1
UMBC Protocol Meeting 10/01/03
Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04)
Paul Syverson (NRL); Markus Jakobsson, Ari Juels (RSA Labs); Philippe Golle (Stanford, now at PARC)
2
Extra Acknowledgements
– Most Mix illustrations cribbed from a talk by Ari Juels
– Some RFID slides cribbed from Markus Jakobsson’s ACM WiSe’03 talk
– See their Web pages for originals
3
Talk Outline
– Background and Motivation for mixes and universal re-encryption
– Definitions, Security Properties
– Implementation using ElGamal
– Applications: Bulletin Board, RFID Privacy
– Security Arguments
4
What does a mix network do?
[Figure: message 1, message 2, message 3, message 4 passing through a mix network]
Randomly permutes and decrypts inputs
5
What does a mix network do?
[Figure: message 2, marked "?"]
Key property: Adversary can’t tell which ciphertext corresponds to a given message
6
Example application: Anonymizing bulletin board or e-mail
[Figure: messages labelled "From Bob", "From Charlie", "From Alice"]
7
Example application: Anonymizing bulletin board or e-mail
[Figure: senders "From Bob", "From Charlie", "From Alice"; messages “I love Alice”, “Nobody loves Bob”, “I love Charlie”]
Is it Bob, Charlie, self-love, or other?
8
A look under the hood
9
Basic Mix (Chaum ‘81)
[Figure: Server 1, Server 2, Server 3 with public keys $PK_1$, $PK_2$, $PK_3$]
10
Encryption of Message
[Figure: message wrapped under $PK_1$, $PK_2$, $PK_3$]
$\text{Ciphertext} = E_{PK_1}[E_{PK_2}[E_{PK_3}[\text{message}]]]$
11
Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3 each decrypt and permute the batch m1, m2, m3]
12
Basic Chaumian Mix
[Figure: three decrypt-and-permute stages over the batch m1, m2, m3]
Observe: As long as one server is honest, privacy is preserved
13
Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3; m3, marked "?"]
14
What if one server fails?
[Figure: Server 1, Server 2, Server 3; $SK_2$]
Previous solution ideas:
– Robustness: Share key among other mixes
– Twinning
– Splitting
– Reliability: Track and use reputable mixes
15
What if one server fails?
[Figure: Server 1, Server 2, Server 3; $SK_2$, marked with an "X"]
New Idea: Mixing without keys
– No need to depend on any server (recovery mechanism)
– No need to trust servers to protect keys
– No need for PKI
16
A look further under the hood
17
Basic Re-encryption Mixnet
Inputs are ciphertexts
Outputs are a re-encryption of the inputs.
ElGamal public key encryption:
– Anyone can encrypt with the public key $e$
– Those who know the secret key $d$ can also decrypt
– Malleable: can produce $E_2(m)$ from $E_1(m)$ without knowing $d$
– Verifiable
– Multiplicative homomorphism: given $E(m)$ and $E(m')$ I can produce $E(mm')$
18
Universal Re-encryption Mixnet
Inputs are ciphertexts
Outputs are a re-encryption of the inputs.
ElGamal public key encryption:
– Anyone can encrypt without the public key $e$
– Those who know the secret key $d$ can also decrypt
– Messages encrypted with different keys are indistinguishable
19
Talk Outline
– Background and Motivation for mixes and universal re-encryption
– Definitions, Security Properties
– Implementation using ElGamal
– Applications: Bulletin Board, RFID Privacy
– Security Arguments
20
Randomized Public-Key Cryptosystem
– $(PK, SK) \leftarrow KG$: generate key pairs
– $C \leftarrow E(m, r, PK)$: encryption of $m$
– $m \leftarrow D(SK, C)$: decryption of $C$
21
Semantic Security
– Adversary chooses $(m_0, m_1)$
– Messages are encrypted, $(C_0, C_1) = (E(m_0, r_0, PK), E(m_1, r_1, PK))$, and randomly permuted
– If adversary determines order correctly no better than by guessing (within ), system is semantically secure
22
Re-encryption
Given:
– Randomized public-key cryptosystem
– Ciphertexts of form $C = E(m, r, PK)$
$C' \leftarrow Re(C, r', PK)$: Re-encryption of $m$
23
Semantic Security under Re-encryption
– Adversary chooses $(C_0, C_1)$
– Messages are re-encrypted, $(C_0', C_1') = (Re(C_0, r_0', PK), Re(C_1, r_1', PK))$, and randomly permuted
– If adversary gets order correct no better than by guessing (within ), system is semantically secure under re-encryption
24
Key-Privacy (Anonymity)
– Adversary chooses message $m$
– $m$ is encrypted under $PK_0$ and $PK_1$: $E(m, PK_0) = C_0$, $E(m, PK_1) = C_1$
– If adversary guesses correspondence of ciphertext with public key with negligible advantage, scheme satisfies key-privacy
– Bellare et al. (ASIACRYPT’01) showed ElGamal provides anonymity under chosen-ciphertext assuming DDH.
25
Universal Re-encryption
Given:
– Randomized public-key cryptosystem
– Ciphertexts of form $C = E(m, r, PK)$
$C' \leftarrow URe(C, r', PK)$: Universal re-encryption of $m$
[Slide graphic: "X" overlay]
26
Universal Semantic Security under Re-encryption
– Combines semantic security and key-privacy
– Given $PK_0$ and $PK_1$, adversary chooses $(m_0, m_1, r_0, r_1)$ to produce $(C_0, C_1)$
– Messages are universal re-encrypted: $(C_0', C_1') = (URe(C_0, r_0'), URe(C_1, r_1'))$
– Ciphertexts are randomly ordered: $(C_b', C_{1-b}')$
– If adversary gets order correct no better than by guessing (within ), system is universal semantically secure under re-encryption
27
Talk Outline
– Background and Motivation for mixes and universal re-encryption
– Definitions, Security Properties
– ElGamal based Universal Re-encryption
– Applications: Bulletin Board, RFID Privacy
– Security Arguments
28
ElGamal Encryption
– $P, Q$ are prime, $P = 2Q + 1$
– $G_Q$ subgroup of $\mathbb{Z}_P^*$ of order $Q$
– $g$ generator of $G_Q$
– $x \in G_Q$ is private key
– $y = g^x \bmod P$ is public key
– $E(m) = (g^r, m y^r)$ where $r \in G_Q$, $r$ random
– $D(G, M) = M/G^x = m y^r / g^{xr} = m$
29
ElGamal with Re-encryption
– Ciphertext $(G, M)$
– Re-encryption $(G', M') = (G g^{r'}, M y^{r'})$
– Needs public key $y$ but not private key
– $D(G', M') = M'/G'^x = m y^{rr'} / g^{xrr'} = m$
– Introduced for voting
– Much work on efficient provable shuffles
30
Universal Re-encryption
– $(a, b) = (E[m]; E[1])$, where $E$ is ElGamal enc
– $(a', b') = (R[b, k]\,a; R[b, k'])$, where $R[*, k]$ is re-encryption with random $k$
– $(E[m]', E[1]') = [(m y^r y^{kr'}, g^r g^{kr'}), (y^{r'k'}, g^{r'k'})]$
– $D(E[m]') = M'/G'^x = m y^{krr'} / g^{xkrr'} = m$
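The pair construction on this slide as a runnable sketch; this is an added example, not code from the talk or its authors. The toy group P = 2039, all function names, and the rule that a recipient accepts a ciphertext only when the blank E[1] decrypts to 1 are assumptions of the example.

```python
import secrets

# Toy safe-prime group, constructed for illustration (far too small for real use):
# P = 2Q + 1 with P, Q prime; g = 4 generates the order-Q subgroup G_Q.
P, Q, g = 2039, 1019, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1           # exponent in [1, Q-1]

def keygen():
    x = rand_exp()
    return x, pow(g, x, P)                        # private x, public y = g^x

def elgamal(m, y):
    r = rand_exp()
    return pow(g, r, P), m * pow(y, r, P) % P     # (G, M) = (g^r, m*y^r)

def u_encrypt(m, y):
    """Universal ciphertext (a, b) = (E[m], E[1])."""
    return elgamal(m, y), elgamal(1, y)

def u_reencrypt(ct):
    """Re-randomise from the ciphertext alone; no public key is used."""
    (Ga, Ma), (Gb, Mb) = ct
    k, k2 = rand_exp(), rand_exp()
    a2 = Ga * pow(Gb, k, P) % P, Ma * pow(Mb, k, P) % P   # a * b^k
    b2 = pow(Gb, k2, P), pow(Mb, k2, P)                   # b^k'
    return a2, b2

def decrypt_pair(pair, x):
    G, M = pair
    return M * pow(G, P - 1 - x, P) % P           # M / G^x

def u_decrypt(ct, x):
    """Return m if the blank decrypts to 1 under x, else None."""
    a, b = ct
    if decrypt_pair(b, x) != 1:
        return None                               # not encrypted under this key
    return decrypt_pair(a, x)

def demo():
    x_alice, y_alice = keygen()
    x_bob = x_alice % (Q - 1) + 1                 # any key different from Alice's
    m = pow(123, 2, P)                            # message encoded into G_Q
    mixed = u_reencrypt(u_reencrypt(u_encrypt(m, y_alice)))  # two keyless hops
    return m, u_decrypt(mixed, x_alice), u_decrypt(mixed, x_bob)

if __name__ == "__main__":
    print(demo())
```

Only `u_encrypt` takes a public key; each mix hop works on the ciphertext alone, and a reader holding the wrong private key sees the blank decrypt to something other than 1.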
31
Symmetric-hybrid Encryption
– $U[k_1], U[1], e[k_1, m]$
– $U[1]$ is universal blank
– can be converted to $U[m_i]$
– can be reused
– $e[k_1, m]$ is symmetric encryption of $m$
– Final message: $U[k_1], U[k_2], \ldots, U[k_n], e[k_n, e[k_{n-1}, \ldots e[k_1, m] \ldots]]$
– Can also do an asymmetric hybrid
32
Talk Outline
– Background and Motivation for mixes and universal re-encryption
– Definitions, Security Properties
– Implementation using ElGamal
– Applications: Low Volume Bulletin Board, RFID Privacy
– Security Arguments
33
Universal Mixnet (Bulletin Board)
– Senders post messages universally encrypted for recipients
– Proof of Knowledge if nonmalleability desired
– Any server can download, mix, and repost any or all messages
– Servers can be dynamic
– Shuffle proof if desired
– No PKI and less trust of each server
– No robustness/reliability issues with server failure
– No overhead or threats from replay (universal semantic security)
34
Low Volume Bulletin Board
– Suppose a bulletin board as above
– Can mix with previous messages on board
– Advantage: less delay retrieving new posts
– Advantage: no need to detect replay (sort of)
– Disadvantage: Must try decrypting all messages to find ones for you
– Mitigate growth with message removal after PoK?
35
RFID Tags
– EZ Pass automated toll payment
– Supermarket shipment tracking, stock monitoring, theft prevention
– Consumer stock monitoring, ordering
– Consumer theft-protection of belongings
– Implants in family pets
– Monitoring cash flows (500 Euro notes)
36
Privacy Problems
37
Privacy Solutions?
39
Method 2: “Put to sleep” RFID tags
Problems:
– No continuous use
– Complexity, key management, trust
40
Privacy Solution: Blocker Tags (Juels, Rivest & Szydlo)
41
Universal Re-encryption for RFID Tag Privacy (Example)
– Alice at supermarket checkout.
– Uses $PK_{Alice}$ from fidelity card.
– Cashier creates universal ciphertexts on Alice’s purchase IDs.
– As Alice walks home passes readers that re-encrypt her tags or does it herself.
– Alice enters home, tags decrypted for home use.
42
Security of ElGamal based BB
– Correctness: Can do shuffle proofs of correct mixing
– Communication privacy: If the universal cryptosystem is universal semantic-secure, then bulletin board construct provides communication privacy.
– For ElGamal implementation, communication privacy reduced to DDH.
43
Conclusions
Universal Re-encryption: New primitive
Proven Security:
– ElGamal BB is correct (wrt mixing)
– ElGamal BB reducible to DDH.
Applications:
– Reduced trust in mixes
– Less complex mixnets (no PKI)
– Privacy preserving RFID tags
Future
– Reduce receiver overhead in bulletin board
– Meteor Mixing (with George Danezis)