Atom. Horizontally Scaling Strong Anonymity. Albert Kwon Henry Corrigan-Gibbs 10/30/17, SOSP 17

Similar documents
arxiv: v3 [cs.cr] 2 Oct 2017

1 Introduction. Albert Kwon*, David Lazar, Srinivas Devadas, and Bryan Ford Riffle. An Efficient Communication System With Strong Anonymity

Stadium. A Distributed Metadata-private Messaging System. Matei Zaharia Nickolai Zeldovich SOSP 2017

The Loopix Anonymity System

Karaoke. Distributed Private Messaging Immune to Passive Traffic Analysis. David Lazar, Yossi Gilad, Nickolai Zeldovich

Design and Implementation of Privacy-Preserving Surveillance. Aaron Segal

DISSENT: Accountable, Anonymous Communication

Young Hyun Kwon. at the. June Department of Electrical Engineering and Computer Science May 20, ((

CPSC 467b: Cryptography and Computer Security

Dissent: Accountable Anonymous Group Communication

Circuit Fingerprinting Attack: Passive Deanonymization of Tor Hidden Services

Herbivore: An Anonymous Information Sharing System

Maintaining the Anonymity of Direct Anonymous Attestation with Subverted Platforms MIT PRIMES Computer Science Conference October 13, 2018

Securing Distributed Computation via Trusted Quorums. Yan Michalevsky, Valeria Nikolaenko, Dan Boneh

Privacy Preserving Collaborative Filtering

Avoiding The Man on the Wire: Improving Tor s Security with Trust-Aware Path Selection

0x1A Great Papers in Computer Security

Design and Implementation of the Ascend Secure Processor. Ling Ren, Christopher W. Fletcher, Albert Kwon, Marten van Dijk, Srinivas Devadas

Scalable Bias-Resistant Distributed Randomness

Dandelion: Privacy-Preserving Transaction Propagation in Bitcoin s P2P Network

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis

Key establishment in sensor networks

VPriv: Protecting Privacy in Location- Based Vehicular Services

Practical Anonymity for the Masses with MorphMix

Dissent in Numbers: Making Strong Anonymity Scale

PrivCount: A Distributed System for Safely Measuring Tor

Anonymous Communication: DC-nets, Crowds, Onion Routing. Simone Fischer-Hübner PETs PhD course Spring 2012

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

HOST Authentication Overview ECE 525

How Alice and Bob meet if they don t like onions

Metrics for Security and Performance in Low-Latency Anonymity Systems

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

Plaintext Awareness via Key Registration

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

Authentication Part IV NOTE: Part IV includes all of Part III!

A Privacy-Aware Service Protocol for Ubiquitous Computing Environments

An Efficient Scheme for Detecting Malicious Nodes in Mobile ad Hoc Networks

Peer-to-Peer Systems and Security

Block ciphers, stream ciphers

Scavenging for Anonymity with BlogDrop

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Block ciphers. CS 161: Computer Security Prof. Raluca Ada Popa. February 26, 2016

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

Problem: Equivocation!

Yale University Department of Computer Science

ENEE 459-C Computer Security. Security protocols

Ascend: Architecture for Secure Computation on Encrypted Data Oblivious RAM (ORAM)

ENEE 459-C Computer Security. Security protocols (continued)

A Security Infrastructure for Trusted Devices

Cryptanalysis of a Universally Verifiable Efficient Re-encryption Mixnet

Crypto Background & Concepts SGX Software Attestation

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

A SIMPLE INTRODUCTION TO TOR

Security in Data Science

P 5 : A Protocol for Scalable Anonymous Communications

Key establishment in sensor networks

Karaoke: Distributed Private Messaging Immune to Passive Traffic Analysis

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

Low-Cost Traffic Analysis of Tor

Dissent in Numbers: Making Strong Anonymity Scale

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

Design and Analysis of Efficient Anonymous Communication Protocols

What's the buzz about HORNET?

Tor: An Anonymizing Overlay Network for TCP

Secure Programming for Fun and Profit

Concrete cryptographic security in F*

Efficient Private Information Retrieval

Cashmere: Resilient Anonymous Routing

CRYPTOGRAPHIC PROTOCOLS: PRACTICAL REVOCATION AND KEY ROTATION

How to (not) Share a Password:

Analyzing Tor s Anonymity with Machine Learning. Sanjit Bhat, David Lu May 21 st, 2017 Mentor: Albert Kwon

CS 425 / ECE 428 Distributed Systems Fall 2017

Private Web Search with Malicious Adversaries

Chaum, Untraceable Electronic Mail, Return Addresses, and Digital Pseudonym, Communications of the ACM, 24:2, Feb. 1981

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

Remote E-Voting System

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Protocols for Anonymous Communication

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

Low Latency Anonymity with Mix Rings

CS 494/594 Computer and Network Security

Network Security Technology Project

Security. Communication security. System Security

Refresher: Applied Cryptography

Security Analysis of Accountable Anonymity in Dissent

Cooperation in Open Distributed Systems. Stefan Schmid

Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012

CIS 6930/4930 Computer and Network Security. Project requirements

Secure Multi-Hop Infrastructure Access

CSE484 Final Study Guide

M 2 R: ENABLING STRONGER PRIVACY IN MAPREDUCE COMPUTATION

Security issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.

Cryptography: More Primitives

Securing Cloud Computing

Block Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)

Transcription:

Atom Horizontally Scaling Strong Anonymity Albert Kwon Henry Corrigan-Gibbs MIT Stanford Srinivas Devadas Bryan Ford MIT EPFL 10/30/17, SOSP 17

Motivation Anonymous bulletin board (broadcast) in the face of global adversary Protest at 4 p.m.! 2

Anonymous communication networks Anonymity provider (set of servers) 3

Existing systems vs. Atom Properties Tor [USENIX Sec 04] Riposte [Oakland 15] Atom Horizontal Vertical Horizontal Scaling Latency (1 million users) < 10s 11 hrs 28min Anonymity against global adversaries Vulnerable Secure Secure 4

Deployment and threat model Global network adversary A large number of users are malicious Constant fraction of the servers are malicious 20% 5

Atom overview 6

Atom overview 1 2 Layer 1 Layer 2 Layer L 2 4... 4 1 4 1 Unknown random permutation of all inputs 3 1 3 3 2 4 3 2 7

Horizontally scalability Depth Fixed (Independent of the width)... Width More servers => Larger width......... 8

Challenges 1. Guaranteeing anytrust property 9

Challenges 1. Guaranteeing anytrust property 2. Group mixing and routing protocol 1 2 2 2 1 2 1 1 2 1 10

Challenges 1. Guaranteeing anytrust property 2. Group mixing and routing protocol 3. Active adversaries 1 0 2 0 0 0 11

Active attacks 1 0 0 2 0... 0 0 0 3 1 0 0 1 4 0 1 12

Challenges 1. Guaranteeing anytrust property 2. Group mixing and routing protocol 3. Active adversaries 4. Tolerating server churn 1 13

Challenges 1. Guaranteeing anytrust property 2. Group mixing and routing protocol 3. Active adversaries 4. Tolerating server churn 1 14

Generating anytrust groups 20% malicious Public randomness k = 32 Randomly select k servers Pr[group is fully malicious] = 0.2 k Pr[any group is fully malicious] < (# of groups) 0.2 k < 2-64 15

Handling actively malicious servers Trap messages (nonces) Trusted third party & $ # @ Idea: use verifiable trap messages & $... # @ 16

Send trap and real messages in a random order Trusted third party : encrypted for TTP & $ # @ & 2 3 1 $ #... @ 4 17

TTP checks for the traps : encrypted for TTP Trusted third party & $ # @... @ $ 3 & 1 # 2 4 18

What happens when a trap message is dropped? 0 : encrypted for TTP Trusted third party & $ # @... 0 @ $ 3 & 1 # 2 4 19

What happens when a real message is dropped? : encrypted for TTP 0 Trusted third party & $ # @... 0 @ $ 3 & 1 # 2 4 20

Improving the trap messages Distributing the trust in the third party Distributing the trap verification and decryption 21

Properties of trap-based defense If the adversary tampers with any trap, then no plaintext revealed Can remove 1 message with probability ½ Remove t messages with probability 2 -t Realistically remove < ~64 msgs Reactive 22

Two modes of operation Trap messages Zero-knowledge Proof Idea Verify untamperable traps Verify protocol with ZKP Anonymity set size N - t N Defense type Reactive Proactive Latency 1x 4x 23

Implementation ~4000 lines of Go Both trap and ZKP based defenses Code available at github.com/kwonalbert/atom 24

Evaluation setup Heterogenous set of 1024 EC2 servers 80% of the servers were 4-core machines 20% malicious servers Trap messages 160-byte msgs 32 server group Depth = 10 25

Latency is inversely proportional to the number of servers 23x Better 26

Latency scales linearly with the number of users Better 27

Limitations Medium to high latency Denial-of-service Depth = 10 32 server group 28

Related work Strong anonymity but veritically scaling Dissent[OSDI 12], Riffle [PETS 16], Riposte [Oakland 15],... Horizontally scaling systems but weaker anonymity Crowds [ACM 99], Mixminion [Oakland 03], Tor [USENIX Sec 04], Aqua [SIGCOMM 13], Loopix [USENIX Sec 17], Distributed mixing Parallel mix-net [CCS 04], matrix shuffling [Håstad 06], random switching networks [SODA 99, CRYPTO 15],... Private point-to-point messaging Vuvuzela [SOSP 15], Pung [OSDI 16], Stadium [SOSP 17] 29

Conclusion Atom provides horizontally-scaling strong anonymity Global anonymity set Latency is inversely proportional to the number of servers Supports 1 million users with 160 byte msgs in 28min github.com/kwonalbert/atom 30

These icons were acquired from thenounprojcet.com, and are under CC BY 3.0 US Created by H Alberto Gongora Created by H Alberto Gongora Created by Andre Luiz Gollo Created by Creative Stall Created by Anil 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback