Download presentation

Presentation is loading. Please wait.

Published bySonny Brame Modified over 2 years ago

1
Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013

2
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2 Context: Encryption and Anonymity Public-key encryption Short but eventful history, late 70s, 80s. Security usually defined using Games: IND-CPA, IND-CCA, … Anonymity Shorter eventful history, early 90s. Anonymity is arguably a more high-level property What if used together? Key privacy, robust encryption, formal analysis of onions Games prone to require iterations to find “right” notion

3
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 3 What is Anonymous Encryption? [PH08] Sender AnonymityReceiver Anonymity Anonymity not created, but preserved

4
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 4 Our contribution

5
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 5 Chosen Ciphertext Attack Security (IND-CCA) Challenger Dec Bit b d = b? m 0, m 1 Enc(m b ) bit d c Dec(c) pk

6
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 6 Key Privacy (IK-CCA) [BBDP01] Challenger Dec 1 Bit b d = b? m Enc(pk b; m) bit d c Dec 1 (c) Dec 0 c Dec 0 (c) pk 0, pk 1

7
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 7 Weak Robustness (WROB) [ABN10] Challenger c Enc(pk i, m) m, i, j Dec c,i Dec i (c) ≠ Dec(sk j, c) ? ┴ pk 1,..., pk n

8
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 8 Constructive Cryptography [MR11] Resources (existing/assumed, desired): Available to everyone, including adversary/simulator through interfaces Converters: Transform existing into desired resources Two interfaces, inner and outer Protocol: composition of many converters, one for each user Security: Correctness: without Eve the protocol works correctly Security: when Simulator connected, no-one can distinguish between assumed and desired worlds.

9
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 9 Confidential Receiver-Anonymous Channel

10
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 10

11
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 11 Constructing the Channel from Broadcast BnBn B2B2 B1B1 … n x (pk i ) m m m m ┴ Existing Resources

12
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 12 Constructing the Channel from Broadcast … n x (pk i ) Converters Encryption scheme that is: IND-CCA IK-CCA WROB m* m*, j … m m Existing Resources BnBn BjBj B1B1

13
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 13 Simulation (intuition) B1B1 … (c, i) c … … BjBj BiBi BnBn B1B1 … (m, i) … … BjBj BiBi BnBn Key-Generation: generate n keypairs (for each B i ), one separate (sk, pk) Ciphertext generation: get |m|, encrypt 0 |m| under pk to get c c c m, i Existing world Desired world D |m|

14
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 14 Simulation (intuition) B1B1 … (c, i) c … … c* (c*, j) BjBj BiBi BnBn … (m, i) … (m*, j) … m* Ciphertext delivery: deliver c* to B j : (c*, j) if c* not seen before decrypt under sk j and inject message m* into network Dec(c*) m* Existing world Desired world |m| D B1B1 BjBj BiBi BnBn

15
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 15 Simulation (intuition) B1B1 … (c, i) c … … c (c, i*) BjBj BiBi BnBn … (m, i) |m| … … m If i = i* (H, i*) H m Ciphertext delivery: deliver c to B j : (c, i*) if c seen before deliver corresponding msg. to correct receiver Intuition: this is where we need WROB – wrong receiver outputs error m=Dec(c) m Assumed world Desired world D B1B1 BjBj BiBi BnBn Trial Delivery

16
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 16 (More) Results in a Nutshell WROB sufficient SROB leads to a tighter reduction WROB necessary without WROB, achieve anonymity with erroneous transmission Impossibility: SROB does not construct better resource Constructive aspects: Model network with single sender, many receivers PK settings: use uni-directional authenticated channels Trial deliveries prevent better anonymity

17
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 17 Results in Picture Game-based analysisConstructive result IND-CCA IK-CCA SROB IND-CCA IK-CCA WROB

18
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 18 Strong Robustness (SROB) Challenger c, i, j Dec c,i Dec i (c) both ┴ ≠ Dec(sk i, c) ┴ ≠ Dec(sk j, c) pk 1,..., pk n

19
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 19

Similar presentations

OK

Slide 1 Insert your own content. Slide 2 Insert your own content.

Slide 1 Insert your own content. Slide 2 Insert your own content.

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on nutrition and dietetics Ppt on story of human evolution Ppt on autism statistics Ppt on power sharing in democracy your vote Ppt on online examination system in php pdf Download ppt on software project management Ppt on peace and nonviolence Ppt on simple carburetors Free ppt on mobile number portability solutions Download ppt on harmonics in power system