Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson."— Presentation transcript:

1 Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson

2 Course Admin HW6 solution provided; grading almost done HW7, HW8 to be graded; solutions to be provided HW9 will be posted by tomorrow –You should email me with the formation of your team (of 2 each); one email per team –I’ll create you an account on Vlab and send you instructions on how to access it The final is on Thursday, 12/20, 6-8:30pm

3 Contents Mix Network (Mixnet) Mixnet Applications Mixnet Requirements Robustness of Mixnets Checking a Mixnet’s Robustness

4 Definition: Mix Server A mix server: Receives inputs Produces “related” outputs The relationship between inputs and outputs is secret InputsOutputs ? Mix Server

5 Definition: Mix Network Mix network A group of mix servers that operate sequentially. Server 1Server 2Server 3 InputsOutputs ???

6 Applications Hide:  “who voted for whom?”  “who paid whom?”  “who communicated with whom?”  “what is the source of a message?” Good for protecting privacy for election and communication Used as a privacy building block

7 1.“Who do you like best?” 2.Put your ballot into an WHITE envelope and put again in a RED one and sign on it Electronic Voting Demonstration Jerry  Washington  Lincoln  Roosevelt

8 Administrators will 1.Verify signatures together 2.1 st Admin. shuffles and opens RED envelopes 3.Send them to 2 nd Admin. 4.2 nd Admin. shuffles again and opens WHITE envelopes 5.Count ballots together Electronic Voting Demo. (Cont’d)

9 Jerry Sign voter 1 (encr(encr (vote 1 ))) Sign voter 2 (encr(encr (vote 2 ))). Sign voter n (encr(encr (vote n ))) A real system for elections vote 1 vote 2 vote 3. vote n Mix Net  Washington  Lincoln  Roosevelt Mix Net

10 “Choose one person you like to pay $5” Put your ballot into an WHITE envelope and put again in a RED one and sign on it Jerry Name of the person ( ___________ ) Electronic Payment Demo.

11 Electronic Voting Demo. (Cont’d) Administrators will 1.Verify signatures together 2.Deduct $5 from each account 3.1 st Admin. shuffles and opens RED envelopes 4.Send them to 2 nd Admin. 5.2 nd Admin. shuffles again and opens WHITE envelopes 6.Credit $5 to recipients

12 For paymentspayments Sign payer 1 (encr(encr (payee 1 ))) Sign payer 2 (encr(encr (payee 2 ))). Sign payer n (encr(encr (payee n ))) payee 1 payee 2 payee 3. payee n DEDUCTDEDUCT Credit Jerry Name (________ ) Mix Net

13 For email communication encr (email 1, addressee 1 ) encr (email 2, addressee 2 ). encr (email n, addressee n )...... Mix Net Deliver To: Jerry Don’t forget to have lunch.

14 Other uses Anonymous web browsing (LPWA Anonymizer)LPWAAnonymizer From LPWA homepage

15 Other uses (Cont’d) Location privacy for cellular devices – Location-based service is GOOD ! Landline-phone calling to 911 in the US, 112 in Europe All cellular carrier by December 2005 – RISK ! Location-based spam Harm to a reputation

16 Other uses (Cont’d) Anonymous bulletin boards From A. Juels at WOTE’01 Mix

17 Other uses (Cont’d) Sometimes abuses Avoid legislation (e.g., piracy)

18 Other Uses Anonymous VoIP calls

19 Principle Chaum ’81 Message 1 Message 2 server 1server 2server 3 Privacy Efficiency Trust Robustness Issues :

20 But what about robustness? encr(Berry) encr(Kush) Kush STOP I ignore his output and produce my own There is no robustness!

21 Requirements 1.Privacy Nobody knows who said what 2.Efficiency Mixing is efficient (= practically useful) 3.Trust How many entities do we have to trust? 4.Robustness Will replacement cheaters be caught? What if a certain number of mix servers fail?

22 Zoology of Mix Networks Decryption Mix Nets [Cha81,…]: –Inputs: ciphertexts –Outputs: decryption of the inputs. Re-encryption Mix Nets[PIK93,…]: –Inputs: ciphertexts –Outputs: re-encryption of the inputs InputsOutputs ?

23 First Solution Chaum ’81, implemented by Syverson, GoldschlagSyverson, Goldschlag Not robust (or: tolerates  cheaters for correctness) Requires every server to participate (and in the “right” order!)

24 Re-encryption Mixnet 0.Setup: mix servers generate a shared ElGamal key 1. Users encrypt their inputs: Input Pub-key 3. A quorum of mix servers decrypts the outputs Output Priv-key Server 1Server 2Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix 2. Encrypted inputs are mixed: Proof

25 Recall: El Gamal encryption Public parameters: q is a prime p = 2 k q+1is a prime ggenerator of G p Secret key of a user: x (where 0 < x < q) Public key of this user: y = g x mod p

26 El Gamal Encryption (encrypt m using y) For message (or “plaintext”) : m 1.Pick a number k randomly from [0…q-1] 2.Compute a = y k. m mod p b = g k mod p 3.Output (a,b) Decryption technique (to decrypt (a,b) using x) Compute m a / b x (= y k. m = g xk. m) (g k ) x g kx

27 Re-encryption technique Input: a ciphertext (a,b) wrt public key y 1.Pick a number  randomly from [0…q-1] 2.Compute a’ = y . a mod p b’ = g . b mod p 3.Output (a’, b’) Same decryption technique! Compute m a’ / b’ x (= y k. y . m = g x (k+ . m) (g k. g  ) x g (k+  x

28 A simple mix (a 1, b 1 ) (a 2, b 2 ). (a n, b n ) RE-ENCRYPTRE-ENCRYPT RE-ENCRYPTRE-ENCRYPT (a’ 1,b’ 1 ) (a’ 2,b’ 2 ). (a’ n,b’ n ) (a’’ 1,b’’ 1 ) (a’’ 2,b’’ 2 ). (a’’ n,b’’ n ) Note: different cipher text, different re-encryption exponents!

29 And to get privacy… permute, too! (a 1, b 1 ) (a 2, b 2 ). (a n, b n ) (a’’ 1,b’’ 1 ) (a’’ 2,b’’ 2 ). (a’’ n,b’’ n )

30 Problem Mix servers must prove correct re-encryption –Given n El Gamal ciphertexts E(m i )as input –and n El Gamal ciphertexts E(m’ i ) as output –Compute: E(  mi) and E(  =m’i) –Ask Mix for ZK proof that these ciphertexts decrypt to same plaintexts

31 Tor A low-latency anonymizing network http://www.torproject.org/ Currently 1000 or so routers distributed all over in the internet Can run any SOCKS application on top of Tor No mixing is employed Peer-based: a client can choose to be a router A request is routed to/fro a series of a circuit of three routers A new circuit is chosen every 10 minutes Let’s see Tor in practice

Download ppt "Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson."

Similar presentations

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.

Civitas Verifiability and Coercion Resistance for Remote Voting University of South Alabama August 15, 2012 Michael Clarkson The George Washington University.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.

Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,

Cryptographic Techniques Instructor: Jerry Gao Ph.D. San Jose State University URL: May,
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.
8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.

8-1 What is network security? Confidentiality: only sender, intended receiver should “understand” message contents m sender encrypts message m receiver.
CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

CS 105 – Introduction to the World Wide Web  HTTP Request*  Domain Name Translation  Routing  HTTP Response*  Privacy and Cryptography  Adapted.

Similar presentations

Ads by Google