Practical(?) And Provably Secure Anonymity

1
Practical(?) And Provably Secure Anonymity

• Nick Hopper

2
Sender-Anonymous Communication The Love Letter
Problem
Who?
You have a secret admirer!
Alex
Eve, The Net Admin
3
Receiver-Anonymous Communication The
Whistleblowers problem
Eve
?
EPK(AUDIT ACME!)
IRS
Alex
4
Previous Work on anonymous communication

• Mix-Net/Onion routing
• Efficient, but not (yet) provably secure
• DC-Nets
• Provably secure, but not efficient

5
Mix-Net
E
EMIX(C,M3)
EMIX(D,M1)
EMIX(E,M5)
A
D
Mix
EMIX(E,M2)
EMIX(D,M4)
C
B
6
Mix-Net
E
EMIX(D,M1)
EMIX(E,M2)
A
EMIX(C,M3)
D
Mix
EMIX(D,M4)
EMIX(E,M5)
C
B
7
Mix-Net
E
D,ED(M1)
E,EE(M2)
A
C,EC(M3)
D
Mix
D,ED(M4)
E,EE(M5)
C
B
8
Mix-Net
E
D,ED(M1)
E,EE(M2)
A
C,EC(M3)
D
Mix
D,ED(M4)
E,EE(M5)
C
B
9
Mix-Net
EE(M5)
EE(M2)
E
ED(M1)
A
ED(M4)
D
Mix
EC(M3)
C
B
10
Onion Routing
E
A
G
C
B
F
D
H
11
Onion Routing
E
A
G
C
B
F
D
H
12
Onion Routing
E
A
G
C
B
F
D
H
13
Onion Routing
EH(M)
E
A
G
C
B
F
D
H
14
Onion Routing
EF(H,EH(M))
E
A
G
C
B
F
D
H
15
Onion Routing
EB(F,EF(H,EH(M)))
E
A
G
C
B
F
D
H
16
Onion Routing
EE(B,EB(F,EF(H,EH(M))))
E
A
G
C
B
F
D
H
17
Onion Routing
EB(F,EF(H,EH(M)))
E
A
G
C
B
F
D
H
18
Onion Routing
E
A
G
C
EF(H,EH(M))
B
F
D
H
19
Onion Routing
E
A
G
C
B
F
EH(M)
D
H
20
Onion Routing
E
A
G
C
B
F
M
D
H
21
DC Net Multiparty Sum
XA
A
XC
XB
C
B
XD
D
22
DC Net Multiparty Sum
XA SAASABSACSAD XA
A
XC
XB
C
B
SCASCBSCCSCD XB
SBASBBSBCSBD XB
XD
D
SDASDBSDCSDD XD
23
DC Net Multiparty Sum
XA SAASABSACSAD XA
A
SAB
SAC
XC
XB
SAD
C
B
SCASCBSCCSCD XB
SBASBBSBCSBD XB
XD
D
SDASDBSDCSDD XD
24
DC Net Multiparty Sum
XA SAASABSACSAD XA SA SAA SBA SCASDA
A
SA
XC
SC
SB
XB
C
B
SD
SCASCBSCCSCD XB SC SAC SBC SCCSDC
SBASBBSBCSBD XB SB SAB SBB SCBSDB
XD
D
SDASDBSDCSDD XD SD SAD SBD SCDSDD
25
DC Net Multiparty Sum
XA SAASABSACSAD XA SA SAA SBA SCASDA
X SA SB SC SD XA XB XC XD
XC
XB
C
B
SCASCBSCCSCD XB SC SAC SBC SCCSDC
SBASBBSBCSBD XB SB SAB SBB SCBSDB
XD
D
SDASDBSDCSDD XD SD SAD SBD SCDSDD
26
How to use multiparty sum for anonymity

• If XA XB XC 0 then XXD!
• If more than one non-zero collision
• Use standard networking techniques
• Provably, Perfectly secure against passive
  adversary.
• Problems
• Inefficient O(n3) protocol messages/ anonymous
  message
• Easy to JAM it!

27
Efficiency Issue

• Perfect security requires ?(n2) protocol
  messages per anonymous message
• Relax to k-anonymity every message could have
  been from or to k participants

28
k-anonymous message transmission (k-AMT)

• Idea Divide N parties into small DC-Nets of
  size O(k). Encode M as (group, msg) pair

P2
P3
s1,2
s1,3
s1,4
P1
P4
s1,1s1,2s1,3s1,4 (Gt,Mt)
29
How to compromise k-anonymity

• If everyone follows the protocol, its impossible
  to compromise the anonymity guarantee.
• So instead, dont follow the protocol if Alice
  can never send anonymously, she will have to
  communicate using traceable means.

30
How to break k-AMT (I)

• Dont follow the protocol after receiving
  shares s1,i,,sk,i, instead of broadcasting si,
  generate a random value r and broadcast that
  instead.
• This will randomize the result of the DC-Net
  protocol, preventing Alice from transmitting.

31
Stopping the randomizing attack

• Solution Use Verifiable Secret Sharing. Every
  player in the group announces (by broadcast) a
  commitment to all of the shares of her input.
• These commitments allow verification of her
  subsequent actions.

32
k-anonymous message transmission (k-AMT) with VSS

• Before starting, each player commits to si,1
  si,k viaPedersen commitment C(s,r)gshr

s1,1s1,2s1,3s1,4 x1 (Gi,Mi)
C1
C1
C1
33
k-anonymous message transmission (k-AMT) with VSS

• Before starting, each player commits to si,1
  si,k viaPedersen commitment C(s,r)gshr

s1,1s1,2s1,3s1,4 x1 (Gi,Mi)
P2
P3
C2
C3
P1
P4
C4
34
How to break k-AMT (II)

• The multiparty sum protocol gives k participants
  a single shared channel at most one person can
  successfully transmit each turn.
• So Transmit every turn! VSS still perfectly
  hides the value of each input no one will know
  who is hogging the line.

35
Accommodating more than one sender per turn

• Idea we can run several turns in parallel.
  Instead of sending commitments to shares of a
  single value, generate shares of 2k values.
• If Alice picks a random turn to transmit in,
  she should have probability at least ½ of
  successfully transmitting.

36
Accommodating more than one sender per turn

• Before starting, each player picks slot l, sets
  xi,l (G,M), xi,1xi,2k 0, and chooses si,j,t
  so that ?msi,j,t xi,j

P2
P3
C1,1..2k
C1,1..2k
P1
P4
C1,1..2k
37
Accommodating more than one sender per turn

• Suppose at the end of the protocol, at least k of
  the 2k parallel turns were empty (zero). Then
  Alice should be happy she had probability ½ to
  transmit.
• If not, somebody has cheated and used at least 2
  turns. How do we catch the cheater?

38
Catching a cheater

• Idea each party can use her committed values to
  prove (in zero knowledge) that she transmitted in
  at most one slot, without revealing that slot.
• If someone did cheat, she will have a very low
  probability of convincing the group she did not.

39
Zero-Knowledge proof of protocol conformance

• Pi ? (All)
• Pick permutation ? on 12k
• Send C(x) C(x?(0), r0),, C(x?(2k),r2k)
• (All) ? Pi b ? 0,1
• Pi ? (All)
• if b 0 open 2k-1 0 values
• else reveal ?, prove (in ZK) x ?(x)

40
Efficiency

• O(k2) protocol messages to transmit O(k)
  anonymous messages O(k) message overhead
• Cheaters are caught with high probability
• Zero Knowledge proofs are Honest Verifier and can
  be done non-interactively in the Random Oracle
  Model, or interactively via an extra round
  (commit to verifier coins)

41
Another problem Abuse

• Anonymous communications could be used for bad
  things
• Kidnapping Ransom Notes
• Child Pornography
• Libel
• Excessive Multi Posting
• How to deal with it fairly?

42
Selective Tracing

• Participants agree to a tracing policy
• Set of voters V
• Set of sets of voters V.
• Anytime a bad message is sent, when any set of
  users v 2 V agree, the message can be traced to
  its sender.

43
Example Tracing Policies

• Threshold tracing if at least t users agree
  (e.g. 90)
• Court tracing if at least 5/9 justices agree
• LEA tracing if FBI, CIA, NSA, DHS, ATF, or DEA
  want to trace.

44
Support for selective traceability

• Assume for now singleton voter V.
• V publishes ElGamal public key GX.
• Recall that for each slot we have
• R ? ri,
• S ?i Ci gMhR
• For each slot compute
• a GR
• b g-MyR
• ? ZKlogg a loghy Sb

45
Support for selective traceability

• V publishes ElGamal public key GX.
• For each slot compute
• a GR
• b g-MyR
• V can trace M by checking for each user whether
  aXb g-M.
• Extend to arbitrary tracing policy using
  Threshold Cryptography

46
Open Questions

• What is a good way to model security of
  onion-routing type protocols?
• Is k-AMT really practical? Can it be improved
  on?
• Can we make a provably secure variant of onion
  routing with selective traceability?
• Coercibility.