Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy Enhancing Technologies Spring 2012. What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies.

Published byRussell Atkinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Privacy Enhancing Technologies Spring 2012. What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies."— Presentation transcript:

1 Privacy Enhancing Technologies Spring 2012

2 What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies focus on Anonymity

3 What is anonymity? Unobservability Unlinkability Sender anonymity Receiver anonymity

4 Overview of Anonymity Concepts Chaum’s MIX Dining Cryptographers Onion Routing Crowds

5 Applications beyond privacy Digital Cash Anonymous e-voting Censorship-resistant publishing Untraceable e-mail

6 Chaum’s MIX Presented first in 1981 by David Chaum Uses public key cryptography for anonymous e-mail Basic Idea: –E-mails would be sent to a “Mix” which would then forward them onto reciepents Key building block for anonymity systems

7 Example A B K m (B, K B (A,M)) K B (A,M)

8 Example A B C D E K m (B, K B (D,M)) K m (B, K B (A,M)) K m (E, K E (C,M)) K E (C,M) K B (D,M) K B (A,M)

9 What does this buy us? Unlinkability –The adversary knows all the senders and receivers but cannot link senders to receivers

10 MIX Cascade What if some of the mixes are controlled by adversaries? A cascade of mixes can be used to handle compromised mixes How many adversaries can this withstand? –N-1

11 Dining Cryptographers Also introduced by Chaum Purpose is to release a public message in a perfectly untraceable manner

12 The Protocol N cryptographers are having dinner Waiter tells them that the dinner has been paid for They want to know whether it was paid by one of them or the NSA agent in the corner

13 The Protocol 1.Each diner flips a coin and shows it to his left neighbor 2.Each diner announces whether he and his neighbor’s coin flips are the same or different. The payer lies. 3.Even number of “same” => NSA paid Odd number of “same” => one the diners paid

14 Example – NSA Pays Different Same

15 Example – Diner Pays Payer Same Different Same

16 Problems with DC Very Impractical –Only one bit sent at a time –Each party has to have pairwise secure channels –Massive communication overhead

17 How much anonymity is afforded to the sender in DC? We know the sender is one of N diners This is sometimes called K-anonymity –We know you are one of k persons, but that’s the best we can do –This is term is used especially with respect to databases

18 Anonymity via Random Routing Hide message source through random routing Routers don’t know for sure who the source of the message is

19 Many methods Onion routing Crowds Tor …

20 Onion Routing Sender chooses a random sequence of routers –Some are honest, some aren’t –Similar to MIX cascade Goal: Hostile routers shouldn’t learn Alice is talking to Bob

21 Onion Routing Onion encryption: { R 2, { R 3, { Bob, {M} K4 } K3 } K2 } K1 R1, K1R2, K2R3, K3 Bob, K4Alice, K1, K2, K3, K4

22 Crowds Routers form a random path –Different than onion routing because the routers choose path, not sender After receiving a message router flips a biased coin –With probability p, the router forwards the message to another router –With probability 1-p, the router forwards the message to the recipient

23 Example R1 R2 R3 R4 R R R R Alice Bob From: R3 To: Bob

24 Probabilistic Notions of Anonymity Beyond suspicion –The observed source of the message is no more likely to be the true sender than anybody else Probable innocence –Probability that the observed source of the message is the true sender is less than 50% –Guaranteed by Crowds if there are sufficiently many honest routers: Ngood+Nbad ≥ pf/(pf-0.5)(Nbad +1) Possible innocence –Non-trivial probability that the observed source of the message is not the true sender

25 A Couple of issues Is probable innocence enough? 1% 1% 1% 49% 1% 1% … 1% Multiple-paths vulnerability –Can attacker relate multiple paths from same sender? E.g., browsing the same website at the same time of day –Each new path gives attacker a new observation –Can’t keep paths static since members join and leave

26 Digital Cash Cash is a universally anonymous payment system How can we have anonymous payments online? Idea –Alice can pay for something with a digital cash token –If she double-spent a digital cash, her identity should be revealed

27 Blind signatures Blind signatures are used when you want someone to sign something but you don’t want them to see what they are signing –E.g. A notary This is done by multiplying the message by a secret number (called blinding). The signer signs the blinded message The secret number can be divided out to get a signed version of the message

28 RSA Blind Signatures Alice wants Bob to sign message M. She gives him M*r eb mod n Bob signs this giving Alice s’=(M*r eb ) db mod n = M db r eb*db mod n = M db r mod n Alice can then remove the blind by calculating s= s’*r -1 mod n = M db mod

29 Example Alice’s Message: 28 Bob’s public key: 17 Bob’s private key: 53 (n = 77) Alice asks Bob to sign 70(=28*6 17 mod 77) Bob signs 70 and sends Alice 42 Alice multiplies 42 by 13 (mod 77) to get 7 –28 53 mod 77 = 7

30 Getting Cash Alice creates a bunch (lets say N) of money orders for the same amount (say $100) –Each is given a unique identifier –Each includes n pairs of identity bit strings $100 ID: 1234567 Identity bit strings: I 1 = (I 1L, I 1R ) I 2 = (I 2L, I 2R )... I n = (I nL, I nR )

31 How the identity bit strings were created Secret splitting! How it works: –Alice created an identity I –She then picked n random numbers: r 1 …r n –Then she calculates s j = I  r j –I j = (s j, r j ) –For all j, I = s j  r j

32 Getting Cash Alice blinds these messages and sends them to the bank to sign The bank asks Alice to unblind n-1 messages (banks choice) Alice complies and when the banks sees they are all “well formed” then sign the remaining money order Alice unblinds this remaining (signed) money order and spends it

33 Spending Cash Alice presents a token to a merchant The merchant asks Alice to randomly reveal either the right or left half of each identity bit string –Essentially they send her a random bit string of length n, called a selector string. –If bit j is 0, Alice reveals I jL and if bit j is 1 Alice reveals I jR

34 Merchant cashes the token The merchant takes the token to the bank –Note that the token has half of the identity bit strings revealed The bank verifies the signature and adds the token to a database of spent tokens

35 Catching Cheaters When the bank checks the signature on a token it also check to see if the token has previously been spent If it has, Alice’s identity is likely to be revealed –Why? Because its unlikely that both merchants sent her the same selector string –This means that there is at least one identity pair for which the bank has both halves

36 Secure Multi-party Computation Imagine that you want to compute something (say an average salary), but you don’t want the people you are computing with to find out your inputs. Solution: Secure Multi-party computation

37 Secure Multi-party Computation Dining Cryptographers is a special case of this problem –The diners want to compute who paid without admitting they paid Computing an average is an easy case of Secure Multi-party computation

38 Secure Sum Imagine that Alice, Bob, Carol and Dave want to compute the average of their salaries. Also, assume they all have public and private keys (E a, D a respectively for Alice)

39 Secure Sum 1.Alice picks a random number r and adds it to her salary (S a ). 2.Alice sends Bob C b = E b (S a + r) 3.Bob decrypts C b and adds his salary to the result and sends Carol C c = (S b +S a + r) 4.And so forth until… 5.Dave then sends C a =E a (S d +S c + S b +S a + r) to Alice 6.Alice computes (D a (C a ) – r) and divides it by 4 to get the average salary 7.Alice then broadcasts the result to Bob, Carol, and Dave

40 Problems with Secure Sum This protocol depends on Alice being honest. –Alice can use 2 different r’s and misrepresent the average This can be prevented using a bit commitment scheme –This allows the others to guarantee later that Alice used the same r –But! Then Bob could figure out her salary

41 Conclusion Anonymity is one of the technological foundations for privacy MIX nets are used to hide linkability between senders and receivers –Onion routing and crowds are essentially implementations of MIX cascades DC nets allow for anonymous publishing Digital Cash allows for anonymous transactions

Download ppt "Privacy Enhancing Technologies Spring 2012. What is Privacy? “The right to be let alone” Confidentiality Anonymity Access Control Most privacy technologies."

Similar presentations

Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.

David Evans CS588: Cryptography University of Virginia Computer Science Lecture 17: Public-Key Protocols.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.

Modelling and Analysing of Security Protocol: Lecture 10 Anonymity: Systems.
Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.

Protocols for Anonymity CS 395T. Overview uBasic concepts of anonymity Chaum’s MIX Dining cryptographers Knowledge-based definitions of anonymity uProbabilistic.
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.

Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.

Authentication and Digital Signatures CSCI 5857: Encoding and Encryption.
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
20-763 ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS FALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.

Introduction to Modern Cryptography, Lecture 13 Money Related Issues ($$$) and Odds and Ends.
Network Security – Part 2 Public Key Cryptography Spring 2007 V.T. Raja, Ph.D., Oregon State University.

Network Security – Part 2 Public Key Cryptography Spring 2007 V.T. Raja, Ph.D., Oregon State University.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
20-751 ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.

ECOMMERCE TECHNOLOGY SUMMER 2002 COPYRIGHT © 2002 MICHAEL I. SHAMOS Cryptographic Security.
ELECTRONIC PAYMENT SYSTEMS 20-763 SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 11 Electronic Cash.

ELECTRONIC PAYMENT SYSTEMS SPRING 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 11 Electronic Cash.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.
Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)

Electronic Voting Schemes and Other stuff. Requirements Only eligible voters can vote (once only) No one can tell how voter voted Publish who voted (?)
Introduction to Signcryption November 22, 2004. 22/11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Introduction to Signcryption November 22, /11/2004 Signcryption Public Key (PK) Cryptography Discovering Public Key (PK) cryptography has made.

Similar presentations

Ads by Google