Reusable Anonymous Return Channels

1
Reusable AnonymousReturn Channels

• Philippe Golle, Stanford / PARC
• Markus Jakobsson, RSA Labs

WPES 03
2
Anonymous Communication

• Model Parties exchange messages
• Goal keeping confidential who converses with
  whom, and when they converse Chaum
• Global eavesdropping adversary
• Solution mix network
• Alice submits EMIX(Bob M)
• Mixnet decrypts and delivers messages in random
  order

Alice
Bob
How do we reply to an anonymous message?
3
Simple solution

• Communication protocol
• Alice submits to the mixnet a message
• EMIX(Bob EBob (Alice M))
• Bob receives EBOB (Alice M), decrypts it and
  replies with
• EMIX(Alice EAlice (Bob R))
• Property external anonymity
• Alice and Bob know each others identity
• They hide from everyone else the fact that they
  are communicating
• In this talk
• Complete anonymity Bob does not learn Alices
  identity
• Example applications love letters, ransom notes
• No straightforward solution with mixnets

4
Outline

• Chaumian mixnets
• Processing of (forward) messages
• Untraceable return address
• Why return addresses cant be reused
• Replies and traffic analysis
• Our new protocol
• Based on a re-encryption mixnet
• Allows for unlimited replies
• Filtering policies

5
Chaumian Mixnet
Alice
Mix 2
Mix 1
Bob
Mix 3
6
Untraceable Return Address
Alice

7
Return Address

• Single use return envelope
• Privacy compromised if a return address is
  reused
• Bob replies twice with same envelope
• Decryption of return address is deterministic
• The mixnet produces the same output in both cases
• To allow for N replies, Alice must give Bob N
  different envelopes

8
Return channels and Traffic Analysis

• Traffic analysis attack
• Bob sends K replies in one batch and observes who
  picks up K messages
• Bob sends one reply every hour and computes the
  intersection of the sets of recipients
• Solutions from asynchronous mixes
• Random delays
• Pool mixing
• Make multiple copies of some messages

9
Our Approach

• Reusable return addresses
• Alice distributes the same return address to all
  her correspondents (Bob, Charlie, Dave, )
• Property cannot test whether two return
  addresses lead to the same person or different
  people
• Note cannot reuse Chaumian return addresses
• Helps defeat traffic analysis attacks
• If Bob sends K replies Alice receives more than
  K
• Intersection attack complicated by the fact that
  multiple correspondents reply to Alice
• Works best when combined with other defenses

10
ElGamal Cryptosystem

• ElGamal is a randomized public-key cryptosystem
• Key generation (SK, PK)
• Encryption m, PK, r ? Er (m)
• Decryption Er (m) , SK ? m
• El Gamal allows for Re-encryption
• Re-encryption Er(m) , PK , s ? Ers(m)
• Requires only public key
• Given Er(m) an adversary cant distinguish
  Ers(m) from a random ciphertext.

11
Re-encryption Mixnet

• ElGamal encrypted inputs EMIX (M)
• Mixing each mix server
• Receives a set of inputs
• Re-encrypts these inputs
• Gives them in random order to the next server
• Outputs
• Mixnet decrypts and outputs plaintext M

12
Protocol (outline)

• Alice submits her input
• (Emix(AlicePKA) Emix(M) Emix(BobPKB))
• Inputs are mixed and re-encrypted
• Delivery of messages
• Mixnet decrypts the value BobPKB
• Converts Emix(M) into EPKB(M)
• Delivers to Bob EPKB(M), Emix(AlicePKA).

13
Protocol (contd)

• Submitting a reply
• Bob has received EPKB(M), Emix(AlicePKA)
• Bob submits to the mixnet the reply
• (Emix(BobPKB) Emix(R) Emix(AlicePKA))
• Note the return envelope Emix(AlicePKA) can be
  reused multiple times, for multiple correspondents

14
Properties

• Reusable multiple replies possible
• Composable allows for replies to replies, etc
• Transferable anyone can reply
• Compatible replies and messages are processed in
  almost the same way
• Efficient 4 times as expensive as normal
  re-encryption mixnet
• Filtering policies specifies which replies are
  allowed

15
Input Filtering

• Submission of messages
• (Emix(AlicePKA) E(M) Emix(BobPKB)
  E(FM))
• Mixing and delivery
• as before
• Reply
• (Emix(BobPKB) E(R) Emix(AlicePKA)
  E(FM))

16
Conclusion

• Reusable return channels based on re-encryption
  mixnets
• Helps defend against traffic analysis
• Thanks to Ari Juels and Paul Syverson!