![Page 1: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/1.jpg)
Receiver Anonymity via Incomparable Public Keys
Brent R. Waters, Edward W. Felten, and Amit Sahai
Department of Computer Science
Princeton University
![Page 2: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/2.jpg)
Receiver Anonymity
Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
[Diagram: Alice, Bob and the bulletin board alt.anonymous.messages. Bob holds an Anonymous ID: “Where are good Hang Gliding spots?”, Send to: alt.anonymous.messages]
![Page 3: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/3.jpg)
Receiver Anonymity
• Anonymous Identity
  – Information allowing a sender to send messages to an anonymous receiver
  – May contain routing and encryption information
• Requirements
  – Receiver is anonymous even to the sender
  – Anonymous Identity can be used several times
  – Communication is secret (encrypted)
  – Messages are received efficiently
![Page 4: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/4.jpg)
A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
[Diagram: Alice reads the bulletin board alt.anonymous.messages; the senders Bob and Charlie hold these Anonymous IDs:]
• Anonymous ID 1: “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e
• Anonymous ID 2: “What Biology conferences are interesting?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e
![Page 5: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/5.jpg)
The Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.
[Diagram as on the previous slide: Anonymous ID 1 and Anonymous ID 2 both say Encrypt with: a45cd79e]
![Page 6: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/6.jpg)
The Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.
[Same diagram, annotated: Hang Gliding + Biology => Alice]
![Page 7: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/7.jpg)
Using an Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup, Alice tries all her private keys until one matches or she has tried them all.
[Diagram: Alice reads the bulletin board alt.anonymous.messages; Bob and Charlie hold the keys a45cd79e and 207c5edb; Alice keeps a “Keys to Try” list with two entries.]
![Page 8: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/8.jpg)
Using an Independent Public Key per Sender
[Same slide as the previous one, with Alice's “Keys to Try” list grown to many entries.]
![Page 9: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/9.jpg)
Incomparable Public Keys
• Receiver generates a single secret key
• Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
• Receiver uses the secret key to decrypt any message encrypted with any of the public keys
• Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)
![Page 10: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/10.jpg)
Using Incomparable Public Keys to Receive Messages Efficiently
Alice creates one secret key and distributes a different Incomparable Public Key to each sender.
[Diagram: Alice, the bulletin board alt.anonymous.messages, Bob and Charlie with the keys a45cd79e and 207c5edb, and Alice's “Keys to Try” list.]
![Page 11: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/11.jpg)
Key Generation
• Based on ElGamal encryption
  – All users share a global (strong) prime $p$
  – Operations are performed in the group of Quadratic Residues of $\mathbb{Z}_p^*$
• Secret Key Generation:
  – Choose an ElGamal secret key $a$
• Generate a new Incomparable Public Key:
  – Pick a random generator, $g$, of the group
  – Public key is $(g, g^a)$
![Page 16: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/16.jpg)
Security Intuition
• Cannot distinguish equivalent keys $(g, g^a)$, $(h, h^a)$ from non-equivalent ones $(g, g^a)$, $(h, h^b)$
  – Assuming Decisional Diffie-Hellman is hard
• However, this is not enough if the receiver might respond to a message
[Diagram: Bob holds $(g, g^a)$ and Charlie holds $(h, h^a)$. Pair-wise multiply: $(gh, (gh)^a)$]
Alice can decrypt messages encrypted with this new key.
![Page 17: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/17.jpg)
Solution
• Record keys that were validly created
• The ciphertext will contain a “proof” about which key was used for encryption
• The private key holder can alternatively distribute each Incomparable Public Key with its MAC
![Page 19: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/19.jpg)
Encryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
– $(g, g^a)$ is an Incomparable Public Key
– $H$ is a secure hash function
– $K$ is a random symmetric key
– $r$ is a random exponent
![Page 20: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/20.jpg)
Decryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
• Use secret key $a$ to decrypt the ElGamal encrypted ciphertext and learn the symmetric key $K$
![Page 25: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/25.jpg)
Decryption
$C = (g^r, g^{ar}K),\ H(r),\ (r, (g, g^a), \text{plaintext})$
• Use secret key $a$ to decrypt the ElGamal encrypted ciphertext and learn the symmetric key $K$
• Use $K$ to decrypt the symmetrically encrypted ciphertext
• Check that the public key inside the envelope has been distributed
• Check that the claimed public key was used
  – Hash $r$ and check it against the claimed hash of $r$
  – Raise the public key to the $r$ to check that it was used in the ElGamal encryption
• If all tests pass, accept the plaintext
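The Key Generation, Security Intuition, Encryption and Decryption slides put together as an added example; this is not the authors' GnuPG code. It also shows the pair-wise multiplied key being accepted by plain ElGamal and rejected once issued keys are recorded. Assumptions: the toy prime, the SHA-256 keystream standing in for $E_K$, the JSON envelope and all function names.

```python
import hashlib, json, secrets
# Toy group (assumption, far too small for real use): safe prime P = 2Q + 1;
# the quadratic residues mod P form a group of prime order Q.
P, Q = 2039, 1019

def rand_qr():  # random quadratic residue != 1; any such element generates the group
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def H(r):
    return hashlib.sha256(str(r).encode()).hexdigest()

def stream_xor(K, data):  # stand-in for E_K: SHA-256 counter keystream XOR
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(f"{K}:{i}".encode()).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], pad))
    return bytes(out)

def new_public_key(a, issued):
    g = rand_qr()
    pk = (g, pow(g, a, P))
    issued.add(pk)                      # record keys that were validly created
    return pk

def encrypt(pk, plaintext):
    g, ga = pk
    r, K = secrets.randbelow(Q - 1) + 1, rand_qr()
    envelope = json.dumps([r, g, ga, plaintext]).encode()
    return pow(g, r, P), pow(ga, r, P) * K % P, H(r), stream_xor(K, envelope)

def decrypt(a, issued, ct):
    """Return the plaintext or None; issued=None skips the 'distributed' check."""
    c1, c2, tag, body = ct
    K = c2 * pow(pow(c1, a, P), -1, P) % P          # ElGamal: K = c2 / c1^a
    try:
        r, g, ga, plaintext = json.loads(stream_xor(K, body))
    except (ValueError, TypeError):
        return None                                  # not addressed to this key
    if issued is not None and (g, ga) not in issued:
        return None                                  # key was never handed out
    if H(r) != tag or pow(g, r, P) != c1:
        return None                                  # claimed key was not used
    return plaintext

def demo():
    a, issued = secrets.randbelow(Q - 1) + 1, set()
    bob, charlie = new_public_key(a, issued), new_public_key(a, issued)
    forged = (bob[0] * charlie[0] % P, bob[1] * charlie[1] % P)  # (gh, (gh)^a)
    ct = encrypt(forged, "ping")
    return {"bob": decrypt(a, issued, encrypt(bob, "hello from Bob")),
            "forged, no record": decrypt(a, None, ct),
            "forged, with record": decrypt(a, issued, ct)}
if __name__ == "__main__":
    print(demo())
```

The "forged, no record" result is the linkability problem from the Security Intuition slide: a reply to that message would tell Bob and Charlie that their keys share one secret key.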
![Page 26: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/26.jpg)
Security
• Provably secure in the Random Oracle Model assuming DDH is hard
• We have another construction based only on general assumptions
• We can apply similar techniques to a CCA secure cryptosystem such as Cramer-Shoup
![Page 27: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/27.jpg)
Efficiency
• Efficiency is comparable to standard ElGamal
• One exponentiation for encryption
• Two exponentiations for decryption and verification of a message
![Page 28: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/28.jpg)
Comparison with Alternative Methods
Several Independent Public Keys
- Running time increases linearly with number of potential senders
Several Independent Symmetric Keys
+ Encryption and decryption operations are faster
- Running time increases linearly with number of potential senders
- No secrecy of past messages if sender’s key is captured
- Key must be distributed securely
![Page 30: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/30.jpg)
Comparison with Alternative Methods (cont.)
Message Markers
Sender puts a random tag on each message that identifies him and which key to use
+ Potentially quick way for the receiver to identify her messages and discard messages destined for others
- Cannot reuse a mark
- Therefore both sender and receiver must update expected next mark – leads to problems if messages are lost

| Tag | Key |
|---|---|
| 5d234 | 98b2e6 |
| 3891c | 7ac023 |
![Page 31: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/31.jpg)
Applications
• Use in anonymous communication between users
  – Users already employ newsgroups such as alt.anonymous.messages to send PGP encrypted messages to anonymous receivers
• Protection of anonymity in case of device compromise
  – Receiver distributes a set of sensor nodes that he does not want to be traced back to him
  – Initially trusts the devices, but they could be captured or otherwise compromised
![Page 32: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/32.jpg)
Embedding Incomparable Public Keys in Security Protocols
Use with other schemes to enhance anonymity and efficiency
• We adapted the SKEME key exchange protocol to incorporate Incomparable Public Keys
  – Allows for establishment of an efficient session key while maintaining anonymity guarantees
• Peer-to-Peer systems
  – P5 allows a tradeoff between anonymity and efficiency
    • By making all public keys Incomparable we can enhance anonymity while still giving the user a tradeoff option
![Page 33: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/33.jpg)
Implementation
• Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0
• Available at http://www.cs.princeton.edu/~bwaters/research/
![Page 34: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/34.jpg)
GnuPG (PGP) Background
• Users post encrypted messages to newsgroups to attempt receiver anonymity
• Software for automatically retrieving messages from newsgroups
  – Jack B. Nymble
  – Private Idaho
![Page 35: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/35.jpg)
Implementation: Benefit
• Receivers can have one private key to decrypt messages sent from any one of many Incomparable Public Keys
• Interface is similar to the original GnuPG interface
• Only a few changes needed to be made to existing code (ElGamal encryption already exists in GnuPG)
![Page 36: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/36.jpg)
Related Work
• Bellare et al. (2001)
  – Introduce notion of Key-Privacy
  – If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
  – The authors do not consider anonymity from senders
• Pfitzmann and Waidner (1986)
  – Use of multicast address for receiver anonymity
  – Discuss implicit vs. explicit “marks”
![Page 37: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/37.jpg)
Related Work (cont.)
• Chaum (1981)
  – Mix-nets for sender anonymity
  – Reply addresses usable only once
  – Other work follows this line
![Page 38: Receiver Anonymity via Incomparable Public Keys](https://reader036.vdocument.in/reader036/viewer/2022081514/56813c50550346895da5d11a/html5/thumbnails/38.jpg)
Conclusion
• The contents of public keys are important in protecting the receiver’s anonymity from the sender
• Incomparable Public Keys provide a secure and efficient way of accomplishing receiver anonymity
• Incomparable Public Keys are useful in practice with Key Exchange and P2P systems