auditable privacy:
DESCRIPTION
Auditable Privacy:. Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington. Philippe Golle Palo Alto Research Center. Markus Jakobsson School of Informatics Indiana University at Bloomington. On Tamper-Evident Mix Networks. [email protected]. pgolle @parc.com. - PowerPoint PPT PresentationTRANSCRIPT
Auditable Privacy:On Tamper-Evident Mix Networks
Jong Youl ChoiDept. of Computer ScienceIndiana University at Bloomington
Philippe GollePalo Alto Research Center
Markus JakobssonSchool of InformaticsIndiana University at [email protected]
Page 2
Mix Networks
PublicPrivate Public
• Mixing to make tracing impossible• Used as a building block to protect
privacy or keep something anonymous
• A sequence of mix servers
Page 3What can be wrong in mix-nets• Random permutation is secret
Mix-server 1 Mix-server 2 Mix-server 3
Page 4
Possible Attacks• Aims to
– Leak secret permutations– Leak private keys– Leak any security-critical information
• Although no side channel is allowed, leaking is possible through public channel
• Information leak is noticeable only to designated accomplices (by using a covert-channel)
Page 5
Vulnerable
Good time to launch an attack
Key generation
Commitment
Mixing phase
Verification
Safe
Time
Safe
Mix-server
Observer
Tamper-evident
Page 6
How to verify – Intuitive idea• Cut-and-choose: 50% error rate
• Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches : 1/2k error rate
Page 7Review: Re-encryption mix-nets• Two operations in a mix server
• El-Gamal re-encryption is homomorphic– There exist two integers β and δ s.t. α = β + δ
– Re-encryption(ReEnc) satisfiesReEnc(m, α) = ReEnc(ReEnc(m, β), δ)
El-GamalRe-encryption
Permutation
α1
α2
αn
EncryptedMessages
Re-encrypted
andPermutedMessages
π(1)
π(2)
π(n)
Page 8
Homomorphism• El-Gamal re-encryption
EncryptedMessages
Re-encryptedMessages
α = β + δ
β δ• Permutation
=
Page 9An example of a covert channel• Replacing a random number
generator
El-GamalRe-encryption
Permutation
α1
α2
αn
Inputs
RandomNumber
Generator
Outputs
π(1)
π(2)
π(n)
Page 10
Solution overview• Data flow
Key Generation Mixing Phase
Observer
Commitment Witness
Re-encryptedMessage
Page 11
Permutation τPermutation σ
Key generation
• Conditions: αi = βi + δi , π = τ ◦ σ
• Publicize a commitment
α1
α2
αn
Permutation πTh
e s
am
e in
pu
ts
Th
e s
am
e o
utp
uts
β1
β2
βn
δ1
δ2
δn
π(1)
π(2)
π(n)
σ(1)
σ(2)
σ(n)
τ(1)
τ(2)
τ(n)
Page 12
Mixing phase• Output re-encrypted messages {A’i} and
witnesses {Wi}
Permutation τPermutation σβ1
β2
βn
δ1
δ2
δn
W1
W2
Wn
α1
α2
αn
Permutation π
A1
A2
An
A’1
A’2
A’n
π(1)
π(2)
π(n)
σ(1)
σ(2)
σ(n)
τ(1)
τ(2)
τ(n)
Page 13
Interactive verificationPermutation τPermutation σ
β1
β2
βn
δ1
δ2
δn
A1
A2
An
A’1
A’2
A’n
W1
W2
Wn
Observer Mix Server1. Choose either 0(LEFT) or 1(RIGHT)
2. Open corresponding values and hashes of the others
3. Verify that there is no variation from the previous commitment
τ(1)
τ(2)
τ(n)
σ(1)
σ(2)
σ(n)
Page 14
Security improvement #1• Proof of tamper-freeness
– Probability of cheating : 1/2
– Number of commitments κ Acceptable cheating probability < 1/2κ
κ proofs
Page 15
Security improvement #2• Undercover observer
– Challenges are automatically chosen from
κ bits of output hash({A’i})
– Non-interactive proof Stealthy observation– Attackers are hard to find non-interactive
observers. Thus we called undercover observers
Key Generation Mixing Phase
Commitment Witness
Page 16
Conclusion• A covert-channel in mix networks
threatens privacy • New notion of security :
Tamper-evidence, detecting variations from prescribed commitments
• Stealthy operation of non-interactive observer
Or, Send me an email : [email protected]
Page 17
Key generation• Commitment : Root of a Merkle hash tree
σ τ β1…
ρ
…δ1 δn
Hash function
β2 δ2 δn-1