Breaking and Mending Resilient Mix-nets
Lan Nguyen and Rei Safavi-Naini
School of IT and CS, University of Wollongong, Wollongong 2522, Australia
email: [ldn01,rei]@uow.edu.au
PET'03
Outline
• Mix-net description and its requirements
• Cryptographic tools for the discussed mix-nets
• Furukawa-Sako mix-net [1] and Millimix [2]
• Attacking the Furukawa-Sako scheme and Millimix
• Countermeasures and their efficiency and security analysis
Mix-net
A mix-net protects the privacy of messages in network communication. It consists of a set of mix servers, each receiving as input a list of ciphertexts and outputting either a permuted list of re-encryptions of those ciphertexts or a permuted list of the corresponding plaintexts.
Mix-net participants:
• Users send messages to the mix-net.
• Mix servers mix the input messages and produce an output, which serves as input to the other mix servers.
• Verifier verifies the correctness of the mix-net operation.
• Bulletin board is a shared memory to which all participants have read access and can append messages after being authenticated. It simulates an authenticated broadcast channel.
• Adversary tries to compromise the resiliency of the mix-net. We assume a static adversary.
Mix-net Requirements
A mix-net is resilient if it satisfies privacy, robustness and verifiability.
• privacy: the adversary cannot output a pair of an input and its corresponding output with probability non-negligibly greater than a random guess.
• verifiability: verification detects and reveals the identities of the cheating servers with overwhelming probability. If only publicly available information is used, the mix-net is called universally verifiable.
• robustness: ensures that the probability of producing incorrect output is negligibly less than 1.
Cryptographic tools
El Gamal encryption
$p$ and $q$ are primes, $p = 2kq + 1$, and $g$ is a generator of the subgroup $G_q$ of order $q$ in $\mathbb{Z}_p^*$. The private key is $x \in \mathbb{Z}_q$; the public key is $(y, g)$ where $y = g^x$. A ciphertext of a message $m \in G_q$ is $(\alpha, \beta)$ where $\alpha = m y^s$, $\beta = g^s$, $s \in_R \mathbb{Z}_q$. The plaintext is computed as $m := \alpha / \beta^x$. A re-encryption of the ciphertext $(\alpha, \beta)$ is $(\alpha \times y^r, \beta \times g^r)$, where $r \in_R \mathbb{Z}_q$.
Schnorr identification
$P$ shows knowledge of the private key $x$ to $V$:
1. $P \to V$: a commitment $w = g^e$, where $e \in_R \mathbb{Z}_q$
2. $P \leftarrow V$: a challenge $c \in_R \mathbb{Z}_q$
3. $P \to V$: a response $s = e + cx \bmod q$
$V$ then verifies that $g^s = w y^c$.
Disjunctive Schnorr identification
$P$ shows that he knows one of the private keys $x_1$ or $x_2$ to $V$. Assume $P$ possesses $x_1$.
1. $P \to V$: two commitments $w_1 = g_1^{e_1}$, $w_2 = g_2^{s_2} y_2^{-c_2}$, where $e_1, e_2, c_2, s_2 \in_R \mathbb{Z}_q$
2. $P \leftarrow V$: a challenge $c \in_R \mathbb{Z}_q$
3. $P \to V$: responses $s_1 = e_1 + c_1 x_1 \bmod q$, $s_2$, $c_1 = c \oplus c_2$, $c_2$
$V$ then checks that $g_i^{s_i} = w_i y_i^{c_i}$ for $i \in \{1, 2\}$.
Pairwise permutation network
A pairwise permutation network is a permutation constructed from switching gates; it requires $n \log_2 n - n + 1$ switching gates. A switching gate is a permutation of two input items.
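The El Gamal and (disjunctive) Schnorr primitives of the two slides above, implemented as an added example in Python; this is not code from the paper or from either mix-net. The group $p = 2039$, $q = 1019$, $g = 4$ is a constructed toy instance of $p = 2kq + 1$ with $k = 1$, and the Schnorr functions take the base as a parameter so the bases $g_1$, $g_2$ of the disjunctive variant can differ.

```python
import secrets

# Toy El Gamal group constructed for this example (far too small for real use):
# p = 2q + 1 with q prime, so the non-trivial squares mod p form the order-q subgroup G_q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1            # private key x in Z_q
    return x, pow(G, x, P)                      # public key y = g^x

def encrypt(y, m, s=None):                      # (alpha, beta) = (m y^s, g^s), m in G_q
    s = secrets.randbelow(Q) if s is None else s
    return m * pow(y, s, P) % P, pow(G, s, P)

def decrypt(x, ct):                             # m = alpha / beta^x
    alpha, beta = ct
    return alpha * pow(beta, -x, P) % P

def reencrypt(y, ct, r=None):                   # (alpha y^r, beta g^r)
    r = secrets.randbelow(Q) if r is None else r
    return ct[0] * pow(y, r, P) % P, ct[1] * pow(G, r, P) % P

# Schnorr identification for y = g^x; the base is a parameter because the
# disjunctive variant (and Millimix's derived keys) use bases other than G.
def schnorr_commit(g):
    e = secrets.randbelow(Q)
    return e, pow(g, e, P)                      # keep e, send w = g^e
def schnorr_respond(x, e, c):
    return (e + c * x) % Q                      # s = e + c x mod q
def schnorr_verify(g, y, w, c, s):
    return pow(g, s, P) == w * pow(y, c, P) % P # g^s == w y^c

# Disjunctive Schnorr: P knows x1 for (g1, y1) and simulates the (g2, y2)
# branch by choosing its challenge c2 and response s2 before seeing c.
def disj_commit(g1, g2, y2):
    e1, c2, s2 = (secrets.randbelow(Q) for _ in range(3))
    w1 = pow(g1, e1, P)                         # honest commitment g1^e1
    w2 = pow(g2, s2, P) * pow(y2, -c2, P) % P   # simulated: g2^s2 y2^(-c2)
    return (e1, c2, s2), (w1, w2)

def disj_respond(x1, state, c):
    e1, c2, s2 = state
    c1 = c ^ c2                                 # c1 = c XOR c2
    return (e1 + c1 * x1) % Q, s2, c1, c2

def disj_verify(keys, ws, c, resp):
    (g1, y1), (g2, y2) = keys
    s1, s2, c1, c2 = resp
    return (c1 ^ c2) == c and schnorr_verify(g1, y1, ws[0], c1, s1) \
        and schnorr_verify(g2, y2, ws[1], c2, s2)
```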
Permutation Matrix
A matrix $(A_{ij})_{n \times n}$ is a permutation matrix $\Leftrightarrow \exists \phi$ such that $\forall i, j \in \{1, \ldots, n\}$:
$A_{ij} = 1 \bmod q$ if $\phi(i) = j$, and $A_{ij} = 0 \bmod q$ otherwise.
Theorem 1. $(A_{ij})_{n \times n}$ is a permutation matrix $\Leftrightarrow \forall i, j, k \in \{1, \ldots, n\}$:
$\sum_{h=1}^{n} A_{hi} A_{hj} = 1 \bmod q$ if $i = j$, and $0 \bmod q$ otherwise   (1)
$\sum_{h=1}^{n} A_{hi} A_{hj} A_{hk} = 1 \bmod q$ if $i = j = k$, and $0 \bmod q$ otherwise   (2)
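An added example (not from the paper) that checks conditions (1) and (2) of Theorem 1 over a constructed toy modulus $q = 7$ and shows why both conditions are needed: a matrix whose columns are orthonormal mod $q$ satisfies (1) but not (2), and a diagonal matrix of cube roots of unity mod $q$ satisfies (2) but not (1).

```python
# Toy modulus, constructed for this example; the checks work for any prime q.
Q = 7

def is_permutation_matrix(A, q=Q):
    """Slide definition: A_ij = 1 mod q if phi(i) = j, else 0, for some bijection phi."""
    n = len(A)
    one_hot = [0] * (n - 1) + [1]
    rows_ok = all(sorted(a % q for a in row) == one_hot for row in A)
    cols_ok = all(sorted(A[h][j] % q for h in range(n)) == one_hot for j in range(n))
    return rows_ok and cols_ok

def satisfies_1(A, q=Q):
    """Condition (1): sum_h A_hi A_hj == 1 (mod q) if i == j, else 0."""
    n = len(A)
    return all(sum(A[h][i] * A[h][j] for h in range(n)) % q == (1 if i == j else 0)
               for i in range(n) for j in range(n))

def satisfies_2(A, q=Q):
    """Condition (2): sum_h A_hi A_hj A_hk == 1 (mod q) if i == j == k, else 0."""
    n = len(A)
    return all(sum(A[h][i] * A[h][j] * A[h][k] for h in range(n)) % q
               == (1 if i == j == k else 0)
               for i in range(n) for j in range(n) for k in range(n))

def theorem1_holds(A, q=Q):
    """Theorem 1: A is a permutation matrix iff (1) and (2) both hold."""
    return satisfies_1(A, q) and satisfies_2(A, q)

# Constructed inputs. PERM is phi = (1 -> 2, 2 -> 3, 3 -> 1).
PERM = [[0, 1, 0], [0, 0, 1], [1, 0, 0]]
# Columns orthonormal mod 7 (2^2 + 2^2 = 8 = 1 mod 7) but not a permutation:
# passes (1), fails (2).
ORTHO = [[2, 2], [5, 2]]
# Diagonal of cube roots of unity mod 7 (2^3 = 4^3 = 1 mod 7): passes (2), fails (1).
CUBE = [[2, 0], [0, 4]]
```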
Furukawa-Sako01 Mix-net
The input to a mix server is the El Gamal ciphertexts $\{(g_i, m_i) \mid i = 1, \ldots, n\}$ encrypted under $(y, g)$. The output is $\{(g'_i, m'_i) \mid i = 1, \ldots, n\}$.
The mix server proves knowledge of a permutation matrix $(A_{ij})_{n \times n}$ and $\{r_i \mid i = 1, \ldots, n\}$ such that
$g'_i = g^{r_i} \prod_{j=1}^{n} g_j^{A_{ji}}$   (3)
$m'_i = y^{r_i} \prod_{j=1}^{n} m_j^{A_{ji}}$   (4)
Based on Theorem 1, this can be done by proving:
• $\{g'_i\}$ can be expressed as (3) using a matrix satisfying (1).
• $\{g'_i\}$ can be expressed as (3) using a matrix satisfying (2).
• The matrix and $\{r_i\}$ in these statements are the same.
• For each $(g'_i, m'_i)$, the same $r_i$ and $\{A_{ij}\}$ are used.
Furukawa-Sako01 Verification Protocol
Suppose $\{\tilde{g}, \tilde{g}_1, \ldots, \tilde{g}_n\}$ are such that, under the discrete logarithm assumption, it is infeasible to obtain $\{a_i\}$ and $a$ satisfying $\tilde{g}^a \prod_{i=1}^{n} \tilde{g}_i^{a_i} = 1$.
1. $P$ generates: $\delta, \rho, \tau, \alpha, \alpha_i, \lambda, \lambda_i \in_R \mathbb{Z}_q$, $i = 1, \ldots, n$
2. $P$ computes: $t = g^\tau$, $v = g^\rho$, $w = g^\delta$, $u = g^\lambda$, $u_i = g^{\lambda_i}$, $i = 1, \ldots, n$
$\tilde{g}'_i = \tilde{g}^{r_i} \prod_{j=1}^{n} \tilde{g}_j^{A_{ji}}$, $i = 1, \ldots, n$   (5)
$\tilde{g}' = \tilde{g}^{\alpha} \prod_{j=1}^{n} \tilde{g}_j^{\alpha_j}$   (6)
$g' = g^{\alpha} \prod_{j=1}^{n} g_j^{\alpha_j}$   (7)
$m' = y^{\alpha} \prod_{j=1}^{n} m_j^{\alpha_j}$   (8)
$\dot{t}_i = g^{\sum_{j=1}^{n} 3 \alpha_j A_{ji} + \tau \lambda_i}$, $i = 1, \ldots, n$   (9)
$\dot{v}_i = g^{\sum_{j=1}^{n} 3 \alpha_j^2 A_{ji} + \rho r_i}$, $i = 1, \ldots, n$   (10)
$\dot{v} = g^{\sum_{j=1}^{n} \alpha_j^3 + \tau \lambda + \rho \alpha}$   (11)
$\dot{w}_i = g^{\sum_{j=1}^{n} 2 \alpha_j A_{ji} + \delta r_i}$, $i = 1, \ldots, n$   (12)
$\dot{w} = g^{\sum_{j=1}^{n} \alpha_j^2 + \delta \alpha}$   (13)
3. $P \to V$: $t, v, w, u, \{u_i\}, \{\tilde{g}'_i\}, \tilde{g}', g', m', \{\dot{t}_i\}, \{\dot{v}_i\}, \dot{v}, \{\dot{w}_i\}, \dot{w}$, $i = 1, \ldots, n$
4. $P \leftarrow V$: challenges $\{c_i \mid i = 1, \ldots, n\}$, $c_i \in_U \mathbb{Z}_q$
5. $P \to V$:
$s = \sum_{j=1}^{n} r_j c_j + \alpha$
$s_i = \sum_{j=1}^{n} A_{ij} c_j + \alpha_i \bmod q$, $i = 1, \ldots, n$
$\lambda' = \sum_{j=1}^{n} \lambda_j c_j^2 + \lambda \bmod q$
6. $V$ verifies:
$\tilde{g}^s \prod_{j=1}^{n} \tilde{g}_j^{s_j} = \tilde{g}' \prod_{j=1}^{n} (\tilde{g}'_j)^{c_j}$   (14)
$g^s \prod_{j=1}^{n} g_j^{s_j} = g' \prod_{j=1}^{n} (g'_j)^{c_j}$   (15)
$y^s \prod_{j=1}^{n} m_j^{s_j} = m' \prod_{j=1}^{n} (m'_j)^{c_j}$   (16)
$g^{\lambda'} = u \prod_{j=1}^{n} u_j^{c_j^2}$   (17)
$g^{\sum_{j=1}^{n} (s_j^3 - c_j^3)} \, t^{\lambda'} v^s = \dot{v} \prod_{j=1}^{n} \dot{v}_j^{c_j} \dot{t}_j^{c_j^2}$   (18)
$g^{\sum_{j=1}^{n} (s_j^2 - c_j^2)} \, w^s = \dot{w} \prod_{j=1}^{n} \dot{w}_j^{c_j}$   (19)
Intuition
• (5), (6), (7), (8), (14), (15) and (16) show the prover's knowledge of a matrix $(A_{ij})$ and $\{r_i\}$ satisfying (3) and (4).
• (9), (10), (11), (17) and (18) show $(A_{ij})$ satisfies (2).
• (12), (13) and (19) show $(A_{ij})$ satisfies (1).
• Based on Theorem 1, $(A_{ij})$ is a permutation matrix.
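An added example (not the authors' or Furukawa and Sako's code) of the part of the verification protocol that needs no $\tilde{g}$ basis: the transform (3),(4), commitments (7),(8),(12),(13), responses $s$, $s_i$, and checks (15),(16),(19), over the constructed toy group $p = 2039$, $q = 1019$, $g = 4$. Input ciphertexts are written $(g_i, m_i)$ as on the slides; the transform accepts any matrix $A$ so that a non-permutation (two outputs copying one input) can be shown to pass (15),(16) but fail the condition-(1) check (19).

```python
import secrets

# Toy group constructed for this example (p = 2q + 1, g generates G_q); far too small for real use.
P, Q, G = 2039, 1019, 4
rnd = lambda: secrets.randbelow(Q)
def prod_pow(bases, exps):                        # prod_j bases_j ^ exps_j  (mod p)
    out = 1
    for b, e in zip(bases, exps):
        out = out * pow(b, e, P) % P
    return out

def transform(y, cts, A, rs):
    """(3),(4): out_i = (g^{r_i} prod_j g_j^{A_ji}, y^{r_i} prod_j m_j^{A_ji}).
    A may be any n x n matrix here; only a permutation matrix gives an honest shuffle."""
    gs, ms, n = [c[0] for c in cts], [c[1] for c in cts], len(cts)
    return [(pow(G, rs[i], P) * prod_pow(gs, [A[j][i] for j in range(n)]) % P,
             pow(y, rs[i], P) * prod_pow(ms, [A[j][i] for j in range(n)]) % P) for i in range(n)]

def prove_commit(y, cts, A, rs):
    """Prover step 2 restricted to (7), (8), (12), (13), plus w = g^delta."""
    n, al, als, delta = len(cts), rnd(), [rnd() for _ in cts], rnd()
    g_ = pow(G, al, P) * prod_pow([c[0] for c in cts], als) % P                    # (7)
    m_ = pow(y, al, P) * prod_pow([c[1] for c in cts], als) % P                    # (8)
    wdot_i = [pow(G, (sum(2 * als[j] * A[j][i] for j in range(n)) + delta * rs[i]) % Q, P)
              for i in range(n)]                                                  # (12)
    wdot = pow(G, (sum(a * a for a in als) + delta * al) % Q, P)                   # (13)
    return (al, als), (pow(G, delta, P), g_, m_, wdot_i, wdot)

def prove_respond(A, rs, secret, cs):
    """Prover step 5: s = sum_j r_j c_j + alpha, s_i = sum_j A_ij c_j + alpha_i (mod q)."""
    al, als = secret
    s = (sum(r * c for r, c in zip(rs, cs)) + al) % Q
    ss = [(sum(a * c for a, c in zip(row, cs)) + ai) % Q for row, ai in zip(A, als)]
    return s, ss

def verify(y, cts, outs, commit, cs, resp):
    """Verifier step 6, checks (15), (16) and (19); one flag per check."""
    w, g_, m_, wdot_i, wdot = commit
    s, ss = resp
    ok15 = pow(G, s, P) * prod_pow([c[0] for c in cts], ss) % P == g_ * prod_pow([o[0] for o in outs], cs) % P
    ok16 = pow(y, s, P) * prod_pow([c[1] for c in cts], ss) % P == m_ * prod_pow([o[1] for o in outs], cs) % P
    lhs19 = pow(G, sum(sj * sj - cj * cj for sj, cj in zip(ss, cs)) % Q, P) * pow(w, s, P) % P
    return ok15, ok16, lhs19 == wdot * prod_pow(wdot_i, cs) % P

def run(y, cts, A, rs, cs=None):
    """One run: transform, commit, challenges (step 4, random unless given), respond, verify."""
    outs = transform(y, cts, A, rs)
    secret, commit = prove_commit(y, cts, A, rs)
    cs = [rnd() for _ in cts] if cs is None else cs
    return verify(y, cts, outs, commit, cs, prove_respond(A, rs, secret, cs))
```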
Millimix
Millimix is efficient for small input batches because each mix server needs $O(n \log n)$ exponentiations with a low constant coefficient. Each mix server simulates a pairwise permutation network and proves the correctness of each of its switching gates using the following verification protocol.
Verification Protocol for Switching Gate
The input is El Gamal ciphertexts $(\alpha_1, \beta_1)$, $(\alpha_2, \beta_2)$ of plaintexts $m_1$, $m_2$ respectively. The output is El Gamal ciphertexts $(\alpha'_1, \beta'_1)$, $(\alpha'_2, \beta'_2)$ of plaintexts $m'_1$, $m'_2$ respectively. The server proves two statements:
• Statement 1: $m_1 m_2 = m'_1 m'_2$, using a Plaintext Equivalent Proof (PEP) for $(\alpha_1 \alpha_2, \beta_1 \beta_2)$ and $(\alpha'_1 \alpha'_2, \beta'_1 \beta'_2)$.
• Statement 2: $m_1 = m'_1$ OR $m_1 = m'_2$, using a DISjunctive Plaintext Equivalent Proof (DISPEP).
PEP proves that $(\alpha', \beta')$ is a re-encryption of $(\alpha, \beta)$ using the Schnorr identification protocol:
• Compute $(y_s, g_s) = ((\alpha/\alpha')^z (\beta/\beta'),\ y^z g)$ as the Schnorr public key.
• $(\alpha', \beta')$ re-encrypts $(\alpha, \beta)$ $\Leftrightarrow \exists \gamma \in \mathbb{Z}_q$: $(y_s, g_s) = ((y^z g)^\gamma, y^z g)$
• The prover uses the Schnorr identification protocol to show that it knows $\gamma$.
DISPEP proves that $(\alpha_1, \beta_1)$ is a re-encryption of one of $(\alpha'_1, \beta'_1)$ and $(\alpha'_2, \beta'_2)$ using the disjunctive Schnorr identification protocol. Proof in [2]:
• Compute $(y_{s_1}, g_{s_1}) = (\alpha_1/\alpha'_1, \beta_1/\beta'_1)$ and $(y_{s_2}, g_{s_2}) = (\alpha_1/\alpha'_2, \beta_1/\beta'_2)$ as Schnorr public keys.
• Use the disjunctive Schnorr identification protocol to show knowledge of one of the Schnorr private keys, which is also the El Gamal private key $x$ of the ciphertexts.
• This requires the mix server to know the El Gamal private key $x$, which is not acceptable.
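The PEP and DISPEP key derivations of the switching-gate protocol as an added example (not Millimix's own code), over the constructed toy group $p = 2039$, $q = 1019$, $g = 4$, with $z$ a constructed constant. It shows which secret each derived Schnorr key actually relates: for PEP the gate's re-encryption randomness (its negation, given the slide's division convention), for DISPEP as in [2] the El Gamal private key $x$, which is exactly the problem stated in the last bullet.

```python
# Toy group constructed for this example (p = 2q + 1, g generates G_q); far too small for real use.
P, Q, G = 2039, 1019, 4

def reencrypt(y, ct, gamma):                       # (alpha y^gamma, beta g^gamma)
    return ct[0] * pow(y, gamma, P) % P, ct[1] * pow(G, gamma, P) % P

def switching_gate(y, ct1, ct2, swap, gamma1, gamma2):
    """Millimix gate: re-encrypt both inputs with fresh randomness, optionally swap them."""
    out1, out2 = reencrypt(y, ct1, gamma1), reencrypt(y, ct2, gamma2)
    return (out2, out1) if swap else (out1, out2)

def product(ct1, ct2):                             # (alpha_1 alpha_2, beta_1 beta_2) encrypts m_1 m_2
    return ct1[0] * ct2[0] % P, ct1[1] * ct2[1] % P

def div(a, b):                                     # a / b mod p
    return a * pow(b, -1, P) % P

def pep_key(y, z, ct, ct2):
    """PEP: Schnorr key (y_s, g_s) = ((alpha/alpha')^z (beta/beta'), y^z g)."""
    (a, b), (a2, b2) = ct, ct2
    return pow(div(a, a2), z, P) * div(b, b2) % P, pow(y, z, P) * G % P

def dispep_key(ct, ct2):
    """DISPEP as in [2]: Schnorr key (y_s, g_s) = (alpha_1/alpha'_j, beta_1/beta'_j)."""
    (a, b), (a2, b2) = ct, ct2
    return div(a, a2), div(b, b2)

def is_witness(key, w):                            # does w satisfy y_s = g_s^w ?
    y_s, g_s = key
    return pow(g_s, w, P) == y_s

def witnesses(y, x, z, ct1, ct2, swap, gamma1, gamma2):
    """Which secret opens each derived key: the gate's randomness, or the private key x?"""
    out1, out2 = switching_gate(y, ct1, ct2, swap, gamma1, gamma2)
    pep = pep_key(y, z, product(ct1, ct2), product(out1, out2))         # Statement 1
    dispep = dispep_key(ct1, out2 if swap else out1)                    # true branch of Statement 2
    return {
        "pep_opens_with_randomness": is_witness(pep, (-(gamma1 + gamma2)) % Q),
        "pep_opens_with_x": is_witness(pep, x),
        "dispep_opens_with_randomness": is_witness(dispep, (-gamma1) % Q),
        "dispep_opens_with_x": is_witness(dispep, x),
    }
```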