Improving Onion Notation Richard Clayton - - PowerPoint PPT Presentation

improving onion notation
SMART_READER_LITE
LIVE PREVIEW

Improving Onion Notation Richard Clayton - - PowerPoint PPT Presentation

Sep 29, 2022 282 likes •524 views

Improving Onion Notation Richard Clayton Why does notation matter? In signs one observes an advantage

slide-1
SLIDE 1

Improving Onion Notation

Richard Clayton

slide-2
SLIDE 2

Why does notation matter?

In signs one observes an advantage in discovery which is greatest when they express the exact nature of a thing briefly and, as it were, picture it; then indeed the labour of thought is wonderfully diminished. Leibniz, 1646–1716

slide-3
SLIDE 3

Summary

  • Current onion notation
  • What’s important about a notation?
  • A new notation
  • Using the new notation
  • Discussion
  • Lunch!
slide-4
SLIDE 4

KM2 KM1 KA R0T R1A R2M1

M2 A M1

Sending message T to Alice

slide-5
SLIDE 5

KM2 KM1 KA R0T R1A R2M1

M2 A M1

Sending message T to Alice

slide-6
SLIDE 6

Onion notation

  • MIXs invented by David Chaum, 1981
  • Ki(x) means “seal” x with key Ki
  • Hence an “onion” [Goldschlag et al 1996]

for text T destined for node A (owner of key Ka) sent via MIX M1 (owner of key K1) is, with the addition of nonces R1 and R0: K1(R1,Ka(R0,T),A)

slide-7
SLIDE 7

Onion notation II

  • Ohkubo & Abe, 2000
  • use

Ki(x) to mean “encrypt” x with key Ki

  • Hence an “onion” for text T destined for

node A (owner of key Ka) sent via MIX M1 (owner of key K1) is, with the addition of nonces R1 and R0:

K1(R1, Ka(R0,T),A)

slide-8
SLIDE 8

Onion notation III

  • Serjantov, 2003, following BAN tradition
  • {x}Ki means “encrypt” x with key Ki
  • Hence an “onion” for text T destined for

node A (owner of key Ka) sent via MIX M1 (owner of key K1) is, with the addition of nonces R1 and R0: {R1,{R0,T}Ka,A}K1

slide-9
SLIDE 9

Assessing notations

A) Make it fit on one line

Frege, 1879 Begriffsschrift The start of the age

  • f symbolic logic.

His contemporaries failed to cope!

slide-10
SLIDE 10

Assessing notations

B) Make it easy to write eg: “

Ki(x)” has custom subscript, font

size and line spacing C) Make it easy to read can you read subscript from the back ?

slide-11
SLIDE 11

so what of this example? Kn(Rn…(R2,K1(R1,Ka(R0,T),A),M1)…Mn) so what of this example? Kn(Rn…(R2,K1(R1,Ka(R0,T),A),M1)…Mn-1) D) Will it allow errors to be detected ? E) Will it allow simple generalisation F) Will it be easy to comprehend

Assessing notations

slide-12
SLIDE 12

There must be a better way!

| R0,T # Ka|R1,*,A # K1 | is the start of a section of the onion #K means encrypt this section with key K * is the result of the previous encryption

slide-13
SLIDE 13

There’s no nesting to unpick!

  • Three MIXs:

| R0,T # Ka|R1,*,A # K1|R2,*,M1 # K2

  • n MIXs:

| R0,T # Ka|R1,*,A # K1|…|Rn,*,Mn-1 # Kn-1

slide-14
SLIDE 14

Pfitzmann & Waidner 1986

  • Avoid end-to-end retransmission on failures

Xa Ka(T) Xn Kn(kn, A), kn(Xa) Xi Ki(ki,Mi+1,ki+1,Mi+2),ki(Xi+1)

ie: besides normal information, each MIX is told about next but one MIX and can route around a

  • failure. The sender also encrypts with ki values

and tells appropriate MIXs their values.

slide-15
SLIDE 15

In the new notation

Xa |T # Ka Xn |kn, A # Kn|Xa # kn|*0*1 Xi |ki, Mi+1,ki+1,Mi+2 # Kn|Xi+1 # ki|*0*1 where *0 is the result of encrypting the previous section and *1 the result of encrypting the section before that

slide-16
SLIDE 16

Avoiding the induction

|T # ka |kn,A # Kn |*0*1 # kn-1 |kn-1,Mn,kn,A # Kn-1 |*0*1 # kn-2 |kn-2,Mn-1,kn-1,Mn # Kn-2|*0*1 # kn-3 |kn-3,Mn-2,kn-2, Mn-1 # Kn-3 | *0*1 # kn-4 … and can now reason about security properties

slide-17
SLIDE 17

Questions for a discussion

  • Is it worthwhile making the notation

resemble the implementation, or should it resemble Encryption(functions) ?

  • Do we actually have trouble reading nested

brackets? or lots of subscripts? or … ellipses?

  • If this notation isn’t useful, should we start

to ruthlessly stamp out the new-fangled notations that are appearing ?

slide-18
SLIDE 18

Why does notation matter?

In signs one observes an advantage in discovery which is greatest when they express the exact nature of a thing briefly and, as it were, picture it; then indeed the labour of thought is wonderfully diminished. Leibniz, 1646–1716

slide-19
SLIDE 19

Discussion

| R0,T # Ka|R1,*,A # K1|…|Rn,*,Mn-1 # Kn-1 | is the start of a section of the onion # K means encrypt this section with key K * is the result of the previous encryption

slide-20
SLIDE 20

More ideas

  • Brackets:

| Ka (R0,T) | K1(R1,*,A) | K2(R2,*,A)

  • Arrows:

| R0,T>Ka|R1,*,A>K1|…|Rn,*,Mn-1>Kn-1

  • r

| R0 Ka|R1 1|…|Rn,*,Mn-1 Kn-1

slide-21
SLIDE 21

And a functional notation

(Grothoff)

F(a, b)(x) := Eka(Ra, x, b) (f(A,B) o f(B,C) o f(C,C)) (T)

slide-22
SLIDE 22

Power notation (Serjantov)

cf: or (Euler’s notation)

n

Ri , *, Mi

i=0

  • where A is M0 and the “initial” * is empty
slide-23
SLIDE 23

More discussion ?

  • At lunch ?
  • Or later in the workshop !

richard.clayton@cl.cam.ac.uk http://www.cl.cam.ac.uk/~rnc1/