Parallel Mixing
description
Transcript of Parallel Mixing
![Page 1: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/1.jpg)
Parallel MixingParallel Mixing
Philippe Golle, PARC
Ari Juels, RSA Labs
![Page 2: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/2.jpg)
Anonymous ChannelAnonymous Channel
Alice CharlieBob
I ♥Alice
Nobodyloves Bob
Is it Bob, Charlie, or self-love?
![Page 3: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/3.jpg)
What are Anonymous Channels What are Anonymous Channels Useful for?Useful for?
They underlie most privacy applications:– Anonymous elections– Anonymous email– Anonymous payments– Anonymous Web browsing– Censorship resistant publication
![Page 4: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/4.jpg)
Implementation: Mix NetworkImplementation: Mix Network
Inputs Outputs
![Page 5: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/5.jpg)
Mix NetworkMix Network
Inputs Outputs
???
One honest server guarantees privacy
?
?
![Page 6: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/6.jpg)
A Look Under the Hood…A Look Under the Hood…
Sealing an envelope: public key encryption– Decryption key is shared among mix servers
Opening an envelope: joint decryption– Requires cooperation of a quorum of servers
Mixing envelopes: “re-encryption”– We use a randomized encryption scheme:
» “many” (2160) different ways to encrypt a message
– Re-encryption: create a new ciphertext that decrypts to the same message
» Message is unchanged
» Ciphertext is unrecognizable
» Re-encryption is a public key operation
![Page 7: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/7.jpg)
Computational CostComputational Cost
Cost of mixing:– Dominated by re-encryption
– Re-encryption: 2 modular exponentiations per input
Assume n inputs and k servers– Cost per server: O(n)– Assume sequential mixing
– Total mixing time is O(k.n)
Can we decrease the total mixing time?
Most of the mix servers are idle most of the time Idea: parallelize the mixing!
k n Total time
3 10,000 8 min
3 100,000 70 min
![Page 8: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/8.jpg)
Batch 1Batch 1
Batch 2
Batch 3
Batch 2
Batch 3
Batch 1Batch 3
Batch 2
Parallel Mixing (1Parallel Mixing (1stst Try) Try)
Inputs Outputs
Batch 1
Batch 2
Batch 3
Round 1 Round 2 Round 3
Batch 3
Batch 1
Batch 2
![Page 9: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/9.jpg)
Parallel Mixing (1Parallel Mixing (1stst Try) Try)
Assume n inputs and k servers– Divide inputs into k batches of size n/k– Every server mixes every batch (in parallel)
Computational cost:– Per server: k. (n/k) = n (as before)– Total cost: k. n = kn (as before)– Total mixing time: k.(n/k) = n (instead of kn)
We cut the total mixing time by a factor of k But: anonymity set is n/k instead of n
– Inputs are mixed within a batch– There is no mixing between batches
![Page 10: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/10.jpg)
Batch 3
Batch 2
Batch 1
Building Block: Rotation Building Block: Rotation
Batch 1
Batch 2
Batch 3
Round i Round i+1
Rotation:Each serverpasses itsbatch on to thenext server in round robinfashion
![Page 11: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/11.jpg)
Building Block: Distribution Building Block: Distribution
Round i Round i+1
Distribution:Each serversplits its batch and gives onepiece to everyother server.
![Page 12: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/12.jpg)
Parallel Mixing ProtocolParallel Mixing Protocol
k’ rounds of mixing & rotation One distribution k’ rounds of mixing & rotation
Parameters– n inputs– k mix servers– Adversary controls at most k’ servers (e.g. k’=k-1)
![Page 13: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/13.jpg)
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
RotationMixing
![Page 14: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/14.jpg)
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
Distribution
Mixing
![Page 15: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/15.jpg)
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
Distribution
RotationMixing
![Page 16: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/16.jpg)
Parallel MixingParallel Mixing
Protocol– Divide inputs into k batches of size n/k– k’ rounds of mixing and rotation (k’<k)– Distribution– k’ rounds of mixing and rotation
Computational cost:– Per server: 2(k’+1)n/k ≤ 2n– Total cost: 2(k’+1)n ≤ 2kn– Total mixing time: 2(k’+1)n/k ≤ 2n
Total mixing time divided by k2/2(k’+1) ≥ k/2 Anonymity set of size n Cost per server is at most doubled
![Page 17: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/17.jpg)
Anonymity SetAnonymity Set
Recall that the adversary A may– Control up to k’ mix servers– Submit up to a fraction α of the n inputs
Let p0 be an input (not submitted by A). We compute the probability
that input p0 became output p1, in the view of A.
Ideally,
),( 10 ppPA
)1(
1),( 10 n
ppPA
![Page 18: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/18.jpg)
Anonymity SetAnonymity Set
|)|/|)(|/(
||/),(
10
102
10 BAknBAkn
BAknppPA
Inputs Outputs
p0
p1
Distribution
n/k n/k
Batch B0 Batch B1
![Page 19: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/19.jpg)
Anonymity SetAnonymity Set
Adversary controls no input:
Adversary controls a fraction α of the inputs:
|)|/|)(|/(
||/),(
10
102
10 BAknBAkn
BAknppPA
nknkn
knppPA
1
)/)(/(
/),(
2
10
)1(
1
)//)(//(
//),(
22
10
nknknknkn
knknppPA
(assuming uniform distribution…)
![Page 20: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/20.jpg)
OptimalityOptimality
Our construction has nearly optimal total mixing time: 2(k’+1)n/k
Proposition: Let A be an adversary who controls k’<k servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least (k’+1)n/k.
Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.
![Page 21: Parallel Mixing](https://reader036.fdocuments.net/reader036/viewer/2022081501/5681458c550346895db273fb/html5/thumbnails/21.jpg)
ConclusionConclusion
Our protocol reduces total mixing time from O(kn) to O(n)
This is optimal within a factor of 2– Open problem: exact optimality?
Questions?