Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson

Course Admin HW6 solution provided; grading almost done HW7, HW8 to be graded; solutions to be provided HW9 will be posted by tomorrow –You should me with the formation of your team (of 2 each); one per team –I’ll create you an account on Vlab and send you instructions on how to access it The final is on Thursday, 12/20, 6-8:30pm

Contents Mix Network (Mixnet) Mixnet Applications Mixnet Requirements Robustness of Mixnets Checking a Mixnet’s Robustness

Definition: Mix Server A mix server: Receives inputs Produces “related” outputs The relationship between inputs and outputs is secret InputsOutputs ? Mix Server

Definition: Mix Network Mix network A group of mix servers that operate sequentially. Server 1Server 2Server 3 InputsOutputs ???

Applications Hide:  “who voted for whom?”  “who paid whom?”  “who communicated with whom?”  “what is the source of a message?” Good for protecting privacy for election and communication Used as a privacy building block

1.“Who do you like best?” 2.Put your ballot into an WHITE envelope and put again in a RED one and sign on it Electronic Voting Demonstration Jerry  Washington  Lincoln  Roosevelt

Administrators will 1.Verify signatures together 2.1 st Admin. shuffles and opens RED envelopes 3.Send them to 2 nd Admin. 4.2 nd Admin. shuffles again and opens WHITE envelopes 5.Count ballots together Electronic Voting Demo. (Cont’d)

Jerry Sign voter 1 (encr(encr (vote 1 ))) Sign voter 2 (encr(encr (vote 2 ))). Sign voter n (encr(encr (vote n ))) A real system for elections vote 1 vote 2 vote 3. vote n Mix Net  Washington  Lincoln  Roosevelt Mix Net

“Choose one person you like to pay $5” Put your ballot into an WHITE envelope and put again in a RED one and sign on it Jerry Name of the person ( ___________ ) Electronic Payment Demo.

Electronic Voting Demo. (Cont’d) Administrators will 1.Verify signatures together 2.Deduct $5 from each account 3.1 st Admin. shuffles and opens RED envelopes 4.Send them to 2 nd Admin. 5.2 nd Admin. shuffles again and opens WHITE envelopes 6.Credit $5 to recipients

For paymentspayments Sign payer 1 (encr(encr (payee 1 ))) Sign payer 2 (encr(encr (payee 2 ))). Sign payer n (encr(encr (payee n ))) payee 1 payee 2 payee 3. payee n DEDUCTDEDUCT Credit Jerry Name (________ ) Mix Net

For communication encr ( 1, addressee 1 ) encr ( 2, addressee 2 ). encr ( n, addressee n ) Mix Net Deliver To: Jerry Don’t forget to have lunch.

Other uses Anonymous web browsing (LPWA Anonymizer)LPWAAnonymizer From LPWA homepage

Other uses (Cont’d) Location privacy for cellular devices – Location-based service is GOOD ! Landline-phone calling to 911 in the US, 112 in Europe All cellular carrier by December 2005 – RISK ! Location-based spam Harm to a reputation

Other uses (Cont’d) Anonymous bulletin boards From A. Juels at WOTE’01 Mix

Other uses (Cont’d) Sometimes abuses Avoid legislation (e.g., piracy)

Other Uses Anonymous VoIP calls

Principle Chaum ’81 Message 1 Message 2 server 1server 2server 3 Privacy Efficiency Trust Robustness Issues :

But what about robustness? encr(Berry) encr(Kush) Kush STOP I ignore his output and produce my own There is no robustness!

Requirements 1.Privacy Nobody knows who said what 2.Efficiency Mixing is efficient (= practically useful) 3.Trust How many entities do we have to trust? 4.Robustness Will replacement cheaters be caught? What if a certain number of mix servers fail?

Zoology of Mix Networks Decryption Mix Nets [Cha81,…]: –Inputs: ciphertexts –Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: –Inputs: ciphertexts –Outputs: re-encryption of the inputs InputsOutputs ?

First Solution Chaum ’81, implemented by Syverson, GoldschlagSyverson, Goldschlag Not robust (or: tolerates  cheaters for correctness) Requires every server to participate (and in the “right” order!)

Re-encryption Mixnet 0.Setup: mix servers generate a shared ElGamal key 1. Users encrypt their inputs: Input Pub-key 3. A quorum of mix servers decrypts the outputs Output Priv-key Server 1Server 2Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix 2. Encrypted inputs are mixed: Proof

Recall: El Gamal encryption Public parameters: q is a prime p = 2 k q+1is a prime ggenerator of G p Secret key of a user: x (where 0 < x < q) Public key of this user: y = g x mod p

El Gamal Encryption (encrypt m using y) For message (or “plaintext”) : m 1.Pick a number k randomly from [0…q-1] 2.Compute a = y k. m mod p b = g k mod p 3.Output (a,b) Decryption technique (to decrypt (a,b) using x) Compute m a / b x (= y k. m = g xk. m) (g k ) x g kx

Re-encryption technique Input: a ciphertext (a,b) wrt public key y 1.Pick a number  randomly from [0…q-1] 2.Compute a’ = y . a mod p b’ = g . b mod p 3.Output (a’, b’) Same decryption technique! Compute m a’ / b’ x (= y k. y . m = g x (k+ . m) (g k. g  ) x g (k+  x

A simple mix (a 1, b 1 ) (a 2, b 2 ). (a n, b n ) RE-ENCRYPTRE-ENCRYPT RE-ENCRYPTRE-ENCRYPT (a’ 1,b’ 1 ) (a’ 2,b’ 2 ). (a’ n,b’ n ) (a’’ 1,b’’ 1 ) (a’’ 2,b’’ 2 ). (a’’ n,b’’ n ) Note: different cipher text, different re-encryption exponents!

And to get privacy… permute, too! (a 1, b 1 ) (a 2, b 2 ). (a n, b n ) (a’’ 1,b’’ 1 ) (a’’ 2,b’’ 2 ). (a’’ n,b’’ n )

Problem Mix servers must prove correct re-encryption –Given n El Gamal ciphertexts E(m i )as input –and n El Gamal ciphertexts E(m’ i ) as output –Compute: E(  mi) and E(  =m’i) –Ask Mix for ZK proof that these ciphertexts decrypt to same plaintexts

Tor A low-latency anonymizing network Currently 1000 or so routers distributed all over in the internet Can run any SOCKS application on top of Tor No mixing is employed Peer-based: a client can choose to be a router A request is routed to/fro a series of a circuit of three routers A new circuit is chosen every 10 minutes Let’s see Tor in practice