Strongly Anonymous Communication

Albert Kwon David Lazar Srini Devadas Bryan Ford

April 18, 2016

Tor

2

(( )3)2

( )3

((( )3)2)1

Fingerprinting Attacks on Tor

Learn particular patterns of communication

E.g., number of incoming/outgoing packets,

total number of packets, burst pattern, etc.

Use machine learning to distinguish websites

Only requires guards nodes!

85+% accuracy in most recent work 3

4

We kill people based on metadata. -General Michael Hayden

“Anytrust“ Threat Model

5

Anytrust: Mixnets

6

((( )3)2)1

((( )3)2)1

((( )3)2)1

(( )2)1

(( )2)1

(( )2)1 ( )1

( )1

( )1

Public key encryption

Anytrust: Mixnets

7

((( )3)2)1

((( )3)2)1

((( )3)2)1

(( )2)1

(( )2)1

(( )2)1 ( )1

( )1

( )1

Fixing Mixnets

8

((( )3)2)1

((( )3)2)1

((( )3)2)1

(( )2)1

(( )2)1

(( )2)1

Verifiable Shuffle

Generates a zero-knowledge proof of shuffle

Pioneered by Neff

Output is a valid permutation of input

Zero-knowledge of the permutation

But not necessarily random

Most common for discrete log based systems 9

Verifiable Shuffle

10

((( )3)2)1

((( )3)2)1

((( )3)2)1

ZKP( , , )

(( )2)1

(( )2)1

(( )2)1

Verifiable Shuffle

11

((( )3)2)1

((( )3)2)1

((( )3)2)1

ZKP( , , )

(( )2)1

(( )2)1

(( )2)1

Verifiable Mixnets

12

... ...

Verifiable Mixnets

13

... ...

1. Upload onion-encrypted messages.

Enc1(Enc2(Enc3(M1)))

Enc1(Enc2(Enc3(Mi)))

Enc1(Enc2(Enc3(Mn)))

Verifiable Mixnets

14

... ...

2. Servers verifiable shuffle and decrypt the messages

{Enc1(Enc2(Enc3(Mi)))}i∈[n]

π1({Enc2(Enc3(Mi))}i∈[n])

π2(π1({Enc3(Mi)}i∈[n])

Verifiable Mixnets

15

... ...

3. Send message to receiver

Mi Mn M1

π3(π2(π1({Mi}i∈[n])))

Verifiable Mixnets

16

... ...

π3(π2(π1({Mi}i∈[n])))

Problems with Verifiable Mixnets

Verifiable shuffle is slow

17

Authenticated Encryption

Confidentiality, Integrity, Authenticity

In practice: symmetric encryption + MAC

Analyzed by Ballare and Namprempre

18

Authenticated Encryption

Confidentiality, Integrity, Authenticity

19

Encrypt-and-MAC

Authenticated Encryption

Confidentiality, Integrity, Authenticity

20

MAC-then-Encrypt

Authenticated Encryption

Confidentiality, Integrity, Authenticity

21

Encrypt-then-MAC

Hybrid Shuffle

Setup symmetric key with verifiable shuffle

Use symmetric encryption (w/ AEnc)

Similar to TLS or other secure communication

22

Hybrid Shuffle (Setup)

23

Prover Verifier

0. Get public keys of prover and verifier

pk1 pk2

Hybrid Shuffle (Setup)

24

Prover Verifier

Enc1(k11) Enc1(k21) Enc1(k31)

{k11,k21,k31}

1. Share symmetric keys with prover

Hybrid Shuffle (Setup)

25

Prover Verifier

{k11,k21,k31}

2. Send onion-encrypted symmetric keys

Enc1(Enc2(k12)) Enc1(Enc2(k22)) Enc1(Enc2(k32))

Hybrid Shuffle (Setup)

26

Prover Verifier

{k11,k21,k31}

3. Verifiably shuffle and decrypt. Send to the verifier

Enc2(k32) Enc2(k12) Enc2(k22)

{k32,k12,k22}

Hybrid Shuffle (Communication)

27

Prover Verifier

{k11,k21,k31}

{M1,M2,M3}

{k32,k12,k22}

Hybrid Shuffle (Communication)

28

Prover Verifier

{k11,k21,k31}

{M1,M2,M3}

{k32,k12,k22}

k32

AEnc (M3)

k12

AEnc (M1)

k22

AEnc (M2)

2. Decrypt and shuffle using the permutation from setup.

{M3,M1,M2}

Hybrid Shuffle (Communication)

29

Prover Verifier

{k11,k21,k31}

{M1,M2,M3}

{k32,k12,k22} AEnc (AEnc (M1)) k11 k12

AEnc (AEnc (M2)) k21 k22

AEnc (AEnc (M3)) k31 k32

1. Send onion-encrypted messages with authenticated enc.

Hybrid Shuffle Security

Zero-knowledge?

Verifiable?

Any downsides?

30

Setup

31

... ...

Enc1(k11) Enc1(Enc2(k12)) Enc1(Enc2(Enc3(k13)))

Enc1(ki1) Enc1(Enc2(ki2))

Enc1(Enc2(Enc3(ki3)))

Enc1(kn1) Enc1(Enc2(kn2))

Enc1(Enc2(Enc3(kn3)))

Setup

32

... ...

{ki1}i∈[n]

π1({Enc2(ki2)}i∈[n])

π1({Enc2(Enc3(ki3))}i∈[n])

π1({ki2}i∈[n])

π2(π1({Enc3(ki3))}i∈[n]))

π2(π1({ki3}i∈[n]))

{Enc1(ki1)}i∈[n]

{Enc1(Enc2(ki2))}i∈[n]

{Enc1(Enc2(Enc3(ki3)))}i∈[n]

Setup

33

... ...

{ki1}i∈[n]

π1({ki2}i∈[n])

π2(π1({ki3}i∈[n]))

Upload/Send

34

... ... AEnc (AEnc (AEnc (M1))) k11 k12 k13

AEnc (AEnc (AEnc (Mi))) ki1 ki2 ki3

AEnc (AEnc (AEnc (Mn))) kn1 kn2 kn3

{ki1}i∈[n] π2(π1({ki3}i∈[n]))

π1({ki2}i∈[n])

Upload

35

... ... {AEnc (AEnc (AEnc (Mi)))}i∈[n] ki1 ki2 ki3

ki3 ki2

π1({AEnc (AEnc (Mi)))}i∈[n])

ki3 π2(π1({AEnc (Mi)}i∈[n]))

{ki1}i∈[n] π2(π1({ki3}i∈[n]))

π1({ki2}i∈[n])

Download/Receive

36

... ... Mi Mn M1

π3(π2(π1({Mi}i∈[n])))

Problems with Download/Receive

No receiver anonymity

37

M

Broadcast

38

... ...

π3(π2(π1({Mi}i∈[n])))

π3(π2(π1({Mi}i∈[n])))

Problems with Download/Receive

No receiver anonymity

What if you want to privately download?

Broadcast everything!

At O(n) bandwidth overhead per client...

Client-Server bandwidth is expensive... 39

Private Information Retrieval

Bit of crypto-magic to hide which message you

are downloading

Originally proposed by Chor et al.

Multiple servers w/ replicated database

Many schemes exists for different settings

Most single server schemes are impractical 40

Private Information Retrieval

41

... ...

m1 = 001

m2 = 101

m3 = 110

M1 M2 M3

M1 M2 M3

M1 M2 M3

1. Share masks.

m1 = 001 m2 = 101 ⊕m3 = 110 m = 010

Private Information Retrieval

42

... ...

M1 M2 M3

M1 M2 M3

M1 M2 M3

r2 = M1⊕M3

r3 = M1⊕M2 r1 = M3

2. Servers compute their resp.

m1 = 001

m2 = 101

m3 = 110

Private Information Retrieval

43

... ...

M1 M2 M3

M1 M2 M3

M1 M2 M3

r2 = M1⊕M3

r3 = M1⊕M2

r1 = M3

3. Download resp.

r1 = M3

r2 = M1⊕M3

⊕ r3 = M1⊕M2

r = M2

PIR Bandwidth

m masks (up) + m messages (down)

Compared to n message (down)

(mn + m*|message|) VS. (n*|message|)

|message| >> n, n >> m

44

Private Information Retrieval

45

... ...

M1 M2 M3

M1 M2 M3

M1 M2 M3

3b. Share pairwise secrets

S1

S2

S3

Private Information Retrieval

46

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

r1⊕s1 r3⊕s3

...

4b. Send resp + secret to one server

Private Information Retrieval

47

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

r1⊕s1 r3⊕s3

...

M3⊕s1

M1⊕M3⊕s2

M1⊕M2⊕s3

r = M2⊕s1⊕s2⊕s3

5b. Compute the final response

Private Information Retrieval

48

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

...

r = M2⊕s1⊕s2⊕s3

r⊕s1⊕s2⊕s3 = M2

6b. Send final resp. back

PIR Bandwidth

Client-Server

m masks (up) + m secrets (up) + 1

message (down)

Server-Server

m-1 messages

49

PIR Optimization

Update the secrets and masks using PRNG

No need for communication

50

PIR Optimized

51

... ... m1’ = PRNG(m1) m3’ = PRNG(m3)

M1 M2 M3

M1 M2 M3

M1 M2 M3

1. Update masks

PIR Optimized

52

... ... m1’ = PRNG(m1)

m2’

m3’ = PRNG(m3)

M1 M2 M3

M1 M2 M3

M1 M2 M3

2. Generate and upload last mask

m1’ m2’ ⊕m3’

m = 010

PIR Optimized

53

... ...

M1 M2 M3

M1 M2 M3

M1 M2 M3

3c. Update pairwise secrets

S1’=PRNG(S1)

S2’=PRNG(S2)

S3’=PRNG(S3)

PIR Optimized

54

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

r1⊕s1’ r3⊕s3

’

...

4b. Send resp + secret to one server

PIR Optimized

55

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

...

M3⊕s1’

M1⊕M3⊕s2’

M1⊕M2⊕s3’

r = M2⊕s1’⊕s2’⊕s3’

5b. Compute the final response

PIR Optimized

56

...

M1 M2 M3

M1 M2 M3

M1 M2 M3

...

r = M2⊕s1’⊕s2’⊕s3’

r⊕s1’⊕s2’⊕s3’ = M2

6b. Send final resp. back

PIR Bandwidth

Client-Server

Setup: m masks (up) + m secrets (up)

Download: 1 mask (up) +1 message (down)

Server-Server

m-1 messages 57

PIR Requirements

Need to know the index of the message

Often done by downloading digests

58

Riffle

59

... ...

1. Setup hybrid shuffle keys

π1({ki2}i∈[n])

π2(π1({ki3}i∈[n])) {ki1}i∈[n]

Riffle

60

... ...

2. Upload messages

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

Riffle

61

... ... Mj

Mj

’ Mj’’

3a. Download (via PIR)

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

Riffle

62

... ...

3b. Download (via broadcast)

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n])))

Applications

63

n i 1 hi hn h1

File Sharing

64

... ...

1. Request 2. Upload 3. Download

n i 1 hi hn h1

File Sharing

65

... ... h1 hi hn

1. Request

n i 1 hi hn h1

File Sharing

66

... ... hn ... h1 ... hi

hn ... h1 ... hi

hn ... h1 ... hi

hn ... h1 ... hi

hn ... h1 ... hi

hn ... h1 ... hi

1. Request

n i 1 hi hn h1

File Sharing

67

... ... hi hn h1

2. Upload

hi hn h1 ... ...

hi hn h1 ... ...

hi hn h1 ... ...

n i 1 hi hn h1

File Sharing

68

... ...

hi hn h1 ... ...

hi hn h1 ... ...

hi hn h1 ... ...

hn ... hi ... h1

hn ... hi ... h1

hn ... hi ... h1

3. Download

n i 1 hi hn h1

File Sharing

69

... ...

hi hn h1 ... ...

hi hn h1 ... ... hi hn h1

... ...

hi hn h1

3. Download

Microblogging

70

... ... M1

Mi Mn

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

Microblogging

71

... ...

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n])))

π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n]))) π3(π2(π1{Mi}i∈[n])))

Evaluation

72

Network Layout

73

(100/(n/3)) Mbps

3 Servers Varying # of clients

1Gbps

File Sharing Evaluation

74

File Sharing Evaluation

75

Sharing 300MB File

Microblogging Evaluation

76

Conclusion

Trade-off latency and anonymity

Anytrust is a powerful threat model

Add verifiability to secure mixnets

Public key crypto => Symmetric crypto

Add PIR to protect receivers 77