Citation Context

... during a “blame” process. Misbehaving members are thus unable to corrupt or block other members’ messages, overrun the group with spam, stuff ballots, or create unlimited anonymous Sybil identities [=-=Douceur 2002-=-] or sock puppets [Stone and Richtel 2007] with which to bias or subvert a group’s deliberations. DISSENT builds on the sender-verifiable shuffle of Brickell and Shmatikov [2006], combining a similar ...

Citation Context

... with a 1-to-1 correspondence to real group members. DISSENT has limitations, of course. It is not intended for large-scale, “open-access” anonymous messaging or file sharing [Goldschlag et al. 1999; =-=Clarke et al. 2000-=-]. DISSENT’s accountability property assumes closed groups, and may be ineffective if a malicious member can leave and rejoin the group under a new (public) identity. Finally, DISSENT’s serialized GMP...

Citation Context

...ge m with the signature SIGu{m}.We assume that the underlying digital signature scheme provides existential unforgeability under an adaptive chosen message attack, that is, that it is EUF-CMA secure [=-=Goldwasser et al. 1995-=-]. Pseudorandom Number Generator: We use a standard definition [Stinson 2005] of a pseudorandom number generator (PRNG). Let g(s) be a pseudo-random number generator, where s is a seed. We will denote...

Citation Context

...bers τ , a hash key kh and optionally a message length L. All group members run the SETUP algorithm before each protocol run to agree on common parameters. Such agreement might be achieved via Paxos [=-=Lamport 1998-=-] or BFT [Castro and Liskov 1999]. We emphasize that SETUP does not generate members’ signature key pairs or create a binding between a user’s identity and his signature key pair; rather, it uses long...

Citation Context

... and optionally a message length L. All group members run the SETUP algorithm before each protocol run to agree on common parameters. Such agreement might be achieved via Paxos [Lamport 1998] or BFT [=-=Castro and Liskov 1999-=-]. We emphasize that SETUP does not generate members’ signature key pairs or create a binding between a user’s identity and his signature key pair; rather, it uses long-term verification keys submitte...

Citation Context

... protocols providing stronger anonymity, such as mix-networks [Chaum 1981; Adida 2006], onion routing [Goldschlag et al. 1999; Dingledine et al. 2004a], and Dining Cryptographers Networks or DC-nets [=-=Chaum 1988-=-; Waidner and Pfitzmann 1989; Sirer et al. 2004; Golle and Juels 2004], further weaken accountability, yielding forums in which no content may be considered trustworthy and no reliable defense is avai...

Citation Context

...s need not be saved.We assume that the underlying public-key cryptosystem provides indistinguishable ciphertexts against a chosen-ciphertext attack, that is, that the cryptosystem is IND-CCA2 secure [=-=Bellare et al. 1998-=-]. We also assume that members can check an arbitrary (x, y) purported to be a key pair to verify that it could have been generated by the specified key generation algorithm. We describe a ciphertext ...

Citation Context

...al reprisal.Yet anonymity makes it difficult to trace or exclude misbehaving participants. Online protocols providing stronger anonymity, such as mix-networks [Chaum 1981; Adida 2006], onion routing [=-=Goldschlag et al. 1999-=-; Dingledine et al. 2004a], and Dining Cryptographers Networks or DC-nets [Chaum 1988; Waidner and Pfitzmann 1989; Sirer et al. 2004; Golle and Juels 2004], further weaken accountability, yielding for...

Citation Context

...ty is vulnerable to traffic analysis [Serjantov et al. 2003] and performance is vulnerable to active disruption [Dingledine and Syverson 2002; Iwanik et al. 2004]. Cryptographically-verifiable mixes [=-=Neff 2001-=-; Furukawa and Sako 2001; Adida 2006] are a possible solution to disruption atACM Transactions on Information and System Security, Vol. 0, No. 0, Article 0, Publication date: January 2013. Security An...

Citation Context

...a], a well-known and practical approach to general anonymous communication on the Internet, is vulnerable to traffic analysis by adversaries who can observe streams going into and out of the network [=-=Syverson et al. 2000-=-]. Similarly, Crowds [Reiter and Rubin 1999] is vulnerable to statistical traffic analysis when an attacker can monitor many points across the network. Herbivore [Goel et al. 2003] provides unconditio...

Citation Context

...e is received from every member, the protocol proceeds to the next round. Therefore every member knows when another should send a message, and thus gossip techniques such as those used in PeerReview [=-=Haeberlen et al. 2007-=-] should be applicable via a wrapper protocol to ensure liveness. Moreover, we note that when every member follows the protocol, not only does it complete but it succeeds. 5. TECHNICAL PRELIMINARIES 5...

Citation Context

... general anonymous communication on the Internet, is vulnerable to traffic analysis by adversaries who can observe streams going into and out of the network [Syverson et al. 2000]. Similarly, Crowds [=-=Reiter and Rubin 1999-=-] is vulnerable to statistical traffic analysis when an attacker can monitor many points across the network. Herbivore [Goel et al. 2003] provides unconditional anonymity, but only within a small subg...

Citation Context

...rable to traffic analysis [Serjantov et al. 2003] and performance is vulnerable to active disruption [Dingledine and Syverson 2002; Iwanik et al. 2004]. Cryptographically-verifiable mixes [Neff 2001; =-=Furukawa and Sako 2001-=-; Adida 2006] are a possible solution to disruption atACM Transactions on Information and System Security, Vol. 0, No. 0, Article 0, Publication date: January 2013. Security Analysis of Accountable An...

Citation Context

...ity protocols. These protocols are often complex and contain subtle flaws in design, security proofs, or security definitions. For example, many mix network designs have claimed to provide anonymity [=-=Park et al. 1994-=-; Jakobsson 1998; Jakobsson and Juels 2001; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; Pfitzmann 1994; Mitomo and Kurosawa 2000;...

Citation Context

...igh-latency but practical anonymous communication, and can be adapted to group broadcast [Perng et al. 2006]. Unfortunately, for many mix-network designs, anonymity is vulnerable to traffic analysis [=-=Serjantov et al. 2003-=-] and performance is vulnerable to active disruption [Dingledine and Syverson 2002; Iwanik et al. 2004]. Cryptographically-verifiable mixes [Neff 2001; Furukawa and Sako 2001; Adida 2006] are a possib...

Citation Context

...roviding stronger anonymity, such as mix-networks [Chaum 1981; Adida 2006], onion routing [Goldschlag et al. 1999; Dingledine et al. 2004a], and Dining Cryptographers Networks or DC-nets [Chaum 1988; =-=Waidner and Pfitzmann 1989-=-; Sirer et al. 2004; Golle and Juels 2004], further weaken accountability, yielding forums in which no content may be considered trustworthy and no reliable defense is available against anonymous misb...

Citation Context

...se protocols are often complex and contain subtle flaws in design, security proofs, or security definitions. For example, many mix network designs have claimed to provide anonymity [Park et al. 1994; =-=Jakobsson 1998-=-; Jakobsson and Juels 2001; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; Pfitzmann 1994; Mitomo and Kurosawa 2000; Abe and Imai 20...

Citation Context

...oup broadcast [Perng et al. 2006]. Unfortunately, for many mix-network designs, anonymity is vulnerable to traffic analysis [Serjantov et al. 2003] and performance is vulnerable to active disruption [=-=Dingledine and Syverson 2002-=-; Iwanik et al. 2004]. Cryptographically-verifiable mixes [Neff 2001; Furukawa and Sako 2001; Adida 2006] are a possible solution to disruption atACM Transactions on Information and System Security, V...

Citation Context

...anize without fear of personal reprisal.Yet anonymity makes it difficult to trace or exclude misbehaving participants. Online protocols providing stronger anonymity, such as mix-networks [Chaum 1981; =-=Adida 2006-=-], onion routing [Goldschlag et al. 1999; Dingledine et al. 2004a], and Dining Cryptographers Networks or DC-nets [Chaum 1988; Waidner and Pfitzmann 1989; Sirer et al. 2004; Golle and Juels 2004], fur...

Citation Context

...imitives and Security Assumptions DISSENT makes use of several cryptographic tools, and its security depends on certain assumptions about their security. Hash functions: We use a standard definition [=-=Stinson 2005-=-] of a keyed hash function and will denote the hash of message m using key kh as HASHkh{m}. We assume that the hash function used is collision resistant [Rogaway and Shrimpton 2004]. Encryption: We us...

Citation Context

...ix network designs have claimed to provide anonymity [Park et al. 1994; Jakobsson 1998; Jakobsson and Juels 2001; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [=-=Pfitzmann and Pfizmann 1990-=-; Pfitzmann 1994; Mitomo and Kurosawa 2000; Abe and Imai 2003; Wikström 2003; Khazaei et al. 2012b] or to have weaknesses identified in their security definitions [Abe and Imai 2006]. DISSENT has bee...

Citation Context

...ed to provide anonymity [Park et al. 1994; Jakobsson 1998; Jakobsson and Juels 2001; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; =-=Pfitzmann 1994-=-; Mitomo and Kurosawa 2000; Abe and Imai 2003; Wikström 2003; Khazaei et al. 2012b] or to have weaknesses identified in their security definitions [Abe and Imai 2006]. DISSENT has been designed to av...

Citation Context

... often complex and contain subtle flaws in design, security proofs, or security definitions. For example, many mix network designs have claimed to provide anonymity [Park et al. 1994; Jakobsson 1998; =-=Jakobsson and Juels 2001-=-; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; Pfitzmann 1994; Mitomo and Kurosawa 2000; Abe and Imai 2003; Wikström 2003; Khazae...

Citation Context

...nd Network) is a communication protocol that provides strong integrity, accountability, and anonymity, within a well-defined group of participants whose membership is closed and known to its members [=-=Corrigan-Gibbs and Ford 2010-=-]. DISSENT enables members of such a group to send anonymous messages – either to each other, to the whole The work of Ewa Syta, Henry Corrigan-Gibbs, Shu-Chun Weng, David Wolinsky, and Bryan Ford was...

Citation Context

... subtle flaws in design, security proofs, or security definitions. For example, many mix network designs have claimed to provide anonymity [Park et al. 1994; Jakobsson 1998; Jakobsson and Juels 2001; =-=Golle et al. 2002-=-; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; Pfitzmann 1994; Mitomo and Kurosawa 2000; Abe and Imai 2003; Wikström 2003; Khazaei et al. 2012b] or ...

Citation Context

...ontent or behavior [Feigenbaum et al. 2011]. DISSENT and other protocols based on DC-nets [Waidner and Pfitzmann 1989; Golle and Juels 2004], and verifiable shuffles [Neff 2003; Khazaei et al. 2012a; =-=Bayer and Groth 2012-=-] aim to hold users accountable for protocol violations. Each client remains anonymous unless he misbehaves by breaking the rules of the protocol. In contrast, some other anonymity protocols [von Ahn ...

Citation Context

... such as mix-networks [Chaum 1981; Adida 2006], onion routing [Goldschlag et al. 1999; Dingledine et al. 2004a], and Dining Cryptographers Networks or DC-nets [Chaum 1988; Waidner and Pfitzmann 1989; =-=Sirer et al. 2004-=-; Golle and Juels 2004], further weaken accountability, yielding forums in which no content may be considered trustworthy and no reliable defense is available against anonymous misbehavior. DISSENT (D...

Citation Context

... Jakobsson 1998; Jakobsson and Juels 2001; Golle et al. 2002; 2002; Allepuz and Castello 2010], only to be broken in later work [Pfitzmann and Pfizmann 1990; Pfitzmann 1994; Mitomo and Kurosawa 2000; =-=Abe and Imai 2003-=-; Wikström 2003; Khazaei et al. 2012b] or to have weaknesses identified in their security definitions [Abe and Imai 2006]. DISSENT has been designed to avoid these and other common flaws [Desmedt and...

Citation Context

...mber generator, where s is a seed. We will denote the first L bits generated from g(s) as PRNG{L, s}. Non-interactive Commitments: We use a non-interactive commitment that is concurrent nonmalleable [=-=Pandey et al. 2008-=-]. The notation x = COMMIT{c} indicates that x is a commitment to c, and the notation c = OPEN{x} indicates that c is the opening of the commitment x. We note that minor protocol modifications would a...

Citation Context

...spired by DC-nets [Chaum 1988], an information coding approach to anonymity. Mix networks [Chaum 1981] offer high-latency but practical anonymous communication, and can be adapted to group broadcast [=-=Perng et al. 2006-=-]. Unfortunately, for many mix-network designs, anonymity is vulnerable to traffic analysis [Serjantov et al. 2003] and performance is vulnerable to active disruption [Dingledine and Syverson 2002; Iw...

Citation Context

...06]. Unfortunately, for many mix-network designs, anonymity is vulnerable to traffic analysis [Serjantov et al. 2003] and performance is vulnerable to active disruption [Dingledine and Syverson 2002; =-=Iwanik et al. 2004-=-]. Cryptographically-verifiable mixes [Neff 2001; Furukawa and Sako 2001; Adida 2006] are a possible solution to disruption atACM Transactions on Information and System Security, Vol. 0, No. 0, Articl...

Citation Context

...l violations or for undesirable content or behavior [Feigenbaum et al. 2011]. DISSENT and other protocols based on DC-nets [Waidner and Pfitzmann 1989; Golle and Juels 2004], and verifiable shuffles [=-=Neff 2003-=-; Khazaei et al. 2012a; Bayer and Groth 2012] aim to hold users accountable for protocol violations. Each client remains anonymous unless he misbehaves by breaking the rules of the protocol. In contra...

Citation Context

... users accountable for protocol violations. Each client remains anonymous unless he misbehaves by breaking the rules of the protocol. In contrast, some other anonymity protocols [von Ahn et al. 2006; =-=Diaz and Preneel 2007-=-; Backes et al. 2014] attempt to unmask a client’s identity if the client’s actions or the contents of his messages are unacceptable or unpopular, when a set of explicitly or implicitly defined partie...

Citation Context

...several ways in which anonymity protocols have provided some notion of accountability. In general, they may offer accountability either for protocol violations or for undesirable content or behavior [=-=Feigenbaum et al. 2011-=-]. DISSENT and other protocols based on DC-nets [Waidner and Pfitzmann 1989; Golle and Juels 2004], and verifiable shuffles [Neff 2003; Khazaei et al. 2012a; Bayer and Groth 2012] aim to hold users ac...

Citation Context

...protocol violations. Each client remains anonymous unless he misbehaves by breaking the rules of the protocol. In contrast, some other anonymity protocols [von Ahn et al. 2006; Diaz and Preneel 2007; =-=Backes et al. 2014-=-] attempt to unmask a client’s identity if the client’s actions or the contents of his messages are unacceptable or unpopular, when a set of explicitly or implicitly defined parties agrees to. 3. INFO...

Citation Context

...yst. Sec. 0, 0, Article 0 (January 2013), 30 pages. DOI:http://dx.doi.org/10.1145/0000000.0000000 1. INTRODUCTION Anonymous participation is often considered a basic right in free societies [Yale Law =-=Journal 1961-=-]. The limited form of anonymity the Internet provides is a widely cherished feature enabling people and groups with controversial or unpopular views to communicate and organize without fear of person...

Citation Context

...d anonymity. Obtaining a provably secure protocol required a surprising amount of additional work given the relative simplicity and maturity of the underlying ideas. However, as observed by Wikström =-=[2004]-=-, the complexity of anonymous communication protocols has frequently resulted in incomplete proofs and subtle errors (see further discussion in Section 2). Section 3.4 discusses in greater detail the ...

Citation Context

...proofs and subtle errors (see further discussion in Section 2). Section 3.4 discusses in greater detail the discovered flaws and the resulting changes to the protocol. The full version of this paper [=-=Syta et al. 2013-=-] details the discovered flaws and their fixes, and also includes full details of protocols, properties, and proofs. The main contributions of this paper, therefore, are (1) we provide a full descript...