NDSS

Finding Safety in Numbers with Secure Allegation Escrows

Venkat Arun (Massachusetts Institute of Technology), Aniket Kate (Purdue University), Deepak Garg (Max Planck Institute for Software Systems), Peter Druschel (Max Planck Institute for Software Systems), Bobby Bhattacharjee (University of Maryland)

For fear of retribution, the victim of a crime may be willing to
report it only if other victims of the same perpetrator
also step forward. Common examples include identifying oneself as the
victim of sexual harassment by a person in a position of authority or
accusing an influential politician, an authoritarian government or
one's own employer of corruption. To handle such situations, legal
literature has proposed the concept of an allegation escrow, a
neutral third-party that collects allegations anonymously, matches
allegations against each other, and de-anonymizes allegers only after
de-anonymity thresholds (in terms of number of co-allegers),
pre-specified by the allegers, are reached.

An allegation escrow can be realized as a single trusted third party;
however, this party must be trusted to keep the identity of the alleger
and content of the allegation private. To address this problem,
this paper introduces Secure Allegation Escrows (SAE, pronounced "say"). A
SAE is a group of parties with independent interests and motives,
acting jointly as an escrow for collecting allegations from
individuals, matching the allegations, and de-anonymizing the
allegations when designated thresholds are reached. By design, SAEs
provide a very strong property: fewer than a majority of the parties
constituting a SAE cannot de-anonymize or disclose the content of an
allegation unless a sufficient number of matching allegations exists (even
in collusion with any number of other allegers). Once a sufficient
number of matching allegations exist, all parties can simultaneously
disclose the allegation with a verifiable proof of the allegers'
identities. We describe how SAEs can be constructed using a novel
authentication protocol and a novel allegation matching and bucketing
algorithm, provide formal proofs of the security of our constructions,
and provide an evaluation of a prototype implementation, demonstrating
feasibility in practice.
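As an added illustration (not the paper's construction), the model below uses Shamir secret sharing, a technique the abstract does not name, to show the two thresholds at work: a majority of escrow parties is needed to open any identity, and an identity is opened only once the alleger's own co-alleger threshold is met. The matching key (`"perp-A"` etc.) is assumed visible to the escrow here, a simplification the real SAE matching protocol avoids; the scenario in `demo()` is constructed.

```python
import secrets
P = 2**127 - 1  # prime modulus; all share arithmetic is in GF(P)

def _poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def share(secret, n, t):
    """Split secret into n Shamir shares; any t reconstruct, t-1 learn nothing."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]

def reconstruct(shares):
    """Lagrange interpolation at x = 0 over GF(P)."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num, den = num * -xj % P, den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

class Escrow:
    """n parties; a majority (n // 2 + 1) must cooperate to open any identity."""
    def __init__(self, n_parties):
        self.n, self.t, self.buckets = n_parties, n_parties // 2 + 1, {}
    def file(self, key, alleger_id, threshold):
        # threshold: matching allegations (own included) the alleger requires
        self.buckets.setdefault(key, []).append(
            {"shares": share(alleger_id, self.n, self.t), "thr": threshold})
    def disclose(self, key, parties):
        """Identities the cooperating parties (1-based indices) can open for key."""
        bucket = self.buckets.get(key, [])
        if len(parties) < self.t:  # fewer than a majority: shares reveal nothing
            return []
        opened = []
        for a in bucket:
            if len(bucket) >= a["thr"]:  # this alleger's co-alleger threshold is met
                subset = [s for s in a["shares"] if s[0] in parties]
                opened.append(reconstruct(subset[:self.t]))
        return sorted(opened)

def demo():
    esc = Escrow(5)  # constructed scenario: 5 escrow parties, majority is 3
    esc.file("perp-A", 1001, threshold=2)
    esc.file("perp-B", 2002, threshold=3)
    esc.file("perp-A", 1003, threshold=3)
    return (esc.disclose("perp-A", [1, 2]),       # minority of parties: nothing
            esc.disclose("perp-A", [1, 2, 3]),    # 1001 opens (2 >= 2), 1003 waits
            esc.disclose("perp-B", [2, 3, 4, 5])) # one allegation, threshold 3
```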