MCMix: Anonymous Messaging via Secure Multiparty Computation


Nikolaos Alexopoulos (1), Aggelos Kiayias (2), Riivo Talviste (3), and Thomas Zacharias (2)
(1) Technische Universität Darmstadt; (2) School of Informatics, University of Edinburgh, UK; (3) Cybernetica AS, Estonia
{alexopoulos@tk.tu-darmstadt.de, akiayias@inf.ed.ac.uk, riivo@cyber.ee, tzachari@inf.ed.ac.uk}

Abstract

We present MCMix, an anonymous messaging system that completely hides communication metadata and can scale in the order of hundreds of thousands of users. Our approach is to isolate two suitable functionalities, called dialing and conversation, that when used in succession realize anonymous messaging. With this as a starting point, we apply secure multiparty computation (MC or MPC) and proceed to realize them. We present an implementation using a prevalent MPC system (Sharemind) that is competitive in terms of latency with previous messaging systems that only offer much weaker privacy guarantees. Our solution can be instantiated in a variety of different ways with different MPC implementations, overall illustrating how MPC is a viable and competitive alternative to mix-nets and DC-nets for anonymous communication.

1 Introduction

In an era in which privacy in communications is becoming increasingly important, it is often the case that two parties want to communicate anonymously, that is, to exchange messages while hiding the very fact that they are in conversation. A major problem in this setting is hiding the communication metadata: while existing cryptographic techniques (e.g., secure point-to-point channels implemented with TLS) are sufficiently well developed to hide the communication content, they are not intended for hiding the metadata of the communication such as its length, its directionality, and the identities of the communicating end points. Metadata are particularly important, arguably sometimes as important to protect as the communication content itself.
The importance of metadata is reflected in General Michael Hayden's quote "We kill people based on metadata" [1] and in the persistence of security agencies with programs like PRISM (by the NSA) and TEMPORA (by the GCHQ) in collecting metadata for storage and mining. Anonymous communication has been pioneered in the work of Chaum, with mix-nets [Cha81] and DC-nets [Cha88] providing the first solutions to the problem of sender-anonymous communication. In particular, a mix-net enables the delivery of a set of messages from n senders to a recipient so that the recipient is incapable of mapping outgoing messages to their respective senders. A DC-net, on the other hand, allows n parties to implement an anonymous broadcast channel so that any one of them can use it to broadcast a message to the set of parties without any participant being able to distinguish the source. While initially posed as theoretical constructs, these works have evolved to actual systems that have been implemented and tested, for instance in the case of Mixminion [DDM03], that applies the mix-net concept to e-mail, in the case of Vuvuzela [VDHLZZ15], that applies the mix-net concept to messaging, and in the case of Dissent [WCGFJ12], that implements DC-nets in a client-server model. It is important to emphasize that the adversarial setting we wish to protect against is a model where the adversary has a global view of the network, akin, say, to what a global eavesdropper would have if they were passively observing the Internet backbone, rather than a localized view that a specific server or sub-network may have. Furthermore, the adversary may manipulate messages as they are transmitted and received from users as well as block users adaptively. Note that in a more localized adversary setting one may apply concepts like Onion routing [SGR97], e.g., as implemented in the Tor system [DMS04], or Freenet [CSWH01] to obtain a reasonable level of anonymity with very low latency. Unfortunately such systems are susceptible to traffic analysis, see e.g., [JWJ+13], and, in principle, they cannot withstand a global adversary. Given the complexity of the anonymous communication problem in general, we focus our application objective on the important special case of anonymous messaging, i.e., bidirectional communication with both sender and receiver anonymity against a third party, that requires moderately low latency and has relatively small payloads (akin to SMS text messaging). The question we ask is whether it is possible to achieve it with simulation-based security [2] while scaling to hundreds of thousands of users.

[1] Complete quote: "We kill people based on metadata. But that's not what we do with this metadata." General M. Hayden. The Johns Hopkins Foreign Affairs Symposium. 1/4/
In particular, we consider two types of entities in our problem specification, clients and servers, and we ask how it is possible for the servers to assist the clients that are online to communicate privately without leaking any type of metadata to a global adversary, apart from the fact that they are using the system. Furthermore, we seek a decentralized solution, specifically one where no single entity in the system can break the privacy of the clients even if it is compromised. We allow the adversary to completely control the network as well as a subset of the servers and to adaptively drop clients' messages or manipulate them as it wishes.

Our Contributions. We present MCMix, the first anonymous messaging service that offers simulation-based security, under a well specified set of assumptions, and can scale to hundreds of thousands of users. In our solution, we adopt a different strategy compared to previous approaches to anonymous communication. Specifically, we provide a way to cast the problem of anonymous messaging natively in the setting of secure multiparty computation (MPC). MPC, since its initial inception [GMW87], is known to be able to distribute and compute securely any function; nevertheless, it is typically considered to be not particularly efficient for a large number of parties and thus inconsistent with problems like anonymous messaging. However, the commodity-based approach for MPC [Bea97] (client-server model), and more recent implementation efforts such as Fairplay [BDNP08], VIFF [DGKN09], Sharemind [Bog13], PICCO [ZSB13], ObliVM [LWN+15], Araki et al. [AFL+16] and [FLNW17] increasingly suggest otherwise. We first propose two ideal functionalities that correspond to the dialing operation and the conversation operation. The MCMix system proceeds in rounds, where in each round an invocation of either the dialing or the conversation ideal functionality is performed.
The dialing functionality enables clients to either choose to dial another client or check whether anyone is trying to dial them (in practice, in most dialing rounds the overwhelming majority of clients will be in dial-checking mode). If a matching pair is determined by the ideal functionality, then the caller will be notified that the other client has accepted their call and the callee will be notified about the caller. Moreover, the ideal functionality will deliver to both clients a random tag that can be thought of as the equivalent of a dead drop or rendezvous point. Subsequently, the clients can access the conversation functionality using the established random tag. When two clients use the same random tag in the conversation functionality, their messages are swapped and thus they can send messages to each other (even concurrently). The two ideal functionalities provide a useful abstraction of the anonymous messaging problem. We proceed now to describe how they can be implemented by an MPC system. It is easy to see that a straightforward implementation of the functionality programs results in a circuit of size $\Theta(n^2)$, where n is the number of online users accessing the functionalities. Such a solution would clearly not be scalable. We provide more efficient implementations that achieve $O(n \log n)$ complexity in both cases with very efficient constants using state-of-the-art oblivious sorting algorithms [HKI+12, BLT14]. Given our high level functionality realizations, we proceed to an explicit implementation in the Sharemind system [Bog13] using its SecreC programming language [BLR14]. We provide benchmarks for the Dialing and Conversation solutions. The Sharemind platform provides a 3-server implementation of information-theoretically secure MPC. Our results showcase that our system can handle hundreds of thousands of users with a reasonable latency (a little over a minute) that is consistent with messaging. In order to provide theoretical evidence of further improving performance and scaling to even larger anonymity sets, we provide a parallelized version of the conversation functionality.

[2] We use this term to refer to a level of metadata hiding that ensures, in a simulation-based sense, that no information is leaked to an adversary. This is distinguished from weaker levels of privacy, such as e.g., a differential privacy setting where some controlled but non-trivial amount of information is leaked to the adversary.
Parallelization is a non-trivial problem in our setting since we would like to maintain anonymity across the whole user set; thus, a simplistic approach that breaks users into chunks solving dialing and conversation independently will isolate them to smaller communication "islands"; if two users have to be on the same island in order to communicate, this will lead to privacy loss that is non-simulatable and that we would like to avoid. Our parallelized solution manages the interaction between islands in a way that maintains strong privacy guarantees, at the cost of a correctness error that can become arbitrarily small. In this way, by utilizing a large number of servers, we provide evidence that the system can scale up to anonymity sets of up to half a million users.

To sum up, our contributions can be expressed by the following points:
1. A model for simulation-based anonymous messaging.
2. A realization of this model with a set of programs that are provably secure and expressed in a way so that they can be implemented in any MPC platform.
3. An implementation of our programs in Sharemind that can accommodate anonymity sets of hundreds of thousands of users.
4. A novel parallelization technique that allows our system to scale, in theory, even beyond the order of hundreds of thousands of users.

Organization. After shortly presenting some preliminary topics in Section 2, we formalize the concept of anonymous messaging via an ideal MPC functionality and introduce the Dialing and Conversation programs in an abstract form that together solve the sender and receiver anonymous messaging problem (cf. Section 3). In Section 4, we present the general architecture of MCMix and in Sections 5 and 6, we propose a way to realize the Dialing and Conversation programs using MPC. Then, in Section 7, we give more details regarding how the MCMix system implements anonymous messaging in a provably secure and privacy-preserving way.
In Section 8, we present the results of benchmarking our prototype and in Section 9, we account for the client-side load of our system. In Section 11, we introduce a novel way to parallelize our conversation protocol in order to achieve even better scalability. Finally, in Section 10, we provide an overview of noticeable anonymous communication systems and, when applicable, we compare their performance and security level to MCMix. Our concluding remarks are in Section 12.

2 Background

2.1 Secure Multiparty Computation and the Sharemind framework

Secure Multiparty Computation (MPC) is an area of cryptography concerned with methods and protocols that enable a set of users $U = \{u_1, \ldots, u_n\}$ with private data $d_1, \ldots, d_n$ from a domain set D to compute the result of a public function $f(d_1, \ldots, d_n)$ in a range set Y, without revealing their private inputs. For clarity, we assume that D consists only of actual messages, but f also accepts $\bot$ as input, which denotes abstain behavior.

Sharemind. Sharemind [Bog13] is an MPC framework that offers a higher level representation of the circuit being computed in the form of a program written in a C-like language, namely the SecreC language [BLR14]. It uses three-server protocols that offer security in the presence of an honest server majority. That is, we assume that no two servers will collude in order to break the system's privacy. Our implementation is designed over the Sharemind system, but the general approach that we introduce for anonymous messaging can also be deployed over other MPC protocols. The security of Sharemind has been analyzed in several settings including semi-honest and active attacks (e.g., [Bog13, PL15]).

2.2 Oblivious sorting

Sorting is used as a vital part of many algorithms. In the context of secure multiparty computation, sorting an array of values without revealing their final position is called oblivious sorting. The first approach to sorting obliviously is using a data-independent algorithm and performing each compare-and-exchange execution obliviously. This approach uses sorting networks to perform oblivious sorting. Sorting networks are circuits that solve the sorting problem on any set with an order relation. What sets sorting networks apart from general comparison sorts is that their sequence of comparisons is set in advance, regardless of the outcome of previous comparisons. Various algorithms exist to construct simple and efficient networks of depth $O(\log^2 n)$ and size $O(n \log^2 n)$.
The three most used ones are Batcher's odd-even mergesort and bitonic sort [Bat68] and Shellsort [She59]. All three of these networks are simple in principle and efficient. Sorting networks that achieve the theoretically optimal $O(\log n)$ depth and $O(n \log n)$ total number of comparisons, such as the AKS network [AKS83], exist, but the constants involved are so large that they make them impractical for use. Note that even for 1 billion values, i.e., $n = 10^9$, it holds that $\log n < 30$, so, in practice, the extra log factor is preferable to the large constants. A major drawback of all sorting network approaches is that sorting a matrix by one of its columns would require oblivious exchange operations of complete matrix rows, which would be very expensive. In recent years, techniques have been proposed by Hamada et al. [HKI+12] to use well known data-dependent algorithms such as quicksort in an oblivious manner to achieve very efficient implementations, especially when considering a small number of MPC servers, which is very often the case. This approach uses the "shuffling before sorting" idea, which means that if a vector has already been randomly permuted, information leaked about the outcome of comparisons does not leak information about the initial and final position of any element of the vector. More specifically, the variant of quicksort proposed in [HKI+12] needs on average $O(\log n)$ rounds and a total of $O(n \log n)$ oblivious comparisons. Complete privacy is guaranteed when the input vector contains no equal sorting keys; in the case of equal keys, their number leaks. Furthermore, the performance of the algorithm is data-dependent and generally depends on the number of equal elements, with the optimal case being that no equal pairs exist. Practical results have shown [BLT14] that this quicksort variant is the most efficient oblivious sorting algorithm available when the input keys are constructed in a way that makes them unique.
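To make the two properties discussed above concrete, the following added example (written for this edit, not code from the paper or from Sharemind) builds Batcher's bitonic sorting network as a fixed comparator list, applies it, and attaches each element's index to its key so that all sorting keys are unique, which is the [BLT14] trick referred to above. The comparator list depends only on n, never on the data, which is exactly what an MPC engine needs in order to run every compare-and-exchange obliviously on secret-shared values; here the compare-and-exchange is performed in the clear. The functions `bitonic_network`, `apply_network`, `unique_keys` and `oblivious_sort`, and the padding with sentinel values, are this example's own constructions.

```python
def bitonic_network(n):
    """Batcher's bitonic sorting network for n = 2^k inputs, returned as a fixed
    list of comparators (lo, hi): after applying one, values[lo] <= values[hi].
    The list is a function of n alone, so the sequence of comparisons is set in
    advance regardless of the outcome of earlier comparisons."""
    assert n > 0 and n & (n - 1) == 0, "n must be a power of two"
    network = []
    k = 2
    while k <= n:
        j = k // 2
        while j >= 1:
            for i in range(n):
                partner = i ^ j
                if partner > i:
                    # ascending block if bit k of i is clear, descending otherwise
                    if i & k == 0:
                        network.append((i, partner))
                    else:
                        network.append((partner, i))
            j //= 2
        k *= 2
    return network


def compare_exchange(values, lo, hi):
    """The single primitive an oblivious implementation must hide: in MPC this is
    a secret-shared comparison followed by a secret-shared conditional swap."""
    if values[lo] > values[hi]:
        values[lo], values[hi] = values[hi], values[lo]


def apply_network(values, network):
    out = list(values)
    for lo, hi in network:
        compare_exchange(out, lo, hi)
    return out


def comparator_count(n):
    """Closed form for the bitonic network size: (n/4) * log2(n) * (log2(n) + 1)."""
    log_n = n.bit_length() - 1
    return n * log_n * (log_n + 1) // 4


def unique_keys(keys):
    """Attach each element's index so that all sorting keys are distinct; sorting
    the (key, index) pairs is then stable and leaks nothing about equal keys."""
    return [(key, idx) for idx, key in enumerate(keys)]


def oblivious_sort(keys):
    """Sort with a data-independent network over unique (key, index) pairs and
    return both the sorted keys and the original positions (the permutation)."""
    n = 1
    while n < len(keys):
        n *= 2
    # pad to a power of two with sentinels that sort last (constructed choice)
    padded = unique_keys(keys) + [(float("inf"), len(keys) + i) for i in range(n - len(keys))]
    sorted_pairs = apply_network(padded, bitonic_network(n))[:len(keys)]
    return [k for k, _ in sorted_pairs], [i for _, i in sorted_pairs]
```

The comparator count grows as $n \log^2 n$, matching the size bound quoted above: for n = 8 the network has 24 comparators and for n = 16 it has 80. Because `oblivious_sort` sorts pairs, two equal keys are ordered by their original index, so the permutation it returns is the same for every input with the same key order.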
In our algorithms we use the Quicksort algorithm together with a secret-shared index vector as described in [BLT14]. This way, each sortable element becomes a unique value-index pair, providing us with the optimal Quicksort performance and complete privacy. It also has the added benefit of making the sorting algorithm stable.

2.3 Identity-Based Key Agreement Protocols

Like in [LZ16], we make use of identity-based cryptography [Sha84] to circumvent the need for a Public Key Infrastructure (PKI), here, for the computation of the dead drops [3]. In identity-based cryptography, a Key Generation Center (KGC), using a master secret key, generates the users' secret keys, while the users' public keys are a deterministic function of their identity. In an identity-based key agreement (ID-KA) protocol (e.g. [Gün89, SKO00, Sma01, CK03, YL05, FG10, Wan13]), after receiving their secret keys, the users can mutually agree on shared keys given their secret keys and the other user's identity. In our setting, we will apply ID-KA for the computation of the dead drops, where now the users compute their secret keys by combining partial secret keys issued by the MPC servers. Therefore, we adjust ID-KA to a multiple KGC setting where each MPC server plays the role of a KGC. In general, we can manage distributed key generation in a fault tolerant manner using threshold secret-sharing techniques. However, since our threat model considers a passive (semi-honest) adversary, we consider an m-out-of-m instantiation, keeping the protocol description simple. In particular, we naturally extend a pairing-based single KGC ID-KA protocol to a setting with m KGCs denoted by $\mathrm{KGC}_1, \ldots, \mathrm{KGC}_m$. A cryptographic pairing $e : G_1 \times G_2 \to G_T$, where $G_1, G_2, G_T$ are multiplicative cyclic groups of prime order q, is an efficiently computable function such that for every pair of generators $g_1 \in G_1$, $g_2 \in G_2$ and every pair of exponents $x, y \in \mathbb{Z}_q$ it holds that:
1. $e(g_1^x, g_2^y) = e(g_1, g_2)^{xy}$ (bilinearity).
2. $e(g_1, g_2)^{xy}$ is a generator of $G_T$ (non-degeneracy).
The pairing e is called symmetric if $G_1 = G_2 = G$, and asymmetric otherwise.
We provide two secure constructions of a multiple KGC ID-KA protocol. The second construction additionally achieves forward secrecy, i.e., if the users' secret keys are compromised then past session keys are not leaked.

Construction 1: Multiple KGC ID-KA. We build upon the SOK ID-KA protocol introduced in [SKO00] and proven secure in [PS09]. Our multiple KGC ID-KA protocol consists of the following algorithms:

Setup: On common input $1^\lambda$, where λ is the security parameter, $\mathrm{KGC}_1, \ldots, \mathrm{KGC}_m$ agree on a symmetric cryptographic pairing e with parameters $(e, G, G_T, q, g)$, where g is a generator of G, and two cryptographic hash functions $H_1 : \{0,1\}^* \to G$ and $H_2 : \{0,1\}^* \to \{0,1\}^\lambda$. Next, each $\mathrm{KGC}_j$, $j \in [m]$, randomly chooses a partial master secret key $\mathit{msk}_j = x_j \xleftarrow{\$} \mathbb{Z}_q$ and publishes its partial public key $\mathit{mpk}_j = g^{x_j}$; these are combined in the protocol's public key $\mathit{pk} := \prod_{j \in [m]} \mathit{pk}_j$. The public parameters of the protocol are $\mathit{params} := (e, G, G_T, q, g, H_1, H_2, \mathit{pk})$.

Secret Key Derivation: For every user $u_i$ with identity $\mathrm{ID}_i$, each $\mathrm{KGC}_j$, $j \in [m]$, on input $\mathit{msk}_j$ generates the partial secret key $\mathit{sk}_{i,j} := H_1(\mathrm{ID}_i)^{x_j}$ and sends it to $u_i$. Upon receiving $\mathit{sk}_{i,1}, \ldots, \mathit{sk}_{i,m}$, the user $u_i$ obtains its secret key $\mathit{sk}_i$ by setting $\mathit{sk}_i := \prod_{j \in [m]} \mathit{sk}_{i,j} = H_1(\mathrm{ID}_i)^{\sum_{j \in [m]} x_j}$.

Key Agreement: Using their secret keys $\mathit{sk}_a, \mathit{sk}_b$, two users $u_a, u_b$ agree on a key value K as follows:
- $u_a$ computes the value $K_{a,b} = e(\mathit{sk}_a, H_1(\mathrm{ID}_b))$.
- $u_b$ computes the value $K_{b,a} = e(\mathit{sk}_b, H_1(\mathrm{ID}_a))$.
- $u_a$ and $u_b$ agree on the key $K = H_2(K_{a,b}) = H_2(K_{b,a})$.

The correctness of the protocol follows from the bilinearity property of e as shown below:
$$K_{a,b} = e(\mathit{sk}_a, H_1(\mathrm{ID}_b)) = e\big(H_1(\mathrm{ID}_a)^{\sum_{j \in [m]} x_j}, H_1(\mathrm{ID}_b)\big) = e\big(H_1(\mathrm{ID}_a), H_1(\mathrm{ID}_b)\big)^{\sum_{j \in [m]} x_j} = e\big(H_1(\mathrm{ID}_b), H_1(\mathrm{ID}_a)\big)^{\sum_{j \in [m]} x_j} = e\big(H_1(\mathrm{ID}_b)^{\sum_{j \in [m]} x_j}, H_1(\mathrm{ID}_a)\big) = e(\mathit{sk}_b, H_1(\mathrm{ID}_a)) = K_{b,a}.$$

The security of the original single KGC SOK ID-KA protocol proven in [PS09], which is the special case of the multiple KGC protocol described above for m = 1, holds under the assumptions that $H_1$ and $H_2$ are modeled as random oracles and that the computational bilinear Diffie-Hellman problem (CBDH) is hard for the group G of pairing e. Briefly, the CBDH hardness assumption for G states that for a randomly chosen triple of exponents $x, y, z \in \mathbb{Z}_q$ and on input $(g^x, g^y, g^z)$ it is hard to compute the value $e(g, g)^{xyz}$. Given the security of the original ID-KA protocol for m = 1, it is straightforward that the multiple KGC ID-KA protocol described above is secure against any polynomially bounded semi-honest adversary that corrupts all but one of the m KGCs.

Construction 2: Multiple KGC ID-KA with forward secrecy. We build upon the pairing-based ID-KA protocol introduced in [Sma01], as modified in [CK03], that achieves security and forward secrecy as proven in [CCS07]. Our multiple KGC ID-KA protocol with forward secrecy consists of the following algorithms:

Setup: On common input $1^\lambda$, $\mathrm{KGC}_1, \ldots, \mathrm{KGC}_m$ agree on an asymmetric cryptographic pairing e with parameters $(e, G_1, G_2, G_T, q, g_1, g_2)$ and two cryptographic hash functions $H_1 : \{0,1\}^* \to G_1$ and $H_2 : \{0,1\}^* \times \{0,1\}^* \times G_2 \times G_2 \times G_T \to \{0,1\}^\kappa$. Next, each $\mathrm{KGC}_j$, $j \in [m]$, randomly chooses a partial master secret key $\mathit{msk}_j = x_j \xleftarrow{\$} \mathbb{Z}_q$ and publishes its partial public key $\mathit{mpk}_j = g_2^{x_j}$; these are combined in the protocol's public key $\mathit{pk} := \prod_{j \in [m]} \mathit{pk}_j$.

[3] If a preexisting PKI has already resolved the issue of users' public key distribution, then we can turn to the easier solution of classic Diffie-Hellman key exchange for dead drop computation (cf. Remark 6).
The public parameters of the protocol are $\mathit{params} := (e, G_1, G_2, G_T, q, g_1, g_2, H_1, H_2, \mathit{pk})$.

Secret Key Derivation: For every user $u_i$ with identity $\mathrm{ID}_i$, each $\mathrm{KGC}_j$, $j \in [m]$, on input $\mathit{msk}_j$ generates the partial secret key $\mathit{sk}_{i,j} := H_1(\mathrm{ID}_i)^{x_j}$ and sends it to $u_i$. Upon receiving $\mathit{sk}_{i,1}, \ldots, \mathit{sk}_{i,m}$, the user $u_i$ obtains its secret key $\mathit{sk}_i$ by setting $\mathit{sk}_i := \prod_{j \in [m]} \mathit{sk}_{i,j} = H_1(\mathrm{ID}_i)^{\sum_{j \in [m]} x_j}$.

Key Agreement: Using their secret keys $\mathit{sk}_a := (s_a, r_a)$, $\mathit{sk}_b := (s_b, r_b)$, two users $u_a, u_b$ agree on a key value $K_{a,b} = K_{b,a}$ as follows:
- $u_a$ picks a random value $t_a \xleftarrow{\$} \mathbb{Z}_q$ and sends $g_2^{t_a}$ to $u_b$;
- $u_b$ picks a random value $t_b \xleftarrow{\$} \mathbb{Z}_q$ and sends $g_2^{t_b}$ to $u_a$;
- $u_a$ computes the values $K_{a,1} = e\big(H_1(\mathrm{ID}_b)^{t_a}, \mathit{pk}\big) \cdot e\big(\mathit{sk}_a, g_2^{t_b}\big)$ and $K_{a,2} = (g_2^{t_b})^{t_a}$;
- $u_b$ computes the values $K_{b,1} = e\big(H_1(\mathrm{ID}_a)^{t_b}, \mathit{pk}\big) \cdot e\big(\mathit{sk}_b, g_2^{t_a}\big)$ and $K_{b,2} = (g_2^{t_a})^{t_b}$;
- $u_a$ and $u_b$ agree on the key
$$K_{a,b} := H_2\big(\mathrm{ID}_a, \mathrm{ID}_b, g_2^{t_a}, g_2^{t_b}, K_{a,2}, K_{a,1}\big) = H_2\big(\mathrm{ID}_a, \mathrm{ID}_b, g_2^{t_a}, g_2^{t_b}, K_{b,2}, K_{b,1}\big).$$

The correctness of the protocol follows from the bilinearity property of e as shown below:
$$K_{a,1} = e\big(H_1(\mathrm{ID}_b)^{t_a}, \mathit{pk}\big) \cdot e\big(\mathit{sk}_a, g_2^{t_b}\big) = e\big(H_1(\mathrm{ID}_b), g_2^{\sum_{j \in [m]} x_j}\big)^{t_a} \cdot e\big(H_1(\mathrm{ID}_a), g_2^{\sum_{j \in [m]} x_j}\big)^{t_b} = e\big(H_1(\mathrm{ID}_b)^{t_a} \cdot H_1(\mathrm{ID}_a)^{t_b}, g_2\big)^{\sum_{j \in [m]} x_j} = e\big(H_1(\mathrm{ID}_a)^{t_b} \cdot H_1(\mathrm{ID}_b)^{t_a}, g_2\big)^{\sum_{j \in [m]} x_j} = e\big(H_1(\mathrm{ID}_a), g_2^{\sum_{j \in [m]} x_j}\big)^{t_b} \cdot e\big(H_1(\mathrm{ID}_b), g_2^{\sum_{j \in [m]} x_j}\big)^{t_a} = e\big(H_1(\mathrm{ID}_a)^{t_b}, \mathit{pk}\big) \cdot e\big(\mathit{sk}_b, g_2^{t_a}\big) = K_{b,1},$$
$$K_{a,2} = (g_2^{t_b})^{t_a} = (g_2^{t_a})^{t_b} = K_{b,2}.$$

The security and forward secrecy of the original single KGC ID-KA protocol proven in [CK03], which is the special case of the multiple KGC protocol described above for m = 1, hold under the assumptions that $H_1$ and $H_2$ are modeled as random oracles and that CBDH is hard for the group pair $(G_2, G_1)$ of pairing e. Briefly, the CBDH hardness assumption for $(G_2, G_1)$ states that for a randomly chosen triple of exponents $x, y, z \in \mathbb{Z}_q$ and on input $(g_2^x, g_1^y, g_2^z)$ it is hard to compute the value $e(g_1, g_2)^{xyz}$. Given the security and forward secrecy of the original ID-KA protocol for m = 1, it is straightforward that the multiple KGC ID-KA protocol described above preserves security and forward secrecy against any polynomially bounded semi-honest adversary that corrupts all but one of the m KGCs.

3 Ideal Anonymous Messaging

We formalize the concept of anonymous messaging in line with standard MPC security modeling. In particular, we capture the notion of an ideal MPC functionality F that, in the presence of an ideal adversary S, receives inputs from a number of n users and computes the desired result w.r.t. some program f. An MPC protocol is said to be secure w.r.t. a class of programs if its execution in the presence of a real-world adversary results in input/output transcripts that are indistinguishable from the ideal setting that F specifies for program f. Subsequently, inspired by Tor, Vuvuzela and other related systems, we make use of the rendezvous points idea. Specifically, we instantiate F w.r.t.
two distinct abstract programs $\mathrm{DLN}_{abs}$ and $\mathrm{CNV}_{abs}$ that reflect the Dialing and Conversation functionalities respectively; the two programs are abstract in the sense that, in this section, they will be described in a high level algorithmic way that we will make concrete in the coming sections. The use of a random rendezvous point in the establishment of a communication channel between two users averts any denial of service attacks targeting specific users by other users at the conversation phase.

Notation. We write $x \xleftarrow{\$} X$ to denote that x is sampled uniformly at random from set X. For a positive integer n, the set $\{1, \ldots, n\}$ is denoted by [n]. The j-th component of an n-length tuple a is denoted by a[j], i.e. $a := (a[1], \ldots, a[n])$. We use $\approx_c$ to express indistinguishability between transcripts, seen as random variables. By $\mathrm{negl}(\cdot)$ we denote that a function is negligible, i.e. asymptotically smaller than the inverse of any polynomial. We use λ as the security parameter. Let $\vec{x} = \langle x_1, \ldots, x_n \rangle$ be a vector of users' inputs. We denote by $\mathrm{EXEC}^{F,f}_{S,\vec{x}}(\lambda)$ the transcript of inputs/outputs in an ideal MPC execution of F interacting with the ideal adversary S, and by $\mathrm{EXEC}^{P,f}_{A,\vec{x}}(\lambda)$ the transcript of inputs/outputs in a real-world execution of MPC protocol P w.r.t. f in the presence of adversary A. By PPT, we mean that A runs in probabilistic polynomial time.

3.1 Entities and threat model

We consider a client-server MPC setting. Namely, the entities involved in an MPC protocol P are (i) a number of n users $u_1, \ldots, u_n$ that provide their inputs $x_1, \ldots, x_n$ and (ii) a number of m servers $\mathrm{Ser}_1, \ldots, \mathrm{Ser}_m$ that collectively compute an evaluation on the users' inputs w.r.t. a program f. The users engaged in a specific MPC execution form an active set $U_{act}$. We consider an ad-hoc setting [BGIK16] of secure computation, where the program f is known in advance, but not the active user set $U_{act}$. An adversary against P is allowed to have a global view of the protocol network. In addition, it may corrupt up to a fixed subset of θ servers and has limited computational resources preventing it from breaking the security of the underlying cryptographic primitives. In standard MPC cryptographic modeling, the security of P is argued w.r.t. the functionality F that specifies an ideal evaluation of f, where the privacy leakage is the minimum possible for the honest users. Thus, indistinguishability between the ideal and the real world setting implies that an adversary against P obtains essentially no more information than this minimum leakage. In our description, F merely leaks whether an honest user is online or not. This information is impossible to hide against a network adversary and hence it is a minimum level of leakage. On the other hand, information that can typically be inferred by traffic analysis is totally protected by F. This level of anonymity, sometimes referred to as unobservability, requires the participation of all online parties and the generation of dummy traffic independently of whether or not they wish to send a message in a particular round. As a result, any protocol P that securely realizes F where f represents a dialing or conversation program should incorporate such a methodology. As we demonstrate, using MPC to realize P is a natural way to determine the appropriate level and form of dummy traffic needed to realize this level of anonymity.

3.2 An ideal MPC functionality with adversarial influence for a family of programs

In a messaging system, dialing and conversation among users are operations where conflicts are likely to appear, e.g.
two users may dial the same person, or a conversation may be accidentally established on colliding communication channels (three equal rendezvous points are computed). One can think of several other examples of operations where conflicts are possible, such as an election tally where exactly one out of multiple ballots per voter must be counted, or deciding on the valid sequence of transactions on a blockchain ledger when forking occurs. Any program implementing this type of operation must be able to resolve these conflicts. The way that conflict resolution is achieved may depend on parameters like computation efficiency, communication complexity or user priority, yet in any case, a set of programs that implement the same operation are in some sense equivalent and may be clustered under the same family. A plausible requirement is that the choice of the family member that will be utilized should not affect the security standards of the operation implementation. Consequently, in an MPC setting that supports the realization of any program in the family, it is desirable that security is preserved w.r.t. the entire family, so that one can choose the family member that suits their custom requirements. To express this formally, we introduce a relaxation of the usual MPC functionality. Namely, the relaxed ideal MPC functionality F is for a family of programs $\{f_z\}_z$ in the presence of an ideal adversary S that chooses the index z (this is the relaxation), where z can be parsed as the code that determines the family member $f_z$. We call this MPC with adversarial influence. The program $f_z$ accepts as input a vector $\vec{x} = \langle x_1, \ldots, x_n \rangle$ of (i) valid messages from some domain D or (ii) $\bot$, if the user is inactive, i.e. not in $U_{act}$. In our description, computation takes place even when a subset of users abstain from the specific execution by not providing inputs.
To formalize the abstain behavior of user $u_i$, for every $i \in [n]$ we define an $\mathrm{abstain}_i(\cdot)$ predicate over $D \cup \{\bot\}$ as follows:
$$\mathrm{abstain}_i(x_i) := \begin{cases} 1, & \text{if } x_i = \bot \\ 0, & \text{if } x_i \in D \end{cases} \qquad (1)$$
The ideal MPC functionality F is presented in Fig. 1. Note that the relaxation means that the users will receive output from a program $f_z$ for a z of the ideal adversary's choosing. The security of a real-world MPC protocol P is defined w.r.t. a class of programs F as well as a family selected from F as follows:

Ideal MPC functionality F with adversarial influence for programs $\{f_z\}_z$
- Upon receiving start from S, it sets the status to input and initializes two lists $L_{input}$ and $L_{corr}$ as empty.
- Upon receiving (corrupt, $u_i$) from S, it adds $u_i$ to $L_{corr}$.
- Upon receiving (send input, $x_i$) from $u_i$, if $u_i \in L_{corr}$, then it sends (send input, $u_i$, $x_i$) to S. If $u_i \notin L_{corr}$, then it sends (send input, $u_i$, $\mathrm{abstain}_i(x_i)$) to S, where $\mathrm{abstain}_i(\cdot)$ is defined in Eq. (1).
- Upon receiving (receive input, $u_i$, $\hat{x}_i$) from S, if (i) the status is input and (ii) $(u_i, \cdot) \notin L_{input}$, then if $u_i \notin L_{corr}$, it keeps $x_i$ as received from $u_i$, else it sets $x_i := \hat{x}_i$. Next, it adds $(u_i, x_i)$ to $L_{input}$.
- Upon receiving (compute, z) from S, if $L_{input}$ contains records for all users in U, it first computes the value vector $\vec{y} = \langle y_1, \ldots, y_n \rangle \leftarrow f_z(x_1, \ldots, x_n)$. Then, it sends $y_i$ to $u_i$ for $i = 1, \ldots, n$ (hence, S obtains $\{y_i\}_{u_i \in L_{corr}}$).

Figure 1: The ideal MPC functionality F with adversarial influence for a family of programs $\{f_z : (D \cup \{\bot\})^n \to Y\}_z$ on input $\vec{x} = \langle x_1, \ldots, x_n \rangle$, interacting with the ideal adversary S.

Definition 1. Let P be an MPC protocol with n users and m servers and let F be a class of programs. We say that P is a (θ, m)-secure MPC protocol w.r.t. $\{f_z\}_z \in F$ if, for every active user set $U_{act} \subseteq U$ and every PPT adversary A corrupting up to θ out of m servers, there is an ideal adversary S s.t. for every input vector $\vec{x} = \langle x_1, \ldots, x_n \rangle$, $\mathrm{EXEC}^{F}_{S,\vec{x}}(\lambda) \approx_c \mathrm{EXEC}^{P}_{A,\vec{x}}(\lambda)$.

3.3 The families of programs $\mathrm{DLN}_{abs}$ and $\mathrm{CNV}_{abs}$

An anonymous messaging scheme comprises the following two functionalities: (i) the Dialing functionality, which consists of the computation of a rendezvous point for a given pair of users who want to communicate, and (ii) the Conversation functionality, which represents the actual exchange of messages.
For the families $\mathrm{DLN}_{abs}$ and $\mathrm{CNV}_{abs}$, the parameter z enables the adversary to choose (i) how to handle collisions between multiple dialers in the case of $\mathrm{DLN}_{abs}$, and (ii) how to handle the presence of three or more equal dead drops in the case of $\mathrm{CNV}_{abs}$ (which happens only in the case of malicious users). We note that this minimum level of adversarial manipulation does not affect the security features of the anonymity system, yet it allows for substantial performance gains in terms of the implementation. We formally express the above functionalities by instantiating the generic MPC functionality F w.r.t. the Dialing program family $\mathrm{DLN}_{abs}$ and the Conversation program family $\mathrm{CNV}_{abs}$ (i.e. we set f as $\mathrm{DLN}_{abs}$ and $\mathrm{CNV}_{abs}$). We note that for both the dialing and conversation program families, the verification that the parameter z has the proper structure can be suitably restricted so that it is tested efficiently by the program. For brevity, we omit further details.

The Dialing program family $\mathrm{DLN}_{abs}$

In the Dialing functionality, a rendezvous point for users $u_i$ and $u_j$ is set when two requests of the form $(\mathrm{DIAL}, u_i, u_j)$ and $(\mathrm{DIALCHECK}, u_j)$ have been produced. Thus, the Dialing program family $\mathrm{DLN}_{abs}$ receives inputs that are vectors of $(\mathrm{DIAL}, \cdot, \cdot)$ or $(\mathrm{DIALCHECK}, \cdot)$ requests, as well as $\bot$ to denote user inactivity. That is, $U_{act}$ is the set of users that do not provide a $\bot$ input. The program $\mathrm{DLN}_{abs}$ is parameterized by z, which specifies a deterministic program $R^z_{\mathrm{DLN}}(\cdot, \cdot)$ over pairs of inputs to resolve the case where more than one dial request addresses the same user/dial checker. The Dialing program family $\mathrm{DLN}_{abs}$ is presented formally in Figure 2.

Program family $\mathrm{DLN}_{abs}$ parameterized by z

Domain: $(D_{\mathrm{DLN}_{abs}} \cup \{\bot\})^n$, where
$$D_{\mathrm{DLN}_{abs}} := \big\{(\mathrm{DIAL}, u_i, u_j)\big\}_{u_i \neq u_j \in U} \cup \big\{(\mathrm{DIALCHECK}, u_i)\big\}_{u_i \in U}.$$
Namely, let $U_{act} := \{u_i \in U \mid x_i \neq \bot\}$; a valid input $x_i$ for user $u_i \in U_{act}$ consists of either (i) a $(\mathrm{DIAL}, u_i, u_j)$ request for some user $u_j$ that $u_i$ wants to dial, or (ii) a $(\mathrm{DIALCHECK}, u_i)$ request. For a vector of inputs $\vec{x} = \langle x_1, \ldots, x_n \rangle$, if $x_i = (\mathrm{DIALCHECK}, u_i)$ then $M_i(\vec{x}) = \{j \mid x_j = (\mathrm{DIAL}, u_j, u_i)\}$, else it is $\bot$. Parse z as a deterministic program $R^z_{\mathrm{DLN}}$ such that for any $\vec{x}$, if $M_i(\vec{x})$ is non-empty, then $R^z_{\mathrm{DLN}}(i, \vec{x}) \in M_i(\vec{x})$, else it is equal to $\bot$.

Range: $Y_{\mathrm{DLN}_{abs}} := \{y_i \mid y_i \in [a, b]\}_{u_i \in U_{act}}$, where [a, b] is a predetermined integer interval.

Function: On input a vector $\vec{x} = \langle x_1, \ldots, x_n \rangle$ where each non-$\bot$ value $x_i$ is either a $(\mathrm{DIAL}, u_i, u_j)$ request or a $(\mathrm{DIALCHECK}, u_i)$ request, $\mathrm{DLN}_{abs}$ computes a vector $\vec{y} = \langle y_i \rangle_{u_i \in U_{act}}$ as follows:
- Let $I_{act} := \{i \mid u_i \in U_{act}\}$ be the set of indices that refer to active users.
- For $i, j \in I_{act}$, $\mathrm{DLN}_{abs}$ samples distinct random integers $t_{i,j}$ from range [a, b].
- For every $i \in I_{act}$:
  - If $x_i = (\mathrm{DIAL}, u_i, u_j)$, then if there is a $j \in I_{act}$ such that $x_j = (\mathrm{DIALCHECK}, u_j)$ and $i = R^z_{\mathrm{DLN}}(j, \vec{x})$, it sets $t_i = t_{i,j}$. Otherwise (i.e., there is no such j), it sets $t_i = t_{i,i}$. In both cases, it sets $y_i = t_i$.
  - If $x_i = (\mathrm{DIALCHECK}, u_i)$, then if there is a $j \in I_{act}$ such that $j = R^z_{\mathrm{DLN}}(i, \vec{x})$, it sets $t_i = t_{i,j}$ and a bit $c_i = 1$. Otherwise (i.e., there is no such j), it sets $t_i = t_{i,i}$ and a bit $c_i = 0$. In both cases, it sets $y_i = (t_i, c_i)$.
- It returns the value vector $\vec{y} := \langle y_i \rangle_{u_i \in U_{act}}$.

Figure 2: The Dialing program family $\mathrm{DLN}_{abs} : (D_{\mathrm{DLN}_{abs}} \cup \{\bot\})^n \to Y_{\mathrm{DLN}_{abs}}$ with parameter z, where non-$\bot$ range values are integers sampled from range [a, b].
By the definition of DLN_abs, two active users $u_i, u_j$ that have submitted matching dialing and dial check requests are going to be provided the same random integer $t_i = t_j \in \{t_{i,j}, t_{j,i}\}$, which establishes a rendezvous point. We will refer to these non-$\bot$ values in $t_1, \ldots, t_n$ as dead drops. In addition, DLN_abs returns to each dial checker $u_i$ a bit $c_i$ which is 1 iff $u_i$ has successfully established a rendezvous with some dialer. It is reasonable to provide this information to a dial checker, as $t_i$ might be a random value that is not an actual dead drop. Hence, the bit $c_i$ communicates to the dial checker that she has an incoming call (if nobody calls the dial checker, then a random dead drop value is returned that nobody else shares with her). On the other hand, a dialer should not be able to infer information about the dial traffic and availability concerning some dial checker; therefore DLN_abs does not provide this success check to the dialers.

The Conversation program family CNV_abs. Given the establishment of the dead drops, as set by DLN_abs, the Conversation program family CNV_abs realizes the operation of message exchange, where messages lie in some space $M$. The program family CNV_abs is presented in Figure 3.

By the definition of CNV_abs, if no dead drop is shared among three or more users, then two users $u_i, u_j$ are going to exchange their messages $m_i, m_j$ only if they provide the same dead drop $t_i = t_j$. Recall that if the dead drops are computed as outputs of the Dialing program family DLN_abs w.r.t. the same active set $U_{act}$, then no more than two users share the same dead drop, which implies the correctness of CNV_abs. In the other cases, either (i) there is no matching dead drop or (ii) more than 2 matching dead drops exist. In case (ii), the parameter $z$ specifies a deterministic program $R^z_{\mathrm{CNV}}$ among inputs which in turn determines the pair of matching dead drops. In any case, when a message exchange fails for some user, CNV_abs returns this message back to the user for resubmission in an upcoming round.

Program family CNV_abs parameterized by $z$

Domain: $(D_{\mathrm{CNV}_{abs}} \cup \{\bot\})^n$, where
$$D_{\mathrm{CNV}_{abs}} := \{(\mathrm{CONV}, t_i, m_i)\}_{t_i \in [a,b],\, m_i \in M,\, u_i \in U}.$$
Namely, let $U_{act} := \{u_i \in U \mid x_i \neq \bot\}$; a valid input for user $u_i$ consists of a $(\mathrm{CONV}, t_i, m_i)$ request for the rendezvous point tagged by $t_i$, for sending message $m_i$. For a vector of inputs $x$, define $N_i(x) = \{j \mid x_j = (\mathrm{CONV}, t_i, m_j)\}$. Parse $z$ as a deterministic program $R^z_{\mathrm{CNV}}$, such that for any $x$, if $N_i(x) \neq \emptyset$ then $R^z_{\mathrm{CNV}}(i, x) \in N_i(x)$, else it is equal to $\bot$.

Range: $Y_{\mathrm{CNV}_{abs}} := \{y_i \mid y_i \in M\}_{u_i \in U_{act}}$.

Function: On input a vector $\langle x_1, \ldots, x_n \rangle$ where each non-$\bot$ value $x_i$ is a $(\mathrm{CONV}, t_i, m_i)$ request, CNV_abs returns a value vector $y = \langle y_i \rangle_{u_i \in U_{act}}$, as follows:
- Let $I_{act} := \{i \mid u_i \in U_{act}\}$ be the set of indices that refer to active users.
- For every $i \in I_{act}$: if $j = R^z_{\mathrm{CNV}}(i, x)$ with $j \neq \bot$, then it sets $y_i = m_j$. Otherwise, it sets $y_i = m_i$.
- It returns the value vector $y = \langle y_i \rangle_{u_i \in U_{act}}$.

Figure 3: The Conversation program family CNV_abs $: (D_{\mathrm{CNV}_{abs}} \cup \{\bot\})^n \rightarrow Y_{\mathrm{CNV}_{abs}}$ with parameter $z$, where non-$\bot$ dead drop values are integers sampled from a predetermined interval $[a, b]$ and messages are taken from the space $M$.
3.4 Anonymous Messaging Systems

An anonymous messaging system is a pair of protocols that realize any two members of the families DLN_abs and CNV_abs under the security guarantee provided in Definition 1. Given such a realization, anonymous communication can be achieved as a continuous sequence of interleaved invocations of dialing and conversation. In principle, dialing can be more infrequent compared to conversation, e.g., performing only a single dialing every certain number of conversation rounds. We note that the value of our relaxation of MPC security lies in the fact that we can realize any member of the respective families.

3.5 Sharemind as a secure MPC platform

As already discussed, Sharemind will be the building platform for the implementation of our anonymous messaging scheme. As shown in [Bog13], Sharemind is information theoretically secure against a passive (honest-but-curious) adversary that corrupts 1-out-of-3 MPC servers. Subsequent work [PL15] provides interesting directions regarding the active security of Sharemind, even specifically for novel oblivious sorting algorithms [LP16]. However, in our implementation, we consider the case of passive security.

In more detail, let $\mathcal{S}$ be the class of programs that can be written in Sharemind's supporting language SecreC. In our analysis, we claim that Sharemind operates as a $(1, 3)$-secure MPC platform for any program family member of the class $\mathcal{S}$ against passive adversaries, as in Definition 1. Using the above claim, we provide two SecreC programs and prove that they realize two members of the families DLN_abs and CNV_abs (cf. Sections 5 and 6), hence obtaining an anonymous messaging system.

3.6 Alternative MPC platforms

For the purpose of the proposed anonymous messaging, Sharemind can be viewed as a black box providing MPC functionality. Hence, it is also possible to swap Sharemind for another MPC implementation providing different deployment or security properties. For example, recently, Furukawa et al. proposed a highly-optimised protocol for computation with an honest majority and security for malicious adversaries [FLNW17], that was further improved by Araki et al. [ABF+17]. Similarly, it is possible to support more than three computation parties. SPDZ [DPSZ12] is a practical MPC implementation that provides statistical security against an active adversary that corrupts up to $m - 1$ parties. Its online computation and communication complexities are both $O(m|C| + m^3)$, where $|C|$ stands for the size of the arithmetic circuit being computed. In our setting, the lower bound for this circuit size is the number of users, $n$. Both actively secure MPC implementations mentioned here work in a preprocessing (i.e. offline/online) model.

4 System Architecture

Our work is presented in a manner that makes it easy to implement using any of the MPC protocols mentioned in Section 2 and with any number of servers. However, for the sake of presentation, we assume three MPC servers, denoted by $Ser_1, Ser_2, Ser_3$. As a general idea, the protocol works in rounds, where in each round users break their input into shares and forward the shares to the servers, with each server receiving one share.
Then, the servers interactively compute the desired output shares, which are in turn returned to the respective users. In our description, for simplicity, we choose additive secret sharing, but other sharing schemes would not affect the functionality of our architecture. Besides the MPC servers, the complete architecture of our system comprises an entry and an output server used to handle user requests. The entry and output servers may be located on the same or on different physical machines and are only trusted to relay messages.

Figure 4: MCMix abstract architecture.
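The share handling of one round as just described, and as detailed in steps 2, 3, 4 and 8 of Section 4.2 below, as an added example that is not MCMix's own code: additive sharing over $\mathbb{Z}_{2^{64}}$ for three servers, the entry server's grouping, the servers' order-check digest, and the user's reconstruction. The usernames and inputs are constructed, and the per-server authenticated encryption of shares and the MPC program itself are left out.

```python
"""Added example, not MCMix's own code: the share handling of one round
(Section 4.2, steps 2, 3, 4 and 8) with additive secret sharing over
Z_{2^64} and three MPC servers. Authenticated encryption of the shares
and the MPC program are left out; usernames and inputs are constructed."""
import hashlib
import secrets
from typing import List, Tuple

MOD = 1 << 64        # requests are padded to a fixed length; here one 64-bit word
N_SERVERS = 3


def share(value: int) -> List[int]:
    """Step 2 (client): a_i = a_i,Ser1 + a_i,Ser2 + a_i,Ser3 (mod 2^64).
    The first two shares are uniformly random and the last one fixes the
    sum, so any single server's share is independent of the value."""
    if not 0 <= value < MOD:
        raise ValueError("input must be encoded as a 64-bit word")
    shares = [secrets.randbelow(MOD) for _ in range(N_SERVERS - 1)]
    shares.append((value - sum(shares)) % MOD)
    return shares


def reconstruct(shares: List[int]) -> int:
    """Step 8 (client): add the decrypted output shares."""
    return sum(shares) % MOD


def entry_server_group(packages: List[Tuple[int, List[int]]]) -> List[List[Tuple[int, int]]]:
    """Step 3 (entry server): a package is (UN_i, [share for Ser_1, Ser_2, Ser_3]).
    Server l receives share l of every package, paired with the username, in
    one common order. The entry server never sees a plaintext input."""
    return [[(un, shares[l]) for un, shares in packages] for l in range(N_SERVERS)]


def order_check_digest(usernames: List[int]) -> bytes:
    """Step 4 (each MPC server): H(UN_1 || ... || UN_n) over the 64-bit
    usernames in the order the inputs arrived."""
    h = hashlib.sha256()
    for un in usernames:
        h.update(un.to_bytes(8, "big"))
    return h.digest()


def servers_agree_on_order(per_server: List[List[Tuple[int, int]]]) -> bool:
    """The servers exchange their digests; any mismatch means the three share
    sequences are not aligned, so the round must be aborted rather than
    computed on mismatched shares."""
    digests = {order_check_digest([un for un, _ in seq]) for seq in per_server}
    return len(digests) == 1


def local_sum(per_server: List[List[Tuple[int, int]]]) -> List[int]:
    """Why additive shares are convenient: each server adds the shares it
    holds without any communication, and the three results are shares of the
    sum of all inputs. (MCMix's programs compute far more than a sum; this
    only shows the linearity an MPC engine builds on.)"""
    return [sum(sh for _, sh in seq) % MOD for seq in per_server]
```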

The complete architecture of our system, as shown in Fig. 4, includes the secure MPC servers, as well as an entry and an output server used to handle user requests.

4.1 Registration phase

At the beginning, the MPC servers $Ser_1, Ser_2, Ser_3$ run the Setup phase of the secure multiple-KGC ID-KA protocol (cf. Section 2.3), playing the role of three KGCs, $KGC_1, KGC_2, KGC_3$, and generating their partial master secret keys $msk_1, msk_2, msk_3$. Before starting to use the system, each user $u_i$ registers with a unique username $UN_i$ of 64 bits. Then, each MPC server $Ser_l$, $l \in \{1, 2, 3\}$, generates $u_i$'s partial secret key $sk_{i,l}$ and sends it to $u_i$. Upon receiving $sk_{i,1}, sk_{i,2}, sk_{i,3}$, $u_i$ combines the partial keys to obtain her ID-KA secret key $sk_i$ as output of the secret key derivation algorithm. In addition, by performing a standard key exchange operation, $u_i$ obtains a symmetric key $k_{i,l}$ for communication with each $Ser_l$, $l \in \{1, 2, 3\}$. From this point on, any authentication and communication between $u_i$ and the servers is performed using symmetric key cryptography. On the client side, $u_i$ can compute $u_j$'s ID-KA public key $pk_j$ as a function of her username $UN_j$ and agree on the ID-KA key $K_{i,j}$. In the rest of this paper, we set the length of the usernames $UN_1, \ldots, UN_n \in \mathcal{UN}$ to be 64 bits.

4.2 Main phase

The main phase of the protocol for each round $r$ consists of the following steps:

1. Encoding: Each user $u_i$ generates a request $a_i$, as input to the MPC that is to be executed. All requests are padded to a fixed length specified by the running protocol to hide the content size.

2. Secret sharing: Each user $u_i$ creates three shares of the request using additive secret sharing, so that $a_i = a_{i,Ser_1} + a_{i,Ser_2} + a_{i,Ser_3}$ holds. Note that the subscripts denote the MPC server that will process the share.
Then each of the three shares intended for one of the MPC servers is encrypted with the respective symmetric key $k_{i,l}$ using authenticated encryption. The result is a triple of the form $\bar{a}_i = (\bar{a}_{i,Ser_1}, \bar{a}_{i,Ser_2}, \bar{a}_{i,Ser_3})$, where $\bar{a}_{i,Ser_l} := \mathrm{Enc}_{k_{i,l}}(a_{i,Ser_l})$, $l \in \{1, 2, 3\}$. Then each user sends the encrypted shares, along with her username $UN_i$, as a package to the entry server.

3. MPC input preparation: Before the start of round $r$, the entry server groups the packages received so far and sends each share along with its associated username to the respective MPC server. It is important to note that the use of an entry server is only to synchronize the MPC servers and to provide the shares in the same order to each of them. For notational simplicity and without loss of generality, we assume that the entry server arranges $u_i$ as the user that submitted the $i$-th input. Then, each MPC server $Ser_l$ receives a sequence of the form $\bar{a}^{Ser_l} = \langle \bar{a}_{1,Ser_l}, \ldots, \bar{a}_{n,Ser_l} \rangle$. We denote by $n$ the number of users that provided an input in round $r$. In addition to $\bar{a}^{Ser_l}$, the MPC servers also receive a sequence of the users' usernames in corresponding order, that is a sequence of the form $UN = \langle UN_1, \ldots, UN_n \rangle$, where $UN_i$ is the registered username of the user that provided input $i$.

4. Order check: Each MPC server computes a hash of the usernames in the order they appear in its input sequence, as $H(UN_1 \| \cdots \| UN_n)$, and exchanges it with the other MPC servers. In case the three hashes do not match, it is implied that the order of the usernames provided to the three servers was different. Thus, a denial of service attack has taken place by either the entry server or one of the MPC servers (considering they reported a false hash). This step is optional when considering only the privacy implications of a malicious entry server.

5. Decryption and authentication: At this point, authentication is performed implicitly by each server via decrypting the received share with the symmetric key corresponding to the username that came with the share. Thus the shares $a^{Ser_l} = \langle a_{1,Ser_l}, \ldots, a_{n,Ser_l} \rangle$, with $a_{i,Ser_l} := \mathrm{Dec}_{k_{i,l}}(\bar{a}_{i,Ser_l})$, are ready for the MPC.

6. MPC algorithm: The MPC servers execute the MPC protocol.

7. Encryption and return: Each MPC server encrypts each output share with the respective symmetric key and forwards shares of the form $\bar{b}^{Ser_l} = \langle \bar{b}_{1,Ser_l}, \ldots, \bar{b}_{n,Ser_l} \rangle$, where each share $\bar{b}_{i,Ser_l}$ is paired with the username $UN_i$ of $u_i$, to the output server. The output server collects the shares corresponding to the same user and returns a package of the form $(\bar{b}_{i,Ser_1}, \bar{b}_{i,Ser_2}, \bar{b}_{i,Ser_3})$ to each user $u_i$.

8. Decryption and reconstruction: Each user decrypts the received shares with the respective symmetric key and adds them, resulting in $b_i = b_{i,Ser_1} + b_{i,Ser_2} + b_{i,Ser_3}$, where $b_{i,Ser_l} = \mathrm{Dec}_{k_{i,l}}(\bar{b}_{i,Ser_l})$. The value $b_i$ is the final output of the MPC protocol for user $u_i$ for round $r$.

Remark 1. The entry and output servers are used for practical reasons. The main function they perform is grouping the received packages of shares and forwarding them to/from the servers. As they have no information about the symmetric keys exchanged between users and servers at the registration phase, they merely schedule the traffic consisting of encrypted share data. Hence, even if the entry and output servers are malicious, they can do no more than an adversary controlling the network.

5 The Dialing Protocol

The dialing protocol enables a user $u_i$ to notify another user $u_j$ that she wants to start a conversation, much like how the telephone protocol works. The protocol runs in rounds to deter possible timing attacks, where in each round every online active user will either send a DIAL request or a DIALCHECK request. All requests are mutually indistinguishable. For clarity, we first provide a description of the Dialing protocol steps. Then, we proceed with the efficient program DLN_sort implementing it.

5.1 Protocol description

The protocol runs in seven steps, where steps 2-6 are executed by the MPC servers.
Steps 1 and 7 are executed locally by each user.

1. Encoding: The inputs $x_1, \ldots, x_n$ are of the form of $(\mathrm{DIAL}, u_i, u_j)$ requests, $(\mathrm{DIALCHECK}, u_i)$ requests, or $\bot$, representing the action each user takes for this dialing round. For simplicity, assume that the users are enumerated as $u_1, \ldots, u_n$ consistently with the input sequence $x_1, \ldots, x_n$, i.e. $u_i$ is the user that submitted the $i$-th input. As a result, the active users that submitted non-$\bot$ values are enumerated as $u_1, \ldots, u_{act}$, where $act$ is the size of the active set $U_{act}$. The inputs of the active users are encoded as triples of the form $a_i := (a_i[1], a_i[2], a_i[3])$, where the third component is an input wire ID $wi_i$. The wire IDs are initially set to zero, but in the following Step 2, $wi_i$ will be set uniquely for $u_i$. In particular, if $u_i$ wants to dial $u_j$, then the $(\mathrm{DIAL}, u_i, u_j)$ request is encoded as $(UN_i, UN_j, 0)$, where $UN_i$ and $UN_j$ are the usernames of the dialer and the dialee respectively. If $u_i$ is a dial checker, then the $(\mathrm{DIALCHECK}, u_i)$ request is encoded as $(C, UN_i, 0)$, where (i) $C$ is a special value designated to denote a dial check and is different from any possible username value, and (ii) $UN_i$ is the checker's own username.

2. Assigning wire ID values: As a first step, the MPC protocol assigns unique wire IDs for each user. This is done by setting the third component $a_i[3]$ of the encoded triple $a_i$ to $i$. Given the order $u_1, \ldots, u_{act}$, for each $u_i$ we have that $wi_i := i$. These wire IDs are needed internally for the MPC calculation and express the order in which the inputs were received, so that the respective outputs will be delivered in the same order.

3. Checking input validity: The protocol then checks if any of the first two members of each triple, denoted by $a_i[1]$ and $a_i[2]$, is equal to the submitter's username. This check ensures that inputs are

encoded in a way that does not compromise the security of the system. The threat here is that a user $u_i$ might try to impersonate a user $u_j$ by encoding a DIALCHECK input as $a_i = (C, UN_j, wi_i)$. That attack would allow user $u_i$ to receive a dial request that was intended for user $u_j$. A similar problem arises when considering a user $u_i$ encoding a DIAL input as $a_i = (UN_l, UN_j, wi_i)$. In this case, user $u_j$ will think the dial originated from user $u_l$. To avert such impersonation attacks, it is enough for the MPC protocol to check that either the first or the second member of an input tuple is equal to the username of the user that submitted that input. This, along with the fact that the input is sent from the user to each MPC server using authenticated encryption (cf. step 2 of the architecture in Section 4), guarantees that no impersonation attack can take place. In more detail, if the input is a DIALCHECK request, then this check ensures that the second member of the tuple is the user's own username. In the case of a DIAL request, the check ensures that a user can only impersonate another user when she dials herself, that is, a request of the form $a_i = (UN_j, UN_i, wi_i)$ is created by user $u_i$. In this case, the request does not affect the protocol. If the check fails for the encoded input $a_i$, then the input is set to $a_i = (0, 0, wi_i)$ and does not affect the protocol.

4. Sorting by usernames: The encoded input triples are first sorted according to their second components using the oblivious Quicksort algorithm of [HKI+12], implemented according to [BLT14]. Observe that every non-zero second component is either (i) the username $UN_j$ of the dialee $u_j$ in a dial request from some user $u_i$, or (ii) the username $UN_j$ of the dial checker $u_j$. Thus, when a triple $(C, UN_j, wi_j)$ is adjacent to some triple $(UN_i, UN_j, wi_i)$ with a non-zero second component, this determines a dial pair between $u_i, u_j$. We note that two special conflict cases may appear:

I. $(C, UN_j, wi_j)$ is adjacent to two dial triples, as in $\ldots, (UN_i, UN_j, wi_i), (C, UN_j, wi_j), (UN_{i'}, UN_j, wi_{i'}), \ldots$

II. Two or more adjacent dial triples correspond to $(C, UN_j, wi_j)$. The sorting would then appear as $\ldots, (UN_i, UN_j, wi_i), (UN_{i'}, UN_j, wi_{i'}), (C, UN_j, wi_j), \ldots$

5. Connecting neighbors: Next, requests are processed individually by looking at both their neighbors' triples to determine if there is a dial for any given dial check request. Of course, requests at the first and last place of the sorted vector need only look at one neighbor. Thus, we can claim that any dial check request will have a suitable dial request as its neighbor or not at all. In more detail, for every user $u_i$, the protocol produces a pair $b_i := (b_i[1], b_i[2])$, where $b_i[2]$ is $wi_i$ and $b_i[1]$ is either (i) the username $UN_j$ of some user $u_j$ that dialed $u_i$, or (ii) 0, if no dial request has been made for $u_i$, or $u_i$ has made a dial request.

6. Sorting by wire IDs: As a final sorting step, the protocol needs to sort the processed requests according to their wire IDs in order for the correct requests to be forwarded to each user. The latter sort, performed on $b_1, \ldots, b_{act}$ according to the wire IDs, can again be implemented by the Quicksort algorithm of [HKI+12]. The result of the last sorting is a vector $\hat{b}_1, \ldots, \hat{b}_{act}$ where $\hat{b}_i$ is a pair $(\hat{b}_i[1], \hat{b}_i[2])$ that corresponds to $u_i$, and $\hat{b}_i[1]$ is essentially either (i) a username $UN_j$ or (ii) a zero value, in both cases indexed by $\hat{b}_i[2] := wi_i$.

7. Computing the dead drops: After the Quicksort algorithm is complete, the active users $u_1, \ldots, u_{act}$ are delivered the values $\hat{b}_1[1], \ldots, \hat{b}_{act}[1]$ respectively. Then, dialer $u_i$ that knows $UN_j$, and dial checker $u_j$ that obtained $UN_i$, can calculate their shared dead drop value for dialing round $r$ as follows:
$$t_i := H(K_{i,j}, r), \quad \text{if } \hat{b}_i[1] = 0,$$
$$t_j := H(K_{j,i}, r), \quad \text{if } \hat{b}_j[1] = UN_i.$$
Above, $H$ is a standard cryptographic hash function, and $r$ is the round number.
The values $K_{i,j}, K_{j,i}$ are the ID-KA keys that $u_i$ and $u_j$ compute by running the key agreement algorithm GenerateKey on input $(sk_i, UN_j)$ and $(sk_j, UN_i)$ respectively (cf. Section 2), where $sk_i, sk_j$ are the secret keys of $u_i$ and $u_j$. Recall that ID-KA operations are over a finite multiplicative group of prime order $q$.
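The seven dialing steps above, followed by the conversation function CNV_abs of Figure 3, as an added clear-text reference model that is not the paper's SecreC program: every step MCMix runs obliviously on shares runs here on plain values, so the matching rules and the impersonation check can be read and tested. The usernames, the sentinel $C$, the sort tie-breaks standing in for $R^z_{\mathrm{DLN}}$ and $R^z_{\mathrm{CNV}}$, and the pair-key derivation that replaces ID-KA are all constructed assumptions.

```python
# Added example (not the paper's SecreC program): clear-text reference model of
# the dialing round, Section 5.1 steps 1-7, and of CNV_abs from Figure 3.
# Usernames, the sentinel C, the tie-breaks standing in for R^z_DLN / R^z_CNV
# and the pair-key derivation are constructed for this example.
import hashlib
from typing import List, Optional

C = 1 << 64   # DIALCHECK marker: 65 bits, so it can never equal a 64-bit username

def assign_wire_ids(inputs):
    """Step 2: wi_i is the position of u_i in the input sequence."""
    return [(a1, a2, k) for k, (a1, a2, _) in enumerate(inputs, start=1)]

def check_validity(inputs, submitters):
    """Step 3: a triple must carry its submitter's username in component 1 or 2;
    anything else becomes (0, 0, wi_i), so a forged (C, UN_j, .) or
    (UN_l, UN_j, .) cannot act for another user."""
    return [(a1, a2, wi) if un in (a1, a2) else (0, 0, wi)
            for (a1, a2, wi), un in zip(inputs, submitters)]

def sort_by_dialee(inputs):
    """Step 4: sort on the second component; ties break on the first, so a
    checker's triple (C is the largest key) lands right after the dial triples
    addressed to her. This fixed tie-break is the stand-in for R^z_DLN in
    conflict cases I and II."""
    return sorted(inputs, key=lambda t: (t[1], t[0]))

def connect_neighbors(srt):
    """Step 5: a checker looks at both neighbours for a dial triple naming her
    as dialee; dialers and unmatched checkers receive 0."""
    out = []
    for k, (a1, a2, wi) in enumerate(srt):
        b1 = 0
        if a1 == C:
            for nb in (k - 1, k + 1):
                if 0 <= nb < len(srt):
                    n1, n2, _ = srt[nb]
                    if n1 not in (0, C) and n2 == a2:
                        b1 = n1
                        break
        out.append((b1, wi))
    return out

def mpc_dialing(submitters, inputs):
    """Steps 2-6 as the servers compute them; step 6 sorts back by wire id so
    that output i goes to the user who sent input i."""
    wired = assign_wire_ids(inputs)
    matched = connect_neighbors(sort_by_dialee(check_validity(wired, submitters)))
    return sorted(matched, key=lambda b: b[1])

def pair_key(un_a: int, un_b: int) -> bytes:
    """Constructed stand-in for the ID-KA key K_{i,j} = K_{j,i} (symmetric in
    the two usernames); MCMix derives it from sk_i and UN_j, not modelled here."""
    lo, hi = sorted((un_a, un_b))
    return hashlib.sha256(b"constructed-pair-secret" + lo.to_bytes(8, "big")
                          + hi.to_bytes(8, "big")).digest()

def dead_drop(key: bytes, round_no: int) -> int:
    """Step 7: t = H(K, r), truncated to 64 bits."""
    return int.from_bytes(hashlib.sha256(key + round_no.to_bytes(8, "big")).digest()[:8], "big")

def dialing_round(submitters, requests, round_no) -> List[Optional[int]]:
    """Steps 1-7 end to end. requests[i] = (a_i[1], a_i[2]) as user i encodes
    it. Returns each user's dead drop; None for a checker nobody dialed (or
    whose input was rejected)."""
    outputs = mpc_dialing(submitters, [(a1, a2, 0) for a1, a2 in requests])
    drops = []
    for un, (a1, a2), (b1, _) in zip(submitters, requests, outputs):
        if a1 != C and a1 == un:          # dialer: told 0, but knows UN_j herself
            drops.append(dead_drop(pair_key(un, a2), round_no))
        elif b1 != 0:                     # checker told UN_i of her caller
            drops.append(dead_drop(pair_key(un, b1), round_no))
        else:
            drops.append(None)
    return drops

def conversation_round(dead_drops, messages):
    """CNV_abs in the clear: equal dead drops swap messages; everyone else gets
    her own message back for resubmission. With three or more equal dead drops
    (only misbehaving users can cause this) the first two in input order are
    paired and the rest get their own message back: the stand-in for R^z_CNV."""
    out, first_holder, paired = list(messages), {}, set()
    for i, t in enumerate(dead_drops):
        if t is None:
            continue
        j = first_holder.setdefault(t, i)
        if j != i and j not in paired:
            out[i], out[j] = messages[j], messages[i]
            paired.update({i, j})
    return out
```

In the constructed round below, user 55 submits a forged dial check for username 33 and is neutralised, and two dialers (11 and 44) address the same checker 33, which is conflict case II resolved by the tie-break.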


Secure Multiparty Computation CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation

More information

1 A Tale of Two Lovers

1 A Tale of Two Lovers CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.

More information

Proofs for Key Establishment Protocols

Proofs for Key Establishment Protocols Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish

More information

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing

Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10,

More information

On the Placement of Internet Taps in Wireless Neighborhood Networks

On the Placement of Internet Taps in Wireless Neighborhood Networks 1 On the Placement of Internet Taps in Wireless Neighborhoo Networks Lili Qiu, Ranveer Chanra, Kamal Jain, Mohamma Mahian Abstract Recently there has emerge a novel application of wireless technology that

More information

State Indexed Policy Search by Dynamic Programming. Abstract. 1. Introduction. 2. System parameterization. Charles DuHadway

State Indexed Policy Search by Dynamic Programming. Abstract. 1. Introduction. 2. System parameterization. Charles DuHadway State Inexe Policy Search by Dynamic Programming Charles DuHaway Yi Gu 5435537 503372 December 4, 2007 Abstract We consier the reinforcement learning problem of simultaneous trajectory-following an obstacle

More information

Learning Polynomial Functions. by Feature Construction

Learning Polynomial Functions. by Feature Construction I Proceeings of the Eighth International Workshop on Machine Learning Chicago, Illinois, June 27-29 1991 Learning Polynomial Functions by Feature Construction Richar S. Sutton GTE Laboratories Incorporate

More information

Particle Swarm Optimization Based on Smoothing Approach for Solving a Class of Bi-Level Multiobjective Programming Problem

Particle Swarm Optimization Based on Smoothing Approach for Solving a Class of Bi-Level Multiobjective Programming Problem BULGARIAN ACADEMY OF SCIENCES CYBERNETICS AND INFORMATION TECHNOLOGIES Volume 17, No 3 Sofia 017 Print ISSN: 1311-970; Online ISSN: 1314-4081 DOI: 10.1515/cait-017-0030 Particle Swarm Optimization Base

More information

Algebraic transformations of Gauss hypergeometric functions

Algebraic transformations of Gauss hypergeometric functions Algebraic transformations of Gauss hypergeometric functions Raimunas Viūnas Faculty of Mathematics, Kobe University Abstract This article gives a classification scheme of algebraic transformations of Gauss

More information

Skyline Community Search in Multi-valued Networks

Skyline Community Search in Multi-valued Networks Syline Community Search in Multi-value Networs Rong-Hua Li Beijing Institute of Technology Beijing, China lironghuascut@gmail.com Jeffrey Xu Yu Chinese University of Hong Kong Hong Kong, China yu@se.cuh.eu.h

More information

Non-Uniform Sensor Deployment in Mobile Wireless Sensor Networks

Non-Uniform Sensor Deployment in Mobile Wireless Sensor Networks 01 01 01 01 01 00 01 01 Non-Uniform Sensor Deployment in Mobile Wireless Sensor Networks Mihaela Carei, Yinying Yang, an Jie Wu Department of Computer Science an Engineering Floria Atlantic University

More information

Probabilistic Medium Access Control for. Full-Duplex Networks with Half-Duplex Clients

Probabilistic Medium Access Control for. Full-Duplex Networks with Half-Duplex Clients Probabilistic Meium Access Control for 1 Full-Duplex Networks with Half-Duplex Clients arxiv:1608.08729v1 [cs.ni] 31 Aug 2016 Shih-Ying Chen, Ting-Feng Huang, Kate Ching-Ju Lin, Member, IEEE, Y.-W. Peter

More information

Comparison of Methods for Increasing the Performance of a DUA Computation

Comparison of Methods for Increasing the Performance of a DUA Computation Comparison of Methos for Increasing the Performance of a DUA Computation Michael Behrisch, Daniel Krajzewicz, Peter Wagner an Yun-Pang Wang Institute of Transportation Systems, German Aerospace Center,

More information

Transient analysis of wave propagation in 3D soil by using the scaled boundary finite element method

Transient analysis of wave propagation in 3D soil by using the scaled boundary finite element method Southern Cross University epublications@scu 23r Australasian Conference on the Mechanics of Structures an Materials 214 Transient analysis of wave propagation in 3D soil by using the scale bounary finite

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

Preamble. Singly linked lists. Collaboration policy and academic integrity. Getting help

Preamble. Singly linked lists. Collaboration policy and academic integrity. Getting help CS2110 Spring 2016 Assignment A. Linke Lists Due on the CMS by: See the CMS 1 Preamble Linke Lists This assignment begins our iscussions of structures. In this assignment, you will implement a structure

More information

Yet Another Parallel Hypothesis Search for Inverse Entailment Hiroyuki Nishiyama and Hayato Ohwada Faculty of Sci. and Tech. Tokyo University of Scien

Yet Another Parallel Hypothesis Search for Inverse Entailment Hiroyuki Nishiyama and Hayato Ohwada Faculty of Sci. and Tech. Tokyo University of Scien Yet Another Parallel Hypothesis Search for Inverse Entailment Hiroyuki Nishiyama an Hayato Ohwaa Faculty of Sci. an Tech. Tokyo University of Science, 2641 Yamazaki, Noa-shi, CHIBA, 278-8510, Japan hiroyuki@rs.noa.tus.ac.jp,

More information

Session key establishment protocols

Session key establishment protocols our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session

More information

Solution Representation for Job Shop Scheduling Problems in Ant Colony Optimisation

Solution Representation for Job Shop Scheduling Problems in Ant Colony Optimisation Solution Representation for Job Shop Scheuling Problems in Ant Colony Optimisation James Montgomery, Carole Faya 2, an Sana Petrovic 2 Faculty of Information & Communication Technologies, Swinburne University

More information

Verifying performance-based design objectives using assemblybased vulnerability

Verifying performance-based design objectives using assemblybased vulnerability Verying performance-base esign objectives using assemblybase vulnerability K.A. Porter Calornia Institute of Technology, Pasaena, Calornia, USA A.S. Kiremijian Stanfor University, Stanfor, Calornia, USA

More information

Reconstructing the Nonlinear Filter Function of LILI-128 Stream Cipher Based on Complexity

Reconstructing the Nonlinear Filter Function of LILI-128 Stream Cipher Based on Complexity Reconstructing the Nonlinear Filter Function of LILI-128 Stream Cipher Base on Complexity Xiangao Huang 1 Wei Huang 2 Xiaozhou Liu 3 Chao Wang 4 Zhu jing Wang 5 Tao Wang 1 1 College of Engineering, Shantou

More information

Multilevel Linear Dimensionality Reduction using Hypergraphs for Data Analysis

Multilevel Linear Dimensionality Reduction using Hypergraphs for Data Analysis Multilevel Linear Dimensionality Reuction using Hypergraphs for Data Analysis Haw-ren Fang Department of Computer Science an Engineering University of Minnesota; Minneapolis, MN 55455 hrfang@csumneu ABSTRACT

More information

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 31, NO. 4, APRIL

IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 31, NO. 4, APRIL IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, VOL. 1, NO. 4, APRIL 01 74 Towar Efficient Distribute Algorithms for In-Network Binary Operator Tree Placement in Wireless Sensor Networks Zongqing Lu,

More information

Optimal Oblivious Path Selection on the Mesh

Optimal Oblivious Path Selection on the Mesh Optimal Oblivious Path Selection on the Mesh Costas Busch Malik Magon-Ismail Jing Xi Department of Computer Science Rensselaer Polytechnic Institute Troy, NY 280, USA {buschc,magon,xij2}@cs.rpi.eu Abstract

More information

MORA: a Movement-Based Routing Algorithm for Vehicle Ad Hoc Networks

MORA: a Movement-Based Routing Algorithm for Vehicle Ad Hoc Networks : a Movement-Base Routing Algorithm for Vehicle A Hoc Networks Fabrizio Granelli, Senior Member, Giulia Boato, Member, an Dzmitry Kliazovich, Stuent Member Abstract Recent interest in car-to-car communications

More information

BIJECTIONS FOR PLANAR MAPS WITH BOUNDARIES

BIJECTIONS FOR PLANAR MAPS WITH BOUNDARIES BIJECTIONS FOR PLANAR MAPS WITH BOUNDARIES OLIVIER BERNARDI AND ÉRIC FUSY Abstract. We present bijections for planar maps with bounaries. In particular, we obtain bijections for triangulations an quarangulations

More information

Computer Organization

Computer Organization Computer Organization Douglas Comer Computer Science Department Purue University 250 N. University Street West Lafayette, IN 47907-2066 http://www.cs.purue.eu/people/comer Copyright 2006. All rights reserve.

More information

A Plane Tracker for AEC-automation Applications

A Plane Tracker for AEC-automation Applications A Plane Tracker for AEC-automation Applications Chen Feng *, an Vineet R. Kamat Department of Civil an Environmental Engineering, University of Michigan, Ann Arbor, USA * Corresponing author (cforrest@umich.eu)

More information

A Convex Clustering-based Regularizer for Image Segmentation

A Convex Clustering-based Regularizer for Image Segmentation Vision, Moeling, an Visualization (2015) D. Bommes, T. Ritschel an T. Schultz (Es.) A Convex Clustering-base Regularizer for Image Segmentation Benjamin Hell (TU Braunschweig), Marcus Magnor (TU Braunschweig)

More information

Privacy of Recent RFID Authentication Protocols

Privacy of Recent RFID Authentication Protocols Privacy of Recent RFID Authentication Protocols Khale Ouafi 1 an Raphael C.-W. Phan 2 1 Laboratoire e sécurité et e cryptographie (LASEC), Ecole Polytechnique Féérale e Lausanne (EPFL), CH-1015, Switzerlan

More information

USECA. Project Number Project Title Deliverable Type. USECA: UMTS Security Architecture. Deliverable Number Title of Deliverable

USECA. Project Number Project Title Deliverable Type. USECA: UMTS Security Architecture. Deliverable Number Title of Deliverable SEC Project Number Project Title Deliverable Type Security Class Deliverable Number Title of Deliverable Nature of the Deliverable Document reference Contributing WPs Contractual Date of Delivery ctual

More information

AnyTraffic Labeled Routing

AnyTraffic Labeled Routing AnyTraffic Labele Routing Dimitri Papaimitriou 1, Pero Peroso 2, Davie Careglio 2 1 Alcatel-Lucent Bell, Antwerp, Belgium Email: imitri.papaimitriou@alcatel-lucent.com 2 Universitat Politècnica e Catalunya,

More information

Loop Scheduling and Partitions for Hiding Memory Latencies

Loop Scheduling and Partitions for Hiding Memory Latencies Loop Scheuling an Partitions for Hiing Memory Latencies Fei Chen Ewin Hsing-Mean Sha Dept. of Computer Science an Engineering University of Notre Dame Notre Dame, IN 46556 Email: fchen,esha @cse.n.eu Tel:

More information

A Formal Model and Efficient Traversal Algorithm for Generating Testbenches for Verification of IEEE Standard Floating Point Division

A Formal Model and Efficient Traversal Algorithm for Generating Testbenches for Verification of IEEE Standard Floating Point Division A Formal Moel an Efficient Traversal Algorithm for Generating Testbenches for Verification of IEEE Stanar Floating Point Division Davi W. Matula, Lee D. McFearin Department of Computer Science an Engineering

More information

d 3 d 4 d d d d d d d d d d d 1 d d d d d d

d 3 d 4 d d d d d d d d d d d 1 d d d d d d Proceeings of the IASTED International Conference Software Engineering an Applications (SEA') October 6-, 1, Scottsale, Arizona, USA AN OBJECT-ORIENTED APPROACH FOR MANAGING A NETWORK OF DATABASES Shu-Ching

More information

An Energy Efficient Routing for Wireless Sensor Networks: Hierarchical Approach

An Energy Efficient Routing for Wireless Sensor Networks: Hierarchical Approach An Energy Efficient Routing for Wireless Sensor Networks: Hierarchical Approach Nishi Sharma, Vanna Verma Abstract Wireless sensor networks (WSNs) is one of the emerging fiel of research in recent era

More information

Adjacency Matrix Based Full-Text Indexing Models

Adjacency Matrix Based Full-Text Indexing Models 1000-9825/2002/13(10)1933-10 2002 Journal of Software Vol.13, No.10 Ajacency Matrix Base Full-Text Inexing Moels ZHOU Shui-geng 1, HU Yun-fa 2, GUAN Ji-hong 3 1 (Department of Computer Science an Engineering,

More information

Bends, Jogs, And Wiggles for Railroad Tracks and Vehicle Guide Ways

Bends, Jogs, And Wiggles for Railroad Tracks and Vehicle Guide Ways Ben, Jogs, An Wiggles for Railroa Tracks an Vehicle Guie Ways Louis T. Klauer Jr., PhD, PE. Work Soft 833 Galer Dr. Newtown Square, PA 19073 lklauer@wsof.com Preprint, June 4, 00 Copyright 00 by Louis

More information

Backpressure-based Packet-by-Packet Adaptive Routing in Communication Networks

Backpressure-based Packet-by-Packet Adaptive Routing in Communication Networks 1 Backpressure-base Packet-by-Packet Aaptive Routing in Communication Networks Eleftheria Athanasopoulou, Loc Bui, Tianxiong Ji, R. Srikant, an Alexaner Stolyar Abstract Backpressure-base aaptive routing

More information

2-connected graphs with small 2-connected dominating sets

2-connected graphs with small 2-connected dominating sets 2-connecte graphs with small 2-connecte ominating sets Yair Caro, Raphael Yuster 1 Department of Mathematics, University of Haifa at Oranim, Tivon 36006, Israel Abstract Let G be a 2-connecte graph. A

More information

Chapter 5 Proposed models for reconstituting/ adapting three stereoscopes

Chapter 5 Proposed models for reconstituting/ adapting three stereoscopes Chapter 5 Propose moels for reconstituting/ aapting three stereoscopes - 89 - 5. Propose moels for reconstituting/aapting three stereoscopes This chapter offers three contributions in the Stereoscopy area,

More information

Real-time concepts for Software/Hardware Engineering

Real-time concepts for Software/Hardware Engineering Real-time concepts for Software/Harware Engineering Master s thesis of M.C.W. Geilen Date: August 996 Coaches: ing.p.h.a. van er Putten ir.j.p.m. Voeten Supervisor: prof.ir.m.p.j. Stevens Section of Information

More information

Learning Subproblem Complexities in Distributed Branch and Bound

Learning Subproblem Complexities in Distributed Branch and Bound Learning Subproblem Complexities in Distribute Branch an Boun Lars Otten Department of Computer Science University of California, Irvine lotten@ics.uci.eu Rina Dechter Department of Computer Science University

More information

Secure Multiparty Computation

Secure Multiparty Computation Secure Multiparty Computation Li Xiong CS573 Data Privacy and Security Outline Secure multiparty computation Problem and security definitions Basic cryptographic tools and general constructions Yao s Millionnare

More information

Notes for Lecture 24

Notes for Lecture 24 U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof

More information

Indexing the Edges A simple and yet efficient approach to high-dimensional indexing

Indexing the Edges A simple and yet efficient approach to high-dimensional indexing Inexing the Eges A simple an yet efficient approach to high-imensional inexing Beng Chin Ooi Kian-Lee Tan Cui Yu Stephane Bressan Department of Computer Science National University of Singapore 3 Science

More information

Software Reliability Modeling and Cost Estimation Incorporating Testing-Effort and Efficiency

Software Reliability Modeling and Cost Estimation Incorporating Testing-Effort and Efficiency Software Reliability Moeling an Cost Estimation Incorporating esting-effort an Efficiency Chin-Yu Huang, Jung-Hua Lo, Sy-Yen Kuo, an Michael R. Lyu -+ Department of Electrical Engineering Computer Science

More information

Using Vector and Raster-Based Techniques in Categorical Map Generalization

Using Vector and Raster-Based Techniques in Categorical Map Generalization Thir ICA Workshop on Progress in Automate Map Generalization, Ottawa, 12-14 August 1999 1 Using Vector an Raster-Base Techniques in Categorical Map Generalization Beat Peter an Robert Weibel Department

More information

Ad-Hoc Networks Beyond Unit Disk Graphs

Ad-Hoc Networks Beyond Unit Disk Graphs A-Hoc Networks Beyon Unit Disk Graphs Fabian Kuhn, Roger Wattenhofer, Aaron Zollinger Department of Computer Science ETH Zurich 8092 Zurich, Switzerlan {kuhn, wattenhofer, zollinger}@inf.ethz.ch ABSTRACT

More information

EDOVE: Energy and Depth Variance-Based Opportunistic Void Avoidance Scheme for Underwater Acoustic Sensor Networks

EDOVE: Energy and Depth Variance-Based Opportunistic Void Avoidance Scheme for Underwater Acoustic Sensor Networks sensors Article EDOVE: Energy an Depth Variance-Base Opportunistic Voi Avoiance Scheme for Unerwater Acoustic Sensor Networks Safar Hussain Bouk 1, *, Sye Hassan Ahme 2, Kyung-Joon Park 1 an Yongsoon Eun

More information

Parallel Directionally Split Solver Based on Reformulation of Pipelined Thomas Algorithm

Parallel Directionally Split Solver Based on Reformulation of Pipelined Thomas Algorithm NASA/CR-1998-208733 ICASE Report No. 98-45 Parallel Directionally Split Solver Base on Reformulation of Pipeline Thomas Algorithm A. Povitsky ICASE, Hampton, Virginia Institute for Computer Applications

More information

THE increasingly digitized power system offers more data,

THE increasingly digitized power system offers more data, 1 Cyber Risk Analysis of Combine Data Attacks Against Power System State Estimation Kaikai Pan, Stuent Member, IEEE, Anré Teixeira, Member, IEEE, Milos Cvetkovic, Member, IEEE, an Peter Palensky, Senior

More information

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Securing Distributed Computation via Trusted Quorums Yan Michalevsky, Valeria Nikolaenko, Dan Boneh Setting Distributed computation over data contributed by users Communication through a central party

More information

Image compression predicated on recurrent iterated function systems

Image compression predicated on recurrent iterated function systems 2n International Conference on Mathematics & Statistics 16-19 June, 2008, Athens, Greece Image compression preicate on recurrent iterate function systems Chol-Hui Yun *, Metzler W. a an Barski M. a * Faculty

More information

Adjusted Probabilistic Packet Marking for IP Traceback

Adjusted Probabilistic Packet Marking for IP Traceback Ajuste Probabilistic Packet Marking for IP Traceback Tao Peng, Christopher Leckie, an Kotagiri Ramamohanarao 2 ARC Special Research Center for Ultra-Broaban Information Networks Department of Electrical

More information

An Adaptive Routing Algorithm for Communication Networks using Back Pressure Technique

An Adaptive Routing Algorithm for Communication Networks using Back Pressure Technique International OPEN ACCESS Journal Of Moern Engineering Research (IJMER) An Aaptive Routing Algorithm for Communication Networks using Back Pressure Technique Khasimpeera Mohamme 1, K. Kalpana 2 1 M. Tech

More information

EFFICIENT ON-LINE TESTING METHOD FOR A FLOATING-POINT ADDER

EFFICIENT ON-LINE TESTING METHOD FOR A FLOATING-POINT ADDER FFICINT ON-LIN TSTING MTHOD FOR A FLOATING-POINT ADDR A. Droz, M. Lobachev Department of Computer Systems, Oessa State Polytechnic University, Oessa, Ukraine Droz@ukr.net, Lobachev@ukr.net Abstract In

More information

Overview : Computer Networking. IEEE MAC Protocol: CSMA/CA Internet mobility TCP over noisy links

Overview : Computer Networking. IEEE MAC Protocol: CSMA/CA Internet mobility TCP over noisy links Overview 15-441 15-441: Computer Networking 15-641 Lecture 24: Wireless Eric Anerson Fall 2014 www.cs.cmu.eu/~prs/15-441-f14 Internet mobility TCP over noisy links Link layer challenges an WiFi Cellular

More information

Open Access Adaptive Image Enhancement Algorithm with Complex Background

Open Access Adaptive Image Enhancement Algorithm with Complex Background Sen Orers for Reprints to reprints@benthamscience.ae 594 The Open Cybernetics & Systemics Journal, 205, 9, 594-600 Open Access Aaptive Image Enhancement Algorithm with Complex Bacgroun Zhang Pai * epartment

More information

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2

Digital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2 Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................

More information

filtering LETTER An Improved Neighbor Selection Algorithm in Collaborative Taek-Hun KIM a), Student Member and Sung-Bong YANG b), Nonmember

filtering LETTER An Improved Neighbor Selection Algorithm in Collaborative Taek-Hun KIM a), Student Member and Sung-Bong YANG b), Nonmember 107 IEICE TRANS INF & SYST, VOLE88 D, NO5 MAY 005 LETTER An Improve Neighbor Selection Algorithm in Collaborative Filtering Taek-Hun KIM a), Stuent Member an Sung-Bong YANG b), Nonmember SUMMARY Nowaays,

More information

Adaptive Load Balancing based on IP Fast Reroute to Avoid Congestion Hot-spots

Adaptive Load Balancing based on IP Fast Reroute to Avoid Congestion Hot-spots Aaptive Loa Balancing base on IP Fast Reroute to Avoi Congestion Hot-spots Masaki Hara an Takuya Yoshihiro Faculty of Systems Engineering, Wakayama University 930 Sakaeani, Wakayama, 640-8510, Japan Email:

More information

Chapter 10 : Private-Key Management and the Public-Key Revolution

Chapter 10 : Private-Key Management and the Public-Key Revolution COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management

More information

UC Santa Cruz UC Santa Cruz Previously Published Works

UC Santa Cruz UC Santa Cruz Previously Published Works UC Santa Cruz UC Santa Cruz Previously Publishe Works Title Towars Loop-Free Forwaring of Anonymous Internet Datagrams that Enforce Provenance Permalink https://escholarship.org/uc/item/5376h1mm Author

More information