Practical(?) And Provably Secure Anonymity
-
Upload
nadine-beck -
Category
Documents
-
view
34 -
download
2
description
Transcript of Practical(?) And Provably Secure Anonymity
![Page 1: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/1.jpg)
Practical(?) And Provably Secure Anonymity
Nick Hopper
![Page 2: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/2.jpg)
Nick Hopper - Crypto/Security Seminar 204/19/23
Sender-Anonymous Communication: The “Love Letter Problem”
You have a secret
admirer!
Alex Eve,The Net Admin
Who?
![Page 3: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/3.jpg)
Nick Hopper - Crypto/Security Seminar 304/19/23
Receiver-Anonymous Communication: The Whistleblower’s problem
Alex
Eve
IRS
??EPK(“AUDIT ACME!”)
![Page 4: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/4.jpg)
Nick Hopper - Crypto/Security Seminar 404/19/23
Previous Work on anonymous communication Mix-Net/Onion routing:
Efficient, but not (yet) provably secure DC-Nets
Provably secure, but not efficient
![Page 5: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/5.jpg)
Nick Hopper - Crypto/Security Seminar 504/19/23
Mix-Net
Mix
A
E
D
CB
EMIX(D,M1)
EMIX(E,M2)
EMIX(C,M3)
EMIX(D,M4)
EMIX(E,M5)
![Page 6: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/6.jpg)
Nick Hopper - Crypto/Security Seminar 604/19/23
Mix-Net
Mix
A
E
D
CB
EMIX(D,M1)
EMIX(E,M2)
EMIX(C,M3)
EMIX(D,M4)
EMIX(E,M5)
![Page 7: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/7.jpg)
Nick Hopper - Crypto/Security Seminar 704/19/23
Mix-Net
Mix
A
E
D
CB
D,ED(M1)
E,EE(M2)
C,EC(M3)
D,ED(M4)
E,EE(M5)
![Page 8: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/8.jpg)
Nick Hopper - Crypto/Security Seminar 804/19/23
Mix-Net
Mix
A
E
D
CB
D,ED(M1)
E,EE(M2)
C,EC(M3)
D,ED(M4)
E,EE(M5)
![Page 9: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/9.jpg)
Nick Hopper - Crypto/Security Seminar 904/19/23
Mix-Net
Mix
A
E
D
CB
ED(M1)
EE(M2)
EC(M3)
ED(M4)
EE(M5)
![Page 10: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/10.jpg)
Nick Hopper - Crypto/Security Seminar 1004/19/23
Onion Routing
A
B
C
D
F
E
H
G
![Page 11: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/11.jpg)
Nick Hopper - Crypto/Security Seminar 1104/19/23
Onion Routing
A
B
C
D
F
E
H
G
![Page 12: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/12.jpg)
Nick Hopper - Crypto/Security Seminar 1204/19/23
Onion Routing
A
B
C
D
F
E
H
G
![Page 13: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/13.jpg)
Nick Hopper - Crypto/Security Seminar 1304/19/23
Onion Routing
A
B
C
D
F
E
H
G
EH(M)
![Page 14: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/14.jpg)
Nick Hopper - Crypto/Security Seminar 1404/19/23
Onion Routing
A
B
C
D
F
E
H
G
EF(H,EH(M))
![Page 15: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/15.jpg)
Nick Hopper - Crypto/Security Seminar 1504/19/23
Onion Routing
A
B
C
D
F
E
H
G
EB(F,EF(H,EH(M)))
![Page 16: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/16.jpg)
Nick Hopper - Crypto/Security Seminar 1604/19/23
Onion Routing
A
B
C
D
F
E
H
G
EE(B,EB(F,EF(H,EH(M))))
![Page 17: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/17.jpg)
Nick Hopper - Crypto/Security Seminar 1704/19/23
Onion Routing
A
B
C
D
F
E
H
G
EB(F,EF(H,EH(M)))
![Page 18: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/18.jpg)
Nick Hopper - Crypto/Security Seminar 1804/19/23
Onion Routing
A
B
C
D
F
E
H
G
EF(H,EH(M))
![Page 19: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/19.jpg)
Nick Hopper - Crypto/Security Seminar 1904/19/23
Onion Routing
A
B
C
D
F
E
H
G
EH(M)
![Page 20: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/20.jpg)
Nick Hopper - Crypto/Security Seminar 2004/19/23
Onion Routing
A
B
C
D
F
E
H
G
M
![Page 21: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/21.jpg)
Nick Hopper - Crypto/Security Seminar 2104/19/23
DC Net: Multiparty Sum
A
BC
D
XA
XB
XD
XC
![Page 22: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/22.jpg)
Nick Hopper - Crypto/Security Seminar 2204/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB
![Page 23: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/23.jpg)
Nick Hopper - Crypto/Security Seminar 2304/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB
SAB
SAD
SAC
![Page 24: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/24.jpg)
Nick Hopper - Crypto/Security Seminar 2404/19/23
DC Net: Multiparty Sum
A
BC
D
XA
SAA+SAB+SAC+SAD = XA
SA = SAA + SBA + SCA+SDA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SD = SAD + SBD + SCD+SDD
SBA+SBB+SBC+SBD = XB
SB = SAB + SBB + SCB+SDB
SCA+SCB+SCC+SCD = XB
SC = SAC + SBC + SCC+SDC
SB
SA
SC
SD
![Page 25: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/25.jpg)
Nick Hopper - Crypto/Security Seminar 2504/19/23
DC Net: Multiparty Sum
BC
D
XA
SAA+SAB+SAC+SAD = XA
SA = SAA + SBA + SCA+SDA
XB
XD
XC
SDA+SDB+SDC+SDD = XD
SD = SAD + SBD + SCD+SDD
SBA+SBB+SBC+SBD = XB
SB = SAB + SBB + SCB+SDB
SCA+SCB+SCC+SCD = XB
SC = SAC + SBC + SCC+SDC
X = SA + SB + SC + SD
= XA + XB + XC + XD
![Page 26: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/26.jpg)
Nick Hopper - Crypto/Security Seminar 2604/19/23
How to use multiparty sum for anonymity If XA = XB = XC = 0 then X=XD! If more than one non-zero: collision Use standard networking techniques Provably, Perfectly secure against passive
adversary. Problems:
Inefficient – O(n3) protocol messages/ anonymous message
Easy to JAM it!
![Page 27: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/27.jpg)
Nick Hopper - Crypto/Security Seminar 2704/19/23
Efficiency “Issue”
“Perfect” security requires (n2) protocol messages per anonymous message
Relax to k-anonymity: every message could have been from or to k participants
![Page 28: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/28.jpg)
Nick Hopper - Crypto/Security Seminar 2804/19/23
k-anonymous message transmission (k-AMT)
Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair
P1
P2
P3
P4s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)
s1,2
s1,3
s1,4
![Page 29: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/29.jpg)
Nick Hopper - Crypto/Security Seminar 2904/19/23
How to compromise k-anonymity
If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.
So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.
![Page 30: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/30.jpg)
Nick Hopper - Crypto/Security Seminar 3004/19/23
How to break k-AMT (I)
Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.
This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.
![Page 31: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/31.jpg)
Nick Hopper - Crypto/Security Seminar 3104/19/23
Stopping the “randomizing” attack
Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.
These commitments allow verification of her subsequent actions.
![Page 32: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/32.jpg)
Nick Hopper - Crypto/Security Seminar 3204/19/23
k-anonymous message transmission (k-AMT) with VSS
Before starting, each player commits to si,1
…si,k viaPedersen commitment C(s,r)=gshr
P1
P2
P3
P4
s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)
C 1
1 gs1,1hr1,1
2 gs1,2hr1,2
3 gs1,3hr1,3
4 gs1,4hr1,4
C1
C1
C1
![Page 33: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/33.jpg)
Nick Hopper - Crypto/Security Seminar 3304/19/23
k-anonymous message transmission (k-AMT) with VSS
Before starting, each player commits to si,1
…si,k viaPedersen commitment C(s,r)=gshr
P1
P2
P3
P4
s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)
C 1… k
1 gs1,1hr1,1 gsk,1hrk,1 gs1hr
2 gs1,2hr1,2 gsk,2hrk,2 gs2hr
3 gs1,3hr1,3 gsk,3hrk,3 gs3hr
4 gs1,4hr1,4 gsk,4hrk,4 gs4hr
gx1hr gxkhr
C2
C3
C4
![Page 34: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/34.jpg)
Nick Hopper - Crypto/Security Seminar 3404/19/23
How to break k-AMT (II)
The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.
So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.
![Page 35: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/35.jpg)
Nick Hopper - Crypto/Security Seminar 3504/19/23
Accommodating more than one sender per turn Idea: we can run several turns in parallel.
Instead of sending commitments to shares of a single value, generate shares of 2k values.
If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.
![Page 36: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/36.jpg)
Nick Hopper - Crypto/Security Seminar 3604/19/23
Accommodating more than one sender per turn
Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t
so that msi,j,t =xi,j
P1
P2
P3
P4
C 1,1… 1,2k
1 gs1,1,1hr1,1 gs1,2k,1hrk,1
2 gs1,1,2hr1,2 gs1,2k,2hrk,2
3 gs1,1,3hr1,3 gs1,2k,,3hrk,3
4 gs1,1,4hr1,4 gs1,2k,4hrk,4
gx1,1hr gx1,khr
C1,1..2k
C1,1..2k
C1,1..2k
![Page 37: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/37.jpg)
Nick Hopper - Crypto/Security Seminar 3704/19/23
Accommodating more than one sender per turn Suppose at the end of the protocol, at
least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.
If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?
![Page 38: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/38.jpg)
Nick Hopper - Crypto/Security Seminar 3804/19/23
Catching a cheater
Idea: each party can use her committed values to prove (in zero knowledge) that she transmitted in at most one slot, without revealing that slot.
If someone did cheat, she will have a very low probability of convincing the group she did not.
![Page 39: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/39.jpg)
Nick Hopper - Crypto/Security Seminar 3904/19/23
Zero-Knowledge proof of protocol conformance Pi (All):
Pick permutation ρ on {1…2k}
Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) (All) Pi: b {0,1} Pi (All):
if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x)
![Page 40: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/40.jpg)
Nick Hopper - Crypto/Security Seminar 4004/19/23
Efficiency
O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead
Cheaters are caught with high probability Zero Knowledge proofs are Honest Verifier
and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)
![Page 41: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/41.jpg)
Nick Hopper - Crypto/Security Seminar 4104/19/23
Another problem: Abuse
Anonymous communications could be used for bad things:Kidnapping & Ransom NotesChild PornographyLibelExcessive Multi Posting
How to deal with it fairly?
![Page 42: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/42.jpg)
Nick Hopper - Crypto/Security Seminar 4204/19/23
Selective Tracing
Participants agree to a “tracing policy:”Set of voters VSet of sets of voters V.
Anytime a “bad” message is sent, when any set of users v 2 V agree, the message can be traced to its sender.
![Page 43: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/43.jpg)
Nick Hopper - Crypto/Security Seminar 4304/19/23
Example Tracing Policies
Threshold tracing: if at least t users agree (e.g. 90%)
Court tracing: if at least 5/9 justices agree LEA tracing: if FBI, CIA, NSA, DHS, ATF,
or DEA want to trace.
![Page 44: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/44.jpg)
Nick Hopper - Crypto/Security Seminar 4404/19/23
Support for selective traceability
Assume for now singleton voter V. V publishes ElGamal public key GX. Recall that for each slot we have
R = ri,
S = i Ci = gMhR
For each slot compute a = GR
b = g-MyR
= ZK{logg a = loghy Sb}
![Page 45: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/45.jpg)
Nick Hopper - Crypto/Security Seminar 4504/19/23
Support for selective traceability
V publishes ElGamal public key GX. For each slot compute
a = GR
b = g-MyR
V can trace M by checking for each user whether aXb = g-M.
Extend to arbitrary tracing policy using “Threshold Cryptography”
![Page 46: Practical(?) And Provably Secure Anonymity](https://reader035.fdocuments.in/reader035/viewer/2022062422/56812d5b550346895d92628b/html5/thumbnails/46.jpg)
Nick Hopper - Crypto/Security Seminar 4604/19/23
Open Questions
What is a good way to model security of onion-routing type protocols?
Is k-AMT really practical? Can it be improved on?
Can we make a provably secure variant of onion routing with selective traceability?
Coercibility.