Presentation is loading. Please wait.

Presentation is loading. Please wait.

Receiver Anonymity via Incomparable Public Keys

Published byHendri Kusuma Modified over 6 years ago

Similar presentations

Presentation on theme: "Receiver Anonymity via Incomparable Public Keys"— Presentation transcript:

1 Receiver Anonymity via Incomparable Public Keys
Brent R. Waters, Edward W. Felten, and Amit Sahai Department of Computer Science Princeton University

2 Receiver Anonymity Alice can give Bob information that he can use to send messages to Alice, while keeping her true identity secret from Bob. Anonymous ID “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Bulletin Board alt.anonymous.messages Bob Alice

3 Receiver Anonymity Anonymous Identity Requirements
Information allowing a sender to send messages to an anonymous receiver May contain routing and encryption information Requirements Receiver is anonymous even to the sender Anonymous Identity can be used several times Communication is secret (encrypted) Messages are received efficiently

4 A Common Method Alice anonymously receives encrypted message from both Bob and Charlie by reading a newsgroup. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e

5 The Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are encrypting with the same public key and thus are sending messages to the same person. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e

6 The Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each know about the Anonymous Receiver and are able to compromise her anonymity. Anonymous ID 1 “Where are good Hang Gliding spots?” Send to: alt.anonymous.messages Encrypt with: a45cd79e Bulletin Board alt.anonymous.messages Bob Alice Hang Gliding + Biology => Alice Charlie Anonymous ID 2 “What Biology conferences are interesting?” Send to: alt.anonymous.messages Encrypt with: a45cd79e

7 Using an Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice Keys to Try 48b33c03 ae668f53 Charlie 207c5edb

8 Using an Independent Public Key per Sender
Alice creates a separate public/private key pair for each sender. Upon receiving a message on the newsgroup Alice tries all her private keys until one matches or she has tried them all. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice 207defb1 b593f399 Keys to Try 48b33c03 43bca289 ae668f53 40b2f68c 2fce8473 075ca5ef b9034d40 86cf1943 56734ba5 04d2a93c Charlie 398bac49 207c5edb 70f4ba54 e3c8f522 46cce276

9 Incomparable Public Keys
Receiver generates a single secret key Receiver generates several Incomparable Public Keys (one for each Anonymous Identity) Receiver use the secret key to decrypt any message encrypted with any of the public keys Holders of Incomparable Public Keys cannot tell if any two keys are related (correspond to the same private key)

10 Using an Incomparable Public Keys to Receive Messages Efficiently
Alice creates a one secret key and distributes a different Incomparable Public Key to each sender. Bulletin Board alt.anonymous.messages Bob a45cd79e Alice 207defb1 b593f399 Keys to Try 59b39c03 04d2a93c Charlie 398bac49 207c5edb 70f4ba54 e3c8f522 46cce276

11 Key Generation Based on ElGamal encryption Secret Key Generation:
All users share a global (strong) prime p Operations are performed in group of Quadratic Residues of Zp Secret Key Generation: Choose an ElGamal secret key a Generate a new Incomparable Public Key: Pick random generator, g, of the group Public key is (g,ga) *

12 Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) Assuming Decisional Diffie-Hellman is hard

13 Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) Assuming Decisional Diffie-Hellman is hard However, this is not enough if the receiver might respond to a message

14 Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) Assuming Decisional Diffie-Hellman is hard However, this is not enough if the receiver might respond to a message Bob (g,ga) Charlie (h,ha)

15 Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) Assuming Decisional Diffie-Hellman is hard However, this is not enough if the receiver might respond to a message Bob Pair-wise multiply (g,ga) Charlie (h,ha)

16 Security Intuition Cannot distinguish equivalent keys (g,ga), (h,ha) from non-equivalent ones (g,ga), (h,hb) Assuming Decisional Diffie-Hellman is hard However, this is not enough if the receiver might respond to a message Bob Pair-wise multiply Alice can decrypt messages encrypted with this new key. (g,ga) (gh,(gh)a) Charlie (h,ha)

17 Solution Record keys that were validly created
The ciphertext will contain a “proof” about which key was used for encryption The private key holder can alternatively distribute each Incomparable Public Keys with its MAC

18 Encryption C = (gr,garK) (g,ga) is an Incomparable Public Key

19 Encryption C = (gr,garK), H(r), EK(r,(g,ga), plaintext)
(g,ga) is an Incomparable Public Key H is a secure hash function K is a random symmetric key r is a random exponent

20 Decryption C = (gr,garK), H(r), EK(r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K

21 Decryption C = (gr,garK), H(r), (r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K Use K to decrypt the symmetrically encrypted ciphertext

22 Decryption C = (gr,garK), H(r), (r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K Use K to decrypt the symmetrically encrypted ciphertext Check that the public key inside the envelope has been distributed

23 Decryption C = (gr,garK), H(r), (r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K Use K to decrypt the symmetrically encrypted ciphertext Check that the public key inside the envelope has been distributed Check that the claimed public key was used Hash r and check it against claimed hash of r

24 Decryption C = (gr,garK), H(r), (r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K Use K to decrypt the symmetrically encrypted ciphertext Check that the public key inside the envelope has been distributed Check that the claimed public key was used Hash r and check it against claimed hash of r Raise the public key to the r to check that it was used in the ElGamal encryption

25 Decryption C = (gr,garK), H(r), (r,(g,ga), plaintext)
Use secret key a to decrypt the ElGamal encrypted ciphertext and learn the symmetric key K Use K to decrypt the symmetrically encrypted ciphertext Check that the public key inside the envelope has been distributed Check that the claimed public key was used Hash r and check it against claimed hash of r Raise the public key to the r to check that it was used in the ElGamal encryption If all test pass accept the plaintext

26 Security Provably secure in the Random Oracle Model assuming DDH is hard We have another construction based only on general assumptions We can apply similar techniques to a CCA secure cryptosystem such as Cramer-Shoup

27 Efficiency Efficiency is comparable to standard ElGamal
One exponentiation for encryption Two exponentiations for decryption and verification of a message

28 Comparison with Alternative Methods
Several Independent Public Keys Running time increases linearly with number of potential senders Several Independent Symmetric Keys + Encryption and decryption operations are faster No secrecy of past messages if sender’s key is captured Key must be distributed securely

29 Comparison with Alternative Methods (cont.)
Message Markers Sender puts a random tag on each message that identifies him and which key to use Tag Key 5d234 98b2e6 3891c 7ac023

30 Comparison with Alternative Methods (cont.)
Message Markers Sender puts a random tag on each message that identifies him and which key to use Tag Key 5d234 98b2e6 3891c 7ac023 + Potentially quick way for the receiver to identify her messages and discard messages destined for others - Cannot reuse a mark - Therefore both sender and receiver must update expected next mark – leads to problems if messages are lost

31 Applications Use in anonymous communication between users
Users already employ newsgroups such as alt.anonymous.messages to send PGP encrypted messages to anonymous receivers Protection of anonymity in case of device compromise Receiver distributes a set of sensor nodes that he does not want to be traced back to him Initially trusts the devices, but they could be captured or otherwise compromised

32 Embedding Incomparable Public Keys in Security Protocols
Use with other schemes to enhance anonymity and efficiency We adapted SKEME key exchange protocol to incorporate Incomparable Public Keys Allows for establishment of efficient session key while maintaining anonymity guarantees Peer-to Peer systems P5 allows tradeoff anonymity and efficiency By making all public keys Incomparable we can enhance anonymity while still giving user a tradeoff option

33 Implementation Implemented Incomparable Public Keys by extending GnuPG (PGP) 1.2.0 Available at

34 GnuPG (PGP) Background
Users post encrypted messages to newsgroups to attempt receiver anonymity Software for automatically retrieving messages from newsgroups Jack B. Nymble Private Idaho

35 Implementation: Benefit
Receivers can give have one private key to decrypt messages sent from any one of many Incomparable Public keys Interface is similar to original GnuPG interface Only a few changes needed to be made existing code (ElGamal encryption already exists in GnuPG)

36 Related Work Bellare et al. (2001) Pfitzmann and Waidner (1986)
Introduce notion of Key-Privacy If Key-Privacy is maintained an adversary cannot match ciphertexts with the public keys used to create them The authors do not consider anonymity from senders Pfitzmann and Waidner (1986) Use of multicast address for receiver anonymity Discuss implicit vs. explicit “marks”

37 Related Work (cont.) Chaum (1981) Mix-nets for sender anonymity
Reply addresses usable only once Other work follows this line

38 Conclusion The contents of public keys are important in protecting the receiver’s anonymity from the sender Incomparable Public Keys provide a secure and efficient way of accomplishing receiver anonymity Incomparable Public Keys are useful in practice with Key Exchange and P2P systems

39

Download ppt "Receiver Anonymity via Incomparable Public Keys"

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.

1 Key Exchange Solutions Diffie-Hellman Protocol Needham Schroeder Protocol X.509 Certification.
Public Key Cryptosystem

Public Key Cryptosystem
Off-the-Record Communication, or, Why Not To Use PGP

Off-the-Record Communication, or, Why Not To Use PGP
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
7. Asymmetric encryption-

7. Asymmetric encryption-
Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.

Pass in HW6 now Can use up to 2 late days Can use up to 2 late days But one incentive not to burn them all: teams will get to pick their presentation day.
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Receiver Anonymity via Incomparable Public Keys Brent R. Waters, Edward W. Felten, and Amit Sahai Department of Computer Science Princeton University.

Receiver Anonymity via Incomparable Public Keys Brent R. Waters, Edward W. Felten, and Amit Sahai Department of Computer Science Princeton University.
Computer Science Public Key Management Lecture 5.

Computer Science Public Key Management Lecture 5.
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.
Andreas Steffen, 17.10.2011, 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.

Andreas Steffen, , 4-PublicKey.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications.
1 Lecture 18: E-Mail Security issues specific to email security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.

1 Lecture 18: Security issues specific to security key management services –privacy –integrity/authentication –nonrepudiation/plausible deniability.
Rachana Y. Patil 1 1.

Rachana Y. Patil 1 1.
Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.

Page 1 Secure Communication Paul Krzyzanowski Distributed Systems Except as otherwise noted, the content of this presentation.
Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS 4362 - CIS 5357 Network Security.

Lecture 14 ISAKMP / IKE Internet Security Association and Key Management Protocol / Internet Key Exchange CIS CIS 5357 Network Security.
4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.
Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.

Chapter 3 (B) – Key Management; Other Public Key Cryptosystems.
Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Advanced Database Course (ESED5204) Eng. Hanan Alyazji University of Palestine Software Engineering Department.

Similar presentations

Ads by Google