Strongly Anonymous Communication
Albert Kwon David Lazar Srini Devadas Bryan Ford
April 18, 2016
Tor
[Figure: a message onion-encrypted as ((( )3)2)1 passes through three hops, each removing one layer]
Fingerprinting Attacks on Tor
Learn particular patterns of communication
E.g., number of incoming/outgoing packets, total number of packets, burst pattern, etc.
Use machine learning to distinguish websites
Only requires guard nodes!
85+% accuracy in most recent work
"We kill people based on metadata." - General Michael Hayden
"Anytrust" Threat Model
Anytrust: Mixnets
[Figure: n messages onion-encrypted as ((( )3)2)1 pass through three servers; each server removes one layer with public key encryption, so the layers go ((( )3)2)1, (( )2)1, ( )1]
Public key encryption
Fixing Mixnets
[Figure: the same three-server mixnet, before and after the first server's decryption: ((( )3)2)1 to (( )2)1]
Verifiable Shuffle
Generates a zero-knowledge proof of shuffle
Pioneered by Neff
Output is a valid permutation of the input
Zero-knowledge of the permutation
But not necessarily random
Most common for discrete-log-based systems
Verifiable Shuffle
[Figure: the shuffling server takes ((( )3)2)1 inputs, outputs (( )2)1, and publishes a proof ZKP( , , ) that the outputs are a permutation of the inputs]
Verifiable Mixnets
1. Upload onion-encrypted messages.
   Enc1(Enc2(Enc3(M1))), ..., Enc1(Enc2(Enc3(Mi))), ..., Enc1(Enc2(Enc3(Mn)))
2. Servers verifiably shuffle and decrypt the messages.
   {Enc1(Enc2(Enc3(Mi)))}i∈[n]
   π1({Enc2(Enc3(Mi))}i∈[n])
   π2(π1({Enc3(Mi)}i∈[n]))
   π3(π2(π1({Mi}i∈[n])))
3. Send each message to its receiver.
   The last server outputs π3(π2(π1({Mi}i∈[n]))) and delivers M1, ..., Mi, ..., Mn.
Problems with Verifiable Mixnets
Verifiable shuffle is slow
Authenticated Encryption
Confidentiality, Integrity, Authenticity
In practice: symmetric encryption + MAC
Analyzed by Bellare and Namprempre
Three ways to compose them: Encrypt-and-MAC, MAC-then-Encrypt, Encrypt-then-MAC
Hybrid Shuffle
Set up symmetric keys with a verifiable shuffle
Use symmetric encryption (with AEnc) for the messages
Similar to TLS or other secure communication
Hybrid Shuffle (Setup)
Parties: Prover (with public key pk1) and Verifier (with public key pk2)
0. Get the public keys of the prover and the verifier: pk1, pk2
1. Share symmetric keys with the prover: Enc1(k11), Enc1(k21), Enc1(k31); the prover now holds {k11, k21, k31}
2. Send onion-encrypted symmetric keys for the verifier: Enc1(Enc2(k12)), Enc1(Enc2(k22)), Enc1(Enc2(k32))
3. The prover verifiably shuffles and decrypts one layer, then sends Enc2(k32), Enc2(k12), Enc2(k22) to the verifier, who now holds {k32, k12, k22}
Hybrid Shuffle (Communication)
State after setup: prover holds {k11, k21, k31}; clients hold {M1, M2, M3}; verifier holds {k32, k12, k22}
1. Send onion-encrypted messages with authenticated encryption: AEnc_k11(AEnc_k12(M1)), AEnc_k21(AEnc_k22(M2)), AEnc_k31(AEnc_k32(M3))
2. Decrypt and shuffle using the permutation from setup: the prover outputs AEnc_k32(M3), AEnc_k12(M1), AEnc_k22(M2), and the verifier decrypts them with its keys to {M3, M1, M2}
Hybrid Shuffle Security
Zero-knowledge?
Verifiable?
Any downsides?
Setup
Each client i uploads one key per server, onion-encrypted to that server:
Enc1(ki1), Enc1(Enc2(ki2)), Enc1(Enc2(Enc3(ki3))) for i ∈ [n]
Server 1 decrypts one layer of each and verifiably shuffles with π1:
{Enc1(ki1)}i∈[n] → {ki1}i∈[n], kept by server 1
{Enc1(Enc2(ki2))}i∈[n] → π1({Enc2(ki2)}i∈[n])
{Enc1(Enc2(Enc3(ki3)))}i∈[n] → π1({Enc2(Enc3(ki3))}i∈[n])
Server 2 decrypts one layer and verifiably shuffles with π2:
π1({ki2}i∈[n]), kept by server 2
π2(π1({Enc3(ki3)}i∈[n]))
Server 3 decrypts the last layer:
π2(π1({ki3}i∈[n])), kept by server 3
After setup: server 1 holds {ki1}i∈[n], server 2 holds π1({ki2}i∈[n]), server 3 holds π2(π1({ki3}i∈[n]))

Upload/Send
Clients upload their messages under the three symmetric keys, with authenticated encryption:
AEnc_k11(AEnc_k12(AEnc_k13(M1))), ..., AEnc_ki1(AEnc_ki2(AEnc_ki3(Mi))), ..., AEnc_kn1(AEnc_kn2(AEnc_kn3(Mn)))
Each server decrypts its layer with the keys from setup and applies the same permutation it used in setup:
{AEnc_ki1(AEnc_ki2(AEnc_ki3(Mi)))}i∈[n]
π1({AEnc_ki2(AEnc_ki3(Mi))}i∈[n])
π2(π1({AEnc_ki3(Mi)}i∈[n]))
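The three-server hybrid shuffle described above, as an added Python example that is not code from the talk or from Riffle: AEnc is a constructed Encrypt-then-MAC scheme (SHA-256 counter keystream under HMAC-SHA256, for illustration only), server j decrypts with the key list it received in setup (already permuted by the earlier servers) and then applies its own πj, and a ciphertext altered between servers fails the next server's tag check. The function names and the permutations are assumptions.

```python
import hashlib, hmac, os

def _keystream(key, nonce, n):
    # Constructed SHA-256 counter-mode keystream (illustration only, not a standard cipher).
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def aenc(key, msg):
    """Encrypt-then-MAC: nonce || (msg xor keystream), then HMAC-SHA256 over that ciphertext."""
    nonce = os.urandom(16)
    ct = nonce + bytes(a ^ b for a, b in zip(msg, _keystream(key, nonce, len(msg))))
    return ct + hmac.new(key, ct, "sha256").digest()

def adec(key, blob):
    """Verify the tag first; only an authentic ciphertext is decrypted."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("authentication failed")
    nonce, body = ct[:16], ct[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

def onion(keys, msg):
    """AEnc_k1(AEnc_k2(AEnc_k3(M))): the last server's layer is innermost."""
    for k in reversed(keys):
        msg = aenc(k, msg)
    return msg

def server_round(slot_keys, perm, blobs):
    """One server strips its layer from every slot, then puts input perm[j] into output slot j."""
    stripped = [adec(k, b) for k, b in zip(slot_keys, blobs)]
    return [stripped[p] for p in perm]

def run_mixnet(messages, client_keys, perms):
    """client_keys[i][j] is k_i(j+1), perms[j] is pi_(j+1); returns pi3(pi2(pi1({Mi})))."""
    blobs = [onion(ks, m) for ks, m in zip(client_keys, messages)]
    order = list(range(len(messages)))  # which client's key sits in each slot
    for j, perm in enumerate(perms):
        slot_keys = [client_keys[i][j] for i in order]  # the permuted key list from setup
        blobs = server_round(slot_keys, perm, blobs)
        order = [order[p] for p in perm]
    return blobs

def tamper_detected(key, blob):
    """Flip one ciphertext byte in a slot; the next server's AEnc check must reject it."""
    bad = blob[:16] + bytes([blob[16] ^ 1]) + blob[17:]
    try:
        adec(key, bad)
    except ValueError:
        return True
    return False
```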
Download/Receive
The last server outputs π3(π2(π1({Mi}i∈[n]))) and sends each message to its receiver: M1, ..., Mi, ..., Mn.
Problems with Download/Receive
No receiver anonymity: the server delivering M sees who receives it
What if you want to privately download?
Broadcast everything! Every client receives the whole of π3(π2(π1({Mi}i∈[n])))
At O(n) bandwidth overhead per client...
Client-server bandwidth is expensive...
Private Information Retrieval
A bit of crypto-magic to hide which message you are downloading
Originally proposed by Chor et al.
Multiple servers with a replicated database
Many schemes exist for different settings
Most single-server schemes are impractical
Private Information Retrieval
[Figure: three servers, each holding a replica of the database M1 M2 M3]
1. Share masks. The client sends one mask per server, m1 = 001, m2 = 101, m3 = 110, chosen so that m1 ⊕ m2 ⊕ m3 = m = 010, the indicator of the wanted message M2.
2. Servers compute their responses. Each XORs the messages its mask selects: r1 = M3, r2 = M1⊕M3, r3 = M1⊕M2.
3. Download the responses and XOR them: r1 ⊕ r2 ⊕ r3 = M3 ⊕ M1⊕M3 ⊕ M1⊕M2 = r = M2.
PIR Bandwidth
m masks (up) + m messages (down), compared to n messages (down) for broadcast:
(mn + m*|message|) vs. (n*|message|), with |message| >> n and n >> m
Private Information Retrieval (reducing the download)
[Figure: the same three servers with replicated database M1 M2 M3]
3b. Share pairwise secrets: the client shares a secret with each server: s1, s2, s3.
4b. Send response + secret to one server: each server blinds its response with its secret (M3⊕s1, M1⊕M3⊕s2, M1⊕M2⊕s3), and the others forward theirs (r1⊕s1, r3⊕s3 in the figure) to the collecting server.
5b. Compute the final response: the collecting server XORs the blinded responses, r = M2⊕s1⊕s2⊕s3.
6b. Send the final response back: the client removes the secrets, r⊕s1⊕s2⊕s3 = M2.
PIR Bandwidth
Client-Server: m masks (up) + m secrets (up) + 1 message (down)
Server-Server: m-1 messages
PIR Optimization
Update the secrets and masks using a PRNG
No need for communication to refresh them
PIR Optimized
1. Update masks: the client and each server advance their shared mask locally, m1' = PRNG(m1), m3' = PRNG(m3)
2. Generate and upload the last mask: the client picks m2' so that m1' ⊕ m2' ⊕ m3' = m = 010 and uploads only m2'
3c. Update pairwise secrets: s1' = PRNG(s1), s2' = PRNG(s2), s3' = PRNG(s3)
4b. Send response + secret to one server: r1⊕s1', r3⊕s3'
5b. Compute the final response: (M3⊕s1') ⊕ (M1⊕M3⊕s2') ⊕ (M1⊕M2⊕s3') = r = M2⊕s1'⊕s2'⊕s3'
6b. Send the final response back: r⊕s1'⊕s2'⊕s3' = M2
PIR Bandwidth
Client-Server
Setup: m masks (up) + m secrets (up)
Download: 1 mask (up) + 1 message (down)
Server-Server
m-1 messages
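The XOR-based PIR walked through above (steps 1-3, the pairwise-secret variant 3b-6b, and the PRNG optimization) as one added Python example that is not code from the talk or from Riffle; it generalizes the three-server, three-message figure to m servers and n messages. The SHA-256 ratchet standing in for the PRNG and the function names are constructed assumptions.

```python
import hashlib, secrets

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def combine(values):
    out = bytes(len(values[0]))
    for v in values:
        out = xor(out, v)
    return out

def complete_masks(n, index, others):
    """The last mask is chosen so that the XOR of all masks is the unit vector selecting `index`."""
    last = [1 if i == index else 0 for i in range(n)]
    for mask in others:
        last = [a ^ b for a, b in zip(last, mask)]
    return list(others) + [last]

def fresh_masks(n, m, index):
    """Step 1: m-1 uniformly random masks plus the completing one, one per server."""
    return complete_masks(n, index, [[secrets.randbelow(2) for _ in range(n)] for _ in range(m - 1)])

def server_response(db, mask):
    """Step 2: r_j = XOR of the replicated messages whose mask bit is set."""
    return combine([msg for msg, bit in zip(db, mask) if bit] or [bytes(len(db[0]))])

def pir_basic(db, masks):
    """Step 3: the client downloads every r_j and XORs them, recovering M_index."""
    return combine([server_response(db, mask) for mask in masks])

def pir_with_secrets(db, masks, server_secrets):
    """Steps 3b-6b: each server blinds r_j with its pairwise secret s_j and forwards it to one server,
    which XORs them into M_index ⊕ s1 ⊕ ... ⊕ sm; the client downloads that one value and strips the secrets."""
    blinded = [xor(server_response(db, mask), s) for mask, s in zip(masks, server_secrets)]
    final = combine(blinded)
    return combine([final] + list(server_secrets))

def ratchet_masks(masks, index):
    """PRNG optimization (steps 1-2): client and servers 1..m-1 advance their masks locally
    (constructed SHA-256 ratchet, n <= 32 here); only the completing last mask is uploaded again."""
    n = len(masks[0])
    advanced = [[b & 1 for b in hashlib.sha256(bytes(mask)).digest()[:n]] for mask in masks[:-1]]
    return complete_masks(n, index, advanced)

def ratchet_secrets(server_secrets):
    """Step 3c: pairwise secrets advance the same way, with no communication."""
    return [hashlib.sha256(s).digest()[:len(s)] for s in server_secrets]
```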
PIR Requirements
Need to know the index of the message
Often done by downloading digests
Riffle
1. Setup hybrid shuffle keys: server 1 holds {ki1}i∈[n], server 2 holds π1({ki2}i∈[n]), server 3 holds π2(π1({ki3}i∈[n]))
2. Upload messages: after the hybrid shuffle every server holds the same shuffled set π3(π2(π1({Mi}i∈[n])))
3a. Download via PIR: each client privately retrieves its own message (Mj, Mj', Mj'' in the figure)
3b. Download via broadcast: every client receives all of π3(π2(π1({Mi}i∈[n])))
Applications

File Sharing
[Figure: clients 1 ... i ... n with requests h1 ... hi ... hn, three servers, steps 1. Request, 2. Upload, 3. Download]
1. Request: clients upload their requests h1, ..., hi, ..., hn; the servers shuffle them and broadcast the shuffled request list (hn ... h1 ... hi) to every client
2. Upload: clients upload the requested data (hi, hn, h1 in the figure); the servers shuffle the uploads
3. Download: each client downloads the data matching its request from the shuffled set
Microblogging
Clients upload M1, ..., Mi, ..., Mn; the servers output π3(π2(π1({Mi}i∈[n]))) and broadcast it to every client
Evaluation
Network Layout: 3 servers (1 Gbps) and a varying number of clients n at (100/(n/3)) Mbps
File Sharing Evaluation: sharing a 300 MB file
Microblogging Evaluation
Conclusion
Trade off latency and anonymity
Anytrust is a powerful threat model
Add verifiability to secure mixnets
Public key crypto => symmetric crypto
Add PIR to protect receivers