University of Virginia, Department of Computer Science
CS588: Cryptology - Principles and Applications, Fall 2001

Matthew Mah discovered a serious problem with the annonymous tallying protocol:
Anonymous Tallying Vulnerability

Matthew Mah

Here is my description of the confidentiality vulnerability in the given
solution for Anonymous Tallying.

We will use the example given in the solutions to show how Fred can
figure out whether Alice has read the paper. He can do this by performing
2n modular exponentiations with appended strings, where n is the number
of students in the class.

 1. Fred receives EKAF [ EKUF ["send to: Holly" | EKUH ["send to: Cathy"
    | EKUC ["Here it is:" | 1 | RA]]]]
 2. Fred has EKAF and EKUF, and thus he also knows EKUH ["send to: Cathy"
    | EKUC ["Here it is:" | 1 | RA]].
 3. Fred notes each of the n final responses rj|Rj that are written on
    the board and the person who wrote that response Wj. Here rj is the
    bit indicating whether the original sender read the paper and Rj is a
    random string.
 4. Fred tries to generate the message he passes to Holly from the final
    results on the board. For each final response on the board rj|Rj,
    Fred generates mj = "EKUH [send to: $(Wj)" | EKUj ["Here it is:" | rj
    | Rj]]. Fred knows EKUj and EKUH. He knows EKUj because he saw who
    wrote the final response on the board, and he knows EKUH because he
    knows whom he passed his message to (Holly). He knows the formatting
    of the messages sent and so also knows what strings to append. This
    gives Fred n different texts, one for each student in the class. This
    step requires 2 modular exponentiations per final response on the
    board or 2n total modular exponentiations.
 5. Fred compares each of these to his own decrypted message from #2.
    Exactly one will match, and Fred will thus know that Alice sent
    rj|Rj, and know whether Alice claims to have read the paper.

We have shown in generality that the first student (Fred) receiving from
the information origin (Alice) can determine whether Alice has read the
paper by performing 2n modular exponentiations. This is certainly
feasible to calculate since the protocol requires 3n modular
exponentiations for encryption and 3n modular exponentiations for
decryption. Initially Fred does not need to know where the message he
relays to Holly ends up. He can calculate it based upon the final results
placed on the board. Discovering whether Alice has read the paper does
not require breaking RSA or the symmetric cipher.

For onion routes of length L, a similar process for Fred would require
O(n ^ (L-2)) modular exponentiations, where the length of the above route is
3. For each additional person in the onion route, Fred needs to encrypt
each result from #4 with one additional public key with appropriate
appended string designating the receiver. He does not know which keys to
use or which final result to use and thus must perform n modular
exponentiations for each result from #4. This gives n*2n = 2n^2 for onion
routes of length 4.

We can fix this problem by making the following simple modification.
Alice includes an additional random string RA into her message. This
random string can be of fixed length.

EKAF [ EKUF ["send to: Holly" | EKUH ["send to: Cathy" | EKUC ["Here it
is:" | 1 | RA|RA]]]]

When Cathy receives the final message, she writes only 1|RA on the board.
Cathy knows how many characters to leave out because the random string is
of fixed length. Now Fred cannot reconstruct the message he sends Holly
from any of the final responses written on the board.

CS 655 University of Virginia
Department of Computer Science
CS 588: Cryptology - Principles and Applications
David Evans