1 / 31

k-Anonymous Message Transmission

k-Anonymous Message Transmission. Luis von Ahn Andrew Bortz Nick Hopper. The Aladdin Center Carnegie Mellon University. Sender Anonymous Protocol. Adversary cannot identify the sender of a particular message. Sender Anonymous Protocol.

onofre
Télécharger la présentation

k-Anonymous Message Transmission

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. k-Anonymous Message Transmission Luis von Ahn Andrew Bortz Nick Hopper The Aladdin Center Carnegie Mellon University

  2. Sender Anonymous Protocol Adversary cannot identify the sender of a particular message

  3. Sender Anonymous Protocol Adversary cannot identify the sender of a particular message Receiver Anonymous Protocol Adversary cannot identify the receiver of a particular message

  4. Some Applications Secret Love Letters Anonymous Crime Tips Distribution of Music

  5. Sender and receiver anonymity can be achieved with a trusted third party

  6. Sender and receiver anonymity can be achieved with a trusted third party

  7. In This Talk We will present a scheme for anonymous communication that is efficient and requires no trusted third parties

  8. The Model Reliable Communication The adversary can see all communications in network The adversary can own some of the participants A participant owned by the adversary may act arbitrarily

  9. The Rest of the Talk DC Nets Why DC Nets have never been implemented k-Anonymity An efficient scheme

  10. DC Nets: Key Idea Divide time into small steps At stept, party i wants to send message Mi Zm If party j doesn’t want to send a message at step t, they must send Mj=0

  11. DC Nets: Key Idea Divide time into small steps At stept, party i wants to send message Mi Zm If party j doesn’t want to send a message at step t, they must send Mj=0 Each party i splits Mi into n random shares Mi = si,1 + si,2 + … + si,n-1 + (Mi – (si,1 + … + si,n-1)) si,n

  12. Party n Party 1 Party i Party 2 Party 3 DC Nets: Key Idea Each party distributes their n shares si,n si,1 si,2 si,3

  13. DC Nets: Key Idea All parties add up every share that they have received and broadcast the result (Let Bi denote Party i’s broadcast) Bi = s1,i + s2,i + … + sn,i

  14. DC Nets: Key Idea All parties add up every share that they have received and broadcast the result (Let Bi denote Party i’s broadcast) Mi = si,1 + si,2 + … + si,n-1 + si,n Bi = s1,i + s2,i + … + sn,i B1 + B2 +…+ Bn = M1 + M2 +…+ Mn

  15. DC Nets: Key Idea If only one of the Mi is nonzero, then: B1 + B2 +…+ Bn = Mi

  16. DC Nets: Problems It is very easy for the adversary to jam the channel! Communication complexity is O(n2)

  17. Full Anonymity Versus k-Anonymity We will relax the requirement that the adversary learns nothing about the origin of a given message We will accept k-anonymity, in which the adversary can only narrow down his search to k participants

  18. The Rest of the Talk DC Nets Why DC Nets have never been implemented k-Anonymity An efficient scheme

  19. k-anonymous message transmission (k-AMT) Idea: Divide N parties into “small” DC-Nets of size O(k). Encode Mt as (group, msg) pair P2 P3 s1,2 s1,3 s1,4 P1 P4 s1,1+s1,2+s1,3+s1,4 = (Gt,Mt)

  20. How to compromise k-anonymity • If everyone follows the protocol, it’s impossible to compromise the anonymity guarantee. • So instead, don’t follow the protocol: if Alice can never send anonymously, she will have to communicate using onymous means.

  21. How to break k-AMT (I) • Don’t follow the protocol: after receiving shares s1,i,…,sk,i, instead of broadcasting si, generate a random value r and broadcast that instead. • This will randomize the result of the DC-Net protocol, preventing Alice from transmitting.

  22. Stopping the “randomizing” attack • Solution: Use Verifiable Secret Sharing. Every player in the group announces (by broadcast) a commitment to all of the shares of her input. • These commitments allow verification of her subsequent actions.

  23. P2 P3 P1 P4 k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) C1 C1 C1

  24. k-anonymous message transmission (k-AMT) with VSS Before starting, each player commits to si,1 …si,k viaPedersen commitment C(s,r)=gshr s1,1+s1,2+s1,3+s1,4= x1= (Gi,Mi) P2 P3 C2 C3 P1 P4 C4

  25. How to break k-AMT (II) • The multiparty sum protocol gives k participants a single shared channel: at most one person can successfully transmit each turn. • So: Transmit every turn! VSS still perfectly hides the value of each input; no one will know who is hogging the line.

  26. Accommodating more than one sender per turn • Idea: we can run several turns in parallel. Instead of sending commitments to shares of a single value, generate shares of 2k values. • If Alice picks a random “turn” to transmit in, she should have probability at least ½ of successfully transmitting.

  27. Accommodating more than one sender per turn Before starting, each player picks slot s, sets xi,s= (Gt,Mt), xi,1=…=xi,2k= 0, and chooses si,j,m so that msi,j,m =xi,j P2 P3 C1,1..2k C1,1..2k P1 P4 C1,1..2k

  28. Accommodating more than one sender per turn • Suppose at the end of the protocol, at least k of the 2k parallel turns were empty (zero). Then Alice should be happy; she had probability ½ to transmit. • If not, somebody has cheated and used at least 2 turns. How do we catch the cheater?

  29. Catching a cheater • Idea: each party can use her committed values to prove (in zero knowledge)that she transmitted in at most one slot, without revealing that slot. • If someone did cheat, she will have a very low probability of convincing the group she did not.

  30. Zero-Knowledge proof of protocol conformance • Pi (All): Pick permutation ρ on {1…2k} Send C(x’) = C(xρ(0), r’0),…, C(xρ(2k),r’2k) • (All)  Pi: b  {0,1} • Pi (All): if b = 0: open 2k-1 0 values; else reveal ρ, prove (in ZK) x’ = ρ(x)

  31. Efficiency • O(k2) protocol messages to transmit O(k) anonymous messages: O(k) message overhead • Cheaters are caught with high probability • Zero Knowledge proofs are Honest Verifier and can be done non-interactively in the Random Oracle Model, or interactively via an extra round (commit to verifier coins)

More Related