Abstract
Anonymous transfer, recently introduced by Agrikola, Couteau and Maier [3] (TCC ’22), allows a sender to leak a message anonymously by participating in a public non-anonymous discussion in which everyone knows who said what. This opens up the intriguing possibility of using cryptography to ensure strong anonymity guarantees in a seemingly non-anonymous environment.
The work of [3] presented a lower bound on anonymous transfer, ruling out constructions with strong anonymity guarantees (where the adversary’s advantage in identifying the sender is negligible) against arbitrary polynomial-time adversaries. They also provided a (heuristic) upper bound, giving a scheme with weak anonymity guarantees (the adversary’s advantage in identifying the sender is inverse in the number of rounds) against fine-grained adversaries whose run-time is bounded by some fixed polynomial that exceeds the run-time of the honest users. This leaves a large gap between the lower bound and the upper bound, raising the intriguing possibility that one may be able to achieve weak anonymity against arbitrary polynomial time adversaries, or strong anonymity a-gainst fine grained adversaries.
In this work, we present improved lower bounds on anonymous transfer, that rule out both of the above possibilities:
-
We rule out the existence of anonymous transfer with any non-trivial anonymity guarantees against general polynomial time adversaries.
-
Even if we restrict ourselves to fine-grained adversaries whose run-time is essentially equivalent to that of the honest parties, we cannot achieve strong anonymity, or even quantitatively improve over the inverse polynomial anonymity guarantees (heuristically) achieved by [3].
Consequently, constructions of anonymous transfer can only provide security against fine-grained adversaries, and even in that case they achieve at most weak quantitative forms of anonymity.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
For concreteness, the public discussion could occur over Facebook or Twitter, and users need to be logged in with their true identity.
- 2.
This departs from our informal setting, where a real discussion occurred, while we now assume that “real discussions” are uniformly random. Various works, including [12, 15, 16] show how to embed uniform randomness into real discussions. Concretely, it suffices to (randomly) encode uniformly random messages to the distribution representing the (non-necessarily uniform) communication pattern, in a way that the random messages can be decoded.
- 3.
In this work, we use the convention that an AT is stronger as \(\varepsilon ,\delta \) tend to 0; this is the opposite convention of [3] where this held whenever \(\varepsilon ,\delta \) tend to 1.
- 4.
Anonymous transfer can also be defined with more than a single “dummy” party. We focus for simplicity on the 2-party case for this overview, and will show how to extend the attacks to the N-party case subsequently.
- 5.
We consider here “silent” receivers who do not send any messages—this is similarly known to be sufficient for lower bounds [3].
- 6.
We remind the reader that [3] takes different conventions than ours for \(\varepsilon \) and \(\delta \). With our notation, an AT satisfies stronger properties as \(\varepsilon \) and \(\delta \) get smaller and closer to 0, and are ideally negligible in the security parameter.
- 7.
In an AT, rounds are by default synchronous; for the sake of this general blueprint, any arbitrary sequentialization of the messages would be meaningful.
- 8.
More precisely, strategies are black-box in the AT algorithms, but need to consider full transcripts in a slightly non-black-box way (namely, by separating messages and considering random continuations).
- 9.
Technically, the quantities \(p_k\) when A is the neutral party and \(p_k\) when A is the bias inducer are not necessarily related. But without loss of generality, the strategies used by the bias inducer and the neutral party are independent of their identity as A or B, in which case the quantities \(p_{2k}\) are equal.
- 10.
One technically needs to be careful handling cases where \(p_i=0\) for some i. We largely ignore this technicality in this overview. For concreteness, it will be enough to output a random guess if this happens, and observe that, for games resulting from an AT, this happens with probability at most \(1-p_f\), and therefore does not affect our advantage too much. We refer to Sect. 4.3 for more details.
- 11.
Actually, the total progress is only guaranteed to be \(p_f/p_0\) on expectation, which induces several technical issues. We will assume the progress is always equal to \(p_f/p_0\) for the sake of this overview, and we refer to Sect. 4.2 for more details on the issues and a solution.
- 12.
This is done by considering all the messages sent by parties \(k\ne i,j\) as part of the CRS of the new 2-party protocol.
- 13.
Note that there is at most one such index. If no such index exist, our attack, say, outputs party 1.
- 14.
This corresponds to setting \(\delta =1-1/\alpha '\), conditioned on executions where the message can be correctly reconstructed. We refer to Sect. 5.3 for more details.
- 15.
The overhead arises from both the \(O(N^2)\) calls to the internal distinguisher, and the runtime of the internal distinguisher itself which is \(\textrm{poly}(\alpha ')=\textrm{poly}(N)\cdot \alpha \).
- 16.
- 17.
This is without loss of generality; see Remark 2.
- 18.
This is without loss of generality; see Remark 3.
- 19.
We remind the reader that the quantity \(\delta \) in [3] corresponds to \(1-\delta \) for us. Additionally, in this version of the definition, we do not include the receiver in the count for the number of parties.
- 20.
We technically are also conditioning the expectations X, Y on all the prior moves instead, but are omitting them for ease of notation. See Remark 5.
- 21.
Recall that each expectation is implicitly conditioned on prior moves (Remark 5).
- 22.
This is a stronger statement in the sense that observers can test whether an execution is winning, and therefore can output an arbitrary bit \(p_{2c}\ne 1\).
- 23.
Technically, \(\bot \) can be replaced by any arbitrary output, e.g. 0; but considering this output separately is in our eyes conceptually cleaner.
- 24.
Looking ahead, this large sample complexity is a result of the techniques we use in our analysis which require us compute precise estimations for each game state.
- 25.
The choice of the specific output doesn’t matter for the sake of the analysis, as long as is the same distribution whenever A or B is the bias inducer.
- 26.
Again, \(\bot \) can be replaced by any arbitrary output, e.g. 0; but considering this output separately is in our eyes conceptually cleaner.
- 27.
Here, we implicitly take the convention that, because players make c moves, they have complexity at least c. This is informal, and there is a mismatch: we are comparing sample complexity of \(C^*\) against standard complexity of A and B. The translation to AT lower bounds will make this statement more precise.
- 28.
Looking ahead, doing so comes at a mild loss in the resulting anonymity \(\delta \). While this loss is mild starting from Theorem 8 yielding the main result of the section, it is quite significant when starting from Theorem 9, in which case the anonymity guarantees we obtain are similar to the ones of [3]. We therefore focus on Theorem 8 in this section.
References
Navalny, A.: Russia’s jailed vociferous putin critic. British Broadcasting Corporation (2022). https://www.bbc.com/news/world-europe-16057045
Abraham, I., Pinkas, B., Yanai, A.: Blinder - scalable, robust anonymous committed broadcast. In: Ligatti, J., Ou, X., Katz, J., Vigna, G. (eds.) ACM CCS 2020, pp. 1233–1252. ACM Press, November 2020. https://doi.org/10.1145/3372297.3417261
Agrikola, T., Couteau, G., Maier, S.: Anonymous whistleblowing over authenticated channels. In: Kiltz, E., Vaikuntanathan, V. (eds.) TCC 2022, Part II. LNCS, vol. 13748, pp. 685–714. Springer, Heidelberg (2022). https://doi.org/10.1007/978-3-031-22365-5_24
Andrews, S., Burrough, B., Ellison, S.: The Snowden saga. Vanity Fair (2014). https://archive.vanityfair.com/article/2014/5/the-snowden-saga
Berret, C. (2016). https://www.cjr.org/tow_center_reports/guide_to_securedrop.php
Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988). https://doi.org/10.1007/BF00206326
Chaum, D.: Untraceable electronic mail, return addresses and digital pseudonyms. In: Gritzalis, D.A. (ed.) Secure Electronic Voting. Advances in Information Security, vol. 7, pp. 211–219. Springer, Boston (2003). https://doi.org/10.1007/978-1-4615-0239-5_14
Cohn-Gordon, K., Cremers, C., Dowling, B., Garratt, L., Stebila, D.: A formal security analysis of the signal messaging protocol. J. Cryptol. 33(4), 1914–1983 (2020). https://doi.org/10.1007/s00145-020-09360-1
Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: an anonymous messaging system handling millions of users. In: 2015 IEEE Symposium on Security and Privacy, pp. 321–338 (2015). https://doi.org/10.1109/SP.2015.27
Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The second-generation onion router. In: Blaze, M. (ed.) USENIX Security 2004, pp. 303–320. USENIX Association, August 2004
Eskandarian, S., Corrigan-Gibbs, H., Zaharia, M., Boneh, D.: Express: lowering the cost of metadata-hiding communication with cryptographic privacy. In: Bailey, M., Greenstadt, R. (eds.) USENIX Security 2021, pp. 1775–1792. USENIX Association, August 2021
Hopper, N.J., Langford, J., von Ahn, L.: Provably secure steganography. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 77–92. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45708-9_6
Inzaurralde, B.: The cybersecurity 202: leak charges against treasury official show encrypted apps only as secure as you make them. The Washinton Post (2018)
Newman, Z., Servan-Schreiber, S., Devadas, S.: Spectrum: high-bandwidth anonymous broadcast with malicious security. Cryptology ePrint Archive, Report 2021/325 (2021). https://eprint.iacr.org/2021/325
von Ahn, L., Hopper, N.J.: Public-key steganography. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 323–341. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_20
von Ahn, L., Hopper, N.J., Langford, J.: Covert two-party computation. In: Gabow, H.N., Fagin, R. (eds.) 37th ACM STOC, pp. 513–522. ACM Press (2005). https://doi.org/10.1145/1060590.1060668
Acknowledgements
Daniel Wichs was supported in part by the National Science Foundation under NSF CNS-1750795, CNS-2055510, and the JP Morgan faculty research award.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2023 International Association for Cryptologic Research
About this paper
Cite this paper
Quach, W., Tyner, L., Wichs, D. (2023). Lower Bounds on Anonymous Whistleblowing. In: Rothblum, G., Wee, H. (eds) Theory of Cryptography. TCC 2023. Lecture Notes in Computer Science, vol 14371. Springer, Cham. https://doi.org/10.1007/978-3-031-48621-0_1
Download citation
DOI: https://doi.org/10.1007/978-3-031-48621-0_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-48620-3
Online ISBN: 978-3-031-48621-0
eBook Packages: Computer ScienceComputer Science (R0)
