Practical and provably secure anonymity
This presentation is the property of its rightful owner.
Sponsored Links
1 / 46

Practical(?) And Provably Secure Anonymity PowerPoint PPT Presentation


  • 80 Views
  • Uploaded on
  • Presentation posted in: General

Practical(?) And Provably Secure Anonymity. Nick Hopper. Sender -Anonymous Communication: The “Love Letter Problem”. Who?. You have a secret admirer!. Alex. Eve, The Net Admin. Receiver-Anonymous Communication: The Whistleblower’s problem. Eve. ?. E PK (“AUDIT ACME!”). IRS. Alex.

Download Presentation

Practical(?) And Provably Secure Anonymity

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Practical and provably secure anonymity

Practical(?) And Provably Secure Anonymity

Nick Hopper


Sender anonymous communication the love letter problem

Sender-Anonymous Communication: The “Love Letter Problem”

Who?

You have a secret admirer!

Alex

Eve,

The Net Admin

Nick Hopper - Crypto/Security Seminar


Receiver anonymous communication the whistleblower s problem

Receiver-Anonymous Communication: The Whistleblower’s problem

Eve

?

EPK(“AUDIT ACME!”)

IRS

Alex

Nick Hopper - Crypto/Security Seminar


Previous work on anonymous communication

Previous Work on anonymous communication

  • Mix-Net/Onion routing:

    • Efficient, but not (yet) provably secure

  • DC-Nets

    • Provably secure, but not efficient

Nick Hopper - Crypto/Security Seminar


Mix net

Mix-Net

E

EMIX(C,M3)

EMIX(D,M1)

EMIX(E,M5)

A

D

Mix

EMIX(E,M2)

EMIX(D,M4)

C

B

Nick Hopper - Crypto/Security Seminar


Mix net1

Mix-Net

E

EMIX(D,M1)

EMIX(E,M2)

A

EMIX(C,M3)

D

Mix

EMIX(D,M4)

EMIX(E,M5)

C

B

Nick Hopper - Crypto/Security Seminar


Mix net2

Mix-Net

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar


Mix net3

Mix-Net

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar


Mix net4

Mix-Net

EE(M5)

EE(M2)

E

ED(M1)

A

ED(M4)

D

Mix

EC(M3)

C

B

Nick Hopper - Crypto/Security Seminar


Onion routing

Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing1

Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing2

Onion Routing

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing3

Onion Routing

EH(M)

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing4

Onion Routing

EF(H,EH(M))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing5

Onion Routing

EB(F,EF(H,EH(M)))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing6

Onion Routing

EE(B,EB(F,EF(H,EH(M))))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing7

Onion Routing

EB(F,EF(H,EH(M)))

E

A

G

C

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing8

Onion Routing

E

A

G

C

EF(H,EH(M))

B

F

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing9

Onion Routing

E

A

G

C

B

F

EH(M)

D

H

Nick Hopper - Crypto/Security Seminar


Onion routing10

Onion Routing

E

A

G

C

B

F

M

D

H

Nick Hopper - Crypto/Security Seminar


Dc net multiparty sum

DC Net: Multiparty Sum

XA

A

XC

XB

C

B

XD

D

Nick Hopper - Crypto/Security Seminar


Dc net multiparty sum1

DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

A

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar


Dc net multiparty sum2

DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

A

SAB

SAC

XC

XB

SAD

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar


Dc net multiparty sum3

DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

A

SA

SC

XC

SB

XB

C

B

SD

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar


Dc net multiparty sum4

DC Net: Multiparty Sum

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

X = SA + SB + SC + SD

= XA + XB + XC + XD

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar


How to use multiparty sum for anonymity

How to use multiparty sum for anonymity

  • If XA = XB = XC = 0 then X=XD!

  • If more than one non-zero: collision

  • Use standard networking techniques

  • Provably, Perfectly secure against passive adversary.

  • Problems:

    • Inefficient – O(n3) protocol messages/ anonymous message

    • Easy to JAM it!

Nick Hopper - Crypto/Security Seminar


Efficiency issue

Efficiency “Issue”

  • “Perfect” security requires (n2) protocol messages per anonymous message

  • Relax to k-anonymity: every message could have been from or to k participants

Nick Hopper - Crypto/Security Seminar


K anonymous message transmission k amt

k-anonymous message transmission (k-AMT)

Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair

P2

P3

s1,2

s1,3

s1,4

P1

P4

s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)

Nick Hopper - Crypto/Security Seminar


How to compromise k anonymity

How to compromise k-anonymity

  • If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.

  • So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.

Nick Hopper - Crypto/Security Seminar


How to break k amt i

How to break k-AMT (I)

  • Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.

  • This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.

Nick Hopper - Crypto/Security Seminar


Stopping the randomizing attack

Stopping the “randomizing” attack

  • Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.

  • These commitments allow verification of her subsequent actions.

Nick Hopper - Crypto/Security Seminar


K anonymous message transmission k amt with vss

P2

P3

P1

P4

k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

C1

C1

C1

Nick Hopper - Crypto/Security Seminar


K anonymous message transmission k amt with vss1

k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

P2

P3

C2

C3

P1

P4

C4

Nick Hopper - Crypto/Security Seminar


How to break k amt ii

How to break k-AMT (II)

  • The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.

  • So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.

Nick Hopper - Crypto/Security Seminar


Accommodating more than one sender per turn

Accommodating more than one sender per turn

  • Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values.

  • If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.

Nick Hopper - Crypto/Security Seminar


Accommodating more than one sender per turn1

Accommodating more than one sender per turn

Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t so that msi,j,t =xi,j

P2

P3

C1,1..2k

C1,1..2k

P1

P4

C1,1..2k

Nick Hopper - Crypto/Security Seminar


Accommodating more than one sender per turn2

Accommodating more than one sender per turn

  • Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.

  • If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?

Nick Hopper - Crypto/Security Seminar


Catching a cheater

Catching a cheater

  • Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot.

  • If someone did cheat, she will have a very low probability of convincing the group she did not.

Nick Hopper - Crypto/Security Seminar


Zero knowledge proof of protocol conformance

Zero-Knowledge proof of protocol conformance

  • Pi (All):

    Pick permutation ρ on {1…2k}

    Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k)

  • (All)  Pi: b  {0,1}

  • Pi (All):

    if b = 0: open 2k-1 0 values;

    else reveal ρ, prove (in ZK) x’ = ρ(x)

Nick Hopper - Crypto/Security Seminar


Efficiency

Efficiency

  • O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead

  • Cheaters are caught with high probability

  • Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)

Nick Hopper - Crypto/Security Seminar


Another problem abuse

Another problem: Abuse

  • Anonymous communications could be used for bad things:

    • Kidnapping & Ransom Notes

    • Child Pornography

    • Libel

    • Excessive Multi Posting

  • How to deal with it fairly?

Nick Hopper - Crypto/Security Seminar


Selective tracing

Selective Tracing

  • Participants agree to a “tracing policy:”

    • Set of voters V

    • Set of sets of voters V.

  • Anytime a “bad” message is sent, when any set of users v 2V agree, the message can be traced to its sender.

Nick Hopper - Crypto/Security Seminar


Example tracing policies

Example Tracing Policies

  • Threshold tracing: if at least t users agree (e.g. 90%)

  • Court tracing: if at least 5/9 justices agree

  • LEA tracing: if FBI, CIA, NSA, DHS, ATF, or DEA want to trace.

Nick Hopper - Crypto/Security Seminar


Support for selective traceability

Support for selective traceability

  • Assume for now singleton voter V.

  • V publishes ElGamal public key GX.

  • Recall that for each slot we have

    R =  ri,

    S = i Ci = gMhR

  • For each slot compute

    a = GR

    b = g-MyR

     = ZK{logg a = loghy Sb}

Nick Hopper - Crypto/Security Seminar


Support for selective traceability1

Support for selective traceability

  • V publishes ElGamal public key GX.

  • For each slot compute

    a = GR

    b = g-MyR

  • V can trace M by checking for each user whether aXb = g-M.

  • Extend to arbitrary tracing policy using “Threshold Cryptography”

Nick Hopper - Crypto/Security Seminar


Open questions

Open Questions

  • What is a good way to model security of onion-routing type protocols?

  • Is k-AMT really practical? Can it be improved on?

  • Can we make a provably secure variant of onion routing with selective traceability?

  • Coercibility.

Nick Hopper - Crypto/Security Seminar


  • Login