Slides of the talk.

July 10, 2013
Key Privacy and Anonymous Protocols
by
Paolo D’Arco and Alfredo De Santis
Privacy
• In all its forms, a central issue in information technology
• Current methods of communication and information processing give rise to many challenges
• On wired and wireless networks: monitoring actions, transactions or activities, tracing movements, profiling users' behaviours …
Privacy
“ U.S. authorities have access to
phone calls, e-mails and other
communications far beyond
constitutional bounds.”
(Edward Snowden, ex-NSA contractor)
June 2013
(CNN) -- President Barack Obama responded to outrage by European
leaders over revelations of alleged U.S. spying on them by saying Monday
that all nations, including those expressing the strongest protests, collect
intelligence on each other. (June 2013)
Privacy and Anonymity
“Political Springs” and social networks
“There is now a menace which is called
Twitter,” Erdogan said. “The best examples
of lies can be found there. To me, social
media is the worst menace to society.”
Turkish Prime Minister (May, 2013)
In some “applications” methods to guarantee user privacy and
anonymous computation/communication play a “crucial” role …
Privacy and Anonymity
“Political Springs” and social networks
“Are you in Egypt? Send us your experiences, but please stay safe.
Cairo (CNN) – Just ...”
Need tools enabling private and anonymous
computation and communication
Focus of this paper
• Key-private public key encryption schemes.
“Which public key has been used to produce encryption c”?
• Secret sets schemes
“Who are the members of the set? How many?”
• Anonymous broadcast encryption schemes
“Who are the recipients of the sent message?”
Contribution of this paper
1. key privacy and robustness imply security
2. formal model for secret set
3. secret set and anonymous broadcast are
equivalent w.r.t. a non-adaptive adversary
4. security reductions for general and concrete
secret set constructions
Public Key Encryption
Π = (Gen, Enc, Dec), message space M, ciphertext space C
(pk, sk) <--- Gen(1^k)
c <--- Enc_pk(m)
m = Dec_sk(c)
Correctness:
Pr[(pk, sk) <--- Gen(1^k); m <--- M; c <--- Enc_pk(m): m = Dec_sk(c)] = 1
Security
Semantic security: a ciphertext does not leak any partial information about the plaintext w.r.t. a ppt Adv
Indistinguishability: given m_0 and m_1 and an encryption c of one of them, a ppt Adv is unable to tell which message the ciphertext c corresponds to
The two notions are equivalent [GM 1984].
The second can be thought of as a “characterization”.
Indistinguishability: Experiment
Challenger C, adversary A
Phase 1
C runs (pk, sk) <--- Gen(1^k) and sends pk to A
A receives pk, has oracle access to Dec_sk(·) poly(k) times (queries c, answers m), and outputs m_0 and m_1
Challenge
C chooses b <--- {0,1}, computes c* <--- Enc_pk(m_b) and sends c* to A
Phase 2
A again queries the oracle Dec_sk(·) (queries c, answers m), then outputs b’
A wins if b’ = b
Indistinguishability Experiments
By giving different power to the adversary, we get different security notions:
• No oracle access to Dec_sk(·): IND-CPA
• Oracle access to Dec_sk(·) only in Phase 1: IND-CCA1
• Oracle access to Dec_sk(·) in Phase 1 and Phase 2: IND-CCA2
Key Privacy
[Bellare et al. 2001]
Given pk0 and pk1 and an encryption c of a message m, obtained by using one of the two public keys, chosen uniformly at random, a ppt Adv is unable to tell with which one the ciphertext c has been computed
IK-CCA Experiment
Challenger C, adversary A
Phase 1
C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k) and sends pk0, pk1 to A
A receives pk0, pk1, has oracle access to Dec_sk0(·) and Dec_sk1(·) poly(k) times (queries c, answers m), and outputs m*
Challenge
C chooses b <--- {0,1}, computes c* <--- Enc_pkb(m*) and sends c* to A
Phase 2
A again queries Dec_sk0(·) and Dec_sk1(·), then outputs b’
A wins if b’ = b
Concrete encryption schemes
Key privacy was introduced as an additional property for a
secure encryption scheme.
It was shown that
• El Gamal encryption scheme is ik-cpa private
• Cramer-Shoup is ik-cca private
Some other schemes (e.g., RSA based versions) are not.
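Added illustration, not from the slides, of why modulus size breaks key privacy for RSA-based schemes: a Python IK-CPA adversary that guesses the key from the size of the ciphertext alone. The toy primes, the public exponent and the trial count are constructed for this example.

```python
import secrets


def rsa_keygen_toy(p, q, e):
    """Textbook RSA key from two given primes (constructed toy values, not a real keygen)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse (Python 3.8+)
    return (n, e), (n, d)                # (pk, sk)

def rsa_encrypt(pk, m):
    n, e = pk
    return pow(m, e, n)

def ik_distinguisher(pk0, pk1, c):
    """IK-CPA adversary that looks only at the size of c.

    A textbook-RSA ciphertext under modulus n lies in [0, n), so a c that fits
    under one modulus but not the other was surely made with the larger key.
    When c fits under both moduli its size says nothing, and we have to guess."""
    n0, n1 = pk0[0], pk1[0]
    if n0 <= c < n1:
        return 1
    if n1 <= c < n0:
        return 0
    return secrets.randbelow(2)

def ik_cpa_win_rate(pk0, pk1, trials=2000):
    """Play the IK-CPA game `trials` times and return the fraction of rounds with b' = b.
    A key-private scheme would keep this close to 1/2."""
    n_min = min(pk0[0], pk1[0])
    wins = 0
    for _ in range(trials):
        b = secrets.randbelow(2)
        m = secrets.randbelow(n_min - 2) + 2        # same message space for both keys
        c = rsa_encrypt((pk0, pk1)[b], m)
        wins += ik_distinguisher(pk0, pk1, c) == b
    return wins / trials

# Constructed toy keys with a 12-bit and a 20-bit modulus (far too small for real use).
PK0, _ = rsa_keygen_toy(61, 53, 17)         # n0 = 3233
PK1, _ = rsa_keygen_toy(1009, 1013, 17)     # n1 = 1022117

if __name__ == "__main__":
    print("IK-CPA win rate against textbook RSA:", ik_cpa_win_rate(PK0, PK1))
```

With these keys the size-only adversary wins about three rounds in four: whenever the ciphertext was made under the larger modulus it almost always exceeds the smaller one.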
Robustness
[Abdalla et al. 2010]
Given a key pair (pk0, sk0) and an encryption c of a message m obtained by using pk0, only sk0 enables decrypting c: there is no other key pair (pk1, sk1) such that Dec_sk1(c) ≠ fail
WROB Experiment
Challenger C, adversary A
C runs (pk0, sk0) <--- Gen(1^k), (pk1, sk1) <--- Gen(1^k) and sends pk0, pk1 to A
A receives pk0, pk1, has oracle access to Dec_sk0(·) and Dec_sk1(·) poly(k) times (queries c, answers m)
A outputs m*, and c* is computed as an encryption of m* under pk0
If Dec_sk0(c*) ≠ fail and Dec_sk1(c*) ≠ fail then C outputs 1
A wins if C outputs 1
Key Privacy, Robustness
and Security
Question: is there any relation among them?
Non malleability
[Dolev et al. 1991]
Roughly speaking, an encryption scheme is non
malleable if, given a ciphertext c = Encpk(m),
it is not feasible to produce a new ciphertext
c’, which is an encryption of a message m’,
somehow related to m.
Non malleability under cca attack
is equivalent to IND-CCA
1. Key Privacy and robustness imply security
Thm. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is non malleable.
Since non malleability is equivalent to ind-cca security, we get:
Cor. Let Π = (eGen, Enc, Dec) be a robust public-key encryption scheme. Π is ik-cca secure only if Π is ind-cca secure.
Proof Idea
By contradiction: if there exists an efficient Adv which wins the NM experiment, then there exists an efficient Adv which wins the ik-cca experiment.
The Adv for ik-cca, run by the ik-cca challenger C, simulates the environment for the NM experiment, i.e., it acts as the challenger C of the NM experiment towards the Adv for NM, and uses its answer in the ik-cca experiment.
Secret Set and Anonymous Broadcast Encryption
Secret Set
[Molva and Tsudik 1998]
A representation of a set S of users of a given universe U, satisfying:
• any user of U can check if he is a member of S
• no one can check if another user is a member
• no one can determine the size of the set S
Secret societies
Real and fictitious
Secret societies at Yale University
Priory of Sion
A secret society is a club or organization whose activities and inner workings are concealed from the non-members …
2. Secret Set Scheme: formal model
Σ = (Kgen, Srep, Mver) for universe of users U = {u_1, …, u_n}
(pub_1, sec_1), …, (pub_n, sec_n) <--- Kgen(1^k)
SR <--- Srep(S, pub)
{0, 1, fail} <--- Mver(SR, sec_i)
Correctness: for each set S and user u_i in U, for each k,
Pr[(pub_1, sec_1), …, (pub_n, sec_n) <--- Kgen(1^k); SR <--- Srep(S, pub): Mver(SR, sec_i) = m_i] = 1
where m_i is the membership status of u_i (1 if u_i is in S, 0 otherwise)
Membership Private
No coalition of users R is able to check the membership status m_i of a user u_i outside the coalition R
MSHIP Experiment
Challenger C, adversary A
Phase 1
C runs (pub_1, sec_1), …, (pub_n, sec_n) <--- Kgen(1^k) and sends pub_1, …, pub_n to A
A asks key queries (query i, answer sec_i) and membership queries (query (SR, i), answer m_i)
Challenge
A outputs u_i, u_j
C chooses b <--- {0,1}, sets S_0 = S ∪ {u_i}, S_1 = S ∪ {u_j}, computes SR* <--- Srep(S_b, pub) and sends SR* to A
Phase 2
A asks further key queries and membership queries, then outputs b’
A wins if b’ = b
Size Hiding
No coalition of users R is able to determine the size of the secret set
SHIDE Experiment
Challenger C, adversary A
Phase 1
C runs (pub_1, sec_1), …, (pub_n, sec_n) <--- Kgen(1^k) and sends pub_1, …, pub_n to A
A asks key queries (query i, answer sec_i) and membership queries (query (SR, i), answer m_i)
Challenge
A outputs S_0, S_1
C chooses b <--- {0,1}, computes SR* <--- Srep(S_b, pub) and sends SR* to A
Phase 2
A asks further key queries and membership queries, then outputs b’
A wins if b’ = b
Adversary Power
• No oracle access: Static
• Oracle access only in Phase 1: Non-adaptive
• Oracle access in Phase 1 and Phase 2: Adaptive
Anonymous Broadcast Encryption
[Barth et al. 2006, Libert et al. 2012]
The Broadcast Encryption Problem
[Berkowitz 1991, Fiat and Naor 1994]
• A center C broadcasts a msg to a set N of receivers
• A subset P of privileged users should be able to decrypt
• P changes from time to time
(Figure: the center C sends msg to all receivers; some are privileged, the others forbidden.)
In broadcast encryption, the identities of the privileged users are in the header of msg
Anonymous Broadcast Encryption
Σ = (Keygen, Encrypt, Decrypt) for universe of users U = {u_1, …, u_n}
(pub_1, sec_1), …, (pub_n, sec_n) <--- Keygen(1^k)
c <--- Encrypt(P, pub, m)
{m, fail} <--- Decrypt(sec_i, c)
Correctness: for each set P and user u_i in P, for each k,
Pr[(pub_1, sec_1), …, (pub_n, sec_n) <--- Keygen(1^k); c <--- Encrypt(P, pub, m): Decrypt(sec_i, c) = m] = 1
Anonymous and semantically secure
No Adv through a cca attack is able to decrypt the message or to find out the identity of any recipient
A-IND-CCA Experiment
Challenger C, adversary A
Phase 1
C runs (pub_1, sec_1), …, (pub_n, sec_n) <--- Keygen(1^k) and sends pub_1, …, pub_n to A
A asks key queries (query i, answer sec_i) and decryption queries (query (c, i), answer m = Decrypt(sec_i, c))
Challenge
A outputs S_0, S_1, m_0, m_1
C chooses b <--- {0,1}, computes c* <--- Encrypt(S_b, pub, m_b) and sends c* to A
Phase 2
A asks further key queries and decryption queries, then outputs b’
A wins if b’ = b
3. Equivalence between primitives
Thm 1. Anonymous broadcast encryption implies secret set
Thm 2. Secret set implies anonymous broadcast encryption
w.r.t. non-adaptive adversaries
Security reductions
for general and concrete
constructions
[Revisitation of Molva and Tsudik’s constructions]
Signature Scheme
Σ = (sGen, Sign, Ver), message space M
(vk, sk) <--- sGen(1^k)
σ <--- Sign_sk(m)
{0, 1} <--- Ver_vk(m, σ)
Correctness: for each k,
Pr[(vk, sk) <--- sGen(1^k); m <--- M; σ <--- Sign_sk(m): Ver_vk(m, σ) = 1] = 1
Unforgeability under cma
Challenger C, adversary A
C runs (vk, sk) <--- sGen(1^k) and sends vk to A
A receives vk, has oracle access to Sign_sk(·) poly(k) times (queries m, answers σ), and outputs m*, σ* (different from all queried pairs m, σ)
If Ver_vk(m*, σ*) = 1 then C outputs 1, else 0
A wins if C outputs 1
PK-based Construction
Π = (eGen, Enc, Dec) public key scheme, Σ = (sGen, Sign, Ver) signature scheme
Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j
Srep(S, pub_U):
  (vk, sk) <--- sGen(1^k)
  for j = 1, …, n: c_j = Enc_pk_j(in|vk) if u_j in S, c_j = Enc_pk_j(out|vk) if u_j not in S
  σ = Sign_sk(c_1| … |c_n)
  SR = (c_1 … c_n, σ)
Mver(SR, sec_i):
  m = Dec_sk_i(c_i)
  if m = in|vk and Ver_vk(c_1| … |c_n, σ) = 1 then output 1
  if m = out|vk and Ver_vk(c_1| … |c_n, σ) = 1 then output 0
  else output fail
4. Security Reduction (1/4)
Thm. Assuming
• Π = (eGen, Enc, Dec) is a cca-secure public-key encryption scheme and
• Σ = (sGen, Sign, Ver) is an existentially unforgeable under chosen message attack signature scheme
the PK-based Construction is a membership-private and size-hiding secret set scheme
Representation-length efficiency
Π = (eGen, Enc, Dec) public key scheme
Kgen(1^k): for j = 1, …, n, (pk_j, sk_j) <--- eGen(1^k); pub_j = pk_j, sec_j = sk_j
Srep(S, pub_S):
  for each u_j in S: c_j = Enc_pk_j(in|u_j)
  SR = (c_1 … c_|S|)   (only |S| ciphertexts, one per member, in no identifying order)
Mver(SR, sec_i):
  for j = 1, …, |S|: m = Dec_sk_i(c_j)
    if m = in|u_i, then output 1
  if no c_j decrypts to in|u_i under sk_i, output 0
4. Security Reduction (2/4)
Thm. Assuming Π = (eGen, Enc, Dec) is a public-key encryption scheme that is
• weakly robust
• ik-cca private
the Representation-length-efficient PK-based Construction is a weak membership-private secret set scheme, i.e., membership-private w.r.t. a non-adaptive adversary.
DH-based Bit-Vector Construction
G cyclic group of order q, g generator
Kgen(1^k): for j = 1, …, n, a_j <--- Z_q*, compute g^a_j; pub_j = g^a_j, sec_j = a_j
Srep(S, pub_U):
  Choose b <--- Z_q*, compute g^b
  for j = 1, …, n: K_j = (g^a_j)^b and, if u_j in S, set c_j = MSB(K_j), else set c_j = MSB(K_j) + 1 mod 2
  SR = (g^b, c_1 … c_n)
Mver(SR, sec_i):
  Compute K_i = (g^b)^a_i and d_i = MSB(K_i)
  If d_i = c_i, then output 1; else, output 0
4. Security Reduction (3/4)
Thm. Assuming
• CDH problem is hard in G
• MSB is a hard-core predicate
the DH-based bit-vector Construction is a weak
membership-private and size-hiding secret set
scheme
Hash-based Construction
G cyclic group of order q, g generator, H hash function
Kgen(1^k): for j = 1, …, n, a_j <--- Z_q*, compute g^a_j; pub_j = g^a_j, sec_j = a_j
Srep(S, pub_S):
  Choose b <--- Z_q*, compute g^b
  for each u_j in S: K_j = (g^a_j)^b and c_j = H(K_j)
  SR = (g^b, c_1 … c_|S|)
Mver(SR, sec_i):
  Compute K_i = (g^b)^a_i (which equals (g^a_i)^b) and h = H(K_i)
  If h ∈ {c_1 … c_|S|}, then output 1; else, output 0
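Added example, not from the slides: a Python rendering of the DH-based bit-vector construction and the hash-based construction above, sharing one Kgen. The group (p = 2^61 - 1, g = 3), the 61-bit MSB definition and SHA-256 as H are assumptions made for this example; the Mver functions return the same 1/0 as on the slides, and the two representation lengths show which variant hides |S|.

```python
import hashlib
import secrets

# Constructed toy parameters: p = 2^61 - 1 (a Mersenne prime), g = 3.
# A real deployment needs a standard large prime-order group; this is for illustration only.
P = (1 << 61) - 1
G = 3

def rand_exp():
    return secrets.randbelow(P - 2) + 1            # exponent in [1, p-2]

def kgen(n):
    """Kgen(1^k): sec_j = a_j, pub_j = g^{a_j} for users u_1..u_n (0-indexed here)."""
    secs = [rand_exp() for _ in range(n)]
    return [pow(G, a, P) for a in secs], secs

def msb(k):
    """MSB of the 61-bit representation of a group element (the hard-core bit used here)."""
    return (k >> 60) & 1

def srep_bitvector(members, pubs):
    """DH-based bit-vector Srep: one bit per user of the whole universe, so |S| is hidden."""
    b = rand_exp()
    bits = []
    for j, pub in enumerate(pubs):
        kj = pow(pub, b, P)                         # K_j = (g^{a_j})^b
        bits.append(msb(kj) if j in members else msb(kj) ^ 1)   # flip the bit for non-members
    return pow(G, b, P), bits                       # SR = (g^b, c_1 ... c_n)

def mver_bitvector(sr, sec_i, i):
    """User i recomputes K_i = (g^b)^{a_i} and compares its MSB with slot c_i."""
    gb, bits = sr
    return 1 if msb(pow(gb, sec_i, P)) == bits[i] else 0

def tag(k):
    return hashlib.sha256(k.to_bytes(8, "big")).digest()   # H(K); K < 2^61 fits in 8 bytes

def srep_hash(members, pubs):
    """Hash-based Srep: g^b plus one hash per member; shorter, but its length reveals |S|."""
    b = rand_exp()
    return pow(G, b, P), [tag(pow(pubs[j], b, P)) for j in members]   # SR = (g^b, c_1 ... c_|S|)

def mver_hash(sr, sec_i):
    """User i hashes its own K_i = (g^b)^{a_i} and checks whether it is among the tags."""
    gb, tags = sr
    return 1 if tag(pow(gb, sec_i, P)) in tags else 0
```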
4. Security Reduction (4/4)
Thm. Assuming
• CDH problem is hard in G
• H is a random oracle
the Hash-based Construction is a weak membership-private secret set scheme
Conclusions
We have
• shown that key privacy and robustness imply security
• introduced a formal model for secret set
• proved that secret set and anonymous broadcast are equivalent w.r.t. non-adaptive adversaries
• provided security reductions for general and concrete secret set constructions
Open Problems
• anonymous broadcast and secret set: equivalent w.r.t. adaptive adversaries?
• does there exist a length-efficient membership-private and size-hiding secret set construction?
• does there exist a length-efficient membership-private secret set construction?
Thanks!