author Dennis Brentjes <d.brentjes@gmail.com> 2017-04-29 13:06:59 +0200
committer Dennis Brentjes <d.brentjes@gmail.com> 2017-04-29 13:06:59 +0200
commit 7410a7182cf5b8e563b93b986d35663679329a66
tree 031af15f7f86b3f8be4d74737dbd6a3c153d8ae0 /content/cmix_additions.tex
parent 4b01d6a2fd7ed6cb7b9e994822ca737a613b4649
Adds some additional info about the cmix protocol implemented.
Diffstat (limited to 'content/cmix_additions.tex')
-rw-r--r-- content/cmix_additions.tex 11
1 files changed, 11 insertions, 0 deletions
diff --git a/content/cmix_additions.tex b/content/cmix_additions.tex
new file mode 100644
index 0000000..19cea01
--- /dev/null
+++ b/content/cmix_additions.tex
@@ -0,0 +1,11 @@
+\section{Cmix additions}
+
+So the base protocol still has some issues, thankfully these issues can be addressed at the cost of some speed and clarity. Because it would not be safe to use CMix in the wild without these attack mitigations we implemented the extra messages needed. This makes for a more realistic benchmark.
+
+\subsection{Tagging attack}
+In a tagging attack an adversary changes a message slightly and later can detect this tag and remove it, otherwise it wouldn't be undetectable. This leaks information of the the origin of the message and from which slot it came. The easiest variant of this would be if a malicious person had control over the last node.
+
+When you control the last node you can change the output of Realtime procomputation phase slightly by when combining your nodes $r$ value for this slot with the input. you either combine the input with $r * i$, for cyclic group elgamal, or $r + p$, for elliptic curve implementations. After all computations are done you have the plaintexts that you want to send out. If you can verify that one of the outputs is not valid, it probably is the value you modified with either $i$ or $p$. You now now the slot this value used to be in and you can reverse your tag by doing the reverse operation. This is undetectable in the network and thus compromise the network. Note that the last node is not special in CMix, if all but one Node is malicious the protocol should still be safe.
+
+To stop this attack we need to change the protocol. First we need to change the third step of the precomputation phase. Instead of sending the decryption shares of each of the nodes to the next, we send a hash, a commitment to our decryption shares to the next node. The nodes keep the decryption shares to themselves, and will use them seperately in the realtime phase. The last node also includes a hash of the current mix result. So the has of $\pi(R*S)$ for all slots. This makes that an adversary can no longer tamper with the $r$ values in the realtime phase, which caused the tagging attack to be possible in the first place.
+
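Review bot: The mitigation paragraph (last paragraph of the new file) says each node sends "a hash, a commitment to our decryption shares" and keeps the shares for the realtime phase, but it never states who opens and checks those commitments, or at which realtime step, so the text does not yet show how a modified $r$ value is actually detected. Please add a sentence saying when the shares are revealed and which nodes compare them against the committed hashes, and what happens on a mismatch. In the attack paragraph, $i$ and $p$ in "$r * i$" and "$r + p$" are used without being defined, "Realtime procomputation phase" mixes the two phase names, and "otherwise it wouldn't be undetectable" reads as the opposite of what is meant. Typos to fix in the same pass: "the the origin", "You now now the slot", "seperately", "So the has of $\pi(R*S)$", and the lowercase sentence start in "you either combine".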