Download presentation

Presentation is loading. Please wait.

Published bySonny Brame Modified about 1 year ago

1
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013

2
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2 Context: Encryption and Anonymity Public-key encryption Short but eventful history, late 70s, 80s. Security usually defined using Games: IND-CPA, IND-CCA, … Anonymity Shorter eventful history, early 90s. Anonymity is arguably a more high-level property What if used together? Key privacy, robust encryption, formal analysis of onions Games prone to require iterations to find “right” notion

3
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 3 What is Anonymous Encryption? [PH08] Sender AnonymityReceiver Anonymity Anonymity not created, but preserved

4
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 4 Our contribution

5
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 5 Chosen Ciphertext Attack Security (IND-CCA) Challenger Dec Bit b d = b? m 0, m 1 Enc(m b ) bit d c Dec(c) pk

6
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 6 Key Privacy (IK-CCA) [BBDP01] Challenger Dec 1 Bit b d = b? m Enc(pk b; m) bit d c Dec 1 (c) Dec 0 c Dec 0 (c) pk 0, pk 1

7
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 7 Weak Robustness (WROB) [ABN10] Challenger c Enc(pk i, m) m, i, j Dec c,i Dec i (c) ≠ Dec(sk j, c) ? ┴ pk 1,..., pk n

8
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 8 Constructive Cryptography [MR11] Resources (existing/assumed, desired): Available to everyone, including adversary/simulator through interfaces Converters: Transform existing into desired resources Two interfaces, inner and outer Protocol: composition of many converters, one for each user Security: Correctness: without Eve the protocol works correctly Security: when Simulator connected, no-one can distinguish between assumed and desired worlds.

9
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 9 Confidential Receiver-Anonymous Channel

10
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 10

11
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 11 Constructing the Channel from Broadcast BnBn B2B2 B1B1 … n x (pk i ) m m m m ┴ Existing Resources

12
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 12 Constructing the Channel from Broadcast … n x (pk i ) Converters Encryption scheme that is: IND-CCA IK-CCA WROB m* m*, j … m m Existing Resources BnBn BjBj B1B1

13
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 13 Simulation (intuition) B1B1 … (c, i) c … … BjBj BiBi BnBn B1B1 … (m, i) … … BjBj BiBi BnBn Key-Generation: generate n keypairs (for each B i ), one separate (sk, pk) Ciphertext generation: get |m|, encrypt 0 |m| under pk to get c c c m, i Existing world Desired world D |m|

14
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 14 Simulation (intuition) B1B1 … (c, i) c … … c* (c*, j) BjBj BiBi BnBn … (m, i) … (m*, j) … m* Ciphertext delivery: deliver c* to B j : (c*, j) if c* not seen before decrypt under sk j and inject message m* into network Dec(c*) m* Existing world Desired world |m| D B1B1 BjBj BiBi BnBn

15
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 15 Simulation (intuition) B1B1 … (c, i) c … … c (c, i*) BjBj BiBi BnBn … (m, i) |m| … … m If i = i* (H, i*) H m Ciphertext delivery: deliver c to B j : (c, i*) if c seen before deliver corresponding msg. to correct receiver Intuition: this is where we need WROB – wrong receiver outputs error m=Dec(c) m Assumed world Desired world D B1B1 BjBj BiBi BnBn Trial Delivery

16
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 16 (More) Results in a Nutshell WROB sufficient SROB leads to a tighter reduction WROB necessary without WROB, achieve anonymity with erroneous transmission Impossibility: SROB does not construct better resource Constructive aspects: Model network with single sender, many receivers PK settings: use uni-directional authenticated channels Trial deliveries prevent better anonymity

17
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 17 Results in Picture Game-based analysisConstructive result IND-CCA IK-CCA SROB IND-CCA IK-CCA WROB

18
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 18 Strong Robustness (SROB) Challenger c, i, j Dec c,i Dec i (c) both ┴ ≠ Dec(sk i, c) ┴ ≠ Dec(sk j, c) pk 1,..., pk n

19
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 19

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google