Download presentation

Presentation is loading. Please wait.

Published byFranklin Napper Modified over 3 years ago

1
Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil

2
Anonymity Protocols Hide the identity associated to a message The message may be public. Example:voting Different kind of anonymity properties

3
Anonymity Properties Receiver anonymity Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO) Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO)

4
Anonymity Properties Characterizations [Micciancio&Hevia06] c a b a 4 3 2 1 8 7 6 5 c a b a 4 3 2 1 8 7 6 5 43218765 d d m ij = sets of messages from party i to party j M = 7 (Thanks Alejandro for this slide)

5
Capturing information leaks By restricting the matrix pair M 0,M 1 – Let f(M) be the information leaked – Requirement: f(M 0 ) = f(M 1 ) M0M0 c d d c = multiset for each row i M1M1 Example of leaked information: (Thanks Alejandro for this slide)

6
The anonymity property for protocol P Hypothesis: f( M0 ) = f( M1 ) CA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; S P( m ) g A( S,f(m) ) | Pr[CA; g = b] - ½ | is negligible on the security parameter

7
Motivation Anonymity in the case of active adversaries Case study: DC-Nets

8
Motivation Anonymity in the case of active adversaries Case study: DC-Nets Robustness was not what we expected it to be Work: definition of robustness

9
Robust anonymous protocol 1)A protocol that is anonymous (it does not leak the identity of the participants)

10
Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt

11
Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt 2)Honest messages can be delivered even if dishonest participants do not follow the protocol

12
Robust anonymous protocol 1)Anonymity property for active adversaries 2)Robustness property

13
The anonymity property for protocol P for active adversaries Hypothesis: f(M0) = f(M1) CRA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; g A[P( m )] ( f(m) ) | Pr[CRA; g = b] - ½ | is negligible on the security parameter

14
Dinning Cryptographers: all started in a restaurant …

15
Dinning Cryptographers Protocol (DC-nets) Bitwise XOR [Chaum88] – Not robust Bilinear Maps [GolleJuels04] – Robust What does exactly the word robust assure?

16
The robust DC-nets protocol 1/4 inizialization In this phase: a non-degenerate pairing e : G1 x G1 G2 generators g, h of a cyclic group G1 a hash function H: {0,1}* G1 a private key xi and public key yi = g^xi (secret xi is (t,n)- shared ) a common reference string

17
The robust DC-nets protocol 2/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission

18
In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 1/3

19
In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 2/3 e(H(s||2), yj)^xi*c j i

20
In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i Padding participant i. Coefficient c is 1 if i

21
In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i * m Message m transmission

22
If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages. transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

23
Example for 2 paticipants: n=2 1/9 transmission

24
Example for 2 paticipants: n=2 2/9 transmission Vector Party 1 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2

25
Example for 2 paticipants: n=2 3/9 transmission Vector Party 1Vector Party 2 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2

26
Example for 2 paticipants: n=2 4/9 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

27
Example for 2 paticipants: n=2 5/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

28
Example for 2 paticipants: n=2 6/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

29
Example for 2 paticipants: n=2 7/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

30
Example for 2 paticipants: n=2 8/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

31
Example for 2 paticipants: n=2 9/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 = {inverse *} m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

32
If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fail! transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1Vector Party n = n 2 1 m1 m2 … mn

33
Vectors are transmitted with a proof of knowledge (zkpk) transmission For all positions in the vector there is a valid padding, except for at most one position.

34
The robust DC-nets protocol 3/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission reconstruction

35
In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using trheshold cryptography reconstruction After this phase, we are left with a set of valid vectors, that is : For all positions in the vector there is a valid padding, except for at most one position.

36
The robust DC-nets protocol 4/4 inizialization transmission reconstruction recuperation

37
In this phase: All vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication. recuperation n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

38
What does exactly the word robust assure? If the vector is correct, then there is a unique message in the vector An adversary may violate the slot reservation protocol to intentionally produce a collision For each collision, one honest message is not delivered

39
ROBUSTNESS PROPERTY We propose to state this formally by definning a:

40
Sender robustness, t-n SR:= M,N A0 m := M++N; S P[A]( m ) if (#(MПS) < 2t-n) then b:=1 else b:=0 |Pr[SR; b=1] is negligible on the security parameter

41
Sender Robustness Violation 1 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

42
Sender Robustness Violation 2 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

43
Sender Robustness Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result This is considered secure!

44
A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest received < honest- dishonest then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

45
A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest not received+dishonest received > dishonest. then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

46
A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if (#(S\M) + #(M\S) > n-t) then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

47
Confussion Resistant Violation Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result

48
Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant

49
Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant Solution? : messages should be sealed in such a way that multiplication of two seals produces another seal only with negligible probability

50
Conclusions We have a proposed 2 properties to formally specify robustness of sender anonymous protocols We have detected GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol Open questions: how to implement the stronger GJ?, how all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?

Similar presentations

OK

Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.

Non-Malleable Hash Functions FORMACRYPT, 2007 Alexandra Boldyreva David Cash Marc Fischlin Bogdan Warinschi.

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google