SATE: Robust and Private Allegation Escrows
share
For fear of retribution, the victim of a crime may be willing to report the crime only if others victimized by the same perpetrator also step forward. Common examples include identifying oneself as the victim of sexual harassment by a person in a position of authority or accusing an influential politician, an authoritarian government or ones own employer of corruption. To handle such situations, legal literature has proposed the concept of an allegation escrow, a neutral third-party that collects allegations anonymously, matches allegations against each other, and de-anonymizes allegers only after de-anonymity thresholds (in terms of number of allegers), pre-specified by the allegers, are reached. An allegation escrow can be realized as a single trusted third party; however, such a party is exposed to attacks on the confidentiality of accusations and the anonymity of accusers. To address this problem, this paper introduces split, anonymizing, threshold escrows (SATEs). A SATE is a group of parties with independent interests and motives, acting jointly as an escrow for collecting allegations from individuals, matching the allegations, and revealing the allegations when designated thresholds are reached. By design, SATEs provide a very strong property: No less than a majority of parties constituting a SATE can de-anonymize or disclose the content of an allegation without a sufficient number of matching allegations (even in collusion with any number of other allegers). Once a sufficient number of matching allegations exist, all parties can simultaneously disclose the allegation with a verifiable proof of the allegers' identities. We describe how SATEs can be constructed using a novel anonymous authentication protocol and an allegation thresholding and matching algorithm. We give formal proofs of the security, and evaluate a prototype implementation, demonstrating feasibility in practice.
READ FULL TEXT