Auditable Privacy:

Post on 13-Feb-2016


Auditable Privacy: On Tamper-Evident Mix Networks

Jong Youl Choi
Dept. of Computer Science
Indiana University at Bloomington
jychoi@cs.indiana.edu

Philippe Golle
Palo Alto Research Center
pgolle@parc.com

Markus Jakobsson
School of Informatics
Indiana University at Bloomington
markus@indiana.edu

Page 2

Mix Networks

• Mixing to make tracing impossible
• Used as a building block to protect privacy or keep something anonymous
• A sequence of mix servers

[Figure labels: Public, Private, Public]

Page 3

What can go wrong in mix-nets

• Random permutation is secret

[Figure labels: Mix-server 1, Mix-server 2, Mix-server 3]

Page 4

Possible Attacks

• Aims to
  – Leak secret permutations
  – Leak private keys
  – Leak any security-critical information
• Although no side channel is allowed, leaking is possible through the public channel
• The information leak is noticeable only to designated accomplices (by using a covert channel)

Page 5

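[Figure: timeline of a mix-server and an observer over the phases key generation, commitment, mixing phase and verification. Labels along the Time axis: Safe, Vulnerable ("Good time to launch an attack"), Safe. Further label: Tamper-evident.]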

Page 6

How to verify – Intuitive idea

• Cut-and-choose: 50% error rate
• Randomized Partial Checking [Jakobsson, Juels, and Rivest] of k batches: 1/2^k error rate

Page 7

Review: Re-encryption mix-nets

• Two operations in a mix server
• El-Gamal re-encryption is homomorphic
  – There exist two integers β and δ s.t. α = β + δ
  – Re-encryption (ReEnc) satisfies
    ReEnc(m, α) = ReEnc(ReEnc(m, β), δ)

[Figure: encrypted messages pass through El-Gamal re-encryption (α1, α2, …, αn) and a permutation (π(1), π(2), …, π(n)), giving re-encrypted and permuted messages]

Page 8

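Homomorphism

• El-Gamal re-encryption
• Permutation

[Figure: encrypted messages to re-encrypted messages; one re-encryption with α equals re-encryption with β followed by δ, where α = β + δ; the same equality is drawn for the permutation]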

Page 9

An example of a covert channel

• Replacing a random number generator

[Figure: a random number generator feeds the El-Gamal re-encryption (α1, α2, …, αn) and the permutation (π(1), π(2), …, π(n)) that turn inputs into outputs]

Page 10

Solution overview

• Data flow

[Figure: key generation and mixing phase; the observer receives the commitment, the witness and the re-encrypted message]

Page 11

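Key generation

• Conditions: αi = βi + δi, π = τ ◦ σ
• Publicize a commitment

[Figure: re-encryption with α1, α2, …, αn and permutation π (π(1), π(2), …, π(n)) drawn against re-encryption with β1, β2, …, βn and permutation σ (σ(1), σ(2), …, σ(n)) followed by re-encryption with δ1, δ2, …, δn and permutation τ (τ(1), τ(2), …, τ(n)); labels: "The same inputs", "The same outputs"]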

Page 12

Mixing phase

• Output re-encrypted messages {A’i} and witnesses {Wi}

[Figure: inputs A1, A2, …, An; re-encryption with α1, α2, …, αn and permutation π give outputs A’1, A’2, …, A’n; re-encryption with β1, β2, …, βn and permutation σ, then δ1, δ2, …, δn and permutation τ, with witnesses W1, W2, …, Wn]

Page 13

Interactive verification

Observer and mix server:
1. Choose either 0 (LEFT) or 1 (RIGHT)
2. Open corresponding values and hashes of the others
3. Verify that there is no variation from the previous commitment

[Figure: inputs A1, A2, …, An; β1, β2, …, βn and permutation σ (σ(1), σ(2), …, σ(n)); witnesses W1, W2, …, Wn; δ1, δ2, …, δn and permutation τ (τ(1), τ(2), …, τ(n)); outputs A’1, A’2, …, A’n]

Page 14

Security improvement #1

• Proof of tamper-freeness
  – Probability of cheating: 1/2
  – Number of commitments κ

Acceptable cheating probability < 1/2^κ

[Figure label: κ proofs]
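The LEFT/RIGHT challenge from the interactive-verification slide, and the 1/2 cheating probability it gives, as an added Python example (not code from the presentation). Assumptions: a toy group, one plain SHA-256 hash per half instead of a Merkle root, and witnesses W taken to be the ciphertexts after the first half (β, σ).

```python
import hashlib, random

# Toy group, constructed for illustration and far too small for real use: P = 2Q + 1, G has order Q.
P, Q, G = 467, 233, 4

def reenc(c, r, y):
    """ElGamal re-encryption of c = (a, b) under public key y with exponent r."""
    return (c[0] * pow(G, r, P) % P, c[1] * pow(y, r, P) % P)

def commit(half):
    """Hash commitment to one half (exponents, permutation); stands in for the Merkle root."""
    return hashlib.sha256(repr(half).encode()).hexdigest()

def keygen(n, rng):
    """Fix all randomness before mixing: alpha_i = beta_i + delta_i, pi = tau o sigma."""
    left = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))   # (beta, sigma)
    right = ([rng.randrange(Q) for _ in range(n)], rng.sample(range(n), n))  # (delta, tau)
    return left, right

def apply_half(msgs, half, y):
    """Permute msgs and re-encrypt each one with that half's exponents."""
    exps, perm = half
    return [reenc(msgs[perm[j]], exps[j], y) for j in range(len(msgs))]

def observe(bit, opened, commitments, A, W, A_out, y):
    """Observer's check: the opened half matches its commitment and reproduces the transcript."""
    src, dst = (A, W) if bit == 0 else (W, A_out)
    return commit(opened) == commitments[bit] and apply_half(src, opened, y) == dst

def demo():
    rng = random.Random(2016)                      # constructed seed, keeps the run repeatable
    y = pow(G, 57, P)                              # constructed key pair, private exponent 57
    A = [reenc((1, m), rng.randrange(Q), y) for m in (4, 16, 64, 256)]  # constructed inputs
    halves = keygen(len(A), rng)
    C = [commit(h) for h in halves]                # published before mixing
    W = apply_half(A, halves[0], y)                # witnesses
    A_out = apply_half(W, halves[1], y)            # published outputs
    honest = [observe(b, halves[b], C, A, W, A_out, y) for b in (0, 1)]
    # Tampered server: the second stage uses exponents other than the committed delta.
    bad = ([(d + 1) % Q for d in halves[1][0]], halves[1][1])
    A_bad = apply_half(W, bad, y)
    caught = [observe(b, halves[b], C, A, W, A_bad, y) for b in (0, 1)]
    return honest, caught

if __name__ == "__main__":
    print(demo())
```

The honest server passes both challenges, while the server that deviates in the second half passes LEFT and fails RIGHT, so one random challenge catches it with probability 1/2.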

Page 15

Security improvement #2

• Undercover observer
  – Challenges are automatically chosen from κ bits of output hash({A’i})
  – Non-interactive proof → stealthy observation
  – It is hard for attackers to find non-interactive observers, hence we call them undercover observers

[Figure labels: Key Generation, Mixing Phase, Commitment, Witness]

Page 16

Conclusion

• A covert channel in mix networks threatens privacy
• New notion of security: tamper-evidence, detecting variations from prescribed commitments
• Stealthy operation of non-interactive observer

Or, send me an email: jychoi@cs.indiana.edu

Page 17

Key generation

• Commitment: Root of a Merkle hash tree

[Figure: Merkle hash tree with root ρ, built with a hash function over leaves that include σ, τ, β1, β2, …, δ1, δ2, …, δn-1, δn]