87 research outputs found
Conscript Your Friends into Larger Anonymity Sets with JavaScript
We present the design and prototype implementation of ConScript, a framework
for using JavaScript to allow casual Web users to participate in an anonymous
communication system. When a Web user visits a cooperative Web site, the site
serves a JavaScript application that instructs the browser to create and submit
"dummy" messages into the anonymity system. Users who want to send non-dummy
messages through the anonymity system use a browser plug-in to replace these
dummy messages with real messages. Creating such conscripted anonymity sets can
increase the anonymity set size available to users of remailer, e-voting, and
verifiable shuffle-style anonymity systems. We outline ConScript's
architecture, we address a number of potential attacks against ConScript, and
we discuss the ethical issues related to deploying such a system. Our
implementation results demonstrate the practicality of ConScript: a workstation
running our ConScript prototype JavaScript client generates a dummy message for
a mix-net in 81 milliseconds and it generates a dummy message for a
DoS-resistant DC-net in 156 milliseconds.
Comment: An abbreviated version of this paper will appear at the WPES 2013 workshop
The Discrete-Logarithm Problem with Preprocessing
This paper studies discrete-log algorithms that use preprocessing. In our model, an adversary may use a very large amount of precomputation to produce an advice string about a specific group (e.g., NIST P-256). In a subsequent online phase, the adversary's task is to use the preprocessed advice to quickly compute discrete logarithms in the group. Motivated by surprising recent preprocessing attacks on the discrete-log problem, we study the power and limits of such algorithms. In particular, we focus on generic algorithms -- these are algorithms that operate in every cyclic group. We show that any generic discrete-log algorithm with preprocessing that uses an -bit advice string, runs in online time , and succeeds with probability , in a group of prime order , must satisfy .
Our lower bound, which is tight up to logarithmic factors, uses a synthesis of incompressibility techniques and classic methods for generic-group lower bounds. We apply our techniques to prove related lower bounds for the CDH, DDH, and multiple-discrete-log problems.
Finally, we demonstrate two new generic preprocessing attacks: one for the multiple-discrete-log problem and one for certain decisional-type problems in groups. This latter result demonstrates that, for generic algorithms with preprocessing, distinguishing tuples of the form from random is much easier than the discrete-log problem
Dissent: Accountable Group Anonymity
Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to disrupt the group. Messaging protocols such as Mix-nets and DC-nets leave online groups vulnerable to denial-of-service and Sybil attacks, while accountable voting protocols are unusable or inefficient for general anonymous messaging. We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members have much data to transmit in a given round. The N group members first cooperatively shuffle an N x N matrix of pseudorandom seeds, then use these seeds in N "pre-planned" DC-nets protocol runs. Each DC-nets run transmits the variable-length bulk data comprising one member's message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large and unbalanced message loads. A working prototype demonstrates the protocol's practicality for anonymous messaging in groups of 40+ member nodes
The Function-Inversion Problem: Barriers and Opportunities
The task of function inversion is central to cryptanalysis: breaking block ciphers, forging signatures, and cracking password hashes are all special cases of the function-inversion problem. In 1980, Hellman showed that it is possible to invert a random function in time given only bits of precomputed advice about . Hellman's algorithm is the basis for the popular "Rainbow Tables" technique (Oechslin, 2003), which achieves the same asymptotic cost and is widely used in practical cryptanalysis.
Is Hellman's method the best possible algorithm for inverting functions with preprocessed advice? The best known lower bound, due to Yao (1990), shows that , which still admits the possibility of an attack. There remains a long-standing and vexing gap between Hellman's upper bound and Yao's lower bound. Understanding the feasibility of an algorithm is cryptanalytically relevant since such an algorithm could perform a key-recovery attack on AES-128 in time using a precomputed table of size .
For the past 29 years, there has been no progress either in improving Hellman's algorithm or in strengthening Yao's lower bound. In this work, we connect function inversion to problems in other areas of theory to (1) explain why progress may be difficult and (2) explore possible ways forward.
Our results are as follows:
- We show that *any* improvement on Yao's lower bound on
function-inversion algorithms will imply new lower bounds on
depth-two circuits with arbitrary gates. Further, we show that
proving strong lower bounds on *non-adaptive* function-inversion
algorithms would imply breakthrough circuit lower bounds on
linear-size log-depth circuits.
- We take first steps towards the study of the *injective*
function-inversion problem, which has manifold cryptographic
applications. In particular, we show that improved algorithms for
breaking PRGs with preprocessing would give improved algorithms for
inverting injective functions with preprocessing.
- Finally, we show that function inversion is closely related to
well-studied problems in communication complexity and data
structures. Through these connections we immediately obtain the best
known algorithms for problems in these domains
- …