Privacy Technologies - PowerPoint PPT Presentation

Provided by: jodiep7
Slides: 38

Transcript and Presenter's Notes
1
Privacy Technologies
  • Information Assurance
  • Fall 2006

2
What is Privacy?
  • The right to be let alone
  • Confidentiality
  • Anonymity
  • Access Control
  • Most privacy technologies focus on Anonymity

3
What is anonymity?
  • Unobservability
  • Unlinkability
  • Sender anonymity
  • Receiver anonymity

4
Overview of Anonymity Concepts
  • Chaum's MIX
  • Dining Cryptographers
  • Onion Routing
  • Crowds

5
Applications beyond privacy
  • Digital Cash
  • Anonymous e-voting
  • Censorship-resistant publishing
  • Untraceable e-mail

6
Chaum's MIX
  • Presented first in 1981 by David Chaum
  • Uses public key cryptography for anonymous e-mail
  • Basic Idea
  • E-mails would be sent to a Mix, which would then
    forward them on to the recipients
  • Key building block for anonymity systems

7
Example
(Figure) A sends Km(B, KA(A,M)) to the mix; the mix outputs KA(A,M) to B.
8
Example
(Figure) Three senders through one mix: A sends Km(B, KA(A,M)), C sends
Km(E, KC(C,M)) and D sends Km(B, KD(D,M)); the mix outputs KA(A,M) to B,
KC(C,M) to E and KD(D,M) to B.
9
What does this buy us?
  • Unlinkability
  • The adversary knows all the senders and receivers
    but cannot link senders to receivers

10
MIX Cascade
  • What if some of the mixes are controlled by
    adversaries?
  • A cascade of mixes can be used to handle
    compromised mixes
  • How many adversaries can this withstand?
  • N-1

11
Dining Cryptographers
  • Also introduced by Chaum
  • Purpose is to release a public message in a
    perfectly untraceable manner

12
The Protocol
  • N cryptographers are having dinner
  • Waiter tells them that the dinner has been paid
    for but they want to know whether it was one of
    them that paid or the NSA agent in the corner

13
The Protocol
  • Each diner flips a coin and shows it to his left
    neighbor
  • Each diner announces whether he and his
    neighbor's coin flips are the same or different.
    The payer lies
  • Odd number of "same" -> NSA paid
  • Even number of "same" -> one of the diners paid

14
Example: NSA Pays
(Figure) Announcements around the table: Different, Same, Different, Same
15
Example: Diner pays
(Figure) Announcements around the table: Same, Same, Different (the payer), Same
16
Problems with DC
  • Very Impractical
  • Only one bit sent at a time
  • Each party has to have pairwise secure channels
  • Massive communication overhead

17
Communication overhead
  • For N diners
  • N messages sent to share coins
  • N broadcast messages to share
  • All this for 1 bit!
  • A message that is M bits long will take 2MN
    messages!
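The protocol of slide 13 and the message count of slide 17, as an added Python simulation that is not part of the slides. The code tests the parity of the "different" announcements; for an odd number of diners that is the same as the slide's rule on the count of "same" announcements (the two counts add up to N).

```python
import secrets


def dc_round(n, payer=None):
    """One round of the dining cryptographers protocol for n diners.
    Coin i is flipped by diner i and shown to the left neighbour, diner (i+1) % n,
    so diner i knows coins i and i-1. An announcement is 1 for "different" and
    0 for "same"; the payer (if any) lies by flipping the announced bit."""
    coins = [secrets.randbits(1) for _ in range(n)]
    announcements = []
    for i in range(n):
        bit = coins[i] ^ coins[(i - 1) % n]
        if i == payer:
            bit ^= 1
        announcements.append(bit)
    return announcements


def decode(announcements):
    """XOR of all announcements. Every coin appears in exactly two announcements
    and cancels, leaving 1 if some diner lied (a diner paid) and 0 otherwise
    (the NSA paid). Nobody can tell which diner lied."""
    return sum(announcements) % 2


def dc_send(n, payer, message_bits):
    """Send a multi-bit message anonymously: one round per bit, the sender
    lying on the 1 bits. Returns the bits everyone decodes and the number of
    messages exchanged: n coin shares plus n broadcasts per round, 2*M*n in
    total for an M-bit message (the slide's communication overhead)."""
    received, sent = [], 0
    for b in message_bits:
        received.append(decode(dc_round(n, payer if b else None)))
        sent += 2 * n
    return received, sent
```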

18
How much anonymity is afforded to the sender in DC?
  • We know the sender is one of n diners
  • This is called K-anonymity
  • We know you are one of k persons, but that's the
    best we can do

19
Anonymity via Random Routing
  • Hide message source through random routing
  • Routers don't know for sure who the source of the
    message is

20
Many methods
  • Onion routing
  • Crowds
  • Tor

21
Onion Routing
  • Sender chooses a random sequence of routers
  • Some are honest, some aren't
  • Similar to mix cascade
  • Goal: hostile routers shouldn't learn Alice is
    talking to Bob

22
The Onion
  • Similar to a message sent in a mix
  • Layers of encryption are used.
  • Alice wants to send Bob a message through R1, R2,
    R3, and R4

(Figure) The onion, outermost layer first. Each layer names the next hop and
carries a session key encrypted under that router's public key; the rest of
the onion is encrypted under the session key, down to the message M encrypted
for Bob:
  {R2, K1}pk(R1), K1{ {R3, K2}pk(R2), K2{ {R4, K3}pk(R3), K3{ {B, K4}pk(R4), K4{ {M}pk(B) } } } }
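The layering of slides 7 and 22 (a single mix is the one-router case), as an added Python example that is not part of the slides. To stay dependency-free it replaces the public-key and session-key layers with one pre-shared key per hop and a constructed SHA-256 keystream; the point shown is what each router can and cannot learn, not a deployable cipher.

```python
import hashlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (constructed for this example, stand-in for the slide's
    pk/session-key layers): XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap(route, keys, recipient, message):
    """Build the onion: innermost layer is M for the recipient, and every outer
    layer is "<next hop>|<inner onion>" encrypted for one router on the route."""
    onion = keystream_xor(keys[recipient], message)
    next_hop = recipient
    for router in reversed(route):
        onion = keystream_xor(keys[router], next_hop.encode() + b"|" + onion)
        next_hop = router
    return next_hop, onion


def peel(router, keys, onion):
    """A router strips its own layer and learns only the next hop."""
    plain = keystream_xor(keys[router], onion)
    next_hop, _, rest = plain.partition(b"|")
    return next_hop.decode(), rest


def deliver(sender, route, keys, recipient, message):
    """Push the onion along the route; record (router, previous hop, next hop),
    which is everything a single router on the path observes."""
    hop, onion = wrap(route, keys, recipient, message)
    observed, prev = [], sender
    while hop != recipient:
        nxt, onion = peel(hop, keys, onion)
        observed.append((hop, prev, nxt))
        prev, hop = hop, nxt
    return keystream_xor(keys[recipient], onion), observed
```

Only the first router sees the sender and only the last sees the recipient; a hostile router in the middle learns neither.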
23
Crowds
  • Routers form a random path
  • Different from onion routing because the routers
    choose the path, not the sender
  • After receiving a message router flips a biased
    coin
  • With probability p, the router forwards the
    message to another router
  • With probability 1-p, the router forwards the
    message to the recipient

24
Example
(Figure) A crowd of routers R; Alice's message passes through R1, R2, R3 and
R4 before reaching Bob.
25
Probabilistic Notions of Anonymity
  • Beyond suspicion
  • The observed source of the message is no more
    likely to be the true sender than anybody else
  • Probable innocence
  • Probability that the observed source of the
    message is the true sender is less than 50%
  • Guaranteed by Crowds if there are sufficiently
    many honest routers:
    Ngood + Nbad >= pf/(pf - 0.5) * (Nbad + 1)
  • Possible innocence
  • Non-trivial probability that the observed source
    of the message is not the true sender
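The forwarding rule of slide 23 and the probable-innocence condition of slide 25, as an added Python simulation that is not part of the slides. The closed-form value it compares against is from Reiter and Rubin's Crowds analysis, not from the slides; the crowd layout (member 0 is the honest sender, the last Nbad members collaborate) is constructed for the example.

```python
import random


def probable_innocence_threshold(pf, n_bad):
    """Smallest crowd size Ngood + Nbad that satisfies the slide's condition
    Ngood + Nbad >= pf/(pf - 0.5) * (Nbad + 1)."""
    return pf / (pf - 0.5) * (n_bad + 1)


def simulate_crowds(n, n_bad, pf, trials, seed=1):
    """Fraction of paths observed by a collaborating router whose predecessor
    really was the sender. Members 0..n-1, the last n_bad collaborate, member 0
    sends. The sender forwards to a random member unconditionally; each honest
    router forwards to a random member with probability pf and delivers to the
    recipient (unobserved) with probability 1 - pf."""
    rng = random.Random(seed)
    observed = correct = 0
    for _ in range(trials):
        prev, cur = 0, rng.randrange(n)
        while cur < n - n_bad:              # current holder is honest
            if rng.random() >= pf:          # delivered: no collaborator saw it
                break
            prev, cur = cur, rng.randrange(n)
        else:                               # a collaborator received it
            observed += 1
            correct += prev == 0
    return correct / observed if observed else 0.0


def predicted(n, n_bad, pf):
    """Closed form for the same probability: 1 - pf * (n - n_bad - 1) / n.
    Probable innocence means this is below 0.5."""
    return 1 - pf * (n - n_bad - 1) / n
```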

26
A Couple of issues
  • Is probable innocence enough?
  • 1 1 1 49 1 1 1
  • Multiple-paths vulnerability
  • Can attacker relate multiple paths from same
    sender?
  • E.g., browsing the same website at the same time
    of day
  • Each new path gives attacker a new observation
  • Can't keep paths static since members join and
    leave

27
Digital Cash
  • Cash is a universally anonymous payment system
  • How can we have anonymous payments online?
  • Idea
  • Alice can pay for something with a digital cash
    token
  • If she uses the same token her identity should be
    revealed

28
Blind signatures
  • Blind signatures are used when you want someone
    to sign something but you don't want them to see
    what they are signing
  • E.g., a notary
  • This is done by multiplying the message by a
    secret number (called blinding).
  • The signer signs the blinded message
  • The secret number can be divided out to get a
    signed version of the message

29
RSA Blind Signatures
  • Alice wants Bob to sign message M.
  • She gives him M * r^eb mod n (r is her secret
    blinding factor, eb is Bob's public exponent)
  • Bob signs this, giving Alice s' = (M * r^eb)^db mod n
  • Alice can then remove the blind by calculating
    s = s' * r^-1 mod n
  • s = s' * r^-1 = (M * r^eb)^db * r^-1
      = M^db * r^(eb*db) * r^-1 = M^db

30
Example
  • Alice's message: 28
  • Bob's public key: 17
  • Bob's private key: 53 (n = 77)
  • Alice asks Bob to sign 70 (= 28 * 6^17 mod 77)
  • Bob signs 70 and sends Alice 42
  • Alice multiplies 42 by 13 (mod 77) to get 7
  • 28^53 mod 77 = 7
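The RSA blind signature of slides 29 and 30, as an added Python example that is not part of the slides, run with the slide's toy parameters (n = 77, e = 17, d = 53, message 28, blinding factor 6). Real deployments hash and pad the message before blinding; the textbook form below is for following the arithmetic.

```python
def blind(m, r, e, n):
    """Alice hides M behind her secret factor r: M * r^e mod n."""
    return m * pow(r, e, n) % n


def sign(blinded, d, n):
    """Bob signs whatever he is handed without seeing M: s' = blinded^d mod n."""
    return pow(blinded, d, n)


def unblind(s_prime, r, n):
    """Alice removes the blind: s = s' * r^-1 mod n, which equals M^d mod n
    because (M * r^e)^d * r^-1 = M^d * r^(e*d) * r^-1 = M^d."""
    return s_prime * pow(r, -1, n) % n


def verify(m, s, e, n):
    """Anyone checks the signature with Bob's public key: s^e mod n == M."""
    return pow(s, e, n) == m


def run_slide_example():
    """Walk through the slide's numbers and return each intermediate value."""
    N, E, D = 77, 17, 53          # toy modulus and key pair from the slide
    M, R = 28, 6                  # Alice's message and secret blinding factor
    blinded = blind(M, R, E, N)   # what Bob sees: 70
    s_prime = sign(blinded, D, N)  # Bob's signature on 70: 42
    s = unblind(s_prime, R, N)    # 42 * 13 mod 77: 7
    return {
        "blinded": blinded,
        "blind_signature": s_prime,
        "signature": s,
        "direct_signature": pow(M, D, N),   # what Bob would get signing 28 himself
        "valid": verify(M, s, E, N),
        "r_inverse": pow(R, -1, N),
    }
```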

31
Getting Cash
  • Alice creates a bunch (let's say N) of money
    orders for the same amount (say 100)
  • Each is given a unique identifier
  • Each also includes n pairs of identity bit
    strings

(Figure) Money order: amount 100, ID 1234567, identity bit strings
I1 = (I1L, I1R), I2 = (I2L, I2R), ..., In = (InL, InR)
32
How the identity bit strings were created
  • Secret splitting!
  • How it works
  • Alice created an identity I
  • She then picked n random numbers r1 ... rn
  • Then she calculates sj = I ⊕ rj
  • Ij = (sj, rj)
  • Note that for all j, I = sj ⊕ rj

33
Getting Cash
  • Alice blinds these messages and sends them to the
    bank to sign
  • The bank asks Alice to unblind N-1 messages
    (bank's choice)
  • Alice complies, and when the bank sees they are
    all well formed it signs the remaining money
    order
  • Alice unblinds this remaining (signed) money
    order and spends it

34
Spending Cash
  • Alice presents a token to a merchant
  • The merchant asks Alice to randomly reveal either
    the right or left half of each identity bit
    string
  • Essentially they send her a random bit string of
    length n, called a selector string.
  • If bit j is 0, Alice reveals IjL and if bit j is
    1 Alice reveals IjR

35
Merchant cashes the token
  • The merchant takes the token to the bank
  • Note that the token has half of the identity bit
    strings revealed
  • The bank verifies the signature and adds the
    token to a database of spent tokens

36
Catching Cheaters
  • When the bank checks the signature on a token it
    also checks to see if the token has previously
    been spent
  • If it has, Alice's identity is likely to be
    revealed
  • Why? Because it's unlikely that both merchants
    sent her the same selector string
  • This means that there is at least one identity
    pair for which the bank has both halves
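The identity bit strings of slide 32, the selector string of slide 34 and the double-spend check of slide 36, as an added Python example that is not part of the slides. It leaves out the bank's signature check (covered by the blind-signature slides) and the merchant's random choice of selector, which the test supplies; the 64-bit identity and random halves are constructed values.

```python
import secrets


def make_token(identity: int, n_pairs: int, bits: int = 64):
    """Alice's money order: a random ID plus n pairs Ij = (sj, rj) with
    sj = I XOR rj. One half alone is a random string and says nothing about I;
    both halves XORed together give I back (secret splitting)."""
    pairs = []
    for _ in range(n_pairs):
        r = secrets.randbits(bits)
        pairs.append((identity ^ r, r))
    return {"id": secrets.randbits(bits), "pairs": pairs}


def spend(token, selector: str):
    """The merchant's selector string: bit j = '0' makes Alice reveal the left
    half IjL, '1' the right half IjR. Returns what the merchant deposits."""
    revealed = [(j, int(b), token["pairs"][j][int(b)])
                for j, b in enumerate(selector)]
    return {"id": token["id"], "revealed": revealed}


class Bank:
    def __init__(self):
        self.spent = {}   # token ID -> halves revealed at the first deposit

    def deposit(self, dep):
        """First deposit of an ID is accepted and recorded. On a second deposit
        the token was double-spent: find a pair where the two selectors differed
        and XOR the two halves to recover Alice's identity. Two merchants only
        pick identical n-bit selectors with probability 2^-n, in which case the
        double spend is still detected but no identity is recovered."""
        tid = dep["id"]
        if tid not in self.spent:
            self.spent[tid] = dep["revealed"]
            return ("ok", None)
        first = {j: (side, half) for j, side, half in self.spent[tid]}
        for j, side, half in dep["revealed"]:
            if first[j][0] != side:
                return ("double-spend", first[j][1] ^ half)
        return ("double-spend", None)
```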

37
Conclusion
  • Anonymity is one of the technological foundations
    for privacy
  • Mix nets are used to hide linkability between
    senders and receivers
  • Onion routing and crowds are essentially
    implementations of Mix cascades
  • DC nets allow for anonymous publishing
  • Digital Cash allows for anonymous transactions