practical and provably secure anonymity
Download
Skip this Video
Download Presentation
Practical(?) And Provably Secure Anonymity

Loading in 2 Seconds...

play fullscreen
1 / 46

Practical(?) And Provably Secure Anonymity - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

Practical(?) And Provably Secure Anonymity. Nick Hopper. Sender -Anonymous Communication: The “Love Letter Problem”. Who?. You have a secret admirer!. Alex. Eve, The Net Admin. Receiver-Anonymous Communication: The Whistleblower’s problem. Eve. ?. E PK (“AUDIT ACME!”). IRS. Alex.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Practical(?) And Provably Secure Anonymity' - nadine-beck


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
sender anonymous communication the love letter problem
Sender-Anonymous Communication: The “Love Letter Problem”

Who?

You have a secret admirer!

Alex

Eve,

The Net Admin

Nick Hopper - Crypto/Security Seminar

receiver anonymous communication the whistleblower s problem
Receiver-Anonymous Communication: The Whistleblower’s problem

Eve

?

EPK(“AUDIT ACME!”)

IRS

Alex

Nick Hopper - Crypto/Security Seminar

previous work on anonymous communication
Previous Work on anonymous communication
  • Mix-Net/Onion routing:
    • Efficient, but not (yet) provably secure
  • DC-Nets
    • Provably secure, but not efficient

Nick Hopper - Crypto/Security Seminar

mix net
Mix-Net

E

EMIX(C,M3)

EMIX(D,M1)

EMIX(E,M5)

A

D

Mix

EMIX(E,M2)

EMIX(D,M4)

C

B

Nick Hopper - Crypto/Security Seminar

mix net1
Mix-Net

E

EMIX(D,M1)

EMIX(E,M2)

A

EMIX(C,M3)

D

Mix

EMIX(D,M4)

EMIX(E,M5)

C

B

Nick Hopper - Crypto/Security Seminar

mix net2
Mix-Net

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar

mix net3
Mix-Net

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar

mix net4
Mix-Net

EE(M5)

EE(M2)

E

ED(M1)

A

ED(M4)

D

Mix

EC(M3)

C

B

Nick Hopper - Crypto/Security Seminar

onion routing
Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing1
Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing2
Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing3
Onion Routing

EH(M)

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing4
Onion Routing

EF(H,EH(M))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing5
Onion Routing

EB(F,EF(H,EH(M)))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing6
Onion Routing

EE(B,EB(F,EF(H,EH(M))))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing7
Onion Routing

EB(F,EF(H,EH(M)))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing8
Onion Routing

E

A

G

C

EF(H,EH(M))

B

F

D

H

Nick Hopper - Crypto/Security Seminar

onion routing9
Onion Routing

E

A

G

C

B

F

EH(M)

D

H

Nick Hopper - Crypto/Security Seminar

onion routing10
Onion Routing

E

A

G

C

B

F

M

D

H

Nick Hopper - Crypto/Security Seminar

dc net multiparty sum
DC Net: Multiparty Sum

XA

A

XC

XB

C

B

XD

D

Nick Hopper - Crypto/Security Seminar

dc net multiparty sum1
DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

A

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar

dc net multiparty sum2
DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

A

SAB

SAC

XC

XB

SAD

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar

dc net multiparty sum3
DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

A

SA

SC

XC

SB

XB

C

B

SD

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar

dc net multiparty sum4
DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

X = SA + SB + SC + SD

= XA + XB + XC + XD

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar

how to use multiparty sum for anonymity
How to use multiparty sum for anonymity
  • If XA = XB = XC = 0 then X=XD!
  • If more than one non-zero: collision
  • Use standard networking techniques
  • Provably, Perfectly secure against passive adversary.
  • Problems:
    • Inefficient – O(n3) protocol messages/ anonymous message
    • Easy to JAM it!

Nick Hopper - Crypto/Security Seminar

efficiency issue
Efficiency “Issue”
  • “Perfect” security requires (n2) protocol messages per anonymous message
  • Relax to k-anonymity: every message could have been from or to k participants

Nick Hopper - Crypto/Security Seminar

k anonymous message transmission k amt
k-anonymous message transmission (k-AMT)

Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair

P2

P3

s1,2

s1,3

s1,4

P1

P4

s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)

Nick Hopper - Crypto/Security Seminar

how to compromise k anonymity
How to compromise k-anonymity
  • If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.
  • So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.

Nick Hopper - Crypto/Security Seminar

how to break k amt i
How to break k-AMT (I)
  • Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.
  • This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.

Nick Hopper - Crypto/Security Seminar

stopping the randomizing attack
Stopping the “randomizing” attack
  • Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.
  • These commitments allow verification of her subsequent actions.

Nick Hopper - Crypto/Security Seminar

k anonymous message transmission k amt with vss

P2

P3

P1

P4

k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

C1

C1

C1

Nick Hopper - Crypto/Security Seminar

k anonymous message transmission k amt with vss1
k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

P2

P3

C2

C3

P1

P4

C4

Nick Hopper - Crypto/Security Seminar

how to break k amt ii
How to break k-AMT (II)
  • The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.
  • So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.

Nick Hopper - Crypto/Security Seminar

accommodating more than one sender per turn
Accommodating more than one sender per turn
  • Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values.
  • If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.

Nick Hopper - Crypto/Security Seminar

accommodating more than one sender per turn1
Accommodating more than one sender per turn

Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t so that msi,j,t =xi,j

P2

P3

C1,1..2k

C1,1..2k

P1

P4

C1,1..2k

Nick Hopper - Crypto/Security Seminar

accommodating more than one sender per turn2
Accommodating more than one sender per turn
  • Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.
  • If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?

Nick Hopper - Crypto/Security Seminar

catching a cheater
Catching a cheater
  • Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot.
  • If someone did cheat, she will have a very low probability of convincing the group she did not.

Nick Hopper - Crypto/Security Seminar

zero knowledge proof of protocol conformance
Zero-Knowledge proof of protocol conformance
  • Pi (All):

Pick permutation ρ on {1…2k}

Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k)

  • (All)  Pi: b  {0,1}
  • Pi (All):

if b = 0: open 2k-1 0 values;

else reveal ρ, prove (in ZK) x’ = ρ(x)

Nick Hopper - Crypto/Security Seminar

efficiency
Efficiency
  • O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead
  • Cheaters are caught with high probability
  • Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)

Nick Hopper - Crypto/Security Seminar

another problem abuse
Another problem: Abuse
  • Anonymous communications could be used for bad things:
    • Kidnapping & Ransom Notes
    • Child Pornography
    • Libel
    • Excessive Multi Posting
  • How to deal with it fairly?

Nick Hopper - Crypto/Security Seminar

selective tracing
Selective Tracing
  • Participants agree to a “tracing policy:”
    • Set of voters V
    • Set of sets of voters V.
  • Anytime a “bad” message is sent, when any set of users v 2V agree, the message can be traced to its sender.

Nick Hopper - Crypto/Security Seminar

example tracing policies
Example Tracing Policies
  • Threshold tracing: if at least t users agree (e.g. 90%)
  • Court tracing: if at least 5/9 justices agree
  • LEA tracing: if FBI, CIA, NSA, DHS, ATF, or DEA want to trace.

Nick Hopper - Crypto/Security Seminar

support for selective traceability
Support for selective traceability
  • Assume for now singleton voter V.
  • V publishes ElGamal public key GX.
  • Recall that for each slot we have

R =  ri,

S = i Ci = gMhR

  • For each slot compute

a = GR

b = g-MyR

 = ZK{logg a = loghy Sb}

Nick Hopper - Crypto/Security Seminar

support for selective traceability1
Support for selective traceability
  • V publishes ElGamal public key GX.
  • For each slot compute

a = GR

b = g-MyR

  • V can trace M by checking for each user whether aXb = g-M.
  • Extend to arbitrary tracing policy using “Threshold Cryptography”

Nick Hopper - Crypto/Security Seminar

open questions
Open Questions
  • What is a good way to model security of onion-routing type protocols?
  • Is k-AMT really practical? Can it be improved on?
  • Can we make a provably secure variant of onion routing with selective traceability?
  • Coercibility.

Nick Hopper - Crypto/Security Seminar

ad