Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs.

Posted: 20-Dec-2015

Parallel Mixing

Philippe Golle, PARC

Ari Juels, RSA Labs

Anonymous Channel

Alice   Charlie   Bob

I ♥ Alice

Nobody loves Bob

Is it Bob, Charlie, or self-love?

What are Anonymous Channels Useful for?

They underlie most privacy applications:
– Anonymous elections
– Anonymous email
– Anonymous payments
– Anonymous Web browsing
– Censorship resistant publication

Implementation: Mix Network

[Figure: inputs enter the mix network and leave as outputs]

Mix Network

[Figure: inputs and outputs; the correspondence between them is hidden (???)]

One honest server guarantees privacy

A Look Under the Hood…

Sealing an envelope: public key encryption
– Decryption key is shared among mix servers

Opening an envelope: joint decryption
– Requires cooperation of a quorum of servers

Mixing envelopes: “re-encryption”
– We use a randomized encryption scheme:
» “many” (2^160) different ways to encrypt a message
– Re-encryption: create a new ciphertext that decrypts to the same message
» Message is unchanged
» Ciphertext is unrecognizable
» Re-encryption is a public key operation
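An added example, not from the original slides, of the re-encryption step a mix server performs on a batch. It assumes ElGamal as the randomized scheme (the slides do not name one), uses constructed toy parameters, and lets a single key holder stand in for joint decryption; all function names are illustrative.

```python
import secrets

# Constructed toy group, far too small for real use: P = 2*Q + 1, both prime.
P, Q, G = 2039, 1019, 4        # G generates the order-Q subgroup of squares mod P

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # secret key (one holder here; the
    return x, pow(G, x, P)                    # slides share it among the servers)

def encrypt(y, m):
    r = secrets.randbelow(Q - 1) + 1          # fresh randomness per ciphertext
    return (pow(G, r, P), m * pow(y, r, P) % P)

def reencrypt(y, ct):
    """New ciphertext for the same message, using only the public key y."""
    a, b = ct
    s = secrets.randbelow(Q - 1) + 1          # s != 0, so the ciphertext always changes
    return (a * pow(G, s, P) % P,             # exponentiation 1: g^s
            b * pow(y, s, P) % P)             # exponentiation 2: y^s

def decrypt(x, ct):
    a, b = ct
    return b * pow(a, P - 1 - x, P) % P       # b / a^x, since a^(P-1) = 1 mod P

def mix_batch(y, batch):
    """One server's mixing step: re-encrypt every input, then permute secretly."""
    out = [reencrypt(y, ct) for ct in batch]
    secrets.SystemRandom().shuffle(out)
    return out

if __name__ == "__main__":
    x, y = keygen()
    msgs = [pow(G, i, P) for i in range(1, 6)]   # constructed messages (subgroup elements)
    batch = [encrypt(y, m) for m in msgs]
    mixed = mix_batch(y, batch)
    print("ciphertexts in common:", len(set(batch) & set(mixed)))
    print("same messages:", sorted(decrypt(x, c) for c in mixed) == sorted(msgs))
```

The two `pow` calls in `reencrypt` are the two modular exponentiations per input that dominate the cost of mixing.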

Computational Cost

Cost of mixing:
– Dominated by re-encryption
– Re-encryption: 2 modular exponentiations per input

Assume n inputs and k servers
– Cost per server: O(n)
– Assume sequential mixing
– Total mixing time is O(k.n)

Can we decrease the total mixing time?

Most of the mix servers are idle most of the time
Idea: parallelize the mixing!

k    n          Total time
3    10,000     8 min
3    100,000    70 min

Parallel Mixing (1st Try)

[Figure: inputs split into Batch 1, Batch 2 and Batch 3, shown across Round 1, Round 2 and Round 3, then outputs]

Parallel Mixing (1st Try)

Assume n inputs and k servers
– Divide inputs into k batches of size n/k
– Every server mixes every batch (in parallel)

Computational cost:
– Per server: k.(n/k) = n (as before)
– Total cost: k.n = kn (as before)
– Total mixing time: k.(n/k) = n (instead of kn)

We cut the total mixing time by a factor of k
But: anonymity set is n/k instead of n
– Inputs are mixed within a batch
– There is no mixing between batches

Building Block: Rotation

[Figure: Batch 1, Batch 2 and Batch 3 in Round i and Round i+1]

Rotation: Each server passes its batch on to the next server in round-robin fashion.

Building Block: Distribution

[Figure: Round i and Round i+1]

Distribution: Each server splits its batch and gives one piece to every other server.

Parallel Mixing Protocol

– k’ rounds of mixing & rotation
– One distribution
– k’ rounds of mixing & rotation

Parameters
– n inputs
– k mix servers
– Adversary controls at most k’ servers (e.g. k’=k-1)

Example (k=5, k’=3)

[Figure labels: Rotation, Mixing]

Example (k=5, k’=3)

[Figure labels: Distribution, Mixing]

Example (k=5, k’=3)

[Figure labels: Distribution, Rotation, Mixing]

Parallel Mixing

Protocol
– Divide inputs into k batches of size n/k
– k’ rounds of mixing and rotation (k’<k)
– Distribution
– k’ rounds of mixing and rotation

Computational cost:
– Per server: 2(k’+1)n/k ≤ 2n
– Total cost: 2(k’+1)n ≤ 2kn
– Total mixing time: 2(k’+1)n/k ≤ 2n

Total mixing time divided by k^2/(2(k’+1)) ≥ k/2
Anonymity set of size n
Cost per server is at most doubled
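An added simulation of the batch schedule above, not code from the original slides: a plain shuffle stands in for re-encryption mixing, and the function names are illustrative. It assumes each phase is one mix followed by k’ rotate-and-mix steps (the ordering that gives the stated 2(k’+1)n/k cost per server) and that distribution cuts a batch into k pieces with one kept locally.

```python
import random
from collections import Counter

def parallel_mix(inputs, k, k_prime, rng):
    """Run the batch schedule; a plain shuffle stands in for re-encryption mixing."""
    n = len(inputs)
    if not 0 < k_prime < k or n % (k * k):
        raise ValueError("need 0 < k' < k and n divisible by k^2")
    size, piece = n // k, n // (k * k)
    held = [list(inputs[s * size:(s + 1) * size]) for s in range(k)]  # held[s]: batch at server s
    work = [0] * k                                     # items mixed by each server
    mixers = [[set() for _ in range(k)] for _ in range(2)]  # servers that mixed each batch, per phase

    def phase(ph):
        # Assumed ordering: mix, then k' times (rotate, mix): k'+1 mixes per batch.
        for rnd in range(k_prime + 1):
            if rnd:
                held.insert(0, held.pop())             # rotation: server s hands its batch to s+1
            for s in range(k):
                rng.shuffle(held[s])
                work[s] += len(held[s])
                mixers[ph][(s - rnd) % k].add(s)       # batch that began the phase at server s - rnd

    def distribute():
        # Each server cuts its batch into k pieces, one per server (it keeps one itself).
        held[:] = [[x for s in range(k) for x in held[s][j * piece:(j + 1) * piece]]
                   for j in range(k)]

    phase(0)
    distribute()
    phase(1)
    return held, work, mixers

def origin_counts(batch):
    """How many items of an output batch came from each input batch."""
    return Counter(origin for origin, _ in batch)

if __name__ == "__main__":
    k, k_prime, n = 5, 3, 100                          # k, k' from the slides' example; n constructed
    inputs = [(i // (n // k), i) for i in range(n)]    # constructed sample: (input batch, id)
    out, work, mixers = parallel_mix(inputs, k, k_prime, random.Random(1))
    print("work per server:", work, "vs 2(k'+1)n/k =", 2 * (k_prime + 1) * n // k)
    print("distinct mixers per batch:", {len(m) for ph in mixers for m in ph})
    print("origins in output batch 0:", dict(origin_counts(out[0])))
```

Every batch is mixed by k’+1 distinct servers in each phase, so at least one of them lies outside any set of k’ corrupted servers, and every output batch ends up holding n/k^2 items from each input batch.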

Anonymity Set

Recall that the adversary A may
– Control up to k’ mix servers
– Submit up to a fraction α of the n inputs

Let p0 be an input (not submitted by A). We compute the probability $P_A(p_0, p_1)$ that input p0 became output p1, in the view of A.

Ideally,

$$P_A(p_0, p_1) = \frac{1}{(1-\alpha)\,n}$$

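Anonymity Set

$$P_A(p_0, p_1) = \frac{n/k^2 - |A \cap B|}{\left(n/k - |A \cap B_0|\right)\left(n/k - |A \cap B_1|\right)}$$

[Figure: input p0 in Batch B0 (size n/k) and output p1 in Batch B1 (size n/k), on either side of the distribution step]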

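Anonymity Set

$$P_A(p_0, p_1) = \frac{n/k^2 - |A \cap B|}{\left(n/k - |A \cap B_0|\right)\left(n/k - |A \cap B_1|\right)}$$

Adversary controls no input:

$$P_A(p_0, p_1) = \frac{n/k^2}{(n/k)(n/k)} = \frac{1}{n}$$

Adversary controls a fraction α of the inputs:

$$P_A(p_0, p_1) = \frac{n/k^2 - \alpha n/k^2}{\left(n/k - \alpha n/k\right)\left(n/k - \alpha n/k\right)} = \frac{1}{(1-\alpha)\,n}$$

(assuming uniform distribution…)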

Optimality

Our construction has nearly optimal total mixing time: 2(k’+1)n/k

Proposition: Let A be an adversary who controls k’<k servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least (k’+1)n/k.

Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.

Conclusion

Our protocol reduces total mixing time from O(kn) to O(n)

This is optimal within a factor of 2
– Open problem: exact optimality?

Questions?