1 / 17

Privacy and Anonymity Using Anonymizing Network s –II CS 436/636/736 Spring 2012 Nitesh Saxena

Privacy and Anonymity Using Anonymizing Network s –II CS 436/636/736 Spring 2012 Nitesh Saxena. Some slides borrowed from Philippe Golle, Markus Jacobson. Course Admin. Mid-term exams returned HW3 to be posted very soon. Today’s Outline . Re-encryption based mix networks Secret sharing

spike
Download Presentation

Privacy and Anonymity Using Anonymizing Network s –II CS 436/636/736 Spring 2012 Nitesh Saxena

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Anonymity Using Anonymizing Networks –II CS 436/636/736 Spring 2012Nitesh Saxena Some slides borrowed from Philippe Golle, Markus Jacobson

  2. Course Admin • Mid-term exams returned • HW3 to be posted very soon Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  3. Today’s Outline • Re-encryption based mix networks • Secret sharing • Research flavor Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  4. server 1 server 2 server 3 Message 1 Message 2 Chaum ’81 Principle Requirements : Privacy Efficiency Trust Robustness

  5. I ignore his output STOP But what about robustness? and produce my own encr(Berry) encr(Kush) encr(Kush) Kush Kush Kush There is no robustness!

  6. ? Inputs Outputs Zoology of Mix Networks • Decryption Mix Nets [Cha81,…]: • Inputs: ciphertexts • Outputs: decryption of the inputs. • Re-encryption Mix Nets[PIK93,…]: • Inputs: ciphertexts • Outputs: re-encryption of the inputs Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  7. First Solution Chaum ’81, implemented by Syverson, Goldschlag Not robust (or: tolerates 0 cheaters for correctness) Requires every server to participate (and in the “right” order!)

  8. 1. Users encrypt their inputs: Input Input Pub-key 2. Encrypted inputs are mixed: Server 1 Server 2 Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix Proof Proof Proof 3. A quorum of mix servers decrypts the outputs Priv-key Output Output Re-encryption Mixnet 0. Setup: mix servers generate a shared key

  9. Recall: Discrete Logarithm Assumption • p, q primes such that q|p-1 • g is an element of order q and generates a group Gq of order q • x in Zq, y = gx mod p • Given (p, q, g, y), it is computationally hard to compute x • No polynomial time algorithm known • p should be 1024-bits and q be 160-bits • x becomes the private key and y becomes the public key Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  10. ElGamal Encryption • Encryption (of m in Gq): • Choose random r in Zq • k = gr mod p • c = myr mod p • Output (k,c) • Decryption of (k,c) • M = ck-x mod p • Secure under discrete logarithm assumption Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  11. ElGamal Example: dummy • Let’s construct an example • KeyGen: • p = 11, q = 2 or 5; let’s say q = 5 • 2 is a generator of Z11* • g = 22 = 4 • x = 2; y = 42 mod 11 = 5 • Enc(3): • r = 4  k = 44 mod 11 = 3 • c = 3*54 mod 11 = 5 • Dec(3,5): • m = 5*3-2 mod 11 = 3 Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  12. (t+1,n)- Secret Sharing • Motivation: to secure the cryptosystem against t (< n/2) corruptions • Split the secret among n entities so that • any set of t+1 or more entities can recover the secret • an adversary who corrupts at most t entities, learns nothing about the secret • Tool: Shamir’s Polynomial Secret Sharing f(z)  degree t polynomial (mod q) f(0)  x f(i)  ssi SECURE Polynomial interpolation: for any G, s.t. |G|=t+1 INSECURE (n=7, t=3) Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  13. Re-encryption technique Input: a ciphertext (k,c) wrt public key y • Pick a number r’ randomly from [0…q-1] • Compute k’ = kgr’ mod p c’ = cyr’ mod p • Output (k’, c’) Same decryption technique! Compute m k’c’-x Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  14. R E - E N C R Y P T R E - E N C R Y P T A simple Mix (k1, c1) (k2, c2) . . . (kn, cn) (k’1,c’1) (k’2,c’2) . . . (k’n,c’n) (k’’1,c’’1) (k’’2,c’’2) . . . (k’’n,c’’n) Note: different cipher text, different re-encryption exponents!

  15. And to get privacy… permute, too! (k1, c1) (k2, c2) . . . (kn, cn) (k’’1,c’’1) (k’’2,c’’2) . . . (k’’n,c’’n) Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  16. And, finally…the Proof • Mix servers must prove correct re-encryption • Given n El Gamal ciphertexts E(mi) asinput • and n El Gamal ciphertexts E(m’i) asoutput • Compute: E( mi) and E(=m’i) • Ask Mix for Zero-Knowledge proof that these ciphertexts decrypt to same plaintexts Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

  17. Anonymizing Network in practice: Tor • A low-latency anonymizing network http://www.torproject.org/ • Currently 1000 or so routers distributed all over in the internet • Can run any SOCKS application on top of Tor • Peer-based: a client can choose to be a router • A request is routed to/fro a series of a circuit of three routers • A new circuit is chosen every 10 minutes • No real-world implementation of re-encryption mix as yet Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

More Related