Dining Cryptographers

Paper by David Chaum (1988)
Presentation by Glenn Fink
CS 6204, Spring 2005


Dining Cryptographers: Overview

• Who says all the tough papers are at the end of the semester?
  – Anyone know what the Frobenius automorphism of the Galois group GF(p^n) is?
• But apart from this, there is still much of practical utility in the paper.


Dining Cryptographers

Act I: Three of a kind

• Flip Coins
• Make Observations
• Count Observations

Observations: “Same”, “Same”, “Same”

Result: #Diffs: 0 (Even), NSA Pays


Dining Cryptographers

Act II: Two of a kind

• Flip Coins
• Make Observations
• Count Observations

Observations: “Same”, “Different”, “Different”

Result: #Diffs: 2 (Even), NSA Pays


Dining Cryptographers

Act III: Two of a kind + Inversion

• Flip Coins
• Make Observations
• Count Observations

Observations: “Different” (* Inverted *), “Different”, “Different”

Payer: “I’m paying, but no one knows it’s me!”

Result: #Diffs: 3 (Odd), Some Cryptographer Pays


Proof Sketch (By Induction)

• All heads or all tails: 0 Diffs
• One tail, rest heads: 2 Diffs
  – On each side of tail
• Two tails, rest heads: 2 cases:
  I. Two tails are adjacent: 2 Diffs
  II. Two tails nonadjacent: 4 Diffs
• N+1 tails, rest heads: three cases:
  I. New tail is adjacent to one string of tails: No change
  II. New tail is nonadjacent to any string of tails: Two more diffs
  III. New tail connects two strings of tails: Two fewer diffs

[Figure: coin arrangements (H/T) illustrating the cases, with the Diffs marked]

Result: If everyone tells the truth, there will always be an even number of differences
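The parity claim of the proof sketch can be checked exhaustively for small tables. The following is an added example, not code from the presentation or from Chaum's paper; the ring layout (coin i sits between diner i and diner i+1), the encoding H=0/T=1 and the function names are assumptions. It also shows a case the slides do not draw: two simultaneous inversions cancel and the count is even again.

```python
from itertools import product

def announcements(coins, payers=()):
    """coins[i] is the coin shared by diner i and diner i+1 (ring order).
    Diner i compares coins[i-1] with coins[i] and says 1 for "Different",
    0 for "Same"; a payer inverts what they would have said."""
    said = []
    for i in range(len(coins)):
        diff = coins[i - 1] ^ coins[i]
        said.append(diff ^ (1 if i in payers else 0))
    return said

def parity(coins, payers=()):
    """Parity of the number of "Different" announcements (0 = even)."""
    return sum(announcements(coins, payers)) % 2

def check_all_rings(max_n=8):
    """Try every coin outcome for ring sizes 3..max_n.
    Returns the number of coin configurations checked."""
    checked = 0
    for n in range(3, max_n + 1):
        for coins in product((0, 1), repeat=n):
            assert parity(coins) == 0            # truthful table: even
            for p in range(n):
                assert parity(coins, {p}) == 1   # one inversion: odd
            assert parity(coins, {0, 1}) == 0    # two inversions cancel
            checked += 1
    return checked

if __name__ == "__main__":
    # Constructed coin values reproducing Acts II and III (H=0, T=1).
    print(announcements((0, 0, 1)))               # Act II
    print(announcements((0, 0, 1), payers={1}))   # Act III
    print(check_all_rings())
```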


Graph Theory Interpretation

• Persons = Nodes
• Keys = Edges
  – Shared by nodes
• Anonymity Set:
  – The set of nodes whose transmissions are indistinguishable
• Collusion
  – Sharing keys to expose another person’s transmissions
• Partial Collusion: Not all keys shared

[Figure: key graph with regions labelled Anonymity Set 0 and Anonymity Set 1]


Keys and Compromises

• A “key” is really just a history of all the quarters that will ever be flipped between two participants.
  – E.g., a string of bits
• Key compromise means that a third party also knows the results of each flip.

[Figure label: Shared Keys]


Practical Considerations

• Key Generation
  – Generate a true one-time pad via a physical random process
  – Generate a short key and expand it via pseudo-random process
• Key Distribution
  – Covertly: in person or via pre-shared symmetric cipher
  – Publicly: via a public-key-enabled key exchange
• Key Usage
  – Everyone sees the stream of bits from the message
  – Everyone sees the sum of the outputs of all the nodes
  – Comparing the sum at each round tells whether someone is transmitting, but…
  – … No one knows the originator of the message


Transmission Example: Round 1

• Flip Coins
• Make Observations
• Count Observations

[Diagram: network of participants labelled with the bit strings 1001, 0010, 0100, 0111, 1011 and 1100, with the per-node bit calculations for this round]


Transmission Example: Round 2

• Flip Coins
• Make Observations
• Count Observations

[Diagram: network of participants labelled with the bit strings 1001, 0010, 0100, 0111, 1011 and 1100, with the per-node bit calculations for this round]


Transmission Example: Round 3

• Flip Coins
• Make Observations
• Count Observations

[Diagram: network of participants labelled with the bit strings 1001, 0010, 0100, 0111, 1011 and 1100, with the per-node bit calculations for this round]


Transmission Example: Round 4

• Flip Coins
• Make Observations
• Count Observations

[Diagram: network of participants labelled with the bit strings 1001, 0010, 0100, 0111, 1011 and 1100, with the per-node bit calculations for this round]


Transmission Example: Summary

[Diagram: summary of the four rounds; labels: 0110, “Anonymous Transmission”]


Attacking the Dining Cryptographers

By partitioning a non-fully-connected network

[Diagram: partitioned network in which a “1” is transmitted]

• Sum = 1; Someone transmitted.
• Sum = 1; Transmitter is on this side.
• Sum = 0; Transmitter is not on this side.

Ring network can be attacked in n log n rounds

Fully-connected network requires n-1 attackers!
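The graph interpretation (persons = nodes, keys = edges) and the partition argument above, as an added example that is not code from the presentation or from Chaum's paper: it computes how far colluders who pool their keys can shrink the anonymity set on a ring versus a fully connected key graph. The six-node topologies, node numbering and function names are assumptions; key bits are constructed at random.

```python
import secrets
from functools import reduce
from operator import xor

def dc_round(n, edges, keys, sender, bit):
    """Each node publishes the XOR of its edge key bits; the sender also XORs in `bit`."""
    out = [0] * n
    for (a, b), k in zip(edges, keys):
        out[a] ^= k
        out[b] ^= k
    out[sender] ^= bit
    return out

def components(n, edges, removed):
    """Connected components of the key graph without the `removed` nodes."""
    adj = {v: set() for v in range(n) if v not in removed}
    for a, b in edges:
        if a in adj and b in adj:
            adj[a].add(b)
            adj[b].add(a)
    comps, seen = [], set()
    for start in adj:
        if start in seen:
            continue
        comp, stack = set(), [start]
        while stack:
            u = stack.pop()
            if u not in comp:
                comp.add(u)
                stack.extend(adj[u] - comp)
        seen |= comp
        comps.append(comp)
    return comps

def anonymity_set(n, edges, colluders, sender, bit=1):
    """Nodes the colluders cannot tell apart when `sender` (a non-colluder) sends `bit`."""
    keys = [secrets.randbits(1) for _ in edges]  # constructed key bits
    out = dc_round(n, edges, keys, sender, bit)
    assert reduce(xor, out) == bit               # public sum of all outputs
    for comp in components(n, edges, colluders):
        s = reduce(xor, (out[v] for v in comp))  # partial sum of one side
        for (a, b), k in zip(edges, keys):
            if (a in comp) != (b in comp):       # key shared with a colluder
                s ^= k
        if s:
            return comp
    return set()

RING = [(i, (i + 1) % 6) for i in range(6)]                # assumed topology
FULL = [(a, b) for a in range(6) for b in range(a + 1, 6)]
```

With colluders {0, 3} and sender 4, `anonymity_set(6, RING, {0, 3}, 4)` narrows the sender to the arc {4, 5}, while the same call on `FULL` leaves all four non-colluding nodes indistinguishable.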


Conclusion

• Chaum’s protocol allows parties to transmit anonymous messages in public.
• The protocol is highly resistant to collusion attacks.
  – But attacks are possible because anonymity degrades with time.
  – Protocol does not protect physical path tracing.
  – Protocol does not provide for message confidentiality.
• Communication via this protocol is four times less efficient on average than traceable transmission protocols.
• Protocol forms the basis for Chaum’s DC-Net.


Other References

• Good source of information on all sorts of anonymity schemes:
  – http://www.freehaven.net/anonbib
• Tutorial presentation given at ACM CCS 2004 on anonymity:
  – http://www.cs.georgetown.edu/~clay/ccs-anon.ppt