ANONIZE: A Large-Scale Anonymous Survey System
Susan Hohenberger (Johns Hopkins University)
Steven Myers (Indiana University)
Rafael Pass (Cornell University)
Abhi shelat (University of Virginia)
Paper cited 1 time.
Topics
● Requirements for Ad-hoc Surveys.
● Prior Work.
● Intro to Ad-hoc Surveys.
● Background Review.
● Ad-hoc Surveys in More Details.
● How Each Property is Achieved.
● Implementation.
● Performance Evaluation.
2
Objective
Enables a survey authority to independently select a group of registered users
and create a survey in which only selected users can anonymously submit
exactly one response.
3
Requirements
● Authenticity: ensuring that only the legitimate users can participate in the data collection.
● Anonymity: ensuring that there is no link between the legitimate user and his/her data, even if an RA and SA are arbitrarily corrupted and in collusion (honest feedback!).
● Each user should be allowed to submit only once, yet must be anonymous!
4
Example
● Course evaluation.
● Online product reviews.
● Whistleblowing (verify that a complaint comes from within the organization).
5
Issue with Third Party.
● Happened at Cornell University. Contains sensitive data of 45,000 university members.
● Collects usernames during submission.
● Side channel indicates who already filled in the form (order in which students participated).
● Jurisdictional boundaries (no sensitive data to be stored on servers run by foreign corporations).
6
Solution: Cryptography.
No need to Trust Third Party.
7
Prior Work
1) Authenticate: user authenticates to the server anonymously.
2) Get token: user checks out a single-use token.
3) Participate: user uses the token to participate in the survey.
Good ... as long as steps 2 & 3 are separated by a long time. However, this makes it inconvenient.
8
Proposed Solution: Ad-hoc survey
● Anyone can select a group and create a survey.
● Only those can complete the survey at most once!
● Survey initiator initiates the survey knowing only identities (email).
● No further interaction required!
Hence, increase user
9
Ad-hoc Surveys:
Actor: RA - Registration Authority (e.g. University)
Role: Issues master user token.
Actor: SA - Survey Authority (Course Administrator)
Role: Creates surveys.
Actor: Users
Role: Provide survey data.
10
Ad-hoc Surveys: Step 1 (one time)
User (e.g. student) and RA (Registration Authority, e.g. University):
1) User → RA: Register (e.g. email).
2) RA → User: secret master user token (unlinkable).
Token used for all surveys.
11
Ad-hoc Surveys: Step 2 (Repeated)
SA (e.g. Course Administrator):
● Choose survey ID.
● Choose list of identities (e.g. email).
12
Ad-hoc Surveys: Step 3 (Repeated)
● User: survey key + master user token = one-time token (no interaction).
● User → SA: submit (non-interactively) over an anonymous network like Tor.
● One-time token, properties:
  ● No link to student identity.
  ● For a given survey, one token.
13
Background: Tor (Anonymity network).
● Tor is free software for enabling anonymous communication.
● Name derived from: The Onion Router.
● Directs Internet traffic through a free, worldwide, volunteer network consisting of more than 6,000 relays.
● NSA: "the King of high-secure, low-latency Internet anonymity" with "no contenders for the throne in waiting"
14
Background: Commitment Scheme.
Allows one to commit to a chosen value (or chosen statement) while keeping it hidden from others, with the ability to reveal the committed value later.
15
Background: Commitment Scheme.
Example: Coin flipping.
If they are physically in the same
place:
1) Alice "calls" the coin flip.
2) Bob flips the coin.
3) If Alice's call is correct, she
wins, otherwise Bob wins.
Not in the same place:
1) Alice "calls" the coin flip but only tells
Bob a commitment to her call.
2) Bob flips the coin and reports the
result.
3) Alice reveals what she committed to.
4) Bob verifies that Alice's call matches
her commitment
5) If Alice's revelation matches the coin
result Bob reported, Alice wins.
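The remote coin flip above as a runnable sketch. This is an added example, not part of the original slides: it assumes a SHA-256 hash commitment with a random nonce (the slides name no construction), and the function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def commit(call: str) -> tuple[bytes, bytes]:
    """Alice: return (commitment, nonce) for her call."""
    # The fixed-length random nonce hides the call; without it Bob could
    # hash "heads" and "tails" himself and read the commitment.
    nonce = secrets.token_bytes(32)
    digest = hashlib.sha256(nonce + call.encode()).digest()
    return digest, nonce


def verify(commitment: bytes, nonce: bytes, call: str) -> bool:
    """Bob: check that the revealed (nonce, call) opens the commitment."""
    expected = hashlib.sha256(nonce + call.encode()).digest()
    return hmac.compare_digest(commitment, expected)


def play(alice_call: str, bob_flip: str, revealed_call: str) -> str:
    """Run steps 1-5; revealed_call models what Alice claims at step 3."""
    commitment, nonce = commit(alice_call)      # step 1: Bob sees only the commitment
    # step 2: Bob flips and reports bob_flip
    # step 3: Alice reveals (nonce, revealed_call)
    if not verify(commitment, nonce, revealed_call):   # step 4: binding check
        return "alice cheated"
    return "alice wins" if revealed_call == bob_flip else "bob wins"  # step 5


if __name__ == "__main__":
    print(play("heads", "heads", "heads"))  # honest run, call matches the flip
    print(play("heads", "tails", "tails"))  # Alice tries to switch after the flip
```
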
16
Background: Pseudo-random functions (PRF)
● A PRF is a seeded deterministic function that maps any input to a random-looking output, assuming one has no knowledge of the seed.
● This is the intuition behind pseudo-random functions: Bob gives Alice some random $i$, and Alice returns $F_K(i)$, where $F_K$ is indistinguishable from a random function, that is, given any $x_1, \ldots, x_m, F_K(x_1), \ldots, F_K(x_m)$, no adversary can predict $F_K(x_{m+1})$ for any $x_{m+1}$.
● Used for symmetric encryption.
17
Background: Non-interactive zero-knowledge (NIZK)
● Non-interactive zero-knowledge (NIZK) proofs are a variant of zero-knowledge proofs in which no interaction is necessary between prover and verifier.
● A common reference string shared between the prover and the verifier is enough to achieve computational zero-knowledge without requiring interaction.
18
Background: Blind signature
● A blind signature is a form of digital signature in which the content
of a message is disguised (blinded) before it is signed. The
resulting blind signature can be publicly verified against the
original, unblinded message in the manner of a regular digital
signature.
● Typically employed in privacy-related protocols where the signer
and message author are different parties.
● Examples include cryptographic election systems.
19
Registration - More Details: Step 1 (one time)
User (e.g. student) and RA (Registration Authority, e.g. University):
1) Generate public key pair.
2) User → RA: Register:
  ● Send a commitment to a random PRF seed sid.
  ● Provide a NIZK that the commitment is well formed.
3) RA: sign the commitment with its signing key (blind signature).
4) RA → User: signature: master user token (unlinkable).
Token used for all surveys.
20
Ad-hoc Surveys - More Details: Step 2 (Repeated)
SA (e.g. Course Administrator):
● Choose survey ID (vid).
● Choose list of identities (e.g. email) called “L”.
21
Ad-hoc Surveys - More Details: Step 3 (Repeated)
User → SA: submit m (non-interactively)
● survey key (vid) + master user token = one-time token (no interaction) = $F_{sid}(vid)$ (evaluate the PRF using seed sid with input vid).
● Present a NIZK proof that “it knows a signature by the RA on its identity id and a commitment to a seed sid”.
● The NIZK also proves that “it is signed by the SA on its id” (meaning id is on the list L).
● Thereby user data is authenticated by the NIZK.
22
How Each Property is Achieved.
Property: Only authorized users complete survey
How: NIZK (tag based).
Property: User can complete survey at most once
How: One user token. PRF always gives the same value, computed from s.
Property: Anonymity.
How:
● Neither RA nor SA sees the seed (they only see commitments).
● Zero-knowledge property.
● Pseudo-random property of PRF.
23
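The one-time-token step and the "at most once" property, as an added Python sketch (not the ANONIZE code and not from the slides). Assumptions: HMAC-SHA256 stands in for the PRF F, the `SurveyAuthority` class, function names and survey IDs are hypothetical, and the NIZK proof and RA/SA signatures that authenticate a token are omitted.

```python
import hashlib
import hmac
import secrets


def one_time_token(seed: bytes, vid: str) -> str:
    """tok = F_seed(vid): PRF keyed with the user's secret seed, input = survey ID."""
    return hmac.new(seed, vid.encode(), hashlib.sha256).hexdigest()


class SurveyAuthority:
    """Hypothetical SA-side collector: at most one response per token."""

    def __init__(self, vid: str):
        self.vid = vid
        self.responses: dict[str, str] = {}

    def submit(self, tok: str, m: str) -> bool:
        # The PRF is deterministic, so a repeat submission by the same user
        # carries the same token and is rejected without learning who it is.
        if tok in self.responses:
            return False
        self.responses[tok] = m
        return True


def demo() -> dict:
    # Constructed sample data: two users, each with a secret 32-byte seed.
    alice_seed, bob_seed = secrets.token_bytes(32), secrets.token_bytes(32)
    sa = SurveyAuthority("cs101-eval")
    tok = one_time_token(alice_seed, sa.vid)
    return {
        "first": sa.submit(tok, "great course"),
        "repeat": sa.submit(one_time_token(alice_seed, sa.vid), "changed my mind"),
        "other_user": sa.submit(one_time_token(bob_seed, sa.vid), "too fast"),
        # Same user, different survey: tokens differ, so surveys cannot be linked.
        "unlinkable": tok != one_time_token(alice_seed, "cs202-eval"),
        "count": len(sa.responses),
    }


if __name__ == "__main__":
    print(demo())
```

Without the omitted NIZK, this collector cannot tell a token derived from an RA-signed seed from an arbitrary string; the sketch covers only the duplicate-detection half of the design.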
Implementation: System setup
● RA generates a public key pair pkRA (public), skRA (private).
● Each SA generates a public key pair pkSA, skSA.
24
Implementation: User Registration
● User and RA execute the protocol (RegRA, RegU).
● This allows the user to get an unlinkable “master credential” credid.
25
Implementation: Survey Registration
● SA generates a “survey public key”.
● Or pksid ← GenSurvey(1^n, sid, L, skSA), where sid is the survey ID and skSA is the SA private key.
26
Implementation: Complete Survey
● User combines master credential credid with survey identifier sid to generate a one-time token.
● Or sub = (tok, m, tokauth) ← submit(1^n, sid, pksid, m, credid)
● Submit sub to the SA through an anonymous channel.
● tok: one-time token.
● tokauth: authenticator to bind m to tok.
27
Implementation: Audit
● User can check whether the submission was counted by inspecting their submission output.
● User uses Check(pkSA, pkRA, sid, pksid, sub) to check whether sub is a valid submission (no ballot/survey-stuffing).
● User can use Authorized(pkSA, sid, pksid, id’) to check that user id’ is authorized to do the survey (result not targeted to a particular user).
28
Concrete Implementation:
● Implemented in C++ using the MIRACL big number library.
● Supports pairing (bilinear map)-based cryptography.
● Free for educational purposes.
Maps a vector space X into another
space Y.
There are no practical limits to the
precision except the ones implied by
the available memory in the machine.
29
Performance: Timing Result
Barreto–Naehrig pairing curve
degree k=12, Barreto–Lynn–Scott pairing curve
Verify 1 million submissions in approximately 33 hours per CPU core.
30
Thank You.
31