Receiver Anonymity via Incomparable Public Keys Brent R. Waters, Edward W. Felten, and Amit Sahai Department of Computer Science Princeton University.

Receiver Anonymity via
Incomparable Public Keys
Brent R. Waters, Edward W. Felten, and Amit Sahai
Department of Computer Science
Princeton University
Receiver Anonymity
Alice can give Bob information that he can use to
send messages to Alice, while keeping her true
identity secret from Bob.
[Diagram: Bob holds an Anonymous ID for the question “Where are good Hang Gliding spots?” with the instruction “Send to: alt.anonymous.messages”. He posts to the alt.anonymous.messages bulletin board, which Alice reads.]
Receiver Anonymity
• Anonymous Identity
– Information allowing a sender to send messages to
an anonymous receiver
– May contain routing and encryption information
• Requirements
– Receiver is anonymous even to the sender
– Anonymous Identity can be used several times
– Communication is secret (encrypted)
– Messages are received efficiently
A Common Method
Alice anonymously receives encrypted messages
from both Bob and Charlie by reading a newsgroup.
[Diagram: Bob holds Anonymous ID 1 (“Where are good Hang Gliding spots?”) and Charlie holds Anonymous ID 2 (“What Biology conferences are interesting?”). Both IDs say “Send to: alt.anonymous.messages” and “Encrypt with: a45cd79e”. Alice reads the alt.anonymous.messages bulletin board.]
The Encryption Key is Part of the Identity
Bob and Charlie collude and discover that they are
encrypting with the same public key and thus are
sending messages to the same person.
The Encryption Key is Part of the Identity
Bob and Charlie then aggregate what they each
know about the Anonymous Receiver and are able
to compromise her anonymity.
[Diagram: the same two Anonymous IDs, bulletin board and shared key a45cd79e as before. Bob and Charlie conclude: Hang Gliding + Biology => Alice.]
Using an Independent Public Key per
Sender
Alice creates a separate public/private key pair for
each sender. Upon receiving a message on the
newsgroup Alice tries all her private keys until one
matches or she has tried them all.
[Diagram: Bob and Charlie post to the alt.anonymous.messages bulletin board. Alice holds a long list of private keys under “Keys to Try”.]
Incomparable Public Keys
• Receiver generates a single secret key
• Receiver generates several Incomparable Public
Keys (one for each Anonymous Identity)
• Receiver uses the secret key to decrypt any
message encrypted with any of the public keys
• Holders of Incomparable Public Keys cannot tell
if any two keys are related (correspond to the
same private key)
Using Incomparable Public Keys to
Receive Messages Efficiently
Alice creates one secret key and distributes a
different Incomparable Public Key to each sender.
[Diagram: Bob, Charlie, the alt.anonymous.messages bulletin board, and Alice with her “Keys to Try” list.]
Key Generation
• Based on ElGamal encryption
– All users share a global (strong) prime p
– Operations are performed in the group of Quadratic
Residues of $\mathbb{Z}_p^*$
• Secret Key Generation:
– Choose an ElGamal secret key a
• Generate a new Incomparable Public Key:
– Pick a random generator, g, of the group
– Public key is $(g, g^a)$
Security Intuition
• Cannot distinguish equivalent keys $(g, g^a)$, $(h, h^a)$
from non-equivalent ones $(g, g^a)$, $(h, h^b)$
– Assuming Decisional Diffie-Hellman is hard
• However, this is not enough if the receiver might
respond to a message
[Diagram: Bob holds $(g, g^a)$ and Charlie holds $(h, h^a)$. They pair-wise multiply the keys to obtain $(gh, (gh)^a)$. Alice can decrypt messages encrypted with this new key.]
Solution
• Record keys that were validly created
• The ciphertext will contain a “proof” about which
key was used for encryption
• The private key holder can alternatively distribute
each Incomparable Public Key with its MAC
Encryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
– $(g, g^a)$ is an Incomparable Public Key
– H is a secure hash function
– K is a random symmetric key
– r is a random exponent
Decryption
$C = (g^r, g^{ar}K),\ H(r),\ E_K(r, (g, g^a), \text{plaintext})$
• Use secret key a to decrypt the ElGamal encrypted
ciphertext and learn the symmetric key K
• Use K to decrypt the symmetrically encrypted
ciphertext
• Check that the public key inside the envelope has
been distributed
• Check that the claimed public key was used
– Hash r and check it against claimed hash of r
– Raise the public key to the r to check that it was
used in the ElGamal encryption
• If all tests pass, accept the plaintext
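The scheme from the Key Generation, Security Intuition, Encryption and Decryption slides, as an added Python example that is not the authors' GnuPG extension. It assumes a toy safe prime p = 1019, SHA-256 for H, a SHAKE-256 XOR keystream standing in for E_K, and a comma-separated envelope; all function names are illustrative.

```python
import hashlib, secrets

P = 1019           # toy safe prime p = 2q + 1 (assumption; real use needs >= 2048 bits)
Q = (P - 1) // 2   # prime order of the group of quadratic residues mod p

def H(r):
    return hashlib.sha256(str(r).encode()).hexdigest()

def sym(K, data):
    # Stand-in for E_K / D_K (assumption): XOR with a SHAKE-256 keystream keyed by K.
    pad = hashlib.shake_256(str(K).encode()).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, pad))

def rand_qr():
    # Square of a value in [2, p-2]: a non-identity residue, hence a generator.
    return pow(secrets.randbelow(P - 3) + 2, 2, P)

def new_secret():
    return secrets.randbelow(Q - 1) + 1               # secret exponent a

def new_public_key(a):
    g = rand_qr()
    return (g, pow(g, a, P))                          # (g, g^a) with a fresh g

def encrypt(pk, plaintext):
    g, y = pk
    r, K = secrets.randbelow(Q - 1) + 1, rand_qr()    # random exponent and key
    envelope = f"{r},{g},{y},".encode() + plaintext   # r, (g, g^a), plaintext
    return (pow(g, r, P), pow(y, r, P) * K % P), H(r), sym(K, envelope)

def decrypt(a, issued, ciphertext):
    (c1, c2), hr, body = ciphertext
    try:
        K = c2 * pow(pow(c1, a, P), -1, P) % P        # ElGamal: recover K
        r, g, y, msg = sym(K, body).split(b",", 3)    # open the envelope
        r, pk = int(r), (int(g), int(y))
    except ValueError:
        return None                                   # not for this secret key
    if pk not in issued:                              # key was never distributed
        return None
    if H(r) != hr or pow(pk[0], r, P) != c1:          # claimed key was not used
        return None
    return msg

def collusion_demo():
    a = new_secret()
    bob, charlie = new_public_key(a), new_public_key(a)
    forged = (bob[0] * charlie[0] % P, bob[1] * charlie[1] % P)  # pair-wise product
    issued = {bob, charlie}
    return tuple(decrypt(a, issued, encrypt(k, b"hi")) for k in (bob, charlie, forged))
```

`collusion_demo()` returns the plaintext for Bob's and Charlie's keys and `None` for the pair-wise product, because the product key is valid under `a` but was never recorded as issued.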
Security
• Provably secure in the Random Oracle Model
assuming DDH is hard
• We have another construction based only on
general assumptions
• We can apply similar techniques to a CCA secure
cryptosystem such as Cramer-Shoup
Efficiency
• Efficiency is comparable to standard ElGamal
• One exponentiation for encryption
• Two exponentiations for decryption and
verification of a message
Comparison with Alternative Methods
Several Independent Public Keys
- Running time increases linearly with number of potential
senders
Several Independent Symmetric Keys
+ Encryption and decryption operations are faster
- Running time increases linearly with number of potential
senders
- No secrecy of past messages if sender’s key is captured
- Key must be distributed securely
Comparison with Alternative Methods
(cont.)
Message Markers
Sender puts a random tag on each message that
identifies him and which key to use
Tag      Key
5d234    98b2e6
3891c    7ac023
+ Potentially quick way for the receiver to identify her
messages and discard messages destined for others
- Cannot reuse a mark
- Therefore both sender and receiver must update
expected next mark – leads to problems if messages are
lost
Applications
• Use in anonymous communication between users
– Users already employ newsgroups such as
alt.anonymous.messages to send PGP encrypted
messages to anonymous receivers
• Protection of anonymity in case of device
compromise
– Receiver distributes a set of sensor nodes that he
does not want to be traced back to him
– Initially trusts the devices, but they could be
captured or otherwise compromised
Embedding Incomparable Public Keys
in Security Protocols
Use with other schemes to enhance anonymity and
efficiency
• We adapted the SKEME key exchange protocol to
incorporate Incomparable Public Keys
– Allows for establishment of an efficient session key
while maintaining anonymity guarantees
• Peer-to-Peer systems
– P5 allows a tradeoff between anonymity and efficiency
• By making all public keys Incomparable we can
enhance anonymity while still giving the user a tradeoff
option
Implementation
• Implemented Incomparable Public Keys by
extending GnuPG (PGP) 1.2.0
• Available at
http://www.cs.princeton.edu/~bwaters/research/
GnuPG (PGP) Background
• Users post encrypted messages to newsgroups to
attempt receiver anonymity
• Software for automatically retrieving messages
from newsgroups
– Jack B. Nymble
– Private Idaho
Implementation: Benefit
• Receivers can have one private key to decrypt
messages sent from any one of many
Incomparable Public Keys
• Interface is similar to original GnuPG interface
• Only a few changes needed to be made to existing
code (ElGamal encryption already exists in
GnuPG)
Related Work
• Bellare et al. (2001)
– Introduce notion of Key-Privacy
– If Key-Privacy is maintained an adversary cannot
match ciphertexts with the public keys used to
create them
– The authors do not consider anonymity from
senders
• Pfitzmann and Waidner (1986)
– Use of multicast address for receiver anonymity
– Discuss implicit vs. explicit “marks”
Related Work (cont.)
• Chaum (1981)
– Mix-nets for sender anonymity
– Reply addresses usable only once
– Other work follows this line
Conclusion
• The contents of public keys are important in
protecting the receiver’s anonymity from the
sender
• Incomparable Public Keys provide a secure and
efficient way of accomplishing receiver anonymity
• Incomparable Public Keys are useful in practice
with Key Exchange and P2P systems