Breaking four mix-related schemes based on Universal Re-encryption

Special Issue Paper, International Journal of Information Security

Abstract

Universal Re-encryption allows El-Gamal ciphertexts to be re-encrypted without knowledge of their corresponding public keys. This has made it an enticing building block for anonymous communications protocols. In this work we analyze four schemes related to mix networks that make use of Universal Re-encryption and find serious weaknesses in all of them. Universal Re-encryption of signatures is open to existential forgery; two mix schemes can be fully compromised by a passive adversary observing a single message close to the sender; the fourth scheme, the rWonGoo anonymous channel, turns out to be less secure than the original Crowds scheme, on which it is based. Our attacks make extensive use of unintended “services” provided by the network nodes acting as decryption and re-routing oracles. Finally, our attacks against rWonGoo demonstrate that anonymous channels are not automatically composable: using two of them in a careless manner makes the system more vulnerable to attack.
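As an added illustration that is not part of the paper, the Python sketch below implements the Universal Re-encryption construction for El-Gamal (Golle, Jakobsson, Juels and Syverson, 2004) that the abstract builds on: a ciphertext carries a second El-Gamal encryption of the identity, so any node can re-randomise it using the ciphertext alone, and only the key holder can tell that a message is addressed to it. The group parameters (p = 2039, q = 1019, g = 4) and the sample message are toy values constructed here.

```python
# Added example (not the paper's code): Universal Re-encryption for El-Gamal.
# Toy parameters constructed for this demonstration: safe prime p = 2q + 1 and
# the order-q subgroup of quadratic residues generated by g = 2**2.  Far too
# small for real use; all values below live in that subgroup.
import secrets

P = 2039   # constructed safe prime, p = 2*1019 + 1
Q = 1019   # prime order of the subgroup used for messages and keys
G = 4      # 2**2 mod p generates the order-q subgroup


def keygen():
    """El-Gamal key pair: private x in [1, q-1], public y = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(y, m):
    """Universal Re-encryption ciphertext under public key y.
    First pair: ordinary El-Gamal encryption of m.  Second pair: El-Gamal
    encryption of 1 under the same key; it is what later lets a node
    re-randomise the first pair without knowing y."""
    k0 = secrets.randbelow(Q - 1) + 1
    k1 = secrets.randbelow(Q - 1) + 1
    return ((m * pow(y, k0, P) % P, pow(G, k0, P)),
            (pow(y, k1, P), pow(G, k1, P)))


def reencrypt(ct):
    """Re-randomise ct using only ct itself (no public key involved).
    (a1, b1) encrypts 1, so (a1^k0, b1^k0) also encrypts 1; multiplying it
    into (a0, b0) keeps the plaintext while changing every component, and
    raising the second pair to k1 refreshes it for the next hop."""
    (a0, b0), (a1, b1) = ct
    k0 = secrets.randbelow(Q - 1) + 1   # nonzero, so (a0, b0) always changes
    k1 = secrets.randbelow(Q - 1) + 1
    return ((a0 * pow(a1, k0, P) % P, b0 * pow(b1, k0, P) % P),
            (pow(a1, k1, P), pow(b1, k1, P)))


def decrypt(x, ct):
    """Return m if ct is addressed to private key x, otherwise None.
    The holder of x recognises its own traffic because the second pair
    decrypts to 1; anyone else gets a random group element there."""
    (a0, b0), (a1, b1) = ct
    if a1 * pow(b1, -x, P) % P != 1:    # a1 / b1^x must equal 1
        return None
    return a0 * pow(b0, -x, P) % P
```

The `decrypt` test is the only place a receiver learns whether a ciphertext is for it, which is why the abstract singles out nodes that reveal that answer, or re-route on it, as unintended oracles.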



Author information

Correspondence to George Danezis.


Cite this article

Danezis, G. Breaking four mix-related schemes based on Universal Re-encryption. Int. J. Inf. Secur. 6, 393–402 (2007). https://doi.org/10.1007/s10207-007-0033-y