Anonymity – Chaum Mixes


Presentation Transcript


  1. Anonymity – Chaum Mixes R. Newman

  2. Topics
     • Defining anonymity
     • Need for anonymity
     • Defining privacy
     • Threats to anonymity and privacy
     • Mechanisms to provide anonymity
     • Applications of anonymity technology

  3. Chaum – Untraceable Mail
     • Wish to receive email anonymously, but
     • Be able to link new messages with past ones
     • Respond to the sender
     • Do not trust single authority (e.g., Paypal)
     • Underlying message delivery system is untrusted
     • Global active adversary

  4. Chaum Mix 1
     • Mix is like a special type of router/gateway
     • It has its own public key pair, K1 and K1^-1
     • Recipient A also has public key pair, Ka and Ka^-1
     • Sender B prepends random confounder Ra to message M, encrypts for A: Ca = {Ra|M}Ka
     • B then prepends to Ca a confounder and A's address and encrypts for mix: C1 = {R1|A|Ca}K1
     • B sends C1 to mix, which later sends Ca to A
     • Mix sends signed receipt to B

  5. Chaum Mix 2
     • Mix simply decrypts and strips confounder from message to A, gets A and Ca, mix sends to A
     • Incoming message and outgoing message do not appear related
     • Use padding to ensure same length (some technical details here)
     • Gather a batch of messages from different sources before sending them out in permuted order

  6. Chaum Mix 3
     • As long as messages are not repeated, adversary can't link an incoming message with an outgoing one (anonymous within the batch)
     • Mix can discard duplicate messages
     • B can insert different confounder in repeats
     • B can use timestamps – repeats look different
     • Mix signs message batches, sends receipt to senders
     • This allows B to prove to A if a message was not forwarded

  7. Cascading Mixes 1
     • What if the mix is compromised?
     • If one mix is good, lots of mixes are better!
     • B prepares M for A by selecting sequence of mixes, 1, 2, 3, …, n.
     • Message for A is prepared for Mix 1
     • Message for Mix 1 is prepared for Mix 2
     • … Message for Mix n-1 is prepared for Mix n
     • Layered message is sent to Mix n
     • Each mix removes its confounder, obtains address of next mix (or A), and forwards when batch is sent in permuted order

  8. Cascading Mixes 2
     • Mix in cascade that fails to forward a message can be detected as before (the preceding mix gets the signed receipt)
     • Any mix in cascade that is not compromised can provide unlinkability
     • This gets us anonymous message delivery, but does not allow return messages

  9. Return Addresses 1
     • B generates a public key Kb for the message
     • B seals its true address and another key K using the mix's key K1: RetAddr = {K,B}K1, Kb
     • A sends reply M to mix along with return address: Reply = {K,B}K1, {R0|M}Kb
     • Mix decrypts address and key, uses key K to re-encrypt reply: {{R0|M}Kb}K and sends to B

  10. Return Addresses 2
     • B must generate a new return address for each message (K and Kb) so there are no duplicates
     • Mix must remove duplicates if found
     • Symmetric cryptography may be used for both K and Kb here (but not for mix key!)
     • Cascade can return messages by building the return address in reverse order, then peeling off layers as the reply is forwarded (and encrypted) along the return path

  11. Return Addresses 3
     • For cascaded mixes, must build return address for the whole path
     • Receiver uses built-up return address and return key to send reply
     • Each mix on return path unwraps its portion of return address, re-encrypts, and forwards to next address
     • Sender had all the keys (it built the return address) so it can decrypt reply

  12. Next
     • Generalizing Mixes
     • Mix Costs
     • Optimization
     • How to preserve anonymity at low (least?) cost
     • Information leakage
     • How much information is revealed?
     • How?
     • How to prevent?
     • Treat as (covert) communication channel
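
The sealing, batching and duplicate-discarding steps from slides 4 to 8, as an added Python example that is not part of the original presentation. `seal`/`unseal` are a deterministic symmetric toy built on HMAC-SHA256 that stands in for the public-key operation {..}K so the code runs on the standard library alone. The function and class names, the 16-byte confounder, the 8-byte address field and the route format (hops in travel order, recipient last) are assumptions; length padding and signed receipts are left out.

```python
import hashlib, hmac, os, random

R = 16      # confounder length in bytes (assumed)
ADDR = 8    # fixed-width address field (assumed)

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _xor(key, iv, data):
    # HMAC-SHA256 in counter mode used as a keystream
    ks = b"".join(_mac(key, iv + i.to_bytes(4, "big")) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, pt):
    # Toy stand-in for {pt}K: deterministic, like the bare public-key operation,
    # so only the confounder makes two sealings of the same message differ
    iv = _mac(key, pt)[:16]
    return iv + _xor(key, iv, pt)

def unseal(key, ct):
    pt = _xor(key, ct[:16], ct[16:])
    if not hmac.compare_digest(ct[:16], _mac(key, pt)[:16]):
        raise ValueError("not sealed for this key")
    return pt

def wrap(keys, route, msg):
    # Innermost layer for the recipient: Ca = {Ra|M}Ka
    ct = seal(keys[route[-1]], os.urandom(R) + msg)
    # One layer per mix, last mix first: C = {R|next|C'}Kmix
    for i in range(len(route) - 2, -1, -1):
        ct = seal(keys[route[i]], os.urandom(R) + route[i + 1].encode().ljust(ADDR) + ct)
    return ct

class Mix:
    def __init__(self, key):
        self.key, self.seen, self.batch = key, set(), []

    def accept(self, ct):
        digest = hashlib.sha256(ct).digest()
        if digest in self.seen:          # discard duplicate (replayed) input
            return False
        self.seen.add(digest)
        pt = unseal(self.key, ct)[R:]    # decrypt, strip confounder
        self.batch.append((pt[:ADDR].decode().strip(), pt[ADDR:]))
        return True

    def flush(self):
        out, self.batch = self.batch, []
        random.SystemRandom().shuffle(out)   # send the batch in permuted order
        return out
```

Each `flush()` returns `(next_hop, ciphertext)` pairs; the ciphertext is fed to the next mix's `accept`, or to `unseal` with the recipient's key at the end of the route.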
