Upload
sonny-brame
View
214
Download
0
Tags:
Embed Size (px)
Citation preview
Anonymity-preserving Public-Key Encryption
Markulf KohlweissUeli Maurer, Cristina Onete,
Björn Tackmann, and Daniele Venturi
PETS 2013
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2
Context: Encryption and Anonymity
Public-key encryption
Short but eventful history, late 70s, 80s.
Security usually defined using Games: IND-CPA, IND-CCA, …
Anonymity
Shorter eventful history, early 90s.
Anonymity is arguably a more high-level property
What if used together?
Key privacy, robust encryption, formal analysis of onions
Games prone to require iterations to find “right” notion
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 3
What is Anonymous Encryption? [PH08]
Sender Anonymity Receiver Anonymity
Anonymity not created, but preserved
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 5
Chosen Ciphertext Attack Security (IND-CCA)
Challenger
Dec
Bit b
d = b?
m0, m1
Enc(mb)
bit d
c Dec(c)
pk
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 6
Key Privacy (IK-CCA) [BBDP01]
Challenger
Dec1
Bit b
d = b?
m
Enc(pkb; m)
bit d
c Dec1(c)
Dec0
c Dec0 (c)
pk0, pk1
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 7
Weak Robustness (WROB) [ABN10]
Challenger
c Enc(pki, m)
m, i, j
Dec
c,i
Dec
i (c)
≠ Dec(skj, c) ?┴
pk1, ..., pkn
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 8
Constructive Cryptography [MR11]
Resources (existing/assumed, desired):
Available to everyone, including adversary/simulator through interfaces
Converters:
Transform existing into desired resources
Two interfaces, inner and outer
Protocol: composition of many converters, one for each user
Security:
Correctness: without Eve the protocol works correctly
Security: when Simulator connected, no-one can distinguish between
assumed and desired worlds.
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 9
Confidential Receiver-Anonymous Channel
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 11
Constructing the Channel from Broadcast
Bn
B2
B1
…
n x(pki)
m
m
m
m
┴
Existing Resources
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 12
Constructing the Channel from Broadcast
…
n x(pki)
Converters
Encryption scheme that is:
IND-CCA IK-CCA WROBm*
m*, j
…m
m
Existing Resources
Bn
Bj
B1
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 13
Simulation (intuition)
B1
…
(c, i)
c
…
…Bj
Bi
Bn
B1
…
(m, i)
…
…Bj
Bi
Bn
Key-Generation: generate n keypairs (for each Bi), one separate (sk, pk) Ciphertext generation: get |m|, encrypt 0|m| under pk to get c
c cm, i
m, i
Existing world Desired world
D
|m|
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 14
Simulation (intuition)
B1
…
(c, i)
c
…
…c*
(c*, j)
Bj
Bi
Bn
…
(m, i)
…
(m*, j)
…m*
Ciphertext delivery: deliver c* to Bj:
(c*, j) (c*, j)
• if c* not seen before decrypt under skj and inject message m* into network
Dec(c*)
m*
Existing world Desired world
|m|
D
B1
Bj
Bi
Bn
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 15
Simulation (intuition)
B1
…
(c, i)
c
…
…c
(c, i*)
Bj
Bi
Bn
…
(m, i)
|m|
…
…m
If i = i*
(H, i*)
H <-> m
Ciphertext delivery: deliver c to Bj:
(c, i*) (c, i*)
• if c seen before deliver corresponding msg. to correct receiverIntuition: this is where we need WROB – wrong receiver outputs error
m=
Dec(c)
m
Assumed world Desired world
D
B1
Bj
Bi
Bn
Trial Delivery
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 16
(More) Results in a Nutshell
WROB sufficientSROB leads to a tighter reduction
WROB necessarywithout WROB, achieve anonymity with erroneous transmission
Impossibility: SROB does not construct better resource
Constructive aspects:Model network with single sender, many receivers
PK settings: use uni-directional authenticated channels
Trial deliveries prevent better anonymity
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 17
Results in Picture
Game-based analysis Constructive result
IND
-CC
A
IK-C
CASROB IN
D-C
CA
IK-C
CAWROB
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 18
Strong Robustness (SROB)
Challenger c, i, j
Dec
c,i Dec
i (c)
both
┴ ≠ Dec(ski, c)
┴ ≠ Dec(skj, c)
pk1, ..., pkn