
Key Privacy and Anonymous Protocols

July 10, 2013. Key Privacy and Anonymous Protocols, by Paolo D’Arco and Alfredo De Santis. Privacy: in all its forms, a central issue in information technology. Current methods of communication and information processing give rise to many challenges.


Presentation Transcript


  1. July 10, 2013. Key Privacy and Anonymous Protocols, by Paolo D’Arco and Alfredo De Santis

  2. Privacy • In all its forms, a central issue in information technology • Current methods of communication and information processing give rise to many challenges • On wired and wireless networks: monitoring actions, transactions or activities, tracing movements, profiling users’ behaviours…

  3. Privacy “U.S. authorities have access to phone calls, e-mails and other communications far beyond constitutional bounds.” (Edward Snowden, ex-NSA contractor), June 2013. (CNN) -- President Barack Obama responded to outrage by European leaders over revelations of alleged U.S. spying on them by saying Monday that all nations, including those expressing the strongest protests, collect intelligence on each other. (June 2013)

  4. Privacy and Anonymity: “Political Springs” and social networks. “There is now a menace which is called Twitter,” Erdogan said. “The best examples of lies can be found there. To me, social media is the worst menace to society.” Turkish Prime Minister (May 2013). In some “applications”, methods to guarantee user privacy and anonymous computation/communication play a “crucial” role…

  5. Privacy and Anonymity: “Political Springs” and social networks. “Are you in Egypt? Send us your experiences, but please stay safe. Cairo (CNN) – Just ...” Need: tools enabling private and anonymous computation and communication

  6. Focus of this paper • Key-private public key encryption schemes: “Which public key has been used to produce encryption c?” • Secret set schemes: “Who are the members of the set? How many?” • Anonymous broadcast encryption schemes: “Who are the recipients of the sent message?”

  7. Contribution of this paper: key privacy and robustness imply security; a formal model for secret set; secret set and anonymous broadcast are equivalent w.r.t. a non-adaptive adversary; security reductions for general and concrete secret set constructions

  8. Public Key Encryption Π = (Gen, Enc, Dec), message space M, ciphertext space C. (pk, sk) <--- Gen(1^k); c <--- Enc_pk(m); m = Dec_sk(c). Correctness: Pr[(pk, sk) <--- Gen(1^k); m <--- M; c <--- Enc_pk(m) : m = Dec_sk(c)] = 1

  9. Security. Semantic security: a ciphertext does not leak any partial information about the plaintext w.r.t. a ppt Adv. Indistinguishability: given m0 and m1 and an encryption c of one of them, a ppt Adv is unable to tell to which message the ciphertext c corresponds. The two notions are equivalent [GM 1984]. The second can be thought of as a “characterization”.

  10. Indistinguishability: Experiment. Challenger C, adversary A. C runs (pk, sk) <--- Gen(1^k) and sends pk to A. Phase 1: A receives pk, has oracle access to Dec_sk(c) poly(k) times (sends c, gets back m), and outputs m0, m1. Challenge: C chooses b <--- {0,1}, computes c* <--- Enc_pk(m_b) and sends c*. Phase 2: A again queries the Dec_sk(c) oracle, then outputs b’. A wins if b’ = b

  11. Indistinguishability Experiments. By giving different power to the Adversary, we get different security notions: IND-CPA: no oracle access to Dec_sk(c); IND-CCA1: oracle access to Dec_sk(c) only in Phase 1; IND-CCA2: oracle access to Dec_sk(c) in Phase 1 and Phase 2

  12. Key Privacy [Bellare et al. 2001]. Given pk0 and pk1 and an encryption c of a message m, obtained by using one of the two public keys, chosen uniformly at random, a ppt Adv is unable to tell with which one the ciphertext c has been computed

  13. IK-CCA Experiment. Challenger C, adversary A. C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k) and sends pk0, pk1. Phase 1: A receives pk0, pk1, has oracle access to Dec_sk0(c) and Dec_sk1(c) poly(k) times, and outputs m*. Challenge: C chooses b <--- {0,1}, computes c* <--- Enc_pkb(m*) and sends c*. Phase 2: A again queries Dec_sk0(c) and Dec_sk1(c), then outputs b’. A wins if b’ = b

  14. Concrete encryption schemes • Key privacy was introduced as an additional property for a secure encryption scheme. • It was shown that the ElGamal encryption scheme is ik-cpa private and Cramer-Shoup is ik-cca private. • Some other schemes (e.g., RSA based versions) are not.

  15. Robustness [Abdalla et al. 2010]. Given a key pair (pk0, sk0) and an encryption c of a message m obtained by using pk0, only sk0 enables decrypting c. There is no other key pair (pk1, sk1) such that Dec_sk1(c) ≠ fail

  16. WROB Experiment. Challenger C, adversary A. C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k) and sends pk0, pk1. A receives pk0, pk1, has oracle access to Dec_sk0(c) and Dec_sk1(c) poly(k) times, outputs m* and computes c* using pk0. If Dec_sk0(c*) ≠ fail and Dec_sk1(c*) ≠ fail then C outputs 1. A wins if C outputs 1

  17. Key Privacy, Robustness and Security. Question: is there any relation among them?

  18. Non malleability [Dolev et al. 1991]. Roughly speaking, an encryption scheme is non malleable if, given a ciphertext c = Enc_pk(m), it is not feasible to produce a new ciphertext c’ which is an encryption of a message m’ somehow related to m. Non malleability under cca attack is equivalent to IND-CCA

  19. 1. Key Privacy and robustness imply security. Thm. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is non malleable. Since non malleability is equivalent to ind-cca security, we get: Cor. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is ind-cca secure.

  20. Proof Idea. By contradiction. The Adv for ik-cca simulates the environment for the NM experiment, i.e., acts as the challenger C of the NM experiment. If there exists an efficient Adv which wins the NM experiment, then there exists an efficient Adv which wins the ik-cca experiment. (Figure: the ik-cca experiment run by a challenger C; the Adv for ik-cca runs the Adv for NM inside it)

  21. Secret Set and Anonymous Broadcast Encryption

  22. Secret Set [Molva and Tsudik 1998]. A representation of a set S of users of a given universe U, satisfying: • any user of U can check if he is a member of S • no one can check if another user is a member • no one can determine the size of the set S (Figure: universe of users U, set S)

  23. Secret societies. Real and fictitious: secret societies at Yale University, Priory of Sion. A secret society is a club or organization whose activities and inner functionings are concealed from the non-members…

  24. 2. Secret Set Scheme: formal model. Σ = (Kgen, Srep, Mver) for universe of users U = {u1, …, un}. (pub1, sec1) … (pubn, secn) <--- Kgen(1^k); SR <--- Srep(S, pub); {0, 1, fail} <--- Mver(SR, sec_i). Correctness: for each set S and user u_i in U, for each k, Pr[(pub1, sec1) … (pubn, secn) <--- Kgen(1^k); SR <--- Srep(S, pub) : Mver(SR, sec_i) = m_i] = 1, where m_i is the membership status of u_i in S

  25. Membership Private. No coalition of users R is able to check the membership status m_i of a user u_i outside the coalition R

  26. MSHIP Experiment. Challenger C, adversary A. C runs (pub1, sec1) … (pubn, secn) <--- Kgen(1^k) and sends pub1, …, pubn. Phase 1: A asks key queries (i, answered with sec_i) and membership queries ((SR, i), answered with m_i), then outputs u_i, u_j. Challenge: C chooses b <--- {0,1}, sets S0 = S ∪ {u_i}, S1 = S ∪ {u_j}, computes SR* <--- Srep(S_b, pub) and sends SR*. Phase 2: A asks further key and membership queries, then outputs b’. A wins if b’ = b

  27. Size Hiding. No coalition of users R is able to determine the size of the secret set

  28. SHIDE Experiment. Challenger C, adversary A. C runs (pub1, sec1) … (pubn, secn) <--- Kgen(1^k) and sends pub1, …, pubn. Phase 1: A asks key queries (i, answered with sec_i) and membership queries ((SR, i), answered with m_i), then outputs S0, S1. Challenge: C chooses b <--- {0,1}, computes SR* <--- Srep(S_b, pub) and sends SR*. Phase 2: A asks further key and membership queries, then outputs b’. A wins if b’ = b

  29. Adversary Power: Static: no oracle access; Non-adaptive: oracle access only in Phase 1; Adaptive: oracle access in Phase 1 and Phase 2

  30. Anonymous Broadcast Encryption [Barth et al. 2006, Libert et al. 2012]. The Broadcast Encryption Problem [Berkowitz 1991, Fiat and Naor 1994] • A center C broadcasts a msg to a set N of receivers • A subset P of privileged users should be able to decrypt • P changes from time to time (Figure: C sends msg to privileged and forbidden users; the identities of privileged users are in the header of msg)

  31. Anonymous Broadcast Encryption Σ = (Keygen, Encrypt, Decrypt) for universe of users U = {u1, …, un}. (pub1, sec1) … (pubn, secn) <--- Keygen(1^k); c <--- Encrypt(P, pub, m); {m, fail} <--- Decrypt(sec_i, c). Correctness: for each set P and user u_i in P, for each k, Pr[(pub1, sec1) … (pubn, secn) <--- Keygen(1^k); c <--- Encrypt(P, pub, m) : Decrypt(sec_i, c) = m] = 1

  32. Anonymous and semantically secure. No Adv through a cca attack is able to decrypt the message or to find out the identity of any recipient

  33. A-IND-CCA Experiment. Challenger C, adversary A. C runs (pub1, sec1) … (pubn, secn) <--- Keygen(1^k) and sends pub1, …, pubn. Phase 1: A asks key queries (i, answered with sec_i) and decryption queries ((c, i), answered with m), then outputs S0, S1, m0, m1. Challenge: C chooses b <--- {0,1}, computes c* <--- Encrypt(S_b, pub, m_b) and sends c*. Phase 2: A asks further key and decryption queries, then outputs b’. A wins if b’ = b

  34. 3. Equivalence between primitives. Thm 1. Anonymous broadcast encryption implies secret set. Thm 2. Secret set implies anonymous broadcast encryption w.r.t. non-adaptive adversaries

  35. Security reductions for general and concrete constructions [Revisitation of Molva and Tsudik’s constructions]

  36. Signature Scheme Σ = (sGen, Sign, Ver), message space M. (vk, sk) <--- sGen(1^k); σ <--- Sign_sk(m); {0,1} <--- Ver_vk(m, σ). Correctness: for each k, Pr[(vk, sk) <--- sGen(1^k); m <--- M; σ <--- Sign_sk(m) : Ver_vk(m, σ) = 1] = 1

  37. Unforgeability under cma. Challenger C, adversary A. C runs (vk, sk) <--- sGen(1^k) and sends vk. A receives vk, has oracle access to Sign_sk(m) poly(k) times (sends m, gets back σ), and outputs (m*, σ*), different from all (m, σ) seen. If Ver(m*, σ*) = 1 then C outputs 1, else 0. A wins if C outputs 1

  38. PK-based Construction. Π = (eGen, Enc, Dec) public key scheme, Σ = (sGen, Sign, Ver) signature scheme. Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j. Srep(S, pub_U): (vk, sk) <--- sGen(1^k); for j = 1, …, n, c_j = Enc_pk_j(in|vk) if u_j in S, c_j = Enc_pk_j(out|vk) if u_j not in S; σ = Sign_sk(c1| … |cn); SR = (c1 … cn, σ). Mver(SR, sec_i): m = Dec_sk_i(c_i); if m = in|vk and Ver_vk(c1| … |cn, σ) = 1 then output 1; if m = out|vk and Ver_vk(c1| … |cn, σ) = 1 then output 0; else output fail

  39. 4. Security Reduction (1/4). Thm. Assuming • Π = (eGen, Enc, Dec) is a cca-secure public-key encryption and • Σ = (sGen, Sign, Ver) is an existentially unforgeable under chosen message attack signature scheme, the PK-based Construction is a membership-private and size-hiding secret set scheme

  40. Representation-length efficiency. Π = (eGen, Enc, Dec) public key scheme. Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j. Srep(S, pub_S): for j s.t. u_j in S, c_j = Enc_pk_j(in|u_j); SR = (c1 … c|S|). Mver(SR, sec_i): for j = 1, …, |S|, m = Dec_sk_i(c_j); if m = in|u_i then output 1; else if j = |S| then output 0

  41. 4. Security Reduction (2/4). Thm. Assuming Π = (eGen, Enc, Dec) is a public-key encryption that is • weakly robust and • ik-cca private, the Representation-length-efficient PK-based Construction is a weak membership-private secret set scheme (w.r.t. a non-adaptive adversary)

  42. DH-based Bit-Vector Construction. G cyclic group of order q, g generator. Kgen(1^k): for j = 1, …, n, a_j <--- Z_q*, compute g^{a_j}; pub_j = g^{a_j}, sec_j = a_j. Srep(S, pub_U): choose b <--- Z_q*, compute g^b; for j = 1, …, n, K_j = (g^{a_j})^b and if u_j in S, set c_j = MSB(K_j), else set c_j = MSB(K_j) + 1 mod 2; SR = (g^b, c1 … cn). Mver(SR, sec_i): compute K_i = (g^b)^{a_i} and d_i = MSB(K_i); if d_i = c_i, then output 1; else, output 0

  43. 4. Security Reduction (3/4). Thm. Assuming • the CDH problem is hard in G and • MSB is a hard-core predicate, the DH-based Bit-Vector Construction is a weak membership-private and size-hiding secret set scheme

  44. Hash-based Construction. G cyclic group of order q, g generator, H hash function. Kgen(1^k): for j = 1, …, n, a_j <--- Z_q*, compute g^{a_j}; pub_j = g^{a_j}, sec_j = a_j. Srep(S, pub_S): choose b <--- Z_q*, compute g^b; for j = 1, …, |S|, K_j = (g^{a_j})^b and c_j = H(K_j); SR = (g^b, c1 … c|S|). Mver(SR, sec_i): compute K_i = (g^{a_i})^b and h = H(K_i); if h ∈ {c1 … c|S|}, then output 1; else, output 0
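The DH-based bit-vector construction (slide 42) and the hash-based construction (slide 44), run side by side as an added example; this is illustrative code written for this transcript, not the authors’ implementation. It assumes a constructed toy safe-prime group (p = 1019, q = 509, g = 4) far too small for real use, SHA-256 standing in for H, and the most significant bit of K as the MSB predicate; the difference in size hiding shows up in the two representation lengths.

```python
import hashlib
import random

# Constructed toy parameters, far too small to be secure: p = 2q + 1 is a
# safe prime and g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 1019, 509, 4
_rng = random.SystemRandom()

def kgen(n):
    """Kgen(1^k): user u_j (0-based) draws a_j from Z_q^* and publishes g^{a_j}."""
    secs = _rng.sample(range(1, Q), n)  # distinct a_j: no key collisions in the toy group
    return [pow(G, a, P) for a in secs], secs

def msb(k):
    """MSB(K): most significant bit of K written as a |p|-bit integer."""
    return (k >> (P.bit_length() - 1)) & 1

def h(k):
    """H(K): SHA-256 of the fixed-width encoding of K, standing in for the random oracle."""
    return hashlib.sha256(k.to_bytes((P.bit_length() + 7) // 8, "big")).hexdigest()

def srep_bitvector(S, pubs):
    """Bit-vector Srep(S, pub_U): one bit per user of the universe; c_j = MSB(K_j) for
    members, the flipped bit for non-members, so |SR| never depends on |S|."""
    b = _rng.randrange(1, Q)
    bits = [msb(pow(pk, b, P)) ^ (0 if j in S else 1) for j, pk in enumerate(pubs)]
    return pow(G, b, P), bits

def mver_bitvector(SR, i, sec_i):
    """Mver: K_i = (g^b)^{a_i}; u_i is a member iff c_i equals MSB(K_i)."""
    gb, bits = SR
    return 1 if msb(pow(gb, sec_i, P)) == bits[i] else 0

def srep_hash(S, pubs):
    """Hash-based Srep(S, pub_S): one hash per member, so |SR| reveals |S|."""
    b = _rng.randrange(1, Q)
    return pow(G, b, P), {h(pow(pubs[j], b, P)) for j in S}

def mver_hash(SR, sec_i):
    """Mver: u_i is a member iff H((g^b)^{a_i}) appears among the published hashes."""
    gb, hashes = SR
    return 1 if h(pow(gb, sec_i, P)) in hashes else 0

def demo(n=6, S=frozenset({0, 2, 5})):
    """Run both constructions; return each user's membership bit and the SR sizes."""
    pubs, secs = kgen(n)
    sr_bv, sr_h = srep_bitvector(S, pubs), srep_hash(S, pubs)
    bv = [mver_bitvector(sr_bv, i, secs[i]) for i in range(n)]
    hh = [mver_hash(sr_h, secs[i]) for i in range(n)]
    return bv, hh, len(sr_bv[1]), len(sr_h[1])
```

demo() returns the bit each user’s Mver computes under both constructions plus the two representation lengths: n bits for the bit-vector scheme against |S| hashes for the hash-based one, which is exactly why only the former is size hiding.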

  45. 4. Security Reduction (4/4). Thm. Assuming • the CDH problem is hard in G and • H is a random oracle, the Hash-based Construction is a weak membership-private secret set scheme

  46. Conclusions • We have • shown that key privacy and robustness imply security • introduced a formal model for secret set • proved that secret set and anonymous broadcast are equivalent w.r.t. non-adaptive adv • provided security reductions for general and concrete secret set constructions

  47. Open Problems • anonymous broadcast and secret set: equivalent w.r.t. adaptive adversaries? • does there exist a length-efficient membership-private and size-hiding secret set construction? • does there exist a length-efficient membership-private secret set construction?

  48. Thanks!
