Universal Re-encryption: For Mix-Nets and Other Applications (to appear CT-RSA ’04) Paul Syverson

Universal Re-encryption:
For Mix-Nets and Other Applications
(to appear CT-RSA ’04)
Philippe Golle
Stanford
(now at PARC)
Markus Jakobsson Ari Juels
RSA Labs
UMBC Protocol Meeting 10/01/03
Paul Syverson
NRL
Extra Acknowledgements
• Most Mix illustrations cribbed from a talk by Ari Juels
• Some RFID slides cribbed from Markus Jakobsson’s ACM WiSe’03 talk
• See their Web pages for originals
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
What does a mix network do?
[Figure: message 1, message 2, message 3, message 4 enter a "Mix network" box and leave in a different order]
Randomly permutes and decrypts inputs
[Figure: the same box; a "?" asks which output corresponds to message 2]
Key property: Adversary can’t tell which ciphertext corresponds to a given message
Example application: Anonymizing bulletin board or e-mail
[Figure: the posts "Nobody loves Bob", "I love Alice" and "I love Charlie" appear on the board; the reader asks: is it Bob, Charlie, self-love, or other?]
A look under the hood
Basic Mix (Chaum ‘81)
[Figure: three mix servers in sequence, Server 1 with public key PK1, Server 2 with PK2, Server 3 with PK3]
Encryption of Message
[Figure: the message wrapped in three encryption layers, PK3 innermost, then PK2, then PK1 outermost]
Ciphertext = E_PK1[E_PK2[E_PK3[message]]]
Basic Chaumian Mix
[Figure: m1, m2, m3 enter Server 1; each server strips one layer ("decrypt and permute") and forwards the shuffled batch to the next, so the output order is unrelated to the input order]
Basic Chaumian Mix
Observe: As long as one server is honest, privacy is preserved
[Figure: the same three-server decrypt-and-permute chain as above]
Basic Chaumian Mix
[Figure: Server 1, Server 2, Server 3; a "?" asks which input the output m3 came from]
What if one server fails?
[Figure: Server 2 is unavailable, and its secret key SK2 with it]
• Previous solution ideas:
  • Robustness: Share key among other mixes; Twinning; Splitting
  • Reliability: Track and use reputable mixes
What if one server fails?
[Figure: Server 2 crossed out, SK2 gone with it]
• New Idea: Mixing without keys
  • No need to depend on any server (recovery mechanism)
  • No need to trust servers to protect keys
  • No need for PKI
A look further under the hood
Basic Re-encryption Mixnet
• Inputs are ciphertexts
• Outputs are a re-encryption of the inputs.
• ElGamal public key encryption:
– Anyone can encrypt with the public key e
– Those who know the secret key d can also decrypt
– Malleable: can produce E2(m) from E1(m) without knowing d
– Verifiable
– Multiplicative homomorphism: given E(m) and E(m’) I can
produce E(mm’)
Universal Re-encryption Mixnet
• Inputs are ciphertexts
• Outputs are a re-encryption of the inputs.
• ElGamal public key encryption:
– Anyone can re-encrypt without the public key e
– Those who know the secret key d can also decrypt
– Messages encrypted with different keys are indistinguishable
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
Randomized Public-Key Cryptosystem
• (PK, SK) ← KG : generate key pair
• C ← E(m, r, PK) : encryption of m with randomness r
• m ← D(SK, C) : decryption of C
Semantic Security
• Adversary chooses (m0, m1)
• Messages are encrypted, (C0, C1) = (E(m0, r0, PK), E(m1, r1, PK)), and randomly permuted
• If the adversary determines the order correctly no better than by guessing (within ε), the system is semantically secure
Re-encryption
• Given: a randomized public-key cryptosystem with ciphertexts of the form C = E(m, r, PK)
• C’ ← Re(C, r’, PK) : re-encryption of m under fresh randomness r’
Semantic Security under Re-encryption
• Adversary chooses (C0, C1)
• Messages are re-encrypted, (C0’, C1’) = (Re(C0, r0’, PK), Re(C1, r1’, PK)), and randomly permuted
• If the adversary gets the order correct no better than by guessing (within ε), the system is semantically secure under re-encryption
Key-Privacy (Anonymity)
• Adversary chooses message m
• m is encrypted under PK0 and PK1: C0 = E(m, PK0), C1 = E(m, PK1)
• If the adversary guesses the correspondence of ciphertext to public key with only negligible advantage, the scheme satisfies key-privacy
• Bellare et al. (ASIACRYPT’01) showed ElGamal provides anonymity under chosen-plaintext attack assuming DDH.
Universal Re-encryption
• Given: a randomized public-key cryptosystem with ciphertexts of the form C = E(m, r, PK)
• C’ ← URe(C, r’) : universal re-encryption of m; takes no public key (PK is struck out in the slide)
Universal Semantic Security under Re-encryption
• Combines semantic security and key-privacy
• Given PK0 and PK1, adversary chooses (m0, m1, r0, r1) to produce (C0, C1)
• Messages are universally re-encrypted: (C0’, C1’) = (URe(C0, r0’), URe(C1, r1’))
• Ciphertexts are randomly ordered: (Cb’, C1-b’)
• If the adversary gets the order correct no better than by guessing (within ε), the system is universally semantically secure under re-encryption
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• ElGamal based Universal Re-encryption
• Applications: Bulletin Board, RFID Privacy
• Security Arguments
ElGamal Encryption
• P, Q are prime, P = 2Q + 1
• G_Q subgroup of Z_P^* of order Q
• g generator of G_Q
• x ∈ Z_Q is the private key
• y = g^x mod P is the public key
• E(m) = (g^r, m y^r) where m ∈ G_Q and r ∈ Z_Q, r random
• D(G, M) = M / G^x = m y^r / g^{xr} = m
ElGamal with Re-encryption
• Ciphertext (G, M)
• Re-encryption (G’, M’) = (G g^{r’}, M y^{r’})
• Needs public key y but not private key x
• D(G’, M’) = M’ / G’^x = m y^{r+r’} / g^{x(r+r’)} = m
• Introduced for voting
• Much work on efficient provable shuffles
Universal Re-encryption
• (a, b) = (E[m]; E[1]), E is ElGamal encryption
• (a’, b’) = (R[b, k]·a; R[b, k’])
• R[*, k] is re-encryption with random k: raise both components of b to the power k (and multiply componentwise into a)
• Writing pairs as (M, G), with E[m] = (m y^r, g^r) and E[1] = (y^{r’}, g^{r’}):
  (E[m]’, E[1]’) = [(m y^r y^{k r’}, g^r g^{k r’}), (y^{r’ k’}, g^{r’ k’})]
• D(E[m]’) = M’ / G’^x = m y^{r + k r’} / g^{x(r + k r’)} = m
Symmetric-hybrid Encryption
• U[k1], U[1], e[k1, m]
• U[1] is a universal blank: can be converted to U[m_i], can be reused
• e[k1, m] is symmetric encryption of m under key k1
• Final message: U[k1], U[k2], …, U[kn], e[kn, e[kn-1, … e[k1, m] …]]
• Can also do an asymmetric hybrid
Talk Outline
• Background and Motivation for mixes and universal re-encryption
• Definitions, Security Properties
• Implementation using ElGamal
• Applications: Low Volume Bulletin Board, RFID Privacy
• Security Arguments
Universal Mixnet (Bulletin Board)
• Senders post messages universally encrypted for recipients
• Proof of Knowledge if non-malleability desired
• Any server can download, mix, and repost any or all messages
• Servers can be dynamic
• Shuffle proof if desired
• No PKI and less trust of each server
• No robustness/reliability issues with server failure
• No overhead or threats from replay (universal semantic security)
Low Volume Bulletin Board
• Suppose a bulletin board as above
• Can mix with previous messages on board
• Advantage: less delay retrieving new posts
• Advantage: no need to detect replay (sort of)
• Disadvantage: must try decrypting all messages to find the ones for you
• Mitigate growth with message removal after PoK?
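The ElGamal universal re-encryption of the earlier slide (the (E[m]; E[1]) pair, keyless re-encryption, decryption) together with the "try decrypting all messages" step of the bulletin board above, worked through in Python as an added example; this is not code from the paper or its authors. It generates a toy safe prime P = 2Q + 1 with a Miller-Rabin test, encodes messages into G_Q by squaring, and shows a server that holds no key re-encrypting and shuffling posts addressed to two different public keys, while each reader picks out its own posts because the E[1] half decrypts to 1 only under the right key. The group size, the two readers and their post values (17, 42, 99) are constructed for the demo.

```python
"""ElGamal universal re-encryption (URE) and a keyless bulletin-board mix.
Added illustration of the construction on the slides, not code from the paper
or its authors; group parameters are generated fresh at toy size."""
import secrets
from dataclasses import dataclass

def is_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test, with a little trial division first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

@dataclass(frozen=True)
class Group:
    """G_Q: the order-Q subgroup (quadratic residues) of Z_P^*, P = 2Q + 1."""
    P: int
    Q: int
    g: int  # generator of G_Q

    @classmethod
    def generate(cls, bits: int = 64) -> "Group":
        # Toy size so the demo runs in milliseconds; a deployment needs a safe
        # prime of 2048+ bits (or an elliptic-curve group) instead.
        while True:
            Q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_prime(Q) and is_prime(2 * Q + 1):
                return cls(2 * Q + 1, Q, 4)  # 4 = 2^2 is a residue != 1, so it generates G_Q

    def rand_exp(self) -> int:
        """Nonzero exponent in Z_Q (zero would give E[1] = (1, 1) and break re-encryption)."""
        return secrets.randbelow(self.Q - 1) + 1

    def encode(self, m: int) -> int:
        """m in [1, Q] -> G_Q by squaring; injective since only one of m, P-m is <= Q."""
        assert 1 <= m <= self.Q, "message out of range"
        return m * m % self.P

    def decode(self, c: int) -> int:
        s = pow(c, (self.P + 1) // 4, self.P)  # square root mod P, valid as P = 3 (mod 4)
        return s if s <= self.Q else self.P - s

def keygen(G: Group):
    x = G.rand_exp()                     # private key x in Z_Q
    return x, pow(G.g, x, G.P)           # public key y = g^x mod P

def elgamal_enc(G: Group, y: int, m: int):
    r = G.rand_exp()
    return (m * pow(y, r, G.P) % G.P, pow(G.g, r, G.P))  # (M, G) = (m y^r, g^r)

def elgamal_dec(G: Group, x: int, ct):
    M, Gr = ct
    return M * pow(Gr, G.Q - x, G.P) % G.P  # M / G^x; Gr^(Q-x) = Gr^(-x) in G_Q

def ure_enc(G: Group, y: int, m: int):
    """Universal ciphertext (E[m]; E[1]); the E[1] half is what allows keyless re-encryption."""
    return (elgamal_enc(G, y, G.encode(m)), elgamal_enc(G, y, 1))

def ure_reenc(G: Group, ct):
    """Re-encrypt with NO public key: fold a random power of E[1] into E[m], re-randomise E[1]."""
    (a0, b0), (a1, b1) = ct
    k, k2 = G.rand_exp(), G.rand_exp()
    return ((a0 * pow(a1, k, G.P) % G.P, b0 * pow(b1, k, G.P) % G.P),
            (pow(a1, k2, G.P), pow(b1, k2, G.P)))

def ure_dec(G: Group, x: int, ct):
    """The message if ct is addressed to x (its E[1] half decrypts to 1), else None.
    This is the 'try decrypting every post' step a bulletin-board reader performs."""
    e_m, e_1 = ct
    if elgamal_dec(G, x, e_1) != 1:
        return None
    return G.decode(elgamal_dec(G, x, e_m))

def mix(G: Group, board):
    """One mix server: holds no key, just re-encrypts every post and shuffles."""
    out = [ure_reenc(G, c) for c in board]
    secrets.SystemRandom().shuffle(out)
    return out

def bulletin_board_demo(G: Group, n_servers: int = 3):
    """Constructed demo: posts for two readers pass through n keyless servers; each reader scans."""
    x_a, y_a = keygen(G)
    x_b, y_b = keygen(G)
    board = [ure_enc(G, y_a, 17), ure_enc(G, y_b, 42), ure_enc(G, y_a, 99)]
    for _ in range(n_servers):
        board = mix(G, board)
    found = lambda x: sorted(m for m in (ure_dec(G, x, c) for c in board) if m is not None)
    return found(x_a), found(x_b)
```

Two practitioner caveats the code makes explicit: the E[1] half must be encrypted with nonzero randomness (otherwise it is (1, 1), re-encryption no longer randomises E[m], and every key "recognises" the post), and the reader's cost grows with the whole board, which is the disadvantage listed above. The posts also remain malleable, which is why the slides mention a proof of knowledge when non-malleability is needed.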
RFID Tags
• EZ Pass automated toll payment
• Supermarket shipment tracking, stock
monitoring, theft prevention
• Consumer stock monitoring, ordering
• Consumer theft-protection of belongings
• Implants in family pets
• Monitoring cash flows (500 Euro notes)
Privacy Problems
[Figure: a passer-by's RFID tags read out by a hidden reader: wig (model #4456, cheap polyester); pack of cigarettes (fourth pack this week); Das Kapital (paid with Amex card 345882299); 500 Euros in wallet; 30 items of lingerie; serial numbers 597387, 389473, …]
Privacy Solutions?
Method 1: “Kill” RFID tags
Problem: RFID tags are much too useful…
Privacy Solutions?
Method 2: “Put to sleep” RFID tags
Problems:
• No continuous use
• Complexity, key management, trust
Privacy Solution: Blocker Tags (Juels, Rivest & Szydlo)
[Figure: the blocker simulates all (billions of) possible tag serial numbers, so the reader sees "1, 2, 3, …, 2023 pairs of sneakers and…" and reading fails]
Universal Re-encryption for RFID Tag Privacy (Example)
• Alice at supermarket checkout.
• Uses PK_Alice from her fidelity card.
• Cashier creates universal ciphertexts on Alice’s purchase IDs.
• As Alice walks home, the readers she passes re-encrypt her tags, or she does it herself.
• Alice enters home; tags are decrypted for home use.
Security of ElGamal based BB
• Correctness: can do shuffle proofs of correct mixing
• Communication privacy: if the universal cryptosystem is universally semantically secure, then the bulletin board construction provides communication privacy.
• For the ElGamal implementation, communication privacy reduces to DDH.
Conclusions
• Universal Re-encryption: New primitive
• Proven Security:
  • ElGamal BB is correct (wrt mixing)
  • ElGamal BB reducible to DDH.
• Applications:
  • Reduced trust in mixes
  • Less complex mixnets (no PKI)
  • Privacy preserving RFID tags
• Future
  • Reduce receiver overhead in bulletin board
  • Meteor Mixing (with George Danezis)