Embed Size (px)
Citation preview
Lecturer: Moni Naor
Foundations of PrivacyFormal Lecture
Zero-Knowledge and Deniable Authentication
Giving talks
Advice on giving Academic Talks
• Giving an Academic Talk by Jonathan Shewchuk • Oral Presentation Advice by Mark D. Hill • Pointers on giving a talk by David Messerschmitt • How to give a good talk by Hany Farid • Giving Talks by Tom Cormen
Authentication and Non-Repudiation• Key idea of modern cryptography [Diffie-Hellman]:
can make authentication (signatures) transferable to third party - Non-repudiation.
– Essential to contract signing, e-commerce…• Digital Signatures: last 25 years major effort in
– Research• Notions of security• Computationally efficient constructions
– Technology, Infrastructure (PKI), Commerce, Legal
Is non-repudiation always desirable?
Not necessarily so:• Privacy of conversation, no (verifiable) record.
– Do you want everything you ever said to be held against you?
• If Bob pays for the authentication, shouldn't be able to transfer it for free
• Perhaps can gain efficiency
Alternative: (Plausible) DeniabilityIf the recipient (or any recipient) could have generated the conversation himself
or an indistinguishable one
Deniable AuthenticationSetting:• Sender has a public key known to receiver• Want to an authentication scheme such that the receiver
keeps no receipt of conversation.
This means:• Any receiver could have generated the conversation itself.
– There is a simulator that for any message m and verifier V* generates an indistinguishable conversation.
– Exactly as in Zero-Knowledge!– An example where zero-knowledge is the ends, not the means!
Proof of security consists of Unforgeability and Deniability
Encryption• Assume a public key encryption scheme E• Public key Pk – knowing Pk can encrypt message m
– Compute Y=E(Pk, m)• With corresponding secret key Ps, given y can
retrieve mm=D(Ps, E(Pk, m))
• Process is probabilistic: to actually encrypt choose random string and compute Y=E(PK, x, ).
Plaintext
ciphertext
Deniable AuthenticationCompleteness for any good sender and receiver possible to complete
the authentication on any message
Unforgeability Existential unforgeable against adaptive chosen message attack – Adversary can ask to authenticate any sequence m1, m2, …– Has to succeed in making V accept a message m not
previously authenticated– Has complete control over the channels
Deniability – For any(?) verifier, there is simulator that can generate
computationally indistinguishable conversations.
Interactive AuthenticationP wants to convince V that he is approving message m
P has a public key Pk and a secret key Ps of encryption scheme E.
To authenticate a message m:• V P: Choose x 2R {0,1}n. Send c=E(PK, m ° x)• P V: Receiving c
Decrypt c using Ps
Verify that prefix of plaintext is m. If yes - send x.V is satisfied if he receives the same x he chose
Is it Safe?Want: Existential unforgeability against adaptive chosen message
attack– Adversary can ask to authenticate any sequence m1, m2, …
– Has to succeed in making V accept a message m not authenticated– Has complete control over the channels
• Intuition of security: if E does not leak information about plaintext – Nothing is leaked about x
Unforgeability: depends on the strength of E• Sensitive to malleability:
– if given E(PK, mx, ) can generate E(PK, m’x’, ’) where m’ is related to m and x’ is related to x then can forge.
Security of the schemeUnforgeability: depends on the strength of E• Sensitive to malleability:
– if given E(PK, mr, ) can generate E(PK, m’r’, ’) where m’ is related to m and r’ is related to x then can forge.
• The protocol allows a chosen ciphertext attack on E.– Even of the post-processing kind!
• Can prove that any strategy for existential forgery can be translated into a CCA strategy on E
• Works even against concurrent executions.
Deniability: does V retain a receipt??– It does not retain one for an honest V– Need to prove knowledge of r
There are encryption schemes satisfying the desired requirements
No receipts
• Can the verifier convince third party that the prover approved a certain message?
Simulator for honest receiverChoose x R {0,1}n.
Output: hY=E(PK, mx, ), x, i
Has exactly the same distribution as a real conversation when the verifier is following the protocolStatistical indistinguishability
Verifier might cheat by checking whether certain ciphertext have as a prefix mNo known concrete way of doing harm this way
Commitment Schemes
– Hiding: A computationally bounded receiver learns nothing about X.
– Binding: s can only be “opened” to the value X.
ReceiverSenderCommit
Phase
Sender ReceiverX
s
Reveal
Phase v
X
X
Reveal Verification Algorithm
s, v, X
yes/no
Encryption as Commitment
When the public key PK is fixed and known Y=E(PK, x, ) can be seen as commitment to x
To open x: reveal , the random bits used to create Y
Perfect binding: from unique decryption For any Y there are no two different x and x’ and and ’ s.t.
Y=E(PK, x, ) =E(PK, x’, ’)
Secrecy: no information about x is leaked to those not knowing private key PS
Deniable Protocol P has a public key PK of an encryption scheme E.
To authenticate message m:• V P: Choose xR{0,1}n. Send Y=E(PK, mx, )
• P V: Decrypt Y=E(PKj, mx, ),
Send E(PK, x, )• V P: Send x and - opening Y=E(PK, mx, )• P V: Verify consistency and open E(PK, x, ) by
sending .
P commits to the value x.
Does not reveal it yet
Security of the schemeUnforgeability: as before - depends on the strength of E
can simulate previous scheme (with access to D(PK , . ))
Important property: E(PK, x, ) is a non-malleable commitment (wrt the encryption) to x.
Deniability: can run simulator:• Extract x by running with E(PK, garbage, ) and
rewinding– Expected polynomial time
• Need the semantic security of E - acts as a commitment scheme
In Step 2.Instead of E(PK, x, )
Complexity of the scheme
Sender: single decryption, single encryption and singe encryption verification
Receiver: same
Communication Complexity: O(1) public-key encryptions
Ring Signatures and AuthenticationWant to keep the sender anonymous by proving
that the signer is a member of an ad hoc set – Other members do not cooperate– Use their `regular’ public-keys– Should be indistinguishable which member of the set
is actually doing the authentication
Bob
Alice? Eve
Ring Authentication Setting• A ring is an arbitrary set of participants including the
authenticator • Each member i of the ring has a public encryption
key PKi
– Only i knows the corresponding secret key PSi
• To run a ring authentication protocol both sides need to know PK1
, PK2, …, PKn
the public keys of the ring members
...
Deniable Ring AuthenticationCompleteness for any good sender and receiver possible to complete the
authentication on any message Unforgeability Existential unforgeable against adaptive chosen message attack
Deniability – For any verifier, for any arbitrary set of keys, some good some bad,
there is simulator that can generate computationally indistinguishable conversations.
Source Hiding:– For any verifier, for any arbitrary set of keys, some good some bad, the
source is computationally indistinguishable among the good keys
Source Hiding and Deniability – incomparable
An almost Good Ring Authentication ProtocolRing has public keys PK1
, PK2, …, PKn
of encryption scheme E
To authenticate message m with jth decryption key PSj:
V P: Choose x {0,1}n. Send E(PK1
, mx, 1), E(PK2, mx, 2), …, E(PKn
, mx, n)
P V: Decrypt E(PKj, mx, j), using PSj
and
Send E(PK1, x, 1), E(PK2
, x, 2), …, E(PKn, x, n)
V P: open all the E(PKi, mx, i)’s by
Send x and 1, 2 ,…, n
P V: Verify consistency and open all E(PKi, x, i) by
Send x and 1, 2 ,… n
Problem: what if not all suffixes (x‘s) are equal
And the adversary knows one the keys!
The Ring Authentication ProtocolRing has public keys PK1
, PK2, …, PKn
of encryption scheme E
To authenticate message m with jth decryption key PSj:
V P: Choose x {0,1}n. Send E(PK1
, mx, 1), E(PK2, mx, 2), …, E(PKn
, mx, n)
P V: Decrypt E(PKj, mx, j), using PSj
and
Send E(PK1, x1, 1), E(PK2
, x2, 2), …, E(PKn, xn, n)
Where x=x1+x2 + xn
V P: open all the E(PKj, mx, j)’s, by
Send x and 1, 2 ,…, n
P V: Verify consistency and open all E(PKi, x, i) by
Send x1, x2, …, xn and 1, 2 ,… n
Complexity of the scheme
Sender: single decryption, n encryptions and n encryption verifications
Receiver: n encryptions and n encryption verifications
Communication Complexity: O(n) public-key encryptions
Security of the scheme
Unforgeability: as before (assuming all keys are well chosen) since
E(PK1, x1, t1), E(PK2
, x2, t2),…,E(PK1, xn, tn)
where x=x1+x2 + xn
is a non-malleable commitment to x
Source Hiding: which key was used (among well chosen keys) is – Computationally indistinguishable during protocol– Statistically indistinguishable after protocol
• If ends successfully
Deniability: Can run simulator `as before’
Properties of the Scheme
• Works with any good encryption scheme - members of the ring are unwilling participants.
• Fairly efficient scheme:– Need n encryptions n verifications and one decryption
• Can extend the scheme so that convince a verifier that At least k members confirm the message.
Extended ProtocolRing has public keys PK1
, PK2, …, PKn
of encryption scheme E
To authenticate message m with subset T of decryption keys: :
To authenticate message m with subset T of decryption keys:• V P: Choose r {0,1}n. and split into shares x1, x2, … xn
Send E(PK1, mx1, r1), E(PK2
, mx2, r2), …, E(PK1, mxn, rn)
• P V: For each jT decrypt E(PKj, mxj, rj) using PSj
and reconstruct r Send E(PK1
, x’1, 1), E(PK2, x’2, 2), …, E(PKn
, x’n, n)
Where r=x’1+x’2 + x’n
• V P: open all the E(PKi, mxj, ri) by
Send x1, x2, … xn and r1, r2 ,… rn
• P V: Verify consistency and open all E(PKi, x, ti) by
Send t1, t2 ,… tn and x’1, x’2 ,…, x’n
Ring Signatures [RST]
Rivest, Shamir and Tauman proposed Ring Signatures:• Signature on message m by a member of an ad hoc set of
participants– Using existing Infrastructure for signatures
• For a generated signature the source is (statistically) indistinguishable
• Non-repudiation - recipient can convince a third party of the authenticity of a signature
• Non-interactive - single round • Efficient - if underlying signature is low exponent RSA/Rabin
– Need Ideal Cipher for combining function
• What are the social implications of the existence of ring authentication and signatures?
Related NotionsDeniability and anonymity can have many meanings…, long
history in Crypto• Deniable Encryption• Undeniable signatures
– Chameleon signatures (Krawczyk and Rabin 98).• Group signatures
The signature is intended for ultimate adjudication by a third party (judge).
– Not deniable if secret keys are revealed!• Designated verifier proofs
Coming Lectures • Randomized Response
– Stanley L. Warner, Randomized Response: A Survey Technique for Eliminating Evasive Answer Bias,
– Moran and Naor, Polling with Physical Envelopes: A Rigorous Analysis of a Human-Centric Protocol,
• More Randomized Response – Evfimievski, Gehrke, and Srikant.
Limiting Privacy Breaches in Privacy Preserving Data Mining. (PODS 2003). – Nina Mishra and Mark Sandler, Privacy via Pseudorandom Sketches, PODS 2006
• K- Anonymity and Linkability – Latanya Sweeney. k-anonymity: a model for protecting privacy. International Journal on
Uncertainty, Fuzziness and Knowledge-based Systems, 10 (5), 2002; 557-570. – A. Narayanan, V. Shmatikov. How To Break Anonymity of the Netflix Prize Dataset. – Machanavajjhala, Gehrke, Kifer, and M. Venkitasubramaniam,
L-diversity: Privacy beyond k-anonymity. In Proc. 22nd Int Conf. Data Eng. (ICDE), page 24, 2006.
– Ninghui Li, Tiancheng Li, Suresh Venkatasubramanian. t-closeness: Privacy Beyond k-Anonymity and l-Diversity ICDE 2007.
• Auditing– J. Kleinberg, C. Papadimitriou, P. Raghavan, Auditing Boolean Attributes, PODS 2000. – Krishnaram Kenthapadi, Nina Mishra, Kobbi Nissim, Simulatable Auditing, PODS 2005.
Coming Lectures
– Irit Dinur and Kobbi Nissim, Revealing information while preserving privacy. PODS, 2003. – Cynthia Dwork, Frank McSherry and Kunal Talwar,
The price of privacy and the limits of LP decoding. STOC 2007, • Differntial Privacy
– Cynthia Dwork, Frank McSherry, Kobbi Nissim and Adam Smith: Calibrating Noise to Sensitivity in Private Data Analysis. TCC 2006,
– A. Blum, C. Dwork, F. McSherry, and K. Nissim, Practical Privacy: The SuLQ Framework, PODS, 2005.
• Contingency Tables– Boaz Barak, Kamalika Chaudhuri, Cynthia Dwork, Satyen Kale, Frank McSherry and Kunal
Talwar, Privacy, accuracy, and consistency too: a holistic solution to contingency table release. PODS 2007: 273-282
– Lars Backstrom, Cynthia Dwork and Jon M. Kleinberg: Wherefore art thou r3579x?: Anonymized social networks, hidden patterns, and structural steganography. WWW 2007
• Application of Differential Privacy– Kunal Talwar and Frank McSherry, Mechanism Design via Differential Privacy. FOCS, 2007. – Kobbi Nissim, Sofya Raskhodnikova and Adam Smith. Smooth Sensitivity and Sampling in
Private Data Analysis , STOC 2007,
Extras
• Fuzzy Extractors
• RFIDs, – Yossi Oren and Adi Shamir, Power Analysis of RFID Tags – Stephen A. Weis Security of HB+
• Face\Vision Crowd – Enabling Video Privacy through Computer Vision – E. Newton, L. Sweeney, and B. Malin. Preserving Privacy by De-
identifying Facial Images
