Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reusable Anonymous Return Channels

Published byAnnis Elliott Modified over 9 years ago

Similar presentations

Presentation on theme: "Reusable Anonymous Return Channels"— Presentation transcript:

1 Reusable Anonymous Return Channels
Philippe Golle, Stanford / PARC Markus Jakobsson, RSA Labs WPES ‘03

2 Anonymous Communication
Model: Parties exchange messages Goal: “keeping confidential who converses with whom, and when they converse” [Chaum] Global eavesdropping adversary Solution: mix network Alice submits EMIX(Bob || M) Mixnet decrypts and delivers messages in random order Alice E(M) Mixnet M Bob How do we reply to an anonymous message?

3 Simple solution… Communication protocol: Property: external anonymity
Alice submits to the mixnet a message EMIX(Bob || EBob (Alice || M)) Bob receives EBOB (Alice || M), decrypts it and replies with EMIX(Alice || EAlice (Bob || R)) Property: external anonymity Alice and Bob know each other’s identity They hide from everyone else the fact that they are communicating In this talk Complete anonymity: Bob does not learn Alice’s identity Example applications: love letters, ransom notes No straightforward solution with mixnets

4 Outline Chaumian mixnets: Replies and traffic analysis
Processing of (forward) messages Untraceable return address Why return addresses can’t be reused Replies and traffic analysis Our new protocol Based on a re-encryption mixnet Allows for unlimited replies Filtering policies

5 Chaumian Mixnet Alice Mix 1 Mix 2 Mix 3 Bob M Bob M Bob N X M Bob M
P Y P Y P Y P Y M Bob N X

6 Untraceable Return Address
Alice Mix 2 Mix 1 Bob Mix 3 k1 k2 k3 k1 k2 k1 = M Bob M Bob M Bob M Bob k1 k2 k3 R k1 k2 R R k1 R

7 Return Address Single use return envelope
Privacy compromised if a return address is reused: Bob replies twice with same envelope Decryption of return address is deterministic The mixnet produces the same output in both cases To allow for N replies, Alice must give Bob N different envelopes

8 Return channels and Traffic Analysis
Traffic analysis attack Bob sends K replies in one batch and observes who picks up K messages Bob sends one reply every hour and computes the intersection of the sets of recipients Solutions from asynchronous mixes Random delays Pool mixing Make multiple copies of some messages

9 Our Approach Reusable return addresses
Alice distributes the same return address to all her correspondents (Bob, Charlie, Dave, …) Property: cannot test whether two return addresses lead to the same person or different people Note: cannot reuse Chaumian return addresses Helps defeat traffic analysis attacks If Bob sends K replies: Alice receives more than K Intersection attack: complicated by the fact that multiple correspondents reply to Alice Works best when combined with other defenses

10 ElGamal Cryptosystem ElGamal is a randomized public-key cryptosystem:
Key generation: (SK, PK) Encryption: m, PK, r  Er (m) Decryption: Er (m) , SK  m El Gamal allows for Re-encryption: Re-encryption: Er(m) , PK , s  Er+s(m) Requires only public key Given Er(m) an adversary can’t distinguish Er+s(m) from a random ciphertext.

11 Re-encryption Mixnet ElGamal encrypted inputs: EMIX (M)
Mixing: each mix server Receives a set of inputs Re-encrypts these inputs Gives them in random order to the next server Outputs Mixnet decrypts and outputs plaintext M

12 Protocol (outline) (Emix(Alice||PKA) ; Emix(M) ; Emix(Bob||PKB))
Alice submits her input (Emix(Alice||PKA) ; Emix(M) ; Emix(Bob||PKB)) Inputs are mixed and re-encrypted Delivery of messages Mixnet decrypts the value Bob||PKB Converts Emix(M) into EPKB(M) Delivers to Bob EPKB(M), Emix(Alice||PKA).

13 (Emix(Bob||PKB) ; Emix(R) ; Emix(Alice||PKA))
Protocol (cont’d) Submitting a reply Bob has received EPKB(M), Emix(Alice||PKA) Bob submits to the mixnet the reply (Emix(Bob||PKB) ; Emix(R) ; Emix(Alice||PKA)) Note: the return envelope Emix(Alice||PKA) can be reused multiple times, for multiple correspondents

14 Properties Reusable: multiple replies possible
Composable: allows for replies to replies, etc… Transferable: anyone can reply Compatible: replies and messages are processed in almost the same way Efficient: 4 times as expensive as normal re-encryption mixnet Filtering policies: specifies which replies are allowed

15 (Emix(Alice||PKA) ; E(M) ; Emix(Bob||PKB) ; E(FM))
Input Filtering Submission of messages (Emix(Alice||PKA) ; E(M) ; Emix(Bob||PKB) ; E(FM)) Mixing and delivery: as before Reply: (Emix(Bob||PKB) ; E(R) ; Emix(Alice||PKA) ; E(FM))

16 Conclusion Reusable return channels based on re-encryption mixnets
Helps defend against traffic analysis Thanks to Ari Juels and Paul Syverson!

Download ppt "Reusable Anonymous Return Channels"

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.

Rennes, 23/10/2014 Cristina Onete Putting it all together: using multiple primitives together.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Universal Re-encryption: For Mix-Nets

Universal Re-encryption: For Mix-Nets
UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.

UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google