Spy vs. spy: Anonymous messaging over networks. Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannan Ramchandran, Pramod Viswanath

Transcription

1 Spy vs. spy: Anonymous messaging over networks Giulia Fanti, Peter Kairouz, Sewoong Oh, Kannan Ramchandran, Pramod Viswanath

2 Some people have important, sensitive things to say.

3 Others have less important, sensitive things to say.

4 4

5 Privacy can help. 5

6 Existing anonymous messaging apps Alice Thank you to all the blood donors 6

7 Existing anonymous messaging apps Bob Mary Server Alice Centralized networks are not truly anonymous! 7

8 Compromises in anonymity Avoid trusting servers to do the right thing 8

9 Objective Design a distributed messaging mechanism that: (a) spreads content fast (b) gives authors anonymity 9

10 What can adversaries do? Snapshot Spy-based Full oversight 10 / 54

11 First-Order Solution: Distributed Messaging Bob Mary Alice Snapshot and spy-based adversaries can still infer the source! 11

12 Information flow in social networks message author Diffusion has statistical symmetry 12

13 Disease flow in populations patient zero [Shah and Zaman 2011, Pinto et al. 2012, Zhu et al. 2013] 13

14 Information flow in social networks High likelihood Diffusion spreading = deanonymization Low likelihood [Shah, Zaman 2011] 14

15 Deanonymization on Social Networks Probability of Detection Diffusion Lower bound, 1/N [Seo et al., 2012, SPIE] Number of nodes with message (N) 15

16 First-order solution doesn t work. Spreads fast J Bad anonymity properties L 16

17 Lessons Learned 1) Diffusion = deanonymization 17

18 Engineer the spread to hide authorship. 18

19 Key idea: Break the symmetry. Direction Time 19

20 Breaking symmetry: Adaptive diffusion High likelihood Provides provable anonymity guarantees [Spy vs. Spy: Rumor Source Obfuscation, ACM Sigmetrics 2015] Low likelihood 20

21 d-regular trees: adaptive diffusion Initially, the author is also the virtual source 21

22 d-regular trees: adaptive diffusion Break directional symmetry 22

23 d-regular trees: adaptive diffusion Break directional symmetry chosen neighbor = new virtual source 23

24 d-regular trees: adaptive diffusion Break directional symmetry 24

25 d-regular trees: adaptive diffusion Break temporal symmetry keep the virtual source token pass the virtual source token 25

26 keep the virtual source token 26

27 pass the virtual source token new virtual source 27

28 pass the virtual source token 28

29 Results d-regular trees Irregular trees Facebook graph Snapshot [1] [2] [1] Spy-based [3] [3] [3] [1] Spy vs. Spy: Rumor Source Obfuscation, Sigmetrics 2015 [2] Rumor Source Obfuscation on Irregular Trees, to appear in Sigmetrics 2016 [3] Under review 29

30 Snapshot adversary Craig Bob Mary David Alice 30

31 When to keep the virtual source token? node degree distance from source Virtual source token is kept with probability α = d 1 'h 31

32 Maximum likelihood detection High likelihood Low likelihood All nodes except for the final virtual source are equally likely THEOREM: Probability of detection = ) *') 32

33 hop distance from source h = 1 h = 2 Pr(keep token) Likelihood = ). α Likelihood = ). )'1.') Tree degree Want these to be equal: ( = % & 33

34 Lessons Learned 1) Diffusion = deanonymization 2) For anonymity, break symmetry. 34

35 Irregular trees 3 w. p. 0.7 d 2 = 3 5 w. p. 0.3 d <?@ = 5 d <=> = 3 35

36 How do we analyze this? d 2 = 3 d <=> w. p. p <=> d <?@ w. p. p <?@ 1 P detection snapshot) = min d 2 2 PQRSQT 2 W(2,2 Z ) Path from v to virtual source Degree of node v If p <=> d <=> 1 > 1 min 2 PQRSQT [ d 2 d <=> 1 ]/_ 2 W(2,2 Z ) THEOREM: Probability of detection ) (.`ab ')) Z/c 36

37 Irregular trees Probability of Detection 10-1 Adaptive Diffusion 1-hop Preferential Attachment 2-hop Preferential Attachment 3-hop Preferential Attachment 1/N T Timestep (T) 37

38 Proof sketch for 3 w. p. 0.7 d 2 = 3 5 w. p. 0.3 min 2 PQRSQT [ d 2 d <=> 1 ]/_ 2 W(2,2 Z ) 3 w. p. 0.7 d 2 = 3 1 w. p If p <=> d <=> 1 > 1 then the pruned process survives. 38

39 Lessons Learned 1) Diffusion = deanonymization 2) For anonymity, break symmetry. 3) For more anonymity, hide in a crowd. 39

40 Facebook graph Probability of Detection Adaptive diffusion Diffusion Perfect hiding Nodes Infected (N) 40

41 Results Snapshot d-regular trees Irregular trees Facebook graph Optimal Near-optimal High anonymity Spy-based 41

42 Spy-based adversary -message -T = 8:40 pm Craig Bob Mary With probability p David Alice -message -T = 9:10 pm Adversary sees metadata at spy nodes 42

43 Result on d-regular trees Probability of detection d=3 d=4 d=5 d=15 d=30 d=100 p Spy probability, p Lower bound on detection T = THEOREM: Probability of detection = p + o(p) 43

44 Facebook Graph Probability of detection D Lower bound, p Adaptive diffusion Diffusion, q=0.1 Diffusion, q=0.5 Lower bound on detection Spy probability, p 44

45 Results Snapshot d-regular trees Irregular trees Facebook graph Optimal Near-optimal High anonymity Spy-based Asymptotically- Optimal ML Estimator High anonymity 45

46 Adaptive Diffusion Pros Strong anonymity Fast spreading Distributed Lightweight Cons No guarantees for general graphs Sub-optimal spreading Passes around state 46

47 Wildfire: P2P Anonymous Microblogging Namespace resolution Cyberbullying 47

48 Related Work Adversary Waidner et al., `90, Golle and Juels, `04 Dining Cryptographer Networks Chaum `88 Robson et al. `03 Corrigan-Gibbs et al. `10 Wolinsky et al., `12 F. et al, `15 F. et al, `16 Statistical anonymity Scalability 48

49 Ongoing Work Cellular Location Privacy Anonymous Messaging Cyberbullying Prevention Physical Network Algorithms Social Science Vibration-based Biometrics Anonymous P2P Networking 49

50 Cellular Location Privacy Songbin Gong, Microwave Circuits Pramod Viswanath, Wireless Comm. 50

51 Anonymous P2P Messaging 51

52 Cyberbullying Prevention Suma Bhat, NLP Dorothy Espelage, Educational Psychology 52

53 Ongoing Work Cellular Location Privacy Anonymous Messaging Cyberbullying Prevention Physical Network Algorithms Social Science Vibration-based Biometrics Anonymous P2P Networking 53

54 Acknowledgments Suma Bhat Romit Roy Choudhury Peter Kairouz Dorothy Espelage Sewoong Oh Hongyu Gong Kannan Ramchandran Songbin Gong Pramod Viswanath 54 / 54