Riposte: An Anonymous Messaging System Handling Millions of Users - PowerPoint PPT Presentation


 Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, 
 Dan Boneh, and David Mazières Stanford University IEEE Security and Privacy 18 May 2015 1

With encryption, we 
 can hide the data… …but does that 
 ?!? hide enough? pk (pk, sk) 0VUIC9zZW5zaXRpdmU 2

Time From To Size 10:12 Alice Bob 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B … ¡ [cf. Ed Felten’s testimony before the House 
 Judiciary Committee, 2 Oct 2013] 3

Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B Hiding the data is necessary, but not sufficient … ¡ [cf. Ed Felten’s testimony before the House 
 Judiciary Committee, 2 Oct 2013] 4

Goal The “Anonymity Set” 5

Goal 6

Goal 7

DBs do not learn Goal who wrote which message 0 To: taxfraud@stanford.edu 0 + Protest will be held tomo… See my cat photos at w… 0 8

Building block for systems related to “hiding the metadata” à Anonymous Twitter à Anonymous surveys à Private messaging, etc. 9

Low-latency anonymity systems (e.g., Tor) … do not protect against a global adversary Mix-nets … require expensive ZKPs to protect against 
 active attacks Riposte is an anonymous messaging system that: • protects against a near-global active adversary • handles millions of users in an 
 “anonymous Twitter” system 10

Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 11


 S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 Non-colluding Scheme 
 servers [Chaum ‘88] 12

S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 Scheme 13

S X S Y 0 0 0 0 0 0 0 0 0 0 Write msg m A into DB row 3 “Straw man” 
 m A ∈ F Scheme 14

S X S Y 0 0 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 m A Scheme 0 0 15

S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 0 r 2 “Straw man” 
 m A r 3 Scheme 0 r 4 0 r 5 16

S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 0 r 2 - r 2 - “Straw man” 
 = m A r 3 m A - r 3 Scheme 0 r 4 - r 4 0 r 5 -r 5 17

S X S Y 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 r 2 - r 2 “Straw man” 
 r 3 m A - r 3 Scheme r 4 - r 4 r 5 -r 5 18

S X S Y 0 0 - r 1 r 1 0 0 - r 2 r 2 0 0 m A - r 3 r 3 0 0 - r 4 r 4 0 0 -r 5 r 5 “Straw man” 
 Scheme 19

S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 “Straw man” 
 Scheme 20

S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 0 “Straw man” 
 0 Scheme 0 m B 21

S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 s 1 - s 1 0 s 2 - s 2 - “Straw man” 
 = 0 s 3 - s 3 Scheme 0 s 4 - s 4 m B s 5 m B - s 5 22

S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 s 1 - s 1 s 2 - s 2 “Straw man” 
 s 3 - s 3 Scheme s 4 - s 4 s 5 m B - s 5 23

S X S Y r 1 - r 1 s 1 - s 1 r 2 - r 2 s 2 - s 2 r 3 - r 3 + m A s 3 - s 3 r 4 - r 4 s 4 - s 4 r 5 - r 5 s 5 m B - s 5 “Straw man” 
 Scheme 24

S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 25

S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 26

S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 27

S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 28

S X S Y r 1 + s 1 - r 1 - s 1 0 r 2 + s 2 - r 2 - s 2 0 + = r 3 + s 3 - r 3 - s 3 + m A m A r 4 + s 4 - r 4 - s 4 0 r 5 + s 5 - r 5 - s 5 - m B m B At the end of the “Straw man” 
 day, servers Scheme 
 combine DBs to reveal plaintext 29

First-Attempt Scheme: Properties “Perfect” anonymity as long as servers don’t collude • Can use k servers to protect against k -1 collusions Unlike a mix-net, Practical efficiency: storage cost is almost no “heavy” constant in the computation involved anonymity set size 30

Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 31

Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions – Malicious clients – O( L ) communication cost • Evaluation 32

Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions in the paper – Malicious clients ¡ – O( L ) communication cost • Evaluation 33

Challenge: Bandwidth Efficiency In “straw man” design, client sends DB-sized vector to s 1 each server s 2 Idea : use a cryptographic s 3 trick to compress the vectors s 4 à Based on PIR protocols s 5 [Ostrovsky and Shoup 1997]

Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = 0 0 m 0 0 0 [Gilboa and Ishai 2014] 35

Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = Privacy: A subset of 0 0 m 0 0 0 keys leaks nothing 
 [Gilboa and Ishai 2014] about message or l � 36

S X S Y 0 0 Eval ( ) Eval ( ) 0 0 0 0 0 0 0 0 DPFs Reduce Bandwidth Cost 37

S X S Y 0 r 1 - r 1 0 0 r 2 - r 2 0 0 r 3 m A - r 3 0 0 r 4 - r 4 0 0 r 5 -r 5 0 DPFs Reduce Bandwidth Cost 38

Alice sends 
 L 1/2 bits (instead of L ) • Two-server version just uses AES (no public-key crypto) • With fancier crypto, privacy holds even if all but one server is malicious [Chor and Gilboa 1997] [Gilboa and Ishai 2014]

Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation 40

Bottom-Line Result • Implemented the protocol in Go • For a DB with 65,000 Tweet-length rows, can process 30 writes/second • Can process 1,000,000 writes in 8 hours on a single server è Completely parallelizable workload 41

At large table Throughput 
 sizes, AES cost (anonymous Twitter) dominates 42

Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:15 Bob Alice 567 B 10:17 Carol Bob 450 B 10:22 Dave Alice 9382 B 43

Time From To Size 10:12 Alice Riposte Server 207 KB 10:15 Bob Riposte Server 207 KB 10:17 Carol Riposte Server 207 KB 10:22 Dave Riposte Server 207 KB ?!? 44

Conclusion In many contexts, “hiding the metadata” is as important as hiding the data Combination of crypto tools with systems design è 1,000,000-user anonymity sets Next step: Better performance at scale 45

46