Receiver Anonymity via Incomparable Public Keys - PowerPoint PPT Presentation

About This Presentation
Title:

Receiver Anonymity via Incomparable Public Keys

Description:

'Where are good Hang Gliding spots?' Send to: alt.anonymous. ... Hang Gliding Biology = Alice. Using an Independent Public Key per Sender. Bulletin Board ... – PowerPoint PPT presentation

Number of Views:59
Avg rating:3.0/5.0
Slides: 40
Provided by: brentw
Category:

less

Transcript and Presenter's Notes

Title: Receiver Anonymity via Incomparable Public Keys


1
Receiver Anonymity via Incomparable Public Keys
Brent R. Waters, Edward W. Felten, and Amit
Sahai Department of Computer Science Princeton
University
2
Receiver Anonymity
  • Alice can give Bob information that he can use to
    send messages to Alice, while keeping her true
    identity secret from Bob.

Bulletin Board alt.anonymous.messages
Anonymous ID Where are good Hang Gliding spots?

Send to alt.anonymous.messages
Bob
Alice
3
Receiver Anonymity
  • Anonymous Identity
  • Information allowing a sender to send messages to
    an anonymous receiver
  • May contain routing and encryption information
  • Requirements
  • Receiver is anonymous even to the sender
  • Anonymous Identity can be used several times
  • Communication is secret (encrypted)
  • Messages are received efficiently

4
A Common Method
Alice anonymously receives encrypted message from
both Bob and Charlie by reading a newsgroup.
Bulletin Board alt.anonymous.messages
Anonymous ID 1 Where are good Hang Gliding spots
? Send to alt.anonymous.messages Encrypt with
a45cd79e
Bob
Alice
Charlie
Anonymous ID 2 What Biology conferences are inte
resting? Send to alt.anonymous.messages Encryp
t with a45cd79e
5
The Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they
are encrypting with the same public key and thus
are sending messages to the same person.
Bulletin Board alt.anonymous.messages
Anonymous ID 1 Where are good Hang Gliding spots
? Send to alt.anonymous.messages Encrypt with
a45cd79e
Bob
Alice
Charlie
Anonymous ID 2 What Biology conferences are inte
resting? Send to alt.anonymous.messages Encryp
t with a45cd79e
6
The Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each
know about the Anonymous Receiver and are able to
compromise her anonymity.
Bulletin Board alt.anonymous.messages
Anonymous ID 1 Where are good Hang Gliding spots
? Send to alt.anonymous.messages Encrypt with
a45cd79e
Bob
Alice
Hang Gliding Biology Alice
Charlie
Anonymous ID 2 What Biology conferences are inte
resting? Send to alt.anonymous.messages Encryp
t with a45cd79e
7
Using an Independent Public Key per Sender
Alice creates a separate public/private key pair
for each sender. Upon receiving a message on the
newsgroup Alice tries all her private keys until
one matches or she has tried them all.
Bulletin Board alt.anonymous.messages
Bob
a45cd79e
Alice
Keys to Try 48b33c03 ae668f53
Charlie
207c5edb
8
Using an Independent Public Key per Sender
Alice creates a separate public/private key pair
for each sender. Upon receiving a message on the
newsgroup Alice tries all her private keys until
one matches or she has tried them all.
Bulletin Board alt.anonymous.messages
Bob
a45cd79e
Alice
207defb1
b593f399
Keys to Try 48b33c03 43bca289 ae668f53 40b2f68
c 2fce8473 075ca5ef b9034d40 86cf1943 56734ba
5
04d2a93c
Charlie
398bac49
207c5edb
70f4ba54
e3c8f522
46cce276
9
Incomparable Public Keys
  • Receiver generates a single secret key
  • Receiver generates several Incomparable Public
    Keys (one for each Anonymous Identity)
  • Receiver use the secret key to decrypt any
    message encrypted with any of the public keys
  • Holders of Incomparable Public Keys cannot tell
    if any two keys are related (correspond to the
    same private key)

10
Using an Incomparable Public Keys to Receive
Messages Efficiently
Alice creates a one secret key and distributes a
different Incomparable Public Key to each sender.
Bulletin Board alt.anonymous.messages
Bob
a45cd79e
Alice
207defb1
b593f399
Keys to Try 59b39c03
04d2a93c
Charlie
398bac49
207c5edb
70f4ba54
e3c8f522
46cce276
11
Key Generation
  • Based on ElGamal encryption
  • All users share a global (strong) prime p
  • Operations are performed in group of Quadratic
    Residues of Zp
  • Secret Key Generation
  • Choose an ElGamal secret key a
  • Generate a new Incomparable Public Key
  • Pick random generator, g, of the group
  • Public key is (g,ga)


12
Security Intuition
  • Cannot distinguish equivalent keys (g,ga), (h,ha)
    from non-equivalent ones (g,ga), (h,hb)
  • Assuming Decisional Diffie-Hellman is hard

13
Security Intuition
  • Cannot distinguish equivalent keys (g,ga), (h,ha)
    from non-equivalent ones (g,ga), (h,hb)
  • Assuming Decisional Diffie-Hellman is hard
  • However, this is not enough if the receiver might
    respond to a message

14
Security Intuition
  • Cannot distinguish equivalent keys (g,ga), (h,ha)
    from non-equivalent ones (g,ga), (h,hb)
  • Assuming Decisional Diffie-Hellman is hard
  • However, this is not enough if the receiver might
    respond to a message

Bob
(g,ga)
Charlie
(h,ha)
15
Security Intuition
  • Cannot distinguish equivalent keys (g,ga), (h,ha)
    from non-equivalent ones (g,ga), (h,hb)
  • Assuming Decisional Diffie-Hellman is hard
  • However, this is not enough if the receiver might
    respond to a message

Bob
Pair-wise multiply
(g,ga)
Charlie
(h,ha)
16
Security Intuition
  • Cannot distinguish equivalent keys (g,ga), (h,ha)
    from non-equivalent ones (g,ga), (h,hb)
  • Assuming Decisional Diffie-Hellman is hard
  • However, this is not enough if the receiver might
    respond to a message

Bob
Pair-wise multiply
Alice can decrypt messages encrypted with this
new key.
(g,ga)
(gh,(gh)a)
Charlie
(h,ha)
17
Solution
  • Record keys that were validly created
  • The ciphertext will contain a proof about which
    key was used for encryption
  • The private key holder can alternatively
    distribute each Incomparable Public Keys with its
    MAC

18
Encryption
  • C (gr,garK)
  • (g,ga) is an Incomparable Public Key

19
Encryption
  • C (gr,garK), H(r), EK(r,(g,ga), plaintext)
  • (g,ga) is an Incomparable Public Key
  • H is a secure hash function
  • K is a random symmetric key
  • r is a random exponent

20
Decryption
  • C (gr,garK), H(r), EK(r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K

21
Decryption
  • C (gr,garK), H(r), (r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K
  • Use K to decrypt the symmetrically encrypted
    ciphertext

22
Decryption
  • C (gr,garK), H(r), (r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K
  • Use K to decrypt the symmetrically encrypted
    ciphertext
  • Check that the public key inside the envelope has
    been distributed

23
Decryption
  • C (gr,garK), H(r), (r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K
  • Use K to decrypt the symmetrically encrypted
    ciphertext
  • Check that the public key inside the envelope has
    been distributed
  • Check that the claimed public key was used
  • Hash r and check it against claimed hash of r

24
Decryption
  • C (gr,garK), H(r), (r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K
  • Use K to decrypt the symmetrically encrypted
    ciphertext
  • Check that the public key inside the envelope has
    been distributed
  • Check that the claimed public key was used
  • Hash r and check it against claimed hash of r
  • Raise the public key to the r to check that it
    was used in the ElGamal encryption

25
Decryption
  • C (gr,garK), H(r), (r,(g,ga), plaintext)
  • Use secret key a to decrypt the ElGamal encrypted
    ciphertext and learn the symmetric key K
  • Use K to decrypt the symmetrically encrypted
    ciphertext
  • Check that the public key inside the envelope has
    been distributed
  • Check that the claimed public key was used
  • Hash r and check it against claimed hash of r
  • Raise the public key to the r to check that it
    was used in the ElGamal encryption
  • If all test pass accept the plaintext

26
Security
  • Provably secure in the Random Oracle Model
    assuming DDH is hard
  • We have another construction based only on
    general assumptions
  • We can apply similar techniques to a CCA secure
    cryptosystem such as Cramer-Shoup

27
Efficiency
  • Efficiency is comparable to standard ElGamal
  • One exponentiation for encryption
  • Two exponentiations for decryption and
    verification of a message

28
Comparison with Alternative Methods
  • Several Independent Public Keys
  • Running time increases linearly with number of
    potential senders
  • Several Independent Symmetric Keys
  • Encryption and decryption operations are
    faster
  • Running time increases linearly with number of
    potential senders
  • No secrecy of past messages if senders key is
    captured
  • Key must be distributed securely

29
Comparison with Alternative Methods (cont.)
Message Markers Sender puts a random tag on each
message that identifies him and which key to use
30
Comparison with Alternative Methods (cont.)
Message Markers Sender puts a random tag on each
message that identifies him and which key to use
Potentially quick way for the receiver to
identify her messages and discard messages
destined for others - Cannot reuse a mark - The
refore both sender and receiver must update
expected next mark leads to problems if
messages are lost
31
Applications
  • Use in anonymous communication between users
  • Users already employ newsgroups such as
    alt.anonymous.messages to send PGP encrypted
    messages to anonymous receivers
  • Protection of anonymity in case of device
    compromise
  • Receiver distributes a set of sensor nodes that
    he does not want to be traced back to him
  • Initially trusts the devices, but they could be
    captured or otherwise compromised

32
Embedding Incomparable Public Keys in Security
Protocols
  • Use with other schemes to enhance anonymity and
    efficiency
  • We adapted SKEME key exchange protocol to
    incorporate Incomparable Public Keys
  • Allows for establishment of efficient session key
    while maintaining anonymity guarantees
  • Peer-to Peer systems
  • P5 allows tradeoff anonymity and efficiency
  • By making all public keys Incomparable we can
    enhance anonymity while still giving user a
    tradeoff option

33
Implementation
  • Implemented Incomparable Public Keys by extending
    GnuPG (PGP) 1.2.0
  • Available at http//www.cs.princeton.edu/bwaters/
    research/

34
GnuPG (PGP) Background
  • Users post encrypted messages to newsgroups to
    attempt receiver anonymity
  • Software for automatically retrieving messages
    from newsgroups
  • Jack B. Nymble
  • Private Idaho

35
Implementation Benefit
  • Receivers can give have one private key to
    decrypt messages sent from any one of many
    Incomparable Public keys
  • Interface is similar to original GnuPG interface
  • Only a few changes needed to be made existing
    code (ElGamal encryption already exists in GnuPG)

36
Related Work
  • Bellare et al. (2001)
  • Introduce notion of Key-Privacy
  • If Key-Privacy is maintained an adversary cannot
    match ciphertexts with the public keys used to
    create them
  • The authors do not consider anonymity from
    senders
  • Pfitzmann and Waidner (1986)
  • Use of multicast address for receiver anonymity
  • Discuss implicit vs. explicit marks

37
Related Work (cont.)
  • Chaum (1981)
  • Mix-nets for sender anonymity
  • Reply addresses usable only once
  • Other work follows this line

38
Conclusion
  • The contents of public keys are important in
    protecting the receivers anonymity from the
    sender
  • Incomparable Public Keys provide a secure and
    efficient way of accomplishing receiver
    anonymity
  • Incomparable Public Keys are useful in practice
    with Key Exchange and P2P systems

39
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com