k-Anonymous Message Transmission - PowerPoint PPT Presentation

About This Presentation
Title:

k-Anonymous Message Transmission

Description:

Adversary cannot identify the sender of a particular message ... Secret Love Letters. Sender and receiver anonymity can be achieved with a trusted third party ... – PowerPoint PPT presentation

Slides: 32
Provided by: aladdi

Transcript and Presenter's Notes

Title: k-Anonymous Message Transmission


1
k-Anonymous Message Transmission
Luis von Ahn, Andrew Bortz, Nick Hopper
The Aladdin Center, Carnegie Mellon University
2
Sender Anonymous Protocol
Adversary cannot identify the sender of a
particular message
3
Sender Anonymous Protocol
Adversary cannot identify the sender of a
particular message
Receiver Anonymous Protocol
Adversary cannot identify the receiver of a
particular message
4
Some Applications
Secret Love Letters
Anonymous Crime Tips
Distribution of Music
5
Sender and receiver anonymity can be achieved
with a trusted third party
6
Sender and receiver anonymity can be achieved
with a trusted third party
7
In This Talk
We will present a scheme for anonymous
communication that is efficient and requires no
trusted third parties
8
The Model
Reliable Communication
The adversary can see all communications in
network
The adversary can own some of the participants
A participant owned by the adversary may act
arbitrarily
9
The Rest of the Talk
DC Nets
Why DC Nets have never been implemented
k-Anonymity
An efficient scheme
10
DC Nets Key Idea
Divide time into small steps
At step $t$, party $i$ wants to send message $M_i \in \mathbb{Z}_m$
If party $j$ doesn't want to send a message at step
$t$, they must send $M_j = 0$
11
DC Nets Key Idea
Divide time into small steps
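At step $t$, party $i$ wants to send message $M_i \in \mathbb{Z}_m$
If party $j$ doesn't want to send a message at step
$t$, they must send $M_j = 0$
Each party $i$ splits $M_i$ into $n$ random shares
$M_i = s_{i,1} + s_{i,2} + \cdots + s_{i,n-1} + \underbrace{\bigl(M_i - (s_{i,1} + \cdots + s_{i,n-1})\bigr)}_{s_{i,n}}$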
12
DC Nets Key Idea
Each party distributes their $n$ shares
[Figure: party $i$ sends shares $s_{i,1}, s_{i,2}, s_{i,3}, \ldots, s_{i,n}$ to the other parties]
13
DC Nets Key Idea
All parties add up every share that they have
received and broadcast the result (let $B_i$ denote
party $i$'s broadcast)
$B_i = s_{1,i} + s_{2,i} + \cdots + s_{n,i}$
14
DC Nets Key Idea
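All parties add up every share that they have
received and broadcast the result (let $B_i$ denote
party $i$'s broadcast)
$M_i = s_{i,1} + s_{i,2} + \cdots + s_{i,n-1} + s_{i,n}$
$B_i = s_{1,i} + s_{2,i} + \cdots + s_{n,i}$
$B_1 + B_2 + \cdots + B_n = M_1 + M_2 + \cdots + M_n$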
15
DC Nets Key Idea
If only one of the $M_i$ is nonzero, then
$B_1 + B_2 + \cdots + B_n = M_i$
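The share-and-broadcast round from the preceding slides, as an added Python example that is not part of the original presentation. The modulus value and the function names are assumptions made for the demo; the second call shows what the channel carries when two parties transmit in the same step.

```python
import secrets

M = 2**16  # modulus m: messages and shares live in Z_m (value assumed for the demo)

def split(message, n):
    """Split message into n additive shares that sum to message mod M."""
    shares = [secrets.randbelow(M) for _ in range(n - 1)]
    # s_{i,n} = M_i - (s_{i,1} + ... + s_{i,n-1})
    shares.append((message - sum(shares)) % M)
    return shares

def dc_net_round(messages):
    """Run one time step; messages[i] is M_i (0 means party i stays silent)."""
    n = len(messages)
    # shares[i][j] = s_{i,j}: the share party i sends to party j
    shares = [split(m, n) for m in messages]
    # B_j = s_{1,j} + ... + s_{n,j}: each party sums what it received and broadcasts
    broadcasts = [sum(shares[i][j] for i in range(n)) % M for j in range(n)]
    # Everyone adds the broadcasts: B_1 + ... + B_n = M_1 + ... + M_n
    return broadcasts, sum(broadcasts) % M

def demo():
    # Constructed inputs: 5 parties, only party 2 transmits.
    _, one_sender = dc_net_round([0, 0, 0x1234, 0, 0])
    # Two senders in the same step collide: the channel carries the sum of both.
    _, collision = dc_net_round([0, 0x1234, 0, 0x0101, 0])
    return one_sender, collision

if __name__ == "__main__":
    print([hex(v) for v in demo()])
```

Each individual broadcast is uniformly random on its own; only the sum of all broadcasts carries information.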
16
DC Nets Problems
It is very easy for the adversary to jam the
channel!
Communication complexity is $O(n^2)$
17
Full Anonymity Versus k-Anonymity
We will relax the requirement that the adversary
learns nothing about the origin of a given
message
We will accept k-anonymity, in which the
adversary can only narrow down his search to k
participants
18
The Rest of the Talk
DC Nets
Why DC Nets have never been implemented
k-Anonymity
An efficient scheme
19
k-anonymous message transmission (k-AMT)
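  • Idea: Divide $N$ parties into small DC-Nets of
    size $O(k)$. Encode $M_t$ as (group, msg) pair

[Figure: a group of four parties $P_1, \ldots, P_4$; $P_1$ sends shares $s_{1,2}, s_{1,3}, s_{1,4}$ to the others, where $s_{1,1} + s_{1,2} + s_{1,3} + s_{1,4} = (G_t, M_t)$]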
20
How to compromise k-anonymity
  • If everyone follows the protocol, it's impossible
    to compromise the anonymity guarantee.
  • So instead, don't follow the protocol: if Alice
    can never send anonymously, she will have to
    communicate using onymous means.

21
How to break k-AMT (I)
  • Don't follow the protocol: after receiving
    shares $s_{1,i}, \ldots, s_{k,i}$, instead of broadcasting $s_i$,
    generate a random value $r$ and broadcast that
    instead.
  • This will randomize the result of the DC-Net
    protocol, preventing Alice from transmitting.

22
Stopping the randomizing attack
  • Solution: Use Verifiable Secret Sharing. Every
    player in the group announces (by broadcast) a
    commitment to all of the shares of her input.
  • These commitments allow verification of her
    subsequent actions.

23
k-anonymous message transmission (k-AMT) with VSS
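  • Before starting, each player commits to $s_{i,1}, \ldots,
    s_{i,k}$ via Pedersen commitment $C(s,r) = g^s h^r$

$s_{1,1} + s_{1,2} + s_{1,3} + s_{1,4} = x_1 = (G_i, M_i)$
[Figure: $P_1$ broadcasts its commitment $C_1$ to the other three parties]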
24
k-anonymous message transmission (k-AMT) with VSS
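  • Before starting, each player commits to $s_{i,1}, \ldots,
    s_{i,k}$ via Pedersen commitment $C(s,r) = g^s h^r$

$s_{1,1} + s_{1,2} + s_{1,3} + s_{1,4} = x_1 = (G_i, M_i)$
[Figure: parties $P_1, \ldots, P_4$ exchanging commitments $C_2$, $C_3$, $C_4$]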
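One way the published commitments can be used to check each broadcast, as an added Python example that is not from the presentation: Pedersen commitments multiply homomorphically, so the product of the commitments to the shares a party received must open to the sum that party broadcasts. The slides do not spell out this check; the toy group parameters, the function names and the extra broadcast of the summed blinding values are assumptions.

```python
import secrets

# Toy group parameters, constructed for this example (far too small for real use):
# P = 2Q + 1 with P, Q prime; G and H generate the order-Q subgroup of Z_P^*.
# Assumption: nobody knows log_G(H); in practice H must be derived so that holds.
P, Q, G, H = 2039, 1019, 4, 9

def commit(s, r):
    """Pedersen commitment C(s, r) = g^s * h^r mod p."""
    return pow(G, s, P) * pow(H, r, P) % P

def deal(x, k):
    """Split x into k additive shares mod Q, with blinding values and commitments."""
    s = [secrets.randbelow(Q) for _ in range(k - 1)]
    s.append((x - sum(s)) % Q)
    r = [secrets.randbelow(Q) for _ in range(k)]
    return s, r, [commit(a, b) for a, b in zip(s, r)]

def broadcast_ok(j, commitments, b_j, r_j):
    """Verify party j's broadcast: prod_i C(s_{i,j}, r_{i,j}) must equal C(B_j, R_j)."""
    expected = 1
    for c in commitments:          # c[j] is party i's commitment to s_{i,j}
        expected = expected * c[j] % P
    return expected == commit(b_j, r_j)

def run_round(inputs, jammer=None):
    """Return (channel value, parties whose broadcast failed verification)."""
    k = len(inputs)
    dealt = [deal(x, k) for x in inputs]
    commitments = [d[2] for d in dealt]
    total, flagged = 0, []
    for j in range(k):
        b_j = sum(d[0][j] for d in dealt) % Q
        r_j = sum(d[1][j] for d in dealt) % Q
        if j == jammer:            # misbehaving party shifts its sum by a nonzero offset
            b_j = (b_j + 1 + secrets.randbelow(Q - 1)) % Q
        if not broadcast_ok(j, commitments, b_j, r_j):
            flagged.append(j)
        total = (total + b_j) % Q
    return total, flagged

if __name__ == "__main__":
    print(run_round([0, 777, 0, 0]))            # honest group
    print(run_round([0, 777, 0, 0], jammer=2))  # party 2 broadcasts a wrong sum
```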
25
How to break k-AMT (II)
  • The multiparty sum protocol gives k participants
    a single shared channel: at most one person can
    successfully transmit each turn.
  • So: transmit every turn! VSS still perfectly
    hides the value of each input; no one will know
    who is hogging the line.

26
Accommodating more than one sender per turn
  • Idea: we can run several turns in parallel.
    Instead of sending commitments to shares of a
    single value, generate shares of 2k values.
  • If Alice picks a random turn to transmit in,
    she should have probability at least ½ of
    successfully transmitting.

27
Accommodating more than one sender per turn
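  • Before starting, each player picks slot $s$, sets
    $x_{i,s} = (G_t, M_t)$ and every other $x_{i,1}, \ldots, x_{i,2k}$ to $0$, and chooses
    $s_{i,j,m}$ so that $\sum_m s_{i,j,m} = x_{i,j}$

[Figure: $P_1$ sends commitments $C_{1,1..2k}$ to $P_2$, $P_3$ and $P_4$]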
28
Accommodating more than one sender per turn
  • Suppose at the end of the protocol, at least k of
    the 2k parallel turns were empty (zero). Then
    Alice should be happy: she had probability ½ to
    transmit.
  • If not, somebody has cheated and used at least 2
    turns. How do we catch the cheater?

29
Catching a cheater
  • Idea: each party can use her committed values to
    prove (in zero knowledge) that she transmitted in
    at most one slot, without revealing that slot.
  • If someone did cheat, she will have a very low
    probability of convincing the group she did not.

30
Zero-Knowledge proof of protocol conformance
  • $P_i \to$ (All):
  • Pick permutation $\pi$ on $\{1, \ldots, 2k\}$
  • Send $C(x') = C(x_{\pi(0)}, r_0), \ldots, C(x_{\pi(2k)}, r_{2k})$
  • (All) $\to P_i$: $b \in \{0,1\}$
  • $P_i \to$ (All):
  • if $b = 0$: open $2k-1$ zero values
  • else: reveal $\pi$, prove (in ZK) $x' = \pi(x)$

31
Efficiency
  • $O(k^2)$ protocol messages to transmit $O(k)$
    anonymous messages, i.e. $O(k)$ message overhead
  • Cheaters are caught with high probability
  • Zero Knowledge proofs are Honest Verifier and can
    be done non-interactively in the Random Oracle
    Model, or interactively via an extra round
    (commit to verifier coins)