Riposte: an Anonymous Messaging System that 'Hides the Metadata' - - PowerPoint PPT Presentation

riposte an anonymous messaging system that hides the
SMART_READER_LITE
LIVE PREVIEW

Riposte: an Anonymous Messaging System that 'Hides the Metadata' - - PowerPoint PPT Presentation

Nov 02, 2023 776 likes •1.86k views

Riposte: an Anonymous Messaging System that 'Hides the Metadata' Henry Corrigan-Gibbs Joint work with Dan Boneh and David Mazires To appear at IEEE Security and Privacy 2015 Charles River Crypto Day 20 February 2015 1 With PKE, we can

slide-1
SLIDE 1

Riposte: an Anonymous Messaging System that 'Hides the Metadata'


 Charles River Crypto Day 20 February 2015

Henry Corrigan-Gibbs

Joint work with Dan Boneh and David Mazières To appear at IEEE Security and Privacy 2015

1

slide-2
SLIDE 2

?!?

0VUIC9zZW5zaXRpdmU

…but does that hide enough? With PKE, we can hide the data…

2

(pk, sk) pk

slide-3
SLIDE 3

…"

Time From To Size 10:12 Alice Bob 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B

3

slide-4
SLIDE 4

Time From To Size 10:12 Alice taxfraud@stanford.edu 2543 B 10:27 Carol Alice 567 B 10:32 Alice Bob 450 B 10:35 Bob Alice 9382 B

[cf. Ed Felten’s testimony before the House
 Judiciary Committee, 2 Oct 2013]

…"

Hiding the data is necessary, but not sufficient

4

slide-5
SLIDE 5

Focus of this talk

Goal: post “anonymously” to a public bulletin board
 Building block for many problems related to “hiding the metadata”

! E-voting ! Anonymous surveys ! Private messaging, etc.

5

slide-6
SLIDE 6

First Attempt: Tor

[Dingledine,
 Mathewson,
 Syverson 2004]

6

“Onion”
 encryption

slide-7
SLIDE 7

Passive network adversary can correlate flows! Is this attack realistic?

[Murdoch and
 Danezis 2005] [Bauer et al. 2007]

7

slide-8
SLIDE 8

A well-placed adversary need control few links

[Murdoch and Zieliński 2007]

8

slide-9
SLIDE 9

Tor is practical at Internet scale … but its security properties are unclear

We design an anonymous messaging system that:
 1) satisfies clear security goals, 2) handles millions of users in an
 “anonymous Twitter” system.

9

slide-10
SLIDE 10

Outline

  • Motivation
  • Definitions and a “Straw man” scheme
  • Technical challenges
  • Evaluation
  • Conclusions

10

slide-11
SLIDE 11

Outline

  • Motivation
  • Definitions and a “Straw man” scheme
  • Technical challenges
  • Evaluation
  • Conclusions

11

slide-12
SLIDE 12

Reframe the Problem

"

Writing “privately” to a database Posting anonymously to a bulletin board

12

slide-13
SLIDE 13

Goal

13

The “Anonymity Set”

slide-14
SLIDE 14

Goal

14

slide-15
SLIDE 15

+

Goal

15

To: taxfraud@stanford.edu Protest will be held tomo… See my cat photos at w…

DB does not learn who wrote which message

slide-16
SLIDE 16

(k,t)-Write-Anonymous DB Scheme

k = (# of servers), t = (# malicious servers)

[Gen query to write m into row l of DB] [Apply query to state of server i] [Combine server states to reveal plaintext DB]

16

s s’ qi

slide-17
SLIDE 17

Goals

  • 1. Correctness
  • 2. Write-anonymity
  • 3. Disruption resistance

17

slide-18
SLIDE 18

Goal 1: Correctness

Informal: Output DB should be result of applying queries to DB state. If queries are: then result of Reveal() is:

18

n

X

i=1

mie`i (m1, `1), . . . , (mn, `n)

slide-19
SLIDE 19

Goal 2: Write-Anonymity

Informal: coalition of t malicious servers and any number of malicious clients should not learn who wrote what to the DB. I will present the [simplified] two-server definition with one malicious server.

19

slide-20
SLIDE 20

20

Challenger Adversary Let n = number of clients total

(qi, ˆ qi) ←

π

← Query(mi, `i)

For :

Choose on elements of H

H ⊆ [n] s.t. |H| ≥ 2 {(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H}

slide-21
SLIDE 21

21

Challenger Adversary Let n = number of clients total

(qi, ˆ qi) ← ← Query(mi, `i)

For :

π

Choose perm 


  • n elements of H

H ⊆ [n] s.t. |H| ≥ 2 {(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H} {ˆ qi | i 62 H}

slide-22
SLIDE 22

22

Challenger Adversary Let n = number of clients total

(qi, ˆ qi) ← ← Query(mi, `i)

For :

s ← Update(ˆ

π

Choose perm 


  • n elements of H

H ⊆ [n] s.t. |H| ≥ 2 {(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H} {ˆ qi | i 62 H}

slide-23
SLIDE 23

23

(qi, ˆ qi) ← ← Query(mi, `i)

For :

s ← Update(ˆ

date(ˆ q1, . . . , ˆ qn)

π

Choose perm 


  • n elements of H

H ⊆ [n] s.t. |H| ≥ 2 {(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H} {ˆ qi | i 62 H}

slide-24
SLIDE 24

24

(qi, ˆ qi) ← ← Query(mi, `i)

For :

s ← Update(ˆ

date(ˆ q1, . . . , ˆ qn)

s, π

π

Choose perm 


  • n elements of H

{(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H} {ˆ qi | i 62 H}

Queries in H updated according to permutation π

slide-25
SLIDE 25

25

(qi, ˆ qi) ← ← Query(mi, `i)

For :

s ← Update(ˆ

date(ˆ q1, . . . , ˆ qn)

s, π

π

Choose perm 


  • n elements of H

{(mi, `i) | i ∈ H}

i ∈ H

{qπ(i) | i ∈ H} {ˆ qi | i 62 H}

π∗

Adv should not be able to distinguish between real π and random π*

Choose perm 


  • n elements of H

π∗

Intuition: The scheme hides “who wrote what” (which query corresponds to which message)

slide-26
SLIDE 26

Goal 3: Disruption Resistance

Intuition: each query should change at most

  • ne DB row—prevent disruption

Informal: An adversary cannot generate N “valid” queries that affect > N rows [We defer the definition a
 “valid” query for now…]

26

slide-27
SLIDE 27

Privacy-Preserving DB Schemes

ORAM [GO’96] / Group ORAM [GOMT’11]

– CPU(s) writing to RAM

Private Info Retrieval (PIR) [CGKS’97]

– Client reading from DB shared across servers

Private Info Storage [OS’97]

– Client writing to DB shared across servers

This work: Many clients (incl malicious ones) writing to DB shared across servers

27

Ideally: for all k, tolerate compromise

  • f k-1 servers
slide-28
SLIDE 28

(2,1)-Private
 “Straw man”
 Scheme


[Chaum ‘88]

28

SX SY

slide-29
SLIDE 29

29

SX SY

“Straw man”
 Scheme

slide-30
SLIDE 30

30

SX SY

mA ∈ F

Write msg mA into DB row 3

“Straw man”
 Scheme

slide-31
SLIDE 31

31

SX SY

mA

“Straw man”
 Scheme

slide-32
SLIDE 32

“Straw man”
 Scheme

32

SX SY

mA r1 r2 r3 r4 r5

slide-33
SLIDE 33

“Straw man”
 Scheme

33

SX SY

mA r1 r2 r3 r4 r5

  • r1
  • r2

mA -r3

  • r4
  • r5
  • =
slide-34
SLIDE 34

“Straw man”
 Scheme

34

SX SY

r1 r2 r3 r4 r5

  • r1
  • r2

mA -r3

  • r4
  • r5
slide-35
SLIDE 35

35

SX SY

r1 r2 r3 r4 r5

  • r1
  • r2

mA -r3

  • r4
  • r5

“Straw man”
 Scheme

slide-36
SLIDE 36

36

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

“Straw man”
 Scheme

slide-37
SLIDE 37

37

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

mB

“Straw man”
 Scheme

slide-38
SLIDE 38

“Straw man”
 Scheme

38

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

mB s1 s2 s3 s4 s5

  • s1
  • s2
  • s3
  • s4

mB -s5

  • =
slide-39
SLIDE 39

“Straw man”
 Scheme

39

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

s1 s2 s3 s4 s5

  • s1
  • s2
  • s3
  • s4

mB -s5

slide-40
SLIDE 40

40

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

s1 s2 s3 s4 s5

  • s1
  • s2
  • s3
  • s4

mB -s5

“Straw man”
 Scheme

slide-41
SLIDE 41

41

SX

r1 + s1 r2 + s2 r3 + s3 r4 + s4 r5 + s5

SY

  • r1 - s1
  • r2 - s2
  • r3 - s3 + mA
  • r4 - s4
  • r5 - s5 - mB

“Straw man”
 Scheme

slide-42
SLIDE 42

42

SX

r1 + s1 r2 + s2 r3 + s3 r4 + s4 r5 + s5

SY

  • r1 - s1
  • r2 - s2
  • r3 - s3 + mA
  • r4 - s4
  • r5 - s5 - mB

“Straw man”
 Scheme

slide-43
SLIDE 43

43

SX

r1 + s1 r2 + s2 r3 + s3 r4 + s4 r5 + s5

SY

  • r1 - s1
  • r2 - s2
  • r3 - s3 + mA
  • r4 - s4
  • r5 - s5 - mB

“Straw man”
 Scheme

slide-44
SLIDE 44

44

SX

r1 + s1 r2 + s2 r3 + s3 r4 + s4 r5 + s5

SY

  • r1 - s1
  • r2 - s2
  • r3 - s3 + mA
  • r4 - s4
  • r5 - s5 - mB

“Straw man”
 Scheme

slide-45
SLIDE 45

45

SX

r1 + s1 r2 + s2 r3 + s3 r4 + s4 r5 + s5

SY

  • r1 - s1
  • r2 - s2
  • r3 - s3 + mA
  • r4 - s4
  • r5 - s5 - mB

At the end of the day, servers combine DBs to reveal plaintext

+ =

mA mB

“Straw man”
 Scheme


slide-46
SLIDE 46

First-Attempt Scheme: Properties

Correctness — By construction Write-Anonymity — Given output vector, servers can simulate
 their view of the protocol run

Practical Efficiency — Almost no “heavy” computation involved

46

slide-47
SLIDE 47

Extensions

Use k > 2 servers ! secure against
 k-1 evil servers Use a large- characteristic field ! e.g., email-length rows

47

slide-48
SLIDE 48

Outline

  • Motivation
  • Definitions and a “Straw man” scheme
  • Technical challenges
  • Evaluation
  • Conclusions

48

slide-49
SLIDE 49

Limitations of the “Straw man”

  • 1. O(L) communication cost
  • 2. Collisions
  • 3. Malicious clients

49

slide-50
SLIDE 50

Limitations of the “Straw man”

  • 1. O(L) communication cost
  • 2. Collisions
  • 3. Malicious clients

50

slide-51
SLIDE 51

Challenge 1: Bandwidth Efficiency

In “straw man” design, client sends DB-sized vector to each server Idea: run PIR protocol in reverse to write into DB while sending fewer bits PIR-in-reverse used in Ostrovsky-Shoup ’97 in single-client context We extend their results to a many- client context (with malicious clients)

51

slide-52
SLIDE 52

(k,t)-Distributed Point Functions

  • We use a generalization of “DPFs” defined

by Gilboa and Ishai (2014)

  • Many one-round-trip PIR protocols

construct DPFs implicitly

m ∈ F ; ` ∈ [L]

Goal:

52

slide-53
SLIDE 53

(k,t)-Distributed Point Functions

Correctness: (k,t)-Privacy: [In a minute]

53

Sum of the Eval()

  • utputs will be zero

everywhere, except at position l

slide-54
SLIDE 54

DPF Correctness

54

KeyGen(

en(m, `)

q1 q2 qk Eval … Eval Eval

x1

+

x2 xk

+ …

m

=

slide-55
SLIDE 55

(k,t)-Distributed Point Functions

(k,t)-Privacy: Can simulate the distribution

  • f any subset S of at most t DPF keys

[ Intuition: t keys leak nothing about m or ]

55

(q1, . . . , qk) ← KeyGen(m, `) {qi}i∈S ≈c Sim(S) ∀S ⊂ [k] s.t. |S| ≤ t

slide-56
SLIDE 56

56

SX SY

DPFs Reduce Bandwidth Cost

Eval( ) Eval( )

slide-57
SLIDE 57

57

SX SY

DPFs Reduce Bandwidth Cost

r1 r2 r3 r4 r5

  • r1
  • r2

mA -r3

  • r4
  • r5
slide-58
SLIDE 58

58

Alice sends
 bits

slide-59
SLIDE 59

Challenge 1: Bandwidth Efficiency

We show: a (k, t)-private DPF yields a k-server write-anonymous DB scheme tolerating up to t malicious servers

59

I will present a (2,1)-DPF with O(L1/2)-length keys based on PIR of Chor and Gilboa (’97)

slide-60
SLIDE 60

(2,1)-DPF Construction

Idea: – Represent Eval() output as a matrix – Keys can be length of side

60

slide-61
SLIDE 61

(2,1)-DPF Construction

61

slide-62
SLIDE 62

(2,1)-DPF Construction

Idea: – Represent Eval() output as a matrix – Keys can be length of row

62

Output will sum to m at = (i, j)

slide-63
SLIDE 63

(2,1)-DPF Construction

63

k1 k2 k3 k4 k5

v

1 1 1

Using as the field Key = (b, k, v), where each has length O(

√ L)

F2

Sampled at random

k1 k2* k3 k4 k5

v

1 1

slide-64
SLIDE 64

(2,1)-DPF Construction

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1 G(k1) G(k2) G(k3) G(k4) G(k5) G(k1) G(k2*) G(k3) G(k4) G(k5)

64

G() is a PRG mapping keys k to L1/2 bits

slide-65
SLIDE 65

(2,1)-DPF Construction

65

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1 G(k1) G(k2) + v G(k3) + v G(k4) G(k5) + v G(k1) G(k2*) G(k3) + v G(k4) G(k5) + v

slide-66
SLIDE 66

(2,1)-DPF Construction

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1 G(k1) G(k2) + v G(k3) + v G(k4) G(k5) + v G(k1) G(k2*) G(k3) + v G(k4) G(k5) + v

Outputs are equal everywhere except at row 2

66

slide-67
SLIDE 67

(2,1)-DPF Construction

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1 G(k1) G(k3) + v G(k4) G(k5) + v G(k1) G(k3) + v G(k4) G(k5) + v

Outputs sum to zero everywhere except at row 2

G(k2) + v G(k2*)

67

slide-68
SLIDE 68

(2,1)-DPF Construction

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1 G(k1) G(k3) + v G(k4) G(k5) + v G(k1) G(k3) + v G(k4) G(k5) + v G(k2) + v G(k2*)

Construct v as: v = G(k2) + G(k2*) + m " ej

68

slide-69
SLIDE 69

G(k1) G(k2) + v G(k3) + v G(k4) G(k5) + v G(k1) G(k2*) G(k3) + v G(k4) G(k5) + v

+ =

00000…00000 0000000m000 00000…00000 00000…00000 00000…00000

69

slide-70
SLIDE 70

Challenge 1: Bandwidth Efficiency

  • Brings comm cost down to O(L1/2)

– Just requires PRG — fast!

  • Recursive application of the same trick

– Key size down to polylog(L) [GI’14]

k1 k2 k3 k4 k5

v

1 1 1

70

slide-71
SLIDE 71

New DPF Construction

Given a seed-homomorphic PRG

G(s1) + G(s2) = G(s1 + s2)

we build a (k, k-1)-private DPF


[NPR’99] [BLMR’13] [BP’14] [BV’15]


! Privacy holds even if all but


  • ne server is adversarial

71

slide-72
SLIDE 72

Limitations of the “Straw man”

  • 1. O(L) communication cost
  • 2. Collisions
  • 3. Malicious clients

72

slide-73
SLIDE 73

Challenge 2: Collisions

  • Clients pick write location at random
  • Two honest clients may write into 


the same location

73

slide-74
SLIDE 74

Challenge 2: Collisions

  • Clients pick write location at random
  • Two honest clients may write into 


the same location

74

mA

slide-75
SLIDE 75

Challenge 2: Collisions

  • Clients pick write location at random
  • Two honest clients may write into 


the same location

75

mA + mB

slide-76
SLIDE 76

Challenge 2: Collisions

  • Clients pick write location at random
  • Two honest clients may write into 


the same location Instead of getting mA,
 mB, get the sum mA + mB

76

mA + mB

slide-77
SLIDE 77

Challenge 2: Collisions

Straightforward solution: Make DB table large enough
 to avoid collisions Better solution: Use coding techniques to recover from
 up to d-way collisions Key idea: even after a collision, learn the sum of colliding writes

c = m1 + m2

77

slide-78
SLIDE 78

Challenge 2: Collisions

Idea: To handle 2-collisions, can
 code message m as: (m, m2)

[Let ]

After a 2-collision, DBs recover the values: Given c1 and c2 can recover m1 and m2

c1 = m1 + m2 c2 = m2

1 + m2 2

78

slide-79
SLIDE 79

Challenge 2: Collisions

Using coding technique, can tolerate
 d-collisions for any d For 1% loss rate, 1k users: Naive method: 100k cells Coding method: 6.9k cells

79

Reduces table size by 93%

slide-80
SLIDE 80

Limitations of the “Straw man”

  • 1. O(L) communication cost
  • 2. Collisions
  • 3. Malicious clients

80

slide-81
SLIDE 81

Challenge 3: Malicious Clients

81

SX

r1 r2 r3 r4 r5

SY

  • r1
  • r2
  • r3+mA
  • r4
  • r5

One malicious client can corrupt the entire DB!

b1 b2 b3 b4 b5 a1 a2 a3 a4 a5

slide-82
SLIDE 82

Goal: Prevent evil client from destroying DB

  • One way to solve this is with NIZKs

– Expensive public-key crypto [Golle Juels ‘04]

  • More efficient solution:

– Add a third non-colluding “audit” server to get honest majority – Fast, info-theoretic MPC techniques

[GMW’87], [CCD’88], [FNW’96]

Challenge 3: Malicious Client

82

slide-83
SLIDE 83

DB Server X DB Server Y Auditor

83

slide-84
SLIDE 84

DB Server X DB Server Y Auditor

84

slide-85
SLIDE 85

DB Server X DB Server Y Auditor

85

slide-86
SLIDE 86

DB Server X DB Server Y Auditor Auditor

k1 k2 k3 k4 k5

v

1 1 1 k1 k2* k3 k4 k5

v

1 1

86

slide-87
SLIDE 87

DB Server X DB Server Y Auditor Auditor

k1 k2 k3 k4 k5 1 1 1 k1 k2* k3 k4 k5 1 1

87

slide-88
SLIDE 88

DB Server X DB Server Y Auditor Auditor

0 | k1 1 | k2 1 | k3 0 | k4 1 | k5 0 | k1 0 | k2* 1 | k3 0 | k4 1 | k5

88

slide-89
SLIDE 89

DB Server X DB Server Y Auditor

a1 a2 a3 b1 b2 b3

89

slide-90
SLIDE 90

DB Server X DB Server Y Auditor

a1

  • ffset

a2 a3 b1 b2 b3

90

slide-91
SLIDE 91

DB Server X DB Server Y Auditor

  • ffset

a1 a2 a3 b2 b3 b1

91

slide-92
SLIDE 92

DB Server X DB Server Y Auditor

h1, h2, h3

a1 a2 a3 b2 b3 b1

92

slide-93
SLIDE 93

DB Server X DB Server Y Auditor

h1(a1) h2(a2) h3(a3) h2(b2) h3(b3) h1(b1)

h1, h2, h3

93

slide-94
SLIDE 94

DB Server X DB Server Y Auditor

h1(a1) h2(a2) h3(a3) h2(b2) h3(b3) h1(b1)

94

slide-95
SLIDE 95

DB Server X DB Server Y Auditor

h1(a1) h2(a2) h3(a3) h2(b2) h3(b3) h1(b1)

95

slide-96
SLIDE 96

Auditor

r3 r1 r2 r1 r2 r3

Equal almost everywhere?

96

slide-97
SLIDE 97

DB Server X DB Server Y Auditor

97

slide-98
SLIDE 98

Outline

  • Motivation
  • Definitions and a “Straw man” scheme
  • Technical challenges
  • Evaluation
  • Conclusions

98

slide-99
SLIDE 99

Implementation

  • Implemented the full protocol in Go

– 2 DB servers + 1 audit server

  • Ran perf evaluation on a network testbed

simulating real-world net conditions

99

slide-100
SLIDE 100

Bottom-Line Result

  • For a DB with 65,000 Tweet-length rows,

can process 30 writes/second

  • Can process 1,000,000 writes in 8 hours
  • n a single server

# Main bottleneck is PRG expansion

100

slide-101
SLIDE 101

Throughput


(anonymous Twitter)

At large table sizes, PRG cost dominates

101

slide-102
SLIDE 102

Outline

  • Motivation
  • Definitions and a “Straw man” scheme
  • Technical challenges
  • Evaluation
  • Conclusions

102

slide-103
SLIDE 103

Open Problems

  • 1. Reduce Θ(L) computation cost at server

– Using multiple rounds per write?

  • 2. Key-homomorphic DPFs

– Another way to reduce cost at server

  • 3. (k, k-1)-private DPFs without PKC

– Possible without seed-hom PRGs?

103

slide-104
SLIDE 104

Conclusion

In many contexts, “hiding the metadata” is as important as hiding the data Combination of crypto tools with systems design # 1,000,000-user anonymity sets “Multi-user writable PIRs” have applications to private messaging

– Stillbarriers to practicality (+ open problems)

104

slide-105
SLIDE 105

Questions?

105

slide-106
SLIDE 106

106