
Auditable Privacy:

Auditable Privacy: On Tamper-Evident Mix Networks. Jong Youl Choi (Dept. of Computer Science, Indiana University at Bloomington, jychoi@cs.indiana.edu), Philippe Golle (Palo Alto Research Center, pgolle@parc.com), Markus Jakobsson (School of Informatics, Indiana University at Bloomington).


Presentation Transcript


  1. Auditable Privacy: On Tamper-Evident Mix Networks
     Jong Youl Choi, Dept. of Computer Science, Indiana University at Bloomington (jychoi@cs.indiana.edu)
     Philippe Golle, Palo Alto Research Center (pgolle@parc.com)
     Markus Jakobsson, School of Informatics, Indiana University at Bloomington (markus@indiana.edu)

  2. Mix Networks
     • A sequence of mix servers
     • Mixing to make tracing impossible
     • Used as a building block to protect privacy or keep something anonymous
     [Figure labels: Public, Private, Public]

  3. What can go wrong in mix-nets
     • Random permutation is secret
     [Figure labels: Mix-server 1, Mix-server 2, Mix-server 3]

  4. Possible Attacks
     • Aims to
       • Leak secret permutations
       • Leak private keys
       • Leak any security-critical information
     • Although no side channel is allowed, leaking is possible through a public channel
     • The information leak is noticeable only to designated accomplices (by using a covert channel)

  5. Good time to launch an attack
     [Figure: timeline for the mix-server and the observer; labels: Key generation, Mixing phase, Commitment, Verification, Vulnerable, Safe, Tamper-evident, Time]

  6. How to verify – Intuitive idea
     • Cut-and-choose: 50% error rate
     • Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches: 1/2^k error rate

  7. Review: Re-encryption mix-nets
     • Two operations in a mix server
       [Figure: Encrypted Messages; El-Gamal Re-encryption with α1, α2, …, αn; Permutation with π(1), π(2), …, π(n); Re-encrypted and Permuted Messages]
     • El-Gamal re-encryption is homomorphic
     • There exist two integers β and δ s.t. α = β + δ
     • Re-encryption (ReEnc) satisfies ReEnc(m, α) = ReEnc(ReEnc(m, β), δ)

  8. Homomorphism
     • El-Gamal re-encryption: α = β + δ
       [Figure labels: Encrypted Messages, β, δ, Re-encrypted Messages]
     • Permutation =

  9. An example of a covert channel
     • Replacing a random number generator
     [Figure labels: Random Number Generator; α1, α2, …, αn; π(1), π(2), …, π(n); El-Gamal Re-encryption; Permutation; Inputs; Outputs]

  10. Solution overview
     • Data flow
     [Figure labels: Key Generation, Mixing Phase, Commitment, Witness, Re-encrypted Message, Observer]

  11. Key generation
     • Conditions: αi = βi + δi, π = τ◦σ
     • Publicize a commitment
     [Figure: Permutation π with α1, α2, …, αn and π(1), π(2), …, π(n); Permutation σ with β1, β2, …, βn and σ(1), σ(2), …, σ(n); Permutation τ with δ1, δ2, …, δn and τ(1), τ(2), …, τ(n); labels: The same inputs, The same outputs]

  12. Mixing phase
     • Output re-encrypted messages {A’i} and witnesses {Wi}
     [Figure: Permutation π with α1, α2, …, αn and π(1), π(2), …, π(n) mapping A1, A2, …, An to A’1, A’2, …, A’n; Permutation σ with β1, β2, …, βn; Permutation τ with δ1, δ2, …, δn; witnesses W1, W2, …, Wn]

  13. Interactive verification
     [Figure: Permutation σ with β1, β2, …, βn and Permutation τ with δ1, δ2, …, δn; inputs A1, A2, …, An; witnesses W1, W2, …, Wn; outputs A’1, A’2, …, A’n; parties: Observer, Mix Server]
     1. Choose either 0 (LEFT) or 1 (RIGHT)
     2. Open corresponding values and hashes of the others
     3. Verify that there is no variation from the previous commitment

  14. Security improvement #1
     • Proof of tamper-freeness
     • Probability of cheating: 1/2
     • Number of commitments κ → acceptable cheating probability < 1/2^κ
     [Figure label: κ proofs]

  15. Security improvement #2
     • Undercover observer
     • Challenges are automatically chosen from κ bits of the output hash({A’i})
     • Non-interactive proof → stealthy observation
     • It is hard for attackers to find non-interactive observers, hence the name undercover observers
     [Figure labels: Key Generation, Mixing Phase, Commitment, Witness]

  16. Conclusion
     • A covert channel in mix networks threatens privacy
     • New notion of security: tamper-evidence, detecting variations from prescribed commitments
     • Stealthy operation of a non-interactive observer
     Or, send me an email: jychoi@cs.indiana.edu

  17. Key generation
     • Commitment: root of a Merkle hash tree
     [Figure: Merkle hash tree with root ρ; labels: Hash function, β1, β2, …, δ1, δ2, …, δn-1, δn, σ, τ]
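
The split re-encryption of slides 7 and 11 to 12 and the LEFT/RIGHT opening of slides 13 and 15, as an added Python example that is not code from the presentation or its authors. It runs one round and shows a server that deviates from its committed β being caught when LEFT is opened. Assumptions: the toy group parameters and inputs are constructed, the witness W is taken to be the intermediate ciphertext, δ is indexed by witness position, and a two-leaf hash tree stands in for the Merkle tree of slide 17.

```python
import hashlib
import random

P, Q, G = 467, 233, 4   # toy group (constructed): G has prime order Q mod P
Y = pow(G, 57, P)       # public key for a constructed secret key

def H(*parts):
    return hashlib.sha256(repr(parts).encode()).hexdigest()

def reenc(c, r):
    """ElGamal re-encryption of ciphertext c = (a, b) with exponent r."""
    return (c[0] * pow(G, r, P) % P, c[1] * pow(Y, r, P) % P)

def keygen(n, rng):
    """Fix (beta, sigma) and (delta, tau) up front; publish only the root."""
    left = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))
    right = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))
    return left, right, H(H(left), H(right))  # two-leaf tree (assumption)

def mix(inputs, left, right):
    """W[sigma(i)] = ReEnc(A[i], beta_i); A'[tau(j)] = ReEnc(W[j], delta_j)."""
    (beta, sigma), (delta, tau) = left, right
    W, out = [None] * len(inputs), [None] * len(inputs)
    for i, c in enumerate(inputs):
        W[sigma[i]] = reenc(c, beta[i])
    for j, w in enumerate(W):
        out[tau[j]] = reenc(w, delta[j])
    return W, out

def challenge_bit(outputs):
    return int(H(outputs), 16) & 1   # one bit taken from hash({A'_i})

def verify(root, inputs, W, outputs, bit, opened, other_hash):
    """bit 0 opens (beta, sigma), bit 1 opens (delta, tau); other half as hash."""
    pair = (H(opened), other_hash) if bit == 0 else (other_hash, H(opened))
    if H(*pair) != root:
        return False    # opened values differ from the commitment
    r, perm = opened
    src, dst = (inputs, W) if bit == 0 else (W, outputs)
    return all(dst[perm[i]] == reenc(src[i], r[i]) for i in range(len(src)))

rng = random.Random(1)  # fixed seed so the constructed run is repeatable
A = [reenc((1, m), rng.randrange(Q)) for m in (4, 16, 64)]  # constructed inputs
left, right, root = keygen(len(A), rng)
W, out = mix(A, left, right)
# Covert-channel stand-in: the server uses a beta it never committed to.
bad_left = ([(left[0][0] + 1) % Q] + left[0][1:], left[1])
W_bad, out_bad = mix(A, bad_left, right)
print("tampered run, LEFT opened:", verify(root, A, W_bad, out_bad, 0, left, H(right)))
```

Opening RIGHT on the same tampered run still passes, which is the 1/2 cheating probability of slide 14 and the reason the slides use κ commitments.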
