Forward-secrecy on POP
Arthur Villard
School of Computer and Communication Sciences
Decentralized and Distributed Systems lab
Master Thesis – September 2017
Responsible / Supervisor: Prof. Bryan Ford (EPFL / DEDIS), Prof. Ewa Syta (Trinity College), Linus Gasser (EPFL / DEDIS)

Context
● Online collaborative service (e.g. Wikipedia)
● Authenticate users anonymously against a list
● Link authentication attempts
● Other example: e-voting
Arthur Villard - Master Thesis DEDIS 12/02/2018

Overview
● Introduction
● PoP and DAGA interaction
● Implementing DAGA
● Improving DAGA
● Conclusion & Future work

Frameworks
● PoP: Proof of Personhood – DEDIS
➔ Creation of the user list
➔ Authentication protocol
➔ Anonymity within the group
➔ No forward-secrecy
● DAGA: Deniable Anonymous Group Authentication – Ewa Syta
➔ Authentication protocol
➔ Forward-secrecy

Goals
● Using DAGA as PoP’s authentication protocol
● Implementing DAGA in Go
● Improving DAGA

Key concepts
● Anonymity
➔ No information about the user is known
● Accountability
➔ The sender can be held responsible for his action
● Linkability
➔ Two messages come from the same user
● Forward-secrecy
➔ Breaking a session does not break the previous ones

Integration

PoP: How it works

PoP: Weaknesses
● No forward-secrecy
➔ Tag derived from private key
➔ Leakage allows identifying the user in previous sessions
● Cross-service de-anonymisation
➔ Tags independent from the service
➔ Users can be tracked between different services
Loss of anonymity

DAGA: How it works
[Figure: protocol diagram. Recoverable labels: User, Context, DAGA servers, Request generation, Compute initial tag, Proof generation, Distributed randomness]

DAGA solutions
● Forward-secrecy
➔ Tags derived from context elements only
➔ Private key used in client proof
➔ Proof does not leak information
● Cross-service de-anonymisation
➔ Different services → Different contexts → Different tags for the same user

Conclusion
● DAGA can solve PoP weaknesses
● DAGA and PoP can be interfaced
● E-voting

Implementation
● Go
● RSA → Elliptic Curves: $T_0 = h_i^{\left(\prod_{k=1}^{m} s_k\right)}$ → $T_0 = \left(\prod_{k=1}^{m} s_k\right) * H_i$
● Distributed randomness

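Added example (not code from the thesis or its DAGA library): the elliptic-curve form of the initial tag on this slide, T_0 = (∏ s_k) * H_i, evaluated in Go, with a check that applying the s_k one at a time yields the same point and that a different context generator H_i yields a different tag. The curve (P-256), the hash-derived s_k values and the `Generator` helper are assumptions made for the example.

```go
package main

import (
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
)

var curve = elliptic.P256() // stand-in curve; the slides do not name one
type Point struct{ X, Y *big.Int }
func Equal(a, b Point) bool { return a.X.Cmp(b.X) == 0 && a.Y.Cmp(b.Y) == 0 }

// scalar maps a label to a value mod the group order (constructed demo input).
func scalar(label string) *big.Int {
	h := sha256.Sum256([]byte(label))
	return new(big.Int).Mod(new(big.Int).SetBytes(h[:]), curve.Params().N)
}

func mul(p Point, k *big.Int) Point {
	x, y := curve.ScalarMult(p.X, p.Y, k.FillBytes(make([]byte, 32)))
	return Point{x, y}
}

// Generator derives a demo H_i from a known scalar; a real one needs an unknown discrete log.
func Generator(context string) Point {
	return mul(Point{curve.Params().Gx, curve.Params().Gy}, scalar("H:"+context))
}

// InitialTag computes T_0 = (prod_{k=1..m} s_k) * H_i with one scalar multiplication.
func InitialTag(h Point, s ...*big.Int) Point {
	prod := big.NewInt(1)
	for _, sk := range s {
		prod.Mod(prod.Mul(prod, sk), curve.Params().N)
	}
	return mul(h, prod)
}

// StepwiseTag applies s_1..s_m one at a time; it must agree with InitialTag.
func StepwiseTag(h Point, s ...*big.Int) Point {
	for _, sk := range s {
		h = mul(h, sk)
	}
	return h
}

func main() {
	s1, s2 := scalar("s1"), scalar("s2") // constructed s_k, m = 2
	fmt.Println(Equal(InitialTag(Generator("A"), s1, s2), InitialTag(Generator("B"), s1, s2))) // false
}
```

The private key never enters the computation: the tag depends only on the s_k and the context generator.
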
Code results
● Library: Complete implementation
● Test coverage 88%
● Example scenario
● Benchmark package

Benchmarks: Communication
Setup: ● Ubuntu 12.04 ● x86-64 ● 1 thread
Setup: ● Windows 10 ● x86-64 ● 1 thread ● @4,5GHz
● No improvement
● No explanation yet

Benchmarks: Time
Setup: ● Ubuntu 12.04 ● x86-64 ● 1 thread
Setup: ● Windows 10 ● x86-64 ● 1 thread ● @4,5GHz
32768 members / 32 servers: 15 000 s → 1 000 s (/15)
● Moore’s law 2012 → 2018: ~ /8 from hardware
● Elliptic Curves

Conclusion
● Complete implementation
● Time improvement
● Next step: Integrate it with PoP

Proof problem
[Figure: protocol diagram. Recoverable labels: User, Context, DAGA servers, Request generation, Compute initial tag, Proof generation, Distributed randomness]

Proof problem
● Anonymity through a client OR proof:
➔ I know (private key 1 OR private key 2 OR … )
● Growth $O(6 \cdot n)$, n = #members
➔ 32768 members / 32 servers
● Proof ~6,3 MB, total cost ~200 MB
~20% of total

Improving the proof
● Work with Kasra Edalatnejadkhamene, PhD student
● Survey of the field
● Split the proof
➔ Proof of membership: Accumulator
➔ Proof of knowledge: Signature of knowledge
● No concrete scheme

Conclusion & Future work
● DAGA and PoP can work together
● Complete Go implementation of DAGA
● Improvement guidelines for the proof
● Next steps
➔ Integrate DAGA and PoP
➔ Optimize network consumption
➔ Continue the work on the proof
➔ Improve implementation resistance (secure memory management, constant-time, … )

Distributed randomness

Context
● User public keys (#members)
● Server public keys (#servers)
● Server random commitments (#servers)
● Client random generators (#members)

Accumulator
● Accumulators from Bilinear Pairings and Applications, L. Nguyen, 2005
● Adjustments:
➔ Trusted setup
➔ Bounded
➔ Efficiency based on trusted authority

Ring signature
● How to Leak a Secret, R. Rivest, A. Shamir and Y. Tauman