Some slides borrowed from Philippe Golle, Markus Jacobson


1 Privacy and Anonymity Using Anonymizing Networks – II
CS 436/636/736 Spring
Nitesh Saxena
Some slides borrowed from Philippe Golle, Markus Jacobson

2 Course Admin
Mid-term exams returned
HW3 to be posted very soon
Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

3 Today’s Outline
Re-encryption based mix networks
Secret sharing
Research flavor

4 Principle (Chaum ’81)
[Diagram: Message 1, Message 2; server 1, server 2, server 3]
Requirements: Privacy, Efficiency, Trust, Robustness

5 But what about robustness?
[Diagram: speech bubble "I ignore his output and produce my own"; labels STOP, encr(Berry), encr(Kush), Kush]
There is no robustness!

6 Zoology of Mix Networks
[Diagram: Inputs, ?, Outputs]
Decryption Mix Nets [Cha81,…]:
  Inputs: ciphertexts
  Outputs: decryption of the inputs.
Re-encryption Mix Nets [PIK93,…]:
  Outputs: re-encryption of the inputs

7 First Solution
Chaum ’81, implemented by Syverson, Goldschlag
Not robust (or: tolerates 0 cheaters for correctness)
Requires every server to participate (and in the “right” order!)

8 Re-encryption Mixnet
0. Setup: mix servers generate a shared key
1. Users encrypt their inputs [diagram labels: Input, Pub-key]
2. Encrypted inputs are mixed [diagram labels: Server 1, Server 2, Server 3; re-encrypt & mix; Proof]
3. A quorum of mix servers decrypts the outputs [diagram labels: Output, Priv-key]

9 Recall: Discrete Logarithm Assumption
$p$, $q$ primes such that $q \mid p-1$
$g$ is an element of order $q$ and generates a group $G_q$ of order $q$
$x$ in $Z_q$, $y = g^x \bmod p$
Given $(p, q, g, y)$, it is computationally hard to compute $x$
No polynomial time algorithm known
$p$ should be 1024 bits and $q$ 160 bits
$x$ becomes the private key and $y$ becomes the public key

10 ElGamal Encryption
Encryption (of $m$ in $G_q$):
  Choose random $r$ in $Z_q$
  $k = g^r \bmod p$
  $c = m y^r \bmod p$
  Output $(k, c)$
Decryption of $(k, c)$:
  $m = c k^{-x} \bmod p$
Secure under discrete logarithm assumption

11 ElGamal Example: dummy
Let’s construct an example
KeyGen:
  $p = 11$, $q = 2$ or $5$; let’s say $q = 5$
  2 is a generator of $Z_{11}^*$
  $g = 2^2 = 4$
  $x = 2$; $y = 4^2 \bmod 11 = 5$
Enc(3):
  $r = 4$ → $k = 4^4 \bmod 11 = 3$
  $c = 3 \cdot 5^4 \bmod 11 = 5$
Dec(3,5):
  $m = 5 \cdot 3^{-2} \bmod 11 = 3$

12 (t+1,n)-Secret Sharing
Motivation: to secure the cryptosystem against $t$ ($< n/2$) corruptions
Split the secret among $n$ entities so that
  any set of $t+1$ or more entities can recover the secret
  an adversary who corrupts at most $t$ entities learns nothing about the secret
Tool: Shamir’s Polynomial Secret Sharing
  $f(z)$ → degree $t$ polynomial (mod $q$)
  $f(0)$ → $x$
  $f(i)$ → $ss_i$
  Polynomial interpolation: for any $G$, s.t. $|G| = t+1$
[Figure: example with $n = 7$, $t = 3$; labels SECURE and INSECURE]
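The sharing and interpolation steps of slide 12, as an added example that is not part of the original slides. The modulus `Q`, the sample secret in the usage and the function names are assumptions made for illustration; `completing_share` shows why $t$ shares fit every candidate secret.

```python
import secrets
from itertools import combinations

Q = 2**61 - 1  # assumed prime modulus for this example; must be larger than n

def share(secret, t, n):
    """Pick a random polynomial f of degree t with f(0) = secret; share i is (i, f(i) mod q)."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(t)]
    def f(z):
        acc = 0
        for a in reversed(coeffs):          # Horner's rule
            acc = (acc * z + a) % Q
        return acc
    return [(i, f(i)) for i in range(1, n + 1)]

def interpolate(points, z=0):
    """Lagrange interpolation mod q: value at z of the unique polynomial
    of degree < len(points) through the given (x, y) points (distinct x)."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (z - xj) % Q
                den = den * (xi - xj) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q  # Fermat inverse of den
    return total

def every_quorum_recovers(shares, t, secret):
    """True if every subset G with |G| = t+1 interpolates back to the secret."""
    return all(interpolate(g) == secret for g in combinations(shares, t + 1))

def completing_share(t_shares, guess, index):
    """For ANY guessed secret there is a share at `index` consistent with the
    t known shares, so t shares alone say nothing about the real secret."""
    return index, interpolate(list(t_shares) + [(0, guess)], index)
```

With `shares = share(x, 3, 7)`, all 35 four-share subsets recover `x`, while three shares can be completed to any guess.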

13 Re-encryption technique
Input: a ciphertext $(k, c)$ wrt public key $y$
Pick a number $r'$ randomly from $[0 \ldots q-1]$
Compute
  $k' = k g^{r'} \bmod p$
  $c' = c y^{r'} \bmod p$
Output $(k', c')$
Same decryption technique! Compute $m = c' (k')^{-x} \bmod p$

14 A simple Mix
[Diagram: $(k_1, c_1), (k_2, c_2), \ldots, (k_n, c_n)$ → RE-ENCRYPT → $(k'_1, c'_1), (k'_2, c'_2), \ldots, (k'_n, c'_n)$ → RE-ENCRYPT → $(k''_1, c''_1), (k''_2, c''_2), \ldots, (k''_n, c''_n)$]
Note: different cipher text, different re-encryption exponents!

15 And to get privacy… permute, too!
[Diagram: inputs $(k_1, c_1), (k_2, c_2), \ldots, (k_n, c_n)$; outputs $(k''_1, c''_1), (k''_2, c''_2), \ldots, (k''_n, c''_n)$]

16 And, finally… the Proof
Mix servers must prove correct re-encryption
Given $n$ ElGamal ciphertexts $E(m_i)$ as input and $n$ ElGamal ciphertexts $E(m'_i)$ as output
Compute: $E(\prod m_i)$ and $E(\prod m'_i)$
Ask Mix for Zero-Knowledge proof that these ciphertexts decrypt to same plaintexts
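The re-encryption, permutation and product comparison of slides 13 to 16, run on the toy parameters of slide 11, as an added example that is not part of the original slides. The function names and sample messages are assumptions, and `same_product` decrypts both products with the private key as a stand-in for the zero-knowledge proof, which is not implemented here.

```python
import secrets

# Toy parameters from the lecture's ElGamal example; far too small for real use.
P, Q, G = 11, 5, 4
X = 2                      # private key x
Y = pow(G, X, P)           # public key y = g^x mod p = 5

def encrypt(m, r=None):
    """(k, c) = (g^r, m*y^r) mod p for a message m in G_q."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), m * pow(Y, r, P) % P

def decrypt(ct):
    """m = c * k^(-x) mod p; the inverse is taken via Fermat's little theorem."""
    k, c = ct
    return c * pow(pow(k, X, P), P - 2, P) % P

def reencrypt(ct):
    """(k', c') = (k*g^r', c*y^r') mod p; uses the public key only."""
    k, c = ct
    r2 = secrets.randbelow(Q)
    return k * pow(G, r2, P) % P, c * pow(Y, r2, P) % P

def mix(batch):
    """One honest mix server: re-encrypt every ciphertext, then permute."""
    out = [reencrypt(ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out

def product(batch):
    """Component-wise product of ciphertexts: an encryption of the product of plaintexts."""
    k_all = c_all = 1
    for k, c in batch:
        k_all, c_all = k_all * k % P, c_all * c % P
    return k_all, c_all

def same_product(inputs, outputs):
    """Stand-in for the zero-knowledge proof: decrypt both products and compare."""
    return decrypt(product(inputs)) == decrypt(product(outputs))

def run_demo():
    batch = [encrypt(m) for m in (3, 4, 9)]   # constructed messages, all in G_q
    honest = mix(mix(batch))                  # two servers in sequence
    cheating = mix(batch)
    cheating[0] = encrypt(5)                  # server substitutes its own message
    return (sorted(map(decrypt, honest)),
            same_product(batch, honest), same_product(batch, cheating))
```

The comparison only detects tampering that changes the product of the plaintexts.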

17 Anonymizing Network in practice: Tor
A low-latency anonymizing network
Currently 1000 or so routers distributed all over the Internet
Can run any SOCKS application on top of Tor
Peer-based: a client can choose to be a router
A request is routed to and fro through a circuit of three routers
A new circuit is chosen every 10 minutes
No real-world implementation of re-encryption mix as yet

