practical(?) and provably secure anonymity
DESCRIPTION
Practical(?) And Provably Secure Anonymity. Nick Hopper. Sender -Anonymous Communication: The “Love Letter Problem”. Who?. You have a secret admirer!. Alex. Eve, The Net Admin. Receiver-Anonymous Communication: The Whistleblower’s problem. Eve. ?. E PK (“AUDIT ACME!”). IRS. Alex. - PowerPoint PPT PresentationTRANSCRIPT
Practical(?) And Provably Secure Anonymity
Nick Hopper
Nick Hopper - Crypto/Security Seminar 204/19/23
Sender-Anonymous Communication: The “Love Letter Problem”
You have a secret
admirer!
Alex Eve,The Net Admin
Who?
Nick Hopper - Crypto/Security Seminar 304/19/23
Receiver-Anonymous Communication: The Whistleblower’s problem
Alex
Eve
IRS
??EPK(“AUDIT ACME!”)
Nick Hopper - Crypto/Security Seminar 404/19/23
Previous Work on anonymous communication Mix-Net/Onion routing:
Efficient, but not (yet) provably secure DC-Nets
Provably secure, but not efficient
Nick Hopper - Crypto/Security Seminar 504/19/23
Mix-Net
Mix
A
E
D
CB
EMIX(D,M1)
EMIX(E,M2)
EMIX(C,M3)
EMIX(D,M4)
EMIX(E,M5)
Nick Hopper - Crypto/Security Seminar 604/19/23
Mix-Net
Mix
A
E
D
CB
EMIX(D,M1)
EMIX(E,M2)
EMIX(C,M3)
EMIX(D,M4)
EMIX(E,M5)
Nick Hopper - Crypto/Security Seminar 704/19/23
Mix-Net
Mix
A
E
D
CB
D,ED(M1)
E,EE(M2)
C,EC(M3)
D,ED(M4)
E,EE(M5)
Nick Hopper - Crypto/Security Seminar 804/19/23
Mix-Net
Mix
A
E
D
CB
D,ED(M1)
E,EE(M2)
C,EC(M3)
D,ED(M4)
E,EE(M5)
Nick Hopper - Crypto/Security Seminar 904/19/23
Mix-Net
Mix
A
E
D
CB
ED(M1)
EE(M2)
EC(M3)
ED(M4)
EE(M5)
Nick Hopper - Crypto/Security Seminar 1004/19/23
Onion Routing
A
B
C
D
F
E
H
G
Nick Hopper - Crypto/Security Seminar 1104/19/23
Onion Routing
A
B
C
D
F
E
H
G
Nick Hopper - Crypto/Security Seminar 1204/19/23
Onion Routing
A
B
C
D
F
E
H
G
Nick Hopper - Crypto/Security Seminar 1304/19/23
Onion Routing
A
B
C
D
F
E
H
G
EH(M)
Nick Hopper - Crypto/Security Seminar 1404/19/23
Onion Routing
A
B
C
D
F
E
H
G
EF(H,EH(M))
Nick Hopper - Crypto/Security Seminar 1504/19/23
Onion Routing
A
B
C
D
F
E
H
G
EB(F,EF(H,EH(M)))
Nick Hopper - Crypto/Security Seminar 1604/19/23
Onion Routing
A
B
C
D
F
E
H
G
EE(B,EB(F,EF(H,EH(M))))
Nick Hopper - Crypto/Security Seminar 1704/19/23
Onion Routing
A
B
C
D
F
E
H
G
EB(F,EF(H,EH(M)))
Nick Hopper - Crypto/Security Seminar 1804/19/23
Onion Routing
A
B
C
D
F
E
H
G
EF(H,EH(M))
Nick Hopper - Crypto/Security Seminar 1904/19/23
Onion Routing
A
B
C
D
F
E
H
G
EH(M)
Nick Hopper - Crypto/Security Seminar 2004/19/23
Onion Routing
A
B
C
D
F
E
H
G
M
Nick Hopper - Crypto/Security Seminar 2104/19/23
DC Net: Multiparty Sum
A
BC
D
XA
XB
XD
XC
Nick Hopper - Crypto/Security Seminar 2204/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB
Nick Hopper - Crypto/Security Seminar 2304/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB
SAB
SAD
SAC
Nick Hopper - Crypto/Security Seminar 2404/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
SA = SAA + SBA + SCA+SDA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SD = SAD + SBD + SCD+SDD
SBA+SBB+SBC+SBD = XB
SB = SAB + SBB + SCB+SDB
SCA+SCB+SCC+SCD = XB
SC = SAC + SBC + SCC+SDC
SB
SA
SC
SD
Nick Hopper - Crypto/Security Seminar 2504/19/23
DC Net: Multiparty Sum
BC
D
XA
SAA+SAB+SAC+SAD = XA
SA = SAA + SBA + SCA+SDA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SD = SAD + SBD + SCD+SDD
SBA+SBB+SBC+SBD = XB
SB = SAB + SBB + SCB+SDB
SCA+SCB+SCC+SCD = XB
SC = SAC + SBC + SCC+SDC
X = SA + SB + SC + SD
= XA + XB + XC + XD
Nick Hopper - Crypto/Security Seminar 2604/19/23
How to use multiparty sum for anonymity If XA = XB = XC = 0 then X=XD! If more than one non-zero: collision Use standard networking techniques Provably, Perfectly secure against passive
adversary. Problems:
Inefficient – O(n3) protocol messages/ anonymous message
Easy to JAM it!
Nick Hopper - Crypto/Security Seminar 2704/19/23
Efficiency “Issue”
“Perfect” security requires (n2) protocol messages per anonymous message
Relax to k-anonymity: every message could have been from or to k participants
Nick Hopper - Crypto/Security Seminar 2804/19/23
k-anonymous message transmission (k-AMT)
Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair
P1
P2
P3
P4s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)
s1,2
s1,3
s1,4
Nick Hopper - Crypto/Security Seminar 2904/19/23
How to compromise k-anonymity
If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.
So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.
Nick Hopper - Crypto/Security Seminar 3004/19/23
How to break k-AMT (I)
Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.
This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.
Nick Hopper - Crypto/Security Seminar 3104/19/23
Stopping the “randomizing” attack
Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.
These commitments allow verification of her subsequent actions.
Nick Hopper - Crypto/Security Seminar 3204/19/23
k-anonymous message transmission (k-AMT) with VSS
Before starting, each player commits to si,1
…si,k viaPedersen commitment C(s,r)=gshr
P1
P2
P3
P4
s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)
C 1
1 gs1,1hr1,1
2 gs1,2hr1,2
3 gs1,3hr1,3
4 gs1,4hr1,4
C1
C1
C1
Nick Hopper - Crypto/Security Seminar 3304/19/23
k-anonymous message transmission (k-AMT) with VSS
Before starting, each player commits to si,1
…si,k viaPedersen commitment C(s,r)=gshr
P1
P2
P3
P4
s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)
C 1… k
1 gs1,1hr1,1 gsk,1hrk,1 gs1hr
2 gs1,2hr1,2 gsk,2hrk,2 gs2hr
3 gs1,3hr1,3 gsk,3hrk,3 gs3hr
4 gs1,4hr1,4 gsk,4hrk,4 gs4hr
gx1hr gxkhr
C2
C3
C4
Nick Hopper - Crypto/Security Seminar 3404/19/23
How to break k-AMT (II)
The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.
So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.
Nick Hopper - Crypto/Security Seminar 3504/19/23
Accommodating more than one sender per turn Idea: we can run several turns in parallel.
Instead of sending commitments to shares of a single value, generate shares of 2k values.
If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.
Nick Hopper - Crypto/Security Seminar 3604/19/23
Accommodating more than one sender per turn
Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t
so that msi,j,t =xi,j
P1
P2
P3
P4
C 1,1… 1,2k
1 gs1,1,1hr1,1 gs1,2k,1hrk,1
2 gs1,1,2hr1,2 gs1,2k,2hrk,2
3 gs1,1,3hr1,3 gs1,2k,,3hrk,3
4 gs1,1,4hr1,4 gs1,2k,4hrk,4
gx1,1hr gx1,khr
C1,1..2k
C1,1..2k
C1,1..2k
Nick Hopper - Crypto/Security Seminar 3704/19/23
Accommodating more than one sender per turn Suppose at the end of the protocol, at
least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.
If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?
Nick Hopper - Crypto/Security Seminar 3804/19/23
Catching a cheater
Idea: each party can use her committed values to prove (in zero knowledge) that she transmitted in at most one slot, without revealing that slot.
If someone did cheat, she will have a very low probability of convincing the group she did not.
Nick Hopper - Crypto/Security Seminar 3904/19/23
Zero-Knowledge proof of protocol conformance Pi (All):
Pick permutation ρ on {1…2k}
Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) (All) Pi: b {0,1} Pi (All):
if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x)
Nick Hopper - Crypto/Security Seminar 4004/19/23
Efficiency
O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead
Cheaters are caught with high probability Zero Knowledge proofs are Honest Verifier
and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)
Nick Hopper - Crypto/Security Seminar 4104/19/23
Another problem: Abuse
Anonymous communications could be used for bad things:Kidnapping & Ransom NotesChild PornographyLibelExcessive Multi Posting
How to deal with it fairly?
Nick Hopper - Crypto/Security Seminar 4204/19/23
Selective Tracing
Participants agree to a “tracing policy:”Set of voters VSet of sets of voters V.
Anytime a “bad” message is sent, when any set of users v 2 V agree, the message can be traced to its sender.
Nick Hopper - Crypto/Security Seminar 4304/19/23
Example Tracing Policies
Threshold tracing: if at least t users agree (e.g. 90%)
Court tracing: if at least 5/9 justices agree LEA tracing: if FBI, CIA, NSA, DHS, ATF,
or DEA want to trace.
Nick Hopper - Crypto/Security Seminar 4404/19/23
Support for selective traceability
Assume for now singleton voter V. V publishes ElGamal public key GX. Recall that for each slot we have
R = ri,
S = i Ci = gMhR
For each slot compute a = GR
b = g-MyR
= ZK{logg a = loghy Sb}
Nick Hopper - Crypto/Security Seminar 4504/19/23
Support for selective traceability
V publishes ElGamal public key GX. For each slot compute
a = GR
b = g-MyR
V can trace M by checking for each user whether aXb = g-M.
Extend to arbitrary tracing policy using “Threshold Cryptography”
Nick Hopper - Crypto/Security Seminar 4604/19/23
Open Questions
What is a good way to model security of onion-routing type protocols?
Is k-AMT really practical? Can it be improved on?
Can we make a provably secure variant of onion routing with selective traceability?
Coercibility.