Presentation is loading. Please wait.

Presentation is loading. Please wait.

Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013.

Published bySonny Brame Modified over 9 years ago

Similar presentations

Presentation on theme: "Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013."— Presentation transcript:

1 Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013

2 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2 Context: Encryption and Anonymity  Public-key encryption  Short but eventful history, late 70s, 80s.  Security usually defined using Games: IND-CPA, IND-CCA, …  Anonymity  Shorter eventful history, early 90s.  Anonymity is arguably a more high-level property  What if used together?  Key privacy, robust encryption, formal analysis of onions  Games prone to require iterations to find “right” notion

3 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 3 What is Anonymous Encryption? [PH08] Sender AnonymityReceiver Anonymity Anonymity not created, but preserved

4 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 4 Our contribution

5 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 5 Chosen Ciphertext Attack Security (IND-CCA) Challenger Dec Bit b d = b? m 0, m 1 Enc(m b ) bit d c Dec(c) pk

6 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 6 Key Privacy (IK-CCA) [BBDP01] Challenger Dec 1 Bit b d = b? m Enc(pk b; m) bit d c Dec 1 (c) Dec 0 c Dec 0 (c) pk 0, pk 1

7 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 7 Weak Robustness (WROB) [ABN10] Challenger c  Enc(pk i, m) m, i, j Dec c,i Dec i (c) ≠ Dec(sk j, c) ? ┴ pk 1,..., pk n

8 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 8 Constructive Cryptography [MR11]  Resources (existing/assumed, desired):  Available to everyone, including adversary/simulator through interfaces  Converters:  Transform existing into desired resources  Two interfaces, inner and outer  Protocol: composition of many converters, one for each user  Security:  Correctness: without Eve the protocol works correctly  Security: when Simulator connected, no-one can distinguish between assumed and desired worlds.

9 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 9 Confidential Receiver-Anonymous Channel

10 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 10

11 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 11 Constructing the Channel from Broadcast BnBn B2B2 B1B1 … n x (pk i ) m m m m ┴ Existing Resources

12 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 12 Constructing the Channel from Broadcast … n x (pk i ) Converters Encryption scheme that is:  IND-CCA  IK-CCA  WROB m* m*, j … m m Existing Resources BnBn BjBj B1B1

13 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 13 Simulation (intuition) B1B1 … (c, i) c … … BjBj BiBi BnBn B1B1 … (m, i) … … BjBj BiBi BnBn  Key-Generation: generate n keypairs (for each B i ), one separate (sk, pk)  Ciphertext generation: get |m|, encrypt 0 |m| under pk to get c c c m, i Existing world Desired world D |m|

14 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 14 Simulation (intuition) B1B1 … (c, i) c … … c* (c*, j) BjBj BiBi BnBn … (m, i) … (m*, j) … m*  Ciphertext delivery: deliver c* to B j : (c*, j) if c* not seen before decrypt under sk j and inject message m* into network Dec(c*) m* Existing world Desired world |m| D B1B1 BjBj BiBi BnBn

15 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 15 Simulation (intuition) B1B1 … (c, i) c … … c (c, i*) BjBj BiBi BnBn … (m, i) |m| … … m If i = i* (H, i*) H m  Ciphertext delivery: deliver c to B j : (c, i*) if c seen before deliver corresponding msg. to correct receiver Intuition: this is where we need WROB – wrong receiver outputs error m=Dec(c) m Assumed world Desired world D B1B1 BjBj BiBi BnBn Trial Delivery

16 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 16 (More) Results in a Nutshell  WROB sufficient  SROB leads to a tighter reduction  WROB necessary  without WROB, achieve anonymity with erroneous transmission  Impossibility: SROB does not construct better resource  Constructive aspects:  Model network with single sender, many receivers  PK settings: use uni-directional authenticated channels  Trial deliveries prevent better anonymity

17 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 17 Results in Picture Game-based analysisConstructive result IND-CCA IK-CCA SROB IND-CCA IK-CCA WROB

18 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 18 Strong Robustness (SROB) Challenger c, i, j Dec c,i Dec i (c) both ┴ ≠ Dec(sk i, c) ┴ ≠ Dec(sk j, c) pk 1,..., pk n

19 PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 19

Download ppt "Anonymity-preserving Public-Key Encryption Markulf Kohlweiss Ueli Maurer, Cristina Onete, Björn Tackmann, and Daniele Venturi PETS 2013."

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST

TWO STEP EQUATIONS 1. SOLVE FOR X 2. DO THE ADDITION STEP FIRST
6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.

6.1.2 Overview DES is a block cipher, as shown in Figure 6.1.
Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.

Efficient Lattice (H)IBE in the standard model Shweta Agrawal, Dan Boneh, Xavier Boyen.
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,

Bellwork If you roll a die, what is the probability that you roll a 2 or an odd number? P(2 or odd) 2. Is this an example of mutually exclusive, overlapping,
Slide 1 Insert your own content. Slide 2 Insert your own content.

Slide 1 Insert your own content. Slide 2 Insert your own content.
1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.

1 Chapter 40 - Physiology and Pathophysiology of Diuretic Action Copyright © 2013 Elsevier Inc. All rights reserved.
By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.

By D. Fisher Geometric Transformations. Reflection, Rotation, or Translation 1.
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13

Jeopardy Q 1 Q 6 Q 11 Q 16 Q 21 Q 2 Q 7 Q 12 Q 17 Q 22 Q 3 Q 8 Q 13
0 - 0.

0 - 0.
DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

DIVIDING INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)

MULTIPLYING MONOMIALS TIMES POLYNOMIALS (DISTRIBUTIVE PROPERTY)
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
Cryptography encryption authentication digital signatures

Cryptography encryption authentication digital signatures
1 Pretty Good Privacy (PGP) Security for Electronic Email.

1 Pretty Good Privacy (PGP) Security for Electronic .

Similar presentations

Ads by Google