| author | Dennis Brentjes <d.brentjes@gmail.com> | 2017-06-05 09:45:31 +0200 |
|---|---|---|
| committer | Dennis Brentjes <d.brentjes@gmail.com> | 2017-06-05 09:45:31 +0200 |
| commit | 5482f6b544fa91273ec983892681b6c67e59e825 (patch) | |
| tree | d2a1de44153deef445508249eceb807cafa518a0 /content/cmix_additions.tex | |
| parent | 33483109b741824e163210acfda07dfa96876cc9 (diff) | |
Minor fixes for readability.
Diffstat (limited to 'content/cmix_additions.tex')
| -rw-r--r-- | content/cmix_additions.tex | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/content/cmix_additions.tex b/content/cmix_additions.tex index e2c2ee5..277dd02 100644 --- a/content/cmix_additions.tex +++ b/content/cmix_additions.tex @@ -1,6 +1,6 @@ \section{\cmix additions} \label{sec:cmixaddtions} -So the base protocol still has some issues, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use \cmix in the wild without these attack mitigations we implemented the extra messages needed. This makes for a more realistic benchmark. +So the base protocol still has some issues, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use \cmix in the wild without these attack mitigations. This implementation adds the extra messages needed as this results in a more realistic benchmark. \subsection{Tagging attack} \label{sec:tagging} 
@@ -8,5 +8,5 @@ In a tagging attack an adversary changes a message slightly and later can detect When you control the last node you can change the output of realtime precomputation phase slightly by when combining your nodes $r$ value for this slot with the input. you either combine the input with $r * i$, for cyclic group ElGamal, or $r + p$, for elliptic curve implementations. After all computations are done you have the plaintexts that you want to send out. If you can verify that one of the outputs is not valid, it probably is the value you modified with either $i$ or $p$. You now now the slot this value used to be in and you can reverse your tag by doing the reverse operation. This is undetectable in the network and thus compromise the network. Note that the last node is not special in \cmix, if all but one Node is malicious the protocol should still be safe. -To stop this attack we need to change the protocol. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each of the nodes to the next, we send a hash, a commitment to our decryption shares to the next node. The nodes keep the decryption shares to themselves, and will use them separately in the realtime phase. The last node also includes a hash of the current mix result. So the hash of $\pi(R)*S$ for all slots. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which caused the tagging attack to be possible in the first place. +To stop this attack we need to change the protocol. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each of the nodes to the next, we send a hash, a commitment to our decryption shares to the next node. The nodes keep the decryption shares to themselves, and will use them separately in the realtime phase. The last node also includes a hash of the current mix result. 
So the hash of the decryption of formula \ref{form:EPiRS}. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which caused the tagging attack to be possible in the first place. |
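
Review bot: In the first hunk (@@ -1,6 +1,6 @@), the added line leaves "Because it would not be safe to use \cmix in the wild without these attack mitigations." as a sentence fragment, since the full stop cuts the clause off from the statement it was justifying. Suggest joining the two: "Because it would not be safe to use \cmix in the wild without these attack mitigations, this implementation adds the extra messages needed, which results in a more realistic benchmark." While touching this paragraph, the unchanged context still has a comma splice in "some issues, thankfully these issues" and the label \label{sec:cmixaddtions} is misspelled; renaming the label needs every \ref to it updated in the same commit.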
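
Review bot: In the second hunk (@@ -8,5 +8,5 @@), the replacement drops "for all slots" from the description of the last node's hash, so the text no longer says what the commitment covers. The removed line read "the hash of $\pi(R)*S$ for all slots"; the new "So the hash of the decryption of formula \ref{form:EPiRS}." is a fragment, gives no scope, and makes the reader look up the formula to learn what is being hashed. Since this commitment is what the paragraph credits with stopping tampering with the $r$ values, suggest keeping both the reference and the explicit value, for example "The last node also includes a hash of the current mix result, that is, the hash of the decryption of formula~\ref{form:EPiRS}, $\pi(R)*S$, for all slots." The line break introduced in the middle of the paragraph before "So the hash" also looks unintentional. The tie "formula~\ref{...}" keeps the number from wrapping onto a new line.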
