Anonymous Channel
Alice   Charlie   Bob
I ♥ Alice
Nobody loves Bob
Is it Bob, Charlie, or self-love?
What are Anonymous Channels Useful for?
They underlie most privacy applications:
– Anonymous elections
– Anonymous email
– Anonymous payments
– Anonymous Web browsing
– Censorship resistant publication
A Look Under the Hood…
Sealing an envelope: public key encryption
– Decryption key is shared among mix servers
Opening an envelope: joint decryption
– Requires cooperation of a quorum of servers
Mixing envelopes: “re-encryption”
– We use a randomized encryption scheme:
» “many” (2^160) different ways to encrypt a message
– Re-encryption: create a new ciphertext that decrypts to the same message
» Message is unchanged
» Ciphertext is unrecognizable
» Re-encryption is a public key operation
Computational Cost
Cost of mixing:
– Dominated by re-encryption
– Re-encryption: 2 modular exponentiations per input
Assume n inputs and k servers
– Cost per server: O(n)
– Assume sequential mixing
– Total mixing time is O(k·n)
Can we decrease the total mixing time?
Most of the mix servers are idle most of the time
Idea: parallelize the mixing!
k n Total time
3 10,000 8 min
3 100,000 70 min
Parallel Mixing (1st Try)
[Figure: the inputs are split into Batch 1, Batch 2 and Batch 3, which pass through Round 1, Round 2 and Round 3 to the outputs]
Parallel Mixing (1st Try)
Assume n inputs and k servers
– Divide inputs into k batches of size n/k
– Every server mixes every batch (in parallel)
Computational cost:
– Per server: k·(n/k) = n (as before)
– Total cost: k·n = kn (as before)
– Total mixing time: k·(n/k) = n (instead of kn)
We cut the total mixing time by a factor of k
But: anonymity set is n/k instead of n
– Inputs are mixed within a batch
– There is no mixing between batches
Building Block: Rotation
[Figure: Batch 1, Batch 2 and Batch 3 passing from Round i to Round i+1]
Rotation: Each server passes its batch on to the next server in round-robin fashion.
Building Block: Distribution
[Figure: batches passing from Round i to Round i+1]
Distribution: Each server splits its batch and gives one piece to every other server.
Parallel Mixing Protocol
– k’ rounds of mixing & rotation
– One distribution
– k’ rounds of mixing & rotation
Parameters
– n inputs
– k mix servers
– Adversary controls at most k’ servers (e.g. k’=k-1)
Parallel Mixing
Protocol
– Divide inputs into k batches of size n/k
– k’ rounds of mixing and rotation (k’<k)
– Distribution
– k’ rounds of mixing and rotation
Computational cost:
– Per server: 2(k’+1)n/k ≤ 2n
– Total cost: 2(k’+1)n ≤ 2kn
– Total mixing time: 2(k’+1)n/k ≤ 2n
Total mixing time divided by k^2/(2(k’+1)) ≥ k/2
Anonymity set of size n
Cost per server is at most doubled
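An added example, not part of the original slides: a simulation of the schedule above on plain labels, checking the per-server cost and comparing where an input can end up with and without the distribution step. Assumptions: a shuffle stands in for re-encrypt-and-permute, each half is taken as k’+1 mixing steps separated by k’ rotations (inferred from the 2(k’+1)n/k cost), piece j of a split batch goes to server j, and the names `parallel_mix` and `reachable_positions` are hypothetical.

```python
import random

def parallel_mix(n, k, k_prime, rng, distribute=True):
    """Run the mixing schedule on plain labels 0..n-1 (a shuffle stands in
    for re-encrypt-and-permute). Returns (outputs, work, handlers)."""
    assert 0 < k_prime < k and n % (k * k) == 0
    size, piece = n // k, n // (k * k)
    batches = [list(range(s * size, (s + 1) * size)) for s in range(k)]
    work = [0] * k                                    # re-encryptions per server
    handlers = {i: (set(), set()) for i in range(n)}  # servers seen in each half

    def mix_and_rotate(half):
        # Assumption: one half = k'+1 mixing steps with k' rotations between them.
        nonlocal batches
        for step in range(k_prime + 1):
            for s in range(k):
                rng.shuffle(batches[s])
                work[s] += size
                for item in batches[s]:
                    handlers[item][half].add(s)
            if step < k_prime:  # rotation: server s passes its batch to s+1
                batches = [batches[(s - 1) % k] for s in range(k)]

    mix_and_rotate(0)
    if distribute:  # server s cuts its batch into k pieces; piece j goes to server j
        batches = [[x for s in range(k) for x in batches[s][j * piece:(j + 1) * piece]]
                   for j in range(k)]
    mix_and_rotate(1)
    return [x for b in batches for x in b], work, handlers

def reachable_positions(n, k, k_prime, distribute, trials=2000, seed=1):
    """Output positions at which input 0 was observed over many runs."""
    rng = random.Random(seed)
    return {parallel_mix(n, k, k_prime, rng, distribute)[0].index(0)
            for _ in range(trials)}

if __name__ == "__main__":
    n, k, k_prime = 36, 3, 2  # constructed sample parameters
    out, work, handlers = parallel_mix(n, k, k_prime, random.Random(0))
    print("work per server:", work, "expected", 2 * (k_prime + 1) * n // k)
    print("servers per input per half:",
          {len(h) for hs in handlers.values() for h in hs})
    print("with distribution:", len(reachable_positions(n, k, k_prime, True)))
    print("without distribution:", len(reachable_positions(n, k, k_prime, False)))
```

Because every input is handled by k’+1 distinct servers in each half, at least one of them is outside the adversary's k’ servers both before and after the distribution.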
Anonymity Set
Recall that the adversary A may
– Control up to k’ mix servers
– Submit up to a fraction α of the n inputs
Let $p_0$ be an input (not submitted by A). We compute the probability $P_A(p_0, p_1)$ that input $p_0$ became output $p_1$, in the view of A.
Ideally,
$$P_A(p_0, p_1) = \frac{1}{(1-\alpha)n}$$
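Anonymity Set
$$P_A(p_0, p_1) = \frac{n/k^2 - |A \cap B_{0,1}|}{(n/k - |A \cap B_0|)(n/k - |A \cap B_1|)}$$
[Figure: input $p_0$ in Batch $B_0$ (size n/k) and output $p_1$ in Batch $B_1$ (size n/k), connected through the Distribution step between Inputs and Outputs]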
Anonymity Set
$$P_A(p_0, p_1) = \frac{n/k^2 - |A \cap B_{0,1}|}{(n/k - |A \cap B_0|)(n/k - |A \cap B_1|)}$$
Adversary controls no input:
$$P_A(p_0, p_1) = \frac{n/k^2}{(n/k)(n/k)} = \frac{1}{n}$$
Adversary controls a fraction α of the inputs:
$$P_A(p_0, p_1) = \frac{n/k^2 - \alpha n/k^2}{(n/k - \alpha n/k)(n/k - \alpha n/k)} = \frac{1}{(1-\alpha)n}$$
(assuming uniform distribution…)
Optimality
Our construction has nearly optimal total mixing time: 2(k’+1)n/k
Proposition: Let A be an adversary who controls k’<k servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least (k’+1)n/k.
Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.