1 / 32

Foundations of Privacy Formal Lecture Zero-Knowledge and Deniable Authentication

Foundations of Privacy Formal Lecture Zero-Knowledge and Deniable Authentication. Lecturer: Moni Naor. Giving talks. Advice on giving Academic Talks Giving an Academic Talk by Jonathan Shewchuk Oral Presentation Advice by Mark D. Hill Pointers on giving a talk by David Messerschmitt

sanam
Télécharger la présentation

Foundations of Privacy Formal Lecture Zero-Knowledge and Deniable Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Foundations of PrivacyFormal LectureZero-Knowledge and Deniable Authentication Lecturer:Moni Naor

  2. Giving talks Advice on giving Academic Talks • Giving an Academic Talk by Jonathan Shewchuk • Oral Presentation Advice by Mark D. Hill • Pointers on giving a talk by David Messerschmitt • How to give a good talk by Hany Farid • Giving Talks by Tom Cormen

  3. Authentication and Non-Repudiation • Key idea of modern cryptography [Diffie-Hellman]: can make authentication (signatures) transferable to third party - Non-repudiation. • Essential to contract signing, e-commerce… • Digital Signatures: last 25 years major effort in • Research • Notions of security • Computationally efficient constructions • Technology, Infrastructure (PKI), Commerce, Legal

  4. Isnon-repudiation always desirable? Not necessarily so: • Privacy of conversation, no (verifiable) record. • Do you want everything you ever said to be held against you? • If Bob pays for the authentication, shouldn't be able to transfer it for free • Perhaps can gain efficiency • Alternative: (Plausible) Deniability • If the recipient (or any recipient) could have generated the conversation himself • or an indistinguishable one

  5. Deniable Authentication Setting: • Sender has a public key known to receiver • Want to an authentication scheme such that the receiver keeps no receipt of conversation. This means: • Any receiver could have generated the conversation itself. • There is a simulator that for any message m and verifier V* generates an indistinguishable conversation. • Exactly as in Zero-Knowledge! • An example where zero-knowledge is theends, not the means! Proof of security consists of Unforgeability and Deniability

  6. Encryption ciphertext Plaintext • Assume a public key encryption scheme E • Public key Pk – knowing Pk can encrypt message m • Compute Y=E(Pk, m) • With corresponding secret key Ps, givenycan retrieve m m=D(Ps, E(Pk, m)) • Process is probabilistic: to actually encrypt choose random string  and computeY=E(PK, x, ).

  7. Deniable Authentication Completeness for any good sender and receiver possible to complete the authentication on any message Unforgeability Existential unforgeable against adaptive chosen message attack • Adversary can ask to authenticate any sequence m1,m2, … • Has to succeed in making V accept a message m not previously authenticated • Has complete control over the channels Deniability • For any(?) verifier, there is simulator that can generate computationally indistinguishable conversations.

  8. Interactive Authentication Pwants to convince V that he is approving message m Phas a public key Pk and a secret key Psof encryption scheme E. To authenticate a message m: • V  P: Choose x 2R {0,1}n. Send c=E(PK, m°x) • PV: Receiving c Decrypt c using Ps Verify that prefix of plaintext is m. If yes - sendx. V is satisfied if he receives the samex he chose

  9. Is it Safe? Want: Existential unforgeability against adaptive chosen message attack • Adversary can ask to authenticate any sequence m1,m2, … • Has to succeed in making V accept a message m not authenticated • Has complete control over the channels • Intuition of security: if Edoes not leak information about plaintext • Nothing is leaked about x Unforgeability: depends on the strength of E • Sensitive to malleability: • if given E(PK, m°x, ) can generate E(PK, m’°x’, ’) where m’ is related to m andx’ is related to x then can forge.

  10. Security of the scheme Unforgeability: depends on the strength of E • Sensitive to malleability: • if given E(PK, m°r, ) can generate E(PK, m’°r’, ’) where m’ is related to m andr’ is related to x then can forge. • The protocol allows a chosen ciphertext attack on E. • Even of the post-processing kind! • Can prove that any strategy for existential forgery can be translated into a CCA strategy on E • Works even against concurrent executions. Deniability: does Vretain a receipt?? • It does not retain one for an honestV • Need to prove knowledge of r There are encryption schemes satisfying the desired requirements

  11. No receipts • Can the verifier convince third party that the prover approved a certain message?

  12. Simulator for honest receiver Choose x R {0,1}n. Output: hY=E(PK, m°x, ), x, i Has exactly the same distribution as a real conversation when the verifier is following the protocol Statistical indistinguishability Verifier might cheat by checking whether certain ciphertext have as a prefix m No known concrete way of doing harm this way

  13. Commitment Schemes • Hiding: A computationally bounded receiver learns nothing about X. • Binding:s can only be “opened” to the value X. X Commit Phase Sender Receiver s X Reveal Phase Sender X Receiver v s, v, X Reveal Verification Algorithm yes/no

  14. Encryption as Commitment When the public key PK is fixed and known Y=E(PK, x, ) can be seen as commitment tox Toopenx:reveal,the random bits used to create Y Perfect binding: from unique decryption For any Y there are no two different xandx’and  and ’ s.t. Y=E(PK, x, ) =E(PK, x’, ’) Secrecy: no information about xis leaked to thosenotknowing private key PS

  15. Deniable Protocol P has a public key PK of an encryption scheme E. To authenticate message m: • V  P: Choose xR{0,1}n. Send Y=E(PK, m°x, ) • P V: Decrypt Y=E(PKj, m°x, ), SendE(PK, x, ) • V P: Sendx and  - opening Y=E(PK, m°x, ) • P V: Verify consistency and open E(PK, x, )bysending . • P commits to the value x. • Does not reveal it yet

  16. Security of the scheme Unforgeability: as before - depends on the strength of E can simulate previous scheme (with access to D(PK , . )) Important property: E(PK, x, ) is a non-malleable commitment (wrt the encryption) to x. Deniability: can run simulator: • Extractxby running with E(PK, garbage, ) and rewinding • Expected polynomial time • Need the semantic security of E - acts as a commitment scheme In Step 2. Instead of E(PK, x, )

  17. Complexity of the scheme Sender: single decryption, single encryption and singeencryption verification Receiver: same Communication Complexity: O(1) public-key encryptions

  18. Ring Signatures and Authentication Want to keep the sender anonymous by proving that the signer is a member of an ad hoc set • Other members do not cooperate • Use their `regular’ public-keys • Should be indistinguishable which member of the set is actually doing the authentication Bob Alice? Eve

  19. Ring Authentication Setting • A ring is an arbitrary set of participants including the authenticator • Each memberiof the ring has a public encryption key PKi • Only iknows the corresponding secret key PSi • To run a ring authentication protocol both sides need to know PK1, PK2, …, PKn the public keys of the ring members ...

  20. Deniable Ring Authentication Completeness for any good sender and receiver possible to complete the authentication on any message Unforgeability Existential unforgeable against adaptive chosen message attack Deniability • For any verifier, for any arbitrary set of keys, some good some bad, there is simulator that can generate computationally indistinguishable conversations. Source Hiding: • For any verifier, for any arbitrary set of keys, some good some bad, the source is computationally indistinguishable among the good keys Source Hiding andDeniability – incomparable

  21. An almost Good Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate messagemwith jth decryption key PSj: V  P: Choose x {0,1}n. SendE(PK1, m°x, 1), E(PK2, m°x, 2), …, E(PKn, m°x, n) P V: Decrypt E(PKj, m°x, j), using PSjand SendE(PK1, x, 1), E(PK2, x, 2), …, E(PKn, x, n) V P: open all the E(PKi, m°x, i)’s by Sendx and1, 2 ,…,n P V: Verify consistency and open allE(PKi, x, i) by Sendxand1, 2 ,…n And the adversary knows one the keys! Problem: what if not all suffixes (x‘s) are equal

  22. The Ring Authentication Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate messagemwith jth decryption key PSj: V  P: Choose x {0,1}n. SendE(PK1, m°x, 1), E(PK2, m°x, 2), …, E(PKn, m°x, n) P V: Decrypt E(PKj, m°x, j), using PSjand SendE(PK1, x1, 1), E(PK2, x2, 2), …, E(PKn, xn, n) Where x=x1+x2 +  xn V P: open all the E(PKj, m°x, j)’s, by Sendx and1, 2 ,…,n P V: Verify consistency and open allE(PKi, x, i) by Sendx1, x2, …, xnand1, 2 ,…n

  23. Complexity of the scheme Sender: single decryption, n encryptions and nencryption verifications Receiver:n encryptions and n encryption verifications Communication Complexity: O(n) public-key encryptions

  24. Security of the scheme Unforgeability: as before (assuming all keys are well chosen) since E(PK1, x1, t1), E(PK2, x2, t2),…,E(PK1, xn, tn) where x=x1+x2 + L xn is a non-malleable commitment to x Source Hiding: which key was used (among well chosen keys) is • Computationally indistinguishable during protocol • Statistically indistinguishableafter protocol • If ends successfully Deniability: Can run simulator `as before’

  25. Properties of the Scheme • Works with any good encryption scheme - members of the ring are unwilling participants. • Fairly efficient scheme: • Need n encryptionsnverifications and one decryption • Can extend the scheme so that convince a verifier that At least k members confirm the message.

  26. Extended Protocol Ring has public keys PK1, PK2, …, PKn of encryption scheme E To authenticate messagemwith subset T of decryption keys:: To authenticate message m with subset T of decryption keys: • V  P: Choose r {0,1}n. and split into shares x1, x2, … xn SendE(PK1, m°x1, r1), E(PK2, m°x2, r2), …, E(PK1, m°xn, rn) • P V: For each jT decrypt E(PKj, m°xj, rj) using PSjand reconstruct r SendE(PK1, x’1, 1), E(PK2, x’2, 2), …, E(PKn, x’n, n) Where r=x’1+x’2 +  x’n • V P: open all the E(PKi, m°xj, ri) by Sendx1, x2, … xn andr1, r2 ,…rn • P V: Verify consistency and open allE(PKi, x, ti) by Sendt1, t2 ,…tn and x’1, x’2 ,…, x’n

  27. Ring Signatures [RST] Rivest, Shamir and Tauman proposed Ring Signatures: • Signature on message m by a member of an ad hoc set of participants • Using existing Infrastructure for signatures • For a generated signature the source is (statistically) indistinguishable • Non-repudiation - recipient can convince a third party of the authenticity of a signature • Non-interactive - single round • Efficient - if underlying signature is low exponent RSA/Rabin • Need Ideal Cipher for combining function

  28. What are the social implications of the existence of ring authentication and signatures?

  29. Related Notions Deniability and anonymity can have many meanings…, long history in Crypto • Deniable Encryption • Undeniable signatures • Chameleon signatures (Krawczyk and Rabin 98). • Group signatures The signature is intended for ultimate adjudication by a third party (judge). • Not deniable if secret keys are revealed! • Designated verifier proofs

  30. Coming Lectures • Randomized Response • Stanley L. Warner, Randomized Response: A Survey Technique for Eliminating Evasive Answer Bias, • Moran and Naor, Polling with Physical Envelopes: A Rigorous Analysis of a Human-Centric Protocol, • More Randomized Response • Evfimievski, Gehrke, and Srikant. Limiting Privacy Breaches in Privacy Preserving Data Mining. (PODS 2003). • Nina Mishra and Mark Sandler, Privacy via Pseudorandom Sketches, PODS 2006 • K- Anonymity and Linkability • Latanya Sweeney. k-anonymity: a model for protecting privacy. International Journal on Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570. • A. Narayanan, V. Shmatikov. How To Break Anonymity of the Netflix Prize Dataset.   • Machanavajjhala, Gehrke, Kifer, and M. Venkitasubramaniam, L-diversity: Privacy beyond k-anonymity. In Proc. 22nd Int Conf. Data Eng. (ICDE), page 24, 2006. • Ninghui Li, Tiancheng Li, Suresh Venkatasubramanian. t-closeness: Privacy Beyond k-Anonymity and l-Diversity ICDE 2007. • Auditing • J. Kleinberg, C. Papadimitriou, P. Raghavan, Auditing Boolean Attributes, PODS 2000. • Krishnaram Kenthapadi, Nina Mishra, Kobbi Nissim, Simulatable Auditing,  PODS 2005.

  31. Coming Lectures • Irit Dinur and Kobbi  Nissim, Revealing information while preserving privacy. PODS, 2003. • Cynthia Dwork, Frank McSherry and Kunal Talwar, The price of privacy and the limits of LP decoding. STOC 2007, • Differntial Privacy • Cynthia Dwork, Frank McSherry, Kobbi Nissim and Adam Smith: Calibrating Noise to Sensitivity in Private Data Analysis. TCC 2006, • A. Blum, C. Dwork, F. McSherry, and K. Nissim, Practical Privacy: The SuLQ Framework, PODS, 2005. • Contingency Tables • Boaz Barak, Kamalika Chaudhuri, Cynthia Dwork, Satyen Kale, Frank McSherry and Kunal Talwar, Privacy, accuracy, and consistency too: a holistic solution to contingency table release. PODS 2007: 273-282 • Lars Backstrom, Cynthia Dwork and Jon M. Kleinberg: Wherefore art thou r3579x?: Anonymized social networks, hidden patterns, and structural steganography. WWW 2007 • Application of Differential Privacy • Kunal Talwar and Frank McSherry, Mechanism Design via Differential Privacy. FOCS, 2007. • Kobbi Nissim, Sofya Raskhodnikova and Adam Smith. Smooth Sensitivity and Sampling in Private Data Analysis , STOC 2007,

  32. Extras • Fuzzy Extractors • RFIDs, • Yossi Oren and Adi Shamir, Power Analysis of RFID Tags • Stephen A. Weis Security of HB+ • Face\Vision Crowd • Enabling Video Privacy through Computer Vision • E. Newton, L. Sweeney, and B. Malin. Preserving Privacy by De-identifying Facial Images

More Related