riposte an anonymous messaging system that hides the
play

Riposte: an Anonymous Messaging System that 'Hides the Metadata' - PowerPoint PPT Presentation

Nov 02, 2023 •776 likes •1.85k views

Riposte: an Anonymous Messaging System that 'Hides the Metadata' Henry Corrigan-Gibbs Joint work with Dan Boneh and David Mazires To appear at IEEE Security and Privacy 2015 Charles River Crypto Day 20 February 2015 1 With PKE, we can

  1. DPF Correctness Eval x 1 q 1 en ( m, ` ) + x 2 Eval q 2 … KeyGen ( … … + x k Eval q k = 0 0 m 0 0 0 54

  2. (k,t)-Distributed Point Functions (k,t)- Privacy : Can simulate the distribution of any subset S of at most t DPF keys ( q 1 , . . . , q k ) ← KeyGen ( m, ` ) ∀ S ⊂ [ k ] { q i } i ∈ S ≈ c Sim ( S ) s.t. | S | ≤ t [ Intuition : t keys leak nothing about m or ] 55

  3. S X S Y 0 0 Eval ( ) Eval ( ) 0 0 0 0 0 0 0 0 DPFs Reduce Bandwidth Cost 56

  4. S X S Y 0 r 1 - r 1 0 0 r 2 - r 2 0 0 r 3 m A - r 3 0 0 r 4 - r 4 0 0 r 5 -r 5 0 DPFs Reduce Bandwidth Cost 57

  5. Alice sends 
 bits 58

  6. Challenge 1: Bandwidth Efficiency We show: a ( k , t )-private DPF yields a k -server write-anonymous DB scheme tolerating up to t malicious servers I will present a (2,1)-DPF with O(L 1/2 )-length keys based on PIR of Chor and Gilboa (’97) 59

  7. (2,1)-DPF Construction Idea : – Represent Eval() output as a matrix – Keys can be length of side 60

  8. (2,1)-DPF Construction 61

  9. (2,1)-DPF Construction Output will sum to Idea : – Represent Eval() output as a matrix m at = ( i , j ) – Keys can be length of row 62

  10. (2,1)-DPF Construction Sampled at F 2 Using as the field random √ Key = ( b , k , v ), where each has length O ( L ) 0 k 1 0 k 1 1 k 2 0 k 2 * 1 k 3 1 k 3 0 k 4 0 k 4 1 k 5 1 k 5 v v 63

  11. (2,1)-DPF Construction G() is a PRG mapping keys k to L 1/2 bits G(k 1 ) 0 k 1 0 k 1 G(k 1 ) 1 k 2 G(k 2 ) G(k 2 *) 0 k 2 * 1 k 3 G(k 3 ) 1 k 3 G(k 3 ) G(k 4 ) 0 k 4 0 k 4 G(k 4 ) 1 k 5 G(k 5 ) 1 k 5 G(k 5 ) v v 64

  12. (2,1)-DPF Construction G(k 1 ) 0 k 1 0 k 1 G(k 1 ) 1 k 2 G(k 2 ) + v G(k 2 *) 0 k 2 * 1 k 3 G(k 3 ) + v 1 k 3 G(k 3 ) + v G(k 4 ) 0 k 4 0 k 4 G(k 4 ) 1 k 5 G(k 5 ) + v 1 k 5 G(k 5 ) + v v v 65

  13. (2,1)-DPF Construction Outputs are equal everywhere except at row 2 G(k 1 ) 0 k 1 0 k 1 G(k 1 ) 1 k 2 G(k 2 ) + v G(k 2 *) 0 k 2 * 1 k 3 G(k 3 ) + v 1 k 3 G(k 3 ) + v G(k 4 ) 0 k 4 0 k 4 G(k 4 ) 1 k 5 G(k 5 ) + v 1 k 5 G(k 5 ) + v v v 66

  14. (2,1)-DPF Construction Outputs sum to zero everywhere except at row 2 G(k 1 ) 0 k 1 0 k 1 G(k 1 ) 1 k 2 G(k 2 ) + v G(k 2 *) 0 k 2 * 1 k 3 G(k 3 ) + v 1 k 3 G(k 3 ) + v G(k 4 ) 0 k 4 0 k 4 G(k 4 ) 1 k 5 G(k 5 ) + v 1 k 5 G(k 5 ) + v v v 67

  15. (2,1)-DPF Construction Construct v as: v = G(k 2 ) + G(k 2 *) + m " e j G(k 1 ) 0 k 1 0 k 1 G(k 1 ) 1 k 2 G(k 2 ) + v G(k 2 *) 0 k 2 * 1 k 3 G(k 3 ) + v 1 k 3 G(k 3 ) + v G(k 4 ) 0 k 4 0 k 4 G(k 4 ) 1 k 5 G(k 5 ) + v 1 k 5 G(k 5 ) + v v v 68

  16. G(k 1 ) G(k 1 ) 00000…00000 G(k 2 ) + v G(k 2 *) 0000000 m 000 + = G(k 3 ) + v G(k 3 ) + v 00000…00000 G(k 4 ) G(k 4 ) 00000…00000 G(k 5 ) + v G(k 5 ) + v 00000…00000 69

  17. Challenge 1: Bandwidth Efficiency • Brings comm cost down to O ( L 1/2 ) – Just requires PRG — fast! • Recursive application of the same trick – Key size down to polylog( L ) [GI’14] 0 k 1 1 k 2 1 k 3 v 0 k 4 1 k 5 70

  18. New DPF Construction Given a seed-homomorphic PRG G( s 1 ) + G( s 2 ) = G( s 1 + s 2 ) we build a (k, k-1)-private DPF 
 [NPR’99] [BLMR’13] [BP’14] [BV’15] 
 ! Privacy holds even if all but 
 one server is adversarial 71

  19. Limitations of the “Straw man” 1. O( L ) communication cost 2. Collisions 3. Malicious clients 72

  20. Challenge 2: Collisions • Clients pick write location at random • Two honest clients may write into 
 the same location � 0 0 0 0 0 73

  21. Challenge 2: Collisions • Clients pick write location at random • Two honest clients may write into 
 the same location � 0 0 m A 0 0 74

  22. Challenge 2: Collisions • Clients pick write location at random • Two honest clients may write into 
 the same location � 0 0 m A + m B 0 0 75

  23. Challenge 2: Collisions • Clients pick write location at random • Two honest clients may write into 
 the same location � 0 0 Instead of getting m A , 
 m A + m B m B , get the sum 0 m A + m B 0 76

  24. Challenge 2: Collisions Straightforward solution : Key idea: even Make DB table large enough 
 after a collision, to avoid collisions learn the sum of colliding writes Better solution : c = m 1 + m 2 Use coding techniques to recover from 
 up to d -way collisions 77

  25. Challenge 2: Collisions Idea : To handle 2-collisions, can 
 code message m as: (m, m 2 ) [Let ] After a 2-collision, DBs recover the values: c 1 = m 1 + m 2 c 2 = m 2 1 + m 2 2 Given c 1 and c 2 can recover m 1 and m 2 78

  26. Challenge 2: Collisions Using coding technique, can tolerate 
 Reduces table d -collisions for any d size by 93% For 1% loss rate, 1k users: Naive method: 100k cells Coding method: 6.9k cells 79

  27. Limitations of the “Straw man” 1. O( L ) communication cost 2. Collisions 3. Malicious clients 80

  28. One malicious S X S Y client can corrupt r 1 - r 1 the entire DB! r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 a 1 b 1 Challenge 3: a 2 b 2 Malicious a 3 b 3 Clients a 4 b 4 a 5 b 5 81

  29. Challenge 3: Malicious Client Goal : Prevent evil client from destroying DB • One way to solve this is with NIZKs – Expensive public-key crypto [Golle Juels ‘04] • More efficient solution: – Add a third non-colluding “audit” server to get honest majority – Fast, info-theoretic MPC techniques [GMW’87], [CCD’88], [FNW’96] 82

  30. Auditor DB Server X DB Server Y 83

  31. Auditor DB Server X DB Server Y 84

  32. Auditor DB Server X DB Server Y 85

  33. 0 k 1 0 k 1 Auditor Auditor 1 k 2 0 k 2 * 1 k 3 1 k 3 v v 0 k 4 0 k 4 1 k 5 1 k 5 DB Server X DB Server Y 86

  34. 0 k 1 0 k 1 Auditor Auditor 1 k 2 0 k 2 * 1 k 3 1 k 3 0 k 4 0 k 4 1 k 5 1 k 5 DB Server X DB Server Y 87

  35. 0 | k 1 0 | k 1 Auditor Auditor 1 | k 2 0 | k 2 * 1 | k 3 1 | k 3 0 | k 4 0 | k 4 1 | k 5 1 | k 5 DB Server X DB Server Y 88

  36. Auditor a 1 a 2 a 3 b 1 b 2 b 3 DB Server X DB Server Y 89

  37. Auditor a 1 a 2 a 3 b 1 b 2 b 3 offset DB Server X DB Server Y 90

  38. Auditor a 3 a 1 b 2 b 3 b 1 a 2 offset DB Server X DB Server Y 91

  39. Auditor a 3 a 1 b 2 b 3 b 1 a 2 h 1 , h 2 , h 3 DB Server X DB Server Y 92

  40. Auditor h 3 ( a 3 ) h 1 ( a 1 ) h 2 ( b 2 ) h 3 ( b 3 ) h 1 ( b 1 ) h 2 (a 2 ) h 1 , h 2 , h 3 DB Server X DB Server Y 93

  41. Auditor h 3 ( a 3 ) h 1 ( a 1 ) h 2 ( b 2 ) h 3 ( b 3 ) h 1 ( b 1 ) h 2 ( a 2 ) DB Server X DB Server Y 94

  42. Auditor h 2 ( b 2 ) h 3 ( b 3 ) h 1 ( b 1 ) h 2 ( a 2 ) h 3 ( a 3 ) h 1 ( a 1 ) DB Server X DB Server Y 95

  43. Equal almost Auditor everywhere? r 1 r 2 r 3 r 1 r 2 r 3 96

  44. Auditor DB Server X DB Server Y 97

  45. Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation • Conclusions 98

  46. Implementation • Implemented the full protocol in Go – 2 DB servers + 1 audit server • Ran perf evaluation on a network testbed simulating real-world net conditions 99

  47. Bottom-Line Result • For a DB with 65,000 Tweet-length rows, can process 30 writes/second • Can process 1,000,000 writes in 8 hours on a single server # Main bottleneck is PRG expansion 100

Recommend

Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, Dan

Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, Dan

Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, Dan Boneh, and David Mazires Stanford University IEEE Security and Privacy 18 May 2015 1 With encryption, we can hide the data but

484 views • 46 slides
Dissent: Accountable Anonymous Group Messaging Henry

Dissent: Accountable Anonymous Group Messaging Henry

Dissent: Accountable Anonymous Group Messaging Henry Corrigan-Gibbs and Bryan Ford Department of Computer Science Yale University 17 th ACM Conference on

879 views • 65 slides
Proac&vely Accountable Anonymous Messaging in Verdict Henry

Proac&vely Accountable Anonymous Messaging in Verdict Henry

Proac&vely Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale

966 views • 85 slides
Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung

Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung

Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung Matei Zaharia Nickolai Zeldovich SOSP 2017 Previous talk: Anonymous broadcast This talk: Private messaging Alice Bob Problem: Communication

725 views • 50 slides
HIDES (September 22, 2012): Hides Gas Development Company Ltd has reaffirmed it commitment to

HIDES (September 22, 2012): Hides Gas Development Company Ltd has reaffirmed it commitment to

MEDIA RELEASE HIDES GAS DEVELOPMENT COMPANY LIMITED CONTINUES TO SUPPORT HUMAN RESOURCE DEVELOPMENT IN THE HELA PROVINCE HIDES (September 22, 2012): Hides Gas Development Company Ltd has reaffirmed it commitment to support human resource

421 views • 3 slides
Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

933 views • 14 slides
WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable Messaging Distributed Message Brokers WSO2 MB Architecture o Distributed Pub/sub architecture o Distributed Queues architecture User Story

1.12k views • 33 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable.

Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable.

Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable. start . welcome BUS BULLETIN THE COMPANY We saw an opportunity to streamline the communications with school districts around the country. By

401 views • 18 slides
Anonymous Paper-Review System Reporter: Group: Peer

Anonymous Paper-Review System Reporter: Group: Peer

Anonymous Paper-Review System Reporter: Group: Peer review of scholarly papers is seen to be a critical step in the publication of high quality outputs in reputable journals. Defects with the mechanism:

501 views • 20 slides
YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I here? Hundreds of product launches. Dozens of corporate launches. One top-funded Kickstarter campaign The Tool: The Message Map

655 views • 22 slides
A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social

A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social

Introduction Social Multicast Summary A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social Multicast Summary Design goals A social messaging system, which is scalable extensible end-to-end

348 views • 18 slides
I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger and Ian Goldberg Secure Messaging 2 Secure Messaging All-Verifier Deniable Anonymous Authentication End-to Authentication End Zone

776 views • 48 slides
Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Two cool ideas: Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons and/or menu items in your VectorGraphics project Three approaches for responding to the events from selecting those buttons /

406 views • 6 slides
SLACK BASICS Introducing Slack Group messaging system with the persistence,

SLACK BASICS Introducing Slack Group messaging system with the persistence,

TAKE CONTROL OF SLACK BASICS Introducing Slack Group messaging system with the persistence, searchability, and chronology of email Extensible with bots and integrations that bring third-party services into Slack Both free and

301 views • 13 slides
12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship

12-STEP PROGRAMS Alcoholics Anonymous The Preamble Alcoholics Anonymous is a fellowship of men and women who share their experience, strength and hope with each other that they may solve their common problem and help others to recover

1.11k views • 76 slides
Say Something Anonymous Reporting System (SSARS) February 7, 2019 Dr. Ashley Janosko Mr. Kevin

Say Something Anonymous Reporting System (SSARS) February 7, 2019 Dr. Ashley Janosko Mr. Kevin

Say Something Anonymous Reporting System (SSARS) February 7, 2019 Dr. Ashley Janosko Mr. Kevin Morra Dr. Richard Noonan Background DISTRICT STRATEGIC PLAN To meet this newly added goal of the STUDENT & STAFF WELLNESS Strategic

1.22k views • 6 slides
BBM Messaging is the new social media More than 85% of 13-34 year olds use messaging apps every

BBM Messaging is the new social media More than 85% of 13-34 year olds use messaging apps every

BBM Messaging is the new social media More than 85% of 13-34 year olds use messaging apps every day Why 13-34 year olds love messaging 1. Trust Young adults dont trust social networks 2. Intimacy They want to be able to share

465 views • 34 slides
The Food System has Tiers From Small to Large Global Anonymous Aggregation and distribution

The Food System has Tiers From Small to Large Global Anonymous Aggregation and distribution

The Food System has Tiers From Small to Large Global Anonymous Aggregation and distribution Cargill, Tyson, Walmart Large Volume Aggregation and distribution Sysco, Reinhart, Martin Brothers, HyVee, Fareway Strategic Partners In Supply

376 views • 15 slides
Grid Messaging System Wojciech Czech AGH University of Science and Technology, Krakw Openlab

Grid Messaging System Wojciech Czech AGH University of Science and Technology, Krakw Openlab

Grid Messaging System Wojciech Czech AGH University of Science and Technology, Krakw Openlab Summer Student Program 30th August 2007 Introduction Message brokers - Active MQ Performance tests Outline Integration with SAM

237 views • 23 slides
POST: A Secure, Resilient, Cooperative Messaging System A. Mislove, A. Post, C. Reis, P.

POST: A Secure, Resilient, Cooperative Messaging System A. Mislove, A. Post, C. Reis, P.

POST: A Secure, Resilient, Cooperative Messaging System A. Mislove, A. Post, C. Reis, P. Willmann, P. Druschel, D. S. Wallach Rice University X. Bonnaire, P. Sens, J.-M. Busca, L. Arantes-Bezerra University of Paris 6 (LIP6) HotOS 2003 1

197 views • 16 slides
Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The

Cocaine Anonymous A Presentation to Professionals Presentation Contents Our Aims Today The CA Group Cocaine Anonymous Is The 12 Steps Cocaine Anonymous Is Not Spirituality History of Cocaine Anonymous Sponsorship

700 views • 37 slides
Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and

Remote Side-Channel Attacks on Anonymous Transactions In Zcash & Monero Florian Tramr and Dan Boneh and Kenny Paterson USENIX Security Symposium Meet Alice the Anonymous Activist Blogger PK A anonymous 2 Alices Lack of Privacy Send

395 views • 21 slides
Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr

Task Computability in Unreliable Anonymous Networks Nayuta Yanagisawa DeNA Co., Ltd. Petr Kuznetsov Telecom ParisTech I am here to talk about ... the computability issues of failure-prone anonymous broadcast models. Anonymous Model

660 views • 21 slides

More recommend