Auditable Privacy: On Tamper-Evident Mix Networks

Jong Youl Choi, Dept. of Computer Science, Indiana University at Bloomington

Philippe Golle, Palo Alto Research Center (pgolle@parc.com)

Markus Jakobsson, School of Informatics, Indiana University at Bloomington

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Auditable Privacy:' - melyssa-bauer


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Mix Networks

  • A sequence of mix servers

[Figure: sequence of mix servers; labels: Public, Private, Public]

  • Mixing to make tracing impossible

  • Used as a building block to protect privacy or keep something anonymous


What can go wrong in mix-nets

  • Random permutation is secret

[Figure: Mix-server 1, Mix-server 2, Mix-server 3]


Possible Attacks

  • Aims to

    • Leak secret permutations

    • Leak private keys

    • Leak any security-critical information

  • Although no side channel is allowed, leaking is possible through the public channel

  • The information leak is noticeable only to designated accomplices (by using a covert channel)


Good time to launch an attack

[Figure: timeline (axis: Time) of the mix-server's Key generation and Mixing phase, with labels Vulnerable, Safe, Commitment, Verification, Tamper-evident, Observer]


How to verify – Intuitive idea

  • Cut-and-choose: 50% error rate

  • Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches: 1/2^k error rate


Review: Re-encryption mix-nets

  • Two operations in a mix server

    • El-Gamal re-encryption

    • Permutation

[Figure: Encrypted Messages → Re-encrypted and Permuted Messages, with re-encryption factors α1, α2, …, αn and permutation π(1), π(2), …, π(n)]

  • El-Gamal re-encryption is homomorphic

    • There exist two integers β and δ s.t. α = β + δ

    • Re-encryption (ReEnc) satisfies ReEnc(m, α) = ReEnc(ReEnc(m, β), δ)


Homomorphism

  • El-Gamal re-encryption: α = β + δ

[Figure: Encrypted Messages → Re-encrypted Messages, via α or via β then δ]

  • Permutation

[Figure: permutation equality]


An example of a covert channel

  • Replacing a random number generator

[Figure: a Random Number Generator supplies α1, α2, …, αn and π(1), π(2), …, π(n) to the El-Gamal Re-encryption and Permutation steps between Inputs and Outputs]


Solution overview

  • Data flow

[Figure: Key Generation produces a Commitment; the Mixing Phase produces a Witness and the Re-encrypted Message; both go to the Observer]


Key generation

  • Conditions: αi = βi + δi, π = τ◦σ

  • Publicize a commitment

[Figure: Permutation π with factors α1, α2, …, αn is split into Permutation σ (the same inputs; factors β1, β2, …, βn) followed by Permutation τ (the same outputs; factors δ1, δ2, …, δn)]


Mixing phase

  • Output re-encrypted messages {A’i} and witnesses {Wi}

[Figure: inputs A1, A2, …, An pass through Permutation σ (β1, β2, …, βn) to give witnesses W1, W2, …, Wn, then through Permutation τ (δ1, δ2, …, δn) to give outputs A’1, A’2, …, A’n; shown alongside Permutation π with α1, α2, …, αn]


Interactive verification

[Figure: Observer and Mix Server; A1, A2, …, An → Permutation σ (β1, β2, …, βn) → W1, W2, …, Wn → Permutation τ (δ1, δ2, …, δn) → A’1, A’2, …, A’n]

1. Choose either 0 (LEFT) or 1 (RIGHT)

2. Open corresponding values and hashes of the others

3. Verify that there is no variation from the previous commitment
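
The key generation, mixing and interactive verification steps above, together with the homomorphism they rely on, as an added Python example (not the authors' code). It assumes a constructed toy El-Gamal group, a two-leaf hash tree in place of the full Merkle tree, and δ indexed by witness position; all function names are illustrative.

```python
import hashlib, random

# Toy El-Gamal group, constructed for this example and far too small for real use.
P, Q, G = 2039, 1019, 4           # G generates the order-Q subgroup of Z_P*
Y = pow(G, 77, P)                 # public key for a constructed secret key

def H(*parts):
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def reenc(c, r):
    """El-Gamal re-encryption of ciphertext c with factor r."""
    return (c[0] * pow(G, r, P) % P, c[1] * pow(Y, r, P) % P)

def stage(batch, factors, perm):
    """Re-encrypt item i with factors[i], then move it to position perm[i]."""
    out = [None] * len(batch)
    for i, c in enumerate(batch):
        out[perm[i]] = reenc(c, factors[i])
    return out

def keygen(n, rng):
    """Left half (beta, sigma), right half (delta, tau), commitment rho."""
    left = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))
    right = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))
    return left, right, H(H(*left), H(*right))   # two-leaf hash tree (assumption)

def combined(left, right):
    """alpha and pi = tau∘sigma; delta is indexed by witness position here."""
    (beta, sigma), (delta, tau) = left, right
    alpha = [(b + delta[s]) % Q for b, s in zip(beta, sigma)]
    return alpha, [tau[s] for s in sigma]

def verify(rho, A, W, A_out, bit, opened, other_hash):
    """Observer: bind the opened half to rho, then recompute that half."""
    leaves = (H(*opened), other_hash) if bit == 0 else (other_hash, H(*opened))
    if H(*leaves) != rho:
        return False
    return stage(A, *opened) == W if bit == 0 else stage(W, *opened) == A_out

def demo(tamper, seed=1):
    """Verdicts for challenge 0 (LEFT) and 1 (RIGHT); tamper=True uses an uncommitted factor."""
    rng = random.Random(seed)
    msgs = [(5, 16), (9, 64), (12, 256)]   # constructed (randomness, message) pairs
    A = [(pow(G, k, P), m * pow(Y, k, P) % P) for k, m in msgs]
    left, right, rho = keygen(len(A), rng)
    used = ([left[0][0] + 1] + left[0][1:], left[1]) if tamper else left
    W = stage(A, *used)
    A_out = stage(W, *right)
    return [verify(rho, A, W, A_out, b, (left, right)[b], H(*(right, left)[b]))
            for b in (0, 1)]
```

A server that deviates in the left half is caught by challenge 0 and missed by challenge 1, which is the 1/2 cheating probability of a single proof.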


Security improvement #1

  • Proof of tamper-freeness

    • Probability of cheating: 1/2

    • Number of commitments κ

       Acceptable cheating probability < 1/2^κ

[Figure: κ proofs]


Security improvement #2

  • Undercover observer

    • Challenges are automatically chosen from κ bits of output hash({A’i})

    • Non-interactive proof → stealthy observation

    • It is hard for attackers to find non-interactive observers; hence we call them undercover observers

[Figure: Key Generation, Commitment, Mixing Phase, Witness]
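
How an undercover observer can recompute the challenges offline from public data, as an added Python example (not the authors' code). SHA-256, the bit order and the function names are assumptions; the output batches are constructed placeholders rather than real ciphertexts.

```python
import hashlib

def challenge_bits(outputs, kappa):
    """Take the kappa challenge bits from hash({A'_i}); SHA-256 is an assumption."""
    digest = hashlib.sha256(repr(outputs).encode()).digest()
    value = int.from_bytes(digest, "big")
    return [(value >> i) & 1 for i in range(kappa)]

def audit(outputs, opened_sides):
    """Undercover observer: opened_sides[i] is the half (0 = LEFT, 1 = RIGHT)
    the server opened for commitment i. Accept only if the hash dictated it."""
    return opened_sides == challenge_bits(outputs, len(opened_sides))

def tamperer_pass_rate(kappa, trials):
    """A server that deviated in every LEFT half survives only if all kappa
    bits say RIGHT; count how often that happens over constructed batches."""
    passed = sum(all(challenge_bits([(i, 2 * i + 1)], kappa)) for i in range(trials))
    return passed / trials
```

With κ = 4 the measured pass rate sits near 1/2^4, and each additional commitment halves it.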


Conclusion

  • A covert channel in mix networks threatens privacy

  • New notion of security: tamper-evidence, detecting variations from prescribed commitments

  • Stealthy operation of non-interactive observer



Key generation

  • Commitment: Root of a Merkle hash tree

[Figure: Merkle hash tree with root ρ, built with a hash function; leaves include β1, β2, δ1, δ2, δn-1, δn, σ, τ]
