Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil.

Published byFranklin Napper Modified over 10 years ago

Similar presentations

Presentation on theme: "Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil."— Presentation transcript:

1 Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil

2 Anonymity Protocols Hide the identity associated to a message The message may be public. Example:voting Different kind of anonymity properties

3 Anonymity Properties Receiver anonymity Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO) Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO)

4 Anonymity Properties Characterizations [Micciancio&Hevia06] c a b a 4 3 2 1 8 7 6 5 c a b a 4 3 2 1 8 7 6 5 43218765 d d m ij = sets of messages from party i to party j M = 7 (Thanks Alejandro for this slide)

5 Capturing information leaks By restricting the matrix pair M 0,M 1 – Let f(M) be the information leaked – Requirement: f(M 0 ) = f(M 1 ) M0M0 c d d c = multiset for each row i M1M1 Example of leaked information: (Thanks Alejandro for this slide)

6 The anonymity property for protocol P Hypothesis: f( M0 ) = f( M1 ) CA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; S P( m ) g A( S,f(m) ) | Pr[CA; g = b] - ½ | is negligible on the security parameter

7 Motivation Anonymity in the case of active adversaries Case study: DC-Nets

8 Motivation Anonymity in the case of active adversaries Case study: DC-Nets Robustness was not what we expected it to be Work: definition of robustness

9 Robust anonymous protocol 1)A protocol that is anonymous (it does not leak the identity of the participants)

10 Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt

11 Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt 2)Honest messages can be delivered even if dishonest participants do not follow the protocol

12 Robust anonymous protocol 1)Anonymity property for active adversaries 2)Robustness property

13 The anonymity property for protocol P for active adversaries Hypothesis: f(M0) = f(M1) CRA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; g A[P( m )] ( f(m) ) | Pr[CRA; g = b] - ½ | is negligible on the security parameter

14 Dinning Cryptographers: all started in a restaurant …

15 Dinning Cryptographers Protocol (DC-nets) Bitwise XOR [Chaum88] – Not robust Bilinear Maps [GolleJuels04] – Robust What does exactly the word robust assure?

16 The robust DC-nets protocol 1/4 inizialization In this phase: a non-degenerate pairing e : G1 x G1 G2 generators g, h of a cyclic group G1 a hash function H: {0,1}* G1 a private key xi and public key yi = g^xi (secret xi is (t,n)- shared ) a common reference string

17 The robust DC-nets protocol 2/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission

18 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 1/3

19 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 2/3 e(H(s||2), yj)^xi*c j i

20 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i Padding participant i. Coefficient c is 1 if i<j or -1 otherwise.

21 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i * m Message m transmission

22 If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages. transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

23 Example for 2 paticipants: n=2 1/9 transmission

24 Example for 2 paticipants: n=2 2/9 transmission Vector Party 1 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2

25 Example for 2 paticipants: n=2 3/9 transmission Vector Party 1Vector Party 2 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2

26 Example for 2 paticipants: n=2 4/9 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

27 Example for 2 paticipants: n=2 5/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

28 Example for 2 paticipants: n=2 6/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

29 Example for 2 paticipants: n=2 7/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

30 Example for 2 paticipants: n=2 8/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

31 Example for 2 paticipants: n=2 9/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 = {inverse *} m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

32 If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fail! transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1Vector Party n = n 2 1 m1 m2 … mn

33 Vectors are transmitted with a proof of knowledge (zkpk) transmission For all positions in the vector there is a valid padding, except for at most one position.

34 The robust DC-nets protocol 3/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission reconstruction

35 In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using trheshold cryptography reconstruction After this phase, we are left with a set of valid vectors, that is : For all positions in the vector there is a valid padding, except for at most one position.

36 The robust DC-nets protocol 4/4 inizialization transmission reconstruction recuperation

37 In this phase: All vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication. recuperation n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

38 What does exactly the word robust assure? If the vector is correct, then there is a unique message in the vector An adversary may violate the slot reservation protocol to intentionally produce a collision For each collision, one honest message is not delivered

39 ROBUSTNESS PROPERTY We propose to state this formally by definning a:

40 Sender robustness, t-n SR:= M,N A0 m := M++N; S P[A]( m ) if (#(MПS) < 2t-n) then b:=1 else b:=0 |Pr[SR; b=1] is negligible on the security parameter

41 Sender Robustness Violation 1 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

42 Sender Robustness Violation 2 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

43 Sender Robustness Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result This is considered secure!

44 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest received < honest- dishonest then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

45 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest not received+dishonest received > dishonest. then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

46 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if (#(S\M) + #(M\S) > n-t) then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

47 Confussion Resistant Violation Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result

48 Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant

49 Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant Solution? : messages should be sealed in such a way that multiplication of two seals produces another seal only with negligible probability

50 Conclusions We have a proposed 2 properties to formally specify robustness of sender anonymous protocols We have detected GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol Open questions: how to implement the stronger GJ?, how all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?

Download ppt "Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil."

Similar presentations

5.3 Inverse Function.

5.3 Inverse Function.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
1 9 4 5 1 8 8 6 E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April. 30. 2003 Seo, Seung-Hyun Dept. of Computer Science and.

E W H A W U New Nominative Proxy Signature Scheme for Mobile Communication April Seo, Seung-Hyun Dept. of Computer Science and.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Privacy in signatures. Hiding in rings, hiding in groups.
Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:

Computational Privacy. Overview Goal: Allow n-private computation of arbitrary funcs. –Impossible in information-theoretic setting Computational setting:
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
SECURITY AND VERIFICATION

SECURITY AND VERIFICATION
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.

SECURITY AND VERIFICATION Lecture 4: Cryptography proofs in context Tamara Rezk INDES TEAM, INRIA January 24 th, 2012.
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
From: Cryptographers’ Track of the RSA Conference 2008 Date:2011-11-29 Reporter: Yi-Chun Shih 1.

From: Cryptographers’ Track of the RSA Conference 2008 Date: Reporter: Yi-Chun Shih 1.
Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.

Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.
COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

Similar presentations

Ads by Google