A new attack on Jakobsson Hybrid Mix-Net

Transcription

1 A new attack on Jakobsson Hybrd Mx-Net Seyyed Amr Mortazav Tehran, Iran. Abstract The Jakobsson hybrd Mx-net proposed by Jakobsson and Juels, s a very practcal and effcent scheme for long nput messages. But ths hybrd Mx-net does not have publc verfable property. In ths paper a new attack to the Jakobsson hybrd Mx-net s ntroduced. Ths attack breaks the robustness of the hybrd Mx-net scheme, gven that the corrupted frst mx server and one of the senders collude wth each other. keyword:mx-net,hybrd Mx-net, Anonymty. 1. Introducton Mx-net s a cryptographc tool for creatng an anonymous channel between a group of senders and recevers. By usng t the dentty of senders to recevers s kept unknown. The most mportant securty aspect of Mx-net desgn s mantanng the anonymty of senders. A properly desgned Mx-net takes a group of encrypted messages as ts nput and generates a set of plantexts and delvers them to recevers whle keepng anonymty of senders. Ideas for Mx-net frst appeared n Chaum s work [2] and snce then t s used as a strong tool to desgn the anonymous channels. In [4] the dfferent methods of desgn of anonymous channels are dscussed. Any Mxnet conssts of three partcpants; mx servers, senders and recevers. Senders encrypt ther messages and delver them to the frst mx server. Frst mx server performs mxng operaton over these nput messages and produces ts output. Mxng operatons nclude: 1- cryptographc operatons (encrypton or decrypton algorthms) to make nput messages anonymous. 2- random permutaton on the nput messages to elmnate any relatonshp between outputs and nputs of the mx server. Outputs of each server are transferred to the next mx server, where the same mxng operatons are carred out. The outputs of the last mx server are the plantexts whch are delvered to the recevers. Mx-nets may be desgned to have some features, such as correctness, prvacy of senders, robustness and verfablty. Desrable goal n the desgn of Mx-net s achevng these features wth hgh computatonal effcency. Correctness means that the result s correct, f all the mx servers are honest. In Mx-net the prvacy s dealt wth the anonymty of senders. A Mx-net s consdered to be robust, f mx servers could produce a correct output n presence of some faulty mx servers. In the verfable Mx-net each mx server s requred to prove that t performs ts tasks correctly. In 1981 Chaum ntroduces the Mx-net n [2] for the frst tme, that s now known as decrypton Mx-net. In a decrypton Mx-net the senders encrypt ther messages by the publc key of all servers n a reverse order. Durng the decrypton 1

2 operaton of each server, a layer of encrypton s decrypted. Thus the output of the last mx server wll be plantext messages. Not beng robust to a faulty mx server was the major drawback of the decrypton Mx-net, It means that f a mx server refuses to decrypt ts nput messages, mxng operatons of Mx-net wll stop. To acheve robustness aganst faulty servers, Park et.al n [14] propose a new Mx-net, n whch decrypton s substtuted by re-encrypton. Re-encrypton Mx-net formerly ntroduced n [14], later shown to have some weaknesses n [17]. A new re-encrypton Mx-net s ntroduced n [12] that s robust to above attacks. Snce then the man objectve of Mx-net desgners was reachng a Mx-net wth publc verfablty and hgh effcency. The frst publcly verfable Mx-net s presented n [7] that uses the cut and choose method. But ths scheme has low effcency and hgh complexty. After that, a lot of publcly verfable Mx-nets wth hgh effcency was ntroduced [1, 6, 10, 8]. Sako n [5] and Neff n [11] present two practcal publcly verfable Mx-nets wth hgh effcency. Schemes that are ntroduced above acheve ther best effcency when length of nput cphertext s short. A method for mxng long messages wth these Mx-nets, s to dvde each message nto blocks of the short bts, re-encrypt each block and concatenate them to form a strng. Ths approach requres only publc key operatons and provng correctness of mxng operatons for each block. Mx-nets usually use the publc key cryptosystem (such as ElGamal or RSA cryptosystem) to re-encrypt or decrypt ther nput messages. Usng the publc key cryptosystem n desgnng a Mx-net has caused some problems lke restrcton of nput message length and reducton of effcency because of modular computatons. Consderng these statements, Mx-nets that use both symmetrc and publc keys were desgned and known as hybrd Mx-nets. Acceptng nput messages wth arbtrary length s the advantage of usng symmetrc key n the Mx-net desgn. Furthermore, encrypton wth symmetrc key s more effcent than encrypton wth publc key. Abe et.al n [13] have ntroduced frst hybrd Mxnet that has robustness aganst n faulty mx servers from total of n mx servers. Jakobsson et.al n [9] proposes a hybrd Mx-net that has robustness aganst n faulty mx servers. The Mxnet schemes n [13, 9], are able to mx long mes- 2 sages effcently, but they do nor have the property of publc verfablty. In ths paper a revew of the Jakobsson hybrd Mx-net scheme carred out at secton 2 s presented. The new attack aganst ths hybrd Mxnet s ntroduced n secton 3, ths attack breaks robustness of ths hybrd Mx-net. In secton 4 the clue to a soluton of modfcaton ths scheme aganst our new attack s presented. Ths proposed scheme s a publc verfable Mx-net. 2 Revew of Hybrd Mx-Net In ths secton the hybrd Mx-network protocol presented by Jakobsson et al s revewed brefly. [9]. The descrpton gven here s as close as possble to the orgnal paper, but we dscard detals rrelevant to the new attack. For detals we refer the nterested reader to [9]. 2.1 Setup and buldng blocks The partcpants of the ths hybrd Mx-net protocol are; N senders that denoted by P 1,..., P N, and n mx servers that denoted by S 1,..., S n, and a bulletn board 1. Each sender encrypts ts message, and wrtes t on the bulletn board. The mx servers then run the hybrd Mx-net protocol. In the remanng of ths subsecton, the notatons and prelmnary blocks for the hybrd Mxnet protocol are ntroduced. 1 bulletn board s a publcly shared memory whch all partcpants can read and wrte access to t wth authentcaton but no partcpant can erase anythng on the bulletn board [9, 18] 2

3 2.1.1 Scheme parameters Frst the parameters used n ths scheme are explaned. Let p and q be two large prmes that q p 1 and Zp s a multplcatve group module p and G q s a subgroup of order q of Zp. The generator of subgroup G q s denoted wth g. Message authentcaton code (MAC) s a symmetrc keyed functon. MAC for message m wth symmetrc key z s denoted wth MAC Z (m). let k G q be a symmetrc key shared between two entty, E k [m] = c and D k [c] = m, are respectvely the encrypton and decrypton functon of the symmetrc key algorthm. Zero knowledge proof for provng quadruple (a, b, y, z) G 4 q s n the form of log a b = log y z = x and the prover knows the secret value of x s denoted wth EQDL[a, b, y, z] Intalzaton Each server S, 1 n, chooses three secure and random keys α, β, γ Z q, as ts prvate keys, then each server computes and publshes trple (Y, K, Z ) that Y = Y 1 α, K = Y 1 β, Z = Y 1 γ as ts publc key. In ths computaton, t s assumed that Y 0 = g. In the ntalzaton of ths scheme each server must prove knowledge of ts prvate keys by usng a zero knowledge proof such as [16] or [3]. After that all the prvate keys of each server are shared between all the servers by usng (t, n) verfable secret sharng (VSS) technque [15] Smulated server By cooperatons of all servers and usng VSS technque the last server S wth prvate keys β, γ and publc keys K, Z are smulated and these keys are shared between the other servers. 2.2 Encrypton In ths secton, encrypton algorthm, that s used by senders to encrypt ther messages s descrbed. Ths encrypton algorthm s based on the symmetrc key encrypton, that encrypts the message layer to a layer wth all the publc keys of the servers n a reverse order. 1. Compressed key schedule Generaton Eeach sender, lke P j, selects randomly secret key ρ Z q then computes k ρ = K 0 n + 1 z ρ = Z 1 n + 1 (2.1) y ρ 0 = Y 0. notce that the sender compressed key schedule s y 0 [9]. 2. Message Encrypton Each sender encrypts hs message n ths stage. For example the jth sender encrypts the m j by computng: c n = E k [m j ] c j = E k [c µ ] 0 n 1 µ j = MAC z [c I] 0 n (2.2) where I s a publcly random strng. the cphertext of the jth sender s {c 0, µ 0, y 0 } and other senders smlarly construct ther cphertexts. For the securty of the scheme, the length of all the cphertexts must be equal. The set of cphertext sent to frst mx server s shown by {c 0, µ 0, y 0 } N j= Mxng operaton In ths hybrd Mx-net, all of the transactons and nteractons between Mx-net partcpants are publc and performed by means of bulletn board. 3

4 1. Each server takes the set {c 1, µ 1, y 1 } N j=1 as ts nput and performs followng steps: (a) key generaton Server S by usng ts prvet keys computes decrypton keys as follows for 1 j N. ỹ = (y 1 ) α k = (y 1 ) β z = (y 1 ) γ (2.3) (b) MAC verfcaton Server S verfes the MAC valdty by: µ 1? = MAC z [c 1 I] (2.4) for 1 j N. If the MAC verfcaton s wrong,.e above equaton s not satsfed, the server S performs Verfy Complant (, j) (secton 2.4). (c) Message Decrypton Server S decrypts the cphertext as followes: D k [c 1 ] = ( c µ ) (2.5) (d) Permutaton Server S chooses randomely permutaton π and rearranges set {c, µ, y } N j=1 and the result s the output of server S. (e) proof of correctness of output keys Server S for provng correctness of output keys {y } N j=1 uses zero knowledge proofs as descrbed n secton Server S must prove that P = P α 1 and Y = Y α 1 by usng EQDL[P 1, P, Y 1, Y ], where P = N j=1 y. S must send the requred nformaton for proovng the EQDL equatons to server S and f S determnes that the proof s ncorrect t performs Verfy Complant (secton 2.4). 2. Output the output of S n s set {c n, µ n, y n } N j=1 and ths set s the nput of the smulated server, S. Wth help of the Mx-net servers and usng VSS technques, the prvte keys of the (n + 1)th server z, K (), are computed. By usng these keys, the mxng operatons are performed and Mx-net outputs are obtaned wth decrypton {D k [c n ] = m } N j= Verfy Complant (, j) Verfy Complant (, j) are executed when the mx server S complans that ts jth nput message (c 1, µ 1, y 1 ) has nvald form or the ( 1)th server s faulty. If the nput message of the mx server S s not satsfed, the MAC verfcaton (equatons (2.4)) or EQDL proof, ths algorthm wth complant of S s run. Wth cooperaton of all the servers and usng secret sharng method, frst the truth of complant s verfed and then the faulty server S or nvald form of the sender s message [9] s nspected. 3 A practcal attack on Jakobsson hybrd Mx-net In ths secton, a new attack aganst Jakobsson hybrd Mx-net [9] s ntroduced by the authors. Ths attack breaks the robustness of the hybrd Mx-net. In ths attack, the corrupted frst mx server and one of the senders, cooperate together to produce arbtrary outputs, wthout detecton by the other servers. 3.1 Corrupt mx server and corrupt sender We assume that the frst mx server S 1 and one of the senders,p N, are corrupted and cooperate 4

5 together to break the correctness and robustness of hybrd Mx-net. In ths attack the frst mx server could remove ts nput messages and replace them wth arbtrary messages wthout detecton by other partcpants. Ths attack s the general form of smlar attacks n [18, 17]. Input messages to the frst mx server are {c 0, µ 0, y 0 } N j=1, that y 0 = Y ρ 0. In ths statement, ρ s secret for the senders. Is assumed that the Nth sender s corrupted and makes ts message as follows: y (N) 0 = Π N 1 j=1 y 0 Y ρ (N) 0 (3.1) Then formes {c 0 (N), µ 0 (N), y 0 (N) } and post t to the frst server. Snce the messages are publc n the bulletn board, P N could construct y (N) 0 n the form of (N) (3.1) equatons. In the above equatons, c 0 and µ (N) 0 are random numbers, n a way that the structure of the message s correct and ρ (N) s random and common between the frst mx server and Nth sender. y 0 s the nverse of a y 0 n module p. The frst mx server could modfy messages to pass the verfcaton processes. The frst mx server chooses arbtrarly and unformly m 1, m 2,..., m N and ρ Z q for 1 j N, that N j=1 ρ = ρ (N) modq. The Frst mx server computes for 1 j N :(correspondng (2.1) equatons) = ρ α 1 k z y = K = Z 1 = Y 0. 1 n n + 1 (3.2) and t could encrypt messages m j, as follows: (correspondng (2.2) equatons): c n = E k [m ] c = E k [c µ ] 1 n 1 µ = MAC z [c I] 1 n (3.3) The frst mx server could construct the set {c 1, µ 1, y 1 } N j=1. The server S 1 rearrangees ths set and adds the knowledge for provng EQDL proof to ths ordered set, then posts t to the second server. Second server follow usual manner of protocol correspondng secton 2.3: 1. Key generaton S 2 computes k 2 and z 2 for 1 j N from equatons (2.3). 2. Verfy MAC equatons S 2 wth usng equatons (2.4), verfes MAC equatons for all messages. Snce the frst mx server formes these messages properly, all the messages satsfy the MAC equatons. 3. Message decrypton: Server S 2 by usng the equatons (2.5) decrypts all the messages. 4. EQDL equatons The server S 2 must check the EQDL proof, EQDL[P 0, P 1, Y 0, Y 1 ], correspondng wth secton 2.3. Snce: P 0 = Π N j=1y 0 = Y ρ (N) 0 and P 1 = Π N j=1y 1 = Y ρ N α 1 0 Y 1 = Y α 1 0 and server S 1 knows the value of α 1, consequently t could create EQDL zero knowledge proof correctly. The server S 1 could replace the messages of senders wth other arbtrary messages and send new messages to the second server wthout detecton by other partcpants. Smlarly the messages are sent to the last mx server and the outputs of Mx-net are formed. 5

6 4 Modfed and publcly verfable hybrd Mx-net In the hybrd Mx-net, senders must post y 0 to the frst mx server, and the senders don t need to prove that they know the exponents of the y 0,.e, ρ. by the use ths weakness, the new attack on the hybrd Mx-net s ntroduced. For modfyng the scheme aganst ths attack, a clue for the solutons of scheme s proposed. a new method for reachng publc verfablty n the hybrd Mx-networks s ntroduced. Verfcaton of MAC functon n Jakobsson hybrd Mxnet s performed only by next server, snce n ths scheme the MAC functon s a keyed functon and only the next server has ths key. The dgtal sgnature s used for reachng the publc verfablty. For usng ElGamal dgtal sgnature, frstly the publc and prvate keys of ElGamal sgnature are ntroduced as follows: (keys of the jth sender for sgnng the message of the th server) publc key:(y, y, p, q) prvate key: ρ notce that y = Y ρ and Y (the publc key of th server) s a generator n group G q. (q s a prme number and each exponent of g s a generator) ElGamal sgnature wth generator Y and prvate key ρ over message m s denoted by d = SIG ρj,y (H(m)) and the sgnature verfcaton by H(m) = VER-SIG (Y,y )(d). In the above equatons H s a secure hash functon. The message encrypton algorthms n secton 2.2 are changed wth new algorthms as followng: c n = E k [m ] c = E k [c µ j+1 ] 0 n 1 µ = SIG (ρ),y )[c ] 0 n (4.1) and the MAC verfcaton n secton 2.3 s replaced wth dgtal sgnature verfcaton as followng: c = VER-SIG (Y,y ) (µ ) (4.2) for 1 j N If the dgtal sgnature s used nstead of MAC, the effcency of the scheme s reduced, snce the complexty of dgtal sgnature s hgher than MAC verfcaton. In the below table the complexty of both schemes are compared. The comparson s based on the number of exponentaton for both schemes. n s the number of servers and N s the number of senders. Mx-net ntalzng Encrypton Mxng Jakobsson 3n + 9 2n + 3 3N + 6 Our scheme 2n + 6 2n + 3 5N Concluson Hybrd Mx-nets are effcent Mx-nets for long nput messages. Hybrd Mx-nets are constructed by use of both symmetrc and publc key encrypton. In ths paper a new attack on Jakobsson hybrd Mx-net s ntroduced, that breaks the robustness of the scheme. A new scheme that s resstent aganst the new attack s proposed. The proposed soluton s a publc verfable hybrd Mx-net that s based on Jakobsson hybrd Mx-net. References [1] Masayuk Abe, Unversally verfable mxnet wth verfcaton work ndependent of the number of mx servers, In Advances n Cryptology (EUROCRYPT 98), Sprnger- Verlag, LNCS 1403, 1998, pp [2] Davd Chaum, Untraceable electronc mal, return addresses, and dgtal pseudonyms, Communcatons of the ACM 24 (1981), no. 2. [3] Davd Chaum and Torben P. Pedersen, Wallet databases wth observers, CRYPTO, 1992, pp

7 [4] George Danezs and Clauda Daz, A survey of anonymous communcaton channels, Tech. Report MSR-TR , Mcrosoft Research, January [5] Jun Furukawa and Kazue Sako, An effcent scheme for provng a shuffle, Proceedngs of CRYPTO 2001 (Joe Klan, ed.), Sprnger- Verlag, LNCS 2139, [6] Markus Jakobsson, A practcal mx, Advances n Cryptology - EuroCrypt 98 (London, UK), Sprnger-Verlag, 1998, LNCS 1403, pp [7] Joe Klan and Kazue Sako, Recept-free MIX-type votng scheme - a practcal soluton to the mplementaton of a votng booth, Proceedngs of EUROCRYPT 1995, Sprnger-Verlag, [8] Jakobsson Markus, Flash Mxng, Proceedngs of Prncples of Dstrbuted Computng - PODC 99, ACM Press, [9] Jakobsson Markus and Juels Ar, An optmally robust hybrd mx network (extended abstract), Proceedngs of Prncples of Dstrbuted Computng - PODC 01, ACM Press, [10] Abe Masayuk, Mx-networks on permutaton networks, ASIACRYPT, 1999, pp [13] Myako Ohkubo and Masayuk Abe, A Length-Invarant Hybrd MIX, Proceedngs of ASIACRYPT 2000, Sprnger-Verlag, LNCS 1976, [14] Choonsk Park, Kazutomo Itoh, and Kaoru Kurosawa, Effcent anonymous channel and all/nothng electon scheme, EUROCRYPT 93: Workshop on the theory and applcaton of cryptographc technques on Advances n cryptology, [15] Gennaro Rosaro, Jareck Stanslaw, Krawczyk Hugo, and Rabn Tal, Secure dstrbuted key generaton for dscrete-log based cryptosystems, J. Cryptology 20 (2007), no. 1, [16] Claus-Peter Schnorr, Effcent sgnature generaton by smart cards, J. Cryptology 4 (1991), no. 3, [17] Brgt Pftzmann Unverstt and Brgt Pftzmann, Breakng an effcent anonymous channel, In EUROCRYPT, Sprnger-Verlag, 1995, pp [18] Douglas Wkström, Fve practcal attacks for optmstc mxng for ext-polls, Selected Areas n Cryptography (10th Annual Internatonal Workshop, SAC 2003), 2004, pp [11] C. Andrew Neff, A verfable secret shuffle and ts applcaton to e-votng, ACM Conference on Computer and Communcatons Securty, 2001, pp [12] Wakaha Ogata, Kaoru Kurosawa, Kazue Sako, and Kazunor Takatan, Fault tolerant anonymous channel, Informaton and Communcatons Securty - ICICS 97,LNCS 1334, 1997, pp