practical(?) and provably secure anonymity

Practical(?) And Provably Secure Anonymity

Nick Hopper

Nick Hopper - Crypto/Security Seminar 204/19/23

Sender-Anonymous Communication: The “Love Letter Problem”

You have a secret

admirer!

Alex Eve,The Net Admin

Who?


Receiver-Anonymous Communication: The Whistleblower’s problem

Alex

Eve

IRS

??EPK(“AUDIT ACME!”)


Previous Work on anonymous communication Mix-Net/Onion routing:

Efficient, but not (yet) provably secure DC-Nets

Provably secure, but not efficient


Mix-Net

Mix

A

E

D

CB

EMIX(D,M1)

EMIX(E,M2)

EMIX(C,M3)

EMIX(D,M4)

EMIX(E,M5)


Mix-Net

Mix

A

E

D

CB

D,ED(M1)

E,EE(M2)

C,EC(M3)

D,ED(M4)

E,EE(M5)


Mix-Net

Mix

A

E

D

CB

ED(M1)

EE(M2)

EC(M3)

ED(M4)

EE(M5)


Onion Routing

A

B

C

D

F

E

H

G


Onion Routing

A

B

C

D

F

E

H

G

EH(M)


Onion Routing

A

B

C

D

F

E

H

G

EF(H,EH(M))


Onion Routing

A

B

C

D

F

E

H

G

EB(F,EF(H,EH(M)))


Onion Routing

A

B

C

D

F

E

H

G

EE(B,EB(F,EF(H,EH(M))))


Onion Routing

A

B

C

D

F

E

H

G

EB(F,EF(H,EH(M)))


Onion Routing

A

B

C

D

F

E

H

G

EF(H,EH(M))


Onion Routing

A

B

C

D

F

E

H

G

EH(M)


Onion Routing

A

B

C

D

F

E

H

G

M


DC Net: Multiparty Sum

A

BC

D

XA

XB

XD

XC



A

BC

D

XA

SAA+SAB+SAC+SAD = XA

XB

XD

XC

SDA+SDB+SDC+SDD = XD

SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB



A

BC

D

XA


XB

XD

XC


SBA+SBB+SBC+SBD = XBSCA+SCB+SCC+SCD = XB

SAB

SAD

SAC



A

BC

D

XA


SA = SAA + SBA + SCA+SDA

XB

XD

XC


SD = SAD + SBD + SCD+SDD

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

SB

SA

SC

SD



BC

D

XA


SA = SAA + SBA + SCA+SDA

XB

XD

XC


SD = SAD + SBD + SCD+SDD

SBA+SBB+SBC+SBD = XB

SB = SAB + SBB + SCB+SDB

SCA+SCB+SCC+SCD = XB

SC = SAC + SBC + SCC+SDC

X = SA + SB + SC + SD

= XA + XB + XC + XD


How to use multiparty sum for anonymity If XA = XB = XC = 0 then X=XD! If more than one non-zero: collision Use standard networking techniques Provably, Perfectly secure against passive

adversary. Problems:

Inefficient – O(n3) protocol messages/ anonymous message

Easy to JAM it!


Efficiency “Issue”

“Perfect” security requires (n2) protocol messages per anonymous message

Relax to k-anonymity: every message could have been from or to k participants


k-anonymous message transmission (k-AMT)

Idea: Divide N parties into “small” DC-Nets of size O(k). Encode M as (group, msg) pair

P1

P2

P3

P4s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)

s1,2

s1,3

s1,4


How to compromise k-anonymity

If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee.

So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using traceable means.


How to break k-AMT (I)

Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead.

This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.


Stopping the “randomizing” attack

Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input.

These commitments allow verification of her subsequent actions.


k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1

…si,k viaPedersen commitment C(s,r)=gshr

P1

P2

P3

P4

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

C 1

1 gs1,1hr1,1

2 gs1,2hr1,2

3 gs1,3hr1,3

4 gs1,4hr1,4

C1

C1

C1


k-anonymous message transmission (k-AMT) with VSS

Before starting, each player commits to si,1

…si,k viaPedersen commitment C(s,r)=gshr

P1

P2

P3

P4

s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi)

C 1… k

1 gs1,1hr1,1 gsk,1hrk,1 gs1hr




gx1hr gxkhr

C2

C3

C4


How to break k-AMT (II)

The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn.

So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.


Accommodating more than one sender per turn Idea: we can run several turns in parallel.

Instead of sending commitments to shares of a single value, generate shares of 2k values.

If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.


Accommodating more than one sender per turn

Before starting, each player picks slot l, sets xi,l= (G,M), xi,1=…=xi,2k= 0, and chooses si,j,t

so that msi,j,t =xi,j

P1

P2

P3

P4

C 1,1… 1,2k

1 gs1,1,1hr1,1 gs1,2k,1hrk,1

2 gs1,1,2hr1,2 gs1,2k,2hrk,2

3 gs1,1,3hr1,3 gs1,2k,,3hrk,3

4 gs1,1,4hr1,4 gs1,2k,4hrk,4

gx1,1hr gx1,khr

C1,1..2k

C1,1..2k

C1,1..2k


Accommodating more than one sender per turn Suppose at the end of the protocol, at

least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit.

If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?


Catching a cheater

Idea: each party can use her committed values to prove (in zero knowledge) that she transmitted in at most one slot, without revealing that slot.

If someone did cheat, she will have a very low probability of convincing the group she did not.


Zero-Knowledge proof of protocol conformance Pi (All):

Pick permutation ρ on {1…2k}

Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) (All) Pi: b {0,1} Pi (All):

if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x)


Efficiency

O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead

Cheaters are caught with high probability Zero Knowledge proofs are Honest Verifier

and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)


Another problem: Abuse

Anonymous communications could be used for bad things:Kidnapping & Ransom NotesChild PornographyLibelExcessive Multi Posting

How to deal with it fairly?


Selective Tracing

Participants agree to a “tracing policy:”Set of voters VSet of sets of voters V.

Anytime a “bad” message is sent, when any set of users v 2 V agree, the message can be traced to its sender.


Example Tracing Policies

Threshold tracing: if at least t users agree (e.g. 90%)

Court tracing: if at least 5/9 justices agree LEA tracing: if FBI, CIA, NSA, DHS, ATF,

or DEA want to trace.


Support for selective traceability

Assume for now singleton voter V. V publishes ElGamal public key GX. Recall that for each slot we have

R = ri,

S = i Ci = gMhR

For each slot compute a = GR

b = g-MyR

= ZK{logg a = loghy Sb}


Support for selective traceability

V publishes ElGamal public key GX. For each slot compute

a = GR

b = g-MyR

V can trace M by checking for each user whether aXb = g-M.

Extend to arbitrary tracing policy using “Threshold Cryptography”


Open Questions

What is a good way to model security of onion-routing type protocols?

Is k-AMT really practical? Can it be improved on?

Can we make a provably secure variant of onion routing with selective traceability?

Coercibility.

practical(?) and provably secure anonymity

Documents

xdsba sbb sbc sbd

xbsca scb scc scd

sac sbc scc sdcx

xaxbxdxcsda sdb sdc

net adminwho

anonymous messagerelax

n2 protocol messages

securedcnetsprovably