riposte: an anonymous messaging system handling millions ......riposte is an anonymous messaging...
TRANSCRIPT
-
Riposte: An Anonymous Messaging System Handling Millions of Users
IEEE Security and Privacy18 May 2015
Henry Corrigan-Gibbs, Dan Boneh, and David Mazières
Stanford University
1
-
…but does that hide enough?
With encryption, we can hide the data…
?!?
0VUIC9zZW5zaXRpdmU
2
(pk, sk)pk
-
…
Time From To Size10:12 Alice Bob 2543 B10:27 Carol Alice 567 B10:32 Alice Bob 450 B10:35 Bob Alice 9382 B
3
[cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013]
-
Time From To Size10:12 Alice [email protected] 2543 B10:27 Carol Alice 567 B10:32 Alice Bob 450 B10:35 Bob Alice 9382 B
[cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013]
…
Hiding the data is necessary, but
not sufficient
4
-
Goal
5
The “Anonymity Set”
-
Goal
6
-
Goal
7
-
+
Goal
8
0To: [email protected]
0Protest will be held tomo…See my cat photos at w…
0
DBs do not learn who wrote which
message
-
9
Building block for systems related to “hiding the metadata”à Anonymous Twitterà Anonymous surveysà Private messaging, etc.
-
Low-latency anonymity systems (e.g., Tor)… do not protect against a global adversary
Mix-nets… require expensive ZKPs to protect against
active attacks
Riposte is an anonymous messaging system that:• protects against a near-global active adversary• handles millions of users in an
“anonymous Twitter” system
10
-
Outline• Motivation• A “Straw man” scheme• Technical challenges• Evaluation
11
-
“Straw man”
Scheme [Chaum ‘88]
12
SX00000
SY00000
Non-colluding servers
-
13
SX00000
SY00000
“Straw man” Scheme
-
14
SX00000
SY00000
mA 2 F
Write msg mA into DB
row 3
“Straw man” Scheme
-
15
SX00000
SY00000
00
mA00
“Straw man” Scheme
-
“Straw man” Scheme
16
SX00000
SY00000
00
mA00
r1r2r3r4r5
-
“Straw man” Scheme
17
SX00000
SY00000
00
mA00
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
- =
-
“Straw man” Scheme
18
SX00000
SY00000
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
-
19
SX00000
SY00000
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
“Straw man” Scheme
-
20
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
“Straw man” Scheme
-
21
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
0000
mB
“Straw man” Scheme
-
“Straw man” Scheme
22
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
0000
mB
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
- =
-
“Straw man” Scheme
23
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
-
24
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
“Straw man” Scheme
-
25
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
-
26
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
-
27
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
-
28
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
-
29
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
At the end of the day, servers
combine DBs to reveal plaintext
+ =00
mA0
mB
“Straw man” Scheme
-
First-Attempt Scheme: Properties
“Perfect” anonymity as long as servers don’t collude• Can use k servers to
protect against k-1 collusions
Practical efficiency: almost no “heavy” computation involved
30
Unlike a mix-net, storage cost is constant in the
anonymity set size
-
Outline• Motivation• A “Straw man” scheme• Technical challenges• Evaluation
31
-
Outline• Motivation• A “Straw man” scheme• Technical challenges– Collisions– Malicious clients– O(L) communication cost
• Evaluation
32
-
Outline• Motivation• A “Straw man” scheme• Technical challenges– Collisions– Malicious clients– O(L) communication cost
• Evaluation
33
in the paper
-
Challenge: Bandwidth Efficiency
In “straw man” design, client sends DB-sized vector to each server
Idea: use a cryptographic trick to compress the vectorsà Based on PIR protocols
[Ostrovsky and Shoup 1997]
s1s2s3s4s5
-
Distributed Point Function
35
…KeyGen(m, `)
KeyGen(m, `)Eval
…
Eval
Eval
x1+x2
xn+…
0 0 00 0m=
[Gilboa and Ishai 2014]
k1
kn
k2
-
Distributed Point Function
36
KeyGen(m, `)
KeyGen(m, `)Eval
…
Eval
Eval
x1+x2
xn+…
0 0 00 0m=
[Gilboa and Ishai 2014]
…
k1
kn
k2
Privacy: A subset of keys leaks nothing about message or l
-
37
SX00000
SY00000
DPFs Reduce Bandwidth Cost
Eval( ) Eval( )
-
38
SX00000
SY00000
DPFs Reduce Bandwidth Cost
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
-
Alice sends L1/2 bits (instead of L)
• Two-server version just uses AES (no public-key crypto)
• With fancier crypto, privacy holds even if all but one server is malicious
[Chor and Gilboa 1997][Gilboa and Ishai 2014]
-
Outline• Motivation• Definitions and a “Straw man” scheme• Technical challenges• Evaluation
40
-
Bottom-Line Result• Implemented the protocol in Go• For a DB with 65,000 Tweet-length rows,
can process 30 writes/second• Can process 1,000,000 writes in 8 hours
on a single server
è Completely parallelizable workload
41
-
Throughput (anonymous Twitter)
At large table sizes, AES cost
dominates
42
-
Time From To Size10:12 Alice [email protected] 2543 B10:15 Bob Alice 567 B10:17 Carol Bob 450 B10:22 Dave Alice 9382 B
43
-
Time From To Size10:12 Alice Riposte Server 207 KB10:15 Bob Riposte Server 207 KB10:17 Carol Riposte Server 207 KB10:22 Dave Riposte Server 207 KB
44
?!?
-
ConclusionIn many contexts, “hiding the metadata” is as important as hiding the data
Combination of crypto tools with systems design è 1,000,000-user anonymity sets
Next step: Better performance at scale
45
-
46