Nymbler: Privacy-enhanced Protection from Abuses of Anonymity

Anonymous communications networks help to solve the real and important problem of enabling users to communicate privately over the Internet. However, by doing so, they also introduce an entirely new problem: How can service providers on the Internet—such as websites, IRC networks and mail servers—allow anonymous access while protecting themselves against abuse by misbehaving anonymous users? Recent research efforts have focused on using anonymous blacklisting systems (also known as anonymous revocation systems) to solve this problem. As opposed to revocable anonymity systems, which enable some trusted third party to deanonymize users, anonymous blacklisting systems provide a way for users to authenticate anonymously with a service provider, while enabling the service provider to revoke access from individual misbehaving anonymous users without revealing their identities. The literature contains several anonymous blacklisting systems, many of which are impractical for real-world deployment. In 2006, however, Tsang et al. proposed Nymble, which solves the anonymous blacklisting problem very efficiently using trusted third parties. Nymble has inspired a number of subsequent anonymous blacklisting systems. Some of these use fundamentally different approaches to accomplish what Nymble does without using third parties at all; so far, these proposals have all suffered from serious performance and scalability problems. Other systems build on the Nymble framework to reduce Nymble’s trust assumptions while maintaining its highly efficient design. The primary contribution of this thesis is a new anonymous blacklisting system built on the Nymble framework—a nimbler version of Nymble—called Nymbler. We propose several enhancements to the Nymble framework that facilitate the construction of a scheme that minimizes trust in third parties. 
We then propose a new set of security and privacy properties that anonymous blacklisting systems should possess to protect: 1) users’ privacy against malicious service providers and third parties (including other malicious users), and 2) service providers against abuse by malicious users. We also propose a set of performance requirements that anonymous blacklisting systems should meet to maximize their potential for real-world adoption, and formally define some optional features in the anonymous blacklisting systems literature. We then present Nymbler, which improves on existing Nymble-like systems by reducing the level of trust placed in third parties, while simultaneously providing stronger privacy guarantees and some new functionality. It avoids dependence on trusted hardware and unreasonable assumptions about non-collusion between trusted third parties. We have implemented all key components of Nymbler, and our measurements indicate that the system is highly practical. Our system solves several open problems in the anonymous blacklisting systems literature, and makes use of some new cryptographic constructions that are likely to be of independent theoretical interest.
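To make the blacklisting idea concrete, the following is an added toy model (not code from the thesis, and not the Nymbler implementation) of the core Nymble-style mechanism the abstract refers to: a trusted manager derives, per user, service provider and linkability window, a one-way chain of seeds, and each time period's token ("nymble") is a one-way function of that period's seed. On a complaint about period t, the provider receives the seed for period t+1, which lets it recognise that user for the rest of the window but reveals nothing about earlier periods or about other windows. The secret, pseudonyms, provider id, window length and the HMAC/SHA-256 choices are all constructed assumptions; the real system also signs the tokens, which this model omits.

```python
import hashlib
import hmac

PERIODS = 8  # time periods per linkability window (constructed value)


def _prf(key: bytes, msg: bytes) -> bytes:
    """Keyed PRF standing in for the manager's secret seed-derivation function (assumption)."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def next_seed(seed: bytes) -> bytes:
    """One-way step seed_{i+1} = f(seed_i); not invertible, so a seed for period
    i+1 says nothing about periods <= i."""
    return hashlib.sha256(b"seed|" + seed).digest()


def nymble_of(seed: bytes) -> bytes:
    """nymble_i = g(seed_i): a second one-way function so a presented nymble
    does not leak the seed it was derived from."""
    return hashlib.sha256(b"nymble|" + seed).digest()


class NymbleManager:
    """Simplified trusted third party holding the secret behind every seed chain."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def initial_seed(self, pseudonym: bytes, sp_id: bytes, window: int) -> bytes:
        # Different windows give unrelated chains, so tokens are unlinkable across windows.
        msg = pseudonym + b"|" + sp_id + b"|" + window.to_bytes(4, "big")
        return _prf(self._secret, msg)

    def seed_at(self, pseudonym: bytes, sp_id: bytes, window: int, period: int) -> bytes:
        seed = self.initial_seed(pseudonym, sp_id, window)
        for _ in range(period):
            seed = next_seed(seed)
        return seed

    def issue_nymbles(self, pseudonym: bytes, sp_id: bytes, window: int) -> list:
        """Tokens the user presents in periods 0..PERIODS-1 of one window."""
        seed = self.initial_seed(pseudonym, sp_id, window)
        nymbles = []
        for _ in range(PERIODS):
            nymbles.append(nymble_of(seed))
            seed = next_seed(seed)
        return nymbles

    def linking_token(self, pseudonym: bytes, sp_id: bytes, window: int, complained_period: int):
        """On a complaint about period t, release seed_{t+1}: enough to recognise the
        user in periods t+1 .. end of window, nothing about earlier periods."""
        start = complained_period + 1
        return start, self.seed_at(pseudonym, sp_id, window, start)


class ServiceProvider:
    def __init__(self):
        self._linking = []  # blacklist entries: (window, start_period, seed)

    def blacklist(self, window: int, start_period: int, seed: bytes) -> None:
        self._linking.append((window, start_period, seed))

    def is_blacklisted(self, window: int, period: int, nymble: bytes) -> bool:
        """Walk each linking seed forward to `period` and compare the derived nymble."""
        for w, start, seed in self._linking:
            if w != window or period < start:
                continue
            s = seed
            for _ in range(period - start):
                s = next_seed(s)
            if hmac.compare_digest(nymble_of(s), nymble):
                return True
        return False


def demo() -> dict:
    nm = NymbleManager(secret=b"constructed-manager-secret")
    sp = ServiceProvider()
    alice, bob, site = b"pnym-alice", b"pnym-bob", b"example-sp"  # constructed ids

    alice_w1 = nm.issue_nymbles(alice, site, window=1)
    bob_w1 = nm.issue_nymbles(bob, site, window=1)
    alice_w2 = nm.issue_nymbles(alice, site, window=2)

    # Alice misbehaves in period 3 of window 1; the provider complains and gets seed_4.
    start, seed = nm.linking_token(alice, site, 1, complained_period=3)
    sp.blacklist(1, start, seed)

    return {
        "blocked_after": all(sp.is_blacklisted(1, p, alice_w1[p]) for p in range(start, PERIODS)),
        "anonymous_before": not any(sp.is_blacklisted(1, p, alice_w1[p]) for p in range(start)),
        "bob_unaffected": not any(sp.is_blacklisted(1, p, bob_w1[p]) for p in range(PERIODS)),
        "next_window_fresh": not any(sp.is_blacklisted(2, p, alice_w2[p]) for p in range(PERIODS)),
        "all_tokens_distinct": len(set(alice_w1 + alice_w2)) == 2 * PERIODS,
    }


if __name__ == "__main__":
    print(demo())
```

The model shows why the abstract stresses trust in third parties: the manager's secret alone decides who gets linked, and a manager colluding with the provider could derive the earlier seeds that the provider itself cannot compute. Reducing that trust while keeping the cheap hash-chain checks is the problem Nymbler addresses.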
