UMBC Protocol Meeting 10/01/03
Universal Re-encryption: For Mix-Nets and Other Applications
(to appear CT-RSA ’04)
Paul Syverson, NRL
Markus Jakobsson, Ari Juels, RSA Labs
Philippe Golle, Stanford (now at PARC)
Extra Acknowledgements
• Most Mix illustrations cribbed from a talk by Ari Juels
• Some RFID slides cribbed from Markus Jakobsson’s ACM WiSe’03 talk
• See their Web pages for originals
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
What does a mix network do?
[Figure: message 1 … message 4 enter a mix network, which randomly permutes and decrypts its inputs]
Key property: the adversary can’t tell which ciphertext corresponds to a given message
Example application: Anonymizing bulletin board or e-mail
[Figure: posts “From Alice”, “From Bob”, “From Charlie” enter the mix; the board shows “I love Alice”, “Nobody loves Bob”, “I love Charlie” with no link to the senders]
Is it Bob, Charlie, self-love, or other?
A look under the hood
Basic Mix (Chaum ‘81)
[Figure: Server 1, Server 2, Server 3 with public keys PK1, PK2, PK3]
Encryption of Message
[Figure: message wrapped in turn under PK3, PK2, PK1]
Ciphertext = E_PK1[E_PK2[E_PK3[message]]]
Basic Chaumian Mix
[Figure: inputs m1, m2, m3 pass through Server 1, Server 2, Server 3; each server decrypts one layer and permutes (m1, m2, m3 → m2, m3, m1 → m2, m1, m3 → m2, m3, m1)]
Observe: As long as one server is honest, privacy is preserved
Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3; with one server gone, m3?]
What if one server fails?
[Figure: Server 2’s secret key SK2 is unavailable]
• Previous solution ideas:
– Robustness: share key among other mixes; twinning; splitting
– Reliability: track and use reputable mixes
What if one server fails?
[Figure: Server 1, Server 2, Server 3; SK2 crossed out]
• New idea: mixing without keys
• No need to depend on any server (recovery mechanism)
• No need to trust servers to protect keys
• No need for PKI
A look further under the hood
Basic Re-encryption Mixnet
• Inputs are ciphertexts
• Outputs are a re-encryption of the inputs
• ElGamal public key encryption:
– Anyone can encrypt with the public key e
– Those who know the secret key d can also decrypt
– Malleable: can produce E2(m) from E1(m) without knowing d
– Verifiable
– Multiplicative homomorphism: given E(m) and E(m’) I can produce E(mm’)
Universal Re-encryption Mixnet
• Inputs are ciphertexts
• Outputs are a re-encryption of the inputs
• ElGamal public key encryption:
– Anyone can encrypt without the public key e
– Those who know the secret key d can also decrypt
– Messages encrypted with different keys are indistinguishable
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
Randomized Public-Key Cryptosystem
• (PK, SK) ← KG : generate key pairs
• C ← E(m, r, PK) : encryption of m
• m ← D(SK, C) : decryption of C
Semantic Security
• Adversary chooses (m0, m1)
• Messages are encrypted: (C0, C1) = (E(m0, r0, PK), E(m1, r1, PK)) and randomly permuted
• If the adversary determines the order correctly no better than by guessing (within a negligible advantage), the system is semantically secure
Re-encryption
• Given:
– Randomized public-key cryptosystem
– Ciphertexts of form C = E(m, r, PK)
• C’ ← Re(C, r’, PK) : re-encryption of m
Semantic Security underRe-encryption
• Adversary chooses (C0, C1)
• Messages are re-encrypted: (C0’, C1’) = (Re(C0, r0’, PK), Re(C1, r1’, PK)) and randomly permuted
• If the adversary gets the order correct no better than by guessing (within a negligible advantage), the system is semantically secure under re-encryption
Key-Privacy (Anonymity)
• Adversary chooses message m
• m is encrypted under PK0 and PK1: E(m, PK0) = C0, E(m, PK1) = C1
• If the adversary guesses the correspondence of ciphertext with public key with negligible advantage, the scheme satisfies key-privacy
• Bellare et al. (ASIACRYPT’01) showed ElGamal provides anonymity under chosen-ciphertext attack assuming DDH.
Universal Re-encryption
• Given:
– Randomized public-key cryptosystem
– Ciphertexts of form C = E(m, r, PK)
• C’ ← URe(C, r’) : universal re-encryption of m (no PK needed)
Universal Semantic Security under Re-encryption
• Combines semantic security and key-privacy
• Given PK0 and PK1, adversary chooses (m0, m1, r0, r1) to produce (C0, C1)
• Messages are universally re-encrypted: (C0’, C1’) = (URe(C0, r0’), URe(C1, r1’))
• Ciphertexts are randomly ordered: (Cb’, C1-b’)
• If the adversary gets the order correct no better than by guessing (within a negligible advantage), the system is universally semantically secure under re-encryption
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• ElGamal based Universal Re-encryption
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
ElGamal Encryption
• P, Q are prime, P = 2Q + 1
• GQ subgroup of ZP* of order Q
• g generator of GQ
• x ∈ GQ is the private key
• y = g^x mod P is the public key
• E(m) = (g^r, m·y^r) where r ∈ GQ, r random
• D(G, M) = M/G^x = m·y^r / g^{xr} = m
ElGamal with Re-encryption
• Ciphertext (G, M)
• Re-encryption (G’, M’) = (G·g^{r’}, M·y^{r’})
• Needs public key y but not private key
• D(G’, M’) = M’/G’^x = m·y^{rr’} / g^{xrr’} = m
• Introduced for voting
• Much work on efficient provable shuffles
Universal Re-encryption
• (a, b) = (E[m]; E[1]), where E is ElGamal encryption
• (a’, b’) = (R[b, k]·a; R[b, k’])
• R[*, k] is re-encryption with random k
• (E[m]’, E[1]’) = [(m·y^r·y^{kr’}, g^r·g^{kr’}), (y^{r’k’}, g^{r’k’})]
• D(E[m]’) = M’/G’^x = m·y^{krr’} / g^{xkrr’} = m
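As an added example (not code from the paper or these slides), a small Python implementation of the ElGamal universal re-encryption described above: the ciphertext is the pair (E[m], E[1]), re-encryption uses no key at all, and a recipient recognizes a message addressed to her by checking that the blank E[1] decrypts to 1, which is the “try decrypting all messages” step of the bulletin board slides later on. The safe prime P = 1019, the generator 4, and the message-to-subgroup encoding are assumptions chosen to make the toy runnable, not parameters from the paper.

```python
import secrets
# Toy parameters (assumption, not from the paper): safe prime P = 2Q+1; real use needs 2048+ bits
P, Q = 1019, 509
G = 4  # a square mod P, so it generates G_Q (every element of G_Q except 1 does)

def rand_exp():
    return 1 + secrets.randbelow(Q - 1)  # exponent in [1, Q-1], never 0

def keygen():
    x = rand_exp()              # private key x
    return x, pow(G, x, P)      # public key y = g^x mod P

def encode(v):
    # Map 1 <= v <= Q into G_Q: P = 3 mod 4, so exactly one of v, P-v is a square
    return v if pow(v, Q, P) == 1 else P - v

def decode(m):
    return m if m <= Q else P - m

def elgamal_enc(m, y, r):
    return (pow(G, r, P), m * pow(y, r, P) % P)  # (g^r, m*y^r)

def universal_enc(v, y):
    # Universal ciphertext = (E[m], E[1]); E[1] is the "universal blank"
    return (elgamal_enc(encode(v), y, rand_exp()), elgamal_enc(1, y, rand_exp()))

def universal_reenc(ct):
    # No key needed: fold E[1]^k into E[m]; E[1]^k' becomes the new blank
    (g1, m1), (g2, m2) = ct
    k, k2 = rand_exp(), rand_exp()
    return ((g1 * pow(g2, k, P) % P, m1 * pow(m2, k, P) % P),
            (pow(g2, k2, P), pow(m2, k2, P)))

def universal_dec(ct, x):
    # Return plaintext, or None when the blank does not decrypt to 1 (not ours)
    (g1, m1), (g2, m2) = ct
    if m2 * pow(g2, -x, P) % P != 1:
        return None
    return decode(m1 * pow(g1, -x, P) % P)

def demo():
    # Alice's message survives keyless re-encryption; Bob's key does not open it
    x_alice, y_alice = keygen()
    x_bob = x_alice
    while x_bob == x_alice:
        x_bob, _ = keygen()
    ct = universal_enc(42, y_alice)
    ct2 = universal_reenc(ct)  # done by a mix server or a passing RFID reader
    return ct != ct2, universal_dec(ct2, x_alice), universal_dec(ct2, x_bob)
```

Because Bob's check on the blank fails, he learns nothing about whether the post is even addressed to Alice; the cost is that every recipient must attempt this check on every post.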
Symmetric-hybrid Encryption
• U[k1], U[1], e[k1, m]
• U[1] is a universal blank: can be converted to U[mi], can be reused
• e[k1, m] is symmetric encryption of m
• Final message: U[k1], U[k2], …, U[kn], e[kn, e[kn-1, … e[k1, m] …]]
• Can also do an asymmetric hybrid
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Low Volume Bulletin Board, RFID Privacy
• Security Arguments
Universal Mixnet (Bulletin Board)
• Senders post messages universally encrypted for recipients
• Proof of Knowledge if nonmalleability desired
• Any server can download, mix, and repost any or all messages
• Servers can be dynamic
• Shuffle proof if desired
• No PKI and less trust of each server
• No robustness/reliability issues with server failure
• No overhead or threats from replay (universal semantic security)
Low Volume Bulletin Board
• Suppose a bulletin board as above
• Can mix with previous messages on board
• Advantage: less delay retrieving new posts
• Advantage: no need to detect replay (sort of)
• Disadvantage: must try decrypting all messages to find ones for you
• Mitigate growth with message removal after PoK?
RFID Tags
• EZ Pass automated toll payment
• Supermarket shipment tracking, stock monitoring, theft prevention
• Consumer stock monitoring, ordering
• Consumer theft-protection of belongings
• Implants in family pets
• Monitoring cash flows (500 Euro notes)
Privacy Problems
[Figure: a reader scanning a passer-by’s tags learns: 500 Euros in wallet (serial numbers 597387, 389473, …); wig model #4456 (cheap polyester); 30 items of lingerie; Das Kapital (paid with Amex card 345882299); pack of cigarettes (fourth pack this week)]
Privacy Solutions? Method 1: Place RFID tags in protective mesh or foil
Problem: makes locomotion difficult… perhaps useful for wallets
Privacy Solutions? Method 2: “Kill” RFID tags
Problem: RFID tags are much too useful…
Privacy Solutions? Method 2: “Put to sleep” RFID tags
Problems:
• No continuous use
• Complexity, key management, trust
Privacy Solution: Blocker Tags (Juels, Rivest & Szydlo)
[Figure: the reader sees “1, 2, 3, …, 2023 pairs of sneakers and… (reading fails)…”]
Blocker simulates all (billions of) possible tag serial numbers!!
Universal Re-encryption for RFID Tag Privacy (Example)
• Alice is at the supermarket checkout.
• She uses PK_Alice from her fidelity card.
• Cashier creates universal ciphertexts on Alice’s purchase IDs.
• As Alice walks home, she passes readers that re-encrypt her tags, or does it herself.
• Alice enters home; tags are decrypted for home use.
Security of ElGamal based BB
• Correctness: can do shuffle proofs of correct mixing
• Communication privacy: if the universal cryptosystem is universally semantically secure, then the bulletin board construction provides communication privacy.
• For the ElGamal implementation, communication privacy reduces to DDH.
Conclusions
• Universal Re-encryption: new primitive
• Proven security:
– ElGamal BB is correct (wrt mixing)
– ElGamal BB reducible to DDH
• Applications:
– Reduced trust in mixes
– Less complex mixnets (no PKI)
– Privacy preserving RFID tags
• Future:
– Reduce receiver overhead in bulletin board
– Meteor Mixing (with George Danezis)