Ania M Piotrowska’s research while affiliated with University College London and other places



Publications (6)


Figure 1: High-level overview of the process of isolating malicious mixes in Miranda.
No Right to Remain Silent: Isolating Malicious Mixes
  • Conference Paper
  • Full-text available

June 2019 · 214 Reads · 19 Citations

Hemi Leibowitz · Ania M Piotrowska

Mix networks are a key technology to achieve network anonymity and private messaging, voting and database lookups. However, simple mix network designs are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive proofs of correct shuffling but come at a great cost and make limiting or unrealistic systems assumptions. We present Miranda, an efficient mix-net design, which mitigates active attacks by malicious mixes. Miranda uses both the detection of corrupt mixes, as well as detection of faults related to a pair of mixes, without detection of the faulty one among the two. Each active attack, including dropping packets, leads to reduced connectivity for corrupt mixes and reduces their ability to attack, and, eventually, to detection of corrupt mixes. We show, through experiments, the effectiveness of Miranda, by demonstrating how malicious mixes are detected and that attacks are neutralized early.


Fig. 5. Effect of the community detection mechanism to detect semi-honest links.
Fig. 6. Packet loss using TCP and UDP with FEC.
Fig. 7. The precision of upper bound for δ presented in theorem 1 for a fixed = 0.2. The exact values are computed using the importance sampling technique.
No right to remain silent: Isolating Malicious Mixes

September 2018 · 538 Reads

Mix networks are a key technology to achieve network anonymity, private messaging, voting and database lookups. However, simple mix networks are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive proofs of correct shuffling, but come at a great cost and make limiting or unrealistic systems assumptions. We present Miranda, a synchronous mix network mechanism, which is provably secure against malicious mixes attempting active attacks to de-anonymize users, while retaining the simplicity, efficiency and practicality of mix networks designs. Miranda derives a robust mix reputation through the first-hand experience of mix node unreliability, reported by clients or other mixes. As a result, each active attack, including dropping packets, leads to reduced connectivity for malicious mixes and reduces their ability to attack. We show, through experiments, the effectiveness and practicality of Miranda by demonstrating that attacks are neutralized early, and that performance does not suffer.


AnNotify: A Private Notification Service

October 2017 · 158 Reads · 7 Citations

Ania M Piotrowska · Jamie Hayes · Nethanel Gelernter · [...]

AnNotify is a scalable service for private, timely and low-cost on-line notifications, based on anonymous communication, sharding, dummy queries, and Bloom filters. We present the design and analysis of AnNotify, as well as an evaluation of its costs. We outline the design of AnNotify and calculate the concrete advantage of an adversary observing multiple queries. We present a number of extensions, such as generic presence and broadcast notifications, and applications, including notifications for incoming messages in anonymous communications, updates to private cached web and Domain Name Service (DNS) queries.


The Loopix Anonymity System

August 2017 · 301 Reads · 115 Citations

We present Loopix, a low-latency anonymous communication system that provides bi-directional 'third-party' sender and receiver anonymity and unobservability. Loopix leverages cover traffic and brief message delays to provide anonymity and achieve traffic analysis resistance, including against a global network adversary. Mixes and clients self-monitor the network via loops of traffic to provide protection against active attacks, and inject cover traffic to provide stronger anonymity and a measure of sender and receiver unobservability. Service providers mediate access in and out of a stratified network of Poisson mix nodes to facilitate accounting and off-line message reception, as well as to keep the number of links in the system low, and to concentrate cover traffic. We provide a theoretical analysis of the Poisson mixing strategy as well as an empirical evaluation of the anonymity provided by the protocol and a functional implementation that we analyze in terms of scalability by running it on AWS EC2. We show that a Loopix relay can handle upwards of 300 messages per second, at a small delay overhead of less than 1.5 ms on top of the delays introduced into messages to provide security. Overall message latency is in the order of seconds - which is low for a mix-system. Furthermore, many mix nodes can be securely added to a stratified topology to scale throughput without sacrificing anonymity.


Figure 3: Provider stores messages destined for assigned clients in a particular inbox. When users pull messages from the mix node, the provider generates cover messages to guarantee that the adversary cannot learn how many messages are in the user's inbox. The messages from the inbox and dummies are indistinguishable.
Figure 4: Entropy versus the changing rate of the incoming traffic for different delays with mean 1/µ. In order to measure the entropy we run a simulation of traffic arriving at a single Loopix mix node.
Figure 5: Likelihood difference ε depending on the delay parameter µ of mix nodes. We use λ = 2, a topology of 3 layers with 3 nodes per layer and no corruption.
Figure 7: Likelihood difference ε depending on the percentage of (passively) corrupted mix nodes. We use λ = 2, µ = 1 and a topology of 3 layers with 3 nodes per layer.  
Figure 8: Overall bandwidth and good throughput per second for a single mix node.  
The Loopix Anonymity System

March 2017 · 332 Reads · 27 Citations

We present Loopix, a low-latency anonymous communication system that provides bi-directional 'third-party' sender and receiver anonymity and unobservability. Loopix leverages cover traffic and brief message delays to provide anonymity and achieve traffic analysis resistance, including against a global network adversary. Mixes and clients self-monitor the network via loops of traffic to provide protection against active attacks, and inject cover traffic to provide stronger anonymity and a measure of sender and receiver unobservability. Service providers mediate access in and out of a stratified network of Poisson mix nodes to facilitate accounting and off-line message reception, as well as to keep the number of links in the system low, and to concentrate cover traffic. We provide a theoretical analysis of the Poisson mixing strategy as well as an empirical evaluation of the anonymity provided by the protocol and a functional implementation that we analyze in terms of scalability by running it on AWS EC2. We show that a Loopix relay can handle upwards of 300 messages per second, at a small delay overhead of less than 1.5 ms on top of the delays introduced into messages to provide security. Overall message latency is in the order of seconds - which is low for a mix-system. Furthermore, many mix nodes can be securely added to a stratified topology to scale throughput without sacrificing anonymity.


AnNotify: A Private Notification Service

May 2016 · 260 Reads · 1 Citation

AnoNotify is a service for private, timely and low-cost on-line notifications. We present the design and security arguments behind AnoNotify, as well as an evaluation of its cost. AnoNotify is based on mix-networks, Bloom filters and shards. We present a security definition and security proofs for AnoNotify. We then discuss a number of applications, including notifications for incoming messages in anonymous communications, updates to private cached web and Domain Name Service (DNS) queries and finally, a private presence mechanism.


Citations (4)


... In MixNN, the designer cannot distinguish between the two scenarios, and the simplest way is to replace both the servers. MixNN can use the same approach proposed by Hemi et al. [31] to isolate malicious servers before a cascade transfers the real message. ...

Reference:

MixNN: A Design for Protecting Deep Learning Models
No Right to Remain Silent: Isolating Malicious Mixes

... Modifying packet timing and sizes. The most common defense [24], [50], [7], [5], [32], [44], [35], [26], [1] against traffic analysis attacks is to modify the packets' timing to prevent any data leakage. In the traditional traffic analysis settings, using such defenses is very costly and is often not effective [32], [11], [40]. ...

The Loopix Anonymity System

... This work was published in Proceedings of the 2017 on Workshop on Privacy in the Electronic Society (WPES) [53] and it is a joined work with George Danezis, Nethanel Gelernter, Jamie Hayes and Amir Herzberg. I have provided most of the key design ideas and security analysis. ...

AnNotify: A Private Notification Service

... We explain how to do so in Appendix A.2. We also assume that users can use an anonymous communication channel [35,66] to communicate with the TS and SPs to protect their privacy at the network layer. Suppose that Alice uses Schnorr's identification protocol to authenticate herself to her bank. ...

The Loopix Anonymity System