Rendezvous: Private Communication without Synchronization
Saba Eskandarian, Henry Corrigan-Gibbs, Matei Zaharia, Dan Boneh
Our Story
How to Communicate Privately?
Option 1:
End-to-end encrypted messaging apps
E.g. Signal, WhatsApp
Problem: metadata
Option 2:
Anonymizing proxy
E.g. Tor, SecureDrop
Problem: global adversaries
Option 3:
Metadata-hiding communication systems
E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict, Dissent, Herbivore, …
Drawback: Require running in rounds/synchronization
Can we get any metadata-hiding system that does not require running in rounds?
Introducing Rendezvous
First metadata-hiding communication system with no requirement for users to contact server at regular intervals
Journalists can register mailboxes for sources to send messages/documents
Asymptotic improvements:
- client computation costs O(log N)
- communication costs O(log N)
(both previously O(√N))
Practical improvements:
- 4x improvement in server computation time
- 8x improvement in client computation time
- >10x improvement in communication costs
Rendezvous Overview
3 server system, secure against:
- Arbitrarily many corrupt users
- Up to one corrupt server
Supported operations:
- Register mailbox
- (Private) write to mailbox
- Read from mailbox
Servers A/B store DB, handle requests
Auditor filters malformed/malicious requests
Security: can’t tell who the recipient of a message is (unless you are the recipient)
Outline
Introduction/Overview
Hiding metadata without rounds
Handling malicious parties
Evaluation
Tool: Private Writing with Distributed Point Functions
Point function: a function that is zero everywhere, except at one point
Distributed point function: technique for efficiently splitting a point function into two pieces, each a (non-point) function whose XOR is the original point function

| x | f1(x) | f2(x) | f(x) = f1(x) ⊕ f2(x) |
|---|---|---|---|
| 0 | “abc” | “abc” | 0 |
| 1 | “xf$” | “xf$” | 0 |
| 2 | “^tg” | “^tg” | 0 |
| 3 | “!7≈” | “‘2!)” | “Hi!” |
| 4 | “jhV” | “jhV” | 0 |

Key features:
- concise representation
- fast to generate
Distributed Point Functions and their Applications, Niv Gilboa, Yuval Ishai, Eurocrypt’14.
I want to write “Hi!” to address 3
Both DBs start out all zero:

| Addr | Data 1 | Data 2 |
|---|---|---|
| 0 | 0 | 0 |
| 1 | 0 | 0 |
| 2 | 0 | 0 |
| 3 | 0 | 0 |
| 4 | 0 | 0 |

Point function for the write:

| x | f(x) |
|---|---|
| 0 | 0 |
| 1 | 0 |
| 2 | 0 |
| 3 | “Hi!” |
| 4 | 0 |

f is split into f1 and f2, one sent to each DB. Each DB writes its share into every row:

| Addr | Data 1 | Data 2 |
|---|---|---|
| 0 | f1(0) | f2(0) |
| 1 | f1(1) | f2(1) |
| 2 | f1(2) | f2(2) |
| 3 | f1(3) | f2(3) |
| 4 | f1(4) | f2(4) |

Resulting contents:

| Addr | Data 1 | Data 2 |
|---|---|---|
| 0 | “abc” | “abc” |
| 1 | “xf$” | “xf$” |
| 2 | “^tg” | “^tg” |
| 3 | “!7≈” | “‘2!)” |
| 4 | “jhV” | “jhV” |

Data 1 ⊕ Data 2 at address 3: “Hi!”
Private Information Storage, Rafail Ostrovsky, Victor Shoup, STOC’97
Hiding Data
How to prevent curious clients from reading others’ mailboxes?
Encrypt each row with a different key held by the owner of the mailbox
Different key sent to each server

| Addr | Data 1 | Key 1 | Data 2 | Key 2 |
|---|---|---|---|---|
| 0 | “abc” | kNYT1 | “abc” | kNYT2 |
| 1 | “xf$” | kWaPo1 | “xf$” | kWaPo2 |
| 2 | “^tg” | kWSJ1 | “^tg” | kWSJ2 |
| 3 | “!7≈” | kBuzzfeed1 | “‘2!)” | kBuzzfeed2 |
| 4 | “jhV” | kInquirer1 | “jhV” | kInquirer2 |

Hiding Metadata
Construction thus far vulnerable to polling attack:
Attacker reads every row after each write to see which one was changed
Solution: servers non-interactively re-randomize every row after each write
Additional cost is low since they already write to each row
See paper for details
Plausible Deniability
How to protect privacy of whistleblowers if all users are whistleblowers?
Idea: Cooperative web sites embed JS that sends dummy write requests
- Incentives properly aligned for news organizations
- Metadata-hiding means we only need 1 recipient mailbox for dummy writes
- Client-side costs low enough to not affect browsing experience
Conscript your friends into larger anonymity sets with JavaScript, Henry Corrigan-Gibbs, Bryan Ford, WPES’13
Handling Disruptive Users
Any number of users can act maliciously in arbitrary ways
A compromised server can act maliciously to steal information (but must remain online to handle requests)
Two kinds of attacks:
1. Disruptive user writes to others’ mailbox
2. Disruptive user sends malformed DPF to write to many mailboxes
Virtual Addresses
Problem: disruptive user writes to others’ mailboxes
I want to write “hjvkjfykjdvvbk” to Reporter 1
I want to write “oijfncuglekfjojfd” to Reporter 2
...
I want to write “sw08pf9hjpofjo” to Reporter N
Solution: hide mailboxes in exponentially large address space
New problem: too many addresses, bad performance
Solution: virtual addresses

Virtual DB

| Addr | Data |
|---|---|
| 0 | “abc” |
| 1 | “xf$” |
| 2 | “^tg” |
| ... | ... |
| 2^128-2 | “!7≈” |
| 2^128-1 | “jhV” |

Physical DB

| Addr | i | Data |
|---|---|---|
| 0 | 0 | “abc” |
| 1 | 1 | “xf$” |
| 2 | 2 | “^tg” |
| 2^128-2 | 3 | “!7≈” |
| 2^128-1 | 4 | “jhV” |

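
The private-write and virtual-address slides above, as an added example (not code from the talk or from the Rendezvous implementation): a client splits a point function over a 2^128 address space into two short keys, and each server evaluates its key only at the registered mailbox addresses. The slides do not say which DPF construction is used; this sketch assumes the tree-based one of Boyle, Gilboa and Ishai, with a SHAKE-256 PRG, 16-byte rows and hypothetical function and class names, and it leaves out per-row encryption and re-randomization.

```python
import hashlib
import secrets

ADDR_BITS = 128   # virtual address space of 2^128, as on the slides
SEED_LEN = 16     # PRG seed size in bytes (assumption)
ROW_LEN = 16      # fixed mailbox row size in bytes (assumption)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prg(seed: bytes):
    """Expand a seed into ((left seed, left bit), (right seed, right bit))."""
    out = hashlib.shake_256(b"expand" + seed).digest(2 * SEED_LEN + 2)
    left = (out[:SEED_LEN], out[-2] & 1)
    right = (out[SEED_LEN:2 * SEED_LEN], out[-1] & 1)
    return left, right


def convert(seed: bytes) -> bytes:
    """Map a leaf seed to a pseudorandom row-sized value."""
    return hashlib.shake_256(b"output" + seed).digest(ROW_LEN)


def addr_bits(addr: int):
    return [(addr >> (ADDR_BITS - 1 - i)) & 1 for i in range(ADDR_BITS)]


def gen(addr: int, msg: bytes):
    """Client: split the point function (addr -> msg) into two compact keys."""
    if len(msg) != ROW_LEN:
        raise ValueError("message must be exactly ROW_LEN bytes")
    roots = [secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN)]
    s, t, cws = list(roots), [0, 1], []
    for a in addr_bits(addr):
        exp = [prg(s[0]), prg(s[1])]
        lose = 1 - a  # child that leaves the path to addr
        # Correction word: off the path both parties end up with identical
        # state; on the path their control bits stay different.
        s_cw = xor(exp[0][lose][0], exp[1][lose][0])
        t_cw = (exp[0][0][1] ^ exp[1][0][1] ^ a ^ 1,
                exp[0][1][1] ^ exp[1][1][1] ^ a)
        cws.append((s_cw, t_cw))
        for b in (0, 1):
            seed, bit = exp[b][a]
            if t[b]:
                seed, bit = xor(seed, s_cw), bit ^ t_cw[a]
            s[b], t[b] = seed, bit
    final = xor(msg, xor(convert(s[0]), convert(s[1])))
    return (0, roots[0], cws, final), (1, roots[1], cws, final)


def eval_share(key, addr: int) -> bytes:
    """Server: evaluate one key at one address; the result looks random."""
    party, s, cws, final = key
    t = party
    for a, (s_cw, t_cw) in zip(addr_bits(addr), cws):
        seed, bit = prg(s)[a]
        if t:
            seed, bit = xor(seed, s_cw), bit ^ t_cw[a]
        s, t = seed, bit
    out = convert(s)
    return xor(out, final) if t else out


class Server:
    """Stores one physical row per registered virtual address."""

    def __init__(self, registered):
        self.addrs = list(registered)   # physical index i -> virtual address
        self.rows = [bytes(ROW_LEN)] * len(self.addrs)

    def write(self, key):
        # Touch every physical row; never enumerate the 2^128 virtual space.
        self.rows = [xor(row, eval_share(key, va))
                     for row, va in zip(self.rows, self.addrs)]


def combined(server_a, server_b):
    """What a reader holding both servers' rows recovers."""
    return [xor(x, y) for x, y in zip(server_a.rows, server_b.rows)]


if __name__ == "__main__":
    boxes = [secrets.randbits(ADDR_BITS) for _ in range(5)]  # constructed sample
    a, b = Server(boxes), Server(boxes)
    k0, k1 = gen(boxes[3], b"Hi!".ljust(ROW_LEN, b"\0"))
    a.write(k0)
    b.write(k1)
    for i, row in enumerate(combined(a, b)):
        print(i, row.rstrip(b"\0"))
```

Each key holds one correction word per address bit, so its size grows with log of the address space rather than with the number of mailboxes. A write aimed at an address nobody registered changes every stored row on each server yet leaves the XOR of the two databases untouched.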
Auditing
Problem: disruptive user sends malformed DPF to write to many mailboxes

Well-formed DPF:

| x | f1(x) | f2(x) | f(x) = f1(x) ⊕ f2(x) |
|---|---|---|---|
| 0 | “abc” | “abc” | 0 |
| 1 | “xf$” | “xf$” | 0 |
| ... | ... | ... | ... |
| 2^128-2 | “!7≈” | “‘2!)” | “Hi!” |
| 2^128-1 | “jhV” | “jhV” | 0 |

Malformed DPF:

| x | f(x) |
|---|---|
| 0 | 989f4 |
| 1 | dDf73 |
| ... | ... |
| 2^128-2 | 08dji3 |
| 2^128-1 | 89hfif |

Solution: third server audits all incoming write requests
New auditing protocol:
- O(log N) communication
- O(log N) client/auditor computation
- Prior work: all O(√N)
Riposte: An Anonymous Messaging System Handling Millions of Users, Henry Corrigan-Gibbs, Dan Boneh, David Mazieres, Oakland’15.
Our problem: proving DPF write only modifies one entry in DB

| x | f1(x) | f2(x) |
|---|---|---|
| 0 | “abc” | “abc” |
| 1 | “xf$” | “xf$” |
| 2 | “^tg” | “^tg” |
| 3 | “!7≈” | “‘2!)” |
| 4 | “jhV” | “jhV” |

More general problem: proving two vectors differ at one point
Idea: Recursively prove that one half is zero
If there is more than one nonzero entry, the proof will fail on at least one level of recursion
Auditing
How to prove a vector is all zeros?
Interpret each DPF output as an element in a prime-order field
Multiply each element by a random value and sum
Servers do this separately on their shares of the vector and send to auditor
Server doesn’t know which half is zero, sends sums for both sides
See paper for details on handling malicious servers
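An added sketch of the two auditing slides above (the recursive zero-half check and the random-weighted sum), not code from the paper or its authors. Assumptions: it skips the DPF and additively shares the vector directly, the servers are honest and share fresh weights per level, and the auditor combines both servers' sums itself, so in this sketch the auditor sees which half vanished; the modulus and all function names are illustrative.

```python
import secrets

P = 2**61 - 1  # prime field modulus (assumed; the slides name no specific field)

def share(vec):
    """Split vec into two additive shares over GF(P); each share alone looks random."""
    a = [secrets.randbelow(P) for _ in vec]
    b = [(v - x) % P for v, x in zip(vec, a)]
    return a, b

def half_sums(sh, lo, hi, r):
    """One server's message for the range [lo, hi): random-weighted sums of the
    left and right halves of its own share. It cannot tell which half is zero,
    so it reports both."""
    mid = (lo + hi) // 2
    left = sum(r[i] * sh[i] for i in range(lo, mid)) % P
    right = sum(r[i] * sh[i] for i in range(mid, hi)) % P
    return left, right

def audit(sh_a, sh_b):
    """Accept iff the shared vector has at most one nonzero entry (up to a
    roughly 1/P chance that several nonzero entries cancel in a weighted sum)."""
    lo, hi = 0, len(sh_a)
    while hi - lo > 1:
        # Fresh nonzero weights per level, known to both servers (assumed shared).
        r = [secrets.randbelow(P - 1) + 1 for _ in sh_a]
        la, ra = half_sums(sh_a, lo, hi, r)   # server A's two sums
        lb, rb = half_sums(sh_b, lo, hi, r)   # server B's two sums
        mid = (lo + hi) // 2
        if (ra + rb) % P == 0:      # right half combines to zero: recurse left
            hi = mid
        elif (la + lb) % P == 0:    # left half combines to zero: recurse right
            lo = mid
        else:                       # nonzero entries on both sides: reject
            return False
    return True

if __name__ == "__main__":
    # Constructed sample writes: one well-formed (single entry), one malformed.
    print(audit(*share([0, 0, 0, 0, 0, 42, 0, 0])))
    print(audit(*share([0, 7, 0, 0, 0, 0, 9, 0])))
```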
![Page 65: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/65.jpg)
Evaluation
![Page 66: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/66.jpg)
Evaluation
Auditing Microbenchmarks
Under 10 microseconds for 1m mailboxes (compare to 159, 98 microseconds)
Enables 8x improvement in client computation time
Riposte: An Anonymous Messaging System Handling Millions of Users, Henry Corrigan-Gibbs, Dan Boneh, David Mazieres, Oakland’15.
![Page 67: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/67.jpg)
Evaluation
Client Costs
Asymptotically O(log N) in number of mailboxes
In practice, almost independent
Less than 1ms increase from 100 to 1m
JS code size: 71KB
Less than 2% of major news sites’ sizes
(Sending 1KB messages)
![Page 68: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/68.jpg)
Evaluation
Communication Costs
For 2^14 mailboxes: 10x improvement
For 2^20 mailboxes: 100x improvement (client/server), 50x improvement (auditor)
Riposte: An Anonymous Messaging System Handling Millions of Users, Henry Corrigan-Gibbs, Dan Boneh, David Mazieres, Oakland’15.
Unobservable Communication over Fully Untrusted Infrastructure, Sebastian Angel, Srinath Setty, OSDI’16.
(Sending 160B messages)
![Page 69: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/69.jpg)
Rendezvous
First metadata-hiding communication system with no synchronization requirement
Asymptotic speedup from O(√N) to O(log N)
Practical speedup up to 4x on server, 8x on client
10x or more reduction in communication costs
See paper for application to metadata-hiding web browsing
Contact: [email protected]
Paper and code to be posted soon
![Page 70: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/70.jpg)
Bonus Slide(s)!
![Page 71: Rendezvous: Private Communication without Synchronizationsaba/slides/Express_BACrypto.pdf · E.g. Riposte, Pung, Vuvuzela, Talek, Alpenhorn, Stadium, Karaoke, Atom, XRD, Verdict,](https://reader030.fdocuments.net/reader030/viewer/2022041223/5e0d8344b5b679624b4882bf/html5/thumbnails/71.jpg)
Evaluation
Comparison to Riposte
Up to 4x gap when number of mailboxes is around 10,000
Always higher throughput regardless of number of mailboxes
Performance becomes similar as both systems become compute-bound on server side
(Sending 1KB messages)
Riposte: An Anonymous Messaging System Handling Millions of Users, Henry Corrigan-Gibbs, Dan Boneh, David Mazieres, Oakland’15.