Untraceable Electronic Mail Return addresses and Digital Pseudonyms Authors David L Chaum University of California Berkeley Presented by Murtuza Jadliwala Electronic M ail System 8262013 ID: 769822
Download Presentation The PPT/PDF document "Untraceable Electronic Mail, Return addr..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Untraceable Electronic Mail, Return addresses, and Digital Pseudonyms Authors: David L. Chaum , University of California, Berkeley Presented by: Murtuza Jadliwala
Electronic Mail System 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 2 Sender Receiver Insecured Telecommunication Channel Email Problem : Vulnerable to Traffic Analysis Attacks How to hide the content of communication (message)? How to hide who is communicating with whom? More specifically, can the sender send the message anonymously to the receiver? Additional property needed: Untraceable return addresses
MotivationElectronic mail w as new in the 1980’s Anonymously sending an electronic mail was a desirable requirement! The idea of anonymous sending an electronic mail could also be used in other applications Anonymous electronic voting application Verification that ballots have been properly counted is possible if anonymously mailed ballots are signed with pseudonyms from a roster of registered voters 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)3
Background – Public Key Cryptography Used for providing confidentiality 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 4
Background – Public Key Cryptography Used for providing authentication 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 5
NotationsAssume that RSA public-key cryptosystem is used K is the public key (known to everyone) K -1 is the private key (known to only the sender)M is the message. Assume all messages consists of equal sized and equal number of blocks. M = M1M 2M3…ML-1Encryption of M by K (using RSA) is denoted as K(M). K(M) is a random mapping from M to a string of size K(M) K-1 (K(M)) = K(K-1 (M) = MIf M = M’, then K(M) = K(M’). To overcome this problem, choose a random string, attach to the message before encrypting K(R,M) 8/26/2013CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 6
Assumptions No one can determine the mapping between the plaintext and the corresponding encrypted plaintext by just looking at either one of them No one can create forge a message or a signature without the appropriate random string or private key.Anyone may learn the origin, destination(s), and representation of all messages in the underlying telecommunication system Anyone may inject, remove, or modify messages. 8/26/2013CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 7
Anonymous Mail System8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 8 s1 s 2 s3 s4 r1 r2 r3 r4 Mix Email K mix (R 1 , K r3 (R 0 ,M),r3) Email K r3 (R 0 ,M)
Anonymous Mail System8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 9 s1 s 2 s3 s4 r1 r2 r3 r4 Mix Email Email Timing and Order of arrival can leak information! How to overcome that problem ? Mix hides correspondences between its input and outputs. How is this possible? By assumption 1 – Cryptanalytic attack not possible! What if one item is repeated in the input and the output? How to overcome this? Remove redundant items across multiple batches! Email Email Email Email Email Email Batch
Protection against Mix Misbehavior Mix provides signed receipts of messages to the participants, Y= K -1 mix(C, K mix(R1, Kr3 (R0,M),r3))If a participant is wronged, he can supply X = (Kr3(R 0,M), r3), and the retained string R1,along with the signed receipt to the authorities Authorities can verify if Kmix(Y) = C, Kmix(R1 ,X)8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981)10
Mix Cascades8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 11 s1 s 2 s3 s4 r1 r2 r3 r4 Mix 1 Mix 2 Mix n … Advantage: Even if n-1 mixes are misbehaving or cheating, a single honest mix can provide secrecy
Mix Cascades Participant provides the following to the Mix1 K mix1 (R1, Kmix2 (R2, …..K mix n-1(Rn-1, Kmixn(R n, Kr3(R0,M),r3))….)) Mix1 yields a lexicographically ordered batch of items, each of the formKmix2(R2, ….. Kmix n-1(Rn-1, Kmixn (Rn, Kr3(R0,M),r3))….) The items in the final output batch of a cascade are of the same form as the single mix K r3 (R 0 ,M),r3 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 12
Return Addresses or Certified Mail If x can send an anonymous messages to y, is it possible for y to respond to x, while still keeping identity of x secret from y?Anonymous mail receipt!Solution: The sender x forms an untraceable return address Kmix(R1,A x), KX and includes it in the message sent through the mixAx is the address of xKX is the public key chosen by x 8/26/2013CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 13
Return Addresses or Certified Mail8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 14 s1 s 2 s3 s4 r1 r2 r3 r4 Mix Email K mix (R 2 , K r3 (R 0 ,M, K mix (R 1 ,s1), K s1 ),r3) Email K r3 (R 0 ,M, K mix (R 1 ,s1), K s1 ) Rcpt K mix (R 1 ,s1), K s1 (R 3 ,M’) Rcpt s1, R1(K s1 (R 3 ,M’))
Return Address in Mix Cascades With a cascade of mixes, the message part is prepared the same as for a single mix Receiver provides the following to the MixNK mixN(RN, K mix N-1(RN-1, …..Kmix2(R 2, K1(R1 ,s1))….)), Ks1(R’,M’)MixN yields a lexicographically ordered batch of items, each of the formKmix N-1(RN-1, …..Kmix2(R2, K 1 (R 1 ,s1 ) )….), R N (K s1 (R’,M’)) The items in the final output batch of a cascade are of the same form as the single mix s1, R 1 (…..R N-1 (R N (K s1 (R ’,M ’)))…) 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 15
Application: Anonymous Electronic Voting Digital Pseudonym: Public key of anonymous holder (used to verify signatures made by him) Roster: Collection of “digital pseudonyms” of acceptable anonymous holders maintained by an authorityHow can an authority form a roster of anonymous pseudonyms? Roster could contain a pseudonyms of registered votersAnonymous Voting : For a single mix, Each voter submits a ballot of the form Kmix ( R1, K, K-1( C, V )), where K is the voter’s pseudonym and V is the voteItems in the final lexicographically ordered output batch are of the form K, K-1( C, V ) duplicates need to be avoided in this batchCheck if the pseudonym K correctly decrypts the signed vote VIf the above is verified, check if K appears in the roster of registered voters The above can be easily extended for a cascading mix 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 16
General Purpose Anonymous Mail Systems To prevent misbehavior in single mix systems: Require all messages pass through mix cascades To hide the number of messages sent: All senders send messages to the mix (in a batch) Some senders send dummy messages To hide the number of messages received:Each receiver searches the entire output for messages directed to itBoth the above approaches are too costly One solution is to use only subsets rather than entire sets of senders/receiversIf a message passes through K mixes in the cascade and contains L blocks ( L-K content block, K address blocks)Problem: How to hide the number of mixes a message passes through Each mix typically strips off 1 address block? Solution : For each mix the message passes through, remove the corresponding address block, but add a junk content block! So number of block in each message is constant 8/26/2013 CS 898AB - Untraceable Electronic Mail (D. Chaum, 1981) 17