making strong
play

Making Strong Anonymity Scale David Wolinsky 1 , Henry Corrigan-Gibbs - PowerPoint PPT Presentation

Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1 , Henry Corrigan-Gibbs 1 , Bryan Ford 1 , and Aaron Johnson 2 1 Yale University, 2 US Naval Research Laboratory Motivation Strength in Numbers Meet tonight at 7 PM in the


  1. Dissent in Numbers: Making Strong Anonymity Scale David Wolinsky 1 , Henry Corrigan-Gibbs 1 , Bryan Ford 1 , and Aaron Johnson 2 1 Yale University, 2 US Naval Research Laboratory

  2. Motivation – Strength in Numbers Meet tonight at 7 PM in the park for pizza and beer! Bob, you’re going be spending some time in the slammer!

  3. Motivation – Strength in Numbers Meet tonight at 7 PM in the park for pizza and beer! All of you going to be spending time in the slammer!!!

  4. Motivation – Strength in Numbers

  5. Motivation – Strength in Numbers Meet tonight at 7 PM in the park for pizza and beer! Ugh, we can’t put them all in Jail… This party is over go home!!!

  6. Making Strong Anonymity Scale? • Challenge – tradeoff between scale and strength in anonymity systems favoring scale • Goals • Strong anonymity (timing analysis resistant) • Scalability (100s to 1,000s of active participants) • Churn tolerant (unannounced member departures) • Accountability Achieved in Dissent!

  7. Organization • Motivation • Existing Approaches • Dissent – Strong, Scalable Anonymity • Computational efficiency • Communication efficiency • Churn tolerant • Anonymity • Accountability • Evaluation • Conclusions

  8. Organization • Motivation • Existing Approaches • Dissent – Strong, Scalable Anonymity • Computational efficiency • Communication efficiency • Churn tolerant • Anonymity • Accountability • Evaluation • Conclusions

  9. Tor – The Onion Router Tor is scalable, supports more than 400,000 clients with 1,000 clients per server Server 02 Server 00 Server 01 Meet tonight at 7 Server 10 Server 11 Server 12 PM in the park for pizza and beer! Bob Public Server Server 22 Server 20 Server 21 Anonymizing Relays

  10. Tor – The Onion Router Server 02 Server 00 Server 01 Not timing analysis resistant! time Meet tonight at 7 Server 10 Server 11 Server 12 PM in the park for pizza and beer! Aha! Got you! Bob Public Server Server 22 Server 20 Server 21 time Anonymizing Relays State-run ISP

  11. DC-net Cleartext message Traffic analysis resistant since all member transmit 1 equal length messages Alice Bob Carol

  12. DC-net Cleartext message Traffic analysis resistant since all member transmit 1 equal length messages 1 1 0 1 Alice Bob 1 0 0 0 Carol

  13. Practical Considerations Mix-nets Tor DC-nets Strong anonymity √ √ √ 1 Scalability √ Churn tolerant √ √ √ 2 Accountability • Mix-nets / Shuffles – Chaum, Neff, Wikstrom • Onion Routing – Tor and I2P • DC-nets – 1 Herbivore and 2 Dissent v1 • Herbivore supported many concurrent users but distributed amongst many parallel DC-nets thus lacks the “Strength in Numbers” or large anonymity set sizes

  14. Organization • Motivation • Existing Approaches • Dissent – Strong, Scalable Anonymity • Computational efficiency • Communication efficiency • Churn tolerant • Anonymity • Accountability • Evaluation • Conclusions

  15. Key Insight Crystal Brett Anna Ben Bob Alice Amy Carol

  16. Use DC-net style Key Insight anonymity within the Mix-net topology to Server 1 obtain scalability! Server 2 Server 0 Barry Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett

  17. Making Strong Anonymity Scale! • Challenge – tradeoff between scale and strength in anonymity systems favoring scale • Dissent’s solution • Improving Computation Efficiency • Improving Communication Efficiency • Handling Churn • Identifying Disruptions • Maintaining Strong Anonymity

  18. Improving Computational Efficiency

  19. Computational Overhead Computation overhead due to O(N 2 ) secret shares Crystal Brett Crystal Ben Anna Bob Carol Amy Alice Anna Ben Bob Alice Amy Carol

  20. N = 100, Computational Overhead 4950 shared secrets, 9900 RNG operations Computation 5.5 ms/peer overhead due to O(N 2 ) secret shares Crystal Brett Crystal Ben Anna Bob Server 1 Carol Amy Alice Anna Cleartext Ben Server 0 Ciphertext Server 2 Bob Alice Amy Carol

  21. Computational Improvement With M servers and N Server 1 clients… O(M*N) shared Server 2 secrets with M << N Server 0 Each server has N secrets RNG reduction: 1000 << 9900 Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett N = 100 and M = 5, Each client 500 shared secrets, has M secrets 1000 RNG operations

  22. Improving Communication Efficiency

  23. Bandwidth Overhead N = 100, Ciphertexts exchanged in DC-nets: 9900 Computation overhead due to O(N 2 ) secret shares Crystal Brett Bandwidth overhead due to O(N 2 ) communication Anna Ben Crystal Ben Anna Bob Brett Carol Amy Alice Bob Cleartext Alice Amy Carol

  24. Bandwidth Efficiency Brett Earlier DC-nets had O(N 2 ) Bob Alex Christine communication cost Crystal Server 1 Anna Barry Amy Server 2 Ben Server 1 Carol Server 2 We can construct Alice Server 2 Server 1 Server 0 Server 0 a DC-net aware multicast tree! Server 0 Barry Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett Clients submit their ciphertext upstream to one server

  25. Bandwidth Efficiency Earlier DC-nets had O(N 2 ) communication cost Server 1 Server 0 Server 0 Server 1 Server 1 Server 0 Server 2 Server 2 We can construct Server 1 Server 2 Server 0 Server 2 a DC-net aware Cleartext Cleartext multicast tree! Cleartext N = 100 and M = 5 Ciphertexts exchanged in DC-nets: 9900, Dissent: 205 Barry Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett Clients submit their Servers XOR these Servers XOR these ciphertext upstream to messages to compute the messages together and one server cleartext and distribute it to share with each other their downstream clients

  26. Creating Churn Tolerance

  27. The resulting cleartext Churn Intolerance is garbage due to the dependency on Alice’s Computation secret shares overhead due to O(N 2 ) secret shares Crystal Brett Bandwidth overhead due to O(N 2 ) communication What if Alice left without transferring? Anna Ben Crystal Ben Anna Bob Brett Carol Amy Alice Bob Garbage Alice Amy Carol

  28. The protocol continues Tolerating Churn Server 1 will uninterrupted, since the timeout on Alex servers have yet to compute Server 1 their ciphertext Server 2 Server 0 Barry Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett

  29. Handling Disruptions via Accountability…

  30. DC-net Easily disrupted 1 1 1 0 1 Alice Bob 1 0 0 0 Carol

  31. DC-net – Disruptions Easily disrupted 1 x 1 1 1 0 1 0 Alice Bob 1 0 0 0 How can we prove Bob 0 transmitted the wrong ciphertext without losing anonymity? Carol

  32. How do many members Scheduling share the DC-net without disrupting each other? Anonymizing shuffle produces random Create a permutation and transmission hence the schedule schedule! Bob Carol Alice Key Alice Key Carol Shuffle Key Bob Key Alice Key Carol Key Bob DC-net Slot Carol Slot Alice Slot Bob

  33. DC-net Integrity check (parity bit) 111 x 101 111 110 000 Alice Bob 010 010 110 100 Integrity check failed! Carol

  34. DC-net 111 x 101 111 110 000 Alice Bob 010 010 110 To determine the disruptor Alice needs to 100 anonymously specify a bit that the disruptor “flipped” from 0 -> 1 Carol

  35. Safely Deanonymize a Bit Bob Carol Alice {Bit 1 } Alice 0 Shuffle 0 {Bit 1 } Alice 0 0

  36. DC-net In practice, this is a bit more complicated though the details are in the paper. 111 101 1 with Bob 1 with Alice 1 with Carol 0 with Carol 111 110 000 Alice Bob 010 110 100 1 with Alice 1 with Bob Carol

  37. DC-net In practice, this is a bit more complicated though the details are in the paper. 111 101 1 with Bob 1 with Alice 1 with Carol 0 with Carol 111 110 000 Alice Bob If Carol reveals the shared 010 110 secret, Alice can confirm that Bob disrupted the previous round 100 1 with Alice 1 with Bob Carol

  38. Progress! • We have gained • Improvements in computation and communication • Ability to tolerate churn • Identify disruptors • How does this impact strong anonymity?

  39. DC-net – Anonymity Set Anonymity set size: 8 Anonymity set size: 4 (Honest participants) (Honest participants) Crystal Brett Anna Ben Bob Alice Amy Carol

  40. Dissent retains this feature…

  41. Anonymity set size: 11 Anonymity set size: 7 Dissent – Anonymity Set (Honest participants) (Honest participants) Server 1 Server 2 Server 0 Barry Anna Ben Christine Alice Carol Alex Crystal Bob Amy Brett Secret sharing graph Anonymity set remains prevents the clients equal as long as there upstream server from is 1 honest server deanonymizing it

  42. Organization • Motivation • Existing Approaches • Dissent – Strong, Scalable Anonymity • Computational efficiency • Communication efficiency • Churn resistance • Anonymity • Accountability • Evaluation • Conclusions

  43. Dissent – Prototype • Written in C++ • Qt from networking, serialization, and events processing • Crypto++ as the crypto library

  44. Related Work Herbivore TR‘03 Evaluated only up to 40 members Dissent CCS’10

  45. Scaling to Thousands of Clients CPU Overheads Bandwidth limitations Latency limited 1,000 clients ~1 second > 5,000 concurrent clients!!

  46. CPU Time 5.5 ms/client

Recommend


More recommend