Malicious Participants
Comparing various attempts at detecting malicious participants in DC networks

Approaches
- Chaum: Trap messages
- Golle & Juels: Proof with bilinear maps
- Ahn, Bortz and Hopper: k-anonymous message transmission (for the case k=n)

Chaum: Trap Messages
- n participants exchanging 1-bit keys pairwise
- XOR of all keys equals 0
- One or zero participants send a 1-bit message
- Known and agreed key graph
- Commitment before publishing
- At least some throughput
- Existence of non-private blocks

Chaum: Trap Messages
- How to make non-private blocks?
- Reservation scheme: Each participant reserves one block each round (easy detection of collisions in reservation block)
- Reservation block is non-private itself
- Commitment on dummy data to detect disturbers
- Improvement in Pfitzmann & Waidner (disco)
- 100n² bits in reservation block for 99% non-collision probability (Bos&Boer'90)

Chaum: Trap Messages
- Round layout (figure): Reservation block | Data or Trap | Data or Trap | Data or Trap
- How to set a trap:
- Publish after Reservation: $\mathrm{enc}_s(r \,\|\, i)$ (r: random number, i: block index)
- Publish as trap data: r
- Publish after Trap: s (encryption secret key)
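
The trap procedure above as a runnable simulation (an added example, not taken from the slides). Assumptions: HMAC-SHA256 keyed with s stands in for enc_s(r || i), the key graph is complete, blocks are 16 bytes instead of 1 bit, and a sprung trap is resolved by opening all keys of that block; the names run_round, commit and BLOCK are hypothetical.

```python
import hashlib, hmac
import secrets
from itertools import combinations

BLOCK = 16  # bytes per block (constructed size; the slides use 1-bit keys)

def xor(*parts):
    out = bytes(BLOCK)
    for p in parts:
        out = bytes(a ^ b for a, b in zip(out, p))
    return out

def commit(s, r, i):
    # Assumption: HMAC-SHA256 as a stand-in for enc_s(r || i); opened by revealing s
    return hmac.new(s, r + i.to_bytes(2, "big"), hashlib.sha256).digest()

def run_round(n, trap_owner, trap_block, disruptor=None):
    """Simulate one trap block; return the detected disruptor or None."""
    # Known and agreed key graph: every pair of participants shares one key
    keys = {p: secrets.token_bytes(BLOCK) for p in combinations(range(n), 2)}
    mine = lambda i: [k for p, k in keys.items() if i in p]
    # After reservation: the trap owner publishes the commitment
    r, s = secrets.token_bytes(BLOCK), secrets.token_bytes(16)
    c = commit(s, r, trap_block)
    # Each participant publishes the XOR of its keys; the owner adds r as trap data
    out = [xor(*mine(i)) for i in range(n)]
    out[trap_owner] = xor(out[trap_owner], r)
    if disruptor is not None:
        out[disruptor] = xor(out[disruptor], b"\xff" * BLOCK)  # constructed noise
    result = xor(*out)  # pairwise keys cancel, leaving r (plus any noise)
    # After the trap: the owner reveals s and r, everyone checks the commitment
    if not hmac.compare_digest(c, commit(s, r, trap_block)):
        raise ValueError("trap commitment does not open")
    if result == r:
        return None  # trap undisturbed
    # Trap sprung: the block becomes non-private. All keys are opened and every
    # published output is recomputed; the owner's expected output includes r.
    for i in range(n):
        expected = xor(*mine(i), r) if i == trap_owner else xor(*mine(i))
        if out[i] != expected:
            return i
    return None

if __name__ == "__main__":
    print("honest round:", run_round(5, trap_owner=1, trap_block=3))
    print("disrupted round:", run_round(5, trap_owner=1, trap_block=3, disruptor=4))
```

Opening the keys costs no privacy here because the trap block carries only the random value r, never a real message.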

Golle & Juels
- Two protocols: short and long
- Short: Overwhelmingly secure, but limited block size
- Long: Arbitrary block size, but only highly secure
- Works on D-H generators over elliptic curves
- Reconstruction of messages for missing participants by threshold sharing of secret keys
- Basic idea is proof of both statements:
- The sum of keys is correct OR there is a message added
- There is at most one message added

Golle & Juels: Short DC
- n participants
- Participant i publishes: $V_i = ( V_i(0), \dots, V_i(n) )$
- $V_i(k) = m(k) \cdot W_i(k)$, $W_i(k) = \prod_j \hat{e}( \mathrm{hash}(k), y_j )^{d \cdot x_i}$
- m(k) is the message for a random k; 1 otherwise
- d is 1 for i<j; 0 for i=j; -1 for i>j
- $x_i$ and $y_i$ are the secret and public key, respectively
- ê is an elliptic curve function
- Summary: multiplied in G, not added in GF(2)

Golle & Juels: Short DC
- In addition to $V_i$, publish a verification vector $\sigma_i$
- g and h are random generators in G
- $r_1, \dots, r_n$ are random numbers
- $w(k) = g \cdot h^{r_k}$ when a message is sent in k; $h^{r_k}$ otherwise
- $\sigma_i = \log_h( g^{-1} \prod w )$ ???
- Summary: proof of either one of:
- $W_i(k)$ is correct AND knows $\log_h(w_k)$
- OR knows $\log_h(w_k / g)$

Golle & Juels: Short DC
- Unclear: Why does this prevent sending multiple messages in one round?

Golle & Juels: Long DC
- PRNG(seed) like short DC and XOR message
- Choose subset $S = ( p_1, \dots, p_{n/2} )$ without choosing the message $p_{msg}$
- Publish $x_i \cdot \mathrm{hash}(k)$ for all elements in S
- Idea: An attacker cannot arbitrarily select many places k for disturbing.