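2.4. Analysis of the general case<br />
Finally, for vertices $\langle i_1, \ldots, i_{\ell-1}\rangle$ just above the leaves, we get:<br />
$$\bar{S}_{\langle i_1,\ldots,i_{\ell-1}\rangle} = \frac{(b_\ell - k_{\langle i_1,\ldots,i_{\ell-1}\rangle})^2}{b_\ell} + \frac{k_{\langle i_1,\ldots,i_{\ell-1}\rangle}}{b_\ell} \tag{2.11}$$<br />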
Expressions (2.9 – 2.11) can be used to compute the expected anonymity set size in the system<br />
iteratively, in case of any number of compromised members. However, note that the computation<br />
depends not only on the number c of the compromised members, but also on their positions in the tree.<br />
This makes the comparison of different systems difficult, because for a comprehensive analysis,<br />
all possible allocations of the compromised members over the leaves of the key-tree should be<br />
considered. Therefore, a formula is preferred that depends solely on c but still characterizes the<br />
effect of compromised members on the level of privacy well enough to serve as a<br />
basis for comparing different systems. In the following, such a formula is derived based on the<br />
assumption that the compromised members are distributed uniformly at random over the leaves of<br />
the key-tree. In some sense, this is a pessimistic assumption as the uniform distribution represents<br />
the worst case, which leads to the largest amount of privacy loss due to the compromised members.<br />
Thus, the approximation that is derived can be viewed as a lower bound on the expected anonymity<br />
set size in the system when c members are compromised.<br />
Let the branching factor of the key-tree be $B = (b_1, b_2, \ldots, b_\ell)$, and let $c$ be the number of<br />
compromised leaves in the tree. We can estimate $k_{\langle - \rangle}$ for the root as follows:<br />
$$k_{\langle - \rangle} \approx \min(c, b_1) = k_0 \tag{2.12}$$<br />
If a vertex $\langle i \rangle$ at the first level of the tree is compromised, then the number of compromised<br />
leaves in the subtree rooted at $\langle i \rangle$ is approximately $c/k_0 = c_1$. Then, we can estimate $k_{\langle i \rangle}$ as<br />
follows:<br />
$$k_{\langle i \rangle} \approx \min(c_1, b_2) = k_1 \tag{2.13}$$<br />
In general, if vertex $\langle i_1, \ldots, i_j \rangle$ at the $j$-th level of the tree is compromised, then the number<br />
of compromised leaves in the subtree rooted at $\langle i_1, \ldots, i_j \rangle$ is approximately $c_{j-1}/k_{j-1} = c_j$, and<br />
we can use this to approximate $k_{\langle i_1,\ldots,i_j \rangle}$ as follows:<br />
$$k_{\langle i_1,\ldots,i_j \rangle} \approx \min(c_j, b_{j+1}) = k_j \tag{2.14}$$<br />
Using these approximations in expressions (2.9 – 2.11), we can derive an approximation for<br />
$\bar{S}_{\langle - \rangle}$, which is denoted by $\bar{S}_0$, in the following way:<br />
$$\bar{S}_{\ell-1} = \frac{(b_\ell - k_{\ell-1})^2}{b_\ell} + \frac{k_{\ell-1}}{b_\ell} \tag{2.15}$$<br />
$$\vdots$$<br />
$$\bar{S}_j = \frac{\left((b_{j+1} - k_j)\, b_{j+2} \cdots b_\ell\right)^2}{b_{j+1} \cdots b_\ell} + \frac{k_j}{b_{j+1}}\, \bar{S}_{j+1} \tag{2.16}$$<br />
$$\vdots$$<br />
$$\bar{S}_0 = \frac{\left((b_1 - k_0)\, b_2 \cdots b_\ell\right)^2}{b_1 \cdots b_\ell} + \frac{k_0}{b_1}\, \bar{S}_1 \tag{2.17}$$<br />
Note that expressions (2.15 – 2.17) do not depend on the positions of the compromised leaves<br />
in the tree; they depend only on the value of c.<br />
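The recursion (2.12) – (2.17) in code, set beside a per-placement computation to show how strongly the result depends on where the compromised leaves sit. This is an added example, not part of the original text. `exact_anonymity` assumes that expressions (2.9) and (2.10), which are not shown on this page, have the same form as (2.16) and (2.17) with each vertex's own k; the function names and the two placements are constructed for illustration.

```python
from math import prod

def approx_anonymity(B, c):
    """Approximation S_0 of (2.15)-(2.17); depends only on c and B."""
    if c == 0:
        return float(prod(B))            # nobody compromised: one set of size N
    ks, cj = [], float(c)
    for b in B:                          # k_j = min(c_j, b_{j+1}), c_{j+1} = c_j / k_j
        k = min(cj, b)
        ks.append(k)
        cj /= k
    S = 1.0                              # a compromised leaf is a set of size 1
    for j in reversed(range(len(B))):    # (2.15) first, then (2.16), ending at (2.17)
        below = prod(B[j + 1:])          # b_{j+2} ... b_l (empty product is 1)
        S = ((B[j] - ks[j]) * below) ** 2 / (B[j] * below) + ks[j] / B[j] * S
    return S

def exact_anonymity(B, compromised):
    """Expected anonymity set size for one placement of distinct leaf indices.
    Assumed model: at each vertex the subtrees without compromised leaves form
    one anonymity set; compromised subtrees are split further, level by level."""
    def sum_sq(level, leaves, size):     # sum of squared set sizes in a subtree
        if size == 1:
            return 1
        child = size // B[level]
        groups = {}
        for x in leaves:                 # group compromised leaves by child subtree
            groups.setdefault(x // child, []).append(x % child)
        clean = (B[level] - len(groups)) * child
        return clean ** 2 + sum(sum_sq(level + 1, g, child) for g in groups.values())
    N = prod(B)
    return sum_sq(0, list(compromised), N) / N

# Constructed placements of c = 30 compromised members in a (30, 30, 30) tree.
B = (30, 30, 30)
SPREAD = [i * 900 for i in range(30)]    # one per first-level subtree
CLUSTERED = list(range(30))              # all under a single lowest-level vertex

if __name__ == "__main__":
    print("approximation, c=30:", round(approx_anonymity(B, 30), 2))
    print("exact, spread      :", round(exact_anonymity(B, SPREAD), 2))
    print("exact, clustered   :", round(exact_anonymity(B, CLUSTERED), 2))
```

For these inputs the spread placement reproduces the approximation, while the clustered placement leaves a far larger expected anonymity set for the same c.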
In order to see how well $\bar{S}_0$ estimates $\bar{S}_{\langle - \rangle}$, some simulations are run. The simulation parameters<br />
are the following:<br />
total number of members $N = 27000$;<br />
upper bound on the maximum authentication delay $D_{max} = 90$;<br />
two branching factor vectors are considered: $(30, 30, 30)$ and $(72, 5, 5, 5, 3)$;<br />
the number $c$ of compromised members is varied between 1 and 270 with a step size of one.<br />