Asymmetric Message Franking Content Moderation for Metadata-Private - - PowerPoint PPT Presentation

Asymmetric Message Franking

Content Moderation for Metadata-Private End-to-End Encryption Nirvan Tyagi Paul Grubbs Julia Len Ian Miers Tom Ristenpart CRYPTO 2019

1

Setting: End-to-end encrypted messaging

Platform Alice Bob

2

From: Alice To: Bob

Hello

Setting: End-to-end encrypted messaging

Platform Alice Bob

3

From: Alice To: Bob

Hello

• Confidentiality and Integrity

Platform Alice Bob

4

From: Alice To: Bob

Hello

“Public”

Hello

• Alice

[OTR BGB ’04], [Signal X3DH ’16]

Setting: End-to-end encrypted messaging

• Confidentiality and Integrity
• Deniability

From: To:

Platform Alice Bob

5

? ?

[Dissent OSDI’12], [Riposte S&P’15], [Vuvuzela SOSP’15], [Pung OSDI’16] . . .

Setting: End-to-end encrypted messaging

• Confidentiality and Integrity
• Deniability
• Metadata privacy

From: To: Bob

Platform Alice Bob

6

?

Setting: End-to-end encrypted messaging

[Dissent OSDI’12], [Riposte S&P’15], [Vuvuzela SOSP’15], [Pung OSDI’16] . . .

• Confidentiality and Integrity
• Deniability
• Metadata privacy

From: To: Bob

What about abuse?

Platform Alice Bob

7

?

From: To: Bob

What about abuse?

Platform Alice Bob

8

?

$#@%!

From: To: Bob

What about abuse?

Platform Alice Bob

9

?

$#@%! Online bully Abusive partner Spammer Misinformation

From: To: Bob

What about abuse?

Platform Alice Bob

10

?

$#@%! Online bully Abusive partner Spammer Misinformation

Moderator

$#@%!

From: To: Bob

What about abuse?

Platform Alice Bob

11

?

$#@%! Online bully Abusive partner Spammer Misinformation

Moderator

$#@%! Moderation is a big priority: Facebook employs ≈15K content moderators*

* “The secret lives of Facebook moderators in America” [The Verge 2019]

From: To: Bob

What about abuse?

Platform Alice Bob

12

?

$#@%! Online bully Abusive partner Spammer Misinformation

Moderator

$#@%! Moderation is a big priority: Facebook employs ≈15K content moderators*

* “The secret lives of Facebook moderators in America” [The Verge 2019]

Privacy complicates abuse moderation!

? ?

From: To: Bob

What about abuse?

Platform Alice Bob

13

?

$#@%! Online bully Abusive partner Spammer Misinformation

Moderator

$#@%! Moderation is a big priority: Facebook employs ≈15K content moderators*

* “The secret lives of Facebook moderators in America” [The Verge 2019]

Privacy complicates abuse moderation!

? ? Can we balance need for accountability via moderation with privacy goals?

Our contributions

14

• Asymmetric Message Franking (AMF): a new cryptographic

primitive for content moderation ○ Metadata-privacy: message sender and/or recipient identities hidden ○ Third-party moderation: moderator decoupled from message-delivery platform

• Formal accountability and deniability security notions for content

moderation

• Construction inspired by “designated-verifier” signatures
• Implementation and proof-of-concept deployment

[TGLMR CRYPTO’19]

Prior work on moderation in E2E encryption

15

Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Prior work on moderation in E2E encryption

Platform Alice Bob

16

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Prior work on moderation in E2E encryption

Platform Alice Bob

17

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Symmetric encryption following key agreement

[Signal X3DH ‘16]

Prior work on moderation in E2E encryption

Platform Alice Bob

18

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Identities authenticated by platform

Prior work on moderation in E2E encryption

Platform Alice Bob

19

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Alice, Bob, ct

Prior work on moderation in E2E encryption

Platform Alice Bob

20

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Alice, Bob, ct

k

Prior work on moderation in E2E encryption

Platform Alice Bob

21

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Alice, Bob, ct

k m = Deck(ct) Alice sent Bob m

Prior work on moderation in E2E encryption

Platform Alice Bob

22

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Alice, Bob, ct

k m = Deck(ct) Alice sent Bob m

Prior work on moderation in E2E encryption

Platform Alice Bob

23

Moderator

From: Alice To: Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

Alice, Bob, ct

k m = Deck(ct) Alice sent Bob m

Platform Alice Bob

24

Moderator

m

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

? , Bob, ct

k From: To: Bob

?

m = Deck(ct) ? sent Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

Message franking for metadata-private setting?

Platform Alice Bob

25

Moderator

m

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

? , Bob, ct

k From: To: Bob

?

m = Deck(ct) ? sent Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

Message franking for metadata-private setting?

Platform Alice Bob

26

Moderator

m, Alice

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

? , Bob, ct

k From: To: Bob

?

Can we patch by including Alice’s identity in commitment?

m, Alice = Deck(ct) Alice sent Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

Message franking for metadata-private setting?

Message franking for metadata-private setting?

Platform Charlie Bob

27

Moderator

m, Alice

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

? , Bob, ct

k From: To: Bob

?

Can we patch by including Alice’s identity in commitment?

m, Alice = Deck(ct) Alice sent Bob m Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

Platform Charlie Bob

28

Moderator

m, Alice

[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]

? , Bob, ct

k From: To: Bob

?

Can we patch by including Alice’s identity in commitment?

m, Alice = Deck(ct) Alice sent Bob m

Core problem: Alice’s identity not cryptographically bound to message content

Message franking

• Content-based moderation of encryption that is NOT metadata-private
• Compactly-committing authenticated encryption

Message franking for metadata-private setting?

AMFs: High level idea

29

Specialized digital signature scheme that provides:

• Accountability
• Deniability

AMFs: High level idea

Platform Alice Bob

30

Moderator

Specialized digital signature scheme that provides:

• Accountability
• Deniability

From: To:

? ?

AMFs: High level idea

Platform Alice Bob

31

Moderator

Specialized digital signature scheme that provides:

• Accountability
• Deniability

m, σ

skA , pkA

σ = Sign(skA , m) m, σ

From: To:

? ?

AMFs: High level idea

Platform Alice Bob

32

Moderator

Specialized digital signature scheme that provides:

• Accountability
• Deniability

m, σ

skA , pkA

σ = Sign(skA , m) m, σ Verify(pkA , m , σ) Standard digital signatures provide accountability …but not deniability

From: To:

? ?

AMFs: High level idea

Platform Alice Bob

33

Moderator

Specialized digital signature scheme that provides:

• Accountability
• Deniability

m, σ

skA , pkA

σ = Sign(skA , m) m, σ Verify(pkA , m , σ) Standard digital signatures provide accountability …but not deniability “Public”

From: To:

? ?

Starting point: Designated-verifier signatures

34

Digital signatures where only one party can verify

[JSI EUROCRYPT ‘96]

Starting point: Designated-verifier signatures

35

Digital signatures where only one party can verify

• Accountability

Designated verifier can’t be fooled by forgery

• Deniability

There exists forgery algorithm that fools everyone else

[JSI EUROCRYPT ‘96]

Platform Alice Bob

36

Moderator

m, σ

skA , pkA

m, σ

Starting point: Designated-verifier signatures

From: To:

? ? Idea: Designating the moderator as a verifier?

Platform Alice Bob

37

Moderator

m, σ

skA , pkA

m, σ

skM , pkM

Starting point: Designated-verifier signatures

From: To:

? ? Idea: Designating the moderator as a verifier?

Platform Alice Bob

38

Moderator

m, σ

skA , pkA

σ = Sign(skA , pkM , m) m, σ

Starting point: Designated-verifier signatures

From: To:

? ? Idea: Designating the moderator as a verifier?

skM , pkM

Platform Alice Bob

39

Moderator

m, σ

skA , pkA

σ = Sign(skA , pkM , m) m, σ Verify(pkA , skM , m , σ)

Starting point: Designated-verifier signatures

From: To:

? ? Idea: Designating the moderator as a verifier?

skM , pkM

Platform Alice Bob

40

Moderator

m, σ

skA , pkA

σ = Sign(skA , pkM , m) m, σ Verify(pkA , skM , m , σ)

Starting point: Designated-verifier signatures

“Public” From: To:

? ?

Could be a forgery!

Idea: Designating the moderator as a verifier?

skM , pkM

Platform Alice Bob

41

Moderator

m, σ

skA , pkA

σ = Sign(skA , pkM , m) m, σ Verify(pkA , skM , m , σ)

Starting point: Designated-verifier signatures

Idea: Designating the moderator as a verifier?

“Public” From: To:

? ? Accountability issue: Bob can’t verify!

Could be a forgery! skM , pkM

42

AMFs: Include recipient as verifying party

Solution: Designate Bob as verifier of proof that signature to moderator will succeed

Platform Alice Bob

43

Moderator

m, σ

skA , pkA

m, σ

AMFs: Include recipient as verifying party

From: To:

? ? Solution: Designate Bob as verifier of proof that signature to moderator will succeed

skB , pkB skM , pkM

Platform Alice Bob

44

Moderator

m, σ

skA , pkA

m, σ

AMFs: Include recipient as verifying party

From: To:

? ? Solution: Designate Bob as verifier of proof that signature to moderator will succeed

skB , pkB

σ = Sign(skA , pkB , pkM , m)

skM , pkM

Platform Alice Bob

45

Moderator

m, σ

skA , pkA

m, σ

AMFs: Include recipient as verifying party

From: To:

? ? Solution: Designate Bob as verifier of proof that signature to moderator will succeed

skB , pkB

σ = Sign(skA , pkB , pkM , m) Verify(pkA , skB , pkM , m , σ) Judge(pkA , pkB , skM , m , σ)

skM , pkM

Platform Alice Bob

46

Moderator

m, σ

skA , pkA

m, σ

AMFs: Include recipient as verifying party

From: To:

? ? Solution: Designate Bob as verifier of proof that signature to moderator will succeed

skB , pkB

σ = Sign(skA , pkB , pkM , m) Verify(pkA , skB , pkM , m , σ) Judge(pkA , pkB , skM , m , σ)

Accountability notions

• Receiver binding: Bob can’t frame Alice for a message she did not send
• Sender binding: Alice can’t send Bob a message that evades moderation

Judge(pkA , pkB , skM , m , σ)

skM , pkM

Deniability landscape: “Who can trick whom?”

47

σ’ = Forge(pkA , skB , pkM , m) Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Deniability landscape: “Who can trick whom?”

48

Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Alice Bob Moderator skA , pkA skB , pkB

m, σ m, σ

σ = Sign(skA , pkB , pkM , m)

“Public”

σ’ = Forge(pkA , skB , pkM , m)

skM , pkM

Deniability landscape: “Who can trick whom?”

49

Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Alice Bob Moderator skA , pkA skB , pkB

m, σ’ m, σ

σ = Sign(skA , pkB , pkM , m)

“Public”

σ’ = Forge(pkA , skB , pkM , m)

skM , pkM

Deniability landscape: “Who can trick whom?”

50

Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Alice Bob Moderator skA , pkA skB , pkB

m, σ’ m, σ

σ = Sign(skA , pkB , pkM , m)

“Public”

pkA , pkB , skM σ’ = Forge(pkA , skB , pkM , m)

skM , pkM

Deniability landscape: “Who can trick whom?”

51

Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Alice Bob Moderator skA , pkA skB , pkB

skm , m, σ’ m, σ

σ = Sign(skA , pkB , pkM , m)

“Public”

pkA , pkB , skM

key compromise!

σ’ = Forge(pkA , skB , pkM , m)

skM , pkM

Deniability landscape: “Who can trick whom?”

52

Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM

Alice Bob Moderator skA , pkA skB , pkB

skm , m, σ’ m, σ

σ = Sign(skA , pkB , pkM , m)

“Public”

pkA , pkB , skM

key compromise!

pkA , pkB , skM σ’ = Forge(pkA , skB , pkM , m)

skM , pkM

Deniability landscape: “Who can trick whom?”

53

pkA , skB , pkM pkA , pkB , skM pkA , skB , skM skA , pkB , pkM pkA , skB , pkM skA , skB , pkM pkA , pkB , skM Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM σ’ = Forge(pkA , pkB , pkM , m)

Deniability landscape: “Who can trick whom?”

54

pkA , skB , pkM pkA , pkB , skM pkA , skB , skM skA , pkB , pkM pkA , skB , pkM skA , skB , pkM pkA , pkB , skM Forger Distinguisher D σ ≈D σ’ pkA , pkB , pkM σ’ = Forge(pkA , pkB , pkM , m)

Deniability landscape: “Who can trick whom?”

55

pkA , skB , pkM pkA , pkB , skM pkA , skB , skM skA , pkB , pkM pkA , skB , pkM skA , skB , pkM pkA , pkB , skM Forger Distinguisher D pkA , pkB , pkM implies non-repudiability Some deniability relationships are desirable σ’ = Forge(pkA , pkB , pkM , m)

Deniability landscape: “Who can trick whom?”

56

pkA , skB , pkM pkA , pkB , skM pkA , skB , skM skA , pkB , pkM pkA , skB , pkM skA , skB , pkM pkA , pkB , skM Forger Distinguisher D pkA , pkB , pkM Some deniability relationships are desirable implies non-repudiability v i

• l

a t e s r e c e i v e r b i n d i n g Others contradict directly with accountability σ’ = Forge(pkA , pkB , pkM , m)

Deniability landscape: “Who can trick whom?”

57

Forger Distinguisher

skM skB skA : Incompatible with unforgeability : Incompatible with receiver binding

Deniability landscape: “Who can trick whom?”

58

skM skB skA : Incompatible with unforgeability : Incompatible with receiver binding U : Universal deniability R : Receiver compromise deniability J : Judge compromise deniability U J R

Forger Distinguisher

Deniability landscape: “Who can trick whom?”

59

skM skB skA : Incompatible with unforgeability : Incompatible with receiver binding U : Universal deniability R : Receiver compromise deniability J : Judge compromise deniability U J R

This represents only one possible set of tradeoffs! Forger Distinguisher

Summary of AMF goals

60

Specialized digital signature scheme that provides:

• Accountability

Receiver binding Sender binding

• Deniability

Universal deniability Receiver compromise deniability Judge compromise deniability

Our Construction

61

• Proof of knowledge of carefully-crafted expression of discrete log relationships
• Create signature by adding message via Fiat-Shamir transform

Our Construction

62

Example of signature proof of knowledge (SPK) notation: Standard digital signature (Schnorr)

• Proof of knowledge of carefully-crafted expression of discrete log relationships
• Create signature by adding message via Fiat-Shamir transform

chal

Our Construction

63

Example of signature proof of knowledge (SPK) notation: Standard digital signature (Schnorr)

• Proof of knowledge of carefully-crafted expression of discrete log relationships
• Create signature by adding message via Fiat-Shamir transform

Verifier Prover

com resp

Σ-Protocol Proof

• f Knowledge

chal = H(com, m)

Verifier Prover

com resp

SPK via Fiat-Shamir

Our Construction

64

DV signature to moderator DV proof to Bob

Our Construction

65

DV signature to moderator DV proof to Bob

Our Construction

66

DV signature to moderator DV proof to Bob “What Alice is proving to the moderator”

Our Construction

67

DV signature to moderator DV proof to Bob “What Alice is proving to the moderator” “What allows other parties to forge”

Our Construction

68

DV signature to moderator DV proof to Bob “What Alice is proving to the moderator” “What allows other parties to forge” Moderator accepts if aaaaaaaa form a Diffie-Hellman triple

Our Construction

69

DV proof to Bob Moderator accepts if aaaaaaaa form a Diffie-Hellman triple DV signature to moderator

Our Construction

70

Moderator accepts if aaaaaaaa form a Diffie-Hellman triple DV signature to moderator “What Alice is proving to the recipient” “What allows other parties to forge”

Our Construction

71

DV proof to Bob Moderator accepts if aaaaaaaa form a Diffie-Hellman triple DV signature to moderator Alice is proving Diffie-Hellman relationship to Bob!

Our Construction

72

DV proof to Bob Moderator accepts if aaaaaaaa form a Diffie-Hellman triple DV signature to moderator Alice is proving Diffie-Hellman relationship to Bob! Accountability

• Moderator can attribute signature to sender
• Recipient can verify moderator will accept signature

Deniability

• Signature supports multiple forgery algorithms for

various key compromise scenarios

73

Implementation

73

• Implemented in Python 3 using petlib (OpenSSL bindings)
• Fast and efficient
• < 500 bytes for P-256 (9 group elements + 6 scalars)
• < 10 ms for P-256
• Available at github.com/julialen/asymmetric-message-franking

Perspective API (for toxicity score)

74

Proof-of-concept integration

Alice Bob Third-party moderation service

74

Keybase (for PKI)

Platform (Twitter private messages)

Available at github.com/julialen/asymmetric-message-franking m, σ m, σ m, σ

Our contributions

75

• Asymmetric Message Franking (AMF)

○ new cryptographic primitive for content moderation of metadata-private messaging ○ formal accountability and deniability security notions for content moderation

• Construction based on “designated-verifier” signatures
• Implementation and proof-of-concept integration

○ Available at github.com/julialen/asymmetric-message-franking