encrypted messaging traceback for end-to-endtyagi/slides/tracing.pdfnirvan tyagi ian miers tom...

Traceback for End-to-End Encrypted Messaging

Nirvan Tyagi Ian Miers Tom Ristenpart

CCS 2019 1

Setting: End-to-end encrypted (E2EE) messaging

2

PlatformAlice Bob

Hello

Setting: End-to-end encrypted (E2EE) messaging

3

PlatformAlice Bob

Hello > 2 billion users

4

Problem: Viral forwarding of misinformation in E2EE messaging

5

Problem: Viral forwarding of misinformation in E2EE messaging

Content moderation for user-driven reports

6

User submits report Moderation decision based on content

Action taken on relevant parties

Content moderation for user-driven reports

7

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Content moderation for user-driven reports

8

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Ban fake/troll accounts injecting misinformation into network

Notify users that have previously shared or received misinformation

Content moderation for user-driven reports

9

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Ban fake/troll accounts injecting misinformation into network

Notify users that have previously shared or received misinformation

Report must provide enough information to execute the following steps

10

E2EE hides information useful for content moderation of misinformation

11

- Platform doesn’t see message content

Message content is encrypted!

E2EE hides information useful for content moderation of misinformation

12Message content is encrypted!

- Platform doesn’t see message content- Platform doesn’t see forwarding relationships

E2EE hides information useful for content moderation of misinformation

13

- Platform doesn’t see message content- Platform doesn’t see forwarding relationships

Message content is encrypted!

Forwarding traffic is muddled by other users and other messages

E2EE hides information useful for content moderation of misinformation

This work: Tracing in E2EE messaging

14

[TMR CCS’19]

User submits report Moderation decision based on content

Action taken on relevant parties

- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging

- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source

This work: Tracing in E2EE messaging

15

- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging

- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source

- Formal confidentiality and accountability security notions for tracing- Implementation and evaluation of practicality

[TMR CCS’19]

User submits report Moderation decision based on content

Action taken on relevant parties

Prior work: Abuse reporting in E2EE messaging

16

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

Prior work: Abuse reporting in E2EE messaging

17

!

User reports received message to platform

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

Prior work: Abuse reporting in E2EE messaging

18

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

!

User reports received message to platform

m

Prior work: Abuse reporting in E2EE messaging

19

!

User reports received message to platform

m

Platform learns message and sender, but nothing more about where message came from or where it reached

Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]

This work: Tracing in E2EE messaging

20

!

User reports received message to platform

[TMR CCS’19]

This work: Tracing in E2EE messaging

21

!

User reports received message to platform

- Two constructions for message tracing- Path traceback

[TMR CCS’19]

m

This work: Tracing in E2EE messaging

22

!

User reports received message to platform

- Two constructions for message tracing- Path traceback- Tree traceback

[TMR CCS’19]

m

23

Goal: Act like standard E2EE messaging before report

Before reportPlatform view: encrypted content and metadata (participants, length, and timing)

24

Goal: Act like standard E2EE messaging before report

25

Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send

Goal: Act like standard E2EE messaging before report

26

Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send

m

m

m

User shouldn’t learn forwarding info of received messages

Goal: Act like standard E2EE messaging before report

27

m

m

User shouldn’t learn forwarding info of received messages

m ?

Before reportPlatform view: encrypted content and metadata (participants, length, and timing)User view: messages they receive or send

Goal: Act like standard E2EE messaging before report

28

Goal: Reveal limited information after report

Goal: Reveal limited information after report

29

!m

After reportPlatform view: message content and forward links of traceback target (e.g. path, tree)

Goal: Report consists of accurate information

30

!m

31

!m

Trace accountabilityAn honest user cannot be framed for an action they didn’t perform

Goal: Report consists of accurate information

32

!m

Trace accountabilityAn honest user cannot be framed for an action they didn’t perform

Goal: Report consists of accurate information

Malicious user can partition trace, but will be blamed as source

33

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

34

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

mE2EE channel

35

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

mE2EE channel

- E2EE channel that is decoupled from message tracing

36

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB

mE2EE channel

- E2EE channel that is decoupled from message tracing- Unique per-message “tracing” key shared between communication partners

“tracing” key

37

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

- E2EE channel that is decoupled from message tracing- Unique per-message “tracing” key shared between communication partners

kAB

“tracing” key

38

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel kAB

kØ

“null pointer” key randomly generated

39

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

40

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

“encrypted pointer”

41

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

“encrypted pointer”PRF that is also CR

(e.g., HMAC)

42

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

idAB

43

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

idAB ctAB

Table stored on platform

kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

idAB

kAB

44

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

idAB

idAB

45

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

idAB

idAB

46

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

kAB

idAB

idAB

47

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

F(kBC , m)

kAB

idAB

idAB

48

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

idBC

F(kBC , m)

kAB

idAB

idAB

49

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

idBC

F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC)

kAB

idAB

idAB

50

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

idBC

F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC)F(kAB , m)

idAB

kAB

idAB

idAB

51

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

!kBC m

idBC

F(kBC , m)

Decrypt and dereference ctBC

kAB = Dec(kBC , ctBC)F(kAB , m)

idAB

Decrypt and dereference ctAB

kØ = Dec(kAB , ctAB)F(kØ , m) not in table

⇒ beginning of forward chain!

kAB

idAB

idAB

52

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

Small and fast to compute!idAB

idAB

53

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

Before reportPlatform view: Ciphertexts and PRF outputs without keysUser view: Keys without ciphertext

kAB

idAB

idAB

54

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

After reportPlatform view: Learns keys only for rows of trace

kAB

Before reportPlatform view: Ciphertexts and PRF outputs without keysUser view: Keys without ciphertext

ctAB

idBC ctBC

idAB

idAB

55

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

Trace accountabilityPointer “dereferences” are bound to a messageidAB

idAB

56

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB

Trace accountabilityPointer “dereferences” are bound to a messageidAB

idAB

57

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB!

Trace accountabilityPointer “dereferences” are bound to a message

k’ m’

idAB

idAB

58

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB!k’ m’

Trace accountabilityPointer “dereferences” are bound to a message

To break accountability, F(k’ , m’) must collide with idBC

idAB

idAB

Trace accountabilityPointer “dereferences” are bound to a message

59

Path tracebackIdea: Linked list of encrypted pointers

Alice Bob Charlie

kAB kAB

mE2EE channel

ctAB

Table stored on platform

ctBC = Enc(kBC , kAB)

m

idBC = F(kBC , m)

idBC ctBC

kBC kBC

idBC kØ

ctAB = Enc(kAB , kØ)

idAB = F(kAB , m)

kAB!

See paper for security proofs!

k’ m’

To break accountability, F(k’ , m’) must collide with idBC

idAB

idAB

60

Path tracebackIdea: Linked list of encrypted pointers

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Ban fake/troll accounts injecting misinformation into network

Notify users that have previously shared or received misinformation

61

Path tracebackIdea: Linked list of encrypted pointers

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Ban fake/troll accounts injecting misinformation into network

Notify users that have previously shared or received misinformation

62

Path tracebackIdea: Linked list of encrypted pointers

User submits report Moderation decision based on content

Action taken on relevant parties

Combination of machine learning and human review

Ban fake/troll accounts injecting misinformation into network

Notify users that have previously shared or received misinformationNeed something more than path traceback!

63

Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie

idBCidAB

64

Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie

idBCidAB

“backward pointer”

65

Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie

idBCidAB

“backward pointer”

“forward pointer”

66

Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie

idBCidAB

Diane

idBD

…

“backward pointer”

“forward pointers”

67

Extension: Tree tracebackIdea: “Doubly” linked list of encrypted pointers

Alice Bob Charlie

idBCidAB

Diane

idBD

…

“backward pointer”

“forward pointers”

See paper for full details of construction!(uses PRG and secret sharing)

68

Performance evaluation

- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database

https://github.com/nirvantyagi/tracing

69

Performance evaluation

- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database

- Fast (uses only efficient symmetric cryptography)- Client side: < 50 μs to generate and verify tracing tags- Server side: Traceback takes < 100 μs / message in trace

https://github.com/nirvantyagi/tracing

70

Performance evaluation

- Path and Tree traceback implemented in < 500 lines of Rust- Server table stored in in-memory Redis database

- Fast (uses only efficient symmetric cryptography)- Client side: < 50 μs to generate and verify tracing tags- Server side: Traceback takes < 100 μs / message in trace

- Platform storage- Stores < 100B / message- 1 billion messages / day ⇒ ~ 2TB / month

- Reasonable to store most recent time period sliding window

https://github.com/nirvantyagi/tracing

71

Deployment considerationsCan tracing be abused to silence socially valuable content?

Future work: Policy and implementation to limit abuse of tracing

User submits report Moderation decision based on content

Action taken on relevant parties

72

Deployment considerations

Future work: Policy and implementation to limit abuse of tracing

User submits report Moderation decision based on content

Action taken on relevant parties

Threshold number of reports?

Tracing ability is only granted after moderation decision on

content is complete?

Can tracing be abused to silence socially valuable content?

73

Conclusion

https://github.com/nirvantyagi/tracing

- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging

- Path traceback: chain of messages from source to reporter- Tree traceback: entire forwarding tree of messages originating from source

- Formal confidentiality and accountability security notions for tracing- Implementation and evaluation of practicality