Stadium. A Distributed Metadata-private Messaging System. Matei Zaharia Nickolai Zeldovich SOSP 2017

Similar documents
Karaoke. Distributed Private Messaging Immune to Passive Traffic Analysis. David Lazar, Yossi Gilad, Nickolai Zeldovich

The Loopix Anonymity System

Vuvuzela: Scalable Private Messaging Resistant to Traffic Analysis

Atom. Horizontally Scaling Strong Anonymity. Albert Kwon Henry Corrigan-Gibbs 10/30/17, SOSP 17

How Alice and Bob meet if they don t like onions

Karaoke: Distributed Private Messaging Immune to Passive Traffic Analysis

arxiv: v3 [cs.cr] 2 Oct 2017

0x1A Great Papers in Computer Security

CS526: Information security

PrivCount: A Distributed System for Safely Measuring Tor

1 Introduction. Albert Kwon*, David Lazar, Srinivas Devadas, and Bryan Ford Riffle. An Efficient Communication System With Strong Anonymity

communication Claudia Díaz Katholieke Universiteit Leuven Dept. Electrical Engineering g ESAT/COSIC October 9, 2007 Claudia Diaz (K.U.

DISSENT: Accountable, Anonymous Communication

Hiding Amongst the Clouds

Introduction to Traffic Analysis. George Danezis University of Cambridge, Computer Laboratory

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Safely Measuring Tor. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. EJ Jung

DIY Hosting for Online Privacy

Impact of Network Topology on Anonymity and Overhead in Low-Latency Anonymity Networks

A SIMPLE INTRODUCTION TO TOR

Algorand: Scaling Byzantine Agreements for Cryptocurrencies

CPSC 467b: Cryptography and Computer Security

DIY Hosting for Online Privacy. Shoumik Palkar and Matei Zaharia Stanford University

ENEE 459-C Computer Security. Security protocols

ENEE 459-C Computer Security. Security protocols (continued)

SDN-based Network Obfuscation. Roland Meier PhD Student ETH Zürich

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012

THE SECOND GENERATION ONION ROUTER. Roger Dingledine Nick Mathewson Paul Syverson. -Presented by Arindam Paul

Lecture 8: Privacy and Anonymity Using Anonymizing Networks. CS 336/536: Computer Network Security Fall Nitesh Saxena

Tor: An Anonymizing Overlay Network for TCP

System-Level Failures in Security

The Google File System

Mapping Internet Sensors with Probe Response Attacks

Young Hyun Kwon. at the. June Department of Electrical Engineering and Computer Science May 20, ((

Protocols for Anonymous Communication

CNT Computer and Network Security: Privacy/Anonymity

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, autumn 2015

An Overview of Secure Multiparty Computation

Shadow: Real Applications, Simulated Networks. Dr. Rob Jansen U.S. Naval Research Laboratory Center for High Assurance Computer Systems

Metrics for Security and Performance in Low-Latency Anonymity Systems

Anonymity. Assumption: If we know IP address, we know identity

Anonymization of Network Traces Using Noise Addition Techniques

The Impact of Optics on HPC System Interconnects

Optimizing Network Performance in Distributed Machine Learning. Luo Mai Chuntao Hong Paolo Costa

Tor: The Second-Generation Onion Router. Roger Dingledine, Nick Mathewson, Paul Syverson

Data Sheet Gigamon Visibility Platform for AWS

VPriv: Protecting Privacy in Location- Based Vehicular Services

A MEASUREMENT STUDY ON CO-RESIDENCE THREAT INSIDE THE CLOUD

New Directions in Traffic Measurement and Accounting. Need for traffic measurement. Relation to stream databases. Internet backbone monitoring

CISC859: Topics in Advanced Networks & Distributed Computing: Network & Distributed System Security. A Brief Overview of Security & Privacy Issues

Dissent: Accountable Anonymous Group Communication

Privacy Enhancing Technologies CSE 701 Fall 2017

A proposal for verifiable intra-institutional elections over Plone

Wei Wang, Mehul Motani and Vikram srinivasan Department of Electrical & Computer Engineering National University of Singapore, Singapore

Anonymous Communications

NaaS Network-as-a-Service in the Cloud

CS 134 Winter Privacy and Anonymity

SoftNAS Cloud Performance Evaluation on AWS

Anonymity C S A D VA N C E D S E C U R I T Y TO P I C S P R E S E N TAT I O N BY: PA N AY I OTO U M A R KO S 4 T H O F A P R I L

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

2 ND GENERATION ONION ROUTER

Performance Analysis of TCP Variants

Definition. Quantifying Anonymity. Anonymous Communication. How can we calculate how anonymous we are? Who you are from the communicating party

CE Advanced Network Security Anonymity II

Homomorphic Encryption. By Raj Thimmiah

INTERNATIONAL LAW ENFORCEMENT CCTV NETWORK SERVICES

CS 161 Computer Security

Mapping Internet Sensors with Probe Response Attacks

Scalable Distributed Training with Parameter Hub: a whirlwind tour

Data Centers and Cloud Computing. Slides courtesy of Tim Wood

MixApart: Decoupled Analytics for Shared Storage Systems

Tungsten Security Whitepaper

P 5 : A Protocol for Scalable Anonymous Communications

GUIDE. Optimal Network Designs with Cohesity

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Data Centers and Cloud Computing. Data Centers

VNF Chain Allocation and Management at Data Center Scale

HOST Differential Power Attacks ECE 525

AMAZON S3 FOR SCIENCE GRIDS: A VIABLE SOLUTION?

Efficient Private Information Retrieval

Interdomain Routing Design for MobilityFirst

Achieving Privacy in Mesh Networks

Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

Share Count Analysis HEADERS

2.1 Basic Cryptography Concepts

SCALE AND SECURE MOBILE / IOT MQTT TRAFFIC

Course Curriculum for Master Degree in Network Engineering and Security

CSE 124: THE DATACENTER AS A COMPUTER. George Porter November 20 and 22, 2017

2 Application Support via Proxies Onion Routing can be used with applications that are proxy-aware, as well as several non-proxy-aware applications, w

Anonymity. With material from: Dave Levin and Michelle Mazurek

Towards an Integrated System Model for Testing and Verification

Dyadic Enterprise. Unbound Key Control For Azure Marketplace. The Secure-As-Hardware Software With a Mathematical Proof

Interconnection Networks: Topology. Prof. Natalie Enright Jerger

RIGHTNOW A C E

Securely Outsourcing Garbled Circuit Evaluation

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Lecture 26: Interconnects. James C. Hoe Department of ECE Carnegie Mellon University

Secure Path-Key Revocation for Symmetric Key Pre-distribution Schemes in Sensor Networks

Transcription:

Stadium A Distributed Metadata-private Messaging System Nirvan Tyagi Yossi Gilad Derek Leung Matei Zaharia Nickolai Zeldovich SOSP 2017

Previous talk: Anonymous broadcast

This talk: Private messaging Alice Bob

Problem: Communication metadata Alice Bob (oncologist)

Goal: Hiding communication metadata Stadium Alice Bob (oncologist)

Related work Metadata-private systems with cryptographic security limited in throughput. Dissent [OSDI 12], Riposte [S&P 15] Pung [OSDI 16], Atom [SOSP 17] ~ 1.5-65 K messages / min

Related work Metadata-private systems with cryptographic security limited in throughput. Dissent [OSDI 12], Riposte [S&P 15] Pung [OSDI 16], Atom [SOSP 17] ~ 1.5-65 K messages / min Throughput increased by relaxing guarantees to differential privacy. Vuvuzela [SOSP 15] ~ 2 M messages / min

Related work Metadata-private systems with cryptographic security limited in throughput. Dissent [OSDI 12], Riposte [S&P 15] Pung [OSDI 16], Atom [SOSP 17] ~ 1.5-65 K messages / min Throughput increased by relaxing guarantees to differential privacy. Vuvuzela [SOSP 15] Stadium [SOSP 17] ~ 2 M messages / min > 10 M messages / min First metadata-private messaging system to scale horizontally

Vuvuzela: Differentially private messaging Dead-drops: virtually hosted addresses at which user messages are exchanged dead-drops

Vuvuzela: Differentially private messaging Dead-drops: virtually hosted addresses at which user messages are exchanged Mixnet: servers re-randomize and permute messages mixnet

Vuvuzela: Differentially private messaging Dead-drops: virtually hosted addresses at which user messages are exchanged Mixnet: servers re-randomize and permute messages Noise: servers add fake messages to obscure adversary observations

Scaling limitations Every server handles all messages Running a server is expensive (e.g. 2M users / minute = 1.3 Gbps)

Challenge: How to distribute workload across untrustworthy servers? 1. How to mix messages? 2. How to add noise?

Stadium design Collaborative noise generation + verifiable parallel mixnet

Stadium design Collaborative noise generation + verifiable parallel mixnet

Stadium design Collaborative noise generation + verifiable parallel mixnet

Contributions Stadium design Parallel mixnet Collaborative noise generation Verifiable processing including fast zero-knowledge proofs of shuffle Multidimensional differential privacy analysis Implementation and evaluation of prototype 10 M messages/min with per-server costs of ~100 Mbps

Parallel mixnets with cryptographic security of mixing have large depth. Iterated butterfly topology [ICALP 14] as used by Atom [SOSP 17] Large depth not good for low latency applications Repeat One butterfly iteration # of servers

Stadium uses 2-layer mixnet with differential privacy analysis.

Traffic analysis attacks take advantage of uneven routings. Trace messages by modeling likely paths through mixnet ( Borisov [PET 05] )

Traffic analysis attacks take advantage of uneven routings. Trace messages by modeling likely paths through mixnet ( Borisov [PET 05] ) Even if links are padded with dummy messages, adversary can incorporate adversary-known inputs and outputs to infer uneven routing

Traffic analysis attacks take advantage of uneven routings. Trace messages by modeling likely paths through mixnet ( Borisov [PET 05] ) Even if links are padded with dummy messages, adversary can incorporate adversary-known inputs and outputs to infer uneven routing

Traffic analysis attacks take advantage of uneven routings. Trace messages by modeling likely paths through mixnet ( Borisov [PET 05] ) Even if links are padded with dummy messages, adversary can incorporate adversary-known inputs and outputs to infer uneven routing

Add noise messages to provide differential privacy for uneven routings. Adversary manipulates padding through known message injection Unlike padding, noise messages are independent of adversary action

Noising internal links not helpful if messages aren t mixed. Adversary learns path of all messages through compromised servers

Noising internal links not helpful if messages aren t mixed. Adversary learns path of all messages through compromised servers

Ensure mixing by organizing providers into small groups of servers. Probability of compromise with random assignment falls exponentially with group size

Problem: Scaling noise generation Vuvuzela server # of fake messages

Problem: Distributed noise generation Stadium servers Aggregate # of fake messages

Problem: Distributed noise generation Stadium servers probability distribution Aggregate # of fake messages

Poisson distribution for distributed noise generation Additive Discrete Non-negative Noise mechanism Laplace Gaussian Poisson Poisson provides all properties nicely

Multidimensional analysis for reducing noise requirements When a user changes communication pattern, only a few links are affected Reduce noise by a factor of where is probability link is affected

Verifiable processing pipeline Ensure noise messages stay in system Utilize various cryptographic zero knowledge proofs of integrity Hybrid verification scheme Zero knowledge proof of shuffle is bottleneck processing cost Multicore Bayer-Groth verifiable shuffle on Curve25519 ~ 20X performance speedup over state of the art E.g. 100K ciphertext shuffle speedup from 128 seconds to ~7 seconds

Implementation Prototype Control and networking logic in Go (2500 lines of code) Verifiable processing protocols in C++ (9000 lines of code) Highly optimized Bayer-Groth verifiable shuffle implementation Available at github.com/nirvantyagi/stadium

Evaluation Recall goal: horizontal scalability with inexpensive servers What is the cost of operating a Stadium server? Does Stadium horizontally scale?

Evaluation methodology Deploy Stadium on up to 100 Amazon c4.8xlarge EC2 VMs 36 virtual cores, 60 GB memory US East region Message size: 144 B Extrapolate scaling patterns to larger deployment sizes

Operating costs of a Stadium server are relatively small 88-173 Mbps 6-13% of Vuvuzela s 1.3Gbps Bandwidth is dominant cost Operating costs ~ $110 / month* Top 300 of relays in Tor offer > 140 Mbps *W. Norton. 2010. Internet Transit Prices - Historical and Projected. Technical Report. http://drpeering.net/white-papers/ Internet-Transit-Pricing-Historical-And-Projected.php

Messages are effectively distributed across servers to reduce latency Stadium

Conclusion Stadium: high-throughput, horizontally-scaling, metadata-private system Verifiable parallel mixnet resistant to traffic analysis Fast zero-knowledge proofs of shuffle Collaborative noise generation with Poisson distribution Multidimensional differential privacy analysis Implementation and evaluation of prototype Prototype at github.com/nirvantyagi/stadium

Reserve Slides

Dead-drop message exchange d4cf2802a26e60e489a0b6949a8d881c d4cf2802a26e60e489a0b6949a8d881c e0784f9889a878fdb3c6c27d6a8318fb

Dead-drop message exchange

Dead-drop message exchange Easy to observe conversations

Dead-drop message exchange d4cf2802a26e60e... e0784f9889a878f...

Dead-drop message exchange

Dead-drop message exchange d4cf2802a26e60e... 2 0 e0784f9889a878f... 1 Dead-drop access counts reveal conversation 0

Dead-drop message exchange d4cf2802a26e60e... 2 0 e0784f9889a878f... 1 Dead-drop access counts reveal conversation 0 Add noise to access counts with fake messages!

Differential Privacy Pr[Alice talking to Bob] Pr[Alice not talking to Bob]

Differential Privacy Pr[Alice talking to Bob] Pr[Alice not talking to Bob] probability no noise 0 1 # of 2-message dead-drops

Differential Privacy Pr[Alice talking to Bob] Pr[Alice not talking to Bob] probability no noise with noise 0 1 # of 2-message dead-drops ~1000

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback