Privacy at the communication layer
The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability (David Chaum, 1988)
CS-721
Carmela Troncoso, http://carmelatroncoso.com/
(borrowed slides from G. Danezis)

The Dining Cryptographers

Did the NSA pay?
  Adi: "I didn't pay", $m_a = 0$
  Ron: "I paid", $m_r = 1$
  Wit: "I didn't pay", $m_w = 0$

Shared keys: $c_{ar}$ (Adi-Ron), $c_{rw}$ (Ron-Wit), $c_{wa}$ (Wit-Adi)

Broadcasts:
  $b_a = m_a + c_{ar} + c_{wa}$
  $b_r = m_r + c_{ar} + c_{rw}$
  $b_w = m_w + c_{wa} + c_{rw}$

Combine: $B = b_a + b_r + b_w = m_a + m_r + m_w = m_r \pmod 2$

The Dining Cryptographers: Generalization

Towards large messages: bit string
  Adi: "I am not sending", $m_a = 0$
  Ron: "I want to send", $m_r = 10101010$
  Wit: "I am not sending", $m_w = 0$

Shared keys: $c_{ar}$ (Adi-Ron), $c_{rw}$ (Ron-Wit), $c_{wa}$ (Wit-Adi)

Broadcasts:
  $b_a = m_a + c_{ar} + c_{wa}$
  $b_r = m_r + c_{ar} + c_{rw}$
  $b_w = m_w + c_{wa} + c_{rw}$

Combine: $B = b_a + b_r + b_w = m_a + m_r + m_w = m_r \pmod 2$

Repeat one bit per round, OR parallel XORs.

The Dining Cryptographers: Generalization

Towards large messages: sum mod $2^m$
  Adi: "I am not sending", $m_a = 0$
  Ron: "I want to send", $m_r = \text{message}$
  Wit: "I am not sending", $m_w = 0$

Shared keys: $c_{ar}$ (Adi-Ron), $c_{rw}$ (Ron-Wit), $c_{wa}$ (Wit-Adi)

Broadcasts:
  $b_a = m_a - c_{ar} + c_{wa}$
  $b_r = m_r + c_{ar} - c_{rw}$
  $b_w = m_w - c_{wa} + c_{rw}$

Combine: $B = b_a + b_r + b_w = m_a + m_r + m_w = m_r \pmod{2^m}$

Key sharing graph - Security

(Figure: key-sharing graph with nodes A, B and C; an edge is a shared key, e.g. $K_{ab}$.)

Alice broadcasts $b_a = c_{ab} + c_{ac} + m_a$

If B and C are corrupt:
  Adversary's view: $b_a + c_{ab} + c_{ac} = (c_{ab} + c_{ac} + m_a) + c_{ab} + c_{ac} = m_a \pmod 2$
  No anonymity!!

Key sharing graph - Security

(Figure: key-sharing graph with nodes A, B and C marked.)

Adversary nodes partition the graph into red and yellow subgraphs.

Calculate:
  $B_{red} = \sum_{j \text{ red}} b_j$
  $B_{yellow} = \sum_{i \text{ yellow}} b_i$

Subtract known keys:
  $B_{red} + K_{red\text{-}green} = \sum_{j \text{ red}} m_j$
  $B_{yellow} + K_{yellow\text{-}green} = \sum_{i \text{ yellow}} m_i$

Discover the originating subgraph: reduction in anonymity!!
Anonymity set size = 4 (not 11 or 8!)

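The partition effect from the key sharing graph slides, as an added example (not part of the original slides): it uses the mod-2 (XOR) variant on a constructed five-node graph and shows that the adversary's per-subgraph sum is zero everywhere except in the subgraph containing the sender. The graph, node names and function names are assumptions made for illustration.

```python
import secrets
from collections import defaultdict

# Constructed key-sharing graph: corrupt node C is the only link between
# the honest groups {A, B} and {D, E}.
EDGES = [("A", "B"), ("A", "C"), ("B", "C"), ("C", "D"), ("C", "E"), ("D", "E")]

def broadcasts(edges, messages, bits=32):
    """Mod-2 DC-net round: each node XORs its message with every key it shares."""
    keys = {frozenset(e): secrets.randbits(bits) for e in edges}
    out = dict(messages)
    for pair, key in keys.items():
        for node in pair:
            out[node] ^= key
    return out, keys

def honest_components(edges, corrupt):
    """Connected components of the key graph after removing corrupt nodes."""
    adj = defaultdict(set)
    for u, v in edges:
        if u not in corrupt and v not in corrupt:
            adj[u].add(v)
            adj[v].add(u)
    honest = {n for e in edges for n in e} - corrupt
    comps = []
    while honest:
        comp, stack = set(), [honest.pop()]
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(adj[node] - comp)
        honest -= comp
        comps.append(frozenset(comp))
    return comps

def adversary_view(edges, corrupt, bcast, keys):
    """Per honest component: XOR its broadcasts, then strip the keys shared
    with a corrupt node. What remains is the XOR of that component's messages."""
    view = {}
    for comp in honest_components(edges, corrupt):
        acc = 0
        for node in comp:
            acc ^= bcast[node]
        for pair, key in keys.items():
            if pair & comp and pair & corrupt:
                acc ^= key  # only keys the adversary itself holds are used
        view[comp] = acc
    return view
```

With D as the only sender and C corrupt, the view is nonzero only for {D, E}, so the anonymity set is 2 rather than the 4 honest nodes; with a full key sharing graph there is a single honest component and nothing is narrowed down.
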
Implementing DC-nets

$b_i$ broadcast graph
No DoS unless split in graph
Communication in 2 phases:
  1) Key sharing (off-line)
  2) Round sync & broadcast
Combine: $B = \sum_i b_i = m_r \pmod{2^m}$ (aggregator)

Implementing DC-nets: P2P

$b_i$ broadcast graph
No DoS unless split in graph
Communication in 2 phases:
  1) Key sharing (off-line)
  2) Round sync & broadcast (peer-to-peer?)
Ring? Tree?

Predecessor attack, does it work?

With an aggregator: $b_i$ broadcast graph, combine $B = \sum_i b_i = m_r \pmod{2^m}$

With peer-to-peer broadcast:
  $b_i$ broadcast graph
  No DoS unless split in graph
  Communication in 2 phases:
    1) Key sharing (off-line)
    2) Round sync & broadcast (peer-to-peer?)
  Ring? YES!!

(Figure: ring broadcast with nodes A and B marked.)

The Dining Cryptographers: Collisions

  Adi: "I am not sending", $m_a = 0$
  Ron: "I want to send", $m_r = \text{message}$
  Wit: "I am not sending", $m_w = \text{message}$

Shared keys: $c_{ar}$ (Adi-Ron), $c_{rw}$ (Ron-Wit), $c_{wa}$ (Wit-Adi)

Broadcasts:
  $b_a = m_a - c_{ar} + c_{wa}$
  $b_r = m_r + c_{ar} - c_{rw}$
  $b_w = m_w - c_{wa} + c_{rw}$

Combine: $B = b_a + b_r + b_w = m_a + m_r + m_w = \text{collision} \pmod{2^m}$

How to resolve collisions?

Ethernet: detect collision and random re-transmission
DC-nets: collisions do not destroy all information
  $B = b_a + b_r + b_w = m_a + m_r + m_w = \text{collision} \pmod m = \text{message}_1 + \text{message}_2 \pmod m$
N collisions can be decoded in N transmissions!

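The sum-mod-$2^m$ round and the collision behaviour described above, as an added example (not part of the original slides). It assumes a full key sharing graph, 64-bit messages, and one simple way of resolving a two-sender collision: one sender retransmits alone and the other message is recovered by subtraction. Function names are illustrative.

```python
import secrets
from itertools import combinations

M_BITS = 64               # assumed message width m
MOD = 1 << M_BITS

def dc_round(messages):
    """One round on a full key graph. messages: {name: int}, 0 means silent.
    For every pair a fresh key c is drawn; one side adds it, the other subtracts it."""
    bcast = {name: m % MOD for name, m in messages.items()}
    for i, j in combinations(sorted(messages), 2):
        c = secrets.randbelow(MOD)
        bcast[i] = (bcast[i] + c) % MOD
        bcast[j] = (bcast[j] - c) % MOD
    return bcast

def combine(bcast):
    """B = sum of all broadcasts mod 2^m; every key cancels against its negation."""
    return sum(bcast.values()) % MOD

def encode(text):
    return int.from_bytes(text.encode(), "big")

def decode(value):
    return value.to_bytes((value.bit_length() + 7) // 8, "big").decode()

def resolve_collision(collided, retransmitted):
    """Given B = m1 + m2 and a later round carrying m1 alone, recover m2."""
    return (collided - retransmitted) % MOD

def demo():
    # Round 1: only Ron sends, so B is his message.
    single = combine(dc_round({"Adi": 0, "Ron": encode("hi Wit"), "Wit": 0}))
    # Round 2: Ron and Wit both send; B is the sum of both messages.
    m_r, m_w = encode("from Ron"), encode("from Wit")
    collided = combine(dc_round({"Adi": 0, "Ron": m_r, "Wit": m_w}))
    # Round 3: Ron retransmits alone; subtraction yields Wit's message.
    again = combine(dc_round({"Adi": 0, "Ron": m_r, "Wit": 0}))
    recovered = decode(resolve_collision(collided, again))
    return decode(single), collided == (m_r + m_w) % MOD, recovered
```

Two colliding messages are recovered from two transmissions here, which matches the slide's count for N = 2.
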
DC-net takeaways

Security is great!
  Full key sharing graph: perfect anonymity
Communication cost: BAD (N broadcasts for each message!)
  Naive: $O(N^2)$ cost, $O(1)$ latency
  Not so naive: $O(N)$ messages, $O(N)$ latency
    Ring structure for broadcast
  Expander graph: $O(N)$ messages, $O(\log N)$ latency?
  Centralized: $O(N)$ messages, $O(1)$ latency
Not practical for large(r) N!
  Local wireless communications? Perfect anonymity

Herbivore

Entry control
Distribute nodes
Avoid choice
Cost to enter
min(size) = k
Round
Reserve
Transmission
Exit (avoid intersection)

We have seen several techniques for anonymous communications, and different attacks.

Next week: Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems.