Proactively Accountable Anonymous Messaging in Verdict
Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford
Department of Computer Science
Yale University
22nd USENIX Security Symposium
14 August 2013
On the eve of an election in country X… activist learns that the prime minister is stashing stolen money in a secret bank account.
Acct #35139387
Acct #09836271
MUST PUBLISH this info before the election
Can I publish these anonymously?
[Figure: Blog Server]
Possible Solution #1: Onion Routing
Blog Server
Dingledine, Mathewson, Syverson [USENIX Sec ’04]
Possible Solution #1: Onion Routing
[Figure: two timelines (axis: time)]
First-last correlation attack (traffic confirmation)
Dining Cryptographers networks (DC-nets) are resistant to traffic analysis attacks
Blog Server
Possible Solution #2: DC-nets
Blog Server
Everyone contributes an equal-length message
Acct #35139387
DC-nets in 30 Seconds
David Chaum, “Dining Cryptographers Problem” [J. Cryptography ’88]
Implement an anonymous group broadcast primitive
[Figure: Alice, Bob and Chris, with bits 1, 0, 1, 1]
[Figure: Alice, Bob and Chris combine their bits with ⊕]
DC-nets are resistant to traffic analysis attacks
Primarily use fast symmetric-key crypto operations (PRNG, XOR)
Dissent: DC-nets made practical
• Splits nodes into clients and servers
• Scales to 1000s of nodes
• Handles client churn
• Anonymity set size = set of honest nodes
Possible Solution #2: DC-nets
Blog Server
DC-nets resist traffic analysis attacks…
BUT
…if the prime minister’s henchmen can infiltrate the group
[Figure: Alice, Bob and Chris; when one transmitted bit changes from 1 to 0, the ⊕ output changes from 1 to 0]
Anonymous disruption (DoS) attack
Possible Solution #3: Dissent
• Dissent can handle this sort of misbehavior
– After a disruption occurs, participants run a shuffle/e-voting protocol
– The anonymous sender sends an accusation through the shuffle
– All nodes use the accusation to trace (“blame”) the disruptor
Possible Solution #3: Dissent
• Dissent can handle this sort of misbehavior
– After a corruption occurs, participants run a shuffle protocol
– The anonymous sender sends an anonymous accusation through the shuffle
– All nodes use the accusation to trace the disruptor
[Figure: time to blame (seconds, log scale) against participating clients (log scale)]
At 1024 nodes, blame takes 20 minutes
Possible Solution #3: Dissent
Blog Server
Henchmen can block the activist’s transmission until the election has passed!
In a 1000-node group, 18 disruptors can block communication for 6 hours
Verdict: Motivation
• Can we get
– the traffic-analysis-resistance of DC-nets and
– the scalability of Dissent
with lower blame cost?
• Idea: Group members prove that the messages they are sending are correctly formed. Identify disruptors before they jam the anonymous communication channel
“Verifiable” DC-nets
• In a 2004 Eurocrypt paper, Golle and Juels propose applying zero-knowledge proof (ZKP) techniques to DC-nets
• Participants prove correctness of messages
• Drawbacks of Golle-Juels work: computationally expensive, inefficient in communication cost, uses pairings, requires trusted setup, …
• Never implemented…
Verdict: Contributions
1. First (to our knowledge) implementation and evaluation of verifiable DC-nets
2. Two new verifiable DC-nets constructions which give 5.6x speedup over Golle-Juels approach
3. Optimizations to make verifiable DC-nets fast
– for long messages,
– when there are no active disruptors, and
– by optimistically using XOR-based DC-nets when possible (138x speedup)
Outline
• Background and Motivation
• Verdict
– Design Challenges
– Optimizations
• Evaluation
• Conclusion
Design Challenges
1. Resist traffic analysis attacks
2. Make sender’s transmission indistinguishable
3. Prove that transmissions are well-formed
Challenge 1: Traffic Analysis Resistance
• Time is divided into messaging rounds
• One anonymous sender per messaging round
• Every client transmits the same number of bits in every messaging round
– # of bits sent does not leak sender’s identity
• Clients’ ciphertexts are cryptographically indistinguishable
– Content does not leak sender’s identity
Challenge 1: Traffic Analysis Resistance
We assume that at least one server is honest
[Figure, three builds: clients Alice, Bob and Chris with ciphertexts $C_{Alice}$, $C_{Bob}$, $C_{Chris}$; Server X and Server Y with ciphertexts $C_X$, $C_Y$; the output m shown three times]
Challenge 2: Encoding Messages
• The transmitting client sends an encryption of an arbitrary message: m
• Non-transmitting clients set m = 1
– An encryption of the identity element
• Use an ElGamal-like scheme to encrypt
$E(m, \sigma_1, \dots, \sigma_N) = m \cdot g^{\sigma_1 + \dots + \sigma_N}$
… where the σs are secrets shared between clients and servers.
Challenge 2: Encoding Messages
[Figure: clients Alice, Bob and Chris; Server X and Server Y; Alice’s shared secrets $\sigma_{ax}$ and $\sigma_{ay}$]
Clients and servers agree to k-bit shared secrets σ using DH exchange
$C_{Alice} = 1 \cdot g_t^{\sigma_{ax}+\sigma_{ay}}$
$g_t$ generates some group in which DDH is hard
$C_{Chris} = m \cdot g_t^{\sigma_{cx}+\sigma_{cy}}$
$C_X = g_t^{-\sigma_{ax}-\sigma_{bx}-\sigma_{cx}}$
Challenge 2: Encoding Messages
• In the product of the Cs, every secret $\sigma_{ij}$ is included as an exponent once with (+) sign and once with (-) sign:
$C_{Alice} C_{Bob} C_{Chris} C_X C_Y = m$
$C_{Alice} = 1 \cdot g_t^{\sigma_{ax}+\sigma_{ay}}$
$C_{Chris} = m \cdot g_t^{\sigma_{cx}+\sigma_{cy}}$
Without knowing the secrets σ, an attacker cannot tell whether Alice or Chris is the anonymous sender of m (by DDH assumption)
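The encoding and the cancellation of the shared secrets can be checked directly. The following is an added example, not code from the talk or from the Verdict implementation; the toy group (P = 2039, Q = 1019, g_t = 4), the message value and all function names are assumptions made for illustration.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q = 2039, 1019
G_T = 4  # a square mod P, so it generates the subgroup of prime order Q

CLIENTS = ["alice", "bob", "chris"]
SERVERS = ["x", "y"]


def share_secrets():
    """One secret sigma_ij per client/server pair (stands in for the DH exchange)."""
    return {(c, s): secrets.randbelow(Q) for c in CLIENTS for s in SERVERS}


def client_ciphertext(client, m, sigma):
    """C_i = m * g_t^(sum over servers of sigma_ij); cover traffic uses m = 1."""
    exponent = sum(sigma[(client, s)] for s in SERVERS) % Q
    return m * pow(G_T, exponent, P) % P


def server_ciphertext(server, sigma):
    """C_j = g_t^(-(sum over clients of sigma_ij))."""
    exponent = -sum(sigma[(c, server)] for c in CLIENTS) % Q
    return pow(G_T, exponent, P)


def run_round(sender, m, disruptor=None):
    """Return (ciphertexts by name, product of all ciphertexts) for one round."""
    sigma = share_secrets()
    cts = {c: client_ciphertext(c, m if c == sender else 1, sigma) for c in CLIENTS}
    if disruptor is not None:
        # The disruptor sends something other than 1 * g_t^(its secrets).
        cts[disruptor] = cts[disruptor] * G_T % P
    cts.update({s: server_ciphertext(s, sigma) for s in SERVERS})
    product = 1
    for c in cts.values():
        product = product * c % P
    return cts, product


MESSAGE = 1521  # constructed message, 39**2, already an element of the subgroup

if __name__ == "__main__":
    cts, out = run_round("chris", MESSAGE)
    print("ciphertexts:", cts)
    print("honest round recovers m:", out == MESSAGE)
    _, jammed = run_round("chris", MESSAGE, disruptor="bob")
    print("round with a disruptor recovers m:", jammed == MESSAGE)
```

Every ciphertext, the sender's included, is an element of the same order-Q subgroup, and a single malformed contribution changes the product that all participants recover.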
Challenge 3: Proving Correctness
• Clients attach non-interactive zero-knowledge proofs of knowledge to their ciphertexts
– Use off-the-shelf ZKP techniques: Camenisch-Stadler [ETH Zurich TR-260, ’97]
– Servers check proofs before accepting client ciphertexts
• Servers prove validity of their ciphertexts too
Challenge 3: Proving Correctness
• Recall: one client transmits in each messaging round
• As in Dissent, we use a key shuffle to assign pseudonymous “owners” to messaging rounds
– Each client submits a pseudonym public key to shuffle
– Shuffle hides owner-to-pseudonym mapping
[Figure: owners Alice, Bob, Chris; pseudonyms $g^d$, $g^e$, $g^f$]
“A Verifiable Secret Shuffle and its Application to E-Voting” – Neff [CCS ’01]
Challenge 3: Proving Correctness
• When Bob submits a ciphertext in a messaging round owned by pseudonym $g^d$, Bob attaches a proof that:
PoK: $C_{Bob}$ is a correct encryption of m=1 OR I know the pseudonym secret d
Challenge 3: Proving Correctness
• Clients and servers publish commitments to their shared secrets $\sigma_{ij}$
$S_{ax} = \mathrm{Commit}(\sigma_{ax}) = h^{\sigma_{ax}}$
…using some generator h of group G for which no one knows $\log_{g_t}(h)$.
[Figure: clients Alice, Bob and Chris and Server X, Server Y, with the commitments $S_{ax}$, $S_{ay}$, $S_{bx}$, $S_{by}$, $S_{cx}$, $S_{cy}$]
Challenge 3: Proving Correctness
• When Bob submits a ciphertext in a messaging round owned by pseudonym $g^d$, Bob attaches a proof that:
$\mathrm{PoK}\{\sigma_{bx}, \sigma_{by}, d : (C_{Bob} = g_t^{\sigma_{bx}+\sigma_{by}} \text{ AND } S_{bx}S_{by} = h^{\sigma_{bx}+\sigma_{by}}) \text{ OR } D = g^d\}$
Proof is just a bit-string—can send it over the network, etc
Challenge 3: Proving Correctness
[Figure, two builds: Alice, Bob and Chris each attach a proof π to their ciphertexts $C_{Alice}$, $C_{Bob}$, $C_{Chris}$; Server X and Server Y attach proofs π to $C_X$, $C_Y$; the output m shown three times]
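One standard way to realise the proof statement above is a Chaum-Pedersen equality proof OR-composed with a Schnorr proof of knowledge of d and made non-interactive with Fiat-Shamir. The following is an added example, not the Verdict code and not necessarily the construction the authors use (the talk cites Camenisch-Stadler techniques); the demo group, the generators 4, 9 and 25, the constructed message and all function names are assumptions.

```python
import hashlib
import secrets


def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


# Constructed demo group: the first safe prime P = 2*Q + 1 with Q > 2**40.
# A forged proof is accepted with probability about 1/Q, so Q must not be tiny.
Q = next(q for q in range(2**40 + 1, 2**41, 2) if is_prime(q) and is_prime(2 * q + 1))
P = 2 * Q + 1
# Squares mod P, so each generates the order-Q subgroup. Assumption: these are
# placeholders; a deployment needs an h whose log to base g_t nobody knows.
G_T, H, G = 4, 9, 25


def fs_challenge(*elements):
    """Fiat-Shamir: hash the statement and the commitments into Z_Q."""
    data = ",".join(str(e) for e in elements).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def commitments(C, S, D, c1, z1, c2, z2):
    """t = base^z * target^(-c) for the equations C = g_t^s, S = h^s, D = g^d."""
    t1 = pow(G_T, z1, P) * pow(C, -c1 % Q, P) % P
    t2 = pow(H, z1, P) * pow(S, -c1 % Q, P) % P
    t3 = pow(G, z2, P) * pow(D, -c2 % Q, P) % P
    return t1, t2, t3


def prove(C, S, D, sigma=None, d=None):
    """Prove (C = g_t^sigma AND S = h^sigma) OR D = g^d from one witness."""
    r, c_sim, z_sim = (secrets.randbelow(Q) for _ in range(3))
    if d is None:
        # Not the round owner: real AND branch, simulated proof for D.
        t1, t2 = pow(G_T, r, P), pow(H, r, P)
        t3 = commitments(C, S, D, 0, 0, c_sim, z_sim)[2]
        c1 = (fs_challenge(C, S, D, t1, t2, t3) - c_sim) % Q
        return c1, (r + c1 * sigma) % Q, c_sim, z_sim
    # Round owner: simulated AND branch, real proof of knowledge of d.
    t1, t2, _ = commitments(C, S, D, c_sim, z_sim, 0, 0)
    t3 = pow(G, r, P)
    c2 = (fs_challenge(C, S, D, t1, t2, t3) - c_sim) % Q
    return c_sim, z_sim, c2, (r + c2 * d) % Q


def verify(C, S, D, proof):
    """Accept iff the two sub-challenges add up to the Fiat-Shamir challenge."""
    c1, z1, c2, z2 = proof
    # Reject elements outside the order-Q subgroup; otherwise a factor of -1
    # in C would slip through about half the time.
    if any(pow(x, Q, P) != 1 for x in (C, S, D)):
        return False
    t1, t2, t3 = commitments(C, S, D, c1, z1, c2, z2)
    return (c1 + c2) % Q == fs_challenge(C, S, D, t1, t2, t3)


def demo():
    """One client with secrets sigma_bx, sigma_by in a round owned by D = g^d."""
    s_bx, s_by = secrets.randbelow(Q), secrets.randbelow(Q)
    sigma = (s_bx + s_by) % Q
    S = pow(H, s_bx, P) * pow(H, s_by, P) % P  # S_bx * S_by, published earlier
    d = secrets.randbelow(Q)
    D = pow(G, d, P)                            # pseudonym key from the shuffle
    cover = pow(G_T, sigma, P)                  # encryption of m = 1
    jam = pow(123456789, 2, P) * cover % P      # constructed m != 1
    return {
        "cover": verify(cover, S, D, prove(cover, S, D, sigma=sigma)),
        "owner": verify(jam, S, D, prove(jam, S, D, d=d)),
        "disruptor": verify(jam, S, D, prove(jam, S, D, sigma=sigma)),
    }


if __name__ == "__main__":
    print(demo())  # cover and owner verify; the disruptor's proof does not
```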
Optimizations
1. Long messages
2. “Lazy” proof verification
3. Hybrid Dissent+Verdict DC-net
Optimization 1: Long Messages
• Short proofs for long messages
$\mathrm{PoK}\{\sigma_{ax}, \sigma_{ay}, d : (C_{A,1} = g_1^{\sigma_{ax}+\sigma_{ay}} \text{ AND } C_{A,2} = g_2^{\sigma_{ax}+\sigma_{ay}} \text{ AND } \dots \text{ AND } C_{A,L} = g_L^{\sigma_{ax}+\sigma_{ay}} \text{ AND } S_{ax}S_{ay} = h^{\sigma_{ax}+\sigma_{ay}}) \text{ OR } D = g^d\}$
We use a public hash function to pick these generators
Golle-Juels scheme required a pairing to achieve a similar effect
Proof length is linear in the number of variables, so we get O(1)-length proofs
Optimization 2: “Lazy” Verification
• Checking proofs is expensive
• Servers defer checking proofs until after a disruption occurs
• Anonymous sender signs content with pseudonym secret key
• If sig check fails, servers know that disruption has occurred—then they check proofs
[Figure: message m consisting of sig and content]
Optimization 3: Hybrid DC-net
Verdict: heavy pub key crypto
Dissent/DC-nets: AES + XORs
• Recall: After a disruption in Dissent, the anonymous sender broadcasts an “accusation” using a verifiable shuffle protocol
– Participants use the accusation to trace the disruptor
– Over 99% of the “blame” process is spent in shuffle
• Idea: Use Verdict to broadcast Dissent’s anonymous accusations → hybrid DC-net
![Page 67: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/67.jpg)
67
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
…
time
Dissent
…Verdict
![Page 68: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/68.jpg)
68
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
m1 …
time
Dissent
…Verdict
![Page 69: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/69.jpg)
69
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
m1 m2 …
time
Dissent
…Verdict
![Page 70: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/70.jpg)
70
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
m1 m2 …
time
Dissent
…Verdict
![Page 71: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/71.jpg)
71
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
m1 m2 …
time
Dissent
acc. blob …Verdict
![Page 72: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/72.jpg)
72
• Participants set up parallel Dissent and Verdict communication sessions
Optimization 3: Hybrid DC-net
m1 m2 …
time
Dissent
acc. blob …Verdict
![Page 73: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/73.jpg)
73
Optimization 3: Hybrid DC-net
• Participants set up parallel Dissent and Verdict communication sessions
[Diagram: message slots m1, m2, m3, … along a time axis; rows labelled Dissent and Verdict, with “acc. blob” shown]
![Page 75: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/75.jpg)
75
Optimization 3: Hybrid DC-net
• Participants set up parallel Dissent and Verdict communication sessions
[Diagram: message slots reading “Account# 351 …” along a time axis; rows labelled Dissent and Verdict, with “acc. blob” shown]
Normal case: Dissent XOR-based DC-net
Under disruption: Verdict (faster than shuffle)
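Added example (not from the slides or the Dissent code base): a toy XOR DC-net round showing why the normal-case channel needs a fallback. The slot owner can see that its message was corrupted, but the combined output is identical whichever member disrupted. The pairwise seeds, the SHAKE-256 pad generator, the fixed disruption mask and the channel names are assumptions made for illustration; Verdict's verifiable ciphertexts are not modelled.

```python
import hashlib
import secrets

MSG_LEN = 16  # bytes per message slot (constructed value)

def pad(seed: bytes, round_no: int) -> bytes:
    """Pseudo-random pad that both members sharing `seed` can derive."""
    return hashlib.shake_256(seed + round_no.to_bytes(4, "big")).digest(MSG_LEN)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def make_seeds(n: int) -> dict:
    """One shared seed per unordered pair of members (constructed setup)."""
    return {(i, j): secrets.token_bytes(32)
            for i in range(n) for j in range(i + 1, n)}

def ciphertext(me, n, seeds, round_no, msg=None):
    """XOR of every pad this member shares, plus the message if it owns the slot."""
    out = bytes(MSG_LEN)
    for other in range(n):
        if other != me:
            out = xor(out, pad(seeds[tuple(sorted((me, other)))], round_no))
    return xor(out, msg) if msg is not None else out

def run_round(n, seeds, round_no, owner, msg, disruptor=None):
    """Combine all ciphertexts; a disruptor XORs a mask into its own share."""
    total = bytes(MSG_LEN)
    for member in range(n):
        ct = ciphertext(member, n, seeds, round_no, msg if member == owner else None)
        if member == disruptor:
            ct = xor(ct, b"\xff" * MSG_LEN)  # fixed mask keeps the demo deterministic
        total = xor(total, ct)  # each pad appears twice, so all pads cancel
    return total

def next_channel(sent: bytes, revealed: bytes) -> str:
    """Slot owner's check: stay on the XOR DC-net unless the slot was corrupted."""
    return "dissent-xor" if sent == revealed else "verdict-accusation"

if __name__ == "__main__":
    seeds = make_seeds(5)
    msg = b"Acct #35139387".ljust(MSG_LEN)  # account string from the talk's scenario
    clean = run_round(5, seeds, 1, owner=2, msg=msg)
    bad = run_round(5, seeds, 2, owner=2, msg=msg, disruptor=4)
    print(clean, next_channel(msg, clean))
    print(bad, next_channel(msg, bad))
```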
![Page 76: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/76.jpg)
76
Outline
• Background and Motivation
• Verdict
  – Design Challenges
  – Optimizations
• Evaluation
• Conclusion
![Page 77: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/77.jpg)
77
Implementation
• Implemented in C++ as an extension to Dissent
• Cryptographic primitives
  – OpenSSL, Crypto++, and Botan libraries
  – 256-bit NIST elliptic curve group
• Used the DeterLab testbed
  – Physical nodes: 8 servers, 128 clients
  – Ran many client processes per machine to simulate up to 1024 clients
• Source code: https://github.com/DeDis/Dissent
![Page 78: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/78.jpg)
78
Encryption Throughput (CPU Cost)
ElGamal: 2.9x speedup
Hybrid: 138x speedup
Pairing-based: 4 KB/s
Fastest Verdict: 5.6x speedup
![Page 79: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/79.jpg)
79
Messaging Latency
Tweet-length messages
Clients (log scale)
“Lazy” Verdict: 2.3x speedup
Pure Verdict: 34 seconds
Hybrid: 27x speedup
![Page 80: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/80.jpg)
80
Blame Time
Clients (log scale)
Hybrid: 24 seconds
Pure Verdict: 6 seconds
Dissent: 1177 seconds (19.6 minutes)
![Page 81: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/81.jpg)
81
Outline
• Background and Motivation
• Verdict
  – Design Challenges
  – Optimizations
• Evaluation
• Conclusion
![Page 82: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/82.jpg)
82
Details in the Paper
• Messaging protocol
  – Handling equivocation, dropped messages, etc.
• Proof constructions
  – The paper describes three variants
  – Implementation details
• Handling server failure
• Handling client churn
![Page 83: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/83.jpg)
83
Conclusion
First practical verifiable DC-nets scheme
• Introduces two new verifiable DC-nets constructions
• Reduces the cost of finding DC-net disruptors by two orders of magnitude
• By reducing the cost of disruption, Verdict brings strong traffic-analysis-resistant anonymity closer to practicality
![Page 84: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/84.jpg)
84
Acknowledgements
Thanks to:
• the anonymous reviewers,
• our shepherd, Micah Sherr,
• the DeterLab staff,
• Aaron Johnson, Ewa Syta, Michael J. Fischer, Michael Z. Lee, Michael “Fitz” Nowlan, Ramki Gummadi, and
• all of you for listening.
https://dedis.cs.yale.edu/2010/anon/
Shameless plug: The Dissent project is hiring!
![Page 85: Proactively Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale University](https://reader031.vdocuments.us/reader031/viewer/2022013004/56649cf95503460f949ca5bc/html5/thumbnails/85.jpg)
85