Presentation is loading. Please wait.

Presentation is loading. Please wait.

K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University."— Presentation transcript:

1 k-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University

2 Adversary cannot identify the sender of a particular message Sender Anonymous Protocol

3 Adversary cannot identify the receiver of a particular message Receiver Anonymous Protocol Adversary cannot identify the sender of a particular message Sender Anonymous Protocol

4 Some Applications Distribution of Music Anonymous Crime Tips Secret Love Letters

5 Sender and receiver anonymity can be achieved with a trusted third party

6

7 In This Talk We will present a scheme for anonymous communication that is efficient and requires no trusted third parties

8 The Model Reliable Communication The adversary can own some of the participants A participant owned by the adversary may act arbitrarily The adversary can see all communications in network

9 The Rest of the Talk An efficient scheme DC Nets Why DC Nets have never been implemented k-Anonymity

10 DC Nets: Key Idea Divide time into small steps If party j doesn’t want to send a message at step t, they must send M j =0 At step t, party i wants to send message M i  Z m

11 DC Nets: Key Idea Divide time into small steps At step t, party i wants to send message M i  Z m If party j doesn’t want to send a message at step t, they must send M j =0 Each party i splits M i into n random shares M i = s i,1 + s i,2 + … + s i,n-1 + (M i – (s i,1 + … + s i,n-1 )) s i,n

12 DC Nets: Key Idea Party 1 Party 2 Party 3 Party n Party i s i,1 s i,2 s i,3 s i,n Each party distributes their n shares

13 DC Nets: Key Idea All parties add up every share that they have received and broadcast the result (Let B i denote Party i’s broadcast) B i = s 1,i + s 2,i + … + s n,i

14 DC Nets: Key Idea M i = s i,1 + s i,2 + … + s i,n-1 + s i,n B i = s 1,i + s 2,i + … + s n,i B 1 + B 2 +…+ B n = M 1 + M 2 +…+ M n All parties add up every share that they have received and broadcast the result (Let B i denote Party i’s broadcast)

15 DC Nets: Key Idea If only one of the M i is nonzero, then: B 1 + B 2 +…+ B n = M i

16 DC Nets: Problems It is very easy for the adversary to jam the channel! Communication complexity is O(n 2 )

17 Full Anonymity Versus k-Anonymity We will relax the requirement that the adversary learns nothing about the origin of a given message We will accept k-anonymity, in which the adversary can only narrow down his search to k participants

18 The Rest of the Talk An efficient scheme DC Nets Why DC Nets have never been implemented k-Anonymity

19 k-anonymous message transmission (k-AMT) Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M t as (group, msg) pair P1 P2 P3 P4 s 1,1 +s 1,2 +s 1,3 +s 1,4 = (G t,M t ) s 1,2 s 1,3 s 1,4

20 How to compromise k-anonymity If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee. So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using onymous means.

21 How to break k-AMT (I) Don’t follow the protocol: after receiving shares s 1,i,…,s k,i, instead of broadcasting s i, generate a random value r and broadcast that instead. This will randomize the result of the DC- Net protocol, preventing Alice from transmitting.

22 Stopping the “randomizing” attack Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input. These commitments allow verification of her subsequent actions.

23 k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to s i,1 …s i,k viaPedersen commitment C(s,r)=g s h r P1 P2 P3 P4 s 1,1 +s 1,2 +s 1,3 +s 1,4 = x 1 = (G i,M i ) C1 1g s 1,1 h r 1,1 2g s 1,2 h r 1,2 3g s 1,3 h r 1,3 4g s 1,4 h r 1,4 C1C1 C1C1 C1C1

24 k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to s i,1 …s i,k viaPedersen commitment C(s,r)=g s h r P1 P2 P3 P4 s 1,1 +s 1,2 +s 1,3 +s 1,4 = x 1 = (G i,M i ) C1…k 1g s 1,1 h r 1,1 g s k,1 h r k,1 gs1hrgs1hr 2g s 1,2 h r 1,2 g s k,2 h r k,2 gs2hrgs2hr 3g s 1,3 h r 1,3 g s k,3 h r k,3 gs3hrgs3hr 4g s 1,4 h r 1,4 g s k,4 h r k,4 gs4hrgs4hr gx1hrgx1hr gxkhrgxkhr C2C2 C3C3 C4C4

25 How to break k-AMT (II) The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn. So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.

26 Accommodating more than one sender per turn Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values. If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.

27 Accommodating more than one sender per turn Before starting, each player picks slot s, sets x i,s = (G t,M t ), x i,1 =…=x i,2k = 0, and chooses s i,j,m so that  m s i,j,m =x i,j P1 P2 P3 P4 C1,1…1,2k 1g s 1,1,1 h r 1,1 g s 1,2k,1 h r k,1 2g s 1,1,2 h r 1,2 g s 1,2k,2 h r k,2 3g s 1,1,3 h r 1,3 g s 1,2k,,3 h r k,3 4g s 1,1,4 h r 1,4 g s 1,2k,4 h r k,4 g x 1,1 h r g x 1,k h r C 1,1..2k

28 Accommodating more than one sender per turn Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit. If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?

29 Catching a cheater Idea: each party can use her committed values to prove (in zero knowledge) that she transmitted in at most one slot, without revealing that slot. If someone did cheat, she will have a very low probability of convincing the group she did not.

30 Zero-Knowledge proof of protocol conformance P i  (All): Pick permutation ρ on {1…2k} Send C(x’) = C(x ρ(0), r’ 0 ),…, C(x ρ(2k),r’ 2k ) (All)  P i : b  {0,1} P i  (All): if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x)

31 Efficiency O(k 2 ) protocol messages to transmit O(k) anonymous messages: O(k) message overhead Cheaters are caught with high probability Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)

Download ppt "K-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University."

Similar presentations

Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.

Efficient Zero-Knowledge Argument for Correctness of a Shuffle Stephanie Bayer University College London Jens Groth University College London.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.

Cryptography for Unconditionally Secure Message Transmission in Networks Kaoru Kurosawa.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London.
Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.

Mental Poker The SRA Protocol. What is Mental Poker? Playing poker without cards (ie over telephone or internet). No Trusted Third Party or source of.
Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.

Efficient Two-party and Multiparty Computation against Covert Adversaries Vipul Goyal Payman Mohassel Adam Smith Penn Sate UCLAUC Davis.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.

Rennes, 24/10/2014 Cristina Onete CIDRE/ INRIA Sigma Protocols and (Non-Interactive) Zero Knowledge.
Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.

Computational Security. Overview Goal: Obtain computational security against an active adversary. Hope: under a reasonable cryptographic assumption, obtain.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!

Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.

Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
Short course on quantum computing Andris Ambainis University of Latvia.

Short course on quantum computing Andris Ambainis University of Latvia.
Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.

Efficient Zero-Knowledge Proof Systems Jens Groth University College London FOSAD 2014.
Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.

Improving the Round Complexity of VSS in Point-to-Point Networks Jonathan Katz (University of Maryland) Chiu-Yuen Koo (Google Labs) Ranjit Kumaresan (University.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Zero-Knowledge.
Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.

Zero-Knowledge Proofs J.W. Pope M.S. – Mathematics May 2004.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

COVERT MULTI-PARTY COMPUTATION YINMENG ZHANG ALADDIN REU 2005 LUIS VON AHN MANUEL BLUM.

Similar presentations

Ads by Google