Unlinkability and Redundancy in Anonymous Publication Systems


Christian Boesgaard
Department of Computer Science, University of Copenhagen, Denmark
January 22

1 Introduction

An anonymous publication system¹ (APS) is an Internet-based system where a person can publish a document (which can be any kind of file) by uploading it to the system, where it is stored on one or more storage servers. The publisher can inform others about the document, and they can then download a set of files and make their own copy of it using a recipe that contains the information needed to locate and reassemble the copy. An APS is used to give people the ability to publish their thoughts anonymously and protected against censorship. The APS must protect the privacy of the people using it by making it difficult to identify them, and the servers in the system must also be protected against censorship. Availability of documents is another concern: because APSs are often based on a set of unstable or vulnerable servers, the infrastructure must support redundancy.

In most nations there are limits on free speech; an APS is a means to provide free speech. APSs deploy a set of countermeasures to prevent censorship, for example anonymity of users or servers. If there is a connection between the content on storage servers and documents, a person or organization can use this connection to exercise censorship by using a legal system to force a storage server operator to remove the offending content. The Scientology organization has, for example, done this multiple times against people who used the Internet to publish material critical of the organization.² Furthermore, a storage server operator might be punished for storing content that can be connected to certain documents. I will refer to such attacks as legal attacks and use illegal document to denote a document that can be used to mount a legal attack.

¹ The distinction between publication and storage systems is not relevant for the subject of this report, and the conclusions hold for storage systems as well.
² Scientology vs. the Internet, Wikipedia, Scientology_vs._the_Internet (January 2004).

In this report, I discuss storage schemes where the connection between content on storage servers and documents is hidden to prevent legal attacks, thereby providing unlinkability, and which also provide redundant storage. This work is an extended version of a paper that will be submitted to PET2004: Workshop on Privacy Enhancing Technologies [2]. It is a follow-up to some of the work done for my master's thesis on the APS YÅPS [1].

1.1 Problem

In most APSs, for example Freenet [3] or Free Haven [4], an encrypted version of a document is stored on one or more storage servers, and the operator of a storage server cannot easily find the key for the content she stores. This makes it possible for a storage operator to plausibly deny any knowledge of the stored content. In such an approach, there is a direct connection between content on a storage server and a document. In Freenet, documents are stored on a single storage server; in Free Haven a document is divided into a number of pieces using IDA (see Section 5), which are stored together with information that links the pieces together.³

³ It is, however, not possible to find the other pieces given one piece.

The direct connection between content on storage servers and documents can create problems:

- In APSs where storage servers are not anonymous, an adversary who finds information on how to recreate an illegal document can mount a legal attack against the storage servers that store content connected to the document.
- In APSs with anonymous storage servers, an adversary can:
  - take control of a set of servers in the APS, search them to find out which documents are connected to which storage servers, and use this as a basis for legal attacks if any illegal documents are found;
  - use information on how to recreate an illegal document to direct attacks against the set of storage servers, reveal their operators' identities, and mount legal attacks.

A storage scheme that solves these problems by hiding the connection between content and documents should also support redundant storage.

1.2 Approach

In this report, I explore how it can be made hard or impossible for an adversary to make a connection between content on storage servers and documents. I define the requirement as unlinkability between content and documents and discuss the practical requirements of a solution.

I discuss how so-called secret sharing and information dispersal can be used in an APS to provide unlinkability, and how these schemes can be combined into storage schemes that provide unlinkability as well as redundant storage.

2 Related Work

I have used work on definitions of anonymity [7] as an inspiration to formalize the connection between content and documents using unlinkability. Unlinkability is also related to Shannon's definition of perfect secrecy [11].

Secret sharing [5, Section 12.7] is a way to divide a document into a number of shares such that the document can be recreated from a subset of the shares. Secret sharing is traditionally used to protect confidential material, for example by distributing a cryptographic key to a number of trusted people such that even if some of them are untrustworthy, they cannot give the confidential material away unencrypted. A secret-sharing scheme is said to be perfect if nothing can be learned about a document from a set of shares that cannot be used to recreate the document. Secret sharing can be used in APSs to divide documents into shares and store the shares at different storage servers, such that there is no apparent connection between content on storage servers and documents. I discuss this in Section 4.

Entanglement is a scheme that reuses shares in an APS to further remove connections between shares and documents. Even though a share could in theory be used to create any document, possession of all shares would reveal the real connections if each share could only be used to create one unique document. This problem can be reduced by entanglement. Entanglement in APSs was introduced in Tangler [12] (a centralized APS) to prevent censorship by removal of shares, because a removal could affect a number of documents. The idea of Tangler has been discussed in relation to plausible deniability, because it removes the relation between retrieving a specific share and a specific document,⁴ but to protect the users (not the server operators). If an adversary gets access to all shares in an APS, it would be hard to mount a legal attack against a storage server operator if the shares on her server could be used to recreate a set of documents (where at least some were protected as legal by the legal system).

⁴ Roger Dingledine of the Free Haven project discusses entanglement on the development mailing list, April, msg00007.html (January 2004).

As previously explained, a storage scheme must also provide redundancy. Replication is a simple solution, but other solutions are more space efficient (or provide better redundancy), such as Rabin's information dispersal algorithm [8] (in the following I refer to this simply as IDA). IDA is used to divide a document into a number of pieces in such a way that if a document requires m shares to be recreated, IDA can create n shares where every subset of m distinct shares can be used to recreate the document. Furthermore, the size of m shares is comparable to the size of the document. I will discuss how IDA can be used to provide both unlinkability and redundancy in Section 5.

In my master's thesis [1], I present an APS where a document is generally saved using a combination of secret sharing and IDA, but it does not support entanglement. I discuss this in Section 6.

3 Unlinkability

To propose a scheme that hides the connection between content on storage servers and documents, this connection must be defined. In the following I formalize the concept of a connection and define unlinkability to describe a hidden connection.

3.1 Definition of Unlinkability

I use share to denote content on storage servers and link to describe the connection between shares and documents. If, in an APS with a specific storage scheme, it is impossible to demonstrate a link between one share and one document, the share is unlinkable with the document:

Unlinkability is a state where a share s can be used to recreate all documents in a set of at least two different documents.

It must be possible, in practice, to show that a share can be used to recreate different documents if unlinkability is to provide realistic protection.

Example: Given a share s that can be used to create parts of The Catcher in the Rye and The Holy Bible, it is not possible to show which document s represents. The share s is unlinkable with a specific document.

If a share can be used to recreate any document, I use the term perfect unlinkability:

Perfect unlinkability is a state where a share s can be used to recreate all documents in the infinite set of all documents.

Example: Given any share s, it is not possible to show that s represents a part of The Catcher in the Rye rather than a part of any other document. The share s is unlinkable with any finite set of documents. It must be possible, in practice, to show that s could be used to recreate any document.

Note that perfect unlinkability is a variant of Shannon's definition of perfect secrecy [11], used here to define links in an APS.

3.2 The Effect of Unlinkability

Perfect unlinkability makes it impossible for an adversary to use a share as a basis for a legal attack. Even if an adversary can publish a document d by storing a share s, and later finds s on Bob's server, the adversary cannot show

that the s on Bob's server originated from d.⁵ Furthermore, it is impossible for Bob to know anything about the documents that the shares on his server originate from. Even if it is shown that a document d can be recreated from a share on Bob's server, this cannot be used to demonstrate anything about the origin of that share (as anyone would be able to generate information to recreate another document from the share on Bob's server). Non-perfect unlinkability only provides protection for a storage server storing the share s if it is possible to create documents that cannot be used as a basis for a legal attack.

Unlinkability is realized using a scheme that creates a set of shares, which are stored on storage servers. Because it is hard to verify that a share was created by a scheme providing unlinkability, it is possible to place content at servers that is not unlinkable to a document. An adversary who wishes to harm a storage server operator could, for example, place an encrypted illegal document as a share on a storage server and mount a legal attack on the server. In theory, this share is still unlinkable with any document, but in practice it would be extremely unlikely that a random share produces a meaningful document given an encryption key, and I think it would be hard to convince a jury that the share had no connection with the presented document. However, if the document represented something the adversary considered illegal, and the adversary placed the material, the case might actually be hard to win.⁶

⁵ However, if the adversary can prove that the publication process did store s on Bob's server, the adversary would probably still be able to convince a court that Bob stored a piece of d.
⁶ Even a multi-level unlinkability scheme, with shares produced by users further transformed by storage servers, will not work. The storage servers would need to store the produced shares on other servers, which again would need to provide unlinkability, and so on.

4 Secret Sharing

Secret sharing is a scheme used to divide a document into pieces such that a subset of the pieces is needed to recreate the document.

Example: "You're setting up a launch program for a nuclear missile. You want to make sure that no single raving lunatic can initiate a launch. You want to make sure that no two raving lunatics can initiate a launch. You want at least three out of five officers to be raving lunatics before you allow a launch" [9, Section 3.7]. In this case you could use a secret sharing scheme to divide the launch codes into five pieces and give each officer a piece. It would then require three of the officers and their pieces to recreate the launch codes.

In the following I explain how secret sharing can be used to provide perfect unlinkability. I use block to denote a part of a document. In a secret sharing scheme a document is divided into n pieces, and k (where $k \le n$) pieces are needed to recreate the document. The following holds for a secret sharing scheme: k pieces can be used to recreate the document, but $k - 1$ or fewer

shares cannot. In a perfect secret sharing scheme, possession of $k - 1$ or fewer shares cannot be used to learn anything about the document. A (k, n)-threshold secret sharing scheme is a scheme that makes it possible to divide a block B into n shares, where any subset of k distinct shares can be used to recreate B (where n and k can be freely chosen as long as $k \le n$).

Example: Shamir's threshold scheme [10] is an example of a (k, n)-threshold secret sharing scheme. It is based on polynomial equations in a finite field $\mathbb{Z}_p$ (where p is a prime). A k-degree polynomial is constructed from the secret, and the polynomial is evaluated at n different points. Any subset of k of the n values can be used to recreate the original polynomial. A disadvantage of Shamir's scheme for use in storage systems is that, in addition to the shares, data of the same size as a share is needed to recreate a block.

If a perfect secret-sharing scheme is to provide perfect unlinkability, it only has to divide a block into two shares, as this guarantees that nothing can be learned about the block from one share. Even if an adversary is able to collect a set of shares, containing the share s from Bob's server, that can be used to create the document d, anyone can demonstrate that s could also be used with another set of shares to create another document $d'$. This means that the requirement is a (2, 2)-threshold scheme.

A simple (2, 2)-threshold scheme can be made using exclusive-or, which does not require information in addition to the shares to recreate a block. Such a scheme can be described as a variant of the one-time pad [5, Note 6.1], an encryption algorithm that provides unconditional security (confidentiality). Given a plaintext P, it is transformed into a ciphertext C by exclusive-ORing a random key k, of the same length as P, onto P (I use $\oplus$ to represent this operation):

$C = P \oplus k.$

Decryption is trivial because the exclusive-or operation with k is its own inverse:

$P = C \oplus k.$

The security is unconditional because, given a ciphertext, there exists a key for any possible plaintext (the key space is the same size as the plaintext space, and each different key maps to a different ciphertext), and because k is random, C is also random.⁷ This scheme can be used to provide perfect unlinkability: given a block B and an arbitrary share $s_1$, another share $s_2$ can be created:

$s_2 = B \oplus s_1.$

⁷ k cannot be reused, as this would give an adversary information about the plaintext (an exclusive-or of two ciphertexts produced with the same k results in a string representing the exclusive-or of the two plaintexts).
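The (2, 2) XOR scheme just described, as an added Python example (my own code, not part of the report or of YÅPS): it creates the two shares, recreates the block, reuses an existing share for entanglement, and exhibits the partner share that presents a given share as a piece of a different block. The block texts are constructed samples and the function names are mine.

```python
import os
from typing import Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Exclusive-or of two equal-length byte strings (the report's ⊕)."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def make_shares(block: bytes, s1: Optional[bytes] = None) -> tuple:
    """(2,2)-threshold XOR scheme: s2 = B ⊕ s1.

    With s1 = None a fresh random share is drawn, as in the basic scheme.
    Passing a share that already exists in the APS reuses it, which is
    the entanglement described in Section 4."""
    if s1 is None:
        s1 = os.urandom(len(block))
    return s1, xor_bytes(block, s1)


def recreate(s1: bytes, s2: bytes) -> bytes:
    """B = s1 ⊕ s2; either share alone says nothing about B."""
    return xor_bytes(s1, s2)


def partner_share_for(share: bytes, claimed_block: bytes) -> bytes:
    """For ANY share s and ANY block B there is an s' with s' = B ⊕ s.

    This is the perfect-unlinkability argument: a share found on a server
    can be shown to be a piece of any block of the same length, so it
    cannot be linked to one particular document."""
    return xor_bytes(claimed_block, share)


# Constructed sample blocks (equal length; the titles are the report's own example).
BLOCK_A = b"The Catcher in the Rye  "
BLOCK_B = b"The Holy Bible          "


def demo() -> dict:
    """Publish A, then publish B entangled with one of A's shares."""
    a1, a2 = make_shares(BLOCK_A)          # a1 random, a2 = A ⊕ a1
    b1, b2 = make_shares(BLOCK_B, s1=a1)   # reuse a1: b1 is a1, b2 = B ⊕ a1
    # The share a2 that was really created for A can also be presented
    # as a share of B, by exhibiting the partner share B ⊕ a2.
    a2_as_b = partner_share_for(a2, BLOCK_B)
    return {
        "a_recreated": recreate(a1, a2) == BLOCK_A,
        "b_recreated": recreate(b1, b2) == BLOCK_B,
        "a1_serves_both": b1 == a1,
        "a2_explained_as_b": recreate(a2, a2_as_b) == BLOCK_B,
        # Space: two documents stored with three shares instead of four.
        "shares_stored": len({a1, a2, b2}),
    }
```

As footnote 7 notes for the one-time pad, anyone holding a2 and b2 learns A ⊕ B from the reused a1; the scheme is aimed at unlinkability, not confidentiality.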

The scheme provides perfect unlinkability because the two shares $s_1$ and $s_2$ are unlinkable with any specific block: for any share s and any block B, there exists a share $s'$ that can be used to recreate B:

$\forall s\ \forall B\ \exists s' : s' = B \oplus s.$

Note that $s'$ can easily be generated. Given a share, nothing can be said about the block the share originated from. Even if $s_1$ is not really random, $s_1$ or $s_2$ alone cannot be linked to a specific block.

In an APS, this scheme can be used by dividing documents into n blocks and using the blocks to create a set of 2n shares from a set of n randomly generated shares. This scheme increases the space requirements by a factor of 2.⁸ I shall use XOR scheme to refer to this scheme in the following. Entanglement can easily be implemented with the XOR scheme if an APS gives users the ability to retrieve randomly chosen shares: users can retrieve randomly chosen shares, use them for secret sharing, and store the resulting share on a storage server. This use can also reduce the space required to store a document down towards the size of the document (if all shares are generated from existing shares, the space usage would correspond to the size of all the documents). The XOR scheme does not, however, provide any kind of redundancy.

5 Information Dispersal

Information dispersal algorithms are used to provide redundant storage or communication. In the following I explore how information dispersal algorithms can also be used to provide unlinkability in an APS. I use block to denote a piece of data that could be a share created by secret sharing or a part of a document. Furthermore, I use share (analogous to the previous use) to denote pieces that can be used to recreate a block. As noted previously, replication is a simple means of providing redundancy.
The disadvantage of replication is that it is expensive in terms of space, because replication requires a specific subset of storage servers to be available: if a block requires m shares to be recreated, and each share is replicated p times, only $p^m$ combinations out of the possible $\binom{pm}{m}$ can be used to recreate the block. An alternative approach is to use an information dispersal algorithm,⁹ such as Rabin's information dispersal algorithm [8] (IDA). IDA can be used to store a block in a redundant way: if a block requires space equal to m shares to be recreated, IDA can be used to create n shares, where every subset of m different shares can be used to recreate the block. Compared to simple replication, IDA can create pm shares where m shares are needed to recreate the block, and all possible $\binom{pm}{m}$ subsets of m different shares can be used to recreate the block.

⁸ As each share is the same size as the original block, the scheme is ideal. The total amount of space needed for recreation of a document is two times the size of the document; this is an absolute lower bound for a perfect secret sharing scheme. It is a lower bound because (1) the share resulting from the exclusive-or must be able to hold the same information as the original document, and (2) the exclusive-or is a mapping defined by a share, and the mapping must be able to produce all possible shares for documents of length n bits. As there are $2^n$ possible shares, at least n bits are necessary to represent them all.
⁹ Work in the same area includes erasure codes and forward error correction (FEC).

Example: If I need 6 shares to recreate a block and replicate each share 5 times (using 30 shares of space), there are $5^6$ subsets of shares that allow me to recreate the document. If I use IDA instead, I can create 30 distinct shares and will now be able to recreate the document from any subset with 6 distinct elements, that is, all $\binom{30}{6}$ possible subsets with 6 elements. If I assume that the availability of the shares is 70%, the availability using replication is

$(1 - (1 - 0.7)^5)^6 < 98.6\%,$

whereas the corresponding value for IDA is

$\sum_{i=6}^{30} \binom{30}{i}\, 0.7^i\, (1 - 0.7)^{30 - i},$

which is far higher. The example shows that IDA provides better redundancy using about the same amount of space as replication. Also note that for larger documents the availability falls exponentially using replication, whereas for IDA the availability can increase, using stable servers and large values of n compared to m.

There is a space overhead in IDA of a matrix of size $O(n \cdot m)$. For small values of n and m the matrix can be stored together with the information on recreation of a block (possibly for multiple blocks, as the matrix can be reused). For large values of n or m the rows can be stored together with the shares. In the following, I explain how IDA works and how it relates to unlinkability and entanglement.

5.1 Rabin's IDA

IDA is used to divide a block F of size L into n shares of size $s = L/m$, where any subset of m distinct pieces can be used to recreate the block. I will use share to denote such a piece. n is chosen such that $n = m + k$, where k is the number of redundant shares.
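The replication-versus-IDA comparison above, carried through as an added Python example (my own code, not the report's); it also computes the document availability for the replicated D-matrix example of Section 6.1. The function names are mine, and server availabilities are assumed independent, as in the report's formulas.

```python
from math import comb


def replication_availability(m: int, copies: int, p: float) -> float:
    """Replication: each of the m required shares is stored `copies` times.

    The block is recoverable only if every one of the m shares has at
    least one copy on an available server: (1 - (1 - p)^copies)^m."""
    return (1 - (1 - p) ** copies) ** m


def ida_availability(m: int, n: int, p: float) -> float:
    """IDA: any m of the n shares suffice, so the block is recoverable
    whenever at least m of the n independent servers are up."""
    return sum(comb(n, i) * p ** i * (1 - p) ** (n - i) for i in range(m, n + 1))


def recoverable_subsets(m: int, copies: int) -> tuple:
    """Number of m-element share subsets that recreate the block when the
    same n = copies * m shares are stored by replication (copies^m) versus
    by IDA (all C(n, m) subsets)."""
    n = copies * m
    return copies ** m, comb(n, m)


def document_availability(block_availability: float, blocks: int) -> float:
    """A document split into several blocks needs all of them, so its
    availability falls exponentially with the number of blocks (the
    point made for the XOR-and-IDA scheme in Section 6.3)."""
    return block_availability ** blocks


def report_example(m: int = 6, copies: int = 5, p: float = 0.7) -> dict:
    """The Section 5 comparison: m = 6 shares needed, 5 copies each
    (30 shares of space) versus IDA with n = 30, at server availability p."""
    n = copies * m
    rep_subsets, ida_subsets = recoverable_subsets(m, copies)
    return {
        "replication_subsets": rep_subsets,   # 5^6
        "ida_subsets": ida_subsets,           # C(30, 6)
        "replication": replication_availability(m, copies, p),
        "ida": ida_availability(m, n, p),
    }


def section_6_1_example(m: int = 50, n: int = 75, d_copies: int = 4, p: float = 0.8) -> float:
    """Section 6.1: a 5000 kB document in 100 kB shares (m = 50, n = 75) whose
    dispersal matrix D is stored as one share replicated d_copies times.
    The document needs D and at least m of the n shares."""
    d_available = 1 - (1 - p) ** d_copies
    return d_available * ida_availability(m, n, p)
```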
IDA is based on computations in a finite field $\mathbb{Z}_p$ (where p is a prime). The block is treated as a list of numbers $b_1, \ldots, b_L$, where $b_i < p$. F is divided into pieces each consisting of m numbers, $F_1, \ldots, F_s$, that is, $F = (b_1, \ldots, b_m); (b_{m+1}, \ldots, b_{2m}); \ldots$. In IDA an $n \times m$ dispersal matrix D is used to create the shares. The matrix must be constructed such that every subset of m of its n rows is linearly independent. Another $m \times s$ matrix F is created with $F_1, \ldots, F_s$ as its columns. The two matrices are multiplied to get an $n \times s$ matrix $R = D \cdot F$, where each row corresponds to a share. To recreate F from a set of m shares, the shares as well as the corresponding rows in D are needed. The rows from D are used to build a matrix $D'$ and the shares to build a matrix $R'$. When $D'^{-1}$ is multiplied with $R'$, the result is a matrix containing F.
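An added Python implementation of the dispersal and recovery just described (my own code, not the report's or any library's): it reproduces the worked example over $\mathbb{Z}_{257}$ that follows, recovers from any m shares by inverting $D'$ with Gauss-Jordan elimination mod p, and also shows the padding argument of Section 5.2, where one extra random element per piece lets a single share be presented as a share of any other block. The second dispersal matrix D3 and all sample blocks are constructed.

```python
import secrets

P = 257  # the prime field Z_257 used in the report's example


def inverse_mod_p(mat, p=P):
    """Gauss-Jordan inversion of a square matrix over Z_p."""
    n = len(mat)
    a = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(mat)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] % p), None)
        if pivot is None:
            raise ValueError("rows are linearly dependent: not a valid share set")
        a[col], a[pivot] = a[pivot], a[col]
        inv = pow(a[col][col], -1, p)
        a[col] = [x * inv % p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] % p:
                f = a[r][col]
                a[r] = [(x - f * y) % p for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def disperse(block, D, p=P):
    """Split a block (numbers < p, length a multiple of m) into n shares.
    Share i is (row i of D, row i of R) with R = D * F, where the columns
    of F are the consecutive m-element pieces of the block."""
    m = len(D[0])
    if len(block) % m:
        raise ValueError("block length must be a multiple of m")
    cols = [block[j:j + m] for j in range(0, len(block), m)]
    return [(tuple(row), tuple(sum(a * b for a, b in zip(row, c)) % p for c in cols))
            for row in D]


def recover(shares, p=P):
    """Recreate the block from any m shares: F = D'^{-1} * R'."""
    inv = inverse_mod_p([list(d) for d, _ in shares], p)
    R = [list(r) for _, r in shares]
    block = []
    for j in range(len(R[0])):              # one column of F per column of R'
        col = [r[j] for r in R]
        block.extend(sum(a * b for a, b in zip(row, col)) % p for row in inv)
    return block


def disperse_padded(block, D, p=P):
    """Section 5.2 variant: append one random element to every m-element
    piece before dispersing, so D needs m + 1 columns."""
    m = len(D[0]) - 1
    padded = []
    for j in range(0, len(block), m):
        padded += list(block[j:j + m]) + [secrets.randbelow(p)]
    return disperse(padded, D, p)


def pad_explaining(share, claimed_block, p=P):
    """Given ONE padded share and ANY claimed block of the same size, return
    the pad values that make the share a valid share of that block. Each
    column gives one linear equation with one free variable (the pad),
    solvable whenever the last coefficient of d is invertible mod p."""
    d, r = share
    m = len(d) - 1
    inv_last = pow(d[m], -1, p)           # ValueError if d[m] is 0 mod p
    pads = []
    for j, rj in enumerate(r):
        piece = claimed_block[j * m:(j + 1) * m]
        partial = sum(a * b for a, b in zip(d[:m], piece)) % p
        pads.append((rj - partial) * inv_last % p)
    return pads


def demo():
    D = [[1, 2], [3, 4], [5, 6], [7, 8]]           # the report's 4 x 2 matrix D
    shares = disperse([4, 2], D)                    # R rows: 8, 20, 32, 44
    # Padded variant: m = 2 data elements plus one pad, so D3 has 3 columns.
    D3 = [[1, 2, 3], [4, 5, 6], [7, 8, 10], [2, 3, 5]]
    padded_shares = disperse_padded([4, 2, 9, 1], D3)   # two pieces, s = 2
    recovered = recover(padded_shares[:3])
    unpadded = recovered[0:2] + recovered[3:5]      # drop the two pad elements
    # Unlinkability: present share 0 as a share of an unrelated block.
    d, r = padded_shares[0]
    claimed = [100, 200, 50, 60]
    pads = pad_explaining((d, r), claimed)
    claimed_padded = claimed[0:2] + [pads[0]] + claimed[2:4] + [pads[1]]
    explains = disperse(claimed_padded, [list(d)])[0][1] == r
    return {
        "r_rows": [row[0] for _, row in shares],
        "from_p1_p2": recover(shares[:2]),
        "from_p3_p4": recover(shares[2:]),
        "padded_roundtrip": unpadded,
        "share_explains_other_block": explains,
    }
```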

IDA Example: I will disperse $F = (4, 2)$ using $\mathbb{Z}_{257}$ into 4 shares such that only two pieces are needed to recreate F. That is, $L = 2$, $m = 2$, $n = 4$, and $s = 1$, which means the block is treated as one piece. First I choose a D:

$D = \begin{bmatrix} 1 & 2 \\ 3 & 4 \\ 5 & 6 \\ 7 & 8 \end{bmatrix}$

D is then multiplied with F to get R:

$R = D \cdot F = \begin{bmatrix} 1 & 2 \\ 3 & 4 \\ 5 & 6 \\ 7 & 8 \end{bmatrix} \begin{bmatrix} 4 \\ 2 \end{bmatrix} = \begin{bmatrix} 8 \\ 20 \\ 32 \\ 44 \end{bmatrix}$

It is then possible to recreate F from two of the four pairs: $p_1 = ([1\ 2], [8])$, $p_2 = ([3\ 4], [20])$, $p_3 = ([5\ 6], [32])$, $p_4 = ([7\ 8], [44])$. In the following I show the recreation from $p_1$ and $p_2$, using these to construct $D'$ and $R'$ (all arithmetic is modulo 257):

$F = D'^{-1} R' = \begin{bmatrix} 1 & 2 \\ 3 & 4 \end{bmatrix}^{-1} \begin{bmatrix} 8 \\ 20 \end{bmatrix} = \begin{bmatrix} 255 & 1 \\ 130 & 128 \end{bmatrix} \begin{bmatrix} 8 \\ 20 \end{bmatrix} = \begin{bmatrix} 4 \\ 2 \end{bmatrix}$

5.2 Using IDA in an APS

In the following, I discuss IDA in relation to unlinkability and entanglement. I begin with the use of IDA where the rows of D are saved with the shares, and then consider the use where D is kept together with the information on how to recreate a block.

5.2.1 Shares with Rows from D and R

If the rows d from D are saved together with the shares r from R, the maximum size of the original block is given by the m elements in the row from D. This makes perfect unlinkability impossible (because the size of the block limits the possible blocks). The possible Fs are limited by a set of s linear equations, one per column of F, each in the m variables of that column, with coefficients taken from a row in D and the corresponding element of a row in R as the right-hand side. The scheme can therefore not provide perfect unlinkability, as not all variable combinations will be solutions for the equations. However, if each block is padded with a random row of s elements before IDA is used to create the shares, then every block (ending in s random elements) can be recreated from a share, as only one variable in each equation cannot be chosen freely.

This scheme provides unlinkability, as all possible blocks (padded with s random elements) can be represented, and it also supports limited entanglement, as a random share can be reused in the generation of the D when a block is to be shared.

5.2.2 Shares with Rows from R Only

If the rows from D are not saved together with the shares, D must be significantly smaller than F (because D is needed to recreate F).¹⁰ That is, $n \cdot m \ll m \cdot s \le n \cdot s$. Note that in this use of IDA nothing can be learned about the size of F. This scheme cannot provide perfect unlinkability, because given an arbitrary share (a row in R) it would require that a row in D could be created that mapped an arbitrary F into the share. But as a row in R contains s elements and a row in D contains m elements, this is impossible for $m < s$ (as the row in D cannot be used to create all the possible mappings). However, if a row of s random elements is padded onto F before IDA is applied, this variant of the scheme can be used as previously described to provide both perfect unlinkability and entanglement. The unlinkability is perfect because the size of the block cannot be determined from the share.

¹⁰ If D is larger than or around the same size as F, it does not make sense to use IDA, as it would be necessary to distribute a D about the same size as or larger than F itself.

6 Providing Unlinkability and Redundancy

In the following, I give an overview of different schemes that provide unlinkability and redundancy using the XOR scheme and IDA.

6.1 IDA only

As described in Section 5.2, IDA can be used to provide perfect unlinkability and entanglement with a small overhead in space, corresponding to s elements. This scheme uses IDA as normal, but requires that a block is padded with a random string of size s before IDA is applied. The scheme provides redundancy close to the normal use of IDA. Entanglement is limited, as only one of the n shares IDA produces is a reuse.

In most APSs it is required that shares on storage servers are of a fixed size. This is a problem for this scheme, as fixed-size shares mean that m and n change with the size of the documents. For small documents D can be saved together with the recipe, but for larger documents this is not feasible. One alternative is to save the rows from D as part of the shares together with the rows from R; this is, however, also a problem, as the size of the rows in D is the variable m, which means the shares will not be of a fixed size. A possible solution is to save D for large documents as either a replicated share or as a document using IDA. The disadvantage of this approach is that it requires more space to provide the same amount of redundancy as solutions saving the rows from D either as part of the shares or in the recipe.

Example: Given a share size of 100 kB, I want to store a document of 5000 kB; it requires 50 shares to recreate the document, and I create 75 shares, which requires a D-matrix. D can be saved as a share itself and replicated. If it is replicated 4 times and the availability of the servers is 0.8, the availability of the document remains high. For D larger than a share, it could be saved in multiple shares using IDA, with a small D that could be saved in the recipe for the document.

6.2 YÅPS: the XOR Scheme and IDA

In YÅPS [1] the XOR scheme and IDA are combined. A document is first secret-shared to create two blocks the size of the document, and each block is divided into a number of shares using IDA. In this scheme IDA is not used to provide unlinkability, but only redundancy. The scheme provides perfect unlinkability but does not provide entanglement. However, it could be changed as described in Section 5.2 to provide limited entanglement. The use of secret sharing in YÅPS doubles the amount of space needed. This scheme does not provide any advantages over the previously described IDA-based scheme, and it wastes more space.

6.3 Alternative Scheme Based on XOR and IDA

The previously described scheme from YÅPS can be changed to allow entanglement: a document is divided into x pieces of a fixed size $s_x$, then exclusive-or is used on the pieces to create a set of 2x blocks, each of size $s_x$. Finally, IDA is used to create a set of shares for each of the 2x blocks. The idea is to make the information on how to recreate blocks public, so that this information can be used to reuse blocks and thereby support entanglement. This provides perfect unlinkability, and the blocks can easily be reused for entanglement. The advantage of this scheme is that the blocks reused for entanglement when a document is stored can easily be of the same size as the document. The disadvantages are that twice the number of blocks is needed to store a document, and that the availability decreases exponentially with the number of blocks in the document.

6.4 Summary

I have summarized the properties of the presented solutions in Table 1 (the figures are not exact and should only be used for a rough comparison). In short, the scheme using only IDA is the most space efficient and provides better availability using half the space of the other schemes; however, this scheme only supports limited entanglement. The scheme from YÅPS does not provide any advantages over the two other schemes. The alternative XOR and

IDA scheme is the least space efficient, but it provides optimal possibilities for entanglement. The IDA-only scheme provides only limited entanglement: only one existing share can be entangled with the publication of a document. This should be compared with the alternative scheme, where the number of shares that are entangled is determined by the size of the document. The effect is that only a small fraction of the shares in an IDA-only system can be expected to be entangled, which results in limited protection from entanglement. The choice for an APS should be the IDA-only scheme, unless the limited possibilities for entanglement create problems. In that case, the alternative XOR and IDA scheme is the best option. I have not discussed the possibility of using only secret sharing; this is compared indirectly to IDA-based solutions in Section 5.

Table 1: Overview of storage schemes; comparisons are made relative to the IDA-only scheme. S represents the document size and p the probability that a server is available. Under entanglement it is noted how many existing shares can be reused when a document is published.

Scheme                    Space usage   Availability   Entanglement
IDA only                  O(S)          $p$            1
YÅPS                      O(2S)         $p^2$          1
Alternative XOR and IDA   O(2S)         $p^{2S}$       S

7 Conclusion

In this report, I have defined unlinkability and explored the use of secret sharing and IDA in a storage scheme for APSs that provides unlinkability and redundancy. I have proved that a simple variant of IDA provides perfect unlinkability, shown how this scheme can be used in an APS, and compared it to other schemes based on IDA and secret sharing. The scheme is more space efficient than the alternatives but only provides limited possibilities for entanglement.

References

[1] Christian Boesgaard. YÅPS: Yet another anonymous publication system. Master's thesis, Department of Computer Science, University of Copenhagen, December. Report Number, haven/.
[2] Christian Boesgaard. Unlinkability and redundancy of content in anonymous publication systems. Submitted to PET2004: Workshop on Privacy Enhancing Technologies, January.
[3] Ian Clarke, Oskar Sandberg, Brandon Wiley, and Theodore W. Hong. Freenet: A Distributed Anonymous Information Storage and Retrieval System. In Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA, USA, July 2000, volume 2009 of Lecture Notes in Computer Science. Springer-Verlag, Heidelberg. URL citeseer.nj.nec.com/clarke00freenet.html.
[4] Roger Dingledine, Michael J. Freedman, and David Molnar. The Free Haven Project: Distributed Anonymous Storage Service. In Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability, Berkeley, CA, USA, July 2000, volume 2009 of Lecture Notes in Computer Science. Springer-Verlag, Heidelberg. URL citeseer.nj.nec.com/dingledine00free.html.
[5] Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. The CRC Press Series on Discrete Mathematics and Its Applications. CRC Press.
[6] Andreas Pfitzmann and Marit Köhntopp. Anonymity, Unobservability, and Pseudonymity: A Proposal for Terminology. In Hannes Federrath, editor, Designing Privacy Enhancing Technologies, volume 2009 of Lecture Notes in Computer Science, pages 1-9. Springer-Verlag, Heidelberg.
[7] Andreas Pfitzmann and Marit Köhntopp. Anonymity, Unobservability, and Pseudonymity: A Proposal for Terminology. Draft v0.14, based on [6].
[8] Michael O. Rabin. Efficient dispersal of information for security, load balancing, and fault tolerance. Journal of the ACM, 36(2).
[9] Bruce Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C. John Wiley and Sons, Inc., New York, NY, USA.
[10] Adi Shamir. How to Share a Secret. Communications of the ACM, 22(11), November.
[11] Claude Elwood Shannon. Communication theory of secrecy systems. Bell System Technical Journal, 28(4). edu/jkong/research/security/shannon.html.
[12] Marc Waldman and David Mazières. Tangler: a censorship-resistant publishing system based on document entanglements. In ACM Conference on Computer and Communications Security. URL citeseer.nj.nec.com/waldman01tangler.html.


INFLUENCE OF ENTRIES IN CRITICAL SETS OF ROOM SQUARES INFLUENCE OF ENTRIES IN CRITICAL SETS OF ROOM SQUARES Ghulam Chaudhry and Jennifer Seberry School of IT and Computer Science, The University of Wollongong, Wollongong, NSW 2522, AUSTRALIA We establish

More information

Self-Scrambling Anonymizer. Overview

Self-Scrambling Anonymizer. Overview Financial Cryptography 2000 21-25 february 2000 - Anguilla Self-Scrambling Anonymizers Département d Informatique ENS - CNRS David.Pointcheval@ens.fr http://www.di.ens.fr/~pointche Overview Introduction

More information

ENHANCED SECURITY SYSTEM FOR REAL TIME APPLICATIONS USING VISUAL CRYPTOGRAPHY

ENHANCED SECURITY SYSTEM FOR REAL TIME APPLICATIONS USING VISUAL CRYPTOGRAPHY Cell, Manjari Road,Hadapsar,Pune-412307. India,Chief Editor:Dr.K.R.Harne,Editors:Prof R V Patil,Prof Niraja Jain ENHANCED SECURITY SYSTEM FOR REAL TIME APPLICATIONS USING VISUAL CRYPTOGRAPHY AbhishekShinde,

More information

International Journal of Advance Engineering and Research Development IMAGE BASED STEGANOGRAPHY REVIEW OF LSB AND HASH-LSB TECHNIQUES

International Journal of Advance Engineering and Research Development IMAGE BASED STEGANOGRAPHY REVIEW OF LSB AND HASH-LSB TECHNIQUES Scientific Journal of Impact Factor (SJIF) : 3.134 ISSN (Print) : 2348-6406 ISSN (Online): 2348-4470 ed International Journal of Advance Engineering and Research Development IMAGE BASED STEGANOGRAPHY REVIEW

More information

Journal of American Science 2015;11(7)

Journal of American Science 2015;11(7) Design of Efficient Noise Reduction Scheme for Secure Speech Masked by Signals Hikmat N. Abdullah 1, Saad S. Hreshee 2, Ameer K. Jawad 3 1. College of Information Engineering, AL-Nahrain University, Baghdad-Iraq

More information

CSE548, AMS542: Analysis of Algorithms, Fall 2016 Date: Sep 25. Homework #1. ( Due: Oct 10 ) Figure 1: The laser game.

CSE548, AMS542: Analysis of Algorithms, Fall 2016 Date: Sep 25. Homework #1. ( Due: Oct 10 ) Figure 1: The laser game. CSE548, AMS542: Analysis of Algorithms, Fall 2016 Date: Sep 25 Homework #1 ( Due: Oct 10 ) Figure 1: The laser game. Task 1. [ 60 Points ] Laser Game Consider the following game played on an n n board,

More information