![Page 1: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/1.jpg)
Strongly Anonymous Communication
Albert Kwon David Lazar Srini Devadas Bryan Ford
April 18, 2016
![Page 2: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/2.jpg)
Tor
2
(( )3)2
( )3
((( )3)2)1
![Page 3: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/3.jpg)
Fingerprinting Attacks on Tor
Learn particular patterns of communication
E.g., number of incoming/outgoing packets,
total number of packets, burst pattern, etc.
Use machine learning to distinguish websites
Only requires guards nodes!
85+% accuracy in most recent work 3
![Page 4: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/4.jpg)
4
We kill people based on metadata. -General Michael Hayden
![Page 5: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/5.jpg)
“Anytrust“ Threat Model
5
![Page 6: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/6.jpg)
Anytrust: Mixnets
6
((( )3)2)1
((( )3)2)1
((( )3)2)1
(( )2)1
(( )2)1
(( )2)1 ( )1
( )1
( )1
Public key encryption
![Page 7: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/7.jpg)
Anytrust: Mixnets
7
((( )3)2)1
((( )3)2)1
((( )3)2)1
(( )2)1
(( )2)1
(( )2)1 ( )1
( )1
( )1
![Page 8: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/8.jpg)
Fixing Mixnets
8
((( )3)2)1
((( )3)2)1
((( )3)2)1
(( )2)1
(( )2)1
(( )2)1
![Page 9: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/9.jpg)
Verifiable Shuffle
Generates a zero-knowledge proof of shuffle
Pioneered by Neff
Output is a valid permutation of input
Zero-knowledge of the permutation
But not necessarily random
Most common for discrete log based systems 9
![Page 10: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/10.jpg)
Verifiable Shuffle
10
((( )3)2)1
((( )3)2)1
((( )3)2)1
ZKP( , , )
(( )2)1
(( )2)1
(( )2)1
![Page 11: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/11.jpg)
Verifiable Shuffle
11
((( )3)2)1
((( )3)2)1
((( )3)2)1
ZKP( , , )
(( )2)1
(( )2)1
(( )2)1
![Page 12: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/12.jpg)
Verifiable Mixnets
12
... ...
![Page 13: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/13.jpg)
Verifiable Mixnets
13
... ...
1. Upload onion-encrypted messages.
Enc1(Enc2(Enc3(M1)))
Enc1(Enc2(Enc3(Mi)))
Enc1(Enc2(Enc3(Mn)))
![Page 14: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/14.jpg)
Verifiable Mixnets
14
... ...
2. Servers verifiable shuffle and decrypt the messages
{Enc1(Enc2(Enc3(Mi)))}i∈[n]
π1({Enc2(Enc3(Mi))}i∈[n])
π2(π1({Enc3(Mi)}i∈[n])
![Page 15: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/15.jpg)
Verifiable Mixnets
15
... ...
3. Send message to receiver
Mi Mn M1
π3(π2(π1({Mi}i∈[n])))
![Page 16: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/16.jpg)
Verifiable Mixnets
16
... ...
π3(π2(π1({Mi}i∈[n])))
![Page 17: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/17.jpg)
Problems with Verifiable Mixnets
Verifiable shuffle is slow
17
![Page 18: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/18.jpg)
Authenticated Encryption
Confidentiality, Integrity, Authenticity
In practice: symmetric encryption + MAC
Analyzed by Ballare and Namprempre
18
![Page 19: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/19.jpg)
Authenticated Encryption
Confidentiality, Integrity, Authenticity
19
Encrypt-and-MAC
![Page 20: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/20.jpg)
Authenticated Encryption
Confidentiality, Integrity, Authenticity
20
MAC-then-Encrypt
![Page 21: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/21.jpg)
Authenticated Encryption
Confidentiality, Integrity, Authenticity
21
Encrypt-then-MAC
![Page 22: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/22.jpg)
Hybrid Shuffle
Setup symmetric key with verifiable shuffle
Use symmetric encryption (w/ AEnc)
Similar to TLS or other secure communication
22
![Page 23: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/23.jpg)
Hybrid Shuffle (Setup)
23
Prover Verifier
0. Get public keys of prover and verifier
pk1 pk2
![Page 24: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/24.jpg)
Hybrid Shuffle (Setup)
24
Prover Verifier
Enc1(k11) Enc1(k21) Enc1(k31)
{k11,k21,k31}
1. Share symmetric keys with prover
![Page 25: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/25.jpg)
Hybrid Shuffle (Setup)
25
Prover Verifier
{k11,k21,k31}
2. Send onion-encrypted symmetric keys
Enc1(Enc2(k12)) Enc1(Enc2(k22)) Enc1(Enc2(k32))
![Page 26: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/26.jpg)
Hybrid Shuffle (Setup)
26
Prover Verifier
{k11,k21,k31}
3. Verifiably shuffle and decrypt. Send to the verifier
Enc2(k32) Enc2(k12) Enc2(k22)
{k32,k12,k22}
![Page 27: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/27.jpg)
Hybrid Shuffle (Communication)
27
Prover Verifier
{k11,k21,k31}
{M1,M2,M3}
{k32,k12,k22}
![Page 28: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/28.jpg)
Hybrid Shuffle (Communication)
28
Prover Verifier
{k11,k21,k31}
{M1,M2,M3}
{k32,k12,k22}
k32
AEnc (M3)
k12
AEnc (M1)
k22
AEnc (M2)
2. Decrypt and shuffle using the permutation from setup.
{M3,M1,M2}
![Page 29: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/29.jpg)
Hybrid Shuffle (Communication)
29
Prover Verifier
{k11,k21,k31}
{M1,M2,M3}
{k32,k12,k22} AEnc (AEnc (M1)) k11 k12
AEnc (AEnc (M2)) k21 k22
AEnc (AEnc (M3)) k31 k32
1. Send onion-encrypted messages with authenticated enc.
![Page 30: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/30.jpg)
Hybrid Shuffle Security
Zero-knowledge?
Verifiable?
Any downsides?
30
![Page 31: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/31.jpg)
Setup
31
... ...
Enc1(k11) Enc1(Enc2(k12)) Enc1(Enc2(Enc3(k13)))
Enc1(ki1) Enc1(Enc2(ki2))
Enc1(Enc2(Enc3(ki3)))
Enc1(kn1) Enc1(Enc2(kn2))
Enc1(Enc2(Enc3(kn3)))
![Page 32: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/32.jpg)
Setup
32
... ...
{ki1}i∈[n]
π1({Enc2(ki2)}i∈[n])
π1({Enc2(Enc3(ki3))}i∈[n])
π1({ki2}i∈[n])
π2(π1({Enc3(ki3))}i∈[n]))
π2(π1({ki3}i∈[n]))
{Enc1(ki1)}i∈[n]
{Enc1(Enc2(ki2))}i∈[n]
{Enc1(Enc2(Enc3(ki3)))}i∈[n]
![Page 33: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/33.jpg)
Setup
33
... ...
{ki1}i∈[n]
π1({ki2}i∈[n])
π2(π1({ki3}i∈[n]))
![Page 34: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/34.jpg)
Upload/Send
34
... ... AEnc (AEnc (AEnc (M1))) k11 k12 k13
AEnc (AEnc (AEnc (Mi))) ki1 ki2 ki3
AEnc (AEnc (AEnc (Mn))) kn1 kn2 kn3
{ki1}i∈[n] π2(π1({ki3}i∈[n]))
π1({ki2}i∈[n])
![Page 35: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/35.jpg)
Upload
35
... ... {AEnc (AEnc (AEnc (Mi)))}i∈[n] ki1 ki2 ki3
ki3 ki2
π1({AEnc (AEnc (Mi)))}i∈[n])
ki3 π2(π1({AEnc (Mi)}i∈[n]))
{ki1}i∈[n] π2(π1({ki3}i∈[n]))
π1({ki2}i∈[n])
![Page 36: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/36.jpg)
Download/Receive
36
... ... Mi Mn M1
π3(π2(π1({Mi}i∈[n])))
![Page 37: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/37.jpg)
Problems with Download/Receive
No receiver anonymity
37
M
![Page 38: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/38.jpg)
Broadcast
38
... ...
π3(π2(π1({Mi}i∈[n])))
π3(π2(π1({Mi}i∈[n])))
![Page 39: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/39.jpg)
Problems with Download/Receive
No receiver anonymity
What if you want to privately download?
Broadcast everything!
At O(n) bandwidth overhead per client...
Client-Server bandwidth is expensive... 39
![Page 40: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/40.jpg)
Private Information Retrieval
Bit of crypto-magic to hide which message you
are downloading
Originally proposed by Chor et al.
Multiple servers w/ replicated database
Many schemes exists for different settings
Most single server schemes are impractical 40
![Page 41: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/41.jpg)
Private Information Retrieval
41
... ...
m1 = 001
m2 = 101
m3 = 110
M1 M2 M3
M1 M2 M3
M1 M2 M3
1. Share masks.
m1 = 001 m2 = 101 ⊕m3 = 110 m = 010
![Page 42: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/42.jpg)
Private Information Retrieval
42
... ...
M1 M2 M3
M1 M2 M3
M1 M2 M3
r2 = M1⊕M3
r3 = M1⊕M2 r1 = M3
2. Servers compute their resp.
m1 = 001
m2 = 101
m3 = 110
![Page 43: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/43.jpg)
Private Information Retrieval
43
... ...
M1 M2 M3
M1 M2 M3
M1 M2 M3
r2 = M1⊕M3
r3 = M1⊕M2
r1 = M3
3. Download resp.
r1 = M3
r2 = M1⊕M3
⊕ r3 = M1⊕M2
r = M2
![Page 44: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/44.jpg)
PIR Bandwidth
m masks (up) + m messages (down)
Compared to n message (down)
(mn + m*|message|) VS. (n*|message|)
|message| >> n, n >> m
44
![Page 45: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/45.jpg)
Private Information Retrieval
45
... ...
M1 M2 M3
M1 M2 M3
M1 M2 M3
3b. Share pairwise secrets
S1
S2
S3
![Page 46: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/46.jpg)
Private Information Retrieval
46
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
r1⊕s1 r3⊕s3
...
4b. Send resp + secret to one server
![Page 47: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/47.jpg)
Private Information Retrieval
47
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
r1⊕s1 r3⊕s3
...
M3⊕s1
M1⊕M3⊕s2
M1⊕M2⊕s3
r = M2⊕s1⊕s2⊕s3
5b. Compute the final response
![Page 48: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/48.jpg)
Private Information Retrieval
48
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
...
r = M2⊕s1⊕s2⊕s3
r⊕s1⊕s2⊕s3 = M2
6b. Send final resp. back
![Page 49: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/49.jpg)
PIR Bandwidth
Client-Server
m masks (up) + m secrets (up) + 1
message (down)
Server-Server
m-1 messages
49
![Page 50: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/50.jpg)
PIR Optimization
Update the secrets and masks using PRNG
No need for communication
50
![Page 51: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/51.jpg)
PIR Optimized
51
... ... m1’ = PRNG(m1) m3’ = PRNG(m3)
M1 M2 M3
M1 M2 M3
M1 M2 M3
1. Update masks
![Page 52: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/52.jpg)
PIR Optimized
52
... ... m1’ = PRNG(m1)
m2’
m3’ = PRNG(m3)
M1 M2 M3
M1 M2 M3
M1 M2 M3
2. Generate and upload last mask
m1’ m2’ ⊕m3’
m = 010
![Page 53: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/53.jpg)
PIR Optimized
53
... ...
M1 M2 M3
M1 M2 M3
M1 M2 M3
3c. Update pairwise secrets
S1’=PRNG(S1)
S2’=PRNG(S2)
S3’=PRNG(S3)
![Page 54: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/54.jpg)
PIR Optimized
54
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
r1⊕s1’ r3⊕s3
’
...
4b. Send resp + secret to one server
![Page 55: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/55.jpg)
PIR Optimized
55
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
...
M3⊕s1’
M1⊕M3⊕s2’
M1⊕M2⊕s3’
r = M2⊕s1’⊕s2’⊕s3’
5b. Compute the final response
![Page 56: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/56.jpg)
PIR Optimized
56
...
M1 M2 M3
M1 M2 M3
M1 M2 M3
...
r = M2⊕s1’⊕s2’⊕s3’
r⊕s1’⊕s2’⊕s3’ = M2
6b. Send final resp. back
![Page 57: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/57.jpg)
PIR Bandwidth
Client-Server
Setup: m masks (up) + m secrets (up)
Download: 1 mask (up) +1 message (down)
Server-Server
m-1 messages 57
![Page 58: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/58.jpg)
PIR Requirements
Need to know the index of the message
Often done by downloading digests
58
![Page 59: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/59.jpg)
Riffle
59
... ...
1. Setup hybrid shuffle keys
π1({ki2}i∈[n])
π2(π1({ki3}i∈[n])) {ki1}i∈[n]
![Page 60: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/60.jpg)
Riffle
60
... ...
2. Upload messages
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
![Page 61: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/61.jpg)
Riffle
61
... ... Mj
Mj
’ Mj’’
3a. Download (via PIR)
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
![Page 62: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/62.jpg)
Riffle
62
... ...
3b. Download (via broadcast)
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n])))
![Page 63: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/63.jpg)
Applications
63
![Page 64: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/64.jpg)
n i 1 hi hn h1
File Sharing
64
... ...
1. Request 2. Upload 3. Download
![Page 65: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/65.jpg)
n i 1 hi hn h1
File Sharing
65
... ... h1 hi hn
1. Request
![Page 66: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/66.jpg)
n i 1 hi hn h1
File Sharing
66
... ... hn ... h1 ... hi
hn ... h1 ... hi
hn ... h1 ... hi
hn ... h1 ... hi
hn ... h1 ... hi
hn ... h1 ... hi
1. Request
![Page 67: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/67.jpg)
n i 1 hi hn h1
File Sharing
67
... ... hi hn h1
2. Upload
hi hn h1 ... ...
hi hn h1 ... ...
hi hn h1 ... ...
![Page 68: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/68.jpg)
n i 1 hi hn h1
File Sharing
68
... ...
hi hn h1 ... ...
hi hn h1 ... ...
hi hn h1 ... ...
hn ... hi ... h1
hn ... hi ... h1
hn ... hi ... h1
3. Download
![Page 69: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/69.jpg)
n i 1 hi hn h1
File Sharing
69
... ...
hi hn h1 ... ...
hi hn h1 ... ... hi hn h1
... ...
hi hn h1
3. Download
![Page 70: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/70.jpg)
Microblogging
70
... ... M1
Mi Mn
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
![Page 71: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/71.jpg)
Microblogging
71
... ...
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n])))
π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n])))
![Page 72: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/72.jpg)
Evaluation
72
![Page 73: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/73.jpg)
Network Layout
73
(100/(n/3)) Mbps
3 Servers Varying # of clients
1Gbps
![Page 74: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/74.jpg)
File Sharing Evaluation
74
![Page 75: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/75.jpg)
File Sharing Evaluation
75
Sharing 300MB File
![Page 76: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/76.jpg)
Microblogging Evaluation
76
![Page 77: Strongly Anonymous Communication · Verifiable Shuffle Generates a zero-knowledge proof of shuffle Pioneered by Neff Output is a valid permutation of input Zero-knowledge of the permutation](https://reader033.vdocuments.net/reader033/viewer/2022052806/605ffad650e9686cb207ea39/html5/thumbnails/77.jpg)
Conclusion
Trade-off latency and anonymity
Anytrust is a powerful threat model
Add verifiability to secure mixnets
Public key crypto => Symmetric crypto
Add PIR to protect receivers 77