Computer Science and Engineering, ASU Anonymous Communications: An Identity-Based Solution Dijiang Huang


Page 1

Computer Science and Engineering, ASU

Anonymous Communications: An Identity-Based Solution

Dijiang Huang

Page 2

Identity-Pseudonym-Anonymity 2

Outline

Overview of Anonymous Communication Systems

Overview of Identity, Pseudonymity, and Anonymity

An identity-based cryptographic solution for anonymous communications

Future Research Directions

Page 3

Anonymous Communications

Anonymous communication services
o Identity anonymity: receiver anonymity, sender anonymity, and both-ends anonymity
o Routing anonymity: route anonymity
o Confidentiality: data anonymity

Existing solutions for both Internet and wireless anonymous services
o Use proxies (client-proxy-server networking architecture, e.g., Anonymizer©)
o Source rewriting (e.g., Mix-type solutions)
   Change the source field of received messages
   Chaining (includes route exploration and anonymous data delivery)
o Dummy traffic against traffic analysis

How to set up initial trust? (In a wireless environment)
o Assumption 1: the source node knows whom the packet is sent to. But how?
o Assumption 2: a shared key is used to open a trapdoor function in order to identify the recipient. How is the shared key set up?
o The above assumptions are weak. The question is how to distribute credentials in a natural way.

[Figure: a proxy acting as a "black box" between request and reply flows, with anonymity weighed against accountability; the credentials shown are identity, pseudonym, public key, and certificates]

Page 4

Outline

Overview of Anonymous Communication Systems

Overview of Identity, Pseudonymity, and Anonymity

An identity-based cryptographic solution for anonymous communications

Future Research Directions

Page 5

What is "identity"?

Defined at www.dictionary.com:
1. The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
2. The set of behavioral or personal characteristics by which an individual is recognizable as a member of a group.
3. The quality or condition of being the same as something else.
4. The distinct personality of an individual regarded as a persisting entity; individuality.

Identity can be explained as an exclusive (3, 4) perception (1) of life, integration into a social group (2), and continuity (4), which is bound to a body (2, 4) and shaped by society. -- Andreas Pfitzmann and Marit Hansen

Identity describes a state of being identifiable.

Page 6

Anonymity

Anonymity is the state of being not identifiable within a set of subjects, the anonymity set.
o "Not identifiable within" means "not uniquely characterized within".
o The anonymity set is the set of all possible subjects, i.e., the set of possible subjects depends on the knowledge of the attacker. Thus, anonymity is relative with respect to the attacker.

Page 7

Pseudonym

Pseudonyms are identifiers of subjects, in our setting of sender and recipient. The subject which the pseudonym refers to is the holder of the pseudonym.
o We prefer the term "holder" over "owner" of a pseudonym because it seems to make no sense to "own" pseudonyms, e.g., bit strings.
o The holdership must be provable, e.g., via a trusted third party.

A digital pseudonym is a bit string which, to be meaningful in a certain context, is unique in representing an identity (at least with very high probability) and suitable for authenticating the holder's actions relative to his/her digital pseudonym, e.g., to authenticate his/her messages.

Types of pseudonyms
o Public pseudonym, e.g., phone number, email address, mail address
o Initially non-public pseudonym, e.g., a bank account, DNA information
o Unlinked pseudonym: the link between a pseudonym and the identity is only known by the pseudonym holder; and the link should be meaningful, i.e., it must be associated with a certain level of interests.

Page 8

Pseudonym

Classification of pseudonyms
1. Person pseudonym, e.g., links to one or a group of subjects.
2. Role pseudonym, e.g., links to one or a set of functions or abilities.
3. Relation pseudonym, e.g., links to one or several communication sessions.
4. Role-relationship pseudonym, e.g., the combination of 2 and 3.
5. Transaction pseudonym, e.g., links to a particular action.

Pseudonymity ≠ Anonymity
o Pseudonyms provide a mechanism to achieve anonymity.
o Pseudonyms are an effective means to achieve both privacy protection and accountability (and openness).
o Pseudonym-based business models are more attractive than anonymity-based ones.
o Degrees of abuse control are enabled by the use of pseudonyms.
o The user has the flexibility to select the degree of anonymity for different applications by using pseudonym-enabling techniques.

Page 9

Anonymity Models

Anonymity with "Big Brother"
o An arbitration mechanism exists to solve disputes, e.g., law enforcement, private key escrow.

Anonymity with "trusted" parties
o The anonymous users trust the corresponding business models.

Anonymity with "semi-trusted" parties

Purely anonymous

[Figure: cartoon of the four models arranged between the poles "Accountability" and "Anonymity". Trusted party: "I promise that I will not disclose your private information..." / user: "?". Semi-trusted party, user: "I am not sure if I was spied on. hehe". User: "Only I know what I am doing." / organizer: "However, if you were not following the regulations, you will be kicked out." Purely anonymous user: "Only I know what I am doing and nobody can kick me out." / reply: "Well, nobody will trust you then!"]

Page 10

Outline

Overview of Identity, Pseudonymity, and Anonymity
Anonymous Communication Systems
An identity-based cryptographic solution for anonymous communications
o Overview of identity-based cryptography
o Our solutions
   Math basics
   Pseudonym-based encryption (PBE)
   Zero-round key exchange
   Blind certificate
   Pseudonym revocation
Future Research Directions

Page 11

Overview of Identity-Based Encryption

ID-based encryption
o Shamir (Crypto '84) first proposed it; Boneh and Franklin (Crypto '01) proposed a pairing-based IBE scheme
o Uses a user's identification (a pseudonym) as the public key
o The private key generator (PKG, a trusted third party) is in charge of the private key distribution
o Sample applications: revocation of public keys (such as [email protected] || 2006); delegations (laptop and duties)

The anonymous user can use a pseudonym as his/her ID for anonymous communication (Zhang et al., Infocom 2005)
o Before the anonymous communication
   The PKG publishes a set of system parameters, params
   The anonymous user self-generates a pseudonym based on the params
   The anonymous user registers at the PKG to derive his/her private key and public key certificate (the signature of his ID generated by the PKG)
o During the communication
   The anonymous user broadcasts his/her ID (a pseudonym) and the corresponding certificate
   Other anonymous users can verify his/her ID by using the params
   Once verified, the ID can be used as the public key of the anonymous user
o The main drawback: the pseudonym and corresponding private key are not anonymous to the PKG

[Figure: H([email protected] || 2006) → [k]P ∈ G → [sk]P, i.e., the ID is hashed to a point and the PKG multiplies it by the master secret s; likewise [s]H([email protected] || 3/3/2006) and [s]H([email protected] || 14:30-50/3/3/2006) for time-limited keys]

Page 12

Problem Statements of Using ID-based Cryptography for Anonymous Communications

The pseudonym and corresponding private key should be known only to the pseudonym holder
o It is desirable that the user can self-generate the pseudonym and corresponding private keys by using the publicly known params

The pseudonym also serves as a partial credential for accountability
o The organizer blindly generates the certificate for the pseudonym
o Based on announced pseudonyms, each pair can self-generate a shared key without key negotiation (zero-round key exchange)
o The organizer can revoke one pseudonym as well as a group of pseudonyms

The research challenges:
o Can we provide an admissible anonymous communication environment? I.e., an organizer controls admission to the anonymous communication group.
o Can we prevent the organizer from disclosing the underlying anonymous communications? I.e., the public and private keys and the certificates are all blind to the organizer.

Page 13

Our Solutions

Math basics
o Elliptic curve cryptography (ECC)
o Pairings and their properties
Pseudonym-based encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

Page 14

What is an Algebraic Group <G, ∘>?

A group is an algebraic system consisting of a set G and an operation ∘ such that for all elements a, b and c in G the following conditions are fulfilled:

• Closure: a ∘ b must remain in G
• Associativity: a ∘ (b ∘ c) = (a ∘ b) ∘ c
• Neutral element: a ∘ e = e ∘ a = a
• Inverse element: a ∘ a' = a' ∘ a = e
• Commutativity: a ∘ b = b ∘ a (Abelian group)

Examples:

• Addition: <R, +>, e = 0, a' = -a
• Multiplication: <R \ {0}, ·>, e = 1, a' = a^-1

Page 15

[Figure: plot of an elliptic curve over the reals, axes from -4 to 4, showing the points P, P2 and P3 produced by point iteration]

Point Iteration: Adding a Point k-1 Times to Itself

[k]P = P + P + ... + P

Elliptic curves can be defined in a finite or Galois field GF(p):

y^2 = x^3 + ax + b (mod p)

Given Q = [k]P, is it possible to compute k?

Answer: This is a hard problem known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Page 16

Pairings and Their Properties

Multiplicative mask
The order of P is denoted by δP. If r is a unit in the multiplicative group modulo δP and r^-1 is its inverse, then k = r(r^-1 k) (mod δP) for any k. This means that if k' = r^-1 k (mod δP), we can recover the desired point [k]P by first computing Q' = [k']P and then [k]P = [r]Q'.

[Figure: the pairing shown as a one-way mapping from pairs of points in the group generated by P into the target group]
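The point iteration [k]P, the ECDLP and the multiplicative mask from the two slides above, worked as an added Python example (not code from the talk). The toy curve y^2 = x^3 + 2x + 3 over GF(97) with base point P = (3, 6) is constructed for illustration, and every function name is this example's own; on this curve P has order 5, so brute-forcing the ECDLP takes five additions, which is exactly what a real-size curve makes infeasible.

```python
"""Point iteration, brute-force ECDLP and the multiplicative mask on a toy curve
(added example; constructed parameters, not from the slides)."""
from math import gcd

# Constructed toy curve y^2 = x^3 + a x + b over GF(p); P = (3, 6) lies on it.
p, a, b = 97, 2, 3
P = (3, 6)
O = None  # the point at infinity: the neutral element of the curve group


def on_curve(A):
    if A is O:
        return True
    x, y = A
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(A):
    return O if A is O else (A[0], (-A[1]) % p)


def add(A, B):
    """Chord-and-tangent group law on the curve."""
    if A is O:
        return B
    if B is O:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % p == 0:      # B = -A
        return O
    if A == B:                                # tangent line at A
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:                                     # chord through A and B
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul_naive(k, A):
    """[k]A = A + A + ... + A, adding A k-1 times to itself as on the slide."""
    R = O
    for _ in range(k):
        R = add(R, A)
    return R


def mul(k, A):
    """[k]A by double-and-add: O(log k) group operations; negative k uses -A."""
    if k < 0:
        k, A = -k, neg(A)
    R = O
    while k:
        if k & 1:
            R = add(R, A)
        A = add(A, A)
        k >>= 1
    return R


def order(A):
    """delta_A: the smallest n > 0 with [n]A = O (by iteration; only viable on a toy curve)."""
    n, R = 1, A
    while R is not O:
        R = add(R, A)
        n += 1
    return n


def ecdlp_bruteforce(A, Q):
    """Find k with [k]A = Q by exhaustive search: feasible here only because delta_A = 5."""
    R = O
    for k in range(order(A)):
        if R == Q:
            return k
        R = add(R, A)
    return None


def masked_mul(k, r, A):
    """The multiplicative mask: [k]A = [r]Q' with Q' = [k']A and k' = r^-1 k (mod delta_A)."""
    n = order(A)
    if gcd(r, n) != 1:
        raise ValueError("r must be a unit modulo the order of A")
    k_prime = pow(r, -1, n) * k % n
    Q_prime = mul(k_prime, A)
    return mul(r, Q_prime)


if __name__ == "__main__":
    print("order of P:", order(P))
    print("[4]P =", mul(4, P), "recovered k =", ecdlp_bruteforce(P, mul(4, P)))
    print("masked [4]P via r=2:", masked_mul(4, 2, P))
```

`mul` and `mul_naive` agree for every k because both are built on the same group law; the mask only changes which scalar is fed to the point multiplication, so a party can hand the blinded scalar k' to someone else, get Q' = [k']P back, and unmask it with [r]Q' without ever revealing k.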

Page 17

Our Solutions

Math basics
Pseudonym-based encryption (PBE)
o System setup
o PBE descriptions
o Comparisons of PBE and IBE
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

Page 18

System Setup

Organizer publishes the system parameters:
System public key: Q0 = [s]P
System private key: s

Bob
Pseudonym_Bob = (QB, cB) where QB = [b2 b1]P and cB = ê(QB, [b2^-1 - 1]Q0)
Private key: [s b1]P, b1, b2

John
Pseudonym_John = (QJ, cJ) where QJ = [j1 j2]P and cJ = ê(QJ, [j2^-1 - 1]Q0)
Private key: [s j1]P, j1, j2

Page 19

Pseudonym-Based Encryption

The PBE scheme includes four steps: Setup, Extract, Encrypt, and Decrypt.

Setup: the system parameters params are published

Page 20

Pseudonym-Based Encryption

Page 21

Pseudonym-Based Encryption

Page 22

PBE and IBE

In PBE, each anonymous user generates his own private key; in IBE, the PKG generates the private keys for all anonymous users.

In PBE, there is no mapping function H1: {0,1}^n → G1, which in the IBE scheme maps an ID to a point in G1.

The key differences of PBE from IBE are step 4 in Extract and step 3 in Encrypt. PBE computes a mask c, which enables the anonymous user to blind his pseudonym and then decrypt the ciphertext.

There is no concept of a PKG in PBE, where each anonymous user can create their own anonymous communication group. We call the organizer of an anonymous group the anonymous group leader. His duties are:

1. admit anonymous group members via a traditional admission-control mechanism, and

2. generate certificates for the anonymous group participants.

Page 23

Our Solutions

Math basics
Pseudonym-based encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

Page 24

Zero-round Key Exchange

Bob
Pseudonym_Bob = (QB, cB) where QB = [b2 b1]P and cB = ê(QB, [b2^-1 - 1]Q0)
Private key: [s b1]P, b1, b2

John
Pseudonym_John = (QJ, cJ) where QJ = [j1 j2]P and cJ = ê(QJ, [j2^-1 - 1]Q0)
Private key: [s j1]P, j1, j2

Bob broadcasts Pseudonym_Bob = (QB, cB); John broadcasts Pseudonym_John = (QJ, cJ)

Bob computes (ê(QJ, Q0) · cJ)^b1
  = ê([j1]P, Q0)^b1
  = ê(P, Q0)^(b1 j1)

John computes (ê(QB, Q0) · cB)^j1
  = ê([b1]P, Q0)^j1
  = ê(P, Q0)^(j1 b1)

Shared secret: ê(P, Q0)^(b1 j1)

Page 25

Our Solutions

Math basics
Pseudonym-based encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

Page 26

Blind Certificate Scheme

Our scheme is based on the BLS short signature scheme by Boneh et al. (Asiacrypt 2001) and the blind signature scheme by Boldyreva (PKC 2003).

The blind certificate scheme includes four steps: KeyGen, Sign, Recover, and Verify:

Page 27

Our Solutions

Math basics
Pseudonym-based encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation schemes

Page 28

Pseudonym Revocation

Anonymous service revocation, where s_i can be used to identify an anonymous service, e.g., the anonymous file downloading service. To revoke service i, the organizer can simply publish new system parameters with {Q0[k], k = 1, …, n} \ Q0[i].

Pseudonym revocation
Use a revocation list, i.e., a list of revoked pseudonyms. Since a pseudonym can be uniquely identified by PD_A · cA = ê(P, Q0)^kA, the organizer can simply list the value ê(P, Q0)^kA in the revocation list.

Bob
Pseudonym_Bob = (QB, cB) where QB = [b2 b1]P and cB = ê(QB, [b2^-1 - 1]Q0)
Private key: [s b1]P, b1, b2
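The zero-round key exchange (page 24), the four blind-certificate steps (page 26) and the revocation list on this page, worked together in one added Python example that is not the author's code. A real pairing is out of scope here, so the example models G1 by scalars modulo a prime q (a point [a]P is stored as its log a, which on a real curve nobody can read off the point) and ê([a]P, [b]P) as g^(ab) in an order-q subgroup of Z_p^*; that map is bilinear by construction, so the code checks only that the exponents cancel the way the slides claim. The toy parameters q = 1019, p = 2039, g = 4, the scalars used in the run, the assumption that the blind certificate signs the pseudonym component QA, and all function names are this example's own.

```python
"""Integer toy model of the pairing algebra behind the zero-round key exchange,
the blind certificate and the revocation list (added example, constructed parameters)."""
import hashlib
import secrets

# Constructed toy parameters: q and p = 2q + 1 are prime; G_T = 4 is a square mod p,
# so it generates the order-q subgroup of Z_p^*.  G1 is modelled by scalars mod q
# (a point [a]P is stored as a) and e([a]P, [b]P) = G_T^(a b) in that subgroup.
Q_ORD = 1019                 # order of P, written delta_P on the slides
P_MOD = 2 * Q_ORD + 1        # 2039
G_T = 4

class Point:
    """[a]P in G1, represented by its discrete log a; protocol parties never read it."""
    def __init__(self, log):
        self.log = log % Q_ORD
    def __eq__(self, other):
        return isinstance(other, Point) and self.log == other.log
    def __hash__(self):
        return hash(self.log)

P = Point(1)

def mul(k, A):               # [k]A
    return Point(k * A.log)

def pair(A, B):              # e(A, B) = e(P, P)^(a b): bilinear by construction
    return pow(G_T, (A.log * B.log) % Q_ORD, P_MOD)

def inv(x):                  # x^-1 mod q
    return pow(x, -1, Q_ORD)

def rand_scalar():
    return secrets.randbelow(Q_ORD - 1) + 1

def hash_to_point(msg):      # toy H: {0,1}* -> G1 \ {O}
    return Point(1 + int.from_bytes(hashlib.sha256(msg).digest(), "big") % (Q_ORD - 1))

def encode(A):               # toy serialisation of a point, used as the signed message
    return str(A.log).encode()

# Organizer setup (page 18): private s, public Q0 = [s]P.
def setup(s=None):
    s = s or rand_scalar()
    return s, mul(s, P)

# Self-generated pseudonym (page 18): QA = [a2 a1]P, cA = e(QA, [a2^-1 - 1]Q0).
def make_pseudonym(Q0, a1=None, a2=None):
    a1, a2 = a1 or rand_scalar(), a2 or rand_scalar()
    QA = mul(a2 * a1, P)
    cA = pair(QA, mul(inv(a2) - 1, Q0))
    return (QA, cA), (a1, a2)

def pseudonym_tag(Q0, pseudonym):
    """e(QA, Q0) * cA: the a2 terms cancel, leaving e([a1]P, Q0) = e(P, Q0)^a1, the
    slide's PD_A * c_A.  Anyone holding the broadcast pseudonym and Q0 can compute it."""
    QA, cA = pseudonym
    return pair(QA, Q0) * cA % P_MOD

# Zero-round key exchange (page 24): (e(Q_peer, Q0) * c_peer)^a1 = e(P, Q0)^(a1 a1_peer).
def shared_secret(Q0, my_a1, peer_pseudonym):
    return pow(pseudonym_tag(Q0, peer_pseudonym), my_a1, P_MOD)

# Blind certificate: Boldyreva-style blind BLS over the pseudonym's QA (page 26 names
# the building blocks; signing QA specifically is this example's assumption).
def cert_keygen(x=None):                    # KeyGen: organizer's signing key x, public [x]P
    x = x or rand_scalar()
    return x, mul(x, P)

def cert_blind(QA, r=None):                 # user: hide H(QA) behind a random factor r
    r = r or rand_scalar()
    return r, mul(r, hash_to_point(encode(QA)))

def cert_sign(x, blinded):                  # Sign: organizer signs without learning QA
    return mul(x, blinded)

def cert_recover(r, blind_sig):             # Recover: [r^-1][x r]H(QA) = [x]H(QA)
    return mul(inv(r), blind_sig)

def cert_verify(pub, QA, sig):              # Verify: e(sig, P) == e(H(QA), [x]P)
    return pair(sig, P) == pair(hash_to_point(encode(QA)), pub)

# Revocation list (page 28): the organizer lists e(P, Q0)^a1; any peer recomputes the tag.
def is_revoked(revocation_list, Q0, pseudonym):
    return pseudonym_tag(Q0, pseudonym) in revocation_list

if __name__ == "__main__":
    # Constructed scalars so the run is reproducible.
    s, Q0 = setup(17)
    bob, (b1, b2) = make_pseudonym(Q0, 5, 9)
    john, (j1, j2) = make_pseudonym(Q0, 23, 31)
    print("shared secrets agree:", shared_secret(Q0, b1, john) == shared_secret(Q0, j1, bob))
    x, pub = cert_keygen(41)
    r, blinded = cert_blind(bob[0])
    print("blind certificate verifies:", cert_verify(pub, bob[0], cert_recover(r, cert_sign(x, blinded))))
    revoked = {pseudonym_tag(Q0, bob)}
    print("Bob revoked:", is_revoked(revoked, Q0, bob), "John revoked:", is_revoked(revoked, Q0, john))
```

Two things the run makes visible. Bob derives the shared key from Q0 and John's broadcast pseudonym alone, so no message from John beyond the broadcast is needed, which is what "zero-round" means. And the tag ê(P, Q0)^a1 depends only on a1, so a pseudonym re-randomised with a fresh a2 still matches its entry in the revocation list; that is what makes the list effective, and it is also why peers can link the old and new pseudonyms, the traceability the last slide lists as future work.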

Page 29

Outline

Overview of Identity, Pseudonymity, and Anonymity
Anonymous Communication Systems
An identity-based cryptographic solution for anonymous communications
Future Research Directions

Page 30

Future Research Directions

Multiple non-identifiable pseudonyms map to the same private key by using the same set of system parameters.

A certificate can be used for multiple pseudonyms.

The changes of pseudonyms are traceable by the communication peers.

More!

Page 31

Thank You!