Users IEEE Security and Privacy 18 May 2015 Henry CorriganGibbs Dan Boneh and David Mazières Stanford University 1 but does that hide enough With encryption we can hide the data ID: 391598
Download Presentation The PPT/PDF document "Riposte: An Anonymous Messaging System H..." is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Riposte: An Anonymous Messaging System Handling Millions of Users
IEEE Security and Privacy18 May 2015
Henry Corrigan-Gibbs,Dan Boneh, and David MazièresStanford University
1Slide2
…but does thathide enough?
With encryption, wecan hide the data…
?!?
0VUIC9zZW5zaXRpdmU
2
(
pk
,
sk
)
pkSlide3
…
Time
FromToSize
10:12
Alice
Bob
2543 B
10:27
Carol
Alice
567 B
10:32
Alice
Bob
450 B
10:35
Bob
Alice
9382 B
3
[cf. Ed
Felten’s
testimony before the House
Judiciary Committee, 2 Oct 2013]Slide4
Time
From
ToSize
10:12
Alice
taxfraud@stanford.edu
2543 B
10:27
Carol
Alice
567 B
10:32
Alice
Bob
450 B
10:35
Bob
Alice
9382 B
[cf. Ed
Felten’s
testimony before the House
Judiciary Committee, 2 Oct 2013]
…
Hiding the data is necessary, but not sufficient
4Slide5
Goal
5
The “Anonymity Set”Slide6
Goal6Slide7
Goal
7Slide8
+
Goal8
0
To:
taxfraud@stanford.edu
0
Protest will be held
tomo
…
See my cat photos at w…
0
DBs
do not
learn who wrote which messageSlide9
9
Building block for systems related
to “hiding the metadata” Anonymous Twitter Anonymous surveys Private messaging, etc.Slide10
Low-latency anonymity systems (e.g., Tor) …
do not protect against a global adversaryMix-nets … require expensive ZKPs to protect against active attacks
Riposte is an anonymous messaging system that:protects against a near-global active adversaryhandles millions of users in an“anonymous Twitter” system10Slide11
Outline
MotivationA “Straw man” schemeTechnical challengesEvaluation11Slide12
“Straw man”Scheme[Chaum
‘88]12
SX00000
S
Y
0
0
0
0
0
Non-colluding serversSlide13
13
SX
00000SY
0
0
0
0
0
“Straw man”
SchemeSlide14
14
SX
00000SY
0
0
0
0
0
Write
msg
m
A
into DB row 3
“Straw man”
SchemeSlide15
15
SX
00000SY
0
0
0
0
0
0
0
m
A
0
0
“Straw man”
SchemeSlide16
“Straw man”Scheme
16
SX00000
S
Y
0
0
0
0
0
0
0
m
A
0
0
r
1
r
2
r
3r4r5Slide17
“Straw man”Scheme
17
SX00000
S
Y
0
0
0
0
0
0
0
m
A
0
0
r
1
r
2
r
3r4r5-r1-r2mA -r3-r4-r5-=Slide18
“Straw man”Scheme
18
SX000
0
0
S
Y
0
0
0
0
0
r
1
r
2
r
3
r
4
r
5-r1-r2mA -r3-r4-r5Slide19
19
SX
00000SY
0
0
0
0
0
r
1
r
2
r
3
r
4
r
5
-
r
1
-r2mA -r3-r4-r5“Straw man”SchemeSlide20
20
SX
r1r2r3r4r5
S
Y
-
r
1
-
r
2
-
r
3
+
m
A
-
r
4
-
r5“Straw man”SchemeSlide21
21
SX
r1r2r3r4r5
S
Y
-
r
1
-
r
2
-
r
3
+
m
A
-
r
4
-
r50000mB“Straw man”SchemeSlide22
“Straw man”Scheme
22
SXr1r2r3r4
r
5
S
Y
-
r
1
-
r
2
-
r
3
+
m
A
-
r
4-r50000mBs1s2s3s4s5-s1-s2-s3-s4
mB
-
s
5
-
=Slide23
“Straw man”Scheme
23
SXr1r2
r
3
r
4
r
5
S
Y
-
r
1
-
r
2
-
r
3
+
mA-r4-r5s1s2s3s4s5-s1-s2-s3-s4mB -s5Slide24
24
SX
r1r2r3r4r5
S
Y
-
r
1
-
r
2
-
r
3
+
m
A
-
r
4
-
r5s1s2s3s4s5-s1-s2-s3-s4mB -s5“Straw man”SchemeSlide25
25
SX
r1 + s1r2 + s2r3 + s3
r
4
+
s
4
r
5
+
s
5
S
Y
-
r
1
-
s
1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB“Straw man”SchemeSlide26
26
SX
r1 + s1r2 + s2r3 + s3
r
4
+
s
4
r
5
+
s
5
S
Y
-
r
1
-
s
1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB“Straw man”SchemeSlide27
27
SX
r1 + s1r2 + s2r3 + s3
r
4
+
s
4
r
5
+
s
5
S
Y
-
r
1
-
s
1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB“Straw man”SchemeSlide28
28
SX
r1 + s1r2 + s2r3 + s3
r
4
+
s
4
r
5
+
s
5
S
Y
-
r
1
-
s
1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB“Straw man”SchemeSlide29
29
SX
r1 + s1r2 + s2r3 + s3
r
4
+
s
4
r
5
+
s
5
S
Y
-
r
1
-
s
1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mBAt the end of the day, servers combine DBs to reveal plaintext+=00mA0mB“Straw man”SchemeSlide30
First-Attempt Scheme: Properties“Perfect” anonymity
as long as servers don’t colludeCan use k servers to protect against k-1 collusionsPractical efficiency: almost no “heavy” computation involved
30Unlike a mix-net, storage cost is constant in the anonymity set sizeSlide31
Outline
MotivationA “Straw man” schemeTechnical challengesEvaluation31Slide32
Outline
MotivationA “Straw man” schemeTechnical challengesCollisionsMalicious clientsO(L) communication cost
Evaluation32Slide33
Outline
MotivationA “Straw man” schemeTechnical challengesCollisionsMalicious clientsO(L
) communication costEvaluation33 in the paperSlide34
Challenge: Bandwidth EfficiencyIn “straw man” design, client sends DB-sized vector to each server
Idea: use a cryptographic trick to compress the vectors Based on PIR protocols
[Ostrovsky and Shoup 1997]s1s2s3
s
4
s
5Slide35
Distributed Point Function
35…
…
x
1
+
x
2
x
n
+
…
0
0
0
0
0
m
=
[
Gilboa
and Ishai 2014]Slide36
Distributed Point Function
36
…
x
1
+
x
2
x
n
+
…
0
0
0
0
0
m
=
[
Gilboa
and Ishai 2014]…
Privacy:
A subset of keys leaks nothing
about message or
lSlide37
37
SX
00000SY
0
0
0
0
0
DPFs Reduce Bandwidth CostSlide38
38
SX
00000SY
0
0
0
0
0
DPFs Reduce Bandwidth Cost
r
1
r
2
r
3
r
4
r
5
-
r
1-r2mA -r3-r4-r5Slide39
Alice sends
L1/2 bits (instead of L)
Two-server version just uses AES (no public-key crypto)
With fancier crypto, p
rivacy
holds even if all but one
server is malicious
[
Chor
and
Gilboa
1997]
[
Gilboa
and Ishai
2014]Slide40
Outline
MotivationDefinitions and a “Straw man” schemeTechnical challengesEvaluation40Slide41
Bottom-Line ResultImplemented the protocol in GoFor a DB with 65,000 Tweet-length rows, can process
30 writes/secondCan process 1,000,000 writes in 8 hours on a single server Completely parallelizable workload41Slide42
Throughput(anonymous Twitter)
At large table sizes, AES cost dominates
42Slide43
Time
From
ToSize
10:12
Alice
taxfraud@stanford.edu
2543 B
10:15
Bob
Alice
567 B
10:17
Carol
Bob
450 B
10:22
Dave
Alice
9382 B
43Slide44
Time
From
ToSize
10:12
Alice
Riposte Server
207 KB
10:15
Bob
Riposte Server
207 KB
10:17
Carol
Riposte
Server
207
K
B
10:22
Dave
Riposte
Server207 KB
44
?!?Slide45
ConclusionIn many contexts, “hiding the metadata” is as important as hiding the data
Combination of crypto tools with systems design 1,000,000-user anonymity setsNext step: Better performance at scale45Slide46
46