Chosen-ciphertext attack on receiver anonymity
Brent Waters <bwaters@theory.stanford.edu> Mon, 04 July 2005 23:19 UTC
Date: Mon, 04 Jul 2005 16:03:49 -0700
From: Brent Waters <bwaters@theory.stanford.edu>
To: ietf-openpgp@imc.org
Subject: Chosen-ciphertext attack on receiver anonymity
Message-ID: <Pine.LNX.4.62.0507041559420.20087@cipher.Stanford.EDU>
I wanted to bring up an issue that had to do with chosen-ciphertext attacks on receiver anonymity. The specific case I am worried about is when the "throw-keyid" option is used to encrypt a message to multiple recipients. My understanding is that the throw-keyid option should hide the identity of a receiver of the message (by throwing away the key-id) even from other receivers of a message.

Suppose I made such an encryption of M to Alice and Bob, then the hybrid encryption (at a high level) would look something like this:

1) Choose random symmetric key K
2) Ciphertext: (C1,C2,C')=E_{KeyAlice}(K),E_{KeyBob}(K),E_K(Message)

where C1,C2 are asymmetric encryption and C' is a symmetric key encryption.

At this point Alice and Bob can both decrypt the message, but neither can tell if the other was the other receiver. Suppose Bob suspects Alice was the other receiver. Then he can create a ciphertext:

(C1,C'')=E_{KeyAlice}(K),E_K(NewMessage)

and send this to Alice. If Alice responds to this in a meaningful way, she was the other receiver. NewMessage could be something simple like "Do you want to go to lunch?" which would likely elicit a response. Note, this can be a problem even if the ciphers are CCA-secure.

I have been discussing this type of a problem in the context of BCC privacy for email programs with Adam Barth and Dan Boneh. However, there could be wider implications as PGP is used in other contexts.

Anyway, I would be interested to hear comments.

Regards,
Brent

http://crypto.stanford.edu/~bwaters/
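The exchange described in the message above, modelled as an added example (not part of the original post and not code from any OpenPGP implementation). Toy ElGamal and a SHAKE-256 keystream stand in for the real ciphers; `Receiver`, `replay_scenario` and the session-key fingerprint cache are assumptions introduced here, the cache being one way a receiver could notice that a key packet has been re-used before replying.

```python
import hashlib, hmac, secrets

P, G = 2**127 - 1, 3   # toy ElGamal group; far too small for real use

def wrap(pub, k):      # E_{Key}(K); the packet carries no key ID (throw-keyid)
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), k * pow(pub, r, P) % P

def unwrap(priv, c):   # yields an unrelated value when the packet is for someone else
    return c[1] * pow(c[0], P - 1 - priv, P) % P

def _xor(kb, data):    # toy stream cipher: XOR with a SHAKE-256 keystream
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(kb).digest(len(data))))

def sym_encrypt(k, msg):   # E_K(Message) plus an integrity tag
    kb = k.to_bytes(16, "big")
    body = _xor(kb, msg)
    return body + hmac.new(kb, body, hashlib.sha256).digest()

def sym_decrypt(k, blob):  # None when K is wrong (tag mismatch)
    kb = k.to_bytes(16, "big")
    body, tag = blob[:-32], blob[-32:]
    ok = hmac.compare_digest(tag, hmac.new(kb, body, hashlib.sha256).digest())
    return _xor(kb, body) if ok else None

class Receiver:
    def __init__(self):
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)
        self.seen = set()  # assumption: fingerprints of session keys already received
    def receive(self, key_packets, blob):
        # Trial-decrypt each anonymous packet; return (plaintext, key_seen_before).
        for c in key_packets:
            k = unwrap(self.priv, c)
            msg = sym_decrypt(k, blob)
            if msg is not None:
                fp = hashlib.sha256(k.to_bytes(16, "big")).digest()
                reused = fp in self.seen
                self.seen.add(fp)
                return msg, reused
        return None, False

def replay_scenario():
    alice, bob, carol = Receiver(), Receiver(), Receiver()
    k = secrets.randbelow(P - 1) + 1
    c1, c2 = wrap(alice.pub, k), wrap(bob.pub, k)              # (C1, C2)
    alice.receive([c1, c2], sym_encrypt(k, b"Message"))        # original delivery
    second = sym_encrypt(unwrap(bob.priv, c2), b"NewMessage")  # C'' under Bob's copy of K
    return alice.receive([c1], second), carol.receive([c1], second)
```

Only the holder of the key behind C1 can read the second message, which is what makes a reply informative; the `True` flag in Alice's result marks a session key she has already seen, a cue to treat the message as a probe.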