Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dining Cryptographers R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide.

Published byMadeleine Barber Modified over 8 years ago

Similar presentations

Presentation on theme: "Dining Cryptographers R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide."— Presentation transcript:

1 Dining Cryptographers R. Newman

2 Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide anonymity Metrics for Anonymity Applications of anonymity technology

3 Three cryptographers go out for dinner They are told that the bill has been paid Benefactor wishes to remain anonymous Could be one of them, or a fourth party (e.g., NSA) Want to know if one of them paid Respect desire to remain anonymous But want to find this piece of information Dining Cryptographer Problem

4 Each pair of cryptographers flips a fair coin This is done in secret, so only the pair can see it Each cryptographer states XOR of coins States whether the pair of coins they saw were same If one paid, reports the opposite result Each computes answer Odd number of differences => a cryptographer paid Even number of difference => someone else paid Dining Cryptographer Protocol

5 Why does this work? Assuming all cryptographers are honest 1. First, consider case where NSA paid 1a. All heads or all tails => no differences Even number of differences, So conclude NSA paid Dining Cryptographer Protocol

6 Case 1a: NSA Paid, all same A C B heads All same All report same Zero (even) diffs “Same”

7 Why does this work? Assuming all cryptographers are honest 1. First, consider case where NSA paid 1a. All heads or all tails => no differences 1b. Two of one and one of the other => two differences Either way, even number of differences! Dining Cryptographer Protocol

8 Case 1b: NSA Paid, one different A C B heads tails heads One different All report same Two (even) diffs “Same” “Different”

9 Why does this work? Assuming all cryptographers are honest 2. Now what if one cryptographer inverts report? 2a. All same => two say same, one says different => one difference Dining Cryptographer Protocol

10 Case 2a: Alice Paid, all same A C B heads All same B and C report same Alice inverts report One (odd) diff “Same” “Different”

11 Why does this work? Assuming all cryptographers are honest 2. Now what if one cryptographer inverts report? 2a. All same => one difference 2b/c. Two of one, one of other: 2b. Payer sees equal pair => says different, and other two see different pairs, say different => 3 differences (odd) Dining Cryptographer Protocol

12 Case 2b: Alice Paid, sees same A C B heads tails One different Alice sees same B, C report different Alice reports different Three (odd) diffs “Different”

13 Why does this work? Assuming all cryptographers are honest 2. Now what if one cryptographer inverts report? 2a. All same => 1 difference 2b/c. Two of one, one of other: 2b. Payer sees equal pair => 3 differences 2c. Payer sees unequal pair => says same One of the others sees equal, one sees unequal Hence 1 difference reported Dining Cryptographer Protocol

14 Case 2c: Alice Paid, sees different A C B heads tails heads One different Alice sees different B reports same C reports different A reports same One (odd) diff “Same” “Different” “Same”

15 Why does this work? 1. No cryptographers invert report 1a. All heads or all tails => 0 differences 1b. Two of one and one of the other => 2 differences Either way, even number of differences! 2. One cryptographer inverts report 2a. All same => 1 difference 2b/c. Two of one, one of other: 2b. Payer sees equal pair => 3 differences 2c. Payer sees unequal pair => 1 difference Always odd number of differences reported Dining Cryptographer Protocol

16 How does it preserve anonymity? View of non-paying cryptographer: If even difference, there is nothing to discover If odd difference, two cases: Cryptographer sees equal values One of the others said ”same”, other said ”different” Hidden coin is same => one who said ”different” paid Hidden coin different => one who said ”same” paid Each is equally likely! (Fair coin) Dining Cryptographer Protocol

17 How does it preserve anonymity? View of non-paying cryptographer: If even difference, there is nothing to discover If odd difference, two cases: Cryptographer sees unequal values Both of the others said ”different” => payer closest to coin that is same as hidden coin Both of the others said ”same” => payer closest to coin different from hidden coin Each is equally likely! (Fair coin) Dining Cryptographer Protocol

18 OK – so what? Now can send one bit anonymously Extend protocol to anonymously transmission Repeat protocol in rounds Each round, act like non-payer unless you have msg When you have message, start sending bits Invert report when sending 1’s, not when 0’s What about collisions? Use collision detection, backoff protocol CSMA/CD with backoff – like Ethernet! Dining Cryptographer Protocol

19 OK – so what? Now can send one bit anonymously For three senders Extend protocol to multiple senders Complete graph for N senders Each edge represents a fair coin Report XOR of all coins (or invert it for 1) Note that with N=2, only non-participants don’t know the sender (not secret from participants) Dining Cryptographer Protocol

20 Why does this work? Each bit appears in two sums In sum of sums, these cancel each other out If one cryptographer inverts, then odd number of sum of reports is 1, otherwise it is 0 Replace coin flips with key bits Each participant shares a key with each other participant Same number of bits in key as rounds of protocol Use key bits as coin values in protocol Dining Cryptographer Protocol

21 Two kinds of secret per participant: Secret pairwise keys shared with other participants Message bits Consider collusion later.... Remaining information: Which pairs share a key (not required to be secret) What each participant outputs each round Compute sum of outputs Modeling DC Nets

22 Model with graph: Each participant is a node Each key is represented by an edge Edge is incident on participants sharing key Graph is connected, may not be complete Modeling DC Nets

23 A C B Tails 0 Heads 1 1 Originally coin flips Replace with random bit Which is “key bit”

24 Model with graph Anonymity Set seen by a set of keys AS = Set of vertices in a connected component remaining in graph after removing edges corresponding to keys in set Two participants connected by non-compromised keys are in same AS, and are indistinguishable – only parity of report can be determined Modeling DC Nets

25 Non-participant observer All participants in same CC are in same AS (Graph remains connected after removing 0 edges) Complete key compromise All edges are removed All nodes are singletons No anonymity: Sent bit = XOR of key bits with report Examples

26 Modeling DC Nets A C B Kab=010 Kac=110 Kbc=101 Distribute keys Alice has message Others report sums Alice inverts her sums E D Kce=111 Kde=101 Kbe=001 Msg_A = 001 Sums_B = 110 Sums_C = 100 Sums_E = 010 Sums_D = 100 Sums_A = 100 Report_A = 101 Sum of sums: 101 110 100 010 001

27 Modeling DC Nets A C B Kab=010 Kac=110 Kbc=101 B and C collude Alice has message All report as before B and C know what A should have sent E D Kce=111 Kde=101 Kbe=001 Msg_A = 001 Sums_B = 110 Sums_C = 100 Sums_E = 010 Sums_D = 100 Sums_A = 100 Report_A = 101 Sum of A keys: Kab=010 Kac=110 100 What A reported: 101 What A said: 100 101 001

28 Modeling DC Nets A C B Kab=010 Kac=110 Kbc=101 B and C collude Notice that B and C Do not have to share All keys (Kce or Kbe) To attack Alice E D Kce=111 Kde=101 Kbe=001 Msg_A = 001 Sums_B = 110 Sums_C = 100 Sums_E = 010 Sums_D = 100 Sums_A = 100 Report_A = 101

29 Modeling DC Nets A C B Kab=010 Kac=110 Kbc=101 B and C collude Ed has message All report B and C know that A reported honestly, So D or E sent msg E D Kce=111 Kde=101 Kbe=001 Msg_E = 100 Sums_B = 110 Sums_C = 100 Sums_E = 010 Sums_D = 100 Sums_A = 100 Report_E = 110

30 Modeling DC Nets A C B Kab=010 Kac=110 Kbc=101 Bob by himself Cannot reduce AS E D Kce=111 Kde=101 Kbe=001 Msg_E = 100 Sums_B = 110 Sums_C = 100 Sums_E = 010 Sums_D = 100 Sums_A = 100 Report_E = 110

31 Biconnected graph All pairs of participants are connected by at least two node-disjoint paths No single participant can reduce AS size of other participants by itself Requires collusion to learn anything! All collusion buys is parity of sum of inversions of each connected component Inversions hidden by one or more key bits Examples

32 Connected component C: m nodes and n edges m x n incidence matrix M nodes = rows and edges = columns Stochastic variable keys K over GF(2 n ) One per edge, uniform random Stochastic variable msg bits I over GF(2 m ) One per vertex, uniform random A = (MK) + I = reports of the vertices Parity(A) = parity(I) since columns of M have even parity Formal Model Nota bene!

33 Formal Model A C B K1=0 K2=1 K3=1 E D K5=1 K6=1 K4=0 Sum_A = 1 Sum_B = 1 Sum_C = 1 Info_C = 0 Report_C = 1 Sum_E = 0 Sum_D = 1 Info_A = 1 Report_A = 0 1 2 3 4 5 6 A 1 1 0 0 0 0 B 1 0 1 1 0 0 C 0 1 1 0 1 0 D 0 0 0 1 0 1 E 0 0 0 0 1 1 K 0 1 1 0 1 1 S 1 1 1 1 0 X = S11110S11110 I 1 0 0 0 0 A 0 1 1 1 0 += edges nodes keyssums Incidence Matrix M sums msg bits reports 1 2 3 4 5 6

34 Thm: Let a be in GF(2 n ). For each i in GF(2 n ), which is assumed by I with non-zero probability, and which has the same parity as a, Prob(A=a | I=i) = 2 1-m. hence Prob(I=i | A=a) = prob(I=i) a priori. Prf: Since every proper subset of rows of M is is linearly independent, the rank of M is m-1, and any zero parity vector in GF(2 n ) can be written as a linear combination of the columns of M. So the system of linear equalities MK+i = a is solvable, since MK = a+i has zero parity. The system has exactly 2 n-m+1 solutions. Since K and I are mutually independent and K is uniformly distributed, the theorem follows. Formal Model

35 Thm: Let a be in GF(2 n ). For each i in GF(2 n ), which is assumed by I with non-zero probability, and which has the same parity as a, Prob(A=a | I=i) = 2 1-m. hence Prob(I=i | A=a) = prob(I=i) a priori. Prf: Since the rank of M is m-1, The system has exactly 2 n-m+1 solutions. Since K and I are mutually independent and K is uniformly distributed, the theorem follows. Formal Model

36 Complete graphs do not scale Can use a ring But any two colluders can partition ring If colluders surround a target node It is compromised! Building Graphs

37 Ring A H B G C D E F Ring is binconnected – removal of any one node does not partition graph

38 Ring A H B G C D E F But any two nodes that collude can partition graph and possibly compromise a single participant (C)

39 ”Trusted not to collude” clique – Subset of participants whom all believe will not collude Subset forms a clique All others share a key with each member of clique All members of clique must collude to compromise Building Graphs

40 Trusted not to Collude Clique A B C A, B, and C are mutually hostile Hence trusted not to collude They form a “root clique” All others nodes connect to each member of root clique DEFGH

41 Trusted not to Collude Clique A B C Size of clique = K Number of keys = K(K-1)/2 for clique Plus for N total nodes K(N-K) for others And the total is … K[(K-1)/2 + (N-K)] Example here: K=3 3[2/2 + (8-3)] = 18 Compared to N(N-1)/2 = 28 for complete graph DEFGH

42 Trusted not to Collude Clique A B C All members of root clique must collude to compromise any node Suppose B and C collude… DEFGH

43 Trusted not to Collude Clique A B C All members of root clique must collude to compromise any node Suppose B and C collude… Then A still connects all other nodes The AS is maximal! DEFGH

44 Well, can’t really prevent it... But can detect it and weed out disrupters Requires: Key-sharing graph is publically agreed on Each participant’s outputs are publically agreed on such that no participant can change their output for a round based on the other participant’s outputs for that round Some rounds contain inversions that would not compromise the untraceability of any non-disrupter Preventing Disruption

45 Key-sharing graph is publically agreed on Distributed consensus Participantd can’t change outputs Simultaneous broadcast channels Commitment protocols Contestable rounds that do not compromise the untraceability of any non-disrupter Slot reservation protocol Preventing Disruption

46 Messages sent in two blocks Reservation block with one bit per msg slot Message block with multiple message slots Sender reserves one or more slots Sets corresponding bit(s) in reservation block Sends message in corresponding slots For contestable rounds, all N participants must always make one reserveration each round Requires quadratic slots due to Birthday Paradox Disrupted reservation block likely to have Hamming weight unequal to N All bits of reserving block can be safely contested Slot Reservation Protocol

47 If it tells the truth about shared keys bits for contested bit, or lies about an even number of key bits, it implicates itself The sum of the claimed key bit values is not what it reported (apart from allowed inversion) If it lies about an odd number... Values it claims will differ from values claimed by those who share the keys it lies about Casting suspicion on itself and each of them But all disputed bits point to disrupter And falsely accused participants know disrupter And can refuse to share edge with disrupter in future Single Disrupter

48 At least one inversion revealed as illegit or at least one key bit disputed Since parity of outputs does not correspond to parity of legit inversions Result of each contested round Remove at least one edge, or Remove at least one vertex from agree graph If every disruption has non-zero probability of being contested Then bounded amount of disruption possible before disrupters excluded Removed (vertex) or Share no keys (edges) Multiple Disrupters

49 Deter antisocial use of network by... Allowing trace of any message by cooperation of most participants Example: court orders all participants to reveal their shared key bits for a round of the message Sender may try to spread blame by lying about and odd number of shared bits Digital signatures on shared bits can stop this Allow contested rounds to be fully resolved Allow accused senders to exonerate themselves Allow colluders to convince each other to trust them But allow sender self-incrimination: non-repudiation! Variant prevents self-incrimination Tracing by Consent

50 Variant prevents self-incrimination Each participant in a pair signs a differnt bit whose sum is the actual shared bit Sharers can tell if the signatures are good Others can’t tell what bit is if one is lying Helps resolve contested rounds Contester of a bit shows signature of other party Other party must reveal contester’s signature... or be considered a disrupter Split-bit Signatures

51 Mix-net relies on security of PKCS And maybe also symmetric crypto These are at best computationally secure DC-nets can offer unconditional security Underspecified system of equations Network load is an issue, though May not be able to handle traffic to root clique Mix-nets can also provide recipient untraceability And untraceable return addressing Compare to Mix-nets

Download ppt "Dining Cryptographers R. Newman. Topics Defining anonymity Need for anonymity Defining privacy Threats to anonymity and privacy Mechanisms to provide."

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”

Hash Function. What are hash functions? Just a method of compressing strings – E.g., H : {0,1}*  {0,1} 160 – Input is called “message”, output is “digest”
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Some Graph Problems. LINIAL’S CONJECTURE Backgound: In a partially ordered set we have Dilworth’s Theorem; The largest size of an independent set (completely.

Some Graph Problems. LINIAL’S CONJECTURE Backgound: In a partially ordered set we have Dilworth’s Theorem; The largest size of an independent set (completely.
The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.

The Dining Cryptographer Problem Security Presentation Nitesh Patel 2005h425.
1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.

1 Introduction to Quantum Information Processing CS 467 / CS 667 Phys 467 / Phys 767 C&O 481 / C&O 681 Richard Cleve DC 3524 Course.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)

Packet Leashes: Defense Against Wormhole Attacks Authors: Yih-Chun Hu (CMU), Adrian Perrig (CMU), David Johnson (Rice)
Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi

Probabilistic Methods in Concurrency Lecture 9 Other uses of randomization: a randomized protocol for anonymity Catuscia Palamidessi
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.

Explorations in Anonymous Communication Andrew Bortz with Luis von Ahn Nick Hopper Aladdin Center, Carnegie Mellon University, 8/19/2003.
Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.

Receipt-freeness and coercion-resistance: formal definitions and fault attacks Stéphanie Delaune / Steve Kremer / Mark D. Ryan.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.

Modelling and Analysing of Security Protocol: Lecture 9 Anonymous Protocols: Theory.
Lecture 11. Matching A set of edges which do not share a vertex is a matching. Application: Wireless Networks may consist of nodes with single radios,

Lecture 11. Matching A set of edges which do not share a vertex is a matching. Application: Wireless Networks may consist of nodes with single radios,

Similar presentations

Ads by Google