460 likes | 606 Views
Practical(?) And Provably Secure Anonymity. Nick Hopper. Sender -Anonymous Communication: The “Love Letter Problem”. Who?. You have a secret admirer!. Alex. Eve, The Net Admin. Receiver-Anonymous Communication: The Whistleblower’s problem. Eve. ?. E PK (“AUDIT ACME!”). IRS. Alex.
E N D
Practical(?) And Provably Secure Anonymity Nick Hopper
Sender-Anonymous Communication: The “Love Letter Problem” Who? You have a secret admirer! Alex Eve, The Net Admin Nick Hopper - Crypto/Security Seminar
Receiver-Anonymous Communication: The Whistleblower’s problem Eve ? EPK(“AUDIT ACME!”) IRS Alex Nick Hopper - Crypto/Security Seminar
Previous Work on anonymous communication • Mix-Net/Onion routing: • Efficient, but not (yet) provably secure • DC-Nets • Provably secure, but not efficient Nick Hopper - Crypto/Security Seminar
Mix-Net E EMIX(C,M3) EMIX(D,M1) EMIX(E,M5) A D Mix EMIX(E,M2) EMIX(D,M4) C B Nick Hopper - Crypto/Security Seminar
Mix-Net E EMIX(D,M1) EMIX(E,M2) A EMIX(C,M3) D Mix EMIX(D,M4) EMIX(E,M5) C B Nick Hopper - Crypto/Security Seminar
Mix-Net E D,ED(M1) E,EE(M2) A C,EC(M3) D Mix D,ED(M4) E,EE(M5) C B Nick Hopper - Crypto/Security Seminar
Mix-Net E D,ED(M1) E,EE(M2) A C,EC(M3) D Mix D,ED(M4) E,EE(M5) C B Nick Hopper - Crypto/Security Seminar
Mix-Net EE(M5) EE(M2) E ED(M1) A ED(M4) D Mix EC(M3) C B Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing EH(M) E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing EF(H,EH(M)) E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing EB(F,EF(H,EH(M))) E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing EE(B,EB(F,EF(H,EH(M)))) E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing EB(F,EF(H,EH(M))) E A G C B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C EF(H,EH(M)) B F D H Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C B F EH(M) D H Nick Hopper - Crypto/Security Seminar
Onion Routing E A G C B F M D H Nick Hopper - Crypto/Security Seminar
DC Net: Multiparty Sum XA A XC XB C B XD D Nick Hopper - Crypto/Security Seminar
DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA A XC XB C B SCA+SCB+SCC+SCD = XB SBA+SBB+SBC+SBD = XB XD D SDA+SDB+SDC+SDD = XD Nick Hopper - Crypto/Security Seminar
DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA A SAB SAC XC XB SAD C B SCA+SCB+SCC+SCD = XB SBA+SBB+SBC+SBD = XB XD D SDA+SDB+SDC+SDD = XD Nick Hopper - Crypto/Security Seminar
DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA SA = SAA + SBA + SCA+SDA A SA SC XC SB XB C B SD SCA+SCB+SCC+SCD = XB SC = SAC + SBC + SCC+SDC SBA+SBB+SBC+SBD = XB SB = SAB + SBB + SCB+SDB XD D SDA+SDB+SDC+SDD = XD SD = SAD + SBD + SCD+SDD Nick Hopper - Crypto/Security Seminar
DC Net: Multiparty Sum XA SAA+SAB+SAC+SAD = XA SA = SAA + SBA + SCA+SDA X = SA + SB + SC + SD = XA + XB + XC + XD XC XB C B SCA+SCB+SCC+SCD = XB SC = SAC + SBC + SCC+SDC SBA+SBB+SBC+SBD = XB SB = SAB + SBB + SCB+SDB XD D SDA+SDB+SDC+SDD = XD SD = SAD + SBD + SCD+SDD Nick Hopper - Crypto/Security Seminar
How to use multiparty sum for anonymity • If XA = XB = XC = 0 then X=XD! • If more than one non-zero: collision • Use standard networking techniques • Provably, Perfectly secure against passive adversary. • Problems: • Inefficient – O(n3) protocol messages/ anonymous message • Easy to JAM it! Nick Hopper - Crypto/Security Seminar
Efficiency “Issue” • “Perfect” security requires (n2) protocol messages per anonymous message • Relax to k-anonymity: every message could have been from or to k participants Nick Hopper - Crypto/Security Seminar
k-anonymous message transmission (k-AMT) Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair P2 P3 s1,2 s1,3 s1,4 P1 P4 s1,1+s1,2+s1,3+s1,4 = (Gt,Mt) Nick Hopper - Crypto/Security Seminar
How to compromise k-anonymity • If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee. • So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means. Nick Hopper - Crypto/Security Seminar
How to break k-AMT (I) • Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead. • This will randomize the result of the DC-Net protocol, preventing Alice from transmitting. Nick Hopper - Crypto/Security Seminar
Stopping the “randomizing” attack • Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input. • These commitments allow verification of her subsequent actions. Nick Hopper - Crypto/Security Seminar
P2 P3 P1 P4 k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) C1 C1 C1 Nick Hopper - Crypto/Security Seminar
k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) P2 P3 C2 C3 P1 P4 C4 Nick Hopper - Crypto/Security Seminar
How to break k-AMT (II) • The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn. • So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line. Nick Hopper - Crypto/Security Seminar
Accommodating more than one sender per turn • Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values. • If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting. Nick Hopper - Crypto/Security Seminar
Accommodating more than one sender per turn Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t so that msi,j,t =xi,j P2 P3 C1,1..2k C1,1..2k P1 P4 C1,1..2k Nick Hopper - Crypto/Security Seminar
Accommodating more than one sender per turn • Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit. • If not, somebody has cheated and used at least 2 turns. How do we catch the cheater? Nick Hopper - Crypto/Security Seminar
Catching a cheater • Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot. • If someone did cheat, she will have a very low probability of convincing the group she did not. Nick Hopper - Crypto/Security Seminar
Zero-Knowledge proof of protocol conformance • Pi (All): Pick permutation ρ on {1…2k} Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) • (All) Pi: b {0,1} • Pi (All): if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x) Nick Hopper - Crypto/Security Seminar
Efficiency • O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead • Cheaters are caught with high probability • Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins) Nick Hopper - Crypto/Security Seminar
Another problem: Abuse • Anonymous communications could be used for bad things: • Kidnapping & Ransom Notes • Child Pornography • Libel • Excessive Multi Posting • How to deal with it fairly? Nick Hopper - Crypto/Security Seminar
Selective Tracing • Participants agree to a “tracing policy:” • Set of voters V • Set of sets of voters V. • Anytime a “bad” message is sent, when any set of users v 2V agree, the message can be traced to its sender. Nick Hopper - Crypto/Security Seminar
Example Tracing Policies • Threshold tracing: if at least t users agree (e.g. 90%) • Court tracing: if at least 5/9 justices agree • LEA tracing: if FBI, CIA, NSA, DHS, ATF, or DEA want to trace. Nick Hopper - Crypto/Security Seminar
Support for selective traceability • Assume for now singleton voter V. • V publishes ElGamal public key GX. • Recall that for each slot we have R = ri, S = i Ci = gMhR • For each slot compute a = GR b = g-MyR = ZK{logg a = loghy Sb} Nick Hopper - Crypto/Security Seminar
Support for selective traceability • V publishes ElGamal public key GX. • For each slot compute a = GR b = g-MyR • V can trace M by checking for each user whether aXb = g-M. • Extend to arbitrary tracing policy using “Threshold Cryptography” Nick Hopper - Crypto/Security Seminar
Open Questions • What is a good way to model security of onion-routing type protocols? • Is k-AMT really practical? Can it be improved on? • Can we make a provably secure variant of onion routing with selective traceability? • Coercibility. Nick Hopper - Crypto/Security Seminar