Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research Center Markus Jakobsson School of Informatics Indiana University at Bloomington

Page 1 Mix Networks PublicPrivatePublic Mixing to make tracing impossible Used as a building block to protect privacy or keep something anonymous A sequence of mix servers

Page 2 What can be wrong in mix-nets Random permutation is secret Mix-server 1Mix-server 2Mix-server 3

Page 3 Possible Attacks Aims to –Leak secret permutations –Leak private keys –Leak any security-critical information Although no side channel is allowed, leaking is possible through public channel Information leak is noticeable only to designated accomplices (by using a covert-channel)

Page 4 Vulnerable Good time to launch an attack Key generation Commitment Mixing phase Verification Safe Time Safe Mix-server Observer Tamper-evident

Page 5 How to verify – Intuitive idea Cut-and-choose: 50% error rate Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches : 1/2 k error rate

Page 6 Review: Re-encryption mix-nets Two operations in a mix server El-Gamal re-encryption is homomorphic –There exist two integers β and δ s.t. α = β + δ –Re-encryption(ReEnc) satisfies ReEnc(m, α) = ReEnc(ReEnc(m, β), δ) El-Gamal Re-encryption Permutation α1α1 α2α2 αnαn Encrypted Messages Re- encrypted and Permuted Messages π (1) π (2) π (n)

Page 7 Homomorphism El-Gamal re-encryption Encrypted Messages Re- encrypted Messages α = β + δ βδ Permutation =

Page 8 An example of a covert channel Replacing a random number generator El-Gamal Re-encryption Permutation α1α1 α2α2 αnαn Inputs Random Number Generator Outputs π (1) π (2) π (n)

Page 9 Solution overview Data flow Key Generation Mixing Phase Observer Commitment Witness Re-encrypted Message

Page 10 Permutation τ Permutation σ Key generation Conditions: α i = β i + δ i, π = τ ◦ σ Publicize a commitment α1α1 α2α2 αnαn Permutation π The same inputs The same outputs β1β1 β2β2 βnβn δ1δ1 δ2δ2 δnδn π (1) π (2) π (n) σ (1) σ (2) σ (n) τ (1) τ (2) τ (n)

Page 11 Mixing phase Output re-encrypted messages {A’ i } and witnesses {W i } Permutation τ Permutation σ β1β1 β2β2 βnβn δ1δ1 δ2δ2 δnδn W1W1 W2W2 WnWn α1α1 α2α2 αnαn Permutation π A1A1 A2A2 AnAn A’ 1 A’ 2 A’ n π (1) π (2) π (n) σ (1) σ (2) σ (n) τ (1) τ (2) τ (n)

Page 12 Interactive verification Permutation τ Permutation σ β1β1 β2β2 βnβn δ1δ1 δ2δ2 δnδn A1A1 A2A2 AnAn A’ 1 A’ 2 A’ n W1W1 W2W2 WnWn ObserverMix Server 1. Choose either 0(LEFT) or 1(RIGHT) 2. Open corresponding values and hashes of the others 3. Verify that there is no variation from the previous commitment τ (1) τ (2) τ (n) σ (1) σ (2) σ (n)

Page 13 Security improvement #1 Proof of tamper-freeness –Probability of cheating : 1/2 –Number of commitments κ  Acceptable cheating probability < 1/2 κ κ proofs

Page 14 Security improvement #2 Undercover observer –Challenges are automatically chosen from κ bits of output hash({A’ i }) –Non-interactive proof  Stealthy observation –Attackers are hard to find non-interactive observers. Thus we called undercover observers Key Generation Mixing Phase Commitment Witness

Page 15 Conclusion A covert-channel in mix networks threatens privacy New notion of security : Tamper-evidence, detecting variations from prescribed commitments Stealthy operation of non-interactive observer Or, Send me an

Page 16 Key generation Commitment : Root of a Merkle hash tree σ τ β1β1 … ρ … δ1δ1 δnδn Hash function β2β2 δ2δ2 δ n-1