Presentation is loading. Please wait.

Presentation is loading. Please wait.

UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari."— Presentation transcript:

1 UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari Juels RSA Labs Philippe Golle Stanford (now at PARC)

2 Extra Acknowledgements Most Mix illustrations cribbed from a talk by Ari Juels Some RFID slides cribbed from Markus Jakobsson’s ACM WiSe’03 talk See their Web pages for originals

3 Talk Outline Background and Motivation for mixes and universal re-encryption Definitions, Security Properties Implementation using ElGamal Applications: Bulletin Board, RFID Privacy Security Arguments

4 What does a mix network do? message 1 message 2 message 3 message 4 Randomly permutes and decrypts inputs Mix network

5 What does a mix network do? message 2 Key property: Adversary can’t tell which ciphertext corresponds to a given message ?

6 Example application: Anonymizing bulletin board or e-mail From Bob From Charlie From Alice

7 From Bob From Charlie From Alice “I love Alice” “Nobody loves Bob” “I love Charlie” Is it Bob, Charlie, self-love, or other? Example application: Anonymizing bulletin board or e-mail

8 A look under the hood

9 Basic Mix (Chaum ‘81) Server 1 Server 2 Server 3 PK 1 PK 2 PK 3

10 Encryption of Message PK 1 PK 2 PK 3 message Ciphertext = E PK1 [E PK2 [E PK3 [message]]]

11 Basic Chaumian Mix Server 1 Server 2 Server 3 m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1

12 Basic Chaumian Mix m1 m2 m3 m2 m3 m1 decrypt and permute m2 m1 m3 decrypt and permute decrypt and permute m2 m3 m1 Observe: As long as one server is honest, privacy is preserved

13 Basic Chaumian Mix Server 1 Server 2 Server 3 m3 ?

14 What if one server fails? Server 1 Server 2 Server 3 SK 2 Previous solution ideas: Robustness: Share key among other mixes Twinning  Splitting Reliability: Track and use reputable mixes

15 What if one server fails? Server 1 Server 2 Server 3 SK 2 New Idea: Mixing without keys No need to depend on any server (recovery mechanism) No need to trust servers to protect keys No need for PKI X

16 A look further under the hood

17 Basic Re-encryption Mixnet Inputs are ciphertexts Outputs are a re-encryption of the inputs. ElGamal public key encryption: –Anyone can encrypt with the public key e –Those who know the secret key d can also decrypt –Malleable: can produce E 2 (m) from E 1 (m) without knowing d –Verifiable –Multiplicative homomorphism: given E(m) and E(m’) I can produce E(mm’)

18 Universal Re-encryption Mixnet Inputs are ciphertexts Outputs are a re-encryption of the inputs. ElGamal public key encryption: –Anyone can encrypt without the public key e –Those who know the secret key d can also decrypt –Messages encrypted with different keys are indistinguishable

19 Talk Outline Background and Motivation for mixes and universal re-encryption Definitions, Security Properties Implementation using ElGamal Applications: Bulletin Board, RFID Privacy Security Arguments

20 Randomized Public-Key Cryptosystem (PK, SK)  KG:generate key pairs C  E(m, r, PK):encryption of m m  D(SK, C):decryption of C

21 Semantic Security Adversary chooses (m 0, m 1 ) Messages are encrypted (C 0, C 1 ) = (E(m 0, r 0, PK), E(m 1, r 1, PK)) and randomly permuted If adversary determines order correctly no better than by guessing (within  ) system is semantically secure

22 Re-encryption Given: Randomized public-key cryptosystem Ciphertexts of form C = E(m, r, PK) C’  Re(C, r’, PK) :Re-encryption of m

23 Semantic Security under Re-encryption Adversary chooses (C 0, C 1 ) Messages are re-encrypted (C 0 ’, C 1 ’ ) = (Re(C 0, r 0 ’, PK), Re(C 1, r 1 ’, PK)) and randomly permuted If adversary gets order correct no better than by guessing (within  ) system is semantically secure under re-encryption

24 Key-Privacy (Anonymity) Adversary chooses message m m is encrypted under PK 0 and PK 1 E(m, PK 0 ) = C 0 E(m, PK 1 ) = C 1 If adversary guesses correspondence of ciphertext with public key with negligible advantage, scheme satisfies key-privacy Bellare et al. (ASIACRYPT’01) showed ElGamal provides anonymity under chosen- ciphertext assuming DDH.

25 Given: Randomized public-key cryptosystem Ciphertexts of form C = E(m, r, PK) C’  URe(C, r’, PK) : Universal re-encryption of m Universal Re-encryption X

26 Universal Semantic Security under Re-encryption Combines semantic security and key-privacy Given PK 0 and PK 1 adversary chooses (m 0, m 1, r 0, r 1 ) to produce (C 0, C 1 ) Messages are universal re-encrypted (C 0 ’, C 1 ’ ) = (URe(C 0, r 0 ’), URe(C 1, r 1 ’)) Ciphertexts are randomly ordered (C b ’, C 1-b ’ ) If adversary gets order correct no better than by guessing (within  ) system is universal semantically secure under re-encryption

27 Talk Outline Background and Motivation for mixes and universal re-encryption Definitions, Security Properties ElGamal based Universal Re-encryption Applications: Bulletin Board, RFID Privacy Security Arguments

28 ElGamal Encryption P,Q are prime, P = 2Q + 1 G Q subgroup of Z P * of order Q g generator of G Q x  G Q is private key y = g x mod P is public key E(m) = (g r, my r ) where r  G Q,r random D(G,M) = M/G x = my r /g xr = m

29 ElGamal with Re-encryption Ciphertext (G,M) Re-encryption (G’,M’) = (Gg r’, My r’ ) Needs public key y but not private key D(G’,M’) = M’/G’ x = my rr’ /g xrr’ = m Introduced for voting Much work on efficient provable shuffles

30 Universal Re-encryption (a,b) = (E[m]; E[1]) E is ElGamal enc (a’,b’) = (R[b,k]a; R[b,k ’]) R[*,k] is re-encryption with random k (E[m]’, E[1]’)= ([(my r y kr’, g r g kr’ ), (y r’k’, g r’k’ )] D(E[m]’) = M’/G’ x = my krr’ /g xkrr’ = m

31 Symmetric-hybrid Encryption U[k 1 ],U[1],e[k 1,m] U[1] is universal blank can be converted to U[m i ] can be reused e[k 1,m] is symmetric encryption of m Final message U[k 1 ],U[k 2 ],…U[k n ],e[k n,e[k n-1,…e[k 1,m]…] Can also do an asymmetric hybrid

32 Talk Outline Background and Motivation for mixes and universal re-encryption Definitions, Security Properties Implementation using ElGamal Applications: Low Volume Bulletin Board, RFID Privacy Security Arguments

33 Universal Mixnet (Bulletin Board) Senders post messages universally encrypted for recipients Proof of Knowledge if nonmalleability desired Any server can download, mix, and repost any or all messages Servers can be dynamic Shuffle proof if desired No PKI and less trust of each server No robustness/reliability issues with server failure No overhead or threats from replay (universal semantic security)

34 Low Volume Bulletin Board Suppose a bulletin board as above Can mix with previous messages on board Advantage: less delay retrieving new posts Advantage: no need to detect replay (sort of) Disadvantage: Must try decrypting all messages to find ones for you Mitigate growth with message removal after PoK?

35 RFID Tags EZ Pass automated toll payment Supermarket shipment tracking, stock monitoring, theft prevention Consumer stock monitoring, ordering Consumer theft-protection of belongings Implants in family pets Monitoring cash flows (500 Euro notes)

36 Privacy Problems

37 Privacy Solutions?

38

39 Method 2: “Put to sleep” RFID tags Problems: No continuous use Complexity, key management, trust

40 Privacy Solution: Blocker Tags (Juels, Rivest & Szydlo)

41 Universal Re-encryption for RFID Tag Privacy (Example) Alice at supermarket checkout. Uses PK Alice from fidelity card. Cashier creates universal ciphertexts on Alice’s purchase IDs. As Alice walks home passes readers that re- encrypt her tags or does it herself. Alice enters home, tags decrypted for home use.

42 Security of ElGamal based BB Correctness: Can do shuffle proofs of correct mixing Communication privacy: If the universal cryptosystem is universal semantic- secure, then bulletin board construct provides communication privacy. For ElGamal implementation, communication privacy reduced to DDH.

43 Conclusions Universal Re-encryption: New primitive Proven Security: ElGamal BB is correct (wrt mixing) ElGamal BB reducible to DDH. Applications: Reduced trust in mixes Less complex mixnets (no PKI) Privacy preserving RFID tags Future Reduce receiver overhead in bulletin board Meteor Mixing (with George Danezis)

Download ppt "UMBC Protocol Meeting 10/01/03 Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson NRL Markus Jakobsson Ari."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.

RPC Mixing: Making Mix-Nets Robust for Electronic Voting Ron Rivest MIT Markus Jakobsson Ari Juels RSA Laboratories.
Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.

Auditable Privacy: On Tamper-Evident Mix Networks Jong Youl Choi Dept. of Computer Science Indiana University at Bloomington Philippe Golle Palo Alto Research.
Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.

Lecture 7.1: Privacy and Anonymity Using Anonymizing Networks - I CS 436/636/736 Spring 2012 Nitesh Saxena Some slides borrowed from Philippe Golle, Markus.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.

Receipt-free Voting Joint work with Markus Jakobsson, C. Andy Neff Ari Juels RSA Laboratories.
7. Asymmetric encryption-

7. Asymmetric encryption-
Reusable Anonymous Return Channels

Reusable Anonymous Return Channels
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.

Secret Handshakes from CA-Oblivious Encryption Asiacrypt 2004, Jeju-do, Korea Claude Castelluccia, Stanisław Jarecki, Gene Tsudik UC Irvine.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.

Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Similar presentations

Ads by Google