1 / 21

Parallel Mixing

Parallel Mixing. Philippe Golle, PARC Ari Juels, RSA Labs. Is it Bob, Charlie, or self-love?. Nobody loves Bob. I ♥ Alice. Anonymous Channel. Alice. Bob. Charlie. What are Anonymous Channels Useful for?. They underlie most privacy applications: Anonymous elections

nikki
Download Presentation

Parallel Mixing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs

  2. Is it Bob, Charlie, or self-love? Nobody loves Bob I ♥ Alice Anonymous Channel Alice Bob Charlie

  3. What are Anonymous Channels Useful for? • They underlie most privacy applications: • Anonymous elections • Anonymous email • Anonymous payments • Anonymous Web browsing • Censorship resistant publication

  4. Implementation: Mix Network Outputs Inputs

  5. ? ? Mix Network Outputs Inputs ? ? ? One honest server guarantees privacy

  6. A Look Under the Hood… • Sealing an envelope: public key encryption • Decryption key is shared among mix servers • Opening an envelope: joint decryption • Requires cooperation of a quorum of servers • Mixing envelopes: “re-encryption” • We use a randomized encryption scheme: • “many” (2160) different ways to encrypt a message • Re-encryption: create a new ciphertext that decrypts to the same message • Message is unchanged • Ciphertext is unrecognizable • Re-encryption is a public key operation

  7. Computational Cost • Cost of mixing: • Dominated by re-encryption • Re-encryption: 2 modular exponentiations per input • Assume n inputs and k servers • Cost per server: O(n) • Assume sequential mixing • Total mixing time is O(k.n) • Can we decrease the total mixing time? • Most of the mix servers are idle most of the time • Idea: parallelize the mixing!

  8. Batch 1 Batch 2 Batch 2 Batch 3 Batch 3 Batch 1 Parallel Mixing (1st Try) Round 3 Round 2 Round 1 Outputs Inputs Batch 1 Batch 3 Batch 1 Batch 2 Batch 1 Batch 2 Batch 3 Batch 3 Batch 2

  9. Parallel Mixing (1st Try) • Assume n inputs and k servers • Divide inputs into k batches of size n/k • Every server mixes every batch (in parallel) • Computational cost: • Per server: k. (n/k) = n (as before) • Total cost: k. n = kn (as before) • Total mixing time: k.(n/k) = n (instead of kn) • We cut the total mixing time by a factor of k • But: anonymity set is n/k instead of n • Inputs are mixed within a batch • There is no mixing between batches

  10. Building Block: Rotation Round i+1 Round i Batch 1 Batch 1 Rotation: Each server passes its batch on to the next server in round robin fashion Batch 2 Batch 2 Batch 3 Batch 3

  11. Building Block: Distribution Round i+1 Round i Distribution: Each server splits its batch and gives one piece to every other server.

  12. Parallel Mixing Protocol • k’ rounds of mixing & rotation • One distribution • k’ rounds of mixing & rotation • Parameters • n inputs • k mix servers • Adversary controls at most k’ servers (e.g. k’=k-1)

  13. Example ( k=5, k’ =3) Rotation Mixing

  14. Distribution Example ( k=5, k’ =3) Mixing

  15. Example ( k=5, k’ =3) Mixing Rotation Distribution

  16. Parallel Mixing • Protocol • Divide inputs into k batches of size n/k • k’ rounds of mixing and rotation (k’<k) • Distribution • k’ rounds of mixing and rotation • Computational cost: • Per server: 2(k’+1)n/k≤ 2n • Total cost: 2(k’+1)n ≤ 2kn • Total mixing time: 2(k’+1)n/k ≤ 2n • Total mixing time divided by k2/2(k’+1) ≥ k/2 • Anonymity set of size n • Cost per server is at most doubled

  17. Anonymity Set • Recall that the adversary A may • Control up to k’ mix servers • Submit up to a fraction α of the n inputs • Let p0 be an input (not submitted by A). We compute the probability that input p0 became output p1, in the view of A. • Ideally,

  18. Anonymity Set Outputs Distribution Inputs p0 n/k n/k p1 Batch B0 Batch B1

  19. Anonymity Set • Adversary controls no input: • Adversary controls a fraction α of the inputs: (assuming uniform distribution…)

  20. Optimality • Our construction has nearly optimal total mixing time: 2(k’+1)n/k • Proposition: Let A be an adversary who controls k’<k servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least (k’+1)n/k. • Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.

  21. Conclusion • Our protocol reduces total mixing time from O(kn) to O(n) • This is optimal within a factor of 2 • Open problem: exact optimality? • Questions?

More Related