Efficient Non-interactive Anonymous Communication

Abstract

Methods for untraceable and anonymous communication, such as anonymous routing networks and dining cryptographers networks, are in general very complex and suffer from high performance overhead of a minimum order of \(N^2\) encryptions for N participants. In this paper, we propose an original approach to untraceable communication that avoids some of the significant shortcomings of existing methods. Using non-interactive privacy-preserving aggregation as an underlying building block we achieve attractive features, including unsurpassed low computational and transmission overhead of only 3 encryptions per participant in only a single round.

Appendices

A Shi et al. Privacy-Preserving Aggregation

A non-interactive privacy-preserving sum aggregation was proposed Shi et al. [25]. It meets the aggregator oblivious security property under the DDH hardness assumption, and has therefore smaller ciphertexts than in [19]. Similar to the Joye and Libert scheme, it was originally proposed for the smart meter setting, and transmissions are limited to each user broadcasting a single encryption for each round, resulting in a low computational load and bandwidth. The Shi et al. scheme comprises the following steps:

Setup. A key center (KC) establishes a large public prime p. For each user \(P_i \in U\), KC randomly generates an encryption key \(s_i \in \mathbb {Z}_{p-1}\) in agreement with \(0 = - \sum _{1 \le i \le N} s_i \bmod p-1\).

Encryption. \(P_i \in U\) samples a timeseries consumption value \(m_{i}\) at time interval t, and computes the ciphertext:

$$\begin{aligned} c_{i} = g^{m_i} f(t)^{s_i} \bmod p \end{aligned}$$

where f is a secure hash function.

Aggregation and Decryption. After having received all N ciphertexts, they are multiplied according to

$$\begin{aligned} \hat{M} = \prod _{1 \le i \le N} c_i = \prod _{1 \le i \le N} g^{m_i} f(t)^{s_i} = \prod _{1 \le i \le N} g^{m_i} \bmod p \end{aligned}$$

cancelling out the encryption factors \(f(t)^{s_i}\), \(1 \le i \le N\). The aggregated plaintext is then found by computing the discrete logarithm of \(\hat{M}\) w.r.t. to the base g.

B A Privacy-Preserving Product Protocol

The non-interactive privacy-preserving sum aggregation was proposed Shi et al. [25], shown in Appendix A, can conveniently be simplified to a privacy-preserving product protocol simply by neglecting the final step of resolving the aggregated sum by computing the discrete logarithm. Therefore, this simplification meets the aggregator oblivious security property under the DDH hardness assumption.

Setup. Each user \(P_i\) is assigned a group U of exactly N members. For each user \(P_i \in U\), the key center randomly generates a secret encryption key \(s_i \in \mathbb {Z}_{p-1}\) in agreement with \(0 = \sum _{1 \le i \le N} s_i \bmod p-1\).

Encryption. \(P_i \in U\) encrypts the prime \(p_i\):

$$\begin{aligned} c_i = E_{s_i}(p_i, t) = p_i f(t)^{s_i} \bmod {p} \end{aligned}$$

where h is a secure hash function and t is a timestamp. The ciphertext is transmitted to the AC.

Aggregation and Decryption. Each user aggregates the received ciphertexts according to

$$\begin{aligned} \dot{p} = \prod _{1 \le j \le N} c_j = \prod _{1 \le j \le N} p_j f(t)^{s_j} = \prod _{1 \le j \le N} p_j \pmod {p} \end{aligned}$$

(2)

The multiplication is hence cancelling out the encryption factors \(f(t)^{s_j}\), \(1 \le j \le N\), yielding the product \(\dot{p}\). As can be seen, the procedure is identical to that of [25], with the exception of omitting the final discrete logarithm computation.