Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813

Published byAndrea Dawson Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813"— Presentation transcript:

1 Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813
* Some slides borrowed from Philippe Golle, Markus Jacobson 1/18/2019

2 Course Admin Midterm is still being graded
Sorry for the delay! Solution will be posted soon HW4 solution will be provided HW5 will be posted soon 1/18/2019

3 A Case History: AOL Web Search Query Log Leakage
AOL's disturbing glimpse into users' lives, CNET News, August 7, 2006 21 million search queries posed over a 3-month long period; 650,000 users No user identification information released per se, but?? Search Log still available: 1/18/2019

4 Outline Mix Network (Mixnet) Mixnet Applications Mixnet Requirements
Robustness of Mixnets Types of Mixnets Decryption based (Onion Routing) Re-encryption based 1/18/2019

5 Definition: Mix Server (or Relay)
? Inputs Outputs A mix server: Receives inputs Produces “related” outputs The relationship between inputs and outputs is secret a mix server receives a set of inputs and produces related outputs so that the relationship between inputs and outputs can not be learned by anyone but the mix server. 1/18/2019

6 Definition: Mix Network
A group of mix servers that operate sequentially. Server 1 Server 2 Server 3 Inputs Outputs ? ? ? a mix server receives a set of inputs and produces related outputs so that the relationship between inputs and outputs can not be learned by anyone but the mix server. 1/18/2019

7 Applications Hide:  “who voted for whom?”  “who paid whom?”
 “who communicated with whom?”  “what is the source of a message?” Good for protecting privacy for election and communication Used as a privacy building block 1/18/2019

8 Electronic Voting Demonstration
“Who do you like best?” Put your ballot into a WHITE envelope and put again in a RED one and sign on it Washington Lincoln Roosevelt Jerry 1/18/2019

9 Electronic Voting Demo. (Cont’d)
Administrators will Verify signatures together 1st Admin. shuffles and opens RED envelopes Send them to 2nd Admin. 2nd Admin. shuffles again and opens WHITE envelopes Count ballots together 1/18/2019

10 A real system for elections
Sign voter 1 (encr(encr (vote1))) Sign voter 2 (encr(encr (vote2))) . Sign voter n (encr(encr (voten))) vote1 vote2 vote3 . voten Mix Net Mix Net Jerry Washington Lincoln Roosevelt 1/18/2019

11 Electronic Payment Demo.
“Choose one person you like to pay $5” Put your ballot into an WHITE envelope and put again in a RED one and sign on it Name of the person ( ___________ ) Jerry 1/18/2019

12 Electronic Voting Demo. (Cont’d)
Administrators will Verify signatures together Deduct $5 from each account 1st Admin. shuffles and opens RED envelopes Send them to 2nd Admin. 2nd Admin. shuffles again and opens WHITE envelopes Credit $5 to recipients 1/18/2019

13 For payments payee1 payee2 payee3 . payeen
Sign payer 1 (encr(encr (payee1))) Sign payer 2 (encr(encr (payee2))) . Sign payer n (encr(encr (payeen))) D E U C T Mix Net Jerry Credit Name (________ ) 1/18/2019

14 For email communication
. encr ( 1, addressee1) encr ( 2, addressee2) . encr ( n, addresseen) Mix Net To: Jerry Don’t forget to have lunch. Deliver 1/18/2019

15 Other uses Anonymous web browsing; web searching (Anonymizer)
From LPWA homepage 1/18/2019

16 Other uses (Cont’d) Location privacy for cellular devices
Location-based service is GOOD ! Landline-phone calling to 911 in the US, 112 in Europe All cellular carrier by December 2005 RISK ! Location-based spam Harm to a reputation 1/18/2019

17 Other Uses Anonymous VoIP calls Anonymous patch aquisition 1/18/2019

18 Other uses (Cont’d) Sometimes abuses Avoid legislation (e.g., piracy)
P2P sharing of copyright content Terrorism: communication with media Mumbai attacks 1/18/2019

19 Principle Issues : Chaum ’81 Message 1 Message 2 Privacy Efficiency
server 1 server 2 server 3 Issues : Privacy Efficiency Trust Robustness 1/18/2019

20 But what about robustness?
I ignore his output and produce my own STOP encr(Berry) encr(Kush) Kush There is no robustness! 1/18/2019

21 Requirements Privacy Nobody knows who said what
Efficiency Mixing is efficient (= practically useful) Trust How many entities do we have to trust? Robustness Will replacement cheaters be caught? What if a certain number of mix servers fail? 1/18/2019

22 Zoology of Mix Networks
Inputs Outputs ? Decryption Mix Nets [Cha81,…]: Inputs: ciphertexts Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: Outputs: re-encryption of the inputs 1/18/2019

23 First Solution Chaum ’81, implemented by Syverson, Goldschlag
Not robust (or: tolerates 0 cheaters for correctness) Requires every server to participate (and in the “right” order!) 1/18/2019

24 Re-encryption Mixnet 0. Setup: mix servers generate a shared ElGamal key 1. Users encrypt their inputs: Input Pub-key Server 1 Server 2 Server 3 re-encrypt & mix 2. Encrypted inputs are mixed: Proof 3. A quorum of mix servers decrypts the outputs Output Priv-key 1/18/2019

25 Recall: Discrete Logarithm Assumption
p, q primes such that q|p-1 g is an element of order q and generates a group Gq of order q x in Zq, y = gx mod p Given (p, q, g, y), it is computationally hard to compute x No polynomial time algorithm known p should be 1024-bits and q be 160-bits x becomes the private key and y becomes the public key 1/18/2019

26 ElGamal Encryption Encryption (of m in Gq): Decryption of (k,c)
Choose random r in Zq k = gr mod p c = myr mod p Output (k,c) Decryption of (k,c) M = ck-x mod p Secure under discrete logarithm assumption 1/18/2019

27 ElGamal Example: dummy
Let’s construct an example KeyGen: p = 11, q = 2 or 5; let’s say q = 5 2 is a generator of Z11* g = 22 = 4 x = 2; y = 42 mod 11 = 5 Enc(3): r = 4  k = 44 mod 11 = 3 c = 3*54 mod 11 = 5 Dec(3,5): m = 5*3-2 mod 11 = 3 1/18/2019

28 Re-encryption technique
Input: a ciphertext (k,c) wrt public key y Pick a number r’ randomly from [0…q-1] Compute k’ = kgr’ mod p c’ = cyr’ mod p Output (k’, c’) Same decryption technique! Compute m k’c’-x 1/18/2019

29 A simple mix (k1, c1) (k2, c2) . (kn, cn) (k’1,c’1) (k’2,c’2) .
R E - N C Y P T R E - N C Y P T (k1, c1) (k2, c2) . (kn, cn) (k’1,c’1) (k’2,c’2) . (k’n,c’n) (k’’1,c’’1) (k’’2,c’’2) . (k’’n,c’’n) Note: different cipher text, different re-encryption exponents! 1/18/2019

30 And to get privacy… permute, too!
(k1, c1) (k2, c2) . (kn, cn) (k’’1,c’’1) (k’’2,c’’2) . (k’’n,c’’n) 1/18/2019

31 Problem Mix servers must prove correct re-encryption
Given n El Gamal ciphertexts E(mi)as input and n El Gamal ciphertexts E(m’i) as output Compute: E( mi) and E(=m’i) Ask Mix for ZK proof that these ciphertexts decrypt to same plaintexts 1/18/2019

32 Anonymizing Network in practice: Tor
A low-latency anonymizing network Currently 1000 or so routers distributed all over in the internet Can run any SOCKS application on top of Tor Peer-based: a client can choose to be a router A request is routed to/fro a series of a circuit of three routers A new circuit is chosen every 10 minutes 1/18/2019

Download ppt "Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813"

Similar presentations

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.

Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.

UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Chapter 3 Encryption Algorithms & Systems (Part C)

Chapter 3 Encryption Algorithms & Systems (Part C)

Similar presentations

Ads by Google