Dining cryptographers problem

Last updated May 09, 2024

In cryptography, the dining cryptographers problem studies how to perform a secure multi-party computation of the boolean-XOR function. David Chaum first proposed this problem in the early 1980s and used it as an illustrative example to show that it was possible to send anonymous messages with unconditional sender and recipient untraceability. Anonymous communication networks based on this problem are often referred to as DC-nets (where DC stands for "dining cryptographers").^[1]

Description

Three cryptographers gather around a table for dinner. The waiter informs them that the meal has been paid for by someone, who could be one of the cryptographers or the National Security Agency (NSA). The cryptographers respect each other's right to make an anonymous payment, but want to find out whether the NSA paid. So they decide to execute a two-stage protocol.

In the first stage, every two cryptographers establish a shared one-bit secret, say by tossing a coin behind a menu so that only two cryptographers see the outcome in turn for each two cryptographers. Suppose, for example, that after the coin tossing, cryptographer A and B share a secret bit $1$ , A and C share $0$ , and B and C share $1$ .

In the second stage, each cryptographer publicly announces a bit, which is:

if they didn't pay for the meal, the exclusive OR (XOR) of the two shared bits they hold with their two neighbours,
if they did pay for the meal, the opposite of that XOR.

Supposing none of the cryptographers paid, then A announces $1\oplus 0=1$ , B announces $1\oplus 1=0$ , and C announces $0\oplus 1=1$ . On the other hand, if A paid, she announces $\lnot (1\oplus 0)=0$ .

The three public announcements combined reveal the answer to their question. One simply computes the XOR of the three bits announced. If the result is 0, it implies that none of the cryptographers paid (so the NSA must have paid the bill). Otherwise, one of the cryptographers paid, but their identity remains unknown to the other cryptographers.

David Chaum coined the term dining cryptographers network, or DC-net, for this protocol.

Limitations

The DC-net protocol is simple and elegant. It has several limitations, however, some solutions to which have been explored in follow-up research (see the References section below).

Collision: If two cryptographers paid for the dinner, their messages will cancel each other out, and the final XOR result will be $0$ . This is called a collision and allows only one participant to transmit at a time using this protocol. In a more general case, a collision happens as long as any even number of participants send messages.

Disruption: Any malicious cryptographer who does not want the group to communicate successfully can jam the protocol so that the final XOR result is useless, simply by sending random bits instead of the correct result of the XOR. This problem occurs because the original protocol was designed without using any public key technology and lacks reliable mechanisms to check whether participants honestly follow the protocol.^[2]

Complexity: The protocol requires pairwise shared secret keys between the participants, which may be problematic if there are many participants. Also, though the DC-net protocol is "unconditionally secure", it actually depends on the assumption that "unconditionally secure" channels already exist between pairs of the participants, which is not easy to achieve in practice.

A related anonymous veto network algorithm computes the logical OR of several users' inputs, rather than a logical XOR as in DC-nets, which may be useful in applications to which a logical OR combining operation is naturally suited.

History

David Chaum first thought about this problem in the early 1980s. The first publication that outlines the basic underlying ideas is his.^[3] The journal version appeared in the very first issue of the Journal of Cryptology .^[4]

Generalizations

DC-nets are readily generalized to allow for transmissions of more than one bit per round, for groups larger than three participants, and for arbitrary "alphabets" other than the binary digits 0 and 1, as described below.

Transmissions of longer messages

To enable an anonymous sender to transmit more than one bit of information per DC-nets round, the group of cryptographers can simply repeat the protocol as many times as desired to create a desired number of bits worth of transmission bandwidth. These repetitions need not be performed serially. In practical DC-net systems, it is typical for pairs of participants to agree up-front on a single shared "master" secret, using Diffie–Hellman key exchange for example. Each participant then locally feeds this shared master secret into a pseudorandom number generator, in order to produce as many shared "coin flips" as desired to allow an anonymous sender to transmit multiple bits of information.

Larger group sizes

The protocol can be generalized to a group of $n$ participants, each with a shared secret key in common with each other participant. In each round of the protocol, if a participant wants to transmit an untraceable message to the group, they invert their publicly announced bit. The participants can be visualized as a fully connected graph with the vertices representing the participants and the edges representing their shared secret keys.

Sparse secret sharing graphs

The protocol may be run with less than fully connected secret sharing graphs, which can improve the performance and scalability of practical DC-net implementations, at the potential risk of reducing anonymity if colluding participants can split the secret sharing graph into separate connected components. For example, an intuitively appealing but less secure generalization to $n>3$ participants using a ring topology, where each cryptographer sitting around a table shares a secret only with the cryptographer to their immediate left and right, and not with every other cryptographer. Such a topology is appealing because each cryptographer needs to coordinate two coin flips per round, rather than $n$ . However, if Adam and Charlie are actually NSA agents sitting immediately to the left and right of Bob, an innocent victim, and if Adam and Charlie secretly collude to reveal their secrets to each other, then they can determine with certainty whether or not Bob was the sender of a 1 bit in a DC-net run, regardless of how many participants there are in total. This is because the colluding participants Adam and Charlie effectively "split" the secret sharing graph into two separate disconnected components, one containing only Bob, the other containing all other honest participants.

Another compromise secret sharing DC-net topology, employed in the Dissent system for scalability,^[5] may be described as a client/server or user/trustee topology. In this variant, we assume there are two types of participants playing different roles: a potentially large number n of users who desire anonymity, and a much smaller number $m$ of trustees whose role is to help the users obtain that anonymity. In this topology, each of the $n$ users shares a secret with each of the $m$ trustees—but users share no secrets directly with other users, and trustees share no secrets directly with other trustees—resulting in an $n\times m$ secret sharing matrix. If the number of trustees $m$ is small, then each user needs to manage only a few shared secrets, improving efficiency for users in the same way the ring topology does. However, as long as at least one trustee behaves honestly and does not leak his or her secrets or collude with other participants, then that honest trustee forms a "hub" connecting all honest users into a single fully connected component, regardless of which or how many other users and/or trustees might be dishonestly colluding. Users need not know or guess which trustee is honest; their security depends only on the existence of at least one honest, non-colluding trustee.

Alternate alphabets and combining operators

Though the simple DC-nets protocol uses binary digits as its transmission alphabet, and uses the XOR operator to combine cipher texts, the basic protocol generalizes to any alphabet and combining operator suitable for one-time pad encryption. This flexibility arises naturally from the fact that the secrets shared between the many pairs of participants are, in effect, merely one-time pads combined symmetrically within a single DC-net round.

One useful alternate choice of DC-nets alphabet and combining operator is to use a finite group suitable for public-key cryptography as the alphabet—such as a Schnorr group or elliptic curve—and to use the associated group operator as the DC-net combining operator. Such a choice of alphabet and operator makes it possible for clients to use zero-knowledge proof techniques to prove correctness properties about the DC-net ciphertexts that they produce, such as that the participant is not "jamming" the transmission channel, without compromising the anonymity offered by the DC-net. This technique was first suggested by Golle and Juels,^[6] further developed by Franck,^[7] and later implemented in Verdict, a cryptographically verifiable implementation of the Dissent system.^[8]

Handling or avoiding collisions

The measure originally suggested by David Chaum to avoid collisions is to retransmit the message once a collision is detected, but the paper does not explain exactly how to arrange the retransmission.

Dissent avoids the possibility of unintentional collisions by using a verifiable shuffle to establish a DC-nets transmission schedule, such that each participant knows exactly which bits in the schedule correspond to his own transmission slot, but does not know who owns other transmission slots.^[9]

Countering disruption attacks

Herbivore divides a large anonymity network into smaller DC-net groups, enabling participants to evade disruption attempts by leaving a disrupted group and joining another group, until the participant finds a group free of disruptors.^[10] This evasion approach introduces the risk that an adversary who owns many nodes could selectively disrupt only groups the adversary has not completely compromised, thereby "herding" participants toward groups that may be functional precisely because they are completely compromised.^[11]

Dissent implements several schemes to counter disruption. The original protocol^[9] used a verifiable cryptographic shuffle to form a DC-net transmission schedule and distribute "transmission assignments", allowing the correctness of subsequent DC-nets ciphertexts to be verified with a simple cryptographic hash check. This technique required a fresh verifiable before every DC-nets round, however, leading to high latencies. A later, more efficient scheme allows a series of DC-net rounds to proceed without intervening shuffles in the absence of disruption, but in response to a disruption event uses a shuffle to distribute anonymous accusations enabling a disruption victim to expose and prove the identity of the perpetrator.^[5] Finally, more recent versions support fully verifiable DC-nets - at substantial cost in computation efficiency due to the use of public-key cryptography in the DC-net - as well as a hybrid mode that uses efficient XOR-based DC-nets in the normal case and verifiable DC-nets only upon disruption, to distribute accusations more quickly than is feasible using verifiable shuffles.^[8]

Related Research Articles

Articles related to cryptography include:

David Lee Chaum is an American computer scientist, cryptographer, and inventor. He is known as a pioneer in cryptography and privacy-preserving technologies, and widely recognized as the inventor of digital cash. His 1982 dissertation "Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups" is the first known proposal for a blockchain protocol. Complete with the code to implement the protocol, Chaum's dissertation proposed all but one element of the blockchain later detailed in the Bitcoin whitepaper. He has been referred to as "the father of online anonymity", and "the godfather of cryptocurrency".

Onion routing is a technique for anonymous communication over a computer network. In an onion network, messages are encapsulated in layers of encryption, analogous to the layers of an onion. The encrypted data is transmitted through a series of network nodes called "onion routers," each of which "peels" away a single layer, revealing the data's next destination. When the final layer is decrypted, the message arrives at its destination. The sender remains anonymous because each intermediary knows only the location of the immediately preceding and following nodes. While onion routing provides a high level of security and anonymity, there are methods to break the anonymity of this technique, such as timing analysis.

<span class="mw-page-title-main">Blind signature</span> Form of digital signature

In cryptography a blind signature, as introduced by David Chaum, is a form of digital signature in which the content of a message is disguised (blinded) before it is signed. The resulting blind signature can be publicly verified against the original, unblinded message in the manner of a regular digital signature. Blind signatures are typically employed in privacy-related protocols where the signer and message author are different parties. Examples include cryptographic election systems and digital cash schemes.

A commitment scheme is a cryptographic primitive that allows one to commit to a chosen value while keeping it hidden to others, with the ability to reveal the committed value later. Commitment schemes are designed so that a party cannot change the value or statement after they have committed to it: that is, commitment schemes are binding. Commitment schemes have important applications in a number of cryptographic protocols including secure coin flipping, zero-knowledge proofs, and secure computation.

An anonymous P2P communication system is a peer-to-peer distributed application in which the nodes, which are used to share resources, or participants are anonymous or pseudonymous. Anonymity of participants is usually achieved by special routing overlay networks that hide the physical location of each node from other participants.

In cryptography, an oblivious transfer (OT) protocol is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece has been transferred.

Secure multi-party computation is a subfield of cryptography with the goal of creating methods for parties to jointly compute a function over their inputs while keeping those inputs private. Unlike traditional cryptographic tasks, where cryptography assures security and integrity of communication or storage and the adversary is outside the system of participants, the cryptography in this model protects participants' privacy from each other.

In cryptography, a private information retrieval (PIR) protocol is a protocol that allows a user to retrieve an item from a server in possession of a database without revealing which item is retrieved. PIR is a weaker version of 1-out-of-n oblivious transfer, where it is also required that the user should not get information about other database items.

Digital credentials are the digital equivalent of paper-based credentials. Just as a paper-based credential could be a passport, a driver's license, a membership certificate or some kind of ticket to obtain some service, such as a cinema ticket or a public transport ticket, a digital credential is a proof of qualification, competence, or clearance that is attached to a person. Also, digital credentials prove something about their owner. Both types of credentials may contain personal information such as the person's name, birthplace, birthdate, and/or biometric information such as a picture or a finger print.

Mix networks are routing protocols that create hard-to-trace communications by using a chain of proxy servers known as mixes which take in messages from multiple senders, shuffle them, and send them back out in random order to the next destination. This breaks the link between the source of the request and the destination, making it harder for eavesdroppers to trace end-to-end communications. Furthermore, mixes only know the node that it immediately received the message from, and the immediate destination to send the shuffled messages to, making the network resistant to malicious mix nodes.

In cryptography, a secret sharing scheme is publicly verifiable (PVSS) if it is a verifiable secret sharing scheme and if any party can verify the validity of the shares distributed by the dealer.

In verifiable secret sharing (VSS) the object is to resist malicious players, such as
(i) a dealer sending incorrect shares to some or all of the participants, and
(ii) participants submitting incorrect shares during the reconstruction protocol, cf. [CGMA85].
In publicly verifiable secret sharing (PVSS), as introduced by Stadler [Sta96], it is an explicit goal that not just the participants can verify their own shares, but that anybody can verify that the participants received correct shares. Hence, it is explicitly required that (i) can be verified publicly.

Forward anonymity is a property of a cryptographic system which prevents an attacker who has recorded past encrypted communications from discovering its contents and participants in the future. This property is analogous to forward secrecy.

The framework of universal composability (UC) is a general-purpose model for the analysis of cryptographic protocols. It guarantees very strong security properties. Protocols remain secure even if arbitrarily composed with other instances of the same or other protocols. Security is defined in the sense of protocol emulation. Intuitively, a protocol is said to emulate another one, if no environment (observer) can distinguish the executions. Literally, the protocol may simulate the other protocol. The notion of security is derived by implication. Assume a protocol $is secure per definition. If another protocol emulates protocol such that no environment tells apart the emulation from the execution of the protocol, then the emulated protocol is as secure as protocol .$

Scantegrity is a security enhancement for optical scan voting systems, providing such systems with end-to-end (E2E) verifiability of election results. It uses confirmation codes to allow a voter to prove to themselves that their ballot is included unmodified in the final tally. The codes are privacy-preserving and offer no proof of which candidate a voter voted for. Receipts can be safely shown without compromising ballot secrecy.

In cryptography, the anonymous veto network is a multi-party secure computation protocol to compute the boolean-OR function. It was first proposed by Feng Hao and Piotr Zieliński in 2006. This protocol presents an efficient solution to the Dining cryptographers problem.

The Password Authenticated Key Exchange by Juggling is a password-authenticated key agreement protocol, proposed by Feng Hao and Peter Ryan. This protocol allows two parties to establish private and authenticated communication solely based on their shared (low-entropy) password without requiring a Public Key Infrastructure. It provides mutual authentication to the key exchange, a feature that is lacking in the Diffie–Hellman key exchange protocol.

Riffle is an anonymity network developed by researchers at MIT and EPFL as a response to the problems of the Tor network.

Garbled circuit is a cryptographic protocol that enables two-party secure computation in which two mistrusting parties can jointly evaluate a function over their private inputs without the presence of a trusted third party. In the garbled circuit protocol, the function has to be described as a Boolean circuit.

Hard privacy technologies are methods of protecting data. Hard privacy technologies and soft privacy technologies both fall under the category of privacy enchancing technologies. Hard privacy technologies allow online users to protect their privacy through different services and applications without the trust of the third-parties. The data protection goal is data minimization and reduction of the trust in third-parties and the freedom to conceal information or to communicate.

References

↑ Chaum DL (1988). "The dining cryptographers problem: unconditional sender and recipient untraceability". J Cryptol. 1(1):65–75.
↑ Knights and Knaves.
↑ David Chaum (1985). "Security without identification: transaction systems to make big brother obsolete" (PDF). Communications of the ACM. 28 (10): 1030–1044. CiteSeerX 10.1.1.319.3690 . doi:10.1145/4372.4373. S2CID 15340054.
↑ David Chaum (1988). "The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability". Journal of Cryptology. 1 (1): 65–75. CiteSeerX 10.1.1.127.4293 . doi:10.1007/BF00206326. S2CID 2664614.
1 2 David Isaac Wolinsky; Henry Corrigan-Gibbs; Bryan Ford; Aaron Johnson (October 8–10, 2012). Dissent in Numbers: Making Strong Anonymity Scale. 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Hollywood, CA, USA.
↑ Philippe Golle; Ari Juels (May 2–6, 2004). Dining Cryptographers Revisited (PDF). Eurocrypt 2004. Interlaken, Switzerland.^{[ permanent dead link ]}
↑ Franck, Christian (2008). New Directions for Dining Cryptographers (PDF) (M.Sc. thesis).
1 2 Henry Corrigan-Gibbs; David Isaac Wolinsky; Bryan Ford (August 14–16, 2013). Proactively Accountable Anonymous Messaging in Verdict. 22nd USENIX Security Symposium. Washington, DC, USA.
1 2 Henry Corrigan-Gibbs; Bryan Ford (October 2010). Dissent: Accountable Group Anonymity. 17th ACM Conference on Computer and Communications Security (CCS). Chicago, IL, USA. Archived from the original on 2012-11-29. Retrieved 2012-09-09.
↑ Emin Gün Sirer; Sharad Goel; Mark Robson; Doğan Engin (September 19–22, 2004). Eluding Carnivores: File Sharing with Strong Anonymity (PDF). ACM SIGOPS European workshop. Leuven, Belgium.
↑ Nikita Borisov; George Danezis; Prateek Mittal; Parisa Tabriz (October 2007). Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity (PDF). ACM Conference on Computer and Communications Security (CCS). Alexandria, VA, USA.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Chaum DL (1988). "The dining cryptographers problem: unconditional sender and recipient untraceability". J Cryptol. 1(1):65–75.

[2] Knights and Knaves.

[3] David Chaum (1985). "Security without identification: transaction systems to make big brother obsolete" (PDF). Communications of the ACM. 28 (10): 1030–1044. CiteSeerX 10.1.1.319.3690 . doi:10.1145/4372.4373. S2CID 15340054.

[4] David Chaum (1988). "The Dining Cryptographers Problem: Unconditional Sender and Recipient Untraceability". Journal of Cryptology. 1 (1): 65–75. CiteSeerX 10.1.1.127.4293 . doi:10.1007/BF00206326. S2CID 2664614.

[WCFJ12-5] 1 2 David Isaac Wolinsky; Henry Corrigan-Gibbs; Bryan Ford; Aaron Johnson (October 8–10, 2012). Dissent in Numbers: Making Strong Anonymity Scale. 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI). Hollywood, CA, USA.

[GJ04-6] Philippe Golle; Ari Juels (May 2–6, 2004). Dining Cryptographers Revisited (PDF). Eurocrypt 2004. Interlaken, Switzerland.^{[ permanent dead link ]}

[7] Franck, Christian (2008). New Directions for Dining Cryptographers (PDF) (M.Sc. thesis).

[CWF13-8] 1 2 Henry Corrigan-Gibbs; David Isaac Wolinsky; Bryan Ford (August 14–16, 2013). Proactively Accountable Anonymous Messaging in Verdict. 22nd USENIX Security Symposium. Washington, DC, USA.

[CF10-9] 1 2 Henry Corrigan-Gibbs; Bryan Ford (October 2010). Dissent: Accountable Group Anonymity. 17th ACM Conference on Computer and Communications Security (CCS). Chicago, IL, USA. Archived from the original on 2012-11-29. Retrieved 2012-09-09.

[SGRE04-10] Emin Gün Sirer; Sharad Goel; Mark Robson; Doğan Engin (September 19–22, 2004). Eluding Carnivores: File Sharing with Strong Anonymity (PDF). ACM SIGOPS European workshop. Leuven, Belgium.

[BDMT07-11] Nikita Borisov; George Danezis; Prateek Mittal; Parisa Tabriz (October 2007). Denial of Service or Denial of Security? How Attacks on Reliability can Compromise Anonymity (PDF). ACM Conference on Computer and Communications Security (CCS). Alexandria, VA, USA.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]