Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil.

Similar presentations


Presentation on theme: "Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil."— Presentation transcript:

1 Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil

2 Anonymity Protocols Hide the identity associated to a message The message may be public. Example:voting Different kind of anonymity properties

3 Anonymity Properties Receiver anonymity Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO) Sender Unlinkability (SUL) Receiver Unlinkability (RUL) Sender-Receiver Unlinkability (UL) Sender Anonymity (SA) Strong Sender Anonymity (SA*) Receiver Anonymity (RA) Strong Receiver Anonymity (RA*) Sender-Receiver Anonymity (SRA) Unobservability (UO)

4 Anonymity Properties Characterizations [Micciancio&Hevia06] c a b a 4 3 2 1 8 7 6 5 c a b a 4 3 2 1 8 7 6 5 43218765 d d m ij = sets of messages from party i to party j M = 7 (Thanks Alejandro for this slide)

5 Capturing information leaks By restricting the matrix pair M 0,M 1 – Let f(M) be the information leaked – Requirement: f(M 0 ) = f(M 1 ) M0M0 c d d c = multiset for each row i M1M1 Example of leaked information: (Thanks Alejandro for this slide)

6 The anonymity property for protocol P Hypothesis: f( M0 ) = f( M1 ) CA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; S P( m ) g A( S,f(m) ) | Pr[CA; g = b] - ½ | is negligible on the security parameter

7 Motivation Anonymity in the case of active adversaries Case study: DC-Nets

8 Motivation Anonymity in the case of active adversaries Case study: DC-Nets Robustness was not what we expected it to be Work: definition of robustness

9 Robust anonymous protocol 1)A protocol that is anonymous (it does not leak the identity of the participants)

10 Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt

11 Robust anonymous protocol 1)A protocol that is anonymous even if some of the participants are corrupt 2)Honest messages can be delivered even if dishonest participants do not follow the protocol

12 Robust anonymous protocol 1)Anonymity property for active adversaries 2)Robustness property

13 The anonymity property for protocol P for active adversaries Hypothesis: f(M0) = f(M1) CRA:=b := {0,1}; if (b = 0) then {m := M0} else {m := M1}; g A[P( m )] ( f(m) ) | Pr[CRA; g = b] - ½ | is negligible on the security parameter

14 Dinning Cryptographers: all started in a restaurant …

15 Dinning Cryptographers Protocol (DC-nets) Bitwise XOR [Chaum88] – Not robust Bilinear Maps [GolleJuels04] – Robust What does exactly the word robust assure?

16 The robust DC-nets protocol 1/4 inizialization In this phase: a non-degenerate pairing e : G1 x G1 G2 generators g, h of a cyclic group G1 a hash function H: {0,1}* G1 a private key xi and public key yi = g^xi (secret xi is (t,n)- shared ) a common reference string

17 The robust DC-nets protocol 2/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission

18 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 1/3

19 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 2/3 e(H(s||2), yj)^xi*c j i

20 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i Padding participant i. Coefficient c is 1 if i { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/5/1582215/slides/slide_20.jpg", "name": "In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding.", "description": "transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i Padding participant i. Coefficient c is 1 if i

21 In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission n i 2 1 3/3 e(H(s||2), yj)^xi*c j i * m Message m transmission

22 If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages. transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

23 Example for 2 paticipants: n=2 1/9 transmission

24 Example for 2 paticipants: n=2 2/9 transmission Vector Party 1 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2

25 Example for 2 paticipants: n=2 3/9 transmission Vector Party 1Vector Party 2 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2

26 Example for 2 paticipants: n=2 4/9 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

27 Example for 2 paticipants: n=2 5/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

28 Example for 2 paticipants: n=2 6/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

29 Example for 2 paticipants: n=2 7/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

30 Example for 2 paticipants: n=2 8/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

31 Example for 2 paticipants: n=2 9/9 e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining} e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity} e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity} e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 = {inverse *} m1 transmission * Vector Party 1Vector Party 2 = 2 1 e(H(s||1), y2)^x1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1 m2 transmission result

32 If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fail! transmission n 2 1 n 2 1 n 2 1 ** … Vector Party 1Vector Party n = n 2 1 m1 m2 … mn

33 Vectors are transmitted with a proof of knowledge (zkpk) transmission For all positions in the vector there is a valid padding, except for at most one position.

34 The robust DC-nets protocol 3/4 inizialization In this phase: each participant computes a vector that contains a padding and a unique message that cannot be distinguished from the padding. transmission reconstruction

35 In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using trheshold cryptography reconstruction After this phase, we are left with a set of valid vectors, that is : For all positions in the vector there is a valid padding, except for at most one position.

36 The robust DC-nets protocol 4/4 inizialization transmission reconstruction recuperation

37 In this phase: All vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication. recuperation n 2 1 n 2 1 n 2 1 ** … Vector Party 1 Vector Party n = n 2 1 m1 m2 … mn

38 What does exactly the word robust assure? If the vector is correct, then there is a unique message in the vector An adversary may violate the slot reservation protocol to intentionally produce a collision For each collision, one honest message is not delivered

39 ROBUSTNESS PROPERTY We propose to state this formally by definning a:

40 Sender robustness, t-n SR:= M,N A0 m := M++N; S P[A]( m ) if (#(MПS) < 2t-n) then b:=1 else b:=0 |Pr[SR; b=1] is negligible on the security parameter

41 Sender Robustness Violation 1 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

42 Sender Robustness Violation 2 Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 ???? m2 transmission result

43 Sender Robustness Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result This is considered secure!

44 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest received < honest- dishonest then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

45 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if honest not received+dishonest received > dishonest. then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

46 A stronger robustness property Confusion resistant t-n CR:= M,N A0 m := M++N; S P[A( m )] if (#(S\M) + #(M\S) > n-t) then b:=1 else b:=0 |Pr[CR; b=1] is negligible on the security parameter

47 Confussion Resistant Violation Example for 2 paticipants: n=2 * Vector Party 1Vector Party 2 = 2 1 e(H(s||2), y2)^x1*m2 e(H(s||2), y2)^x1 2 1 e(H(s||1), y1)^-x2 *m1 e(H(s||2), y1)^-x2 2 1 m1*m2 m2 transmission result

48 Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant

49 Theorems and Remarks Theo: DC-Nets is sender anonymous Theo: DC-Nets is sender robust Remark: DC-Nets is not confussion resistant Solution? : messages should be sealed in such a way that multiplication of two seals produces another seal only with negligible probability

50 Conclusions We have a proposed 2 properties to formally specify robustness of sender anonymous protocols We have detected GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol Open questions: how to implement the stronger GJ?, how all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?


Download ppt "Robust Sender Anonymity Tamara Rezk FMCrypto (work in progress) G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi April, 28 th – Campinas, Brazil."

Similar presentations


Ads by Google