robust sender anonymity tamara rezk
DESCRIPTION
Robust Sender Anonymity Tamara Rezk. FMCrypto (work in progress) G.Barthe , A.Hevia , Z.Luo , T.Rezk , B.Warinschi April, 28 th – Campinas, Brazil. Anonymity Protocols. Hide the identity associated to a message The message may be public. Example:voting - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/1.jpg)
Robust Sender AnonymityTamara Rezk
FMCrypto (work in progress)G.Barthe, A.Hevia, Z.Luo, T.Rezk, B.Warinschi
April, 28th – Campinas, Brazil
![Page 2: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/2.jpg)
Anonymity Protocols
• Hide the identity associated to a message
• The message may be public. Example:voting
• Different kind of anonymity properties
![Page 3: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/3.jpg)
Anonymity Properties• Receiver anonymity• Sender Unlinkability (SUL)• Receiver Unlinkability (RUL)• Sender-Receiver Unlinkability (UL)• Sender Anonymity (SA)• Strong Sender Anonymity (SA*)• Receiver Anonymity (RA)• Strong Receiver Anonymity (RA*)• Sender-Receiver Anonymity (SRA)• Unobservability (UO)• Sender Unlinkability (SUL)• Receiver Unlinkability (RUL)• Sender-Receiver Unlinkability (UL)• Sender Anonymity (SA)• Strong Sender Anonymity (SA*)• Receiver Anonymity (RA)• Strong Receiver Anonymity (RA*)• Sender-Receiver Anonymity (SRA)• Unobservability (UO)
![Page 4: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/4.jpg)
Anonymity Properties Characterizations [Micciancio&Hevia06]
cab
a
4
3
2
1
8
7
6
5
c
a
b
a
4
3
2
1
8
7
6
5
4321 8765
d d
mij = sets of messages from party i to party j
M =
7
(Thanks Alejandro for this slide)
![Page 5: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/5.jpg)
Capturing information leaks
• By restricting the matrix pair M0,M1
– Let f(M) be the information leaked– Requirement: f(M0) = f(M1)
M0
c
dd
c=multiset
for each row i
M1
Example of leaked information:
(Thanks Alejandro for this slide)
![Page 6: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/6.jpg)
The anonymity property for protocol PHypothesis: f(M0) = f(M1)
CA:=b := {0,1};
if (b = 0)
then {m := M0}
else {m := M1};
S P(m)g A(S,f(m))
| Pr[CA; g = b] - ½ | is negligible on the security parameter
![Page 7: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/7.jpg)
Motivation
• Anonymity in the case of active adversaries
• Case study: DC-Nets
![Page 8: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/8.jpg)
Motivation
• Anonymity in the case of active adversaries
• Case study: DC-Nets
• Robustness was not what we expected it to be
• Work: definition of robustness
![Page 9: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/9.jpg)
Robust anonymous protocol
1) A protocol that is anonymous (it does not leak the identity of the participants)
![Page 10: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/10.jpg)
Robust anonymous protocol
1) A protocol that is anonymous even if some of the participants are corrupt
![Page 11: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/11.jpg)
Robust anonymous protocol
1) A protocol that is anonymous even if some of the participants are corrupt
2) Honest messages can be delivered even if dishonest participants do not follow the protocol
![Page 12: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/12.jpg)
Robust anonymous protocol
1) Anonymity property for active adversaries
2) Robustness property
![Page 13: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/13.jpg)
The anonymity property for protocol Pfor active adversariesHypothesis: f(M0) = f(M1)
CRA:=b := {0,1};
if (b = 0)
then {m := M0}
else {m := M1};
g A[P(m)] (f(m))
| Pr[CRA; g = b] - ½ | is negligible on the security parameter
![Page 14: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/14.jpg)
Dinning Cryptographers:all started in a restaurant …
![Page 15: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/15.jpg)
Dinning Cryptographers Protocol (DC-nets)
• Bitwise XOR [Chaum88]– Not robust
• Bilinear Maps [GolleJuels04]– Robust
What does exactly the word “robust” assure?
![Page 16: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/16.jpg)
The robust DC-nets protocol 1/4
inizializationinizialization
In this phase: • a non-degenerate pairing e : G1 x G1 G2• generators g, h of a cyclic group G1• a hash function H: {0,1}* G1• a private key xi and public key yi = g^xi (secret xi is (t,n)-shared ) • a common reference string
![Page 17: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/17.jpg)
The robust DC-nets protocol 2/4
inizializationinizialization
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
![Page 18: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/18.jpg)
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
n
i
2
1
1/3
![Page 19: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/19.jpg)
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
n
i
2
1
2/3
e(H(s||2), yj)^xi*cji
![Page 20: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/20.jpg)
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
n
i
2
1
3/3
e(H(s||2), yj)^xi*cji
Padding participant i. Coefficient c is 1 if i<j or -1 otherwise.
![Page 21: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/21.jpg)
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
n
i
2
1
3/3
e(H(s||2), yj)^xi*cji
*m
Message m transmission
![Page 22: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/22.jpg)
If each participant transmits exactly one message without collisions then multiplication of vectors yields the messages.
transmissiontransmission
n
2
1
n
2
1
n
2
1
* * …
Vector Party 1 Vector Party n
=
n
2
1 m1m2 …
mn
![Page 23: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/23.jpg)
Example for 2 paticipants: n=2 1/9
transmissiontransmission
![Page 24: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/24.jpg)
Example for 2 paticipants: n=2 2/9
transmissiontransmission
Vector Party 1
2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2
![Page 25: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/25.jpg)
Example for 2 paticipants: n=2 3/9
transmissiontransmission
Vector Party 1 Vector Party 2
2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2
![Page 26: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/26.jpg)
Example for 2 paticipants: n=2 4/9
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 27: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/27.jpg)
Example for 2 paticipants: n=2 5/9
e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 28: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/28.jpg)
Example for 2 paticipants: n=2 6/9
e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining}
e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 29: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/29.jpg)
Example for 2 paticipants: n=2 7/9
e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining}
e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity}
e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 30: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/30.jpg)
Example for 2 paticipants: n=2 8/9
e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining}
e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity}
e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity}
e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 31: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/31.jpg)
Example for 2 paticipants: n=2 9/9
e(H(s||1), y2)^x1 * e(H(s||1), y1)^-x2 * m1 = {public key inlining}
e(H(s||1), x2g)^x1 * e(H(s||1), x1g)^-x2 * m1 = {bilinearity}
e(H(s||1), x1x2g) * e(H(s||1), x2x1g)^-1 * m1 = {conmutativity}
e(H(s||1), x1x2g) * e(H(s||1), x1x2g)^-1 * m1 ={inverse *}
m1
transmissiontransmission
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||1), y2)^x1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1
m2
transmission result
![Page 32: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/32.jpg)
If there is a collision, or the padding is incorrect, or there is more than one message in the vector, recuperation of messages fail!
transmissiontransmission
n
2
1
n
2
1
n
2
1
* * …
Vector Party 1 Vector Party n
=
n
2
1 m1m2 …
mn
![Page 33: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/33.jpg)
Vectors are transmitted with a proof of knowledge (zkpk)
transmissiontransmission
For all positions in the vector there is a valid padding, except for at most one position.
![Page 34: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/34.jpg)
The robust DC-nets protocol 3/4
inizializationinizialization
In this phase: each participant computes a vector that contains a “padding” and a unique message that cannot be distinguished from the padding.
transmissiontransmission
reconstructionreconstruction
![Page 35: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/35.jpg)
In this phase: if a proof of knowledge does not verify then the vector of the dishonest participant is reconstructed using trheshold cryptography
reconstructionreconstruction
After this phase, we are left with a set of valid vectors , that is :
For all positions in the vector there is a valid padding, except for at most one position.
![Page 36: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/36.jpg)
The robust DC-nets protocol 4/4
inizializationinizialization
transmissiontransmission
reconstructionreconstruction
recuperationrecuperation
![Page 37: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/37.jpg)
In this phase: All vectors are correct (honest participants or recovered vectors). Messages are recuperated by multiplication.
recuperationrecuperation
n
2
1
n
2
1
n
2
1
* * …
Vector Party 1 Vector Party n
=
n
2
1 m1m2 …
mn
![Page 38: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/38.jpg)
What does exactly the word “robust” assure?
• If the vector is correct, then there is a unique message in the vector
• An adversary may violate the slot reservation protocol to intentionally produce a collision
• For each collision, one honest message is not delivered
![Page 39: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/39.jpg)
ROBUSTNESS PROPERTYWe propose to state this formally by definning a:
![Page 40: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/40.jpg)
Sender robustness, t-n
SR:= M,N A0 m := M++N;
S P[A](m) if (#(MПS) < 2t-n)
then b’:=1 else b’:=0
|Pr[SR; b’=1] is negligible on the security parameter
![Page 41: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/41.jpg)
Sender Robustness Violation 1 Example for 2 paticipants: n=2
*
Vector Party 1 Vector Party 2
=2
1 1
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 ????
m2
transmission result
![Page 42: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/42.jpg)
Sender Robustness Violation 2 Example for 2 paticipants: n=2
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||2), y2)^x1*m2
e(H(s||2), y2)^x1*m2 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 ????
m2
transmission result
![Page 43: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/43.jpg)
Sender RobustnessExample for 2 paticipants: n=2
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||2), y2)^x1*m2
e(H(s||2), y2)^x1 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1*m2
m2
transmission result
This is considered secure!
![Page 44: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/44.jpg)
A stronger robustness propertyConfusion resistant t-n
CR:= M,N A0 m := M++N;
S P[A(m)] if honest received < honest-
dishonestthen b’:=1 else b’:=0 |Pr[CR; b’=1] is negligible on the security parameter
![Page 45: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/45.jpg)
A stronger robustness propertyConfusion resistant t-n
CR:= M,N A0 m := M++N;
S P[A(m)] if honest not
received+dishonest received > dishonest.
then b’:=1 else b’:=0
|Pr[CR; b’=1] is negligible on the security parameter
![Page 46: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/46.jpg)
A stronger robustness propertyConfusion resistant t-n
CR:= M,N A0 m := M++N;
S P[A(m)] if (#(S\M) + #(M\S) > n-t)
then b’:=1 else b’:=0
|Pr[CR; b’=1] is negligible on the security parameter
![Page 47: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/47.jpg)
Confussion Resistant ViolationExample for 2 paticipants: n=2
*
Vector Party 1 Vector Party 2
=2
1 e(H(s||2), y2)^x1*m2
e(H(s||2), y2)^x1 2
1 e(H(s||1), y1)^-x2 *m1
e(H(s||2), y1)^-x2 2
1 m1*m2
m2
transmission result
![Page 48: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/48.jpg)
Theorems and Remarks
• Theo: DC-Nets is sender anonymous • Theo: DC-Nets is sender robust• Remark: DC-Nets is not confussion resistant
![Page 49: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/49.jpg)
Theorems and Remarks
• Theo: DC-Nets is sender anonymous • Theo: DC-Nets is sender robust• Remark: DC-Nets is not confussion resistant
Solution? : messages should be “sealed” in such a way that multiplication of two seals produces another seal only with negligible probability
![Page 50: Robust Sender Anonymity Tamara Rezk](https://reader036.vdocuments.net/reader036/viewer/2022062408/5681433c550346895dafaff9/html5/thumbnails/50.jpg)
Conclusions
• We have a proposed 2 properties to formally specify robustness of sender anonymous protocols
• We have detected GJ protocol satisfies only a weak form of robustness, and proposed a stronger version of the protocol
• Open questions: how to implement the stronger GJ?, how all these definitions extend to other forms of anonymity? generic conversion to stronger robustness?