riposte an anonymous messaging system handling millions
play

Riposte: An Anonymous Messaging System Handling Millions of Users - PowerPoint PPT Presentation

Dec 08, 2022 •24 likes •484 views

Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, Dan Boneh, and David Mazires Stanford University IEEE Security and Privacy 18 May 2015 1 With encryption, we can hide the data but

  1. 
 Riposte: An Anonymous Messaging System Handling Millions of Users Henry Corrigan-Gibbs, 
 Dan Boneh, and David Mazières Stanford University IEEE Security and Privacy 18 May 2015 1

  2. With encryption, we 
 can hide the data… …but does that 
 ?!? hide enough? pk (pk, sk) 0VUIC9zZW5zaXRpdmU 2

  3. Time From To Size 10:12 Alice Bob 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B … ¡ [cf. Ed Felten’s testimony before the House 
 Judiciary Committee, 2 Oct 2013] 3

  4. Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B Hiding the data is necessary, but not sufficient … ¡ [cf. Ed Felten’s testimony before the House 
 Judiciary Committee, 2 Oct 2013] 4

  5. Goal The “Anonymity Set” 5

  6. Goal 6

  7. Goal 7

  8. DBs do not learn Goal who wrote which message 0 To: taxfraud@stanford.edu 0 + Protest will be held tomo… See my cat photos at w… 0 8

  9. Building block for systems related to “hiding the metadata” à Anonymous Twitter à Anonymous surveys à Private messaging, etc. 9

  10. Low-latency anonymity systems (e.g., Tor) … do not protect against a global adversary Mix-nets … require expensive ZKPs to protect against 
 active attacks Riposte is an anonymous messaging system that: • protects against a near-global active adversary • handles millions of users in an 
 “anonymous Twitter” system 10

  11. Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 11

  12. 
 S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 Non-colluding Scheme 
 servers [Chaum ‘88] 12

  13. S X S Y 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 Scheme 13

  14. S X S Y 0 0 0 0 0 0 0 0 0 0 Write msg m A into DB row 3 “Straw man” 
 m A ∈ F Scheme 14

  15. S X S Y 0 0 0 0 0 0 0 0 0 0 0 0 “Straw man” 
 m A Scheme 0 0 15

  16. S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 0 r 2 “Straw man” 
 m A r 3 Scheme 0 r 4 0 r 5 16

  17. S X S Y 0 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 0 r 2 - r 2 - “Straw man” 
 = m A r 3 m A - r 3 Scheme 0 r 4 - r 4 0 r 5 -r 5 17

  18. S X S Y 0 0 0 0 0 0 0 0 0 0 r 1 - r 1 r 2 - r 2 “Straw man” 
 r 3 m A - r 3 Scheme r 4 - r 4 r 5 -r 5 18

  19. S X S Y 0 0 - r 1 r 1 0 0 - r 2 r 2 0 0 m A - r 3 r 3 0 0 - r 4 r 4 0 0 -r 5 r 5 “Straw man” 
 Scheme 19

  20. S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 “Straw man” 
 Scheme 20

  21. S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 0 “Straw man” 
 0 Scheme 0 m B 21

  22. S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 0 s 1 - s 1 0 s 2 - s 2 - “Straw man” 
 = 0 s 3 - s 3 Scheme 0 s 4 - s 4 m B s 5 m B - s 5 22

  23. S X S Y r 1 - r 1 r 2 - r 2 r 3 - r 3 + m A r 4 - r 4 r 5 - r 5 s 1 - s 1 s 2 - s 2 “Straw man” 
 s 3 - s 3 Scheme s 4 - s 4 s 5 m B - s 5 23

  24. S X S Y r 1 - r 1 s 1 - s 1 r 2 - r 2 s 2 - s 2 r 3 - r 3 + m A s 3 - s 3 r 4 - r 4 s 4 - s 4 r 5 - r 5 s 5 m B - s 5 “Straw man” 
 Scheme 24

  25. S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 25

  26. S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 26

  27. S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 27

  28. S X S Y r 1 + s 1 - r 1 - s 1 r 2 + s 2 - r 2 - s 2 r 3 + s 3 - r 3 - s 3 + m A r 4 + s 4 - r 4 - s 4 r 5 + s 5 - r 5 - s 5 - m B “Straw man” 
 Scheme 28

  29. S X S Y r 1 + s 1 - r 1 - s 1 0 r 2 + s 2 - r 2 - s 2 0 + = r 3 + s 3 - r 3 - s 3 + m A m A r 4 + s 4 - r 4 - s 4 0 r 5 + s 5 - r 5 - s 5 - m B m B At the end of the “Straw man” 
 day, servers Scheme 
 combine DBs to reveal plaintext 29

  30. First-Attempt Scheme: Properties “Perfect” anonymity as long as servers don’t collude • Can use k servers to protect against k -1 collusions Unlike a mix-net, Practical efficiency: storage cost is almost no “heavy” constant in the computation involved anonymity set size 30

  31. Outline • Motivation • A “Straw man” scheme • Technical challenges • Evaluation 31

  32. Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions – Malicious clients – O( L ) communication cost • Evaluation 32

  33. Outline • Motivation • A “Straw man” scheme • Technical challenges – Collisions in the paper – Malicious clients ¡ – O( L ) communication cost • Evaluation 33

  34. Challenge: Bandwidth Efficiency In “straw man” design, client sends DB-sized vector to s 1 each server s 2 Idea : use a cryptographic s 3 trick to compress the vectors s 4 à Based on PIR protocols s 5 [Ostrovsky and Shoup 1997]

  35. Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = 0 0 m 0 0 0 [Gilboa and Ishai 2014] 35

  36. Distributed Point Function k 1 Eval x 1 en ( m, ` ) + k 2 x 2 Eval … KeyGen ( … … + k n x n Eval = Privacy: A subset of 0 0 m 0 0 0 keys leaks nothing 
 [Gilboa and Ishai 2014] about message or l � 36

  37. S X S Y 0 0 Eval ( ) Eval ( ) 0 0 0 0 0 0 0 0 DPFs Reduce Bandwidth Cost 37

  38. S X S Y 0 r 1 - r 1 0 0 r 2 - r 2 0 0 r 3 m A - r 3 0 0 r 4 - r 4 0 0 r 5 -r 5 0 DPFs Reduce Bandwidth Cost 38

  39. Alice sends 
 L 1/2 bits (instead of L ) • Two-server version just uses AES (no public-key crypto) • With fancier crypto, privacy holds even if all but one server is malicious [Chor and Gilboa 1997] [Gilboa and Ishai 2014]

  40. Outline • Motivation • Definitions and a “Straw man” scheme • Technical challenges • Evaluation 40

  41. Bottom-Line Result • Implemented the protocol in Go • For a DB with 65,000 Tweet-length rows, can process 30 writes/second • Can process 1,000,000 writes in 8 hours on a single server è Completely parallelizable workload 41

  42. At large table Throughput 
 sizes, AES cost (anonymous Twitter) dominates 42

  43. Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:15 Bob Alice 567 B 10:17 Carol Bob 450 B 10:22 Dave Alice 9382 B 43

  44. Time From To Size 10:12 Alice Riposte Server 207 KB 10:15 Bob Riposte Server 207 KB 10:17 Carol Riposte Server 207 KB 10:22 Dave Riposte Server 207 KB ?!? 44

  45. Conclusion In many contexts, “hiding the metadata” is as important as hiding the data Combination of crypto tools with systems design è 1,000,000-user anonymity sets Next step: Better performance at scale 45

  46. 46

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Riposte: an Anonymous Messaging System that 'Hides the Metadata' Henry Corrigan-Gibbs Joint work

Riposte: an Anonymous Messaging System that 'Hides the Metadata' Henry Corrigan-Gibbs Joint work

Riposte: an Anonymous Messaging System that 'Hides the Metadata' Henry Corrigan-Gibbs Joint work with Dan Boneh and David Mazires To appear at IEEE Security and Privacy 2015 Charles River Crypto Day 20 February 2015 1 With PKE, we can

1.85k views • 106 slides
Dissent: Accountable Anonymous Group Messaging Henry

Dissent: Accountable Anonymous Group Messaging Henry

Dissent: Accountable Anonymous Group Messaging Henry Corrigan-Gibbs and Bryan Ford Department of Computer Science Yale University 17 th ACM Conference on

879 views • 65 slides
Proac&vely Accountable Anonymous Messaging in Verdict Henry

Proac&vely Accountable Anonymous Messaging in Verdict Henry

Proac&vely Accountable Anonymous Messaging in Verdict Henry Corrigan-Gibbs, David Isaac Wolinsky, and Bryan Ford Department of Computer Science Yale

966 views • 85 slides
Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung

Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung

Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung Matei Zaharia Nickolai Zeldovich SOSP 2017 Previous talk: Anonymous broadcast This talk: Private messaging Alice Bob Problem: Communication

725 views • 50 slides
How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway Why do we need push? How I spend my time in Netflix application... What is push? What is push? How you can build it What is push?

965 views • 83 slides
America Enroll America will help deliver on the promise of affordable health care for millions of

America Enroll America will help deliver on the promise of affordable health care for millions of

Connecting Millions of Americans with Health Coverage: Enrollment and Messaging Work Martine Apodaca, Director, Public Education Campaign, Enroll America Enroll America will help deliver on the promise of affordable health care for millions of

520 views • 34 slides
Amateur Radio Message Handling Bill Ellis, KF7PB April 19, 2012 Formal Messaging ARRL

Amateur Radio Message Handling Bill Ellis, KF7PB April 19, 2012 Formal Messaging ARRL

Amateur Radio Message Handling Bill Ellis, KF7PB April 19, 2012 Formal Messaging ARRL Radiogram Radiogram Components Preamble Address Text Signature Preamble Number Assigned by the station that originates the message.

438 views • 33 slides
Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model

Secure Messaging Lecture 23 Messaging Alice Bob Secure Messaging Corruption model Server/network is adversarial (but trusted identity registration needed) Windows of compromise when a party is under adversarial control (or readable

933 views • 14 slides
WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable

WSO2 Message Broker Scalable persistent Messaging System Outline Messaging Scalable Messaging Distributed Message Brokers WSO2 MB Architecture o Distributed Pub/sub architecture o Distributed Queues architecture User Story

1.12k views • 33 slides
Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work

Anonymous Tokens Michele Orr ia.cr/2020/072 1 Anonymous Tokens Michele Orr joint work with Ben Kreuter, Tancrde Lepoint, Mariana Raykova ia.cr/2020/072 1 Definition Anonymous tokens are lightweight, single-use anonymous credentials.

657 views • 61 slides
Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable.

Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable.

Parent, School, and Employee Notification System Ease of Use. Custom Messaging System. Reliable. start . welcome BUS BULLETIN THE COMPANY We saw an opportunity to streamline the communications with school districts around the country. By

401 views • 18 slides
Anonymous Paper-Review System Reporter: Group: Peer

Anonymous Paper-Review System Reporter: Group: Peer

Anonymous Paper-Review System Reporter: Group: Peer review of scholarly papers is seen to be a critical step in the publication of high quality outputs in reputable journals. Defects with the mechanism:

501 views • 20 slides
YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I

YOUR MESSAGING ISNT ABOUT YOU 7 Steps to Messaging that Connects Who am I? Why am I here? Hundreds of product launches. Dozens of corporate launches. One top-funded Kickstarter campaign The Tool: The Message Map

655 views • 22 slides
A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social

A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social

Introduction Social Multicast Summary A Social Messaging System for GNUnet Gabor Toth July 3, 2013 1/18 Introduction Social Multicast Summary Design goals A social messaging system, which is scalable extensible end-to-end

348 views • 18 slides
I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger

I MPROVED S TRONGLY D ENIABLE A UTHENTICATED K EY E XCHANGES F OR S ECURE M ESSAGING Nik Unger and Ian Goldberg Secure Messaging 2 Secure Messaging All-Verifier Deniable Anonymous Authentication End-to Authentication End Zone

776 views • 48 slides
Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons

Two cool ideas: Anonymous classes Polymorphism Anonymous classes motivation You probably have many buttons and/or menu items in your VectorGraphics project Three approaches for responding to the events from selecting those buttons /

406 views • 6 slides
The EBEX AHWP Shaul Hanany + EBEX Team, Tomo Matsumura, Jeff Klein Observational Cosmology -

The EBEX AHWP Shaul Hanany + EBEX Team, Tomo Matsumura, Jeff Klein Observational Cosmology -

The EBEX AHWP Shaul Hanany + EBEX Team, Tomo Matsumura, Jeff Klein Observational Cosmology - University of Minnesota, Twin Cities Single HWP Model I measured = 1 2 [ I in + I P in cos(4 hwp t 2 in )] Scanning modulates intensity and

960 views • 24 slides
Machine Learning (CSE 446): Learning as Minimizing Loss: Regularization and Gradient Descent

Machine Learning (CSE 446): Learning as Minimizing Loss: Regularization and Gradient Descent

Machine Learning (CSE 446): Learning as Minimizing Loss: Regularization and Gradient Descent Sham M Kakade c 2018 University of Washington cse446-staff@cs.washington.edu 1 / 12 Announcements Assignment 2 due tomo. Midterm: Weds,

520 views • 23 slides
THE WEB AND TV JEFF JAFFE, W3C CEO HOSTING AND MAJOR UNDERWRITING PROVIDED BY ADDITIONAL

THE WEB AND TV JEFF JAFFE, W3C CEO HOSTING AND MAJOR UNDERWRITING PROVIDED BY ADDITIONAL

THE WEB AND TV JEFF JAFFE, W3C CEO HOSTING AND MAJOR UNDERWRITING PROVIDED BY ADDITIONAL SPONSORSHIP SUPPORT PROVIDED BY WORKSHOP ORGANIZING COMMITTEE Yosuke Funahashi, Tomo-Digi Karen Myers, W3C Giuseppe Pascale, Opera Software Kaz

449 views • 17 slides
IMRT treatments in Belgium: IMRT treatments in Belgium: an update an update S. Vy Vyn nckier

IMRT treatments in Belgium: IMRT treatments in Belgium: an update an update S. Vy Vyn nckier

IMRT treatments in Belgium: IMRT treatments in Belgium: an update an update S. Vy Vyn nckier ckier S. Stefaan.vynckier@uclouvain.be U.C.L.- Cliniques universitaires Saint-Luc- Service de radiothrapie oncologique- Brussels, Belgium

116 views • 9 slides
Cognate object case in Samoan and Niuean Rebecca Tollan and Diane Massam University of Delaware

Cognate object case in Samoan and Niuean Rebecca Tollan and Diane Massam University of Delaware

Cognate object case in Samoan and Niuean Rebecca Tollan and Diane Massam University of Delaware and University of Toronto 1 Transitive vs. unergative constructions Transitive verbs and unergative predicates have long received a uniform

533 views • 35 slides
The Mu2e Experiment Tomo Miyashita Caltech On Behalf of the Mu2e Collaboration Fermilab Users

The Mu2e Experiment Tomo Miyashita Caltech On Behalf of the Mu2e Collaboration Fermilab Users

The Mu2e Experiment Tomo Miyashita Caltech On Behalf of the Mu2e Collaboration Fermilab Users Meeting Batavia, IL June 20th, 2018 Overview Motivation and Theory Experiment Overview Experiment Design Proton Beam

705 views • 42 slides
Complexity and Jacobians for cyclic coverings of a graph Alexander Mednykh Sobolev Institute of

Complexity and Jacobians for cyclic coverings of a graph Alexander Mednykh Sobolev Institute of

Complexity and Jacobians for cyclic coverings of a graph Alexander Mednykh Sobolev Institute of Mathematics Novosibirsk State University Summer School for Inetnational conference and PhD-Master on Groups and Graphs, Desighs and Dynamics,

457 views • 29 slides
Bound on Reheating Temperature with Dark Matter [Based on the work with Tomo Takahashi] Ki

Bound on Reheating Temperature with Dark Matter [Based on the work with Tomo Takahashi] Ki

Bound on Reheating Temperature with Dark Matter [Based on the work with Tomo Takahashi] Ki -Young Choi Contents 1. Reheating temperature and early Matter Domination 2. Dark matter in the early Matter Domination 3. Low bound on the reheating

526 views • 35 slides

More recommend