Efficient Non-interactive Anonymous Communication

Abstract

Methods for untraceable and anonymous communication, such as anonymous routing networks and dining cryptographers networks, are in general very complex and suffer from high performance overhead of a minimum order of \(N^2\) encryptions for N participants. In this paper, we propose an original approach to untraceable communication that avoids some of the significant shortcomings of existing methods. Using non-interactive privacy-preserving aggregation as an underlying building block we achieve attractive features, including unsurpassed low computational and transmission overhead of only 3 encryptions per participant in only a single round.

1 Introduction

The necessity for privacy exists in numerous ICT applications. Anonymous communication refers to sender untraceability in which transmitted data elements cannot be linked to the sender. Sometimes receiver untraceability is also desired, in which the receiver of transmitted data elements cannot be determined. Sender anonymity, untraceable data transmission, data collection, and message submission are desired core privacy features of many privacy-related applications, such as voting systems, anonymous surveys, social networks, and more. Anonymous communication systems can be divided into categories including anonymous routing networks (AR nets) and dining cryptographers networks (DC nets) [1, 6, 9, 15, 18, 20, 23, 27, 28]. AR nets cover approaches such as mix nets [7, 10,11,12, 29, 30], onion routing [17], and crowds [24]. These are end-to-end-oriented, in which a sender communicates with a receiver through a network of designated proxies (message forwarding nodes) by which the communication becomes untraceable w.r.t. the senders. AR nets have generally low to medium latency.

DC nets differ from AR nets by not using message-forwarding and having no trusted proxies. Rather they are group- and broadcast-oriented, assuming a closed group of N participants, where each group member is able to communicate anonymously with the other group members. To realize untraceable transmission of a single message, the collaboration of all group participants is necessary. An inherent implication is that the sending order must be determined anonymously, and thus an additional synchronization protocol is necessary, adding to the complexity.

The existing approaches have significant disadvantages regarding high complexity and high transmission overhead of an order of minimum \(N^2\) messages and a correspondingly high computational overhead. All existing approaches are interactive, which impacts latency and incurs in general very complex protocol designs. A performance comparison with some prominent and well-performing anonymous communications schemes is shown in Table 1.

Contributions. In this paper, we propose a novel and original approach to untraceable communication that avoids the mentioned significant shortcomings of existing methods. Using non-interactive privacy-preserving aggregation [4, 8, 16, 19, 25] as a building block we achieve the following attractive features:

• Unsurpassed low transmission and computational overhead: Each participant computes and broadcasts only 3 encryptions.

• Non-interactive: All participants transmit (broadcast) in a single round. No particular sending order or synchronization is necessary, and there are no user interactions where one transmission triggers off another transmission.

• Simple design: There is only a single round. The scheme is simple to implement.

Outline. Related work is discussed in Sect. 2. Some background on privacy-preserving aggregation is presented in Sect. 3. In Sect. 4 the novel anonymous communication scheme is presented, and Sect. 5 concludes the paper.

2 Related Work

In this we section look into techniques for anonymous communication that we divide into the two categories of anonymous routing networks and dining cryptographers networks. For a comprehensive survey, see Shiraz et al. [26]. Existing techniques are in common complex and have low performance with transmission and computational overhead of an order of minimum \(N^2\).

2.1 Anonymous Routing Networks

Anonymous routing techniques comprise mix nets [10], including variants such as [7, 29] discussed below, onion routing [17], and crowds [24]. These are anonymization networks, assuming a number of intermediate computers (or nodes) forwarding messages on behalf of a sender and a receiver. The intermediate nodes are third parties that may be trusted or untrusted.

Mix nets were originally proposed by Chaum [10], having a number of N intermediates (called mix nodes or mixes by Chaum) in a fixed chain configuration (mix cascade). The senders encrypt their messages N times using the public key of each intermediate. Each intermediate waits for a predefined number (threshold) of ciphertexts to be received (into a batch). When the threshold is reached, it decrypts each ciphertext, thus removing one layer of encryption, and forwards the partially decrypted ciphertexts in a random (shuffled) order to the next intermediate. Assuming that the ciphertexts have the same lengths, the reshuffling breaks the input-output-relation, creating unlinkability. In conclusion, mix nets have a high transmissions and computation cost of \(N^2\) transmission and \(N^2\) public key encryptions. The threshold criterion combined with the serial mix node configuration incur high latency.

A mix net variant was proposed by Yang et al. [29] for anonymous (oneway) data collection, enabling a fixed group of respondents to anonymously send to a single receiver (the miner). It has two operational distinctions from [10]; instead of a chained mix cascade, the participants interact in parallel with the receiver; and instead of multiple encryptions, each sender encrypts only once using an aggregated Diffie-Hellman-type public key, \(y = \prod _{i=j}^N y_j= g^x\), of which the sum of the corresponding private keys is \(x = \sum _{j=1}^N x_j\). Each responder \(P_i\) produces an ElGamal ciphertext \((c_i = m_i y^{r_i}, d_i=g^{r_i})\), where \(r_i\) is an ephemeral private key. The miner sends all N encryptions to respondent \(P_1\), who blinds them by multiplying an ephemeral random encryption factor \(\delta _k\) to both ElGamal cipher elements \((c_j y^\delta _k, d_j g^\delta _k)\), \(1 \le k \le N\), before returning the modified ciphertexts in a random order to the miner, thus achieving untraceability. This process is repeated until the last respondent \(P_N\). Next, each respondent \(P_i\) computes N partial decryptions, i.e., the ElGamal decryption factor \(e_{j,i} = (d_j g^\delta _k)^{x_i}\), \(1 \le j \le N\). By combining the partial decryptions pertaining to a given ciphertext, the plaintexts \(m_i = (c_i y^\delta _k) \prod _{j=1}^N e_{i,j} = (m_i y^{r_i} y^\delta _k) \prod _{i=1}^N g^{-r_j x_i} g^{\delta _k x_i}\), \(1 \le i \le N\), are restored due to the mutual elimination of the respective encryption factors. The transmission overhead is high, by \(4 N^2 + N\) transmitted ElGamal encryptions.

Brickell and Shmatikov [7] proposed a mix net scheme providing fault detection, but instead of third party mixes, a group of N sending participants form a chain configuration, using layered encryption. Each participant encrypts his or her message N times using the public key of each of participant in order \(P_1, P_2, \ldots , P_N\), resulting in \(C_i\). This encryption process is then repeated, but now N encryption layers are added using a secondary public key of each participant, resulting in \(C_i'\). The reason for the repeated encryptions is for detecting faulty behavior. An intermediate waits for a number of ciphertexts to be received, decrypts, thus removing one layer of encryption, and forwards the new ciphertexts in a random order to the next intermediate. The participants send their multi-layered ciphertexts to \(P_1\) who decrypts all ciphertexts, randomly and secretly rearranges their order. \(P_1\) sends the shuffled ciphertexts \(\vec {C}_1\) to \(P_2\) who decrypts and shuffles the ciphertexts in \(\vec {C}_1\), resulting in \(\vec {C}_2\). This is done by all, ending with \(P_N\). The decryptions are checked by all participants who checks that his encryption \(C_i'\) is included. If alright, the participants remove the remaining N layers of encryption.

Crowds [24] was intended for anonymous web browsing. In crowds, messages are routed by the intermediates by means of random paths to and from the intended web servers. When a web browser makes a request, an intermediate flips a biased coin to determined whether to forward the request to another intermediate or directly to the web server. In the former case, the intermediate selects another intermediate at random to which it forwards the request. Subsequent requests and server responses follow the same path. Crowds assume symmetric key encryption, and each pair of intermediates share a symmetric encryption key. To reduce latency, communication is encrypted using a path key. This key is generated by the first intermediate, and is forwarded to the next intermediate in the path by encrypting it with the key it shares with the next intermediate. Crowds does not provide anonymity against global eavesdroppers.

2.2 Dining Cryptographers Networks

The idea of dining cryptographers networks (DC nets) was proposed by Chaum [9]. The concept was later revised by Waidner [27] using additive groups \(\mathbb {G}\) modulo p, instead of bitwise XOR operations as originally proposed by Chaum. DC nets assume a (closed) group \(\mathcal {U} = \{P_1, \ldots , P_N \}\) of N participants arranged in a logical ring topology or a complete graph (or star) topology, where a node symbolizes a user and an edge represents a secret key that is shared by its two adjacent users. Specifically, in a ring arrangement, each user \(P_i\) shares the secret ephemeral key \(k_{i-1,i}\) with the adjacent user \(P_{i-1}\) and the ephemeral key \(k_{i,i+1}\) with \(P_{i+1}\), so that each user holds in total two shared secrets. In a star arrangement, each user shares a unique secret with each other user, so there are in total \(N(N-1)\) shared secrets. Application of the Diffie-Hellman-primitive is convenient for establishing shared ephemeral DH keys. DC nets provide unconditional security, which may not be provided by the chosen key establishment method.

For each round, only one participant can send an encrypted plaintext, but the participation of the remaining users is required. To send a message anonymously (in a ring topology), \(P_i \in \mathcal {U}\) blinds the plaintext \(m_i\) by means of the shared secrets, and broadcasts the encryption \(c_i = m_i \oplus k_{i-1,i} \oplus k_{i,i+1}\). Each of the other participants \(P_j \in \mathcal {U} \backslash \{P_i\}\) broadcasts an “empty” encryption \(c_j = k_{j-1,j} \oplus k_{j,i+1}\). The plaintext is anonymously obtained by combining all encryptions \(m_i = \bigoplus _{j=1}^N c_j \), in which the pairwise shared keys cancel each other out. As the encryptions are indistinguishable, it is not possible to determine the originator of \(m_i\).

DC nets can be realized by additive groups [27] for integrating number-theoretic primitives such as Diffie-Hellman key establishment. An (non-empty) encryption on this form becomes \(c_i = m_i \ k_{i-1,i}^{-1} \ k_{i,i+1} \mod p\), where \(k_{i-1,i}\) and \(k_{i,i+1}\) are secret ephemeral DH blinding factors. Aggregating the encryptions by multiplication restores \(m_i = \prod _{j=1}^N c_j \mod p\).

If two or more encrypted plaintexts are sent in one round, a collision occurs resulting in an aggregated plaintext, in which case the plaintexts cannot be restored. To prevent collisions, it is necessary to establish an anonymous sending order before the sending can take place. This is known as scheduling or slot reservation, of which the participants agree on a sending schedule in an anonymous way so that each participant learns when to send but not who is sending in the other respective rounds.

In addition to the mentioned disadvantages, the pairwise shared encryption factors must be ephemeral to prevent plaintext leakage. Depending on the key establishment scheme, this incurs extra transmission and computational overhead. Other shortcomings of DC nets are “churn”, scalability, and high latency.

2.3 Disruption

DC nets are vulnerable to disruption, in which a participant sends an invalid encryption or a random message, or modifies somebody else’s valid encryption, with the result that legitimate plaintexts cannot be recovered. This begs the questions of how disruptions be can detected and how invalid encryptions can be identified. Disruption detection can be done subjectively, meaning that the originator of an encryption checks whether his or her encryption has been tampered with, in which case that user must take action and inform the remaining participants. “Universal” disruption detection capability is a stronger feature that allows anybody to check the correctness of any encryption.

Disruption identification is considered a difficult problem in DC nets, since this should be resolved without compromising anonymity of honest participants. Disruption is related to collision detection and collision resolution, in the context of slot scheduling [5, 6, 27, 28], in the sense that collisions may render colliding encryptions invalid.

Chaum was the first to address this problem by proposing a trap mechanism, in which the participant declare a trap or non-trap for his or her reserved sending slot. If a trap is declared, the message is random, and a cryptographic commitment for the random message is computed. If a dishonest party tries to disrupt the communication, this is detected by the sending party who proves this by opening the commitment by sending the encryption key. Disadvantages are the added transmission overhead and that this mechanism is probabilistic, effective in some but not all cases.

Golle and Juels [18] proposed using non-interactive zero-knowledge proofs based on the bilinear Diffie-Hellman key exchange primitive. Their approach allows anybody to (universally) detect invalid encryptions by means of additional verification elements. Long-terms encryption keys are generated using a polynomial function (cf. (k, n)-threshold cryptography) to enable recovery from disruption or network faults. A variant of zero-knowledge proofs using Pedersen commitments was proposed by Franck and van de Graaf [15].

Nosouhi et al. [23] describe a straight-forward XOR-type DC-net scheme with subjective disruption management. If a user detects that his or her encryption has been tempered with or corrupted, everybody has to publicize their pairwise keys pertaining to the relevant slot. Then each user \(P_i\) checks if the keys shared with the adjacent users \(P_{i-1}, P_{i+1}\) are different from the publicized keys. Since the message cannot be recovered, it can be said that anonymity is preserved in such situations.

2.4 Hybrid Approaches

Corrigan-Gibbs and Ford [11] proposed a hybrid approach (Dissent) combining mix nets (the shuffle scheme by Brickell and Shmatikov [7] described in Sect. 2.1) and XOR-type DC nets. Its goals are moderate-sized groups, variable-length message support, and disruption support. Despite that the bulk scheme builds on DC nets, the authors claim that their approach is “efficient enough for latency-tolerant messaging in small distributed groups”, a claim that is most reasonably disputed by Bauer and Staudemeyer [1].

Each user establish two ephemeral key pairs, for inner and outer encryption, and all public keys are distributed to all users. By means of the shuffle scheme, each user \(P_i\) anonymously distributes a message descriptor \(d_i\), whose purpose is to facilitate variable length encryptions w.r.t. the subsequent invocation of the DC net protocol. It indicates the size of his or her message \(m_i\). Regarding the subsequent DC net encryption, it contains N “seeds”, each seed is encrypted with the public key of the respective user.

\(P_i\) encrypts \(d_i\) N times using the “inner” public key of each of participant in order \(P_1, P_2, \ldots , P_N\), resulting in the ciphertext \(C_i'\), and N more times by means of the N outer public keys, resulting in \(C_i\). The reason for the outer encryption layers is to detect faulty behavior (disruption). After the N outer encryption layers have been removed during the shuffle, \(P_N\) broadcasts the inner-encrypted message descriptors. Everybody checks that his \(C_i'\) is included or not. If there are no complaints about missing or invalid encryptions, then all participants broadcasts the inner private key, allowing all participants to remove the remaining N layers of encryptions from each \(C_i'\), obtaining the message descriptor plaintexts in random order. Each user recognizes its own descriptor and its position, knowing when to send the genuine and empty encryptions. XOR DC net sending is then conducted. By means of \(d_i\), the participants compute and broadcast a variable length encryption for each round.

3 Preliminaries

Our new approach to untraceable communication is based on privacy-preserving aggregation. A key observation is that sender untraceability is implicitly provided by privacy-preserving aggregation, as explained further in Sect. 4. In this chapter we will provide a brief background on this topic.

3.1 Privacy-Preserving Aggregation

Secure multiparty computation (SMC) is a class of cryptographic protocols that enable two or more participants, not trusting each other, to jointly compute a function over their inputs while keeping those inputs private. Privacy-preserving aggregation is a subfield of SMC that enables a group of participants to compute an aggregation (sum or product) without having to disclose their inputs to any party. Many privacy-preserving aggregation schemes assume homomorphic cryptography. The inputs are encrypted, and by aggregating the encryptions only a plaintext sum (or product) is produced. Depending on protocol designs, aggregation is performed by a single (untrusted) central entity or locally by each participant, in which all encryptions are broadcasted and received by the participants themselves.

Furthermore, we can distinguish between interactive and non-interactive privacy protocols. Non-interactive protocols are characterized by unidirectional communication or broadcasting, and there are no interactions in which one transmission triggers off another transmission [2, 13, 19, 25]. Interactive protocols are in contrast characterized by multiple rounds of communication [3, 14, 16, 21, 22]. Consequently, the former approaches are more efficient and have lower transmission and computational overhead than the latter.

The non-interactive privacy-preserving aggregation scheme of Shi et al. [25] (cf. Appendix A) is very efficient, having only one round of communication and one modular exponentiation per user. For this reason, we suggest a modification (cf. Appendix B) as a building block for the proposed scheme.

The security property achieved by privacy-preserving aggregation is often referred to as aggregator obliviousness. The following informal definition is adapted from [19]:

Definition 1

(Aggregator obliviousness). This notion requires that the aggregator \(\mathcal {A}\) cannot learn any more than the aggregated value from the encrypted inputs of the (honest) users. If there are dishonest users (i.e., users sharing their private information with the aggregator), the notion only requires that the aggregator gets no extra information about the values of the honest users beyond their aggregated value. It is assumed that each user encrypts only one value per time period.

We observe that if the aggregation scheme is secure, it is not possible to disclose individual plaintext inputs, which means that untraceability is inherently achieved.

3.2 Performance Goals

Transmission and computational overhead should be as low as possible and the protocol design should not be complex, which infer that interaction should be avoided. The proposed protocol has an unsurpassed efficiency, with a transmission overhead of only three group elements and a computational overhead of only three modular exponentiations per user.

3.3 Security Goals

The security properties we wish the protocol to satisfy is foremost sender anonymity (untraceability), although receiver anonymity (untraceability) is also provided due to broadcasting. Sender untraceability means that it must be infeasible to link (or trace) any plaintext message to its originator (the sender) with more than 1/N probability, assuming no colluding participants. Likewise, receiver untraceability means that a certain message cannot be linked to a particular receiver with more than 1/N probability.

3.4 Adversarial Model

The adversarial model is honest-but-curious, a.k.a. semi-honest, meaning that the participants will not deviate from the protocol specification in how they compute and exchange messages. They may attempt to learn all possible information from the legitimately computed messages. An adversary can consist of up to \(N-2\) colluding participants or an external party. We assume the attacker is computationally polynomial-time limited and can monitor all network traffic.

4 Non-interactive Anonymous Communication Using Privacy-Preserving Aggregation

To achieve untraceable communication, we assume a predefined group of N individuals. For any given round, each participant can anonymously send a message by means of three encryptions that are broadcasted and received by everyone else in the group. There is no single aggregator and no decryption key, although this could be possible by a minor modification of the scheme. No particular transmissions order, synchronization, or coordination is necessary. Given that it is not computationally feasible to recover any plaintext in other ways than by aggregating the complete set of the pertaining encryptions, a participant may contribute with “empty” encryptions in case there is nothing particular to send.

We will next present some key observations that are the basis for the anonymous communication scheme:

1. 1.

   Sender untraceability is implicitly provided by privacy-preserving aggregation as it is not possible to disclose individual plaintext inputs due to the aggregation obliviousness security property (Definition 1).

2. 2.

   A privacy-preserving product (PPP) aggregation protocol enables a group of participants, each holding a secret prime, to compute a product \(\dot{p}\) in an untraceable manner, since no prime factor can be traced to a specific participant due to the aggregation obliviousness security property (Definition 1).

3. 3.

   The (prime) factors of \(\dot{p}\) have no particular order.

In summary, application of a PPP protocol enables a group of participants to send and distribute primes in an untraceable manner, so that the originator of any given prime cannot be determined when the product \(\dot{p}\) is factorized, assuming that the PPP protocol is secure.

For sending arbitrary messages and not only primes, we consider Goldbach’s conjecture, which is one of the oldest and best-known unsolved problems in number theory and all of mathematics.¹ Goldbach’s conjecture states that every even natural number greater than 2 is the sum of two prime numbers, and has been shown to hold for all integers less than \(4 \times 10^{18}\). In agreement with Goldbach’s conjecture, the idea is to represent a plaintext \(m_i\) as a sum \(m_i=p_i+q_i\) of two primes \((p_i, q_i)\). The sum of two odd primes is always even. Taking arbitrary (odd and even) values of \(m_i\) into account, simply divide by two, i.e., \(m_i=\frac{p_i+q_i}{2}\).

Using a secure PPP protocol, each participant \(P_i\) computes the encryptions \(c_i = E(p_i)\) and \(c_i' = E(q_i)\). After respectively aggregating the two sets of encryptions, \((\{c_i\}_{i=1}^N, \{c_i'\}_{i=1}^N)\), the primes \(P=\{p_1,\ldots , p_N\}\), \(Q=\{q_1,\ldots , q_N\}\) are restored by factorization.

Since there is no particular order to the primes in (P, Q) and the correct associations between the corresponding prime pairs \((p_i \in P, q_i \in Q)\) that constitute a given plaintext \(m_i\) are broken and unknown, a measure is necessary to correctly identify and restore the pertaining prime pair associations. For this purpose, we use a similar approach by privately aggregating plaintext hashes \(z = \prod _{j=1}^{N} f(m_j)\). The plaintexts are restored by a simple exhaustive search of at most N! trials, finding the pertaining prime pairs.

Our scheme can handle a limited number of users and data sizes, where basically the applied PPP is the main limiting factor. However, it can fit well as a building block and in this regard be used for larger groups and bigger data sizes if some few adjustments are carried out, cf. Sect. 4.3.

4.1 Hardness Assumption

The security of our protocol relies on the security of the underlying PPP aggregation scheme. The suggested PPP aggregation scheme (cf. Appendix B) relies on the difficulty of the Decisional Diffie-Hellman problem.

4.2 The Novel Non-interactive Anonymous Communication Scheme

The proposed anonymous communication scheme consists of the following steps:

Setup. Each user \(P_i\) is assigned a group \(\mathcal {U} = \{P_1, \ldots , P_N\}\). A large public prime p is selected that will be used as a modulus. For each user \(P_i \in \mathcal {U}\), a key center randomly generates a long-term secret encryption key \(s_i\), \(1 < s_i < p-1\), in which the sum is zero:

$$\begin{aligned} 0 = \sum _{i=1}^{N} s_i \bmod p-1 \end{aligned}$$

(1)

Encryption. \(P_i\) selects two primes \((p_i, q_i)\), so that \(m_i = \frac{p_i + q_i}{2}\) and \((p_i, q_i) < b\), where \(b=\frac{p}{N}\) is an upper bound. \(P_i\) encrypts \((p_i, q_i, f(m_i))\):

$$\begin{aligned} c_i = E_{s_i}(p_i, 1), \; c_i' = E_{s_i}(q_i, 2), \; d_i = E_{s_i}(f(m_i, 3)) \end{aligned}$$

where \(E_{s_i}(x, j) = x f(t,j)^{s_i} \bmod p\), f is a secure hash function, t is a timestamp or unique counter, j is a constant, and \(f(t,j)^{s_i}\) is a secret encryption factor. The encryptions \((c_i,c_i',d_i)\) are broadcasted to the other members in \(\mathcal {U}\).

Aggregation and Restoration. After receiving all encryptions, each participant combines the respective encryptions \((\{c_i\}_{i=1}^N, \{c_i'\}_{i=1}^N, \{d_i\}_{i=1}^N)\), yielding the three products (x, y, z), where

$$\begin{aligned} x = \prod _{i=1}^N c_{i} = \prod _{i=1}^N p_i \bmod p, \; y = \prod _{i=1}^N c'_{i} = \prod _{i=1}^N q_i \bmod p, \; z = \prod _{i=1}^N d_{i} = \prod _{i=1}^N f(m_i) \bmod p \end{aligned}$$

Notice that all encryption factors \(f(t,j)^{s_i}\), \(1 \le i \le N\), \(j \in \{1, 2, 3\}\), are cancelled out in agreement Eq. 1, resulting in the intended products as shown above. By factorizing (x, y), the pertaining primes \(P = \{p_1, \ldots , p_N\}\) and \(Q = \{q_1, \ldots , q_N\}\) are restored.

Lastly, by means of the cryptographic checksum z all plaintexts are restored by finding the prime pairs, \((p_i \in P, q_i \in Q)\), constituting \(m_i = \frac{p_i + q_i}{2}\). Let \(\pi \) denote a permutation of a vector \(\vec {v}\) of monotonic increasing elements \(\vec {v} = (1, 2, \ldots , {N-1}, N)\), of which there are N! permutations. For each permutation \(\pi \), check if

$$\begin{aligned} \prod _{i=1}^N f(\frac{p_i + q_{\pi (i)}}{2}) \bmod p \,{\mathop {=}\limits ^{?}}\, z \end{aligned}$$

is true, then all N plaintexts \(\{m_i = \frac{p_i + q_{\pi (i)}}{2} \}_{i=1}^N\) are recovered.

When Less than N Plaintexts. Although it is not possible to recover any plaintexts unless the complete set of N encryptions for a given round is present, a participant may contribute with an “empty” encryption in case he or she has nothing particular to send. An empty encryption is only the encryption factor \(E_{s_i}(1, j) = f(t,j)^{s_i}\). Since the encryptions are in effect probabilistic due to the randomly chosen secret exponent \(s_i\), it cannot be determined whether a given encryption is empty or not.

4.3 Scalability

The scalability of the above protocol depends heavily on the selected PPP scheme. The suggested PPP scheme was considered due to its simple non-interactive design and having low transmission and computational overhead. The size of the modulus p imposes a bound on the group size N and data size m due to the bound \(p_i, q_i < \frac{p}{N}\), \(1 \le i \le N\).

The untraceability scheme can be extended to larger data sizes by segmenting the plaintext into blocks of a fixed size b, in which the untraceability scheme is invoked for each block. The blocks must be equipped with a small header indicating a unique message identifier and block number. To restore the plaintexts after decryption, the blocks pertaining to the same message are joined in the right order.

4.4 Performance

A comparison of some prominent anonymous communications schemes is shown in Table 1, with regard to number of rounds, transmission complexity, and computational complexity. Transmission complexity is the total number of transmitted data elements (encryptions, hashes, and signatures), while computational complexity refers to the total number of encryptions, decryptions, and signature computations and verifications. A significant improvement of the proposed scheme is that it has linear transmission and computational complexity, while this is quadric for existing work. As noted, we suggest a non-interactive privacy-preserving aggregation subprotocol to keep the overhead at a minimum.

Table 1. Performance comparison

4.5 Security Analysis

In this section we show that the proposed scheme ensures sender untraceability under the assumption that the underlying PPP is secure. Note that receiver untraceability is implicity provided due to broadcasting. We also show that the suggested PPP is secure given that Decision Diffie-Hellman problem is hard to solve.

Theorem 1

The proposed scheme provides sender untraceability provided that the applied PPP protocol ensures aggregator obliviousness.

Proof

Only an informal proof is necessary. If the applied PPP protocol provides the aggregator obliviousness security property (Definition 1), no other information than the product can be deduced. Therefore, it is infeasible to link a prime factor to a particular encryption. Thus, sender untraceability is ensured.    \(\square \)

Lemma 1

The PPP protocol ensures aggregator obliviousness assuming that the Decision Diffie-Hellman problem is hard.

Proof

The aggregator obliviousness security property is based on the assumption that the encryption factors, here denoted \(\vec {h} = (h_1,\ldots , h_N) \in \mathbb {Z}_p\), \(N \ge 2\), are indistinguishable from random integers \(\vec {h}' = (h_1', \ldots , h_N')\) in the same domain \(\mathbb {Z}_p\), cf. the Decision Diffie-Hellman problem. Let g be a generator to \(\mathbb {Z}_p\).

Setup. Assume a challenger and an adversary. The challenger picks a random generator g for the group \(\mathbb {Z}_p\) and the random vector \((s_1, \ldots , s_N) \in \mathbb {Z}_{p-1}\), such that \(\sum _{i=1}^{N}s_i = 0\). Let \(h = g^x\) for some random undisclosed integer \(x \in \mathbb {Z}_{p-1}\). The challenger sends \((g,h, g^{s_1}, \ldots , g^{s_N})\) to the adversary.

Challenge. The challenger flips a random coin b. If \(b = 0\) then the challenger sends \(\vec {h} = (h^{s_1},\ldots , h^{s_N})\) to the adversary. If \(b = 1\) then the challenger picks N random elements \(\vec {h}' = (h_1', \ldots , h_N')\) in \(\mathbb {Z}_p\), such that \(\prod _{i=1}^{N} h_i' = \prod _{i=1}^{N} h^{s_i} \). The challenger sends \(\vec {h}'\) to the adversary.

Guess. The adversary has now the distribution \((g, g^x, g^{s_i}, t_i, 1 \le i \le N)\), where either \(t_i = h^{s_i}= g^{x \cdot s_i}\) or \(t_i=h_i'\). The adversary guesses either \(b=0\) or \(b=1\). The adversary wins the game if he successfully guesses b. If the adversary has a non-negligible advantage in guessing the correct b, he would be able to solve the DDH problem with non-negligible advantage as well. The proposed scheme is therefore secure assuming this is a computationally infeasible problem.    \(\square \)

5 Conclusion

Anonymous routing networks and dining cryptographers networks (DC nets) are wellknown approaches to untraceable and anonymous communication, but these methods are in general very complex and suffer from high performance overhead. In this paper, we have proposed an original approach to untraceable communication that avoids some of the significant shortcomings of existing methods. Using non-interactive privacy-preserving aggregation as an underlying building block we achieve attractive features, such as unsurpassed low computational and transmission overhead of only 3 encryptions per participant in only a single round. No particular sending order, synchronization, or user interactions are necessary.

Appendices

A Shi et al. Privacy-Preserving Aggregation

A non-interactive privacy-preserving sum aggregation was proposed Shi et al. [25]. It meets the aggregator oblivious security property under the DDH hardness assumption, and has therefore smaller ciphertexts than in [19]. Similar to the Joye and Libert scheme, it was originally proposed for the smart meter setting, and transmissions are limited to each user broadcasting a single encryption for each round, resulting in a low computational load and bandwidth. The Shi et al. scheme comprises the following steps:

Setup. A key center (KC) establishes a large public prime p. For each user \(P_i \in U\), KC randomly generates an encryption key \(s_i \in \mathbb {Z}_{p-1}\) in agreement with \(0 = - \sum _{1 \le i \le N} s_i \bmod p-1\).

Encryption. \(P_i \in U\) samples a timeseries consumption value \(m_{i}\) at time interval t, and computes the ciphertext:

$$\begin{aligned} c_{i} = g^{m_i} f(t)^{s_i} \bmod p \end{aligned}$$

where f is a secure hash function.

Aggregation and Decryption. After having received all N ciphertexts, they are multiplied according to

$$\begin{aligned} \hat{M} = \prod _{1 \le i \le N} c_i = \prod _{1 \le i \le N} g^{m_i} f(t)^{s_i} = \prod _{1 \le i \le N} g^{m_i} \bmod p \end{aligned}$$

cancelling out the encryption factors \(f(t)^{s_i}\), \(1 \le i \le N\). The aggregated plaintext is then found by computing the discrete logarithm of \(\hat{M}\) w.r.t. to the base g.

B A Privacy-Preserving Product Protocol

The non-interactive privacy-preserving sum aggregation was proposed Shi et al. [25], shown in Appendix A, can conveniently be simplified to a privacy-preserving product protocol simply by neglecting the final step of resolving the aggregated sum by computing the discrete logarithm. Therefore, this simplification meets the aggregator oblivious security property under the DDH hardness assumption.

Setup. Each user \(P_i\) is assigned a group U of exactly N members. For each user \(P_i \in U\), the key center randomly generates a secret encryption key \(s_i \in \mathbb {Z}_{p-1}\) in agreement with \(0 = \sum _{1 \le i \le N} s_i \bmod p-1\).

Encryption. \(P_i \in U\) encrypts the prime \(p_i\):

$$\begin{aligned} c_i = E_{s_i}(p_i, t) = p_i f(t)^{s_i} \bmod {p} \end{aligned}$$

where h is a secure hash function and t is a timestamp. The ciphertext is transmitted to the AC.

Aggregation and Decryption. Each user aggregates the received ciphertexts according to

$$\begin{aligned} \dot{p} = \prod _{1 \le j \le N} c_j = \prod _{1 \le j \le N} p_j f(t)^{s_j} = \prod _{1 \le j \le N} p_j \pmod {p} \end{aligned}$$

(2)

The multiplication is hence cancelling out the encryption factors \(f(t)^{s_j}\), \(1 \le j \le N\), yielding the product \(\dot{p}\). As can be seen, the procedure is identical to that of [25], with the exception of omitting the final discrete logarithm computation.