, with the vertical dashed line showing
that N = 4 clueless senders that remain silent with probability p = 0.87 are in some
sense equivalent to one clueless sender that sends with p = 0.33.

The case in which the Mix itself injects dummy messages into the stream randomly
is not distinguishable from having an additional clueless sender. However, if the Mix
predicates its injection of dummy messages upon the activity of the senders, then it can
affect the channel matrix greatly, to the point of eliminating the covert channel entirely.
We are also interested in the degree to which the Mix can reduce the covert channel
capacity (increase anonymity) with a limited ability to inject dummy messages.















REFERENCES


[1] Adam Back, Ulf Moller, and Anton Stiglic. Traffic analysis attacks and trade-offs
in anonymity providing systems. In Ira S. Moskowitz, editor, Information Hiding,
4th International Workshop (IH 2001), pages 245-257. Springer-Verlag, LNCS
2137, 2001.

[2] P. Boucher, I. Goldberg, and A. Shostack. Freedom system 2.0 architecture.
http://www.freedom.net/info/whitepapers/, December 2000. Zero-Knowledge
Systems, Inc.

[3] David Chaum. Untraceable electronic mail, return addresses and digital
pseudonyms. Communications of the ACM, 24(2):84-88, 1981.

[4] David Chaum. The dining cryptographers problem: Unconditional sender and
recipient untraceability. Journal of Cryptology: the Journal of the International
Association for Cryptologic Research, 1(1):65-75, 1988.

[5] L. Cottrell. Mixmaster and remailer attacks, August 1994.
http://www.obscura.com/~loki/remailer/remailer-essay.html, August 2004.

[6] Claudia Diaz, Stefaan Seys, Joris Claessens, and Bart Preneel. Towards measuring
anonymity. In Paul Syverson and Roger Dingledine, editors, Privacy Enhancing
Technologies (PET 2002). Springer-Verlag, LNCS 2482, April 2002.

[7] D. Goldschlag, M. Reed, and P. Syverson. Onion routing for anonymous and
private internet connections. Communications of the ACM (USA), 42(2):39-41,
1999.

[8] C. Gülcü and G. Tsudik. Mixing Email with Babel. In Internet Society Symposium
on Network and Distributed System Security (NDSS'96), pages 2-16, San Diego,
CA, Feb 1996.

[9] D. Kesdogan, J. Egner, and R. Buschkes. Stop-and-go-MIXes providing probabilistic
anonymity in an open system. In Proceedings of the International Information
Hiding Workshop, April 1998.

[10] E.E. Majani and H. Rumsey. Two results on binary input discrete memoryless
channels. In IEEE International Symposium on Information Theory, page 104,
June 1991.

[11] Ulf Moeller and Lance Cottrell. Mixmaster Protocol Version 3, 2000.
http://www.eskimo.com/~rowdenw/crypt/Mix/draft-moeller-v3-01.txt, August 2004.

[12] Ira S. Moskowitz and Myong H. Kang. Covert channels - here to stay? In Proc.
COMPASS'94, pages 235-243, Gaithersburg, MD, June 27 - July 1 1994. IEEE
Press.

[13] Ira S. Moskowitz, Richard E. Newman, Daniel P. Crepeau, and Allen R. Miller.
Covert channels and anonymizing networks. In ACM WPES, pages 79-88,
Washington, October 2003.

[14] Ira S. Moskowitz, Richard E. Newman, and Paul F. Syverson. Quasi-anonymous
channels. In IASTED CNIS, pages 126-131, New York, December 2003.

[15] R. E. Newman-Wolfe and B. R. Venkatraman. High level prevention of traffic
analysis. In Proc. IEEE/ACM Seventh Annual Computer Security Applications
Conference, pages 102-109, San Antonio, TX, Dec 2-6 1991. IEEE CS Press.

[16] R. E. Newman-Wolfe and B. R. Venkatraman. Performance analysis of a method
for high level prevention of traffic analysis. In Proc. IEEE/ACM Eighth Annual
Computer Security Applications Conference, pages 123-130, San Antonio, TX, Nov
30-Dec 4 1992. IEEE CS Press.

[17] Onion routing home page. http://www.onion-router.net, August 2004.

[18] J. Raymond. Traffic analysis: Protocols, attacks, design issues, and open problems.
In Hannes Federrath, editor, Designing Privacy Enhancing Technologies: Design
Issues in Anonymity and Observability, pages 10-29. Springer-Verlag, LNCS 2009,
July 2000.

[19] Michael K. Reiter and Aviel D. Rubin. Crowds: anonymity for web transactions.
ACM Transactions on Information and System Security, 1(1):66-92, 1998.

[20] Andrei Serjantov and George Danezis. Towards an information theoretic metric
for anonymity. In Paul Syverson and Roger Dingledine, editors, Privacy Enhancing
Technologies (PET 2002). Springer-Verlag, LNCS 2482, April 2002.

[21] Andrei Serjantov, Roger Dingledine, and Paul Syverson. From a trickle to a flood:
Active attacks on several mix types. In IH 2002, pages 36-52, Noordwijkerhout,
the Netherlands, October 2002.

[22] Claude E. Shannon. The mathematical theory of communication. Bell Systems
Technical Journal, 30:50-64, 1948.

[23] Claude E. Shannon. The zero error capacity of a noisy channel. IRE Trans. on
Information Theory, Vol. IT-2:S8-S19, September 1956.

[24] P F Syverson, D M Goldschlag, and M G Reed. Anonymous connections and onion
routing. In IEEE Symposium on Security and Privacy, pages 44-54, Oakland,
California, 4-7 1997.

[25] Paul F. Syverson, Gene Tsudik, Michael G. Reed, and Carl E. Landwehr. Towards
an analysis of onion routing security. In Hannes Federrath, editor, Designing
Privacy Enhancing Technologies: Design Issues in Anonymity and Observability,
pages 96-114. Springer-Verlag, LNCS 2009, July 2000.

[26] B. R. Venkatraman and R. E. Newman-Wolfe. Transmission schedules to prevent
traffic analysis. In Proc. IEEE/ACM Ninth Annual Computer Security Applications
Conference, pages 108-115, Orlando, FL, December 6-10 1993. IEEE CS Press.

[27] B. R. Venkatraman and R. E. Newman-Wolfe. Performance analysis of a method
for high level prevention of traffic analysis using measurements from a campus
network. In Proc. IEEE/ACM Tenth Annual Computer Security Applications
Conference, pages 288-297, Orlando, FL, December 5-9 1994. IEEE CS Press.















BIOGRAPHICAL SKETCH

Vipan Reddy Nalla was born on August 1st, 1981, in Nizamabad, Andhra Pradesh,
India. He received his undergraduate degree, Bachelor of Technology, civil engineering,
from Indian Institute of Technology, Chennai (Madras), India, in August 2001.
He joined the University of Florida in Spring 2003 to pursue his master's degree.
His research interests include Network Security and Cryptography with an emphasis on
anonymity and covert channels.