170 likes | 180 Views
Learn about anonymous communication using digital pseudonyms and mixed cascades. Explore the encryption methods and mix misbehavior protection in this essential study from David L. Chaum.
E N D
Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms Authors: David L. Chaum, University of California, Berkeley Presented by: Murtuza Jadliwala
Electronic Mail System Sender Receiver Insecured Telecommunication Channel Email • Problem: Vulnerable to Traffic Analysis Attacks • How to hide the content of communication (message)? • How to hide who is communicating with whom? More specifically, can the sender send the message anonymously to the receiver? • Additional property needed: Untraceable return addresses CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Motivation • Electronic mail was new in the 1980’s Anonymously sending an electronic mail was a desirable requirement! • The idea of anonymous sending an electronic mail could also be used in other applications Anonymous electronic voting application • Verification that ballots have been properly counted is possible if anonymously mailed ballots are signed with pseudonyms from a roster of registered voters CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Background – Public Key Cryptography Used for providing confidentiality CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Background – Public Key Cryptography Used for providing authentication CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Notations • Assume that RSA public-key cryptosystem is used • K is the public key (known to everyone) • K-1 is the private key (known to only the sender) • M is the message. Assume all messages consists of equal sized and equal number of blocks. M = M1M2M3…ML-1 • Encryption of M by K (using RSA) is denoted as K(M). K(M) is a random mapping from M to a string of size K(M) • K-1 (K(M)) = K(K-1 (M) = M • If M = M’, then K(M) = K(M’). To overcome this problem, choose a random string, attach to the message before encrypting K(R,M) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Assumptions • No one can determine the mapping between the plaintext and the corresponding encrypted plaintext by just looking at either one of them • No one can create forge a message or a signature without the appropriate random string or private key. • Anyone may learn the origin, destination(s), and representation of all messages in the underlying telecommunication system • Anyone may inject, remove, or modify messages. CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Anonymous Mail System Kmix(R1, Kr3(R0,M),r3) Mix s1 r1 Email s2 r2 Kr3(R0,M) Email s3 r3 s4 r4 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Anonymous Mail System Mix s1 r1 • Timing and Order of arrival can leak information! How to overcome that problem? • Mix hides correspondences between its input and outputs. How is this possible? • By assumption 1 – Cryptanalytic attack not possible! • What if one item is repeated in the input and the output? How to overcome this? • Remove redundant items across multiple batches! Email s2 r2 Email Batch Email Email Email Email s3 r3 Email s4 r4 Email CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Protection against Mix Misbehavior • Mix provides signed receipts of messages to the participants, • Y= K-1mix(C, Kmix(R1, Kr3(R0,M),r3)) • If a participant is wronged, he can supply X = (Kr3(R0,M), r3), and the retained string R1,along with the signed receipt to the authorities • Authorities can verify if Kmix(Y) = C, Kmix(R1,X) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Mix Cascades r1 Mix 1 Mix 2 Mix n s1 r2 s2 … r3 s3 r4 s4 Advantage: Even if n-1mixes are misbehaving or cheating, a single honest mix can provide secrecy CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Mix Cascades • Participant provides the following to the Mix1 • Kmix1(R1, Kmix2(R2, …..Kmix n-1(Rn-1, Kmixn(Rn, Kr3(R0,M),r3))….)) • Mix1 yields a lexicographically ordered batch of items, each of the form • Kmix2(R2, …..Kmix n-1(Rn-1, Kmixn(Rn, Kr3(R0,M),r3))….) • The items in the final output batch of a cascade are of the same form as the single mix • Kr3(R0,M),r3 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Return Addresses or Certified Mail • If x can send an anonymous messages to y, is it possible for yto respond to x, while still keeping identity of x secret from y? • Anonymous mail receipt! • Solution: • The sender x forms an untraceable return address Kmix(R1,Ax), KXand includes it in the message sent through the mix • Ax is the address of x • KX is the public key chosen by x CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Return Addresses or Certified Mail Kmix(R2, Kr3(R0,M, Kmix(R1,s1), Ks1),r3) Mix s1 r1 Email s2 r2 Kr3(R0,M,Kmix(R1,s1), Ks1) Email Rcpt s3 r3 s1, R1(Ks1 (R3,M’)) Rcpt Kmix(R1,s1), Ks1 (R3,M’) s4 r4 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Return Address in Mix Cascades • With a cascade of mixes, the message part is prepared the same as for a single mix • Receiver provides the following to the MixN • KmixN(RN, Kmix N-1(RN-1, …..Kmix2(R2, K1(R1,s1))….)), Ks1(R’,M’) • MixNyields a lexicographically ordered batch of items, each of the form • KmixN-1(RN-1, …..Kmix2(R2, K1(R1,s1))….), RN(Ks1(R’,M’)) • The items in the final output batch of a cascade are of the same form as the single mix • s1, R1(…..RN-1(RN(Ks1(R’,M’)))…) CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
Application: Anonymous Electronic Voting • Digital Pseudonym: Public key of anonymous holder (used to verify signatures made by him) • Roster: Collection of “digital pseudonyms” of acceptable anonymous holders maintained by an authority • How can an authority form a roster of anonymous pseudonyms? • Roster could contain a pseudonyms of registered voters • Anonymous Voting: For a single mix, • Each voter submits a ballot of the form Kmix( R1, K, K-1( C, V )), where K is the voter’s pseudonym and V is the vote • Items in the final lexicographically ordered output batch are of the form K, K-1( C, V ) duplicates need to be avoided in this batch • Check if the pseudonym K correctly decrypts the signed vote V • If the above is verified, check if K appears in the roster of registered voters • The above can be easily extended for a cascading mix CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)
General Purpose Anonymous Mail Systems • To prevent misbehavior in single mix systems: • Require all messages pass through mix cascades • To hide the number of messages sent: • All senders send messages to the mix (in a batch) Some senders send dummy messages • To hide the number of messages received: • Each receiver searches the entire output for messages directed to it • Both the above approaches are too costly • One solution is to use only subsets rather than entire sets of senders/receivers • If a message passes through K mixes in the cascade and contains L blocks (L-K content block, K address blocks) • Problem: How to hide the number of mixes a message passes through Each mix typically strips off 1 address block? • Solution: For each mix the message passes through, remove the corresponding address block, but add a junk content block!So number of block in each message is constant CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)