Receiver Anonymity via Incomparable Public Keys Brent R. Waters, Edward W. Felten, and Amit Sahai Department of Computer Science Princeton University.


Receiver Anonymity
Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob.
[Diagram: Alice, Bob and the bulletin board alt.anonymous.messages. Anonymous ID: "Send to: alt.anonymous.messages". Message: “Where are good Hang Gliding spots?”]

Receiver Anonymity
Anonymous Identity
  – Information allowing a sender to send messages to an anonymous receiver
  – May contain routing and encryption information
Requirements
  – Receiver is anonymous even to the sender
  – Anonymous Identity can be used several times
  – Communication is secret (encrypted)
  – Messages are received efficiently

A Common Method
Alice anonymously receives encrypted messages from both Bob and Charlie by reading a newsgroup.
[Diagram: Alice, Bob, Charlie and the bulletin board alt.anonymous.messages.
Anonymous ID 1: “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e.
Anonymous ID 2: “What Biology conferences are interesting?” Send to: alt.anonymous.messages. Encrypt with: a45cd79e.]

The Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person.
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity.
[Diagram: the same two Anonymous IDs, both with "Encrypt with: a45cd79e", annotated: Hang Gliding + Biology => Alice]

Using an Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup, Alice tries all her private keys until one matches or she has tried them all.
[Diagram: bulletin board alt.anonymous.messages, Alice, Bob and Charlie; keys a45cd79e and 207c5edb; Alice's "Keys to Try" list, which grows from two entries to many.]

Incomparable Public Keys
Receiver generates a single secret key
Receiver generates several Incomparable Public Keys (one for each Anonymous Identity)
Receiver uses the secret key to decrypt any message encrypted with any of the public keys
Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)

Using Incomparable Public Keys to Receive Messages Efficiently
Alice creates one secret key and distributes a different Incomparable Public Key to each sender.
[Diagram: bulletin board alt.anonymous.messages, Alice, Bob and Charlie; keys a45cd79e and 207c5edb; Alice's "Keys to Try" list.]

Key Generation
Based on ElGamal encryption
  – All users share a global (strong) prime $p$
  – Operations are performed in the group of Quadratic Residues of $\mathbb{Z}_p^*$
Secret Key Generation:
  – Choose an ElGamal secret key $a$
Generate a new Incomparable Public Key:
  – Pick a random generator, $g$, of the group
  – Public key is $(g, g^a)$

Security Intuition
Cannot distinguish equivalent keys $(g, g^a)$, $(h, h^a)$ from non-equivalent ones $(g, g^a)$, $(h, h^b)$
  – Assuming Decisional Diffie-Hellman is hard
However, this is not enough if the receiver might respond to a message
[Diagram: Bob and Charlie hold $(h, h^a)$ and $(g, g^a)$; pair-wise multiplying the two keys gives $(gh, (gh)^a)$.]
Alice can decrypt messages encrypted with this new key.

Solution
Record keys that were validly created
The ciphertext will contain a “proof” about which key was used for encryption
The private key holder can alternatively distribute each Incomparable Public Key with its MAC

Encryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
  – $(g, g^a)$ is an Incomparable Public Key
  – $H$ is a secure hash function
  – $K$ is a random symmetric key
  – $r$ is a random exponent

Decryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
Use secret key $a$ to decrypt the ElGamal encrypted ciphertext and learn the symmetric key $K$
Use $K$ to decrypt the symmetrically encrypted ciphertext
Check that the public key inside the envelope has been distributed
Check that the claimed public key was used
  – Hash $r$ and check it against the claimed hash of $r$
  – Raise the public key to the $r$ to check that it was used in the ElGamal encryption
If all tests pass, accept the plaintext
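The scheme from the Key Generation, Security Intuition, Encryption and Decryption slides, as an added Python example (not the authors' GnuPG extension). It assumes a toy safe prime p = 2039, SHA-256 for H, and a hash-based XOR keystream standing in for E_K; the function names and the 2-byte envelope layout are illustrative.

```python
import hashlib, hmac, secrets

# Toy group (assumption for this demo, far too small for real use):
# safe prime P = 2Q + 1, so the quadratic residues mod P have prime order Q.
P, Q = 2039, 1019

def rand_qr():
    # Squaring any x in [2, P-2] gives a non-identity QR, i.e. a generator.
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def new_public_key(a):
    g = rand_qr()
    return (g, pow(g, a, P))            # incomparable public key (g, g^a)

def H(r):
    return hashlib.sha256(r.to_bytes(2, "big")).digest()

def sym(K, data):
    # Stand-in for E_K: XOR with a SHA-256 counter keystream (not authenticated).
    ks = b"".join(hashlib.sha256(f"{K}:{i}".encode()).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, ks))

def encrypt(pk, plaintext):
    g, y = pk
    r = secrets.randbelow(Q - 1) + 1    # random exponent
    K = rand_qr()                       # random symmetric key, as a group element
    body = b"".join(v.to_bytes(2, "big") for v in (r, g, y)) + plaintext
    return (pow(g, r, P), pow(y, r, P) * K % P, H(r), sym(K, body))

def decrypt(a, distributed, c):
    c1, c2, hr, env = c
    K = c2 * pow(pow(c1, a, P), -1, P) % P      # ElGamal: K = c2 / c1^a
    body = sym(K, env)
    if len(body) < 6:
        return None
    r, g, y = (int.from_bytes(body[i:i + 2], "big") for i in (0, 2, 4))
    ok = ((g, y) in distributed                 # key was really handed out
          and hmac.compare_digest(H(r), hr)     # H(r) matches the claimed hash
          and pow(g, r, P) == c1)               # claimed key was used for c1
    return body[6:] if ok else None

def demo():
    a = secrets.randbelow(Q - 1) + 1            # Alice's single secret key
    bob, charlie = new_public_key(a), new_public_key(a)
    distributed = {bob, charlie}
    # Colluding senders multiply their keys component-wise: (gh, (gh)^a).
    merged = (bob[0] * charlie[0] % P, bob[1] * charlie[1] % P)
    still_valid = merged[1] == pow(merged[0], a, P)
    honest = decrypt(a, distributed, encrypt(bob, b"hang gliding spots?"))
    probe = decrypt(a, distributed, encrypt(merged, b"same person?"))
    return still_valid, honest, probe
```

`demo()` shows that the merged key is still a valid ElGamal key under `a`, yet a message encrypted with it is rejected because that key was never recorded as distributed.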

Security
Provably secure in the Random Oracle Model assuming DDH is hard
We have another construction based only on general assumptions
We can apply similar techniques to a CCA secure cryptosystem such as Cramer-Shoup

Efficiency
Efficiency is comparable to standard ElGamal
One exponentiation for encryption
Two exponentiations for decryption and verification of a message

Comparison with Alternative Methods
Several Independent Public Keys
  - Running time increases linearly with number of potential senders
Several Independent Symmetric Keys
  + Encryption and decryption operations are faster
  - Running time increases linearly with number of potential senders
  - No secrecy of past messages if sender’s key is captured
  - Key must be distributed securely

Comparison with Alternative Methods (cont.)
Message Markers
Sender puts a random tag on each message that identifies him and which key to use
  + Potentially quick way for the receiver to identify her messages and discard messages destined for others
  - Cannot reuse a mark
  - Therefore both sender and receiver must update expected next mark – leads to problems if messages are lost
[Table on slide: columns Tag and Key; values 5d23498b2e6, 3891c7ac023]

Applications
Use in anonymous communication between users
  – Users already employ newsgroups such as alt.anonymous.messages to send PGP encrypted messages to anonymous receivers
Protection of anonymity in case of device compromise
  – Receiver distributes a set of sensor nodes that he does not want to be traced back to him
  – Initially trusts the devices, but they could be captured or otherwise compromised

Embedding Incomparable Public Keys in Security Protocols
Use with other schemes to enhance anonymity and efficiency
We adapted the SKEME key exchange protocol to incorporate Incomparable Public Keys
  – Allows for establishment of an efficient session key while maintaining anonymity guarantees
Peer-to-Peer systems
  – $P^5$ allows a tradeoff between anonymity and efficiency
By making all public keys Incomparable we can enhance anonymity while still giving the user a tradeoff option

Implementation Implemented Incomparable Public Keys by extending GnuPG (PGP) Available at

GnuPG (PGP) Background
Users post encrypted messages to newsgroups to attempt receiver anonymity
Software for automatically retrieving messages from newsgroups
  – Jack B. Nymble
  – Private Idaho

Implementation: Benefit
Receivers can have one private key to decrypt messages sent from any one of many Incomparable Public Keys
Interface is similar to the original GnuPG interface
Only a few changes needed to be made to existing code (ElGamal encryption already exists in GnuPG)

Related Work
Bellare et al. (2001)
  – Introduce notion of Key-Privacy
  – If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them
  – The authors do not consider anonymity from senders
Pfitzmann and Waidner (1986)
  – Use of multicast address for receiver anonymity
  – Discuss implicit vs. explicit “marks”

Related Work (cont.)
Chaum (1981)
  – Mix-nets for sender anonymity
  – Reply addresses usable only once
  – Other work follows this line

Conclusion
The contents of public keys are important in protecting the receiver’s anonymity from the sender
Incomparable Public Keys provide a secure and efficient way of accomplishing receiver anonymity
Incomparable Public Keys are useful in practice with Key Exchange and P2P systems