1,872 research outputs found
Anonymity in Shared Symmetric Key Primitives
We provide a stronger definition of anonymity in the context of shared symmetric key primitives, and show that existing schemes do not provide this level of anonymity. A new scheme is presented to share symmetric key operations amongst a set of participants according to a (t, n)-threshold access structure. We quantify the amount of information the output of the shared operation provides about the group of participants which collaborated to produce it.
Verifying Privacy-Type Properties in a Modular Way
Formal methods have proved their usefulness for analysing the security of protocols. In this setting, privacy-type security properties (e.g. vote-privacy, anonymity, unlink ability) that play an important role in many modern applications are formalised using a notion of equivalence. In this paper, we study the notion of trace equivalence and we show how to establish such an equivalence relation in a modular way. It is well-known that composition works well when the processes do not share secrets. However, there is no result allowing us to compose processes that rely on some shared secrets such as long term keys. We show that composition works even when the processes share secrets provided that they satisfy some reasonable conditions. Our composition result allows us to prove various equivalence-based properties in a modular way, and works in a quite general setting. In particular, we consider arbitrary cryptographic primitives and processes that use non-trivial else branches. As an example, we consider the ICAO e-passport standard, and we show how the privacy guarantees of the whole application can be derived from the privacy guarantees of its sub-protocols
Composing security protocols: from confidentiality to privacy
Security protocols are used in many of our daily-life applications, and our privacy largely depends on their design. Formal verification techniques have proved their usefulness to analyse these protocols, but they become so complex that modular techniques have to be developed. We propose several results to safely compose security protocols. We consider arbitrary primitives modeled using an equational theory, and a rich process algebra close to the applied pi calculus.
Relying on these composition results, we derive some security properties on a protocol from the security analysis performed on each of its sub-protocols individually. We consider parallel composition and the case of key-exchange protocols. Our results apply to deal with confidentiality but also privacy-type properties (e.g. anonymity) expressed using a notion of equivalence. We illustrate the usefulness of our composition results on protocols from the 3G phone application and electronic passport
Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management
With the growing amount of personal information exchanged over the Internet,
privacy is becoming more and more a concern for users. One of the key
principles in protecting privacy is data minimisation. This principle requires
that only the minimum amount of information necessary to accomplish a certain
goal is collected and processed. "Privacy-enhancing" communication protocols
have been proposed to guarantee data minimisation in a wide range of
applications. However, currently there is no satisfactory way to assess and
compare the privacy they offer in a precise way: existing analyses are either
too informal and high-level, or specific for one particular system. In this
work, we propose a general formal framework to analyse and compare
communication protocols with respect to privacy by data minimisation. Privacy
requirements are formalised independent of a particular protocol in terms of
the knowledge of (coalitions of) actors in a three-layer model of personal
information. These requirements are then verified automatically for particular
protocols by computing this knowledge from a description of their
communication. We validate our framework in an identity management (IdM) case
study. As IdM systems are used more and more to satisfy the increasing need for
reliable on-line identification and authentication, privacy is becoming an
increasingly critical issue. We use our framework to analyse and compare four
identity management systems. Finally, we discuss the completeness and
(re)usability of the proposed framework
HORNET: High-speed Onion Routing at the Network Layer
We present HORNET, a system that enables high-speed end-to-end anonymous
channels by leveraging next generation network architectures. HORNET is
designed as a low-latency onion routing system that operates at the network
layer thus enabling a wide range of applications. Our system uses only
symmetric cryptography for data forwarding yet requires no per-flow state on
intermediate nodes. This design enables HORNET nodes to process anonymous
traffic at over 93 Gb/s. HORNET can also scale as required, adding minimal
processing overhead per additional anonymous channel. We discuss design and
implementation details, as well as a performance and security evaluation.Comment: 14 pages, 5 figure
Hash Families and Cover-Free Families with Cryptographic Applications
This thesis is focused on hash families and cover-free families and their application to
problems in cryptography. We present new necessary conditions for generalized separating
hash families, and provide new explicit constructions. We then consider three cryptographic
applications of hash families and cover-free families. We provide a stronger de nition of
anonymity in the context of shared symmetric key primitives and give a new scheme with
improved anonymity properties. Second, we observe that nding the invalid signatures
in a set of digital signatures that fails batch veri cation is a group testing problem, then
apply and compare many group testing algorithms to solve this problem e ciently. In
particular, we apply group testing algorithms based on cover-free families. Finally, we
construct a one-time signature scheme based on cover-free families with short signatures
Finding Safety in Numbers with Secure Allegation Escrows
For fear of retribution, the victim of a crime may be willing to report it
only if other victims of the same perpetrator also step forward. Common
examples include 1) identifying oneself as the victim of sexual harassment,
especially by a person in a position of authority or 2) accusing an influential
politician, an authoritarian government, or ones own employer of corruption. To
handle such situations, legal literature has proposed the concept of an
allegation escrow: a neutral third-party that collects allegations anonymously,
matches them against each other, and de-anonymizes allegers only after
de-anonymity thresholds (in terms of number of co-allegers), pre-specified by
the allegers, are reached.
An allegation escrow can be realized as a single trusted third party;
however, this party must be trusted to keep the identity of the alleger and
content of the allegation private. To address this problem, this paper
introduces Secure Allegation Escrows (SAE, pronounced "say"). A SAE is a group
of parties with independent interests and motives, acting jointly as an escrow
for collecting allegations from individuals, matching the allegations, and
de-anonymizing the allegations when designated thresholds are reached. By
design, SAEs provide a very strong property: No less than a majority of parties
constituting a SAE can de-anonymize or disclose the content of an allegation
without a sufficient number of matching allegations (even in collusion with any
number of other allegers). Once a sufficient number of matching allegations
exist, the join escrow discloses the allegation with the allegers' identities.
We describe how SAEs can be constructed using a novel authentication protocol
and a novel allegation matching and bucketing algorithm, provide formal proofs
of the security of our constructions, and evaluate a prototype implementation,
demonstrating feasibility in practice.Comment: To appear in NDSS 2020. New version includes improvements to writing
and proof. The protocol is unchange
- âŚ