Anonymity-preserving Public-Key Encryption
Markulf Kohlweiss
Ueli Maurer, Cristina Onete,
Björn Tackmann, and Daniele Venturi
PETS 2013
Context: Encryption and Anonymity
Public-key encryption
 Short but eventful history, late 70s, 80s.
 Security usually defined using Games: IND-CPA, IND-CCA, …
Anonymity
 Shorter eventful history, early 90s.
 Anonymity is arguably a more high-level property
What if used together?
 Key privacy, robust encryption, formal analysis of onions
 Games prone to require iterations to find “right” notion
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 2
What is Anonymous Encryption? [PH08]
Sender Anonymity
Receiver Anonymity
Anonymity not created, but preserved
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 3
Our contribution
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 4
Chosen Ciphertext Attack Security (IND-CCA)
Dec
c
Dec(c)
Bit b
m0, m1
Enc(mb)
bit d
Challenger
pk
d = b?
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 5
Key Privacy (IK-CCA) [BBDP01]
Dec0
Dec1
c
Dec0 (c)
c Dec (c)
1
Bit b
m
Enc(pkb; m)
bit d
Challenger
pk0, pk1
d = b?
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 6
Weak Robustness (WROB) [ABN10]
Dec
m, i, j
Challenger
pk1, ..., pkn
c  Enc(pki, m)
≠ Dec(skj, c) ?
┴
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 7
Constructive Cryptography [MR11]
Resources (existing/assumed, desired):
 Available to everyone, including adversary/simulator through
interfaces
Converters:
 Transform existing into desired resources
 Two interfaces, inner and outer
 Protocol: composition of many converters, one for each user
Security:
 Correctness: without Eve the protocol works correctly
 Security: when Simulator connected, no-one can distinguish between
assumed and desired worlds.
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 8
Confidential Receiver-Anonymous Channel
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 9
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 10
Constructing the Channel from Broadcast
Existing Resources
(pki)
n x
B1
m
m
m
B2
m
┴
…
Bn
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 11
Constructing the Channel from Broadcast
Existing Resources
n x
(pki)
Encryption scheme that is:
B1
m
m*
…
Bj
m
Converters
m*, j
…
Bn
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 12
 IND-CCA
 IK-CCA
 WROB
Simulation (intuition)
Existing world
…
(c, i)
…
…
c
Desired world
B1
…
Bj
(m, i)
Bi
|m|
Bn
c
m, i
c
 Key-Generation: generate n keypairs (for each Bi), one separate (sk, pk)
 Ciphertext generation: get |m|, encrypt 0|m| under pk to get c
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 13
…
Bj
Bi
Bn
m, i
D
…
B1
Simulation (intuition)
Existing world
…
c*
(c, i)
(c*, j)
…
c
…
Bj
Bi
|m|
Bn
(c*, j)
m*
(m, i)
Dec(c*)
…
Desired world
B1
D
…
(m*, j)
…
B1
Bj
Bi
Bn
(c*, j)
m*
 Ciphertext delivery: deliver c* to Bj:
• if c* not seen before decrypt under skj and inject message m* into network
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 14
Simulation (intuition)
Assumed world
…
(c, i)
c
…
c
Desired world
B1
…
If i = i*
Bj
(m, i)
m
Bi
Bn
(c, i*)
D
m=Dec(c)
(c, i*)
…
Trial Delivery
|m|
(H, i*)
…
…
Bj
Bi
Bn
(c, i*)
H <-> m
m
 Ciphertext delivery: deliver c to Bj:
• if c seen before deliver corresponding msg. to correct receiver
Intuition: this is where we need WROB – wrong receiver outputs error
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 15
B1
(More) Results in a Nutshell
 WROB sufficient
 SROB leads to a tighter reduction
 WROB necessary
 without WROB, achieve anonymity with erroneous transmission
 Impossibility: SROB does not construct better resource
 Constructive aspects:
 Model network with single sender, many receivers
 PK settings: use uni-directional authenticated channels
 Trial deliveries prevent better anonymity
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 16
Results in Picture
Game-based analysis
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 17
Constructive result
Strong Robustness (SROB)
Dec
c, i, j
pk1, ..., pkn
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 18
Challenger
both
┴ ≠ Dec(ski, c)
┴ ≠ Dec(skj, c)
PETS 2013 | Markulf Kohlweiss | Anonymity-preserving PKE | Slide 19