Key Privacy and Anonymous Protocols
by
Paolo D’Arco and Alfredo De Santis
July 10, 2013
Privacy
• Privacy, in all its forms, is a central issue in information technology
• Current methods of communication and information processing give rise to many challenges
• On wired and wireless networks: monitoring actions, transactions or activities, tracing movements, profiling user behaviour …
Privacy
(CNN) -- President Barack Obama responded to outrage by European leaders over revelations of alleged U.S. spying on them by saying Monday that all nations, including those expressing the strongest protests, collect intelligence on each other. (June 2013)
“U.S. authorities have access to phone calls, e-mails and other communications far beyond constitutional bounds.”
(Edward Snowden, ex-NSA contractor, June 2013)
Privacy
“There is now a menace which is called Twitter,” Erdogan said. “The best examples of lies can be found there. To me, social media is the worst menace to society.”
(Turkish Prime Minister, May 2013)
Privacy and Anonymity
In some “applications” methods to guarantee user privacy and anonymous computation/communication play a “crucial” role …
“Political Springs” and social networks
“Are you in Egypt? Send us your experiences, but please stay safe. Cairo (CNN) – Just ...”
Privacy and Anonymity
“Political Springs” and social networks
Need tools enabling private and anonymous computation and communication
Focus of this paper
• Key-private public key encryption schemes: “Which public key has been used to produce the encryption c?”
• Secret set schemes: “Who are the members of the set? How many?”
• Anonymous broadcast encryption schemes: “Who are the recipients of the sent message?”
Contribution of this paper
1. key privacy and robustness imply security
2. formal model for secret set
3. secret set and anonymous broadcast are equivalent w.r.t. non adaptive adversary
4. security reductions for general and concrete secret set constructions
Public Key Encryption
Π = (Gen, Enc, Dec), message space M, ciphertext space C
(pk, sk) <--- Gen(1^k)
c <--- Enc_pk(m)
m = Dec_sk(c)
Correctness:
Pr[(pk, sk) <--- Gen(1^k); m <--- M; c <--- Enc_pk(m) : m = Dec_sk(c)] = 1
Security
Semantic security: a ciphertext does not leak any partial information about the plaintext to a ppt adversary
Indistinguishability: given m0 and m1 and an encryption c of one of them, a ppt adversary is unable to tell which message the ciphertext c corresponds to
The two notions are equivalent [GM 1984]. The second can be thought of as a “characterization” of the first.
Indistinguishability: Experiment (challenger C, adversary A)
Phase 1: C runs (pk, sk) <--- Gen(1^k). A receives pk, has oracle access to Dec_sk(·) poly(k) times (A sends c, gets back m), and outputs m0, m1.
Challenge: C chooses b <--- {0,1}, computes c* <--- Enc_pk(m_b) and sends c* to A.
Phase 2: A again has oracle access to Dec_sk(·) (on c ≠ c*) and outputs b'.
A wins if b' = b.
Indistinguishability Experiments
By giving different power to the adversary, we get different security notions:
• IND-CPA: no oracle access to Dec_sk(·)
• IND-CCA1: oracle access to Dec_sk(·) only in Phase 1
• IND-CCA2: oracle access to Dec_sk(·) in Phase 1 and Phase 2
Key Privacy [Bellare et al. 2001]
Given pk0 and pk1 and an encryption c of a message m, obtained by using one of the two public keys chosen uniformly at random, a ppt adversary is unable to tell with which one the ciphertext c has been computed.
IK-CCA Experiment (challenger C, adversary A)
Phase 1: C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k). A receives pk0, pk1, has oracle access to Dec_sk0(·) and Dec_sk1(·) poly(k) times (A sends c, gets back m), and outputs m*.
Challenge: C chooses b <--- {0,1}, computes c* <--- Enc_pk_b(m*) and sends c* to A.
Phase 2: A again has oracle access to Dec_sk0(·) and Dec_sk1(·) (on c ≠ c*) and outputs b'.
A wins if b' = b.
Concrete encryption schemes
Key privacy was introduced as an additional property for a secure encryption scheme.
It was shown that
• El Gamal encryption scheme is ik-cpa private
• Cramer-Shoup is ik-cca private
Some other schemes (e.g., RSA based versions) are not.
Robustness [Abdalla et al. 2010]
Given a key pair (pk0, sk0) and an encryption c of a message m obtained by using pk0, only sk0 enables decrypting c: there is no other key pair (pk1, sk1) such that Dec_sk1(c) ≠ fail.
WROB Experiment (challenger C, adversary A)
C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k)
A receives pk0, pk1 and oracle access to Dec_sk0(·) and Dec_sk1(·) poly(k) times (A sends c, gets back m)
A outputs m*; C computes c* using pk0
If Dec_sk0(c*) ≠ fail and Dec_sk1(c*) ≠ fail then C outputs 1
A wins if C outputs 1
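To make the key-privacy experiment and the robustness definition concrete, here is an added example (my code, not the slides' or the paper's): a challenger/adversary harness for the IK-CPA variant of the game, run against textbook ElGamal (which the slides list as ik-cpa private) and against a toy padded RSA whose ciphertexts live in Z_N, followed by the WROB check on ElGamal, which shows it is not robust because decryption under the wrong key still returns a group element rather than fail. Everything is sized for illustration: the group, the RSA moduli and the padding are assumptions, not parameters from the paper.

```python
"""IK-CPA experiment (challenger vs adversary) and a WROB check, run against two
toy schemes. Added example, not code from the slides or the paper. Assumptions
(toy parameters, illustration only): ElGamal lives in the order-q subgroup of
Z_p^* with safe prime p = 1019 (q = 509) and generator g = 4; "padded RSA" uses
two fixed small moduli and a one-byte message with random padding, just so that
the ciphertext range depends on the key.
"""
import secrets

P, G = 1019, 4
Q = (P - 1) // 2
FAIL = None


def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # uniform in [1, q-1]


# ---- ElGamal in the order-q subgroup (the slides: ik-cpa private) ----
def eg_gen(_i=0):
    a = rand_exp()
    return pow(G, a, P), a                       # (pk, sk)


def eg_enc(pk, m):                               # m is a subgroup element
    r = rand_exp()
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def eg_dec(sk, c):
    c1, c2 = c
    if not (0 < c1 < P and 0 < c2 < P):
        return FAIL                              # only malformed input fails
    return (c2 * pow(c1, Q - sk, P)) % P         # c1^(q-sk) == c1^(-sk) in the subgroup


# ---- Padded RSA: ciphertexts live in Z_N, and N is different per key ----
RSA_KEYS = [(1009 * 1013, 17), (503 * 509, 17)]  # (N, e); fixed toy primes


def rsa_gen(i):
    return RSA_KEYS[i], None                     # no private key needed for IK-CPA


def rsa_enc(pk, m):                              # m: one byte, random padding above it
    n, e = pk
    x = secrets.randbelow(n // 256) * 256 + m
    return pow(x, e, n)


# ---- The IK experiment from the slides, CPA flavour (no decryption oracle) ----
def ik_cpa_game(gen, enc, choose, guess, trials=2000):
    """Challenger: two honest keys, c* = Enc_{pk_b}(m*) for random b.
    Returns the fraction of trials in which the adversary's b' equals b."""
    wins = 0
    for _ in range(trials):
        pk0, pk1 = gen(0)[0], gen(1)[0]
        m = choose(pk0, pk1)                     # adversary outputs m*
        b = secrets.randbelow(2)
        c = enc((pk0, pk1)[b], m)
        wins += guess(pk0, pk1, c) == b
    return wins / trials


def coin(pk0, pk1, c):
    return secrets.randbelow(2)                  # nothing in an ElGamal ciphertext names the key


def rsa_range_guess(pk0, pk1, c):
    """c < N_b always, so a ciphertext at or above the smaller modulus rules that key out."""
    n0, n1 = pk0[0], pk1[0]
    if c >= n1:
        return 0
    if c >= n0:
        return 1
    return secrets.randbelow(2)


def elgamal_ik_rate():
    return ik_cpa_game(eg_gen, eg_enc, lambda *_: G, coin)


def rsa_ik_rate():
    return ik_cpa_game(rsa_gen, rsa_enc,
                       lambda *_: secrets.randbelow(256), rsa_range_guess)


# ---- WROB: ElGamal is key-private but not robust ----
def elgamal_wrob():
    """Honest keys, c* under pk0: does sk1 reject it? It never does."""
    (pk0, sk0), (pk1, sk1) = eg_gen(), eg_gen()
    c = eg_enc(pk0, G)
    return eg_dec(sk0, c) == G, eg_dec(sk1, c) is not FAIL
```

The range adversary wins roughly 69% of the time against padded RSA, because a ciphertext larger than the smaller modulus can only have come from the larger one; this is the kind of leak that puts RSA-based versions among the schemes the slides list as not key-private. ElGamal in a fixed group gives the adversary nothing to compare, but its decryption never outputs fail, which is exactly the robustness gap the theorem on the following slides takes as a hypothesis.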
Key Privacy, Robustness and Security
Question: is there any relation among them?
Non malleability [Dolev et al. 1991]
Roughly speaking, an encryption scheme is non malleable if, given a ciphertext c = Enc_pk(m), it is not feasible to produce a new ciphertext c', which is an encryption of a message m' somehow related to m.
Non malleability under a cca attack is equivalent to IND-CCA.
1. Key Privacy and robustness imply security
Thm. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. If Π is ik-cca secure, then Π is non malleable.
Since non malleability is equivalent to ind-cca security, we get:
Cor. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. If Π is ik-cca secure, then Π is ind-cca secure.
Proof Idea
By contradiction: if there exists an efficient adversary which wins the NM experiment, then there exists an efficient adversary which wins the ik-cca experiment.
The adversary for ik-cca plays in the ik-cca experiment run by a challenger C and, at the same time, simulates the environment for the NM experiment, i.e., acts as the challenger of the NM experiment towards the adversary for NM.
Secret Set and Anonymous Broadcast Encryption
Secret Set [Molva and Tsudik 1998]
A representation of a set S of users of a given universe U, satisfying:
• any user of U can check if he is a member of S
• no one can check if another user is a member
• no one can determine the size of the set S
(figure: universe of users U, with the set S inside it)
Secret societies, real and fictitious: the Priory of Sion, secret societies at Yale University
A secret society is a club or organization whose activities and inner functionings are concealed from the non-members …
2. Secret Set Scheme: formal model
Σ = (Kgen, Srep, Mver) for a universe of users U = {u1, …, un}
(pub1, sec1), …, (pubn, secn) <--- Kgen(1^k)
SR <--- Srep(S, pub)
{0, 1, fail} <--- Mver(SR, sec_i)
Correctness: for each set S and user u_i in U, for each k, with m_i = 1 if u_i ∈ S and m_i = 0 otherwise,
Pr[(pub1, sec1), …, (pubn, secn) <--- Kgen(1^k); SR <--- Srep(S, pub) : Mver(SR, sec_i) = m_i] = 1
Membership Private
No coalition of users R is able to check the membership status m_i of a user u_i outside the coalition R.
MSHIP Experiment (challenger C, adversary A)
Phase 1: C runs (pub1, sec1), …, (pubn, secn) <--- Kgen(1^k). A receives pub1, …, pubn and asks key queries (i → sec_i) and membership queries ((SR, i) → m_i = Mver(SR, sec_i)). A outputs two users u_i, u_j.
Challenge: C chooses b <--- {0,1}, sets S0 = S ∪ {u_i} and S1 = S ∪ {u_j} for a set S containing neither user, computes SR* <--- Srep(S_b, pub) and sends SR* to A.
Phase 2: A asks further key and membership queries and outputs b'.
A wins if b' = b.
Size Hiding
No coalition of users R is able to determine the size of the secret set.
SHIDE Experiment (challenger C, adversary A)
Phase 1: C runs (pub1, sec1), …, (pubn, secn) <--- Kgen(1^k). A receives pub1, …, pubn and asks key queries (i → sec_i) and membership queries ((SR, i) → m_i). A outputs two sets S0, S1.
Challenge: C chooses b <--- {0,1}, computes SR* <--- Srep(S_b, pub) and sends SR* to A.
Phase 2: A asks further key and membership queries and outputs b'.
A wins if b' = b.
Adversary Power
• Static: no oracle access (no key or membership queries)
• Non-adaptive: oracle access only in Phase 1
• Adaptive: oracle access in Phase 1 and Phase 2
Anonymous Broadcast Encryption
The Broadcast Encryption Problem [Berkowitz 1991, Fiat and Naor 1994]
(figure: a center C broadcasts msg to the receivers, split into privileged and forbidden users)
• A center C broadcasts a msg to a set N of receivers
• A subset P of privileged users should be able to decrypt
• P changes from time to time
In standard broadcast encryption the identities of the privileged users are in the header of msg.
Anonymous broadcast encryption [Barth et al. 2006, Libert et al. 2012] hides them.
Anonymous Broadcast Encryption
Σ = (Keygen, Encrypt, Decrypt) for a universe of users U = {u1, …, un}
(pub1, sec1), …, (pubn, secn) <--- Keygen(1^k)
c <--- Encrypt(P, pub, m)
{m, fail} <--- Decrypt(sec_i, c)
Correctness: for each set P and user u_i in P, for each k,
Pr[(pub1, sec1), …, (pubn, secn) <--- Keygen(1^k); c <--- Encrypt(P, pub, m) : Decrypt(sec_i, c) = m] = 1
Anonymous and semantically secure
No adversary mounting a cca attack is able to decrypt the message or to find out the identity of any recipient.
A-IND-CCA Experiment (challenger C, adversary A)
Phase 1: C runs (pub1, sec1), …, (pubn, secn) <--- Keygen(1^k). A receives pub1, …, pubn and asks key queries (i → sec_i) and decryption queries ((c, i) → m = Decrypt(sec_i, c)). A outputs two sets S0, S1 and two messages m0, m1.
Challenge: C chooses b <--- {0,1}, computes c* <--- Encrypt(S_b, pub, m_b) and sends c* to A.
Phase 2: A asks further key and decryption queries (not on c*) and outputs b'.
A wins if b' = b.
3. Equivalence between primitives
Thm 1. Anonymous broadcast encryption implies secret set
Thm 2. Secret set implies anonymous broadcast encryption w.r.t. non-adaptive adversaries
Security reductions for general and concrete constructions
[Revisitation of Molva and Tsudik’s constructions]
Signature Scheme
Σ = (sGen, Sign, Ver), message space M
(vk, sk) <--- sGen(1^k)
σ <--- Sign_sk(m)
{0, 1} <--- Ver_vk(m, σ)
Correctness: for each k,
Pr[(vk, sk) <--- sGen(1^k); m <--- M; σ <--- Sign_sk(m) : Ver_vk(m, σ) = 1] = 1
Unforgeability under cma (challenger C, adversary A)
C runs (vk, sk) <--- sGen(1^k)
A receives vk and oracle access to Sign_sk(·) poly(k) times (A sends m, gets back σ)
A outputs (m*, σ*), different from all pairs (m, σ) obtained from the oracle
If Ver_vk(m*, σ*) = 1 then C outputs 1, else 0
A wins if C outputs 1
PK-based Construction
Π = (eGen, Enc, Dec) public key scheme, Σ = (sGen, Sign, Ver) signature scheme
Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j
Srep(S, pub_U): (vk, sk) <--- sGen(1^k); for j = 1, …, n, c_j = Enc_pk_j(in|vk) if u_j ∈ S, c_j = Enc_pk_j(out|vk) if u_j ∉ S; σ = Sign_sk(c1| … |cn); SR = [(c1 … cn, σ)]
Mver(SR, sec_i): m = Dec_sk_i(c_i); if m = in|vk and Ver_vk(c1| … |cn, σ) = 1 then output 1; if m = out|vk and Ver_vk(c1| … |cn, σ) = 1 then output 0; else output fail
4. Security Reduction (1/4)
Thm. Assuming
• Π = (eGen, Enc, Dec) is a cca-secure public-key encryption scheme and
• Σ = (sGen, Sign, Ver) is an existentially unforgeable under chosen message attack signature scheme,
the PK-based Construction is a membership-private and size-hiding secret set scheme.
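The PK-based construction, run end to end as an added example (my code, not the authors'). Π is instantiated with a DHIES-style hashed ElGamal (the DH shared value goes through SHA-256 to give a keystream and an HMAC key; the tag makes decryption under the wrong key return fail), Σ with a Schnorr signature in the same toy group, and vk travels inside the plaintext as a 4-byte integer; all of these are assumptions chosen so the code runs with the standard library, and the group size is for illustration only. Mver also takes the user index i so the user can pick its own c_i. The last function shows what the signature buys: an insider who knows vk can encrypt a fresh in|vk for another user, but the signature over c1|…|cn then no longer verifies.

```python
"""PK-based secret set construction from the slides with toy primitives.
Added example, not the authors' code. Assumptions: order-q subgroup of Z_p^*
with safe prime p = 1019 (q = 509), g = 4; Pi = DHIES-style hashed ElGamal
(SHA-256 keystream + HMAC tag); Sigma = Schnorr signature in the same group;
vk encoded as a 4-byte integer inside the plaintext. Sizes are illustrative.
"""
import hashlib
import hmac
import secrets

P, G = 1019, 4
Q = (P - 1) // 2
FAIL = "fail"


def rand_exp():
    return secrets.randbelow(Q - 1) + 1


def h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()


def i2b(x):
    return x.to_bytes(4, "big")


# ---- Pi = (eGen, Enc, Dec): hashed ElGamal with a MAC over the ciphertext ----
def e_gen():
    sk = rand_exp()
    return pow(G, sk, P), sk


def enc(pk, m):                                   # m: at most 16 bytes
    r = rand_exp()
    c1 = pow(G, r, P)
    key = h(b"kdf", i2b(c1), i2b(pow(pk, r, P)))  # 16 bytes keystream | 16 bytes MAC key
    c2 = bytes(a ^ b for a, b in zip(m, key[:16]))
    return c1, c2, hmac.new(key[16:], i2b(c1) + c2, "sha256").digest()


def dec(sk, c):
    c1, c2, tag = c
    key = h(b"kdf", i2b(c1), i2b(pow(c1, sk, P)))
    if not hmac.compare_digest(tag, hmac.new(key[16:], i2b(c1) + c2, "sha256").digest()):
        return FAIL                               # wrong key or altered ciphertext
    return bytes(a ^ b for a, b in zip(c2, key[:16]))


# ---- Sigma = (sGen, Sign, Ver): Schnorr, challenge kept as the full hash ----
def s_gen():
    sk = rand_exp()
    return pow(G, sk, P), sk                      # (vk, sk)


def sign(sk, msg):
    k = rand_exp()
    e = h(b"sig", i2b(pow(G, k, P)), msg)
    return e, (k + sk * (int.from_bytes(e, "big") % Q)) % Q


def ver(vk, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(vk, Q - int.from_bytes(e, "big") % Q, P)) % P  # g^s * vk^-e
    return hmac.compare_digest(e, h(b"sig", i2b(r), msg))


# ---- Secret set (Kgen, Srep, Mver) as on the slide ----
def kgen(n):
    sec = []
    while len(sec) < n:                           # distinct keys (only an issue at toy size)
        a = rand_exp()
        if a not in sec:
            sec.append(a)
    return [pow(G, a, P) for a in sec], sec       # pub, sec


def body(cs):
    return b"|".join(i2b(c1) + c2 + tag for c1, c2, tag in cs)   # c1|...|cn


def srep(S, pub):
    vk, sk = s_gen()
    cs = [enc(pk, (b"in " if j in S else b"out") + i2b(vk)) for j, pk in enumerate(pub)]
    return cs, sign(sk, body(cs))                 # SR = ((c1 ... cn), sigma)


def mver(SR, i, sec_i):
    """1 = member, 0 = non-member, fail otherwise; i selects the user's own c_i."""
    cs, sig = SR
    m = dec(sec_i, cs[i])
    if m is FAIL:
        return FAIL
    vk = int.from_bytes(m[3:], "big")
    if ver(vk, body(cs), sig):
        if m[:3] == b"in ":
            return 1
        if m[:3] == b"out":
            return 0
    return FAIL


def forge_membership(pub, sec, SR, victim, insider):
    """Insider learns vk from its own slot and re-encrypts in|vk for the victim:
    decryption succeeds, but sigma no longer covers c1|...|cn, so Mver fails."""
    cs, sig = SR
    vk = int.from_bytes(dec(sec[insider], cs[insider])[3:], "big")
    forged = list(cs)
    forged[victim] = enc(pub[victim], b"in " + i2b(vk))
    return mver((forged, sig), victim, sec[victim])
```

Note that both members and non-members learn vk, which is fine: vk is only there to bind the signature to this particular representation, and the signing key never leaves Srep. The hashed-ElGamal choice also gives the robustness the length-efficient variant on the next slides asks for, since decryption with any key but the right one fails on the tag check.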
4. Security Reduction (2/4)
Representation-length-efficient PK-based Construction
Π = (eGen, Enc, Dec) public key scheme
Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j
Srep(S, pub_S): for each j such that u_j ∈ S, c_j = Enc_pk_j(in|u_j); SR = (c1 … c|S|)
Mver(SR, sec_i): for j = 1, …, |S|, m = Dec_sk_i(c_j); if m = in|u_i then output 1; else, if j = |S|, output 0
Thm. Assuming Π = (eGen, Enc, Dec) is a public-key encryption scheme which is
• weakly robust and
• ik-cca private,
the Representation-length-efficient PK-based Construction is a weak membership-private secret set scheme (w.r.t. a non-adaptive adversary).
4. Security Reduction (3/4)
DH-based Bit-Vector Construction
G cyclic group of order q, g generator
Kgen(1^k): for j = 1, …, n, a_j <--- Z_q^*, compute g^a_j; pub_j = g^a_j, sec_j = a_j
Srep(S, pub_U): choose b <--- Z_q^*, compute g^b; for j = 1, …, n, K_j = (g^a_j)^b and, if u_j ∈ S, set c_j = MSB(K_j), else set c_j = MSB(K_j) + 1 mod 2; SR = (g^b, c1 … cn)
Mver(SR, sec_i): compute K_i = (g^b)^a_i and d_i = MSB(K_i); if d_i = c_i then output 1; else output 0
Thm. Assuming
• the CDH problem is hard in G and
• MSB is a hard-core predicate,
the DH-based bit-vector Construction is a weak membership-private and size-hiding secret set scheme.
4. Security Reduction (4/4)
Hash-based Construction
G cyclic group of order q, g generator, H hash function
Kgen(1^k): for j = 1, …, n, a_j <--- Z_q^*, compute g^a_j; pub_j = g^a_j, sec_j = a_j
Srep(S, pub_S): choose b <--- Z_q^*, compute g^b; for j = 1, …, |S|, K_j = (g^a_j)^b and c_j = H(K_j); SR = (g^b, c1 … c|S|)
Mver(SR, sec_i): compute K_i = (g^b)^a_i and h = H(K_i); if h ∈ {c1 … c|S|} then output 1; else output 0
Thm. Assuming
• the CDH problem is hard in G and
• H is a random oracle,
the Hash-based Construction is a weak membership-private secret set scheme.
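Both DH-based constructions, implemented side by side as an added example (my code, not the authors') to show what each representation reveals. Assumptions: a toy order-q subgroup with p = 1019 and g = 4, MSB taken as the top bit of K written on bit_length(p) bits, SHA-256 standing in for the random oracle H, and distinct exponents enforced in Kgen only because the toy group is small enough for collisions to matter.

```python
"""DH-based bit-vector and hash-based secret set constructions from the slides,
run side by side. Added example, not the authors' code. Assumptions: G is the
order-q subgroup of Z_p^* with safe prime p = 1019 (q = 509), g = 4 (toy size);
MSB(K) = top bit of K on bit_length(p) bits; SHA-256 plays the random oracle H.
"""
import hashlib
import secrets

P, G = 1019, 4
Q = (P - 1) // 2
WIDTH = P.bit_length()                              # 10 bits


def rand_exp():
    return secrets.randbelow(Q - 1) + 1             # uniform in Z_q^*


def msb(k):
    return (k >> (WIDTH - 1)) & 1


def H(k):
    return hashlib.sha256(k.to_bytes(2, "big")).hexdigest()


def kgen(n):
    sec = []
    while len(sec) < n:                             # distinct a_j (only an issue at toy size)
        a = rand_exp()
        if a not in sec:
            sec.append(a)
    return [pow(G, a, P) for a in sec], sec         # pub_j = g^a_j, sec_j = a_j


# ---- DH-based bit-vector construction: one bit per user of U ----
def srep_bv(S, pub):
    b = rand_exp()
    bits = []
    for j, pk in enumerate(pub):
        kj = pow(pk, b, P)                          # K_j = (g^a_j)^b
        bits.append(msb(kj) if j in S else msb(kj) ^ 1)
    return pow(G, b, P), bits                       # SR = (g^b, c_1 ... c_n)


def mver_bv(SR, i, a_i):
    gb, bits = SR
    return 1 if msb(pow(gb, a_i, P)) == bits[i] else 0


# ---- Hash-based construction: one digest per member of S ----
def srep_hash(S, pub):
    b = rand_exp()
    return pow(G, b, P), [H(pow(pub[j], b, P)) for j in S]   # SR = (g^b, c_1 ... c_|S|)


def mver_hash(SR, a_i):
    gb, digests = SR
    return 1 if H(pow(gb, a_i, P)) in digests else 0


def compare(n, S):
    """Both schemes answer every user correctly; only the first keeps |S| out of SR."""
    pub, sec = kgen(n)
    bv, hb = srep_bv(S, pub), srep_hash(S, pub)
    return {
        "bv_status": [mver_bv(bv, i, sec[i]) for i in range(n)],
        "hash_status": [mver_hash(hb, sec[i]) for i in range(n)],
        "bv_len": len(bv[1]),                       # always n, whatever S is
        "hash_len": len(hb[1]),                     # exactly |S|: the size leaks
    }
```

`compare` returns the membership answers from both schemes, which agree, together with the two representation lengths: the bit-vector always carries n bits, so it is size-hiding, while the hash-based representation carries exactly |S| digests, which is why the slides claim only membership privacy for it. In both, a coalition holding a_i can compute K_i alone; learning another user's bit or digest means computing g^{a_j b} from g^{a_j} and g^b, i.e., solving CDH.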
Conclusions
We have
• shown that key privacy and robustness imply security
• introduced a formal model for secret set
• proved that secret set and anonymous broadcast are equivalent w.r.t. a non-adaptive adversary
• provided security reductions for general and concrete secret set constructions
Open Problems
• anonymous broadcast and secret set: equivalent w.r.t. adaptive adversaries?
• does there exist a length-efficient membership-private and size-hiding secret set construction?
• does there exist a length-efficient membership-private secret set construction?
Thanks!