Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from...
-
date post
19-Dec-2015 -
Category
Documents
-
view
216 -
download
1
Transcript of Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from...
![Page 1: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/1.jpg)
Privacy and Anonymity Using Mix Networks*
Nitesh SaxenaCS392/6813
Some slides borrowed from Philippe Golle, Markus Jacobson
![Page 2: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/2.jpg)
Course Admin
• HW6 solution provided; grading almost done• HW7, HW8 to be graded; solutions to be provided• HW9 will be posted by tomorrow
– You should email me with the formation of your team (of 2 each); one email per team
– I’ll create you an account on Vlab and send you instructions on how to access it
• The final is on Thursday, 12/20, 6-8:30pm
![Page 3: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/3.jpg)
Contents
• Mix Network (Mixnet)
• Mixnet Applications
• Mixnet Requirements
• Robustness of Mixnets
• Checking a Mixnet’s Robustness
![Page 4: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/4.jpg)
Definition: Mix Server
• A mix server:
• Receives inputs
• Produces “related” outputs
• The relationship between inputs and outputs is secret
Inputs Outputs?
Mix Server
![Page 5: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/5.jpg)
Definition: Mix Network
• Mix network
A group of mix servers that operate sequentially.
Server 1 Server 2 Server 3
Inputs Outputs
? ? ?
![Page 6: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/6.jpg)
Applications
• Hide:
“who voted for whom?”
“who paid whom?”
“who communicated with whom?”
“what is the source of a message?”
• Good for protecting privacy for
election and communication
• Used as a privacy building block
![Page 7: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/7.jpg)
1. “Who do you like best?”
2. Put your ballot into
an WHITE envelope
and put again in a RED one and sign on it
Electronic Voting Demonstration
Jerry
Washington Lincoln Roosevelt
![Page 8: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/8.jpg)
Administrators will
1. Verify signatures together
2. 1st Admin. shuffles and opens RED envelopes
3. Send them to 2nd Admin.
4. 2nd Admin. shuffles again and opens WHITE envelopes
5. Count ballots together
Electronic Voting Demo. (Cont’d)
![Page 9: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/9.jpg)
Jerry
Sign voter 1 (encr(encr (vote1)))
Sign voter 2 (encr(encr (vote2)))
.
.
.Sign voter n (encr(encr (voten)))
A real system for elections
vote1
vote2
vote3
.
.
voten
MixNet
Washington Lincoln Roosevelt
MixNet
![Page 10: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/10.jpg)
• “Choose one person you like to pay $5”
• Put your ballot into an WHITE envelope and put again in a RED
one and sign on itJerry
Name of the person ( ___________ )
Electronic Payment Demo.
![Page 11: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/11.jpg)
Electronic Voting Demo. (Cont’d)Administrators will
1. Verify signatures together
2. Deduct $5 from each account
3. 1st Admin. shuffles and opens RED envelopes
4. Send them to 2nd Admin.
5. 2nd Admin. shuffles again and opens WHITE envelopes
6. Credit $5 to recipients
![Page 12: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/12.jpg)
For payments
Sign payer 1 (encr(encr (payee1)))
Sign payer 2 (encr(encr (payee2)))
.
.
.
.
.Sign payer n (encr(encr (payeen)))
payee1
payee2
payee3
.
.
payeen
DEDUCT
Credit
Jerry
Name
(________ )
MixNet
![Page 13: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/13.jpg)
For email communication
encr (email1, addressee1)
encr (email2, addressee2)
.
.
.encr (emailn, addresseen)
.
.
.
MixNet
DeliverTo: Jerry
Don’t forget to have lunch.
![Page 14: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/14.jpg)
Other uses
• Anonymous web browsing (LPWA Anonymizer)
From LPWA homepage
![Page 15: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/15.jpg)
Other uses (Cont’d)
• Location privacy for cellular devices
– Location-based service is GOOD ! • Landline-phone calling to 911 in the US,
112 in Europe
• All cellular carrier by December 2005
– RISK !• Location-based spam
• Harm to a reputation
![Page 16: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/16.jpg)
Other uses (Cont’d)
• Anonymous bulletin boards
From A. Juels at WOTE’01
Mix
![Page 17: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/17.jpg)
Other uses (Cont’d)
Sometimes abuses
• Avoid legislation (e.g., piracy)
![Page 18: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/18.jpg)
Other Uses
• Anonymous VoIP calls
![Page 19: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/19.jpg)
Principle Chaum ’81
Message 1
Message 2
server 1 server 2 server 3
PrivacyEfficiencyTrustRobustness
Issues :
![Page 20: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/20.jpg)
But what about robustness?
encr(Berry)
encr(Kush)
encr(Kush)
Kush
Kush
Kush
STOP
I ignore his
outputand
produce my own
There is no robustness!
![Page 21: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/21.jpg)
Requirements
1. Privacy
Nobody knows who said what
2. Efficiency
Mixing is efficient (= practically useful)
3. Trust How many entities do we have to trust?
4. Robustness
Will replacement cheaters be caught? What if a certain number of mix servers fail?
![Page 22: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/22.jpg)
Zoology of Mix Networks
• Decryption Mix Nets [Cha81,…]:– Inputs: ciphertexts
– Outputs: decryption of the inputs.
• Re-encryption Mix Nets[PIK93,…]:– Inputs: ciphertexts
– Outputs: re-encryption of the inputs
Inputs Outputs?
![Page 23: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/23.jpg)
First SolutionChaum ’81, implemented by Syverson, Goldschlag
Not robust (or: tolerates cheaters for correctness)
Requires every server to participate (and in the “right” order!)
![Page 24: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/24.jpg)
Re-encryption Mixnet
0. Setup: mix servers generate a shared ElGamal key
1. Users encrypt their inputs: Input Input Pub-key
3. A quorum of mix servers decrypts the outputs
Output OutputPriv-key
Server 1 Server 2 Server 3
re-encrypt
& mix
re-encrypt
& mix
re-encrypt
& mix
2. Encrypted inputs are mixed:
Proof ProofProof
![Page 25: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/25.jpg)
Recall: El Gamal encryption
Public parameters: q is a prime
p = 2kq+1 is a prime
g generator of Gp
Secret key of a user: x (where 0 < x < q)
Public key of this user: y = gx mod p
![Page 26: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/26.jpg)
El Gamal Encryption (encrypt m using y)
For message (or “plaintext”) : m
1. Pick a number k randomly from [0…q-1]
2. Compute a = yk. m mod p b = gk mod p
3. Output (a,b)
Decryption technique (to decrypt (a,b) using x)
Compute m a / bx (= yk. m = gxk. m) (gk)x gkx
![Page 27: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/27.jpg)
Re-encryption technique
Input: a ciphertext (a,b) wrt public key y
1. Pick a number randomly from [0…q-1]
2. Compute a’ = y . a mod p b’ = g . b mod p
3. Output (a’, b’)
Same decryption technique!
Compute m a’ / b’x (= yk. y . m = gx (k+. m) (gk . g )x g
(k+x
![Page 28: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/28.jpg)
A simple mix
(a1, b1)
(a2, b2).
.
.(an, bn)
RE-ENCRYPT
RE-ENCRYPT
(a’1,b’1)
(a’2,b’2).
.
.(a’n,b’n)
(a’’1,b’’1)
(a’’2,b’’2).
.
.(a’’n,b’’n)
Note: different cipher text, different re-encryption exponents!
![Page 29: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/29.jpg)
And to get privacy… permute, too!
(a1, b1)
(a2, b2).
.
.(an, bn)
(a’’1,b’’1)
(a’’2,b’’2).
.
.(a’’n,b’’n)
![Page 30: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/30.jpg)
Problem
• Mix servers must prove correct re-encryption– Given n El Gamal ciphertexts E(mi)as input
– and n El Gamal ciphertexts E(m’i) as output
– Compute: E( mi) and E(=m’i) – Ask Mix for ZK proof that these ciphertexts decrypt to
same plaintexts
![Page 31: Privacy and Anonymity Using Mix Networks* Nitesh Saxena CS392/6813 Some slides borrowed from Philippe Golle, Markus Jacobson.](https://reader036.fdocuments.us/reader036/viewer/2022062421/56649d3f5503460f94a18550/html5/thumbnails/31.jpg)
Tor
• A low-latency anonymizing networkhttp://www.torproject.org/
• Currently 1000 or so routers distributed all over in the internet
• Can run any SOCKS application on top of Tor• No mixing is employed• Peer-based: a client can choose to be a router• A request is routed to/fro a series of a circuit of three
routers• A new circuit is chosen every 10 minutes• Let’s see Tor in practice