Karaoke - USENIX...• Karaoke provides differential privacy against a global active adversary •...
Transcript of Karaoke - USENIX...• Karaoke provides differential privacy against a global active adversary •...
David Lazar, Yossi Gilad, Nickolai Zeldovich
KaraokeDistributed Private Messaging
Immune to Passive Traffic Analysis
�1
Motivation: Report a crime without getting fired
Journalist
You’re Fired if you talk to the journalist!
Govt. Employees
Govt. Boss(Adversary)
!2
Bob
Goal: Metadata-Private Text Messaging
Text Messaging App
Bob
!3
• Watches the network • Runs some of the servers
Threat Model: Global Adversary
Bob
!4
Can we prevent him from learning who Bob is chatting with?
Prior ApproachesVuvuzela [SOSP 15]Stadium [SOSP 17]
Pung [OSDI 16]Dissent [OSDI 14]
Privacy
No Privacy Guarantee Differential Privacy Cryptographic Privacy
!5
Prior ApproachesVuvuzela [SOSP 15]Stadium [SOSP 17]
Pung [OSDI 16]Dissent [OSDI 14]
Privacy
Scalability
Differential Privacy Cryptographic PrivacyNo Privacy Guarantee
!6
Scalability is critical for security
Whistleblower
Journalist !7
Bob
App must scale to everyone, so it isn’t suspicious when Bob joins
Whistleblower
Journalist !8
Bob
Contributions
• Karaoke: a distributed metadata-private messaging system that scales to more users
• Cryptographic privacy against passive attackers.
• Differential privacy against active attackers.
• 8s end-to-end latency with 4M users.
• 5x to 11x faster than prior work.
!9
Insight: treat passive and active attackers separately
!10
Privacy
Scalability
Karaoke
No Privacy Differential Privacy Cryptographic Privacy
activeattacker
passiveattacker
Global Passive Adversary
• Watches the network • Runs some of the servers
!11
Observations by Adversary
!12
Inputs Server State +
Network Links
Outputs
Observations by Adversary
!13
Inputs
Hiding inputs: constant cover traffic in rounds
!14
Round 1 Round 2
Hiding outputs
!15
Outputs
Hiding outputs with dead drops [Vuvuzela]
!16
Dead drops
• Dead drop: designated location to exchange messages.
• Named by pseudorandom ID, so reveals nothing about the users.
• When two users access the same dead drop, their messages are exchanged.
• Idle users result in dead drop with one access.
Dead drops alone are insufficient
!17
Obvious from outputs if Alice and Bob are chatting.
Chatting Not Chatting
Alice
Bob
Vuvuzela generates dummy accesses (noise)
!18
Chatting Not Chatting
Differential privacy: no single round reveals much, but many rounds of observation might reveal a pattern.
Karaoke dead drops are always doubles
!19
Chatting Not Chatting
Message doubling provides cryptographic privacy
!20
Chatting Not Chatting
Cryptographic privacy: adversary can’t distinguish whether Alice
and Bob are chatting
Observations by Adversary
!21
Inputs Server State +
Network links
Outputs
Mixnet Review
!22
1 2 3
Dead drops
Guarantee: if one server is honest, adversary can not tell which users accessed
which dead drops
Distributed Mixnet: each server processes subset of messages
1
2
3
4
5
!23
…
Users pick random paths through the network
1
2
3
4
5
1
2
3
4
5
1
2
3
4
5
1
2
3
4
5
Hop 1 Hop 2 Hop 3 Hop 4
!24
Servers decrypt and shuffle incoming messages at each hop
Hop 1 Hop 2 Hop 3 Hop 4
!25
Last hop does the dead drop exchanges
Hop 1 Hop 2 Hop 3 Hop 4
!26
Dead drops
Challenge: network links between hops show Alice is talking to Bob!
Hop 1 Hop 2 Hop 3 Hop 4
!27
Karaoke’s message doubling gives us some hope!
Hop 1 Hop 2 Hop 3 Hop 4
!28
Possible cases for the last hop
!29
Chatting Not Chatting
Goal: make these cases indistinguishable so the rest of
the links don’t matter.
!30
Tangled Messages
=OR
Tangling one of Alice’s and one of Bob’s messages achieves our goal
!31
Tangled Messages
=OR
Last hop
An honest server tangles messages
!32
Last hop
Problem: Alice and Bob’s messages might not intersect at an honest server
!33
1
2
3
4
Last hop
Problem: Alice and Bob’s messages might not intersect at an honest server
!34
1
2
3
4
…
…Assume the paths of Alice’s and
Bob’s other messages are completely compromised.
Karaoke servers generate dummy messages that can be used for tangling
!35
…
…
noise
1
2
3
4Bob
Bob’s message is now tangled with noise
!36
…
…
noise
1
2
3
4Bob
Similarly, Alice’s message can tangle with noise
!37
…
…
noise
1
2
3
4
Alice
Is it possible that the noise messages swapped places?
!38
…
…
1
2
3
4
As a result, Alice’s and Bob’s messages could also have switched places
!39
…
…
1
2
3
4
Tangling with high probability
• The “shape” we just saw is a bit complicated, but it enables Alice and Bob to get tangled with high probability
• Assuming 80% of the servers are honest
• 14 hops results in tangling with high probability
• Servers need to add a small amount of noise messages per outgoing link
!40
Karaoke Summary
!41
Inputs Server State +
Network links
Dead drops
Defending against a global active adversary
• Karaoke provides differential privacy against a global active adversary
• Karaoke adds additional noise messages to protect against message drops
• Due to message doubling, active attacks (message drops) are rare and detectable, so Karaoke needs far less noise compared to prior work.
• We use bloom filters to ensure malicious servers don’t discard the noise. (See paper)
!42
Implementation
• 4000 lines of Go code
• Major CPU cost is onion decryption
• Configured to resist 200 active attacks per user (see paper)
!43
Evaluation
• Does Karaoke support a large number of users with good end-to-end latency?
• How does Karaoke’s performance compare to prior work?
• Does it scale? (i.e., does Karaoke support more users by adding more servers?)
!44
Experimental Setup
• 50 to 200 Amazon EC2 instances
• c4.8xlarge (36 cores) instances for comparison to Vuvuzela and Stadium
• c5.8xlarge instances for all other experiments
• 10 Gbps links
• 100 ms of simulated network latency between instances
!45
Karaoke achieves low latency for many users
!46
0 s
20 s
40 s
60 s
80 s
100 s
120 s
140 s
160 s
2M 4M 6M 8M 10M 12M 14M 16M
Late
ncy
for
user
mes
sage
s
Number of users
Karaoke
6s 8s 10s16s
22s27s
35s39s
Vuvuzela
10s
37s
55s
Stadium
68s
136s
Karaoke is CPU bound
!47
0 s
20 s
40 s
60 s
80 s
100 s
120 s
140 s
160 s
2M 4M 6M 8M 10M 12M 14M 16M
Late
ncy
for
user
mes
sage
s
Number of users
Karaoke (c5)
6s 6s 7s 8s16s 18s
27s 28s
Karaoke (c4)
6s 8s 10s16s
22s27s
35s39s
Vuvuzela
10s
37s
55s
Stadium
68s
136s
Karaoke supports more users by adding servers
!48
0 s2 s4 s6 s8 s
10 s12 s
50 60 80 100 150 200
Late
ncy
for
user
mes
sage
s
Number of servers
25K users/server
Conclusion
• Karaoke: distributed metadata-private messaging system that scales to more people
• Cryptographic privacy against passive attackers
• Technique: message doubling + message tangling
• 8 seconds end-to-end latency for 4 million users
• 5x-11x faster than Vuvuzela/Stadium
!49
https://vuvuzela.io
!50