Key Privacy and Anonymous Protocols

Post on 22-Feb-2016


Paolo D’Arco and Alfredo De Santis

July 10, 2013

Privacy, in all its forms, is a central issue in information technology.

Current methods of communication and information processing give rise to many challenges.

On wired and wireless networks: monitoring actions, transactions or activities, tracing movements, profiling users' behaviours …


(CNN) -- President Barack Obama responded to outrage by European leaders over revelations of alleged U.S. spying on them by saying Monday that all nations, including those expressing the strongest protests, collect intelligence on each other. (June 2013)

“U.S. authorities have access to phone calls, e-mails and other communications far beyond constitutional bounds.”

(Edward Snowden, ex-NSA contractor, June 2013)

“There is now a menace which is called Twitter,” Erdogan said. “The best examples of lies can be found there. To me, social media is the worst menace to society.”

(Turkish Prime Minister, May 2013)

Privacy and Anonymity

In some “applications” methods to guarantee user privacy and anonymous computation/communication play a “crucial” role …

“Political Springs” and social networks

“Are you in Egypt? Send us your experiences, but please stay safe.

Cairo (CNN) – Just ...”

Privacy and Anonymity

Need tools enabling private and anonymous computation and communication

Focus of this paper

• Key-private public key encryption schemes: “Which public key has been used to produce encryption c?”

• Secret set schemes: “Who are the members of the set? How many?”

• Anonymous broadcast encryption schemes: “Who are the recipients of the sent message?”

Contribution of this paper

1. key privacy and robustness imply security

2. formal model for secret set

3. secret set and anonymous broadcast are equivalent w.r.t. non-adaptive adversaries

4. security reductions for general and concrete secret set constructions

Public Key Encryption

Π = (Gen, Enc, Dec), message space M, ciphertext space C

(pk, sk) ← Gen(1^k)

c ← Enc_pk(m)

m = Dec_sk(c)

Correctness: Pr[(pk, sk) ← Gen(1^k); m ← M; c ← Enc_pk(m) : m = Dec_sk(c)] = 1


Semantic security: a ciphertext does not leak any partial information about the plaintext to a ppt adversary.

Indistinguishability: given m0 and m1 and an encryption c of one of them, a ppt adversary is unable to tell to which message the ciphertext c corresponds.

The two notions are equivalent [GM 1984]. The second can be thought of as a “characterization” of the first.

Indistinguishability Experiment (challenger C, adversary A)

C runs (pk, sk) ← Gen(1^k) and sends pk to A.

Phase 1: A receives pk, has oracle access to Dec_sk(·) poly(k) times, and outputs m0, m1.

C chooses b ← {0,1}, computes c* ← Enc_pk(m_b) and sends c* to A.

Phase 2: A (possibly again with oracle access to Dec_sk(·), on ciphertexts c ≠ c*) outputs b’. A wins if b’ = b.

Indistinguishability Experiments

• Dec_sk(c): no oracle access (ind-cpa)

• Dec_sk(c): oracle access only in Phase 1 (ind-cca1)

• Dec_sk(c): oracle access in Phase 1 and Phase 2 (ind-cca2)

By giving different power to the adversary, we get different security notions.

Key Privacy [Bellare et al. 2001]

Given pk0 and pk1 and an encryption c of a message m, obtained by using one of the two public keys, chosen uniformly at random, a ppt adversary is unable to tell with which one the ciphertext c has been computed.

IK-CCA Experiment (challenger C, adversary A)

C runs (pk0, sk0) ← Gen(1^k), (pk1, sk1) ← Gen(1^k) and sends pk0, pk1 to A.

Phase 1: A receives pk0, pk1, has oracle access to Dec_{sk0}(·) and Dec_{sk1}(·) poly(k) times, and outputs m*.

C chooses b ← {0,1}, computes c* ← Enc_{pk_b}(m*) and sends c* to A.

Phase 2: A (possibly again with oracle access to both decryption oracles, on ciphertexts c ≠ c*) outputs b’. A wins if b’ = b.

Concrete encryption schemes

Key privacy was introduced as an additional property for a secure encryption scheme.

It was shown that:

• the El Gamal encryption scheme is ik-cpa private

• Cramer-Shoup is ik-cca private

Some other schemes (e.g., RSA-based versions) are not.
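The following Python is an added example, not the slides' own code and not a construction from Bellare et al.: a driver for the IK-CPA experiment (the IK-CCA game above without the decryption oracles) run against textbook RSA with two keys whose moduli have different sizes. The two key pairs are built from tiny constructed primes, the "range adversary", the function names and the seed parameter are this example's own assumptions. It makes the remark about RSA-based schemes concrete: an RSA ciphertext always lies in [0, N), so a challenge ciphertext c ≥ N0 can only have been produced under pk1, and the adversary wins with certainty on such trials.

```python
"""Added example (not the slides' own code): a driver for the IK-CPA experiment,
i.e. the IK-CCA game without the decryption oracles, run against textbook RSA
with two keys of different modulus size.

Constructed for illustration: the primes are tiny and hard-coded, there is no
padding, and the adversary, the function names and the seed parameter are this
example's own."""
import random
import secrets


def rsa_keygen(p, q, e=17):
    """Textbook RSA key pair from constructed primes p and q: pk = (N, e), sk = (N, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_enc(pk, m):
    """Enc_pk(m) = m^e mod N. Note that the ciphertext always lies in [0, N)."""
    n, e = pk
    return pow(m, e, n)


# Two constructed key pairs; N0 = 3233 and N1 = 1022117 have different sizes.
PK0, SK0 = rsa_keygen(61, 53)
PK1, SK1 = rsa_keygen(1009, 1013)


def range_adversary(pk0, pk1, c, rng=None):
    """Guess b from the challenge ciphertext alone. A value c >= N_b cannot have
    been produced under pk_b, so the guess is certain in that case; otherwise
    the adversary flips a coin. Returns (guess, certain)."""
    n0, n1 = pk0[0], pk1[0]
    if c >= n0:
        return 1, True
    if c >= n1:
        return 0, True
    rng = rng or secrets.SystemRandom()
    return rng.randrange(2), False


def ik_cpa_experiment(pk0, pk1, adversary, trials, seed=None):
    """IK-CPA experiment: A picks m*, C picks b and returns c* = Enc_{pk_b}(m*),
    A outputs b'. Returns (wins, certain_guesses, trials); a key-private scheme
    would give wins close to trials / 2 and no certain guesses at all."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    wins = certain = 0
    m_max = min(pk0[0], pk1[0])           # m* must be a valid plaintext for both keys
    for _ in range(trials):
        m = rng.randrange(2, m_max)       # A's chosen message m*
        b = rng.randrange(2)              # C's hidden bit
        c = rsa_enc((pk0, pk1)[b], m)
        guess, sure = adversary(pk0, pk1, c, rng)
        wins += int(guess == b)
        certain += int(sure)
    return wins, certain, trials


if __name__ == "__main__":
    print(ik_cpa_experiment(PK0, PK1, range_adversary, 1000))
```

Every "certain" guess is correct, so `wins` is never below `certain`; with the two constructed moduli roughly every second trial (those encrypted under pk1) lands above N0 and is decided outright, which is why the win rate sits far above 1/2. The lesson for a system designer is the one the slides draw: anonymity of the recipient is a separate property from confidentiality, and a scheme that was never proven key-private should not be assumed to provide it.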

Robustness [Abdalla et al. 2010]

Given a key pair (pk0, sk0) and an encryption c of a message m obtained by using pk0, only sk0 enables decrypting c. There is no other key pair (pk1, sk1) such that Dec_{sk1}(c) ≠ fail.

WROB Experiment (challenger C, adversary A)

C runs (pk0, sk0) ← Gen(1^k), (pk1, sk1) ← Gen(1^k) and sends pk0, pk1 to A.

A receives pk0, pk1, has oracle access to Dec_{sk0}(·) and Dec_{sk1}(·) poly(k) times, and outputs m*; C computes c* ← Enc_{pk0}(m*).

If Dec_{sk0}(c*) ≠ fail and Dec_{sk1}(c*) ≠ fail then C outputs 1, else 0.

A wins if C outputs 1.

Key Privacy, Robustness and Security

Question: is there any relation among them?

Non malleability [Dolev et al. 1991]

Roughly speaking, an encryption scheme is non malleable if, given a ciphertext c = Enc_pk(m), it is not feasible to produce a new ciphertext c’ which is an encryption of a message m’ somehow related to m.

Non malleability under cca attack is equivalent to IND-CCA.

1. Key Privacy and robustness imply security

Thm. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is non malleable.

Since non malleability is equivalent to ind-cca security, we get:

Cor. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is ind-cca secure.


Proof Idea

By contradiction: if there exists an efficient adversary which wins the NM experiment, then there exists an efficient adversary which wins the ik-cca experiment.

The adversary for ik-cca plays in the ik-cca experiment run by a challenger C and, at the same time, simulates the environment of the NM experiment, i.e., it acts as the challenger of the NM experiment towards the adversary for NM.

Secret Set and Anonymous Broadcast

Secret Set [Molva and Tsudik 1998]

A representation of a set S of users of a given universe U, satisfying:

• any user of U can check if he is a member of S

• no one can check if another user is a member

• no one can determine the size of the set S

(Figure: universe of users U, with the set S inside it)

Secret societies, real and fictitious: the Priory of Sion, secret societies at Yale University

A secret society is a club or organization whose activities and inner functionings are concealed from the non-members …

2. Secret Set Scheme: formal model

Σ = (Kgen, Srep, Mver) for universe of users U = {u1, …, un}

(pub1, sec1) … (pubn, secn) ← Kgen(1^k)

SR ← Srep(S, pub)

{0, 1, fail} ← Mver(SR, sec_i)

Correctness: for each set S and user ui in U, for each k,

Pr[(pub1, sec1) … (pubn, secn) ← Kgen(1^k); SR ← Srep(S, pub) : Mver(SR, sec_i) = m_i] = 1

where m_i is the membership status of ui: m_i = 1 if ui ∈ S and m_i = 0 otherwise.

Membership Private

No coalition of users R is able to check the membership status m_i of a user ui outside the coalition R.

MSHIP Experiment (challenger C, adversary A)

C runs (pub1, sec1) … (pubn, secn) ← Kgen(1^k) and sends pub1, …, pubn to A.

Phase 1: A asks key queries (i, answered with sec_i) and membership queries ((SR, i), answered with m_i = Mver(SR, sec_i)), then outputs two users ui, uj.

C chooses b ← {0,1}, sets S0 = S ∪ {ui} and S1 = S ∪ {uj} for a set S containing neither, computes SR* ← Srep(S_b, pub) and sends SR* to A.

Phase 2: A asks further key and membership queries and outputs b’. A wins if b’ = b. (The obvious restriction applies: A never obtains sec_i, sec_j or the membership status of ui, uj in SR*, otherwise the game is trivial.)

Size Hiding

No coalition of users R is able to determine the size of the secret set.

SHIDE Experiment (challenger C, adversary A)

C runs (pub1, sec1) … (pubn, secn) ← Kgen(1^k) and sends pub1, …, pubn to A.

Phase 1: A asks key queries and membership queries as above, then outputs two sets S0, S1.

C chooses b ← {0,1}, computes SR* ← Srep(S_b, pub) and sends SR* to A.

Phase 2: A asks further key and membership queries (again excluding those that would trivially reveal b) and outputs b’. A wins if b’ = b.

Adversary Power

• no query access

• query access only in Phase 1

• query access in Phase 1 and Phase 2

Anonymous Broadcast Encryption

The Broadcast Encryption Problem [Berkowitz 1991, Fiat and Naor 1994]

• A center C broadcasts a msg to a set N of receivers

• A subset P of privileged users should be able to decrypt

• P changes from time to time

Identities of privileged users are in the header of the msg.

Anonymous Broadcast Encryption [Barth et al. 2006, Libert et al. 2012]

Σ = (Keygen, Encrypt, Decrypt) for universe of users U = {u1, …, un}

(pub1, sec1) … (pubn, secn) ← Keygen(1^k)

c ← Encrypt(P, pub, m)

{m, fail} ← Decrypt(sec_i, c)

Correctness: for each set P and user ui in P, for each k,

Pr[(pub1, sec1) … (pubn, secn) ← Keygen(1^k); c ← Encrypt(P, pub, m) : Decrypt(sec_i, c) = m] = 1

Anonymous and semantically secure

No adversary mounting a cca attack is able to decrypt the message or to find out the identity of any recipient.

A-IND-CCA Experiment (challenger C, adversary A)

C runs (pub1, sec1) … (pubn, secn) ← Keygen(1^k) and sends pub1, …, pubn to A.

Phase 1: A asks key queries (i, answered with sec_i) and decryption queries ((c, i), answered with Decrypt(sec_i, c)), then outputs two sets S0, S1 and two messages m0, m1.

C chooses b ← {0,1}, computes c* ← Encrypt(S_b, pub, m_b) and sends c* to A.

Phase 2: A asks further key and decryption queries (with the obvious restrictions: no decryption query on c*, and no key that would trivially reveal b) and outputs b’. A wins if b’ = b.

3. Equivalence between primitives

Thm 1. Anonymous broadcast encryption implies secret set

Thm 2. Secret set implies anonymous broadcast encryption w.r.t. non-adaptive adversaries

Security reductions for general and concrete constructions [Revisitation of Molva and Tsudik’s constructions]

Signature Scheme

Σ = (sGen, Sign, Ver), message space M

(vk, sk) ← sGen(1^k)

σ ← Sign_sk(m)

{0,1} ← Ver_vk(m, σ)

Correctness: for each k,

Pr[(vk, sk) ← sGen(1^k); m ← M; σ ← Sign_sk(m) : Ver_vk(m, σ) = 1] = 1

Unforgeability under cma (challenger C, adversary A)

C runs (vk, sk) ← sGen(1^k) and sends vk to A.

A receives vk, has oracle access to Sign_sk(·) poly(k) times (each query m is answered with σ = Sign_sk(m)), and outputs (m*, σ*) different from all pairs (m, σ) obtained from the oracle.

If Ver_vk(m*, σ*) = 1 then C outputs 1, else 0. A wins if C outputs 1.

PK-based Construction

Π = (eGen, Enc, Dec) public key scheme, Σ = (sGen, Sign, Ver) signature scheme

Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) ← eGen(1^k); pub_j = pk_j, sec_j = sk_j

Srep(S, pub_U):
  (vk, sk) ← sGen(1^k)
  for j = 1, …, n: c_j = Enc_{pk_j}(in|vk) if u_j ∈ S, c_j = Enc_{pk_j}(out|vk) if u_j ∉ S
  σ = Sign_sk(c_1| … |c_n)
  SR = (c_1 … c_n, σ)

Mver(SR, sec_i):
  m = Dec_{sk_i}(c_i)
  if m = in|vk and Ver_vk(c_1| … |c_n, σ) = 1 then output 1
  if m = out|vk and Ver_vk(c_1| … |c_n, σ) = 1 then output 0
  else output fail

4. Security Reduction (1/4)

Thm. Assuming

• Π = (eGen, Enc, Dec) is a cca-secure public-key encryption scheme and

• Σ = (sGen, Sign, Ver) is a signature scheme existentially unforgeable under chosen message attack,

the PK-based Construction is a membership-private and size-hiding secret set scheme.

Representation-length efficiency

Π = (eGen, Enc, Dec) public key scheme

Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) ← eGen(1^k); pub_j = pk_j, sec_j = sk_j

Srep(S, pub_S):
  for j s.t. u_j ∈ S: c_j = Enc_{pk_j}(in|u_j)
  SR = (c_1 … c_|S|)

Mver(SR, sec_i):
  for j = 1, …, |S|: m = Dec_{sk_i}(c_j); if m = in|u_i then output 1
  output 0 (once every ciphertext in SR has been tried)

Thm. Assuming Π = (eGen, Enc, Dec) is a public-key encryption scheme that is

• weakly robust

• ik-cca private

the Representation-length-efficient PK-based Construction is a weak membership-private secret set scheme (weak: w.r.t. a non-adaptive adversary).
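The following Python is an added example (not the slides' code and not Molva and Tsudik's) that serves two passages: the WROB experiment above, and the representation-length-efficient construction just described, whose Mver relies on decryption under the wrong key failing. It uses hashed ElGamal in a tiny constructed safe-prime group (p = 2039, q = 1019, g = 4, far too small for real use) with SHA-256 as key-derivation function. The key-bound tag that turns the non-robust scheme into one whose Dec returns fail under the wrong key is this example's own redundancy check, not the transform of Abdalla et al.; the byte encoding in|u_j, the function names and the seed parameter are likewise assumptions of the example.

```python
"""Added example (not the slides' own code): hashed ElGamal in a toy group, the
WROB experiment from the slides run against it, and the
representation-length-efficient PK-based secret set construction on top of it.

Constructed for illustration: (P, Q, G) is a tiny safe-prime group, SHA-256 is
the key-derivation function, and the key-bound tag that makes decryption fail
under a wrong key is this example's own redundancy check (not the transform of
Abdalla et al.). Messages are at most 32 bytes."""
import hashlib
import random
import secrets

P, Q, G = 2039, 1019, 4          # p = 2q + 1, g = 4 generates the order-q subgroup
NBYTES = (P.bit_length() + 7) // 8


def _rng(seed):
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def egen(rng):
    """eGen(1^k): sec = x in Z_q^*, pub = g^x."""
    x = rng.randrange(1, Q)
    return pow(G, x, P), x


def _kdf(label, shared, extra=b""):
    return hashlib.sha256(label + shared.to_bytes(NBYTES, "big") + extra).digest()


def enc(pk, m, rng, robust=True):
    """Enc_pk(m) = (g^r, m xor KDF(pk^r), tag); robust=False drops the tag."""
    r = rng.randrange(1, Q)
    shared = pow(pk, r, P)
    ct = bytes(a ^ b for a, b in zip(m, _kdf(b"pad", shared)))
    return pow(G, r, P), ct, (_kdf(b"tag", shared, ct) if robust else None)


def dec(sk, c):
    """Dec_sk(c): the plaintext, or None (= fail) when the tag does not verify.
    Without a tag this never fails: plain (hashed) ElGamal is not robust."""
    c1, ct, tag = c
    shared = pow(c1, sk, P)
    if tag is not None and tag != _kdf(b"tag", shared, ct):
        return None
    return bytes(a ^ b for a, b in zip(ct, _kdf(b"pad", shared)))


def wrob_violated(m, seed=None, robust=True):
    """One run of the WROB experiment: c* = Enc_pk0(m), then Dec under sk0 and sk1.
    True means both decryptions succeeded, i.e. A wins and robustness is violated."""
    rng = _rng(seed)
    pk0, sk0 = egen(rng)
    pk1, sk1 = egen(rng)
    while sk1 == sk0:                # two distinct key pairs, as the experiment intends
        pk1, sk1 = egen(rng)
    c = enc(pk0, m, rng, robust)
    return dec(sk0, c) is not None and dec(sk1, c) is not None


def srep(S, pubs, rng):
    """Srep(S, pub_S): c_j = Enc_{pk_j}(in|u_j) for each member; SR = (c_1 ... c_|S|).
    len(SR) equals |S|, which is why this construction is not size hiding."""
    return [enc(pubs[j], b"in|u%d" % j, rng) for j in sorted(S)]


def mver(SR, i, sk_i):
    """Mver(SR, sec_i): decrypt every c_j with sk_i; 1 iff some plaintext is in|u_i.
    Weak robustness is what guarantees that a wrong-key decryption fails here."""
    for c in SR:
        if dec(sk_i, c) == b"in|u%d" % i:
            return 1
    return 0


def membership_vector(n, S, seed=None):
    """Kgen for n users, Srep for S, then Mver by every user; returns the n outputs."""
    rng = _rng(seed)
    keys = [egen(rng) for _ in range(n)]
    SR = srep(S, [pk for pk, _ in keys], rng)
    return [mver(SR, i, keys[i][1]) for i in range(n)]


if __name__ == "__main__":
    print("plain ElGamal, robustness violated:", wrob_violated(b"hello", robust=False))
    print("tagged variant, robustness violated:", wrob_violated(b"hello", robust=True))
    print("membership vector for S = {1, 3}:", membership_vector(5, {1, 3}))
```

With `robust=False` the WROB adversary wins on every run, because ElGamal decryption never fails; with the tag, a wrong key yields a different shared secret, the tag check fails and `dec` returns the `fail` symbol. Mver's loop is exactly the place where that matters: without robustness a non-member could observe a wrong-key decryption that happens to decode as in|u_i, or simply never learn whether an entry was meant for him.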

4. Security Reduction (2/4)

DH-based Bit-Vector Construction

G cyclic group of order q, g generator

Kgen(1^k): for j = 1, …, n, a_j ← Z_q^*, compute g^{a_j}; pub_j = g^{a_j}, sec_j = a_j

Srep(S, pub_U):
  choose b ← Z_q and compute g^b
  for j = 1, …, n: K_j = (g^{a_j})^b; if u_j ∈ S set c_j = MSB(K_j), else set c_j = MSB(K_j) + 1 mod 2
  SR = (g^b, c_1 … c_n)

Mver(SR, sec_i):
  compute K_i = (g^b)^{a_i} and d_i = MSB(K_i)
  if d_i = c_i then output 1, else output 0

Thm. Assuming

• the CDH problem is hard in G

• MSB is a hard-core predicate

the DH-based Bit-Vector Construction is a weak membership-private and size-hiding secret set scheme.

4. Security Reduction (3/4)

Hash-based Construction

G cyclic group of order q, g generator, H hash function

Kgen(1^k): for j = 1, …, n, a_j ← Z_q^*, compute g^{a_j}; pub_j = g^{a_j}, sec_j = a_j

Srep(S, pub_S):
  choose b ← Z_q and compute g^b
  for j = 1, …, |S|: K_j = (g^{a_j})^b and c_j = H(K_j)
  SR = (g^b, c_1 … c_|S|)

Mver(SR, sec_i):
  compute K_i = (g^b)^{a_i} and h = H(K_i)
  if h ∈ {c_1 … c_|S|} then output 1, else output 0

Thm. Assuming

• the CDH problem is hard in G

• H is a random oracle

the Hash-based Construction is a weak membership-private secret set scheme.
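The following Python is an added example (not the slides' code and not Molva and Tsudik's) serving both the DH-based bit-vector construction and the hash-based construction, which share Kgen: each is implemented in the same tiny constructed safe-prime group (p = 2039, q = 1019, g = 4, not a secure parameter choice), with SHA-256 standing in for the random oracle H and MSB taken as the top bit of a group element written with bit_length(p) bits. Function names, the seed parameter and the choice of pairwise distinct secret exponents are this example's own assumptions. Running both side by side makes the size-hiding difference visible: the bit-vector SR always has n bits, while the hash-based SR has exactly |S| entries.

```python
"""Added example (not the slides' own code): the DH-based bit-vector construction
and the hash-based construction of a secret set, side by side in one toy group.

Constructed for illustration: (P, Q, G) is a tiny safe-prime group, SHA-256
stands in for the random oracle H, and MSB is the top bit of a group element
written with bit_length(p) bits; function names are this example's own."""
import hashlib
import random
import secrets

P, Q, G = 2039, 1019, 4          # p = 2q + 1, g = 4 generates the order-q subgroup
NBITS = P.bit_length()


def _rng(seed):
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def kgen(n, seed=None):
    """Kgen(1^k): pairwise distinct a_j in Z_q^*, pub_j = g^{a_j}, sec_j = a_j."""
    return [(pow(G, a, P), a) for a in _rng(seed).sample(range(1, Q), n)]


def msb(x):
    """The hard-core predicate of the bit-vector construction: top bit of x."""
    return (x >> (NBITS - 1)) & 1


def H(K):
    """Random-oracle stand-in for the hash-based construction."""
    return hashlib.sha256(K.to_bytes((NBITS + 7) // 8, "big")).hexdigest()


# DH-based bit-vector construction: always n bits in SR, so |S| is hidden.
def srep_bits(S, pubs, seed=None):
    b = _rng(seed).randrange(1, Q)
    gb = pow(G, b, P)
    bits = []
    for j, pk in enumerate(pubs):
        K_j = pow(pk, b, P)                                  # (g^{a_j})^b
        bits.append(msb(K_j) if j in S else msb(K_j) ^ 1)    # non-members: MSB + 1 mod 2
    return gb, bits


def mver_bits(SR, i, a_i):
    gb, bits = SR
    return 1 if msb(pow(gb, a_i, P)) == bits[i] else 0       # K_i = (g^b)^{a_i}


# Hash-based construction: |S| hashes in SR, so the size is visible.
def srep_hash(S, pubs, seed=None):
    b = _rng(seed).randrange(1, Q)
    return pow(G, b, P), [H(pow(pubs[j], b, P)) for j in sorted(S)]


def mver_hash(SR, i, a_i):
    gb, hashes = SR
    return 1 if H(pow(gb, a_i, P)) in hashes else 0


def run(srep, mver, n, S, seed=None):
    """Kgen for n users, Srep for S, then Mver by every user; returns the n outputs."""
    keys = kgen(n, seed)
    SR = srep(S, [pk for pk, _ in keys], seed)
    return [mver(SR, i, keys[i][1]) for i in range(n)]


if __name__ == "__main__":
    print("bit-vector:", run(srep_bits, mver_bits, 6, {0, 2, 5}))
    print("hash-based:", run(srep_hash, mver_hash, 6, {0, 2, 5}))
```

In the bit-vector scheme a non-member's bit is the complement of his MSB, so Mver is deterministic in both directions; in the hash-based scheme a non-member would only be accepted if two users' shared secrets collided, which the distinct exponents rule out. Neither construction resists an adaptive adversary, matching the "weak" qualifier in both theorems.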

4. Security Reduction (4/4)

Conclusions

We have

• shown that key privacy and robustness imply security

• introduced a formal model for secret set

• proved that secret set and anonymous broadcast are equivalent w.r.t. non-adaptive adversaries

• provided security reductions for general and concrete secret set constructions

Open Problems

• anonymous broadcast and secret set: equivalent w.r.t. adaptive adversaries?

• does there exist a length-efficient membership-private and size-hiding secret set construction?

• does there exist a length-efficient membership-private secret set construction?


