Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk,...

Robust Sender AnonymityTamara Rezk

FMCrypto (work in progress)G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi

April, 28th – Campinas, Brazil

Anonymity Protocols

• Hide the identity associated to a message

• The message may be public. Example:voting

• Different kind of anonymity properties

Anonymity Properties• Receiver anonymity• Sender Unlinkability (SUL)• Receiver Unlinkability (RUL)• Sender-Receiver Unlinkability (UL)• Sender Anonymity (SA)• Strong Sender Anonymity (SA*)• Receiver Anonymity (RA)• Strong Receiver Anonymity (RA*)• Sender-Receiver Anonymity (SRA)• Unobservability (UO)• Sender Unlinkability (SUL)• Receiver Unlinkability (RUL)• Sender-Receiver Unlinkability (UL)• Sender Anonymity (SA)• Strong Sender Anonymity (SA*)• Receiver Anonymity (RA)• Strong Receiver Anonymity (RA*)• Sender-Receiver Anonymity (SRA)• Unobservability (UO)

Anonymity Properties Characterizations [Micciancio&Hevia06]

cab

a

4

3

2

1

8

7

6

5

c

a

b

a

4

3

2

1

8

7

6

5

4321 8765

d d

mij = sets of messages from party i to party j

M =

7

(Thanks Alejandro for this slide)

Capturing information leaks

• By restricting the matrix pair M0,M1

– Let f(M) be the information leaked– Requirement: f(M0) = f(M1)

M0

c

dd

c=multiset

for each row i

M1

Example of leaked information:

(Thanks Alejandro for this slide)

The anonymity property for protocol PHypothesis: f(M0) = f(M1)

CA:=b := {0,1};

if (b = 0)

then {m := M0}

else {m := M1};

S P(m)g A(S,f(m))

| Pr[CA; g = b] - ½ | is negligible on the security parameter

Motivation

• Anonymity in the case of active adversaries

• Case study: DC-Nets

Motivation

• Anonymity in the case of active adversaries

• Case study: DC-Nets

• Robustness was not what we expected it to be

• Work: definition of robustness

Robust anonymous protocol

1) A protocol that is anonymous (it does not leak the identity of the participants)


1) A protocol that is anonymous even if some of the participants are corrupt


1) A protocol that is anonymous even if some of the participants are corrupt

2) Honest messages can be delivered even if dishonest participants do not follow the protocol


1) Anonymity property for active adversaries

2) Robustness property

The anonymity property for protocol Pfor active adversariesHypothesis: f(M0) = f(M1)

CRA:=b := {0,1};

if (b = 0)

then {m := M0}

else {m := M1};

g A[P(m)] (f(m))

| Pr[CRA; g = b] - ½ | is negligible on the security parameter

Dinning Cryptographers:all started in a restaurant …

Dinning Cryptographers Protocol (DC-nets)

• Bitwise XOR [Chaum88]– Not robust

• Bilinear Maps [GolleJuels04]– Robust

What does exactly the word “robust” assure?

The robust DC-nets protocol 1/4

inizializationinizialization

In this phase: • a non-degenerate pairing e : G1 x G1 G2• generators g, h of a cyclic group G1• a hash function H: {0,1}* G1• a private key xi and public key yi = g^xi (secret xi is (t,n)-shared ) • a common reference string



In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.

transmissiontransmission



n

i

2

1

1/3



n

i

2

1

2/3

e(H(s||2), yj)^xi*cji



n

i

2

1

3/3


Padding participant i. Coefficient c is 1 if i<j or -1 otherwise.



n

i

2

1

3/3


*m

Message m transmission

If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages.


n

2

1

n

2

1

n

2

1

* * …

Vector Party 1 Vector Party n

=

n

2

1 m1m2 …

mn

Example for 2 paticipants: n=2 1/9




Vector Party 1

2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2



Vector Party 1 Vector Party 2

2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2



*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result


e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1


*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result


e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining}

e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1


*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result



e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity}

e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1


*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result




e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity}

e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1


*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result




e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity}

e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 ={inverse *}

m1


*


=2

1 e(H(s||1), y2)^x1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1

m2

transmission result

If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fail!


n

2

1

n

2

1

n

2

1

* * …


=

n

2

1 m1m2 …

mn

Vectors are transmitted with a proof of knowledge (zkpk)


For all positions in the vector there is a valid padding, except for at most one position.





reconstructionreconstruction

In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using trheshold cryptography


After this phase, we are left with a set of valid vectors , that is :

For all positions in the vector there is a valid padding, except for at most one position.





recuperationrecuperation

In this phase: All vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication.

recuperationrecuperation

n

2

1

n

2

1

n

2

1

* * …


=

n

2

1 m1m2 …

mn

What does exactly the word “robust” assure?

• If the vector is correct, then there is a unique message in the vector

• An adversary may violate the slot reservation protocol to intentionally produce a collision

• For each collision, one honest message is not delivered

ROBUSTNESS PROPERTYWe propose to state this formally by definning a:

Sender robustness, t-n

SR:= M,N A0 m := M++N;

S P[A](m) if (#(MПS) < 2t-n)

then b’:=1 else b’:=0

|Pr[SR; b’=1] is negligible on the security parameter

Sender Robustness Violation 1 Example for 2 paticipants: n=2

*


=2

1 1

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 ????

m2

transmission result

Sender Robustness Violation 2 Example for 2 paticipants: n=2

*


=2

1 e(H(s||2), y2)^x1*m2

e(H(s||2), y2)^x1*m2 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 ????

m2

transmission result

Sender RobustnessExample for 2 paticipants: n=2

*


=2

1 e(H(s||2), y2)^x1*m2

e(H(s||2), y2)^x1 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1*m2

m2

transmission result

This is considered secure!

A stronger robustness propertyConfusion resistant t-n

CR:= M,N A0 m := M++N;

S P[A(m)] if honest received < honest-

dishonestthen b’:=1 else b’:=0 |Pr[CR; b’=1] is negligible on the security parameter


CR:= M,N A0 m := M++N;

S P[A(m)] if honest not

received+dishonest received > dishonest.


|Pr[CR; b’=1] is negligible on the security parameter


CR:= M,N A0 m := M++N;

S P[A(m)] if (#(S\M) + #(M\S) > n-t)


|Pr[CR; b’=1] is negligible on the security parameter

Confussion Resistant ViolationExample for 2 paticipants: n=2

*


=2

1 e(H(s||2), y2)^x1*m2

e(H(s||2), y2)^x1 2

1 e(H(s||1), y1)^-x2 *m1

e(H(s||2), y1)^-x2 2

1 m1*m2

m2

transmission result

Theorems and Remarks

• Theo: DC-Nets is sender anonymous • Theo: DC-Nets is sender robust• Remark: DC-Nets is not confussion resistant

Theorems and Remarks

• Theo: DC-Nets is sender anonymous • Theo: DC-Nets is sender robust• Remark: DC-Nets is not confussion resistant

Solution? : messages should be “sealed” in such a way that multiplication of two seals produces another seal only with negligible probability

Conclusions

• We have a proposed 2 properties to formally specify robustness of sender anonymous protocols

• We have detected GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol

• Open questions: how to implement the stronger GJ?, how all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?

Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk,...

Documents

Transcript of Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk,...