Loading in 5 sec....

Practical(?) And Provably Secure AnonymityPowerPoint Presentation

Practical(?) And Provably Secure Anonymity

- 106 Views
- Uploaded on

Download Presentation
## PowerPoint Slideshow about ' Practical(?) And Provably Secure Anonymity' - nadine-beck

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

### Practical(?) And Provably Secure Anonymity

Nick Hopper

Sender-Anonymous Communication: The “Love Letter Problem”

Who?

You have a secret admirer!

Alex

Eve,

The Net Admin

Nick Hopper - Crypto/Security Seminar

Receiver-Anonymous Communication: The Whistleblower’s problem

Eve

?

EPK(“AUDIT ACME!”)

IRS

Alex

Nick Hopper - Crypto/Security Seminar

Previous Work on anonymous communication problem

- Mix-Net/Onion routing:
- Efficient, but not (yet) provably secure

- DC-Nets
- Provably secure, but not efficient

Nick Hopper - Crypto/Security Seminar

Mix-Net problem

E

EMIX(C,M3)

EMIX(D,M1)

EMIX(E,M5)

A

D

Mix

EMIX(E,M2)

EMIX(D,M4)

C

B

Nick Hopper - Crypto/Security Seminar

Mix-Net problem

E

EMIX(D,M1)

EMIX(E,M2)

A

EMIX(C,M3)

D

Mix

EMIX(D,M4)

EMIX(E,M5)

C

B

Nick Hopper - Crypto/Security Seminar

Mix-Net problem

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar

Mix-Net problem

E

D,ED(M1)

E,EE(M2)

A

C,EC(M3)

D

Mix

D,ED(M4)

E,EE(M5)

C

B

Nick Hopper - Crypto/Security Seminar

Mix-Net problem

EE(M5)

EE(M2)

E

ED(M1)

A

ED(M4)

D

Mix

EC(M3)

C

B

Nick Hopper - Crypto/Security Seminar

DC Net: Multiparty Sum problem

XA

SAA+SAB+SAC+SAD = XA

A

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar

DC Net: Multiparty Sum problem

XA

SAA+SAB+SAC+SAD = XA

A

SAB

SAC

XC

XB

SAD

C

B

SCA+SCB+SCC+SCD = XB

SBA+SBB+SBC+SBD = XB

XD

D

SDA+SDB+SDC+SDD = XD

Nick Hopper - Crypto/Security Seminar

DC Net: Multiparty Sum problem

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

A

SA

SC

XC

SB

XB

C

B

SD

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar

DC Net: Multiparty Sum problem

XA

SAA+SAB+SAC+SAD = XA

SA = SAA + SBA + SCA+SDA

X = SA + SB + SC + SD

= XA + XB + XC + XD

XC

XB

C

B

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

XD

D

SDA+SDB+SDC+SDD = XD

SD = SAD + SBD + SCD+SDD

Nick Hopper - Crypto/Security Seminar

How to use multiparty sum for anonymity problem

- If XA = XB = XC = 0 then X=XD!
- If more than one non-zero: collision
- Use standard networking techniques
- Provably, Perfectly secure against passive adversary.
- Problems:
- Inefficient – O(n3) protocol messages/ anonymous message
- Easy to JAM it!

Nick Hopper - Crypto/Security Seminar

Efficiency “Issue” problem

- “Perfect” security requires (n2) protocol messages per anonymous message
- Relax to k-anonymity: every message could have been from or to k participants

Nick Hopper - Crypto/Security Seminar

k-anonymous message transmission (k-AMT) problem

Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair

P2

P3

s1,2

s1,3

s1,4

P1

P4

s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)

Nick Hopper - Crypto/Security Seminar

How to compromise k-anonymity problem

- If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.
- So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.

Nick Hopper - Crypto/Security Seminar

How to break k-AMT (I) problem

- Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.
- This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.

Nick Hopper - Crypto/Security Seminar

Stopping the “randomizing” attack problem

- Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.
- These commitments allow verification of her subsequent actions.

Nick Hopper - Crypto/Security Seminar

P2 problem

P3

P1

P4

k-anonymous message transmission (k-AMT) with VSSBefore starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

C1

C1

C1

Nick Hopper - Crypto/Security Seminar

k-anonymous message transmission (k-AMT) with VSS problem

Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

P2

P3

C2

C3

P1

P4

C4

Nick Hopper - Crypto/Security Seminar

How to break k-AMT (II) problem

- The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.
- So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.

Nick Hopper - Crypto/Security Seminar

Accommodating more than one sender per turn problem

- Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values.
- If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.

Nick Hopper - Crypto/Security Seminar

Accommodating more than one sender per turn problem

Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t so that msi,j,t =xi,j

P2

P3

C1,1..2k

C1,1..2k

P1

P4

C1,1..2k

Nick Hopper - Crypto/Security Seminar

Accommodating more than one sender per turn problem

- Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.
- If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?

Nick Hopper - Crypto/Security Seminar

Catching a cheater problem

- Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot.
- If someone did cheat, she will have a very low probability of convincing the group she did not.

Nick Hopper - Crypto/Security Seminar

Zero-Knowledge proof of protocol conformance problem

- Pi (All):
Pick permutation ρ on {1…2k}

Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k)

- (All) Pi: b {0,1}
- Pi (All):
if b = 0: open 2k-1 0 values;

else reveal ρ, prove (in ZK) x’ = ρ(x)

Nick Hopper - Crypto/Security Seminar

Efficiency problem

- O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead
- Cheaters are caught with high probability
- Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)

Nick Hopper - Crypto/Security Seminar

Another problem: Abuse problem

- Anonymous communications could be used for bad things:
- Kidnapping & Ransom Notes
- Child Pornography
- Libel
- Excessive Multi Posting

- How to deal with it fairly?

Nick Hopper - Crypto/Security Seminar

Selective Tracing problem

- Participants agree to a “tracing policy:”
- Set of voters V
- Set of sets of voters V.

- Anytime a “bad” message is sent, when any set of users v 2V agree, the message can be traced to its sender.

Nick Hopper - Crypto/Security Seminar

Example Tracing Policies problem

- Threshold tracing: if at least t users agree (e.g. 90%)
- Court tracing: if at least 5/9 justices agree
- LEA tracing: if FBI, CIA, NSA, DHS, ATF, or DEA want to trace.

Nick Hopper - Crypto/Security Seminar

Support for selective traceability problem

- Assume for now singleton voter V.
- V publishes ElGamal public key GX.
- Recall that for each slot we have
R = ri,

S = i Ci = gMhR

- For each slot compute
a = GR

b = g-MyR

= ZK{logg a = loghy Sb}

Nick Hopper - Crypto/Security Seminar

Support for selective traceability problem

- V publishes ElGamal public key GX.
- For each slot compute
a = GR

b = g-MyR

- V can trace M by checking for each user whether aXb = g-M.
- Extend to arbitrary tracing policy using “Threshold Cryptography”

Nick Hopper - Crypto/Security Seminar

Open Questions problem

- What is a good way to model security of onion-routing type protocols?
- Is k-AMT really practical? Can it be improved on?
- Can we make a provably secure variant of onion routing with selective traceability?
- Coercibility.

Nick Hopper - Crypto/Security Seminar

Download Presentation

Connecting to Server..