Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, Dan Boneh, and David Mazières Stanford University IEEE Security and Privacy 18 May 2015 1
With encryption, we can hide the data… …but does that ?!? hide enough? pk (pk, sk) 0VUIC9zZW5zaXRpdmU 2
Time From To Size 10:12 Alice Bob 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B … ¡ [cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013] 3
Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B Hiding the data is necessary, but not sufficient … ¡ [cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013] 4
Goal The “Anonymity Set” 5
Goal 6
Goal 7
DBs do not learn Goal who wrote which message 0 To: taxfraud@stanford.edu 0 + Protest will be held tomo… See my cat photos at w… 0 8
Building block for systems related to “hiding the metadata” à Anonymous Twitter à Anonymous surveys à Private messaging, etc. 9
Low-latency anonymity systems (e.g., Tor) … do not protect against a global adversary Mix-nets … require expensive ZKPs to protect against active attacks Riposte is an anonymous messaging system that: • protects against a near-global active adversary • handles millions of users in an “anonymous Twitter” system 10
Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 11
S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” Non-colluding Scheme servers [Chaum ‘88] 12
S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” Scheme 13
S X S Y 0 0 0 0 0 0 0 0 0 0 Write msg m A into DB row 3 “Straw man” m A ∈ F Scheme 14
S X S Y 0 0 0 0 0 0 0 0 0 0 0 0 “Straw man” m A Scheme 0 0 15
S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 0 r 2 “Straw man” m A r 3 Scheme 0 r 4 0 r 5 16
S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 0 r 2 - r 2 - “Straw man” = m A r 3 m A - r 3 Scheme 0 r 4 - r 4 0 r 5 -r 5 17
S X S Y 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 r 2 - r 2 “Straw man” r 3 m A - r 3 Scheme r 4 - r 4 r 5 -r 5 18
S X S Y 0 0 - r 1 r 1 0 0 - r 2 r 2 0 0 m A - r 3 r 3 0 0 - r 4 r 4 0 0 -r 5 r 5 “Straw man” Scheme 19
S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 “Straw man” Scheme 20
S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 0 “Straw man” 0 Scheme 0 m B 21
S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 s 1 - s 1 0 s 2 - s 2 - “Straw man” = 0 s 3 - s 3 Scheme 0 s 4 - s 4 m B s 5 m B - s 5 22
S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 s 1 - s 1 s 2 - s 2 “Straw man” s 3 - s 3 Scheme s 4 - s 4 s 5 m B - s 5 23
S X S Y r 1 - r 1 s 1 - s 1 r 2 - r 2 s 2 - s 2 r 3 - r 3 + m A s 3 - s 3 r 4 - r 4 s 4 - s 4 r 5 - r 5 s 5 m B - s 5 “Straw man” Scheme 24
S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” Scheme 25
S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” Scheme 26
S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” Scheme 27
S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” Scheme 28
S X S Y r 1 + s 1 - r 1 - s 1 0 r 2 + s 2 - r 2 - s 2 0 + = r 3 + s 3 - r 3 - s 3 + m A m A r 4 + s 4 - r 4 - s 4 0 r 5 + s 5 - r 5 - s 5 - m B m B At the end of the “Straw man” day, servers Scheme combine DBs to reveal plaintext 29
First-Attempt Scheme: Properties “Perfect” anonymity as long as servers don’t collude • Can use k servers to protect against k -1 collusions Unlike a mix-net, Practical efficiency: storage cost is almost no “heavy” constant in the computation involved anonymity set size 30
Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 31
Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions – Malicious clients – O( L ) communication cost • Evaluation 32
Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions in the paper – Malicious clients ¡ – O( L ) communication cost • Evaluation 33
Challenge: Bandwidth Efficiency In “straw man” design, client sends DB-sized vector to s 1 each server s 2 Idea : use a cryptographic s 3 trick to compress the vectors s 4 à Based on PIR protocols s 5 [Ostrovsky and Shoup 1997]
Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = 0 0 m 0 0 0 [Gilboa and Ishai 2014] 35
Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = Privacy: A subset of 0 0 m 0 0 0 keys leaks nothing [Gilboa and Ishai 2014] about message or l � 36
S X S Y 0 0 Eval ( ) Eval ( ) 0 0 0 0 0 0 0 0 DPFs Reduce Bandwidth Cost 37
S X S Y 0 r 1 - r 1 0 0 r 2 - r 2 0 0 r 3 m A - r 3 0 0 r 4 - r 4 0 0 r 5 -r 5 0 DPFs Reduce Bandwidth Cost 38
Alice sends L 1/2 bits (instead of L ) • Two-server version just uses AES (no public-key crypto) • With fancier crypto, privacy holds even if all but one server is malicious [Chor and Gilboa 1997] [Gilboa and Ishai 2014]
Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation 40
Bottom-Line Result • Implemented the protocol in Go • For a DB with 65,000 Tweet-length rows, can process 30 writes/second • Can process 1,000,000 writes in 8 hours on a single server è Completely parallelizable workload 41
At large table Throughput sizes, AES cost (anonymous Twitter) dominates 42
Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:15 Bob Alice 567 B 10:17 Carol Bob 450 B 10:22 Dave Alice 9382 B 43
Time From To Size 10:12 Alice Riposte Server 207 KB 10:15 Bob Riposte Server 207 KB 10:17 Carol Riposte Server 207 KB 10:22 Dave Riposte Server 207 KB ?!? 44
Conclusion In many contexts, “hiding the metadata” is as important as hiding the data Combination of crypto tools with systems design è 1,000,000-user anonymity sets Next step: Better performance at scale 45
46
Recommend
More recommend