Privacy Enhancing Technologies

Spring 2012

What is Privacy?

• “The right to be let alone”

• Confidentiality

• Anonymity

• Access Control

• Most privacy technologies focus on Anonymity

What is anonymity?

• Unobservability

• Unlinkability

• Sender anonymity

• Receiver anonymity

Overview of Anonymity Concepts

• Chaum’s MIX

• Dining Cryptographers

• Onion Routing

• Crowds

Applications beyond privacy

• Digital Cash

• Anonymous e-voting

• Censorship-resistant publishing

• Untraceable e-mail

Chaum’s MIX

• Presented first in 1981 by David Chaum

• Uses public key cryptography for anonymous e-mail

• Basic Idea:– E-mails would be sent to a “Mix” which would

then forward them onto reciepents

• Key building block for anonymity systems

Example

A B

Km(B, KB(A,M))KB(A,M)

Example

A B

C

D

E

Km(B, KB(D,M))

Km(B, KB(A,M))

Km(E, KE(C,M))

KE(C,M)

KB(D,M)

KB(A,M)

What does this buy us?

• Unlinkability– The adversary knows all the senders and

receivers but cannot link senders to receivers

MIX Cascade

• What if some of the mixes are controlled by adversaries?

• A cascade of mixes can be used to handle compromised mixes

• How many adversaries can this withstand?– N-1

Dining Cryptographers

• Also introduced by Chaum

• Purpose is to release a public message in a perfectly untraceable manner

The Protocol

• N cryptographers are having dinner

• Waiter tells them that the dinner has been paid for

• They want to know whether it was paid by one of them or the NSA agent in the corner

The Protocol

1. Each diner flips a coin and shows it to his left neighbor

2. Each diner announces whether he and his neighbor’s coin flips are the same or different. The payer lies.

3. Even number of “same” => NSA paidOdd number of “same” => one the diners paid

Example – NSA PaysDifferent

Different

Same

Same

Example – Diner Pays

Payer

Same

Different

Same

Same

Problems with DC

• Very Impractical– Only one bit sent at a time– Each party has to have pairwise secure

channels– Massive communication overhead

How much anonymity is afforded to the sender in DC?

• We know the sender is one of N diners

• This is sometimes called K-anonymity– We know you are one of k persons, but that’s

the best we can do– This is term is used especially with respect to

databases

Anonymity via Random Routing

• Hide message source through random routing

• Routers don’t know for sure who the source of the message is

Many methods

• Onion routing

• Crowds

• Tor

• …

Onion Routing

• Sender chooses a random sequence of routers– Some are honest, some aren’t– Similar to MIX cascade

• Goal: Hostile routers shouldn’t learn Alice is talking to Bob

Onion Routing• Onion encryption:

• { R2, { R3, { Bob, {M}K4 }K3 }K2 }K1

R1, K1 R2, K2 R3, K3Bob, K4Alice,

K1, K2, K3, K4

Crowds

• Routers form a random path– Different than onion routing because the

routers choose path, not sender

• After receiving a message router flips a biased coin– With probability p, the router forwards the

message to another router– With probability 1-p, the router forwards the

message to the recipient

Example

R1

R2

R3

R4

R

RR

R

Alice Bob

From: R3To: Bob

Probabilistic Notions of Anonymity

• Beyond suspicion– The observed source of the message is no more likely

to be the true sender than anybody else

• Probable innocence– Probability that the observed source of the message

is the true sender is less than 50%– Guaranteed by Crowds if there are sufficiently many

honest routers: Ngood+Nbad ≥ pf/(pf-0.5)•(Nbad +1)

• Possible innocence– Non-trivial probability that the observed source of the

message is not the true sender

A Couple of issues

• Is probable innocence enough?

1% 1% 1% 49% 1% 1% … 1%

• Multiple-paths vulnerability– Can attacker relate multiple paths from same sender?

• E.g., browsing the same website at the same time of day

– Each new path gives attacker a new observation– Can’t keep paths static since members join and leave

Digital Cash

• Cash is a universally anonymous payment system

• How can we have anonymous payments online?

• Idea– Alice can pay for something with a digital cash

token– If she double-spent a digital cash, her identity

should be revealed

Blind signatures

• Blind signatures are used when you want someone to sign something but you don’t want them to see what they are signing– E.g. A notary

• This is done by multiplying the message by a secret number (called blinding).

• The signer signs the blinded message• The secret number can be divided out to

get a signed version of the message

RSA Blind Signatures

• Alice wants Bob to sign message M.

• She gives him M*reb mod n

• Bob signs this giving Alice s’=(M*reb)db mod n

= Mdb reb*db mod n = Mdb r mod n

• Alice can then remove the blind by calculating s= s’*r-1 mod n = Mdb mod

Example

• Alice’s Message: 28• Bob’s public key: 17• Bob’s private key: 53 (n = 77)

• Alice asks Bob to sign 70(=28*617 mod 77)• Bob signs 70 and sends Alice 42• Alice multiplies 42 by 13 (mod 77) to get 7

– 2853 mod 77 = 7

Getting Cash

• Alice creates a bunch (lets say N) of money orders for the same amount (say $100)– Each is given a unique identifier– Each includes n pairs of identity bit strings

$100ID: 1234567Identity bit strings: I1 = (I1L, I1R) I2 = (I2L, I2R) . . . In = (InL, InR)

How the identity bit strings were created

• Secret splitting!

• How it works:– Alice created an identity I

– She then picked n random numbers: r1…rn

– Then she calculates sj = I rj

– Ij = (sj, rj)

– For all j, I = sj rj

Getting Cash

• Alice blinds these messages and sends them to the bank to sign

• The bank asks Alice to unblind n-1 messages (banks choice)

• Alice complies and when the banks sees they are all “well formed” then sign the remaining money order

• Alice unblinds this remaining (signed) money order and spends it

Spending Cash

• Alice presents a token to a merchant

• The merchant asks Alice to randomly reveal either the right or left half of each identity bit string– Essentially they send her a random bit string

of length n, called a selector string.

– If bit j is 0, Alice reveals IjL and if bit j is 1 Alice

reveals IjR

Merchant cashes the token

• The merchant takes the token to the bank– Note that the token has half of the identity bit

strings revealed

• The bank verifies the signature and adds the token to a database of spent tokens

Catching Cheaters

• When the bank checks the signature on a token it also check to see if the token has previously been spent

• If it has, Alice’s identity is likely to be revealed– Why? Because its unlikely that both

merchants sent her the same selector string– This means that there is at least one identity

pair for which the bank has both halves

Secure Multi-party Computation

• Imagine that you want to compute something (say an average salary), but you don’t want the people you are computing with to find out your inputs.

• Solution: Secure Multi-party computation

Secure Multi-party Computation

• Dining Cryptographers is a special case of this problem– The diners want to compute who paid without

admitting they paid

• Computing an average is an easy case of Secure Multi-party computation

Secure Sum

• Imagine that Alice, Bob, Carol and Dave want to compute the average of their salaries.

• Also, assume they all have public and private keys (Ea

, Da respectively for Alice)

Secure Sum

1. Alice picks a random number r and adds it to her salary (Sa).

2. Alice sends Bob Cb = Eb(Sa+ r)3. Bob decrypts Cb and adds his salary to the result and

sends Carol Cc= (Sb+Sa+ r)4. And so forth until…5. Dave then sends Ca=Ea(Sd+Sc+ Sb+Sa+ r) to Alice6. Alice computes (Da(Ca) – r) and divides it by 4 to get

the average salary7. Alice then broadcasts the result to Bob, Carol, and

Dave

Problems with Secure Sum

• This protocol depends on Alice being honest.– Alice can use 2 different r’s and misrepresent

the average

• This can be prevented using a bit commitment scheme– This allows the others to guarantee later that

Alice used the same r– But! Then Bob could figure out her salary

Conclusion

• Anonymity is one of the technological foundations for privacy

• MIX nets are used to hide linkability between senders and receivers– Onion routing and crowds are essentially

implementations of MIX cascades

• DC nets allow for anonymous publishing• Digital Cash allows for anonymous

transactions