privacy and computer science eci 2015 day 2 privacy
play

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity - PowerPoint PPT Presentation

Feb 10, 2023 •370 likes •1.55k views

Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic Point of View F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale

  1. Introduction Traditional Cryptographic Approach to Privacy Privacy is more complex than just using a cryptographic function. = ⇒ Very often it even requires a priori contradictory features: (e.g. electronic vote, electronic cash, authentication and replay attacks...) It consists into elaborated protocols which uses several cryptographic primitives entangled together to achieve a specific goal: Secure hash functions, Asymetric encryption, Secret sharing schemes, Bit commitment, Etc. Together with those primitives, standard techniques to compose them are used: Challenge/response schemes. Use of nounces and randomness in general. Cut and choose. Etc. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 5 / 48

  2. Data Integrity, Secure Hash Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 6 / 48

  3. Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48

  4. Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h ( x ) = y and y is securily stored. Then if x is changed into x ′ , h ( x ′ ) = y ′ � = y . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48

  5. Data Integrity, Secure Hash Cryptographic Hash Functions Trying to make the equivalent of fingerprints for data. Hash functions should be like a salami machine: impossible to inverse but such that if feeding material is changed, then the salami is changed as well. The idea is that if h ( x ) = y and y is securily stored. Then if x is changed into x ′ , h ( x ′ ) = y ′ � = y . Actually families of keyed hash functions are used. The simplest way to make a MAC: A and B share k , A sends ( x , y = h k ( x )) to B. A third party C cannot alter x into x ′ and sends ( x ′ , h k ( x ′ )) without knowing k . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 7 / 48

  6. Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48

  7. Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48

  8. Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y 2 Second Preimage: In h : X → Y , and x ∈ § Out x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48

  9. Data Integrity, Secure Hash Cryptographic Hash Functions Definition (hash-family) A hash-family is ( X , Y , K , H ) X : set of messages Y : set of digests of authentication tags K : set of keys H : for each k ∈ K , there is h k ∈ H : X → Y 1 Preimage: In h : X → Y , and y ∈ Y Out x ∈ X s.t. h ( x ) = y 2 Second Preimage: In h : X → Y , and x ∈ § Out x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ 3 Collision: In h : X → Y Out x , x ′ ∈ X s.t. h ( x ) = h ( x ′ ) and x � = x ′ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 8 / 48

  10. Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48

  11. Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48

  12. Data Integrity, Secure Hash The properties of Hash functions: Random Oracle Model Introduced by Bellare and Rogaway in 1995 [Bellare and Rogaway, 1995]. Try to capture the essence of an “ideal” hash function: h : X → Y is chosen randomly. h is seen as a black box: querry through an Oracle. We can try to analyze hash functions independently from the particularities of the hash function considered. Algorithms are randomized algorithms . Notion of ǫ average-case success probability relatively to the number Q of queries to the oracle: ( ǫ, Q ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 9 / 48

  13. Data Integrity, Secure Hash Pre-image Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 10 / 48

  14. Data Integrity, Secure Hash Pre-image Find_PreImage(h,y,Q): choose X0 subset of X, |X0|=Q for all x in X0 do if h(x)=y then return (x) return (fail) Theorem If | X | = M the average-case success of Find Preimage is: ǫ = 1 − (1 − 1 / M ) Q F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 10 / 48

  15. Data Integrity, Secure Hash Second Pre-image Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 11 / 48

  16. Data Integrity, Secure Hash Second Pre-image Find_Second_PreImage(h,x,Q): y := h(x) choose X0 subset of X\{x}, |X0|=Q-1 for all x0 in X0 do if h(x0)=y then return (x0) return (fail) Theorem If | X | = M average-case success of Find Second Preimage is: ǫ = 1 − (1 − 1 / M ) Q − 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 11 / 48

  17. Data Integrity, Secure Hash Collision Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 12 / 48

  18. Data Integrity, Secure Hash Collision Find_Collision(h,x,Q): Choose X0 subset of X\{x}, |X0|=Q-1 for all x in X0 do y[x] := h(x) if y[x]=y[x’] for some x <> x’ then return (x,x’) else return (fail) Theorem The average-case success probability of Find Collision is, supposing that | X | = M ǫ = 1 − ( M − 1 )( M − 2 ) . . . ( M − Q + 1 ) M M M F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 12 / 48

  19. Data Integrity, Secure Hash Some numbers Birthday paradox and Find Second Preimage . In a group of 23 there is probability 1 / 2 that two persons have the same age: Q = 23 and M = 365. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 13 / 48

  20. Data Integrity, Secure Hash Some numbers Birthday paradox and Find Second Preimage . In a group of 23 there is probability 1 / 2 that two persons have the same age: Q = 23 and M = 365. Analysis of Find Collision . Theorem 4 gives the probability of no collisions: i =1 (1 − i Π Q − 1 M ) when x → 0 1 − x ≃ exp − x , thus − i Π Q − 1 i =1 (1 − i Π Q − 1 M ) ≃ i =1 exp M exp − Σ Q − 1 i = i =1 M − Q ( Q − 1) = exp 2 M We can express Q in terms of ǫ (probability to find a collision) and M . � 1 Q ≃ 2 M log( 1 − ǫ ) √ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 13 / 48 Thus for ǫ = 1 / 2 we have Q ≃ 1 . 17 M .

  21. Data Integrity, Secure Hash Collision using Second Preimage It is easy to find collision using the second preimage algorithm: choose random x in X if Find_Second_Preimage h(x)=x’ then return (x,x’) else return failure Hence because of the birthday paradox we have to take care of the size of the digest ! With probability 1 / 2 a 40-bits message digest only needs 2 20 random hashes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 14 / 48

  22. Proving Oneself’s Identity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 15 / 48

  23. Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48

  24. Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48

  25. Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48

  26. Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48

  27. Proving Oneself’s Identity Philosophy of Identity Philosophical problem hard to grasp: social vs. inner identity (Plato : life is an image on the wall of a cave). More prosaically, three ways to proves identity: Something you know: password, proof of a theorem, etc. Something you have: key, card, cellphone (via text message), email Something you are: biometrics. Each of these three ways have advantages/drawbacks. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 16 / 48

  28. Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48

  29. Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48

  30. Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48

  31. Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 Attack (parallel session) of the insecure scheme: Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48

  32. Proving Oneself’s Identity Challenge-Response and Randomization To identify oneself: very common every-day life process. Something that is going to be repeated over and over. Insecure Scheme: suppose Alice and Bob shares secret k Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( r ) and sends y to Bob. 2 Bob computes y ′ = h K ( r ). If y = y ′ Bob accepts, otherwise rejects. 3 Attack (parallel session) of the insecure scheme: Bob chooses a random challenge r , sends it to Alice. 1 Oscar intercepts r and sends it to Bob 2 Bob thinking it has received an id request from Alice computes 3 y = h K ( r ) and sends y back. Oscar can impersonate Alice by sending back the y he received from 4 Bob. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 17 / 48

  33. Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48

  34. Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48

  35. Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48

  36. Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). What about other attacks ?? F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48

  37. Proving Oneself’s Identity Naive Challenge Response Fixed Secure version: Bob chooses a random challenge r , sends it to Alice. 1 Alice computes y = h K ( ID ( Alice ) , r ) and sends y to Bob. 2 Bob computes y ′ = h K ( ID ( Alice ) , r ). If y = y ′ Bob accepts, otherwise 3 rejects. If Oscar tries to launch a parallel session he will do it with the wrong ID: knowing h K ( ID ( Bob ) , r ) does not help to compute h k ( ID ( Alice ) , r ). What about other attacks ?? = ⇒ What are the assumptions made ? Secret Key. Random Challenges. MAC Security. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 18 / 48

  38. Proving Oneself’s Identity Conclusion There are full books of MAC/identification/signature schemes/protocols. Different protocols for different usage: One time passwords. Tickets with limited time limit. With or without central authority. etc. It is very hard to have “convincing proofs” of their correctness. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 19 / 48

  39. Anonymous communications Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 20 / 48

  40. Anonymous communications Communicating without Revealing one’s Identity Everyday life concern: Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc. Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 21 / 48

  41. Anonymous communications Communicating without Revealing one’s Identity Everyday life concern: Confession at church, Anonymous disease testing, Anonymous medical consultation, Etc. Seems paradoxical at first: it appears that one should know where to send the data and where to return the answer. Many point of views: Sender anonymity. Receiver anonymity. External vs Internal observer. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 21 / 48

  42. Anonymous communications Sender Anonymity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 22 / 48

  43. Anonymous communications Sender Anonymity Sender Anonymity How to achieve sender’s anonymity allowing return adresses for the answer ? Useful in anonymous referee process. Web surfing under political watch. Etc. Seems paradoxical since the return adress should reveal the senders identity. Uses asymetric encryptions in layers for which encryption and decrytion commutes: K ( K ( M )) = K ( K ( M )) = M F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 23 / 48

  44. Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Idea The idea is to put many envelopes around the message in order for each intermediary to know only two links of the message path. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 24 / 48

  45. Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Specifications Let us name the public key of actor A with its name, and the private key with A . Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K ( R , K next ( R next , M ) , K next ) The mix K can decypher it and sends the second part of the message ( K next ( R next , M )) to K next F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 25 / 48

  46. Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], the Specifications Let us name the public key of actor A with its name, and the private key with A . Relays are called “mixes” they receive many messages and shuffle them before sending them back. The structure of a message sent to a mix K is K ( R , K next ( R next , M ) , K next ) The mix K can decypher it and sends the second part of the message ( K next ( R next , M )) to K next The procedure can be repeteadly nested: K n ( R n , K n − 1 ( R n − 1 , . . . K 2 ( R 2 , K 1 ( R 1 , B ( R 0 , M ) , B ) , K 1 ) . . . ) , K n − 1 ) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 25 / 48

  47. Anonymous communications Sender Anonymity Chaum’s mix nets [Chaum, 1981], Return Adress The anonymous return adress can be added to the message: K 1 ( R 1 , A ) , K A where K A is a session key, A is Alice’s adress. Bob sends: K 1 ( R 1 , A ) , K A ( R 0 , M ) and the mix K 1 decrypts the first part of the message and sends: R 1 ( K A ( R 0 , M )) to A using R 1 as an encryption key. This construction can be nested as well: K 1 ( R 1 , K 2 ( R 2 , . . . K n ( R n , A ) . . . )) , K A ( R 0 , M ) In the end Alice receives: R n ( R n − 1 ( . . . R 2 ( R 1 ( K A ( R 0 , M )) . . . ))) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 26 / 48

  48. Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48

  49. Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48

  50. Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48

  51. Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays. etc. ref http://freehaven.net/anonbib/ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48

  52. Anonymous communications Sender Anonymity Mix Nets in Real Life Attacking mix nets: Flooding the net with fake messages. Timing attacks between entry and output nodes. Earning a lot of relays. etc. ref http://freehaven.net/anonbib/ Mix nets in practice: The Onion routing, aka Tor. Not exactly mix nets but same ideas. NSAproof (they try other attacks). More than 2 Million Users and 6,500 relays: https://metrics.torproject.org/ F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 27 / 48

  53. Anonymous communications Sender and Receiver Anonymity Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 28 / 48

  54. Anonymous communications Sender and Receiver Anonymity Sender and Receiver Anonymity [Golle and Juels, 2004] Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 29 / 48

  55. Anonymous communications Sender and Receiver Anonymity Sender and Receiver Anonymity [Golle and Juels, 2004] Dining Cryptographers networks (DC-Networks) [Chaum, 1988] In a DC-net the anonymous message transmission may be accomplished by players in a non-interactive manner, i.e., in a single broadcast round. Problem: DC-nets are easily breakable with non cooperative players (honnest but curious is the limit). The problem is to be able to publish a message without knowing who has sent the message. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 29 / 48

  56. Anonymous communications Sender and Receiver Anonymity Basic Protocol A and B possesses k -bits messages m A , m B . A and B shares two keys of length k : k AB (0) , k AB (1) and a random bit b . F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 30 / 48

  57. Anonymous communications Sender and Receiver Anonymity Basic Protocol A and B possesses k -bits messages m A , m B . A and B shares two keys of length k : k AB (0) , k AB (1) and a random bit b . A and B publishes pairs of messages as follows: if b=0 then Alice: M A , 0 = k AB (0) ⊕ m A , M A , 1 = k AB (1) Bob: M B , 0 = k AB (0) , M B , 1 = k AB (1) ⊕ m B if b=1 then Alice: M A , 1 = k AB (0) , M A , 1 = k AB (1) ⊕ m A Bob: M B , 0 = k AB (0) ⊕ m B , M B , 1 = k AB (1) An observer can compute M A , 0 ⊕ M b , 0 and M A , 1 ⊕ M b , 1 yielding the unordered pair ( m A , m B ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 30 / 48

  58. Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48

  59. Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 To broadcast a message each players P i chosses a random position c i and XORs the message m i with W i ( c i ) obtaining V i = { V i (1) , . . . , V i ( n ) } that differ in position c i . If all players select a different c i the vector V = ⊕ n j =1 V j will consists in the set of messages posted by all players. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48

  60. Anonymous communications Sender and Receiver Anonymity Extension to multiple players Suppose there are n players P 1 , P 2 , . . . , P n . Each pair ( P i , P j ) shares a set of keys k i , j ( w ) for i , j , w ∈ { 1 , 2 , . . . , n } where K i , j ( w ) = k j , i ( w ). Each players P i computes a vector: W i = { W i (1) = ⊕ n j =1 k i , j (1) , . . . , W i ( n ) = ⊕ n j =1 k i , j ( n ) } Notice that ⊕ n j =1 W i ( w ) = 0 To broadcast a message each players P i chosses a random position c i and XORs the message m i with W i ( c i ) obtaining V i = { V i (1) , . . . , V i ( n ) } that differ in position c i . If all players select a different c i the vector V = ⊕ n j =1 V j will consists in the set of messages posted by all players. Receiver anonymity can be achieved through public key encryption of messages. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 31 / 48

  61. Electronic Cash Plan Introduction 1 Data Integrity, Secure Hash 2 Proving Oneself’s Identity 3 Anonymous communications 4 Sender Anonymity Sender and Receiver Anonymity Electronic Cash 5 Conclusion 6 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 32 / 48

  62. Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48

  63. Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve: false money. double spending. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48

  64. Electronic Cash Anonymous Money Payment mechanism without audit trail (typically the opposite of BitCoin) ... Raw issues to solve: false money. double spending. Political issue as well: governments are reluctant. Complicated protocols using many cryptographic ingredients: bit commitment, secret sharing and Blind signatures. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 33 / 48

  65. Electronic Cash Blind Signature Normally the signer knows what he is signing... F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48

  66. Electronic Cash Blind Signature Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48

  67. Electronic Cash Blind Signature Normally the signer knows what he is signing... In order to respect privacy it could be a good idea that it is not the case ! Completely blind signature: Alice takes the message to be signed and multiply it by a random value 1 (blinding factor). Alice sends the blinded document to Bob. 2 Bob signs the blinded document. 3 Alice divides by the blinding factor. 4 = ⇒ The signature function and multiplication must be commutative (eg RSA). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 34 / 48

  68. Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48

  69. Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography: Bob generates R , sends it to Alice 1 Alice makes her prediction (one bit) b and sends K ( R , b ) 2 When the time has come to make the prediction public Alice sends Bob 3 K . Bob decrypts it to reveal her bit and checks the random string. 4 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48

  70. Electronic Cash Bit Commitment Raw problem: commit a prediction without revealing it. The checker wants to make sure that the prediction is not changed once it has been formulated. Solution with symmetric cryptography: Bob generates R , sends it to Alice 1 Alice makes her prediction (one bit) b and sends K ( R , b ) 2 When the time has come to make the prediction public Alice sends Bob 3 K . Bob decrypts it to reveal her bit and checks the random string. 4 Solution with secure hash functions: Alice generates R 1 , R 2 and sends H ( R 1 , R 2 , b ) , R 1 to Bob. 1 When time has come to reveal the prediction Alice sends Bob 2 ( R 1 , R 2 , b ) Bob computes the Hash and compares it and R 1 3 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 35 / 48

  71. Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48

  72. Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t , w be positive integers, t ≤ w . A ( t , w )-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48

  73. Electronic Cash Secret Sharing Cryptographic version of what is implemented in highly secured environments: banks, nuclear missile silos etc. One needs several people to agree in order to perform some action. Definition Let t , w be positive integers, t ≤ w . A ( t , w )-threshold scheme is a method of sharing a key K among w participants in such a way that any subset of size t can compute K but no group of a lesser size can. The Shamir scheme is unconditionnaly secure (no limit on the amount of computation that can be performed by any subset of participants). Many cryptographic applications. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 36 / 48

  74. Electronic Cash Secret Sharing [Shamir, 1979], definition D is the dealer. P i , 1 ≤ i ≤ w are the participants. K ∈ Z p is the secret to be shared ( p > w ). F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 37 / 48

  75. Electronic Cash Secret Sharing [Shamir, 1979], definition D is the dealer. P i , 1 ≤ i ≤ w are the participants. K ∈ Z p is the secret to be shared ( p > w ). Definition (Shamir ( t , w )-Threshold Scheme) 1 Initialization Phase: D chooses w distinct, non-zero elements of Z p : x i , 1 ≤ i ≤ w . For i ∈ { 1 , . . . , w ), D gives x i to P i . x i are public values. 2 Share Distribution: D secretely and randomly choose t − 1 elements of Z p : a 1 , . . . , a t − 1 . 3 For 1 ≤ w ≤ w , D computes t − 1 � a j x j y i = a ( x i ) = K + mod p i j =1 4 For 1 ≤ i ≤ w , D gives the share y i to P i F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 37 / 48

  76. Electronic Cash Secret Sharing [Shamir, 1979], geometric interpretation The scheme relies on the Lagragian polynomial interpolation: there is only one polynomial curve of degree t − 1 groing through t different points ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 38 / 48

  77. Electronic Cash Secret Sharing [Shamir, 1979], recovering the secret Suppose P i 1 , . . . , P i t want to recover the secret. They know y i j = a ( x i j ) Since a ( x ) ahs degree at most t − 1: a ( x ) = a 0 + a 1 x + . . . + a t − 1 t − 1 There are t linear equations in the t unknowns a 0 + . . . + a t − 1 , there is a unique solution and a 0 is the key ! F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 39 / 48

  78. Electronic Cash Secret Sharing [Shamir, 1979], recovering the secret Suppose P i 1 , . . . , P i t want to recover the secret. They know y i j = a ( x i j ) Since a ( x ) ahs degree at most t − 1: a ( x ) = a 0 + a 1 x + . . . + a t − 1 t − 1 There are t linear equations in the t unknowns a 0 + . . . + a t − 1 , there is a unique solution and a 0 is the key ! Easier way to compute is to use the formula of Lagrangian interpolation (we just need to compute a (0)):   t x i k � � K =  y i j  x i k − x i j j =1 1 ≤ k ≤ t , k � = j F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 39 / 48

  79. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  80. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  81. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  82. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  83. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  84. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. 5 Alice opens the envelope and spends it with a Merchant. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

  85. Electronic Cash E-cash First Protocol (from [Chaum, 1982]) 1 Alice prepares 100 anonymous bills for 1000 $. 2 Alice blinds the 100 bills and sends them to the Bank. 3 The Bank opens (by asking Alice) 99 envelopes and confirms they are all 1000 $ notes. 4 The Bank blindly signs the last envelope and sends it back to Alice. The Bank deducts 1000$ from Alice’s account. 5 Alice opens the envelope and spends it with a Merchant. 6 Merchant takes the money, checks the Bank signature is correct and takes it to the Bank. F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´ Privacy and Computer Science (ECI 2015) Day 2 - Privacy/Identity from traditional Cryptographic erieure de Lyon) July 2015 40 / 48

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology

Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology

Privacy in D.A.T.A. Latanya Sweeney, Ph.D. Assistant Professor of Computer Science, Technology &amp; Policy Carnegie Mellon University latanya@privacy.cs.cmu.edu http://privacy.cs.cmu.edu/ The Question in this Talk Can computer scientists

801 views • 77 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS

Do Computer Science Definitions of Privacy Satisfy Legal Definitions of Privacy? The Case of FERPA and Differential Privacy CS LAW Kobbi Nissim Ben-Gurion University Center for Research on Computation and Society

865 views • 62 slides
Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in

Privacy Protection privacy notions and metrics; privacy in RFID systems; location privacy in vehicular networks; Security and Cooperation in Wireless Networks Georg-August University Gttingen Chapter outline 1 Important privacy related

1.12k views • 33 slides
2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science

2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science

2020 Vision For Web Privacy Eric Chan-Tin Assistant Professor Department of Computer Science Loyola University Chicago SNTA20 Keynote What does Privacy mean to you? What does Privacy mean to you? Personal What you buy What you

1.12k views • 58 slides
Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy -

CISPA Center for IT Security, Privacy and Accountabiltiy Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when,

573 views • 26 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong

Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong

Privacy Does Matter! Haojin Zhu Professor Computer Science &amp; Engineering Shanghai Jiao Tong University Scope of Privacy in This Talk Data about individuals Collection, using, and sharing of such data Privacy is primarily a

1.18k views • 98 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost

Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost

Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup Privacy and Computer Science

1.16k views • 103 slides
Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in

Data privacy: an introduction (part 1) Klara Stokes What is privacy? Privacy has been defined in many ways over the years. Usually privacy is concerned with the individual human being. We may talk about privacy as the control over your own

230 views • 21 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy.

Anonymity &amp; Privacy Alice Privacy EU directives (e.g. 95/46/EC) to protect privacy. College Bescherming Persoonsgegevens (CBP) What is privacy? Users must be able to determine for themselves when, how, to what extent and

798 views • 45 slides
Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics

ECE598NB Privacy Enhancing Technologies Spring 2006 Outline Privacy Overview Course Topics Course Structure Privacy Define privacy Privacy History Privacy has always existed Cities / large populations have made

173 views • 14 slides
Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F.

Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F.

Privacy and Computer Science (ECI 2015) Day 1 - Introduction why cryptography is not enough F. Prost Frederic.Prost@ens-lyon.fr Ecole Normale Sup erieure de Lyon July 2015 F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup Privacy

1.51k views • 115 slides
1 To allow the President to retrieve the situation after an unprovoked launch of Plan R, there

1 To allow the President to retrieve the situation after an unprovoked launch of Plan R, there

ECO 199 - GAMES OF STRATEGY Spring Term 2004 GUIDE TO STRATEGIES IN DR. STRANGELOVE What follows is a statement and discussion of the many strategic issues and incidents from the movie. It is based on the points brought up in class as well as

517 views • 3 slides
Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar,

Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar,

Situation Recognition: Visual Semantic Role Labeling for Image Understanding By Mark Yatskar, Luke Zettlemoyer, and Ali Farhadi Presentation by Rishub Jain Outline Problem statement Dataset Baseline model Experiments

734 views • 16 slides
Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh,

Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh,

CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.Washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner,

721 views • 33 slides
Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to

Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Client and Server model Client , like your computer or mobile phone, makes requests to specific server. Server gets the request and

441 views • 25 slides
Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct

Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct

Unit 11 - Communications Integrated Marketing Communications: Personal Selling g and Direct Marketing CuuDuongThanCong.com https://fb.com/tailieudientucntt The Nature of Personal Selling The Nature of Personal Selling The term

316 views • 17 slides
Scaling Machine Learning at Salesforce Leah McGuire, PhD Lead Member of Technical Staff What I

Scaling Machine Learning at Salesforce Leah McGuire, PhD Lead Member of Technical Staff What I

Scaling Machine Learning at Salesforce Leah McGuire, PhD Lead Member of Technical Staff What I am going to talk about: Blah blah blah. In case you are curious or want to take a nap. Blah The Salesforce use case helping companies

502 views • 22 slides
Three Part Series: Three-Part Series: Building an Effective Sales O Organization for the

Three Part Series: Three-Part Series: Building an Effective Sales O Organization for the

Three Part Series: Three-Part Series: Building an Effective Sales O Organization for the Recovery i ti f th R Summer 2010 Mike Marks, Mike Emerson, and Steve Deist Discussion Leaders Indian River Consulting Group Indian River

934 views • 56 slides
An Introduction to Marketing Automation Agenda 1. Who are Force24? 2. Automation principles Human

An Introduction to Marketing Automation Agenda 1. Who are Force24? 2. Automation principles Human

An Introduction to Marketing Automation Agenda 1. Who are Force24? 2. Automation principles Human argument Journeys - components, a look at the components we use Use cases for automation Common mistakes 2. Lead score Is it worth it? What is it?

301 views • 27 slides

More recommend