170 likes | 315 Views
Auditable Privacy:. Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington. Philippe Golle Palo Alto Research Center. Markus Jakobsson School of Informatics Indiana University at Bloomington. On Tamper-Evident Mix Networks. jychoi@cs.indiana.edu. pgolle @parc.com.
E N D
Auditable Privacy: Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research Center Markus Jakobsson School of Informatics Indiana University at Bloomington On Tamper-Evident Mix Networks jychoi@cs.indiana.edu pgolle@parc.com markus@indiana.edu
Mix Networks • A sequence of mix servers Public Private Public • Mixing to make tracing impossible • Used as a building block to protect privacy or keep something anonymous
What can be wrong in mix-nets • Random permutation is secret Mix-server 1 Mix-server 2 Mix-server 3
Possible Attacks • Aims to • Leak secret permutations • Leak private keys • Leak any security-critical information • Although no side channel is allowed, leaking is possible through public channel • Information leak is noticeable only to designated accomplices (by using a covert-channel)
Good time to launch an attack Vulnerable Safe Key generation Mixing phase Mix-server Time Verification Commitment Tamper-evident Observer Safe
How to verify – Intuitive idea • Cut-and-choose: 50% error rate • Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches : 1/2k error rate
Review: Re-encryption mix-nets • Two operations in a mix server El-Gamal Re-encryption Permutation α1 π(1) Encrypted Messages Re- encrypted and Permuted Messages α2 π(2) αn π(n) • El-Gamal re-encryption is homomorphic • There exist two integersβandδs.t. α = β + δ • Re-encryption(ReEnc) satisfiesReEnc(m, α) = ReEnc(ReEnc(m, β), δ)
Homomorphism • El-Gamal re-encryption α = β + δ Encrypted Messages Re- encrypted Messages β δ • Permutation =
An example of a covert channel • Replacing a random number generator Random Number Generator α1 π(1) α2 π(2) αn π(n) Permutation El-Gamal Re-encryption Inputs Outputs
Solution overview • Data flow Mixing Phase Key Generation Witness Commitment Re-encryptedMessage Observer
Key generation Permutation π α1 π(1) • Conditions: αi = βi + δi, π = τ◦σ • Publicize a commitment α2 π(2) αn π(n) Permutation τ The same outputs Permutation σ The same inputs β1 δ1 σ(1) τ(1) β2 δ2 τ(2) σ(2) βn δn σ(n) τ(n)
Mixing phase • Output re-encrypted messages {A’i} and witnesses {Wi} Permutation π α1 π(1) α2 π(2) A1 A’1 αn π(n) A2 A’2 Permutation τ Permutation σ β1 δ1 σ(1) τ(1) W1 An A’n β2 δ2 τ(2) W2 σ(2) βn δn σ(n) τ(n) Wn
Interactive verification Permutation τ Permutation σ β1 δ1 σ(1) τ(1) W1 A’1 A1 β2 δ2 τ(2) W2 A’2 A2 σ(2) βn δn σ(n) τ(n) Wn A’n An Observer Mix Server 1. Choose either 0(LEFT) or 1(RIGHT) 2. Open corresponding values and hashes of the others 3. Verify that there is no variation from the previous commitment
Security improvement #1 • Proof of tamper-freeness • Probability of cheating : 1/2 • Number of commitments κ Acceptable cheating probability <1/2κ κ proofs
Security improvement #2 • Undercoverobserver • Challenges are automatically chosen from κbits of output hash({A’i}) • Non-interactive proof Stealthy observation • Attackers are hard to find non-interactive observers. Thus we called undercover observers Mixing Phase Key Generation Witness Commitment
Conclusion • A covert-channel in mix networks threatens privacy • New notion of security : Tamper-evidence, detecting variations from prescribed commitments • Stealthy operation of non-interactive observer Or, Send me an email : jychoi@cs.indiana.edu
Key generation • Commitment : Root of a Merkle hash tree ρ Hash function … … δ2 δn-1 δ1 δn β2 β1 σ τ