1 / 46

Practical(?) And Provably Secure Anonymity

Practical(?) And Provably Secure Anonymity. Nick Hopper. Sender -Anonymous Communication: The “Love Letter Problem”. Who?. You have a secret admirer!. Alex. Eve, The Net Admin. Receiver-Anonymous Communication: The Whistleblower’s problem. Eve. ?. E PK (“AUDIT ACME!”). IRS. Alex.

nadine-beck
Download Presentation

Practical(?) And Provably Secure Anonymity

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Practical(?) And Provably Secure Anonymity Nick Hopper

  2. Sender-Anonymous Communication: The “Love Letter Problem” Who? You have a secret admirer! Alex Eve, The Net Admin Nick Hopper - Crypto/Security Seminar

  3. Receiver-Anonymous Communication: The Whistleblower’s problem Eve ? EPK(“AUDIT ACME!”) IRS Alex Nick Hopper - Crypto/Security Seminar

  4. Previous Work on anonymous communication • Mix-Net/Onion routing: • Efficient, but not (yet) provably secure • DC-Nets • Provably secure, but not efficient Nick Hopper - Crypto/Security Seminar

  5. Mix-Net E EMIX(C,M3) EMIX(D,M1) EMIX(E,M5) A D Mix EMIX(E,M2) EMIX(D,M4) C B Nick Hopper - Crypto/Security Seminar

  6. Mix-Net E EMIX(D,M1) EMIX(E,M2) A EMIX(C,M3) D Mix EMIX(D,M4) EMIX(E,M5) C B Nick Hopper - Crypto/Security Seminar

  7. Mix-Net E D,ED(M1) E,EE(M2) A C,EC(M3) D Mix D,ED(M4) E,EE(M5) C B Nick Hopper - Crypto/Security Seminar

  8. Mix-Net E D,ED(M1) E,EE(M2) A C,EC(M3) D Mix D,ED(M4) E,EE(M5) C B Nick Hopper - Crypto/Security Seminar

  9. Mix-Net EE(M5) EE(M2) E ED(M1) A ED(M4) D Mix EC(M3) C B Nick Hopper - Crypto/Security Seminar

  10. Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar

  11. Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar

  12. Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar

  13. Onion Routing EH(M) E A G C B F D H Nick Hopper - Crypto/Security Seminar

  14. Onion Routing EF(H,EH(M)) E A G C B F D H Nick Hopper - Crypto/Security Seminar

  15. Onion Routing EB(F,EF(H,EH(M))) E A G C B F D H Nick Hopper - Crypto/Security Seminar

  16. Onion Routing EE(B,EB(F,EF(H,EH(M)))) E A G C B F D H Nick Hopper - Crypto/Security Seminar

  17. Onion Routing EB(F,EF(H,EH(M))) E A G C B F D H Nick Hopper - Crypto/Security Seminar

  18. Onion Routing E A G C EF(H,EH(M)) B F D H Nick Hopper - Crypto/Security Seminar

  19. Onion Routing E A G C B F EH(M) D H Nick Hopper - Crypto/Security Seminar

  20. Onion Routing E A G C B F M D H Nick Hopper - Crypto/Security Seminar

  21. DC Net: Multiparty Sum XA A XC XB C B XD D Nick Hopper - Crypto/Security Seminar

  22. DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA A XC XB C B SCA+SCB+SCC+SCD = XB SBA+SBB+SBC+SBD = XB XD D SDA+SDB+SDC+SDD = XD Nick Hopper - Crypto/Security Seminar

  23. DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA A SAB SAC XC XB SAD C B SCA+SCB+SCC+SCD = XB SBA+SBB+SBC+SBD = XB XD D SDA+SDB+SDC+SDD = XD Nick Hopper - Crypto/Security Seminar

  24. DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA SA = SAA + SBA + SCA+SDA A SA SC XC SB XB C B SD SCA+SCB+SCC+SCD = XB SC = SAC + SBC + SCC+SDC SBA+SBB+SBC+SBD = XB SB = SAB + SBB + SCB+SDB XD D SDA+SDB+SDC+SDD = XD SD = SAD + SBD + SCD+SDD Nick Hopper - Crypto/Security Seminar

  25. DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA SA = SAA + SBA + SCA+SDA X = SA + SB + SC + SD = XA + XB + XC + XD XC XB C B SCA+SCB+SCC+SCD = XB SC = SAC + SBC + SCC+SDC SBA+SBB+SBC+SBD = XB SB = SAB + SBB + SCB+SDB XD D SDA+SDB+SDC+SDD = XD SD = SAD + SBD + SCD+SDD Nick Hopper - Crypto/Security Seminar

  26. How to use multiparty sum for anonymity • If XA = XB = XC = 0 then X=XD! • If more than one non-zero: collision • Use standard networking techniques • Provably, Perfectly secure against passive adversary. • Problems: • Inefficient – O(n3) protocol messages/ anonymous message • Easy to JAM it! Nick Hopper - Crypto/Security Seminar

  27. Efficiency “Issue” • “Perfect” security requires (n2) protocol messages per anonymous message • Relax to k-anonymity: every message could have been from or to k participants Nick Hopper - Crypto/Security Seminar

  28. k-anonymous message transmission (k-AMT) Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair P2 P3 s1,2 s1,3 s1,4 P1 P4 s1,1+s1,2+s1,3+s1,4 = (Gt,Mt) Nick Hopper - Crypto/Security Seminar

  29. How to compromise k-anonymity • If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee. • So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means. Nick Hopper - Crypto/Security Seminar

  30. How to break k-AMT (I) • Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead. • This will randomize the result of the DC-Net protocol, preventing Alice from transmitting. Nick Hopper - Crypto/Security Seminar

  31. Stopping the “randomizing” attack • Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input. • These commitments allow verification of her subsequent actions. Nick Hopper - Crypto/Security Seminar

  32. P2 P3 P1 P4 k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) C1 C1 C1 Nick Hopper - Crypto/Security Seminar

  33. k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) P2 P3 C2 C3 P1 P4 C4 Nick Hopper - Crypto/Security Seminar

  34. How to break k-AMT (II) • The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn. • So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line. Nick Hopper - Crypto/Security Seminar

  35. Accommodating more than one sender per turn • Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values. • If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting. Nick Hopper - Crypto/Security Seminar

  36. Accommodating more than one sender per turn Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t so that msi,j,t =xi,j P2 P3 C1,1..2k C1,1..2k P1 P4 C1,1..2k Nick Hopper - Crypto/Security Seminar

  37. Accommodating more than one sender per turn • Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit. • If not, somebody has cheated and used at least 2 turns. How do we catch the cheater? Nick Hopper - Crypto/Security Seminar

  38. Catching a cheater • Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot. • If someone did cheat, she will have a very low probability of convincing the group she did not. Nick Hopper - Crypto/Security Seminar

  39. Zero-Knowledge proof of protocol conformance • Pi (All): Pick permutation ρ on {1…2k} Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) • (All)  Pi: b  {0,1} • Pi (All): if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x) Nick Hopper - Crypto/Security Seminar

  40. Efficiency • O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead • Cheaters are caught with high probability • Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins) Nick Hopper - Crypto/Security Seminar

  41. Another problem: Abuse • Anonymous communications could be used for bad things: • Kidnapping & Ransom Notes • Child Pornography • Libel • Excessive Multi Posting • How to deal with it fairly? Nick Hopper - Crypto/Security Seminar

  42. Selective Tracing • Participants agree to a “tracing policy:” • Set of voters V • Set of sets of voters V. • Anytime a “bad” message is sent, when any set of users v 2V agree, the message can be traced to its sender. Nick Hopper - Crypto/Security Seminar

  43. Example Tracing Policies • Threshold tracing: if at least t users agree (e.g. 90%) • Court tracing: if at least 5/9 justices agree • LEA tracing: if FBI, CIA, NSA, DHS, ATF, or DEA want to trace. Nick Hopper - Crypto/Security Seminar

  44. Support for selective traceability • Assume for now singleton voter V. • V publishes ElGamal public key GX. • Recall that for each slot we have R =  ri, S = i Ci = gMhR • For each slot compute a = GR b = g-MyR  = ZK{logg a = loghy Sb} Nick Hopper - Crypto/Security Seminar

  45. Support for selective traceability • V publishes ElGamal public key GX. • For each slot compute a = GR b = g-MyR • V can trace M by checking for each user whether aXb = g-M. • Extend to arbitrary tracing policy using “Threshold Cryptography” Nick Hopper - Crypto/Security Seminar

  46. Open Questions • What is a good way to model security of onion-routing type protocols? • Is k-AMT really practical? Can it be improved on? • Can we make a provably secure variant of onion routing with selective traceability? • Coercibility. Nick Hopper - Crypto/Security Seminar

More Related