1 / 31

Privacy and Anonymity Using Mix Network s* Nitesh Saxena CS392/6813

Privacy and Anonymity Using Mix Network s* Nitesh Saxena CS392/6813. Some slides borrowed from Philippe Golle, Markus Jacobson. Course Admin. HW6 solution provided; grading almost done HW7, HW8 to be graded; solutions to be provided HW9 will be posted by tomorrow

hhebron
Télécharger la présentation

Privacy and Anonymity Using Mix Network s* Nitesh Saxena CS392/6813

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy and Anonymity Using Mix Networks*Nitesh SaxenaCS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson

  2. Course Admin • HW6 solution provided; grading almost done • HW7, HW8 to be graded; solutions to be provided • HW9 will be posted by tomorrow • You should email me with the formation of your team (of 2 each); one email per team • I’ll create you an account on Vlab and send you instructions on how to access it • The final is on Thursday, 12/20, 6-8:30pm

  3. Contents • Mix Network (Mixnet) • Mixnet Applications • Mixnet Requirements • Robustness of Mixnets • Checking a Mixnet’s Robustness

  4. Inputs Outputs Definition: Mix Server Mix Server ? • A mix server: • Receives inputs • Produces “related” outputs • The relationship between inputs and outputs is secret

  5. Inputs Outputs Definition: Mix Network • Mix network • A group of mix servers that operate sequentially. Server 1 Server 2 Server 3 ? ? ?

  6. Applications • Hide:  “who voted for whom?”  “who paid whom?” “who communicated with whom?”  “what is the source of a message?” • Good for protecting privacy for election and communication • Used as a privacy building block

  7. Jerry Electronic Voting Demonstration • “Who do you like best?” • Put your ballot into an WHITEenvelope and put again in a RED one and sign on it • Washington • Lincoln • Roosevelt

  8. Electronic Voting Demo. (Cont’d) Administrators will • Verify signatures together • 1st Admin. shuffles and opens RED envelopes • Send them to 2nd Admin. • 2nd Admin. shuffles again and opens WHITE envelopes • Count ballots together

  9. Jerry • Washington • Lincoln • Roosevelt A real system for elections vote1 vote2 vote3 . . voten Mix Net Mix Net Sign voter 1 (encr(encr (vote1))) Sign voter 2 (encr(encr (vote2))) . . . Sign voter n (encr(encr (voten)))

  10. Jerry Electronic Payment Demo. • “Choose one person you like to pay $5” • Put your ballot into an WHITEenvelope and put again in a RED one and sign on it • Name of the person • ( ___________ )

  11. Electronic Voting Demo. (Cont’d) Administrators will • Verify signatures together • Deduct $5 from each account • 1st Admin. shuffles and opens RED envelopes • Send them to 2nd Admin. • 2nd Admin. shuffles again and opens WHITE envelopes • Credit $5 to recipients

  12. Jerry For payments payee1 payee2 payee3 . . payeen D E D U C T Sign payer 1 (encr(encr (payee1))) Sign payer 2 (encr(encr (payee2))) . . . . . Sign payer n (encr(encr (payeen))) Mix Net Credit Name (________ )

  13. Mix Net For email communication . . . encr (email1, addressee1) encr (email2, addressee2) . . . encr (emailn, addresseen) To: Jerry Don’t forget to have lunch. Deliver

  14. Other uses • Anonymous web browsing (LPWAAnonymizer) From LPWA homepage

  15. Other uses (Cont’d) • Location privacy for cellular devices • Location-based service is GOOD ! • Landline-phone calling to 911 in the US, 112 in Europe • All cellular carrier by December 2005 • RISK ! • Location-based spam • Harm to a reputation

  16. Other uses (Cont’d) • Anonymous bulletin boards Mix From A. Juels at WOTE’01

  17. Other uses (Cont’d) Sometimes abuses • Avoid legislation (e.g., piracy)

  18. Other Uses • Anonymous VoIP calls

  19. server 1 server 2 server 3 Message 1 Message 2 Chaum ’81 Principle Issues : Privacy Efficiency Trust Robustness

  20. I ignore his output STOP and produce my own But what about robustness? encr(Berry) encr(Kush) encr(Kush) Kush Kush Kush There is no robustness!

  21. Requirements • PrivacyNobody knows who said what • EfficiencyMixing is efficient (= practically useful) • Trust How many entities do we have to trust? • RobustnessWill replacement cheaters be caught? What if a certain number of mix servers fail?

  22. ? Inputs Outputs Zoology of Mix Networks • Decryption Mix Nets [Cha81,…]: • Inputs: ciphertexts • Outputs: decryption of the inputs. • Re-encryption Mix Nets[PIK93,…]: • Inputs: ciphertexts • Outputs: re-encryption of the inputs

  23. First Solution Chaum ’81, implemented by Syverson, Goldschlag Not robust (or: tolerates 0 cheaters for correctness) Requires every server to participate (and in the “right” order!)

  24. 1. Users encrypt their inputs: Input Input Pub-key 2. Encrypted inputs are mixed: Server 1 Server 2 Server 3 re-encrypt & mix re-encrypt & mix re-encrypt & mix Proof Proof Proof 3. A quorum of mix servers decrypts the outputs Priv-key Output Output Re-encryption Mixnet 0. Setup: mix servers generate a shared ElGamal key

  25. Recall: El Gamal encryption Public parameters: q is a prime p = 2kq+1 is a prime g generator of Gp Secret key of a user: x (where 0 < x < q) Public key of this user: y = gx mod p

  26. El Gamal Encryption (encrypt m using y) For message (or “plaintext”) : m • Pick a number k randomly from [0…q-1] • Compute a = yk. m mod p b = gk mod p • Output (a,b) Decryption technique (to decrypt (a,b) using x) Compute m a / bx (= yk. m = gxk. m) (gk)x gkx

  27. Re-encryption technique Input: a ciphertext (a,b) wrt public key y • Pick a number a randomly from [0…q-1] • Compute a’ = ya . a mod p b’ = ga . b mod p • Output (a’, b’) Same decryption technique! Compute m a’ / b’x (= yk. ya . m = gx (k+a). m) (gk . ga )x g (k+a)x

  28. R E - E N C R Y P T R E - E N C R Y P T A simple mix (a’1,b’1) (a’2,b’2) . . . (a’n,b’n) (a’’1,b’’1) (a’’2,b’’2) . . . (a’’n,b’’n) (a1, b1) (a2, b2) . . . (an, bn) Note: different cipher text, different re-encryption exponents!

  29. And to get privacy… permute, too! (a’’1,b’’1) (a’’2,b’’2) . . . (a’’n,b’’n) (a1, b1) (a2, b2) . . . (an, bn)

  30. Problem • Mix servers must prove correct re-encryption • Given n El Gamal ciphertexts E(mi)asinput • and n El Gamal ciphertexts E(m’i) asoutput • Compute: E( mi) and E(=m’i) • Ask Mix for ZK proof that these ciphertexts decrypt to same plaintexts

  31. Tor • A low-latency anonymizing network http://www.torproject.org/ • Currently 1000 or so routers distributed all over in the internet • Can run any SOCKS application on top of Tor • No mixing is employed • Peer-based: a client can choose to be a router • A request is routed to/fro a series of a circuit of three routers • A new circuit is chosen every 10 minutes • Let’s see Tor in practice

More Related