Computer Science and Engineering, ASU
Anonymous Communications: An Identity-Based Solution
Dijiang Huang
Identity-Pseudonym-Anonymity 2
Outline
Overview of Anonymous Communication Systems
Overview of Identity, Pseudonymity, and Anonymity
An identity-based cryptographic solution for anonymous communications
Future Research Directions

Anonymous Communications
Anonymous communication services
o Identity anonymity: receiver anonymity, sender anonymity, and both ends anonymity
o Routing anonymity: route anonymity
o Confidentiality: data anonymity
Existing solutions for both Internet and wireless anonymous services
o Use proxies (client-proxy-server networking architecture, e.g., Anonymizer©)
o Source rewriting (e.g., Mixes type of solutions)
  - Change the source field of received messages
  - Chaining (includes route exploration and anonymous data delivery)
o Dummy traffic against traffic analysis
How to set up initial trust? (In wireless environment)
o Assumption 1: the source node knows whom the packet is sent to. But how?
o Assumption 2: a shared key is used to open a trapdoor function in order to identify the recipient. How to set up the shared key?
o The above assumptions are weak. The question is how to distribute credentials in a natural way.
[Figure labels: Anonymity, Accountability; Identity, Pseudonym, Public key, Credentials; proxy, request, reply, Black Box]

What is “identity”?
Defined at www.dictionary.com
1. The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
2. The set of behavioral or personal characteristics by which an individual is recognizable as a member of a group.
3. The quality or condition of being the same as something else.
4. The distinct personality of an individual regarded as a persisting entity; individuality.
Identity can be explained as an exclusive³,⁴ perception¹ of life, integration into a social group², and continuity⁴, which is bound to a body²,⁴ and shaped by society. -- by Andreas Pfitzmann and Marit Hansen
Identity describes a state of being identifiable.

Anonymity
Anonymity is the state of being not identifiable within a set of subjects, the anonymity set.
o “not identifiable within” means “not uniquely characterized within”.
o The anonymity set is the set of all possible subjects. I.e., the set of possible subjects depends on the knowledge of the attacker. Thus, anonymity is relative with respect to the attacker.

Pseudonym
Pseudonyms are identifiers of subjects, in our setting of sender and recipient. The subject which the pseudonym refers to is the holder of the pseudonym.
o We prefer the term “holder” over “owner” of a pseudonym because it seems to make no sense to “own” pseudonyms, e.g., bit strings.
o The holdership must be provable, e.g., via a trusted third party
A digital pseudonym is a bit string which, to be meaningful in a certain context, is unique to represent an identity (at least with very high probability) and suitable to be used to authenticate the holder’s actions relative to his/her digital pseudonym, e.g., to authenticate his/her messages.
Types of pseudonyms
o Public pseudonym, e.g., phone number, email address, mail address
o Initially non-public pseudonym, e.g., a bank account, DNA information
o Unlinked pseudonym: the link between a pseudonym and the identity is only known by the pseudonym holder; and the link should be meaningful, i.e., it must associate with a certain level of interests.

Pseudonym
Classification of pseudonyms
1. Person pseudonym, e.g., links to one or a group of subjects.
2. Role pseudonym, e.g., links to one or a set of functions or abilities.
3. Relation pseudonym, e.g., links to one or several communication sessions.
4. Role-relationship pseudonym, e.g., the combination of 2 and 3.
5. Transaction pseudonym, e.g., links to a particular action.
Pseudonymity <≠> Anonymity
o A pseudonym provides a mechanism to achieve anonymity
o A pseudonym is an effective means to achieve both privacy protection and accountability (and openness).
o Pseudonym-based business models are more attractive than anonymity-based ones.
o Degrees of abuse control are enabled by the use of pseudonyms.
o The user has flexibility in selecting the degree of anonymity for different applications by using pseudonym-enabling techniques.

Anonymity Models
Anonymity with “Big Brother”
o An arbitration mechanism exists to solve disputes, e.g., law enforcement, private key escrow.
Anonymity with “trusted” parties
o The anonymous users trust the corresponding business models
Anonymity with “semi-trusted” parties
Pure anonymity
[Figure speech bubbles, in slide order:]
“I promise that I will not disclose your private information.…”
“?”
“I am not sure if I was spied. hehe”
“Only I know what I am doing.”
“However, if you were not following the regulations, you will be kicked out.”
“Only I know what I am doing and nobody can kick me out.”
“Well, nobody will trust you then!”
[Figure labels: Anonymity, Accountability]

Outline
Overview of Identity, Pseudonymity, and Anonymity
Anonymous Communication Systems
An identity-based cryptographic solution for anonymous communications
o Overview of Identity-based Cryptography
o Our solutions
  - Math basic
  - Pseudonym-based encryption (PBE)
  - Zero-round key exchange
  - Blind certificate
  - Pseudonym revocation
Future Research Directions

Overview of Identity-Based Encryption
ID-based Encryption
o Shamir (Crypto ’84) first proposed; Boneh and Franklin (Crypto ’01) proposed a pairing-based IBE scheme
o Using a user’s identification (a pseudonym) as the public key
o The private key generator (PKG – a trusted third party) is in charge of the private key distribution
o Sample applications: revocation of public keys (such as [email protected] || 2006); delegations (laptop and duties)
The anonymous user can use a pseudonym as his/her ID for anonymous communication (Zhang et al. Infocom 2005)
o Before the anonymous communication
  - The PKG publishes a set of system parameters, params
  - The anonymous user self-generates a pseudonym based on the params
  - The anonymous user registers at the PKG to derive his/her private key and public key certificate (the signature of his ID generated by the PKG)
o During the communication
  - The anonymous user broadcasts his/her ID (a pseudonym) and corresponding certificate
  - Other anonymous users can verify his/her ID by using the params
  - Once verified, the ID can be used as the public key of the anonymous user
o The main drawback: the pseudonym and corresponding private key are not anonymous to the PKG
H([email protected]||2006) → [k]P(G) → [sk]P [s]H([email protected]||3/3/2006) [s]H([email protected]||14:30-50/3/3/2006)

Problem Statements of Using the ID-based Cryptography for Anonymous Communications
The pseudonym and corresponding private key should be only known to the pseudonym holder
o It is desirable that the user can self-generate the pseudonym and corresponding private keys by using the publicly known params
The pseudonym also serves as partial credential for accountability
o The organizer blindly generates the certificate for the pseudonym
o Based on announced pseudonyms, each pair can self-generate a shared key without key negotiations (zero-round key exchange)
o The organizer can revoke one pseudonym as well as a group of pseudonyms
The research challenges:
o Can we provide an admissible anonymous communication environment? i.e., an organizer controls the admissions to the anonymous communication group.
o Can we prevent the organizer from disclosing the underlying anonymous communications? i.e., the public and private keys and the certificates are all blind to the organizer.

Our Solutions
Math Basic
o Elliptic Curve Cryptography (ECC)
o Pairings and Their Properties
Pseudonym-Based Encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

What is an Algebraic Group <G,> ?
A group is an algebraic system consisting of a set G and an operation such that for all elements a, b and c in G the following conditions must be fulfilled:
• Closure: a b must remain in G
• Associativity: a (b c) = (a b) c
• Neutral Element: a e = e a = a
• Inverse Element: a a' = a' a = e
• Commutativity: a b = b a (Abelian Group)
Examples:
• Addition: <R, +> e = 0 , a' = -a
• Multiplication: <R-{0}, · > e = 1 , $a' = a^{-1}$

Point Iteration – Adding A Point k-1 Times to Itself
[Figure: elliptic curve plot with the points P, P2 and P3 marked]
Point Iteration: $[k]P = P + P + \dots + P$
Elliptic curves can be defined in a finite or Galois field GFp:
$y^2 = x^3 + ax + b \bmod p$
Given Q = [k]P, Is it possible to compute k?
Answer: This is a hard problem known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Pairings and Their Properties
Pairings
Multiplicative mask
The order of P is denoted by $\delta P$. If r is a unit in the multiplicative group and $r^{-1}$ is the inverse, then $k = r(r^{-1}k) \pmod{\delta P}$ for and k . This means that if $k' = r^{-1}k \pmod{\delta P}$, we can recover the desired points $[k]P$ by first computing $Q' = [k']P$ and then $[k]P = [r]Q'$
[Figure labels: Generated by P; One-way mapping]

Our Solutions
Math Basic
Pseudonym-Based Encryption (PBE)
o System setup
o PBE descriptions
o Comparisons of PBE and IBE
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme

System Setup
Organizer
Publishes the system parameters:
System public key: $Q_0 = [s]P$
System private key: $s$
Bob
$\text{Pseudonym}_{\text{Bob}} = (Q_B, c_B)$ where $Q_B = [b_2 b_1]P$ and $c_B = \hat{e}(Q_B, [b_2^{-1} - 1]Q_0)$
Private key: $[s b_1]P$, $b_1$, $b_2$
John
$\text{Pseudonym}_{\text{John}} = (Q_J, c_J)$ where $Q_J = [j_1 j_2]P$ and $c_J = \hat{e}(Q_J, [j_2^{-1} - 1]Q_0)$
Private key: $[s j_1]P$, $j_1$, $j_2$

Pseudonym-Based Encryption
The PBE scheme includes four steps: Setup, Extract, Encryption, and Decryption.
Setup: System parameters params are published

PBE and IBE
In PBE, each anonymous user generates his private key; in IBE, the PKG generates private keys for all anonymous users.
In PBE, there is no mapping function $H_1: \{0,1\}^n \to G_1$, which maps an ID to a point in $G_1$, as used in the IBE scheme.
The key differences between PBE and IBE are step 4 in Extract and step 3 in Encrypt. PBE computes a masker c, which enables the anonymous user to blind his pseudonym and then decrypt the ciphertext.
There is no concept of the PKG in PBE, where each anonymous user can create their own anonymous communication group. We call the anonymous group organizer the anonymous group leader. His duties are:
1. admit the anonymous group members via a traditional admission control mechanism and
2. generate certificates for the anonymous group participants.

Our Solutions
Math Basic
Pseudonym-Based Encryption (PBE)
Zero-round key exchange
Blind certificate scheme
Pseudonym revocation scheme
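
Zero-round Key Exchange
Bob
$\text{Pseudonym}_{\text{Bob}} = (Q_B, c_B)$ where $Q_B = [b_2 b_1]P$ and $c_B = \hat{e}(Q_B, [b_2^{-1} - 1]Q_0)$
Private key: $[s b_1]P$, $b_1$, $b_2$
John
$\text{Pseudonym}_{\text{John}} = (Q_J, c_J)$ where $Q_J = [j_1 j_2]P$ and $c_J = \hat{e}(Q_J, [j_2^{-1} - 1]Q_0)$
Private key: $[s j_1]P$, $j_1$, $j_2$
Bob broadcasts $\text{Pseudonym}_{\text{Bob}} = (Q_B, c_B)$
John broadcasts $\text{Pseudonym}_{\text{John}} = (Q_J, c_J)$
Bob computes $(\hat{e}(Q_J, Q_0) \cdot c_J)^{b_1} = \hat{e}([j_1]P, Q_0)^{b_1} = \hat{e}(P, Q_0)^{b_1 j_1}$
John computes $(\hat{e}(Q_B, Q_0) \cdot c_B)^{j_1} = \hat{e}([b_1]P, Q_0)^{j_1} = \hat{e}(P, Q_0)^{j_1 b_1}$
Shared secret: $\hat{e}(P, Q_0)^{b_1 j_1}$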

Blind Certificate Scheme
Our scheme is based on the BLS short signature scheme by Boneh et al. (Asiacrypt 2001) and the blind signature scheme by Boldyreva (PKC 2003).
The blind certificate scheme includes four steps: KeyGen, Sign, Recover, and Verify:

Pseudonym Revocation
Anonymous Service Revocation
where
$s_i$ can be used to identify an anonymous service, e.g., the anonymous file downloading service. To revoke the service i, the organizer can simply publish new system parameters with $\{Q_0[k],\ k = 1, \dots, n\} \setminus Q_0[i]$
Pseudonym Revocation
Use a revocation list, i.e., a list of revoked pseudonyms. Since the pseudonym can be uniquely identified by $\mathrm{PDA} \cdot c_A = \hat{e}(P, Q_0)^{k_A}$, the organizer can simply list the value of $\hat{e}(P, Q_0)^{k_A}$ in the revocation list.
Bob
$\text{Pseudonym}_{\text{Bob}} = (Q_B, c_B)$ where $Q_B = [b_2 b_1]P$ and $c_B = \hat{e}(Q_B, [b_2^{-1} - 1]Q_0)$
Private key: $[s b_1]P$, $b_1$, $b_2$
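
An added example, not from the original slides, that checks the algebra of the zero-round key exchange and of the revocation-list lookup described above. It assumes a toy pairing in which a point [k]P is stored as its scalar k, so it has no security at all; the function names, the parameters p = 2039, q = 1019, g = 4 and the revocation-list format are assumptions of the example.

```python
import secrets

# Toy parameters (constructed, NOT secure): p = 2q + 1 and g = 4 has order q.
P_MOD, Q_ORD, G = 2039, 1019, 4

def pairing(a, b):
    """Toy bilinear map: a G1 point [k]P is stored as the scalar k mod q,
    so e([a]P, [b]P) = g^(a*b). A real pairing never exposes k."""
    return pow(G, (a * b) % Q_ORD, P_MOD)

def rand_scalar():
    return secrets.randbelow(Q_ORD - 1) + 1            # uniform in 1 .. q-1

def make_pseudonym(q0, k1, k2):
    """Self-generated pseudonym (Q, c): Q = [k2*k1]P, c = e(Q, [k2^-1 - 1]Q0)."""
    big_q = (k2 * k1) % Q_ORD
    mask = (pow(k2, -1, Q_ORD) - 1) % Q_ORD            # k2^-1 - 1 mod q
    return big_q, pairing(big_q, (mask * q0) % Q_ORD)

def unblind(q0, pseudonym):
    """e(Q, Q0) * c = e(P, Q0)^k1, computed from public values only."""
    big_q, c = pseudonym
    return (pairing(big_q, q0) * c) % P_MOD

def shared_key(q0, my_k1, peer_pseudonym):
    """Zero-round key: (e(Q_peer, Q0) * c_peer)^my_k1 = e(P, Q0)^(k1 * k1')."""
    return pow(unblind(q0, peer_pseudonym), my_k1, P_MOD)

def is_revoked(q0, pseudonym, revocation_list):
    """Assumed list format: the set of e(P, Q0)^k1 values of revoked holders."""
    return unblind(q0, pseudonym) in revocation_list

if __name__ == "__main__":
    s = rand_scalar()                                  # organizer's private key
    q0 = s                                             # Q0 = [s]P in the toy model
    b1, b2, j1, j2 = (rand_scalar() for _ in range(4))
    bob, john = make_pseudonym(q0, b1, b2), make_pseudonym(q0, j1, j2)
    print("keys agree:", shared_key(q0, b1, john) == shared_key(q0, j1, bob))
    print("Bob revoked:", is_revoked(q0, bob, {unblind(q0, bob)}))
```

The mask c cancels the second secret scalar, so both the shared key and the revocation value depend only on the first scalar of each holder.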

Outline
Overview of Identity, Pseudonymity, and Anonymity
Anonymous Communication Systems
An identity-based cryptographic solution for anonymous communications
Future Research Directions

Future Research Directions
Multiple non-identifiable pseudonyms map to the same private key by using the same set of system parameters.
A certificate can be used for multiple pseudonyms.
The changes of pseudonyms are traceable by the communication peers.
More!
Thank You!