CS 6204, Spring 2005 Dining Cryptographers, Glenn Fink1 Dining Cryptographers Paper by David Chaum...
-
Upload
alisha-mcdonald -
Category
Documents
-
view
217 -
download
0
Transcript of CS 6204, Spring 2005 Dining Cryptographers, Glenn Fink1 Dining Cryptographers Paper by David Chaum...
Dining Cryptographers, Glenn Fink 1CS 6204, Spring 2005
Dining Cryptographers
Paper by David Chaum (1988)
Presentation by Glenn Fink
Dining Cryptographers, Glenn Fink 2CS 6204, Spring 2005
Dining Cryptographers: Overview
Who says all the tough papers are at the end of the semester?– Anyone know what the Frobenius
automorphism of the Galois group GF(pn) is?
But apart from this, there is still much of practical utility in the paper.
Dining Cryptographers, Glenn Fink 3CS 6204, Spring 2005
Dining Cryptographers
“Same”“Same”
“Same”Result:
#Diffs: 0 (Even)NSA Pays
Act I: Three of a kind
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 4CS 6204, Spring 2005
Dining Cryptographers
“Same”“Different”
“Different”Result:
#Diffs: 2 (Even)NSA Pays
Act II: Two of a kind
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 5CS 6204, Spring 2005
Dining Cryptographers
“Different”* Inverted *
“Different”
“Different”Result:
#Diffs: 3 (Odd)Some Cryptographer Pays
Act III: Two of a kind + Inversion
I’m paying, but no one
knows it’s me!
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 6CS 6204, Spring 2005
Proof Sketch (By Induction) All heads or all tails: 0 Diffs One tail, rest heads: 2 Diffs
– On each side of tail Two tails, rest heads: 2 cases:
I. Two tails are adjacent: 2 DiffsII. Two tails nonadjacent: 4 Diffs
N+1 tails, rest heads: three cases:
I. New tail is adjacent to one string of tails: No change
II. New tail is nonadjacent to any string of tails: Two more diffs
III. New tail connects two strings of tails: Two fewer diffs
H
H
T
H
T
H
Diffs
H
H
T
T
H
H
Diffs
H
H
H
H
H
H
H
H
T
H
H
H
Diffs
Result: If everyone tells the truth, there will always be an even number of differences
H
H
T
T
H
H
Diffs
T
T
T
Dining Cryptographers, Glenn Fink 7CS 6204, Spring 2005
Anonymity Set 0
AnonymitySet 1
Anonymity Set
Graph Theory Interpretation
Persons=Nodes Keys=Edges
– Shared by nodes Anonymity Set:
– The set of nodes whose transmissions are indistinguishable
Collusion– Sharing keys to expose
another person’s transmissions
Partial Collusion: Not all keys shared
Dining Cryptographers, Glenn Fink 8CS 6204, Spring 2005
SharedSharedKeysKeys
SharedSharedKeysKeys
Keys and Compromises
A “key” is really just a history of all the quarters that will ever be flipped between two participants.– E.g., a string of bits
Key compromise means that a third party also knows the results of each flip.
Dining Cryptographers, Glenn Fink 9CS 6204, Spring 2005
Practical Considerations Key Generation
– Generate a true one-time pad via a physical random process
– Generate a short key and expand it via pseudo-random process
Key Distribution– Covertly: in person or via pre-shared symmetric cipher– Publicly: via a public-key-enabled key exchange
Key Usage– Everyone sees the stream of bits from the message– Everyone sees the sum of the outputs of all the nodes– Comparing the sum at each round tells whether
someone is transmitting, but…– … No one knows the originator of the message
Dining Cryptographers, Glenn Fink 10CS 6204, Spring 2005
Transmission Example
1001
0010 0100
0111
1011
1100
10 = 1
10 = 1
10 = 1
00 = 0
00 = 0
10 = 1
y1=x
x1=y
y1=x
y0=y
x1=yy0=y
y
Round 1yx
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 11CS 6204, Spring 2005
Transmission Example
1001
0010 0100
0111
1011
1100
00 = 0
00 = 0
10 = 1 0
11 = 0
11 = 0
01 = 1
“yx”
y0=y
y0=y
y0=y
x0=x
y1=xx0=x
yx
Round 2yx
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 12CS 6204, Spring 2005
Transmission Example
1001
0010 0100
0111
1011
1100
10 = 1
11 = 0
11 = 0 1
01 = 1
00 = 0
00 = 0
“yx”
x1=y
y0=y
y1=x
x0=x
x0=xx1=y
yx
Round 3
y
yx
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 13CS 6204, Spring 2005
Transmission Example
1001
0010 0100
0111
1011
1100
11 = 0
11 = 0
11 = 0
01 = 1
00 = 0
10 = 1
y0=y
y0=y
y0=y
x0=x
y1=xx1=y
yx
Round 4
yx
yx
• Flip Coins
• Make Observations
• Count Observations
Dining Cryptographers, Glenn Fink 14CS 6204, Spring 2005
Transmission Example
yx
Summary
yx
yx
y xyx0110
“ ”yx
AnonymousTransmission
Dining Cryptographers, Glenn Fink 15CS 6204, Spring 2005
Attacking the Dining Cryptographers
“1”
By partitioning a non-fully-connected network
Sum = 1; Someone transmitted.
Sum = 1;Transmitter is on this side.
Sum = 0;Transmitter is not on this side.
Ring network can be attacked in n log n rounds
Fully-connected network requires n-1 attackers!
Dining Cryptographers, Glenn Fink 16CS 6204, Spring 2005
Conclusion
Chaum’s protocol allows parties to transmit anonymous messages in public.
The protocol is highly resistant to collusion attacks.– But attacks are possible because anonymity degrades
with time.– Protocol does not protect physical path tracing.– Protocol does not provide for message confidentiality.
Communication via this protocol is four times less efficient on average than traceable transmission protocols.
Protocol forms the basis for Chaum’s DC-Net.
Dining Cryptographers, Glenn Fink 17CS 6204, Spring 2005
Other References
Good source of information on all sorts of anonymity schemes:– http://www.freehaven.net/anonbib
Tutorial presentation given at ACM CCS 2004 on anonymity:– http://www.cs.georgetown.edu/~clay/ccs-
anon.ppt