ccc event blog - dcnetworks – the protocol · 2016-11-23 · 28 dcnetworks the protocol threshold...
TRANSCRIPT
![Page 1: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/1.jpg)
Immanuel Scholz
DCNetworks – The Protocol
![Page 2: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/2.jpg)
2
DCNetworks The Protocol
toc
Introduction
Time
Excluding bad clients
Key Exchange
Ondemand disclosure
Literature
![Page 3: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/3.jpg)
3
DCNetworks The Protocol
Introduction
![Page 4: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/4.jpg)
4
DCNetworks The Protocol
Is the meal paid by one of the cryptographers?
Bob
Alice Charlie
kab
key exchange
−kab
key exchange
kbc
−kbc
key exchange−kackac
Introduction
![Page 5: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/5.jpg)
5
DCNetworks The Protocol
Is the meal paid by one of the cryptographers?
Bob
Alice Charlie
key exchange key exchange
key exchange
kab
−kab kbc
−kbc
−kackac
Introduction
Bob:
−kabkbcmbob
Alice:
kabkacmalice
Charlie:
−kac−kbcmcharlie
Everybody:kabkacmalice−kabkbcmbob−kac−kbcmcharlie
=malicembobmcharlie
![Page 6: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/6.jpg)
6
DCNetworks The Protocol
Remember the onetimepad
If an attacker knows and if k is random, he doesnot learn anything about m
In other words: Key k “hides” the cleartext m
km
km
Introduction
![Page 7: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/7.jpg)
7
DCNetworks The Protocol
Bob does not learn anything
Bob
Alice Charlie
key exchange key exchange
key exchange
kab
−kab kbc
−kbc
−kackac
Introduction
Bob:
−kabkbcmbob
Alice:
kabkacmalice
Charlie:
−kac−kbcmcharlie
Bob can learn:
kacmalice and −kacmcharlie
![Page 8: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/8.jpg)
8
DCNetworks The Protocol
Sender and receiver anonymity
Everybody exchanges keys with everybody
Sender Anonymity
Everybody gets every message
Receiver Anonymity
Introduction
![Page 9: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/9.jpg)
9
DCNetworks The Protocol
Time
![Page 10: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/10.jpg)
10
DCNetworks The Protocol
Rounds, separated by ticks
In each round, each client needs to:
Get the list of all participants (may have changed)
Prepare and send the new message
Get the message of the last round
Know, that all others have received the message of the last round
Time
![Page 11: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/11.jpg)
11
DCNetworks The Protocol
The protocol
Time
Tick TickRound
Client
get participants
sendreceive message
add all keys
receive confirmationthat othersgot message
Server
![Page 12: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/12.jpg)
12
DCNetworks The Protocol
Timing attack
Attacker knows who sends at which time
A client answering too fast did not send the answer
Alice
"Everything understandable?"
"No, the lecturer sucks!!1!"
Aliceotherparticipants
too short for human reaction
otherparticipants
Time
![Page 13: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/13.jpg)
13
DCNetworks The Protocol
Timing attack
Solution: Server return message after client sends
All clients receive messages delayed at least one round
Nice side effects:
Only client → server communication (“firewallproof”)
Client receives implicit confirmation(or else last round message is broken)
Time
![Page 14: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/14.jpg)
14
DCNetworks The Protocol
The protocol
Time
Tick TickRound
Client
get participants
send
add all keys
receive message =confirmation
Tick
receive message =confirmationof last round
sendnextround
get participants
add all keys
Round
![Page 15: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/15.jpg)
15
DCNetworks The Protocol
Excluding bad clients
![Page 16: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/16.jpg)
16
DCNetworks The Protocol
Broken and malicious clients
Broken clients
Server logs out any client that did not send
Ban lists, reputation systems etc...
Malicious clients
Anonymous reservation scheme and trap messages
Google “DSuKrypt.pdf”, page 191192, 202203
Excluding bad clients
![Page 17: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/17.jpg)
17
DCNetworks The Protocol
Key Exchange
![Page 18: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/18.jpg)
18
DCNetworks The Protocol
Remember: Diffie & Hellman
Key Exchange
Serverp,q
Alice Bob
choose xalice choose xbob
qxalicemodp qxbobmodppublish
kab=qxbobxalice=qxalice xbob kab=qxalice
xbob=qxalicexbob
![Page 19: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/19.jpg)
19
DCNetworks The Protocol
Diffie & Hellman
No direct client to client communication needed
Complete key graph
Easy distribution
Exchange seeds for random number generator
Unfortunately, keys become “provable”
But: Clients can always exchange real onetimepads(they even do not have to tell the server)
Key Exchange
![Page 20: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/20.jpg)
20
DCNetworks The Protocol
Ondemand disclosure
![Page 21: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/21.jpg)
21
DCNetworks The Protocol
Original scheme by David Chaum
Participants sign round keys
Alice and Bob exchange their signatures
In case of “disclosure”, all participants publish their keys
Alice verifies Bob's key and vice versa
Ondemand disclosure
![Page 22: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/22.jpg)
22
DCNetworks The Protocol
"Watchmen" scheme
n predefined watchmen may work together to disclose sender
Client splits round key into n parts
Send one part to each watchman
In case of “disclosure”, all watchmen post their parts to reconstruct the round key
Ondemand disclosure
![Page 23: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/23.jpg)
23
DCNetworks The Protocol
How to split a key
Ondemand disclosure
How to split a key k into n parts k1 to kn?Generate n−1 independent random numbers r1 to rn−1
ki=r i for all but kn
kn=k∑i=1
n−1
−r i
To join parts together, add them
∑i=1
n
ki =∑i=1
n−1
kikn =∑i=1
n−1
r ik∑i=1
n−1
−r i =k
![Page 24: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/24.jpg)
24
DCNetworks The Protocol
Split keys to Dickens and Elisa
Bob
Alice Charlie
Ondemand disclosure
Dickens Elisa
r a
kabkac−rar c
−kac−kbc−r c
r b −kabkbc−r b
![Page 25: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/25.jpg)
25
DCNetworks The Protocol
Split keys to Dickens and Elisa
Bob
Alice Charlie
Ondemand disclosure
Dickens ElisaDickens says:
r ar br c
Elisa says:
kabkac−r a−kabkbc−r b−kac−kbc−r c
=−r a−r b−rc
Everyone:
0
![Page 26: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/26.jpg)
26
DCNetworks The Protocol
Why do the watchmen learn nothing?
The first watchmen receive random numbers. Obviously, they learn nothing about k
The published valuesonly consist of random numbers
Ondemand disclosure
k∑i=1
n−1
−r i is a onetimepad with ∑i=1
n−1
−r i as key
n−1
r arbr c and −r a−rb−r c
![Page 27: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/27.jpg)
27
DCNetworks The Protocol
Problem: Conspiration
Alice and Bob exchange an additional key
They add to their round message, but not to the key sent to Dickens and Elisa
Sum of Dickens and Elisa is still 0
On “disclosure”, both round keys from Alice and Bob mismatch (by resp. )
Of course, both could be considered “bad guys”
Ondemand disclosure
lab
lab
lab −lab
![Page 28: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/28.jpg)
28
DCNetworks The Protocol
Threshold secret sharing scheme
Reduce number of watchmen necessary for disclosure, e.g. “5 out of 10”
Google “DSuKrypt.pdf”, page 131133
Using Adi Shamirs polynomial interpolation, some restrictions occur
All participants must use same set of watchmen (may be necessary anyway)
Each watchman must get the same xcoordinates from every participant
Ondemand disclosure
![Page 29: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/29.jpg)
29
DCNetworks The Protocol
Comparison
Comparing the disclosure scheme by David Chaum:
Both schemes are insecure against conspirations
Using watchmen, a conspiration can not be formed after the message is published
Using watchmen, no communication to the participants needed after message is published
The disclosure can be kept secret
Ondemand disclosure
![Page 30: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/30.jpg)
30
DCNetworks The Protocol
Serverless
Why do we need a server at all?
Participants publish their rounds on MySpace, Blog, Forum etc.
Login by invitation: Someone send the new participants DHkey + Publishing URL within the DCNetwork
AutoLogout by “not publishing once”
Who is going to do the data retention? ;)
Ondemand disclosure
![Page 31: CCC Event Blog - DCNetworks – The Protocol · 2016-11-23 · 28 DCNetworks The Protocol Threshold secret sharing scheme Reduce number of watchmen necessary for disclosure, e.g](https://reader034.vdocuments.us/reader034/viewer/2022042403/5f16ddded4dfde22e63a79be/html5/thumbnails/31.jpg)
31
DCNetworks The Protocol
Thanks
Interesting stuff:D.Chaum, “The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability”(Journal of Cryptology, vol. 1 no. 1, 1988, pp. 6575 or http://www.cs.cornell.edu/People/egs/herbivore/dcnets.html)
A.Pfitzmann, “Datensicherheit und Kryptographie”(http://dud.inf.tudresden.de/~pfitza/DSuKrypt.html, pp 176199 and 123125. German language)
Literature