Robust Sender Anonymity
Tamara Rezk
FMCrypto (work in progress)
G. Barthe, A. Hevia, Z. Luo, T. Rezk, B. Warinschi
April, 28th – Campinas, Brazil

Anonymity Protocols
• Hide the identity associated to a message
• The message may be public. Example: voting
• Different kinds of anonymity properties

Anonymity Properties
• Receiver anonymity
• Sender Unlinkability (SUL)
• Receiver Unlinkability (RUL)
• Sender-Receiver Unlinkability (UL)
• Sender Anonymity (SA)
• Strong Sender Anonymity (SA*)
• Receiver Anonymity (RA)
• Strong Receiver Anonymity (RA*)
• Sender-Receiver Anonymity (SRA)
• Unobservability (UO)

Anonymity Properties Characterizations [Micciancio&Hevia06]
M = (mij), where mij = sets of messages from party i to party j
[Figure: example message matrix M]
(Thanks Alejandro for this slide)

Capturing information leaks
• By restricting the matrix pair M0, M1
• Let f(M) be the information leaked
• Requirement: f(M0) = f(M1)
• Example of leaked information:
[Figure: matrices M0 and M1, marked "= multiset" for each row i]
(Thanks Alejandro for this slide)

The anonymity property for protocol P
Hypothesis: f(M0) = f(M1)
CA :=
  b := {0,1};
  if (b = 0) then {m := M0} else {m := M1};
  S ← P(m);
  g ← A(S, f(m))
| Pr[CA; g = b] - ½ | is negligible in the security parameter

Motivation
• Anonymity in the case of active adversaries
• Case study: DC-Nets
• Robustness was not what we expected it to be
• Work: definition of robustness

Robust anonymous protocol
• A protocol that is anonymous (it does not leak the identity of the participants)

Robust anonymous protocol
• A protocol that is anonymous even if some of the participants are corrupt
• Honest messages can be delivered even if dishonest participants do not follow the protocol

Robust anonymous protocol
• Anonymity property for active adversaries
• Robustness property

The anonymity property for protocol P for active adversaries
Hypothesis: f(M0) = f(M1)
CRA :=
  b := {0,1};
  if (b = 0) then {m := M0} else {m := M1};
  g ← A[P(m)](f(m))
| Pr[CRA; g = b] - ½ | is negligible in the security parameter

Dining Cryptographers Protocol (DC-nets)
• Bitwise XOR [Chaum88]
  • Not robust
• Bilinear Maps [GolleJuels04]
  • Robust
What exactly does the word “robust” assure?

The robust DC-nets protocol 1/4
initialization
In this phase:
• a non-degenerate pairing e : G1 × G1 → G2
• generators g, h of a cyclic group G1
• a hash function H: {0,1}* → G1
• a private key xi and public key yi = g^xi (secret xi is (t,n)-shared)
• a common reference string

The robust DC-nets protocol 2/4
initialization, transmission
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.

transmission
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
[Figure: vector with positions 1, 2, …, i, …, n]
Padding of participant i: ∏_{j≠i} e(H(s||2), yj)^(xi*c). Coefficient c is 1 if i<j or -1 otherwise.
Message m transmission: ∏_{j≠i} e(H(s||2), yj)^(xi*c) * m

transmission
If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages.
[Figure: Vector Party 1 * … * Vector Party n = (m1, m2, …, mn), positions 1 to n]

transmission
Example for 2 participants: n=2
Vector Party 1:
  position 1: e(H(s||1), y2)^x1
  position 2: e(H(s||2), y2)^x1 * m2
Vector Party 2:
  position 1: e(H(s||1), y1)^-x2 * m1
  position 2: e(H(s||2), y1)^-x2
transmission result (Vector Party 1 * Vector Party 2):
  position 1: m1
  position 2: m2
Derivation for position 1:
  e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1
= {public key inlining}
  e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1
= {bilinearity}
  e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1
= {commutativity}
  e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1
= {inverse *}
  m1

transmission
If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fails!
[Figure: Vector Party 1 * … * Vector Party n = (m1, m2, …, mn), positions 1 to n]

transmission
Vectors are transmitted with a proof of knowledge (zkpk).
For all positions in the vector there is a valid padding, except for at most one position.

The robust DC-nets protocol 3/4
initialization, transmission, reconstruction
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.

reconstruction
In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using threshold cryptography.
After this phase, we are left with a set of valid vectors, that is: for all positions in the vector there is a valid padding, except for at most one position.

The robust DC-nets protocol 4/4
initialization, transmission, reconstruction, recuperation

recuperation
In this phase: all vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication.
[Figure: Vector Party 1 * … * Vector Party n = (m1, m2, …, mn), positions 1 to n]

What exactly does the word “robust” assure?
• If the vector is correct, then there is a unique message in the vector
• An adversary may violate the slot reservation protocol to intentionally produce a collision
• For each collision, one honest message is not delivered

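Added example (not from the original slides): a toy Python model of the transmission and recuperation phases for n = 3, showing that the paddings cancel and that a slot collision passes the per-vector validity condition while an honest message is lost. The pairing, primes, keys, session string and messages are constructed toy values with no security, and `valid` is a hypothetical stand-in for the zkpk statement.

```python
import hashlib

# Toy bilinear map, NOT secure: a G1 element a*g is stored as its exponent a,
# so e(a*g, b*g) = GT^(a*b). All parameters below are constructed for the demo.
P, Q, GT = 2039, 1019, 4        # P = 2Q + 1; GT generates the order-Q group G2
X = [17, 301, 512]              # private keys x_i
Y = [x % Q for x in X]          # public keys y_i = x_i * g (as exponents)

def e(a, b):
    return pow(GT, (a * b) % Q, P)

def H(s, k):
    digest = hashlib.sha256(f"{s}||{k}".encode()).digest()
    return int.from_bytes(digest, "big") % Q

def pad(i, k, s):
    """prod over j != i of e(H(s||k), y_j)^(x_i * c), c = 1 if i < j else -1."""
    out = 1
    for j, yj in enumerate(Y):
        if j != i:
            c = 1 if i < j else -1
            out = out * pow(e(H(s, k), yj), (c * X[i]) % Q, P) % P
    return out

def vector(i, slot, m, s):
    """Padding at every position, padding * m at the chosen slot."""
    v = [pad(i, k, s) for k in range(len(X))]
    v[slot] = v[slot] * m % P
    return v

def valid(i, v, s):
    """Stand-in for the zkpk statement: at most one position is not padding."""
    return sum(v[k] != pad(i, k, s) for k in range(len(v))) <= 1

def recuperate(vectors):
    """Position-wise product of all vectors; the paddings cancel."""
    out = [1] * len(vectors[0])
    for v in vectors:
        out = [a * b % P for a, b in zip(out, v)]
    return out

def run(slots, msgs, s="round-1"):
    vs = [vector(i, slots[i], msgs[i], s) for i in range(len(X))]
    return all(valid(i, v, s) for i, v in enumerate(vs)), recuperate(vs)

if __name__ == "__main__":
    print(run([0, 1, 2], [4, 9, 25]))   # honest slot reservation
    print(run([0, 0, 2], [4, 9, 25]))   # party 1 reuses party 0's slot
```

In the second run every vector still satisfies the validity condition, yet position 0 holds the product of two messages and position 1 is empty.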
We propose to state this formally by defining a: Robustness property

Sender robustness, t-n
SR :=
  M,N ← A0;
  m := M++N;
  S ← P[A](m);
  if (#(M ∩ S) < 2t-n) then b’ := 1 else b’ := 0
Pr[SR; b’=1] is negligible in the security parameter

Sender Robustness Violation 1
Example for 2 participants: n=2
Vector Party 1:
  position 1: 1
  position 2: e(H(s||2), y2)^x1 * m2
Vector Party 2:
  position 1: e(H(s||1), y1)^-x2 * m1
  position 2: e(H(s||2), y1)^-x2
transmission result (Vector Party 1 * Vector Party 2):
  position 1: ????
  position 2: m2

Sender Robustness Violation 2
Example for 2 participants: n=2
Vector Party 1:
  position 1: e(H(s||2), y2)^x1 * m2
  position 2: e(H(s||2), y2)^x1 * m2
Vector Party 2:
  position 1: e(H(s||1), y1)^-x2 * m1
  position 2: e(H(s||2), y1)^-x2
transmission result (Vector Party 1 * Vector Party 2):
  position 1: ????
  position 2: m2

Sender Robustness
Example for 2 participants: n=2
Vector Party 1:
  position 1: e(H(s||2), y2)^x1 * m2
  position 2: e(H(s||2), y2)^x1
Vector Party 2:
  position 1: e(H(s||1), y1)^-x2 * m1
  position 2: e(H(s||2), y1)^-x2
transmission result (Vector Party 1 * Vector Party 2):
  position 1: m1*m2
  position 2: m2
This is considered secure!

A stronger robustness property
Confusion resistant t-n
CR :=
  M,N ← A0;
  m := M++N;
  S ← P[A(m)];
  if honest received < honest-dishonest then b’ := 1 else b’ := 0
Pr[CR; b’=1] is negligible in the security parameter

A stronger robustness property
Confusion resistant t-n
CR :=
  M,N ← A0;
  m := M++N;
  S ← P[A(m)];
  if honest not received + dishonest received > dishonest then b’ := 1 else b’ := 0
Pr[CR; b’=1] is negligible in the security parameter

A stronger robustness property
Confusion resistant t-n
CR :=
  M,N ← A0;
  m := M++N;
  S ← P[A(m)];
  if (#(S\M) + #(M\S) > n-t) then b’ := 1 else b’ := 0
Pr[CR; b’=1] is negligible in the security parameter

Confusion Resistant Violation
Example for 2 participants: n=2
Vector Party 1:
  position 1: e(H(s||2), y2)^x1 * m2
  position 2: e(H(s||2), y2)^x1
Vector Party 2:
  position 1: e(H(s||1), y1)^-x2 * m1
  position 2: e(H(s||2), y1)^-x2
transmission result (Vector Party 1 * Vector Party 2):
  position 1: m1*m2
  position 2: m2

Theorems and Remarks
• Theo: DC-Nets is sender anonymous
• Theo: DC-Nets is sender robust
• Remark: DC-Nets is not confusion resistant
Solution?: messages should be “sealed” in such a way that multiplication of two seals produces another seal only with negligible probability

Conclusions
• We have proposed 2 properties to formally specify robustness of sender anonymous protocols
• We have detected that the GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol
• Open questions: how to implement the stronger GJ? how do all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?