1 / 16

Reusable Anonymous Return Channels

Reusable Anonymous Return Channels. Philippe Golle, Stanford / PARC Markus Jakobsson, RSA Labs. WPES ‘03. Mixnet. E(M). M. Anonymous Communication. Model: Parties exchange messages Goal: “keeping confidential who converses with whom, and when they converse” [Chaum]

pbowman
Download Presentation

Reusable Anonymous Return Channels

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Reusable AnonymousReturn Channels Philippe Golle, Stanford / PARC Markus Jakobsson, RSA Labs WPES ‘03

  2. Mixnet E(M) M Anonymous Communication • Model: Parties exchange messages • Goal:“keeping confidential who converses with whom, and when they converse” [Chaum] • Global eavesdropping adversary • Solution: mix network • Alice submits EMIX(Bob || M) • Mixnet decrypts and delivers messages in random order Alice Bob How do we reply to an anonymous message?

  3. Simple solution… • Communication protocol: • Alice submits to the mixnet a message EMIX(Bob || EBob (Alice || M)) • Bob receives EBOB (Alice || M), decrypts it and replies with EMIX(Alice || EAlice (Bob || R)) • Property: external anonymity • Alice and Bob know each other’s identity • They hide from everyone else the fact that they are communicating • In this talk • Complete anonymity: Bob does not learn Alice’s identity • Example applications: love letters, ransom notes • No straightforward solution with mixnets

  4. Outline • Chaumian mixnets: • Processing of (forward) messages • Untraceable return address • Why return addresses can’t be reused • Replies and traffic analysis • Our new protocol • Based on a re-encryption mixnet • Allows for unlimited replies • Filtering policies

  5. X X Y Y Bob Bob M Y Bob Bob Y X X M N P P N M Bob N N P P M M Chaumian Mixnet Alice Mix 1 Mix 2 Mix 3 Bob

  6. Mix 1 Mix 2 Mix 3 Bob k3 k3 k1 k1 k1 k1 k1 k1 k2 k2 k2 k2 Bob Bob Bob Bob M M M M R R R R Untraceable Return Address Alice =

  7. Return Address • Single use return envelope • Privacy compromised if a return address is reused: • Bob replies twice with same envelope • Decryption of return address is deterministic • The mixnet produces the same output in both cases • To allow for N replies, Alice must give Bob N different envelopes

  8. Return channels and Traffic Analysis • Traffic analysis attack • Bob sends K replies in one batch and observes who picks up K messages • Bob sends one reply every hour and computes the intersection of the sets of recipients • Solutions from asynchronous mixes • Random delays • Pool mixing • Make multiple copies of some messages

  9. Our Approach • Reusable return addresses • Alice distributes the same return address to all her correspondents (Bob, Charlie, Dave, …) • Property: cannot test whether two return addresses lead to the same person or different people • Note: cannot reuse Chaumian return addresses • Helps defeat traffic analysis attacks • If Bob sends K replies: Alice receives more than K • Intersection attack: complicated by the fact that multiple correspondents reply to Alice • Works best when combined with other defenses

  10. ElGamal Cryptosystem • ElGamal is a randomized public-key cryptosystem: • Key generation: (SK, PK) • Encryption: m, PK, r  Er (m) • Decryption: Er (m) , SK  m • El Gamal allows for Re-encryption: • Re-encryption: Er(m) , PK , s  Er+s(m) • Requires only public key • Given Er(m) an adversary can’t distinguish Er+s(m) from a random ciphertext.

  11. Re-encryption Mixnet • ElGamal encrypted inputs: EMIX (M) • Mixing: each mix server • Receives a set of inputs • Re-encrypts these inputs • Gives them in random order to the next server • Outputs • Mixnet decrypts and outputs plaintext M

  12. Protocol (outline) • Alice submits her input (Emix(Alice||PKA) ; Emix(M) ; Emix(Bob||PKB)) • Inputs are mixed and re-encrypted • Delivery of messages • Mixnet decrypts the value Bob||PKB • Converts Emix(M)into EPKB(M) • Delivers to Bob EPKB(M), Emix(Alice||PKA).

  13. Protocol (cont’d) • Submitting a reply • Bob has received EPKB(M), Emix(Alice||PKA) • Bob submits to the mixnet the reply (Emix(Bob||PKB) ; Emix(R) ; Emix(Alice||PKA)) Note: the return envelope Emix(Alice||PKA) can be reused multiple times, for multiple correspondents

  14. Properties • Reusable:multiple replies possible • Composable:allows for replies to replies, etc… • Transferable:anyone can reply • Compatible:replies and messages are processed in almost the same way • Efficient:4 times as expensive as normal re-encryption mixnet • Filtering policies: specifies which replies are allowed

  15. Input Filtering • Submission of messages (Emix(Alice||PKA) ; E(M) ; Emix(Bob||PKB) ; E(FM)) • Mixing and delivery: as before • Reply: (Emix(Bob||PKB) ; E(R) ; Emix(Alice||PKA) ; E(FM))

  16. Conclusion • Reusable return channels based on re-encryption mixnets • Helps defend against traffic analysis • Thanks to Ari Juels and Paul Syverson!

More Related