Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Riposte: An Anonymous Messaging System Handling Millions of Users
IEEE Security and Privacy18 May 2015
Henry Corrigan-Gibbs, Dan Boneh, and David Mazières
Stanford University
1
…but does that hide enough?
With encryption, we can hide the data…
?!?
0VUIC9zZW5zaXRpdmU
2
(pk, sk)pk
…
Time From To Size10:12 Alice Bob 2543 B10:27 Carol Alice 567 B10:32 Alice Bob 450 B10:35 Bob Alice 9382 B
3
[cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013]
Time From To Size10:12 Alice [email protected] 2543 B10:27 Carol Alice 567 B10:32 Alice Bob 450 B10:35 Bob Alice 9382 B
[cf. Ed Felten’s testimony before the House Judiciary Committee, 2 Oct 2013]
…
Hiding the data is necessary, but
not sufficient
4
Goal
5
The “Anonymity Set”
Goal
6
Goal
7
+
Goal
8
0To: [email protected]
0Protest will be held tomo…See my cat photos at w…
0
DBs do not learn who wrote which
message
9
Building block for systems related to “hiding the metadata”à Anonymous Twitterà Anonymous surveysà Private messaging, etc.
Low-latency anonymity systems (e.g., Tor)… do not protect against a global adversary
Mix-nets… require expensive ZKPs to protect against
active attacks
Riposte is an anonymous messaging system that:• protects against a near-global active adversary• handles millions of users in an
“anonymous Twitter” system
10
Outline• Motivation• A “Straw man” scheme• Technical challenges• Evaluation
11
“Straw man”
Scheme [Chaum ‘88]
12
SX00000
SY00000
Non-colluding servers
13
SX00000
SY00000
“Straw man” Scheme
14
SX00000
SY00000
mA 2 F
Write msg mA into DB
row 3
“Straw man” Scheme
15
SX00000
SY00000
00
mA00
“Straw man” Scheme
“Straw man” Scheme
16
SX00000
SY00000
00
mA00
r1r2r3r4r5
“Straw man” Scheme
17
SX00000
SY00000
00
mA00
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
- =
“Straw man” Scheme
18
SX00000
SY00000
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
19
SX00000
SY00000
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
“Straw man” Scheme
20
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
“Straw man” Scheme
21
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
0000
mB
“Straw man” Scheme
“Straw man” Scheme
22
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
0000
mB
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
- =
“Straw man” Scheme
23
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
24
SXr1r2r3r4r5
SY-r1-r2-r3+mA-r4-r5
s1s2s3s4s5
-s1-s2-s3-s4
mB -s5
“Straw man” Scheme
25
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
26
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
27
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
28
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
“Straw man” Scheme
29
SXr1 + s1r2 + s2r3 + s3r4 + s4r5 + s5
SY-r1 - s1-r2 - s2-r3 - s3 + mA-r4 - s4-r5 - s5 - mB
At the end of the day, servers
combine DBs to reveal plaintext
+ =00
mA0
mB
“Straw man” Scheme
First-Attempt Scheme: Properties
“Perfect” anonymity as long as servers don’t collude• Can use k servers to
protect against k-1 collusions
Practical efficiency: almost no “heavy” computation involved
30
Unlike a mix-net, storage cost is constant in the
anonymity set size
Outline• Motivation• A “Straw man” scheme• Technical challenges• Evaluation
31
Outline• Motivation• A “Straw man” scheme• Technical challenges– Collisions– Malicious clients– O(L) communication cost
• Evaluation
32
Outline• Motivation• A “Straw man” scheme• Technical challenges– Collisions– Malicious clients– O(L) communication cost
• Evaluation
33
in the paper
Challenge: Bandwidth Efficiency
In “straw man” design, client sends DB-sized vector to each server
Idea: use a cryptographic trick to compress the vectorsà Based on PIR protocols
[Ostrovsky and Shoup 1997]
s1s2s3s4s5
Distributed Point Function
35
…KeyGen(m, `)
KeyGen(m, `)Eval
…
Eval
Eval
x1+x2
xn+…
0 0 00 0m=
[Gilboa and Ishai 2014]
k1
kn
k2
Distributed Point Function
36
KeyGen(m, `)
KeyGen(m, `)Eval
…
Eval
Eval
x1+x2
xn+…
0 0 00 0m=
[Gilboa and Ishai 2014]
…
k1
kn
k2
Privacy: A subset of keys leaks nothing about message or l
37
SX00000
SY00000
DPFs Reduce Bandwidth Cost
Eval( ) Eval( )
38
SX00000
SY00000
DPFs Reduce Bandwidth Cost
r1r2r3r4r5
-r1-r2
mA -r3-r4-r5
Alice sends L1/2 bits (instead of L)
• Two-server version just uses AES (no public-key crypto)
• With fancier crypto, privacy holds even if all but one server is malicious
[Chor and Gilboa 1997][Gilboa and Ishai 2014]
Outline• Motivation• Definitions and a “Straw man” scheme• Technical challenges• Evaluation
40
Bottom-Line Result• Implemented the protocol in Go• For a DB with 65,000 Tweet-length rows,
can process 30 writes/second• Can process 1,000,000 writes in 8 hours
on a single server
è Completely parallelizable workload
41
Throughput (anonymous Twitter)
At large table sizes, AES cost
dominates
42
Time From To Size10:12 Alice [email protected] 2543 B10:15 Bob Alice 567 B10:17 Carol Bob 450 B10:22 Dave Alice 9382 B
43
Time From To Size10:12 Alice Riposte Server 207 KB10:15 Bob Riposte Server 207 KB10:17 Carol Riposte Server 207 KB10:22 Dave Riposte Server 207 KB
44
?!?
ConclusionIn many contexts, “hiding the metadata” is as important as hiding the data
Combination of crypto tools with systems design è 1,000,000-user anonymity sets
Next step: Better performance at scale
45
46