anonymity-preserving public-key encryption markulf kohlweiss ueli maurer, cristina onete, björn...

Anonymity-preserving Public-Key Encryption

Markulf KohlweissUeli Maurer, Cristina Onete,

Björn Tackmann, and Daniele Venturi

PETS 2013

PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2

Context: Encryption and Anonymity

Public-key encryption

Short but eventful history, late 70s, 80s.

Security usually defined using Games: IND-CPA, IND-CCA, …

Anonymity

Shorter eventful history, early 90s.

Anonymity is arguably a more high-level property

What if used together?

Key privacy, robust encryption, formal analysis of onions

Games prone to require iterations to find “right” notion


What is Anonymous Encryption? [PH08]

Sender Anonymity Receiver Anonymity

Anonymity not created, but preserved


Our contribution


Chosen Ciphertext Attack Security (IND-CCA)

Challenger

Dec

Bit b

d = b?

m0, m1

Enc(mb)

bit d

c Dec(c)

pk


Key Privacy (IK-CCA) [BBDP01]

Challenger

Dec1

Bit b

d = b?

m

Enc(pkb; m)

bit d

c Dec1(c)

Dec0

c Dec0 (c)

pk0, pk1


Weak Robustness (WROB) [ABN10]

Challenger

c Enc(pki, m)

m, i, j

Dec

c,i

Dec

i (c)

≠ Dec(skj, c) ?┴

pk1, ..., pkn


Constructive Cryptography [MR11]

Resources (existing/assumed, desired):

Available to everyone, including adversary/simulator through interfaces

Converters:

Transform existing into desired resources

Two interfaces, inner and outer

Protocol: composition of many converters, one for each user

Security:

Correctness: without Eve the protocol works correctly

Security: when Simulator connected, no-one can distinguish between

assumed and desired worlds.


Confidential Receiver-Anonymous Channel


Constructing the Channel from Broadcast

Bn

B2

B1

…

n x(pki)

m

m

m

m

┴

Existing Resources


Constructing the Channel from Broadcast

…

n x(pki)

Converters

Encryption scheme that is:

IND-CCA IK-CCA WROBm*

m*, j

…m

m

Existing Resources

Bn

Bj

B1


Simulation (intuition)

B1

…

(c, i)

c

…

…Bj

Bi

Bn

B1

…

(m, i)

…

…Bj

Bi

Bn

Key-Generation: generate n keypairs (for each Bi), one separate (sk, pk) Ciphertext generation: get |m|, encrypt 0|m| under pk to get c

c cm, i

m, i

Existing world Desired world

D

|m|



B1

…

(c, i)

c

…

…c*

(c*, j)

Bj

Bi

Bn

…

(m, i)

…

(m*, j)

…m*

Ciphertext delivery: deliver c* to Bj:

(c*, j) (c*, j)

• if c* not seen before decrypt under skj and inject message m* into network

Dec(c*)

m*

Existing world Desired world

|m|

D

B1

Bj

Bi

Bn



B1

…

(c, i)

c

…

…c

(c, i*)

Bj

Bi

Bn

…

(m, i)

|m|

…

…m

If i = i*

(H, i*)

H <-> m

Ciphertext delivery: deliver c to Bj:

(c, i*) (c, i*)

• if c seen before deliver corresponding msg. to correct receiverIntuition: this is where we need WROB – wrong receiver outputs error

m=

Dec(c)

m

Assumed world Desired world

D

B1

Bj

Bi

Bn

Trial Delivery


(More) Results in a Nutshell

WROB sufficientSROB leads to a tighter reduction

WROB necessarywithout WROB, achieve anonymity with erroneous transmission

Impossibility: SROB does not construct better resource

Constructive aspects:Model network with single sender, many receivers

PK settings: use uni-directional authenticated channels

Trial deliveries prevent better anonymity


Results in Picture

Game-based analysis Constructive result

IND

-CC

A

IK-C

CASROB IN

D-C

CA

IK-C

CAWROB


Strong Robustness (SROB)

Challenger c, i, j

Dec

c,i Dec

i (c)

both

┴ ≠ Dec(ski, c)

┴ ≠ Dec(skj, c)

pk1, ..., pkn

anonymity-preserving public-key encryption markulf kohlweiss ueli maurer, cristina onete, björn...

Documents

pke slide

markulf kohlweiss anonymity

contribution slide

preserved slide

pk n slide

d c decc pk slide

right notion slide

i c decsk j