Parallel Mixing Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Parallel MixingParallel Mixing
Philippe Golle, PARC
Ari Juels, RSA Labs
Anonymous ChannelAnonymous Channel
Alice CharlieBob
I ♥Alice
Nobodyloves Bob
Is it Bob, Charlie, or self-love?
What are Anonymous Channels What are Anonymous Channels Useful for?Useful for?
They underlie most privacy applications:– Anonymous elections– Anonymous email– Anonymous payments– Anonymous Web browsing– Censorship resistant publication
Implementation: Mix NetworkImplementation: Mix Network
Inputs Outputs
Mix NetworkMix Network
Inputs Outputs
???
One honest server guarantees privacy
?
?
A Look Under the Hood…A Look Under the Hood…
Sealing an envelope: public key encryption– Decryption key is shared among mix servers
Opening an envelope: joint decryption– Requires cooperation of a quorum of servers
Mixing envelopes: “re-encryption”– We use a randomized encryption scheme:
» “many” (2160) different ways to encrypt a message
– Re-encryption: create a new ciphertext that decrypts to the same message
» Message is unchanged
» Ciphertext is unrecognizable
» Re-encryption is a public key operation
Computational CostComputational Cost
Cost of mixing:– Dominated by re-encryption
– Re-encryption: 2 modular exponentiations per input
Assume n inputs and k servers– Cost per server: O(n)– Assume sequential mixing
– Total mixing time is O(k.n)
Can we decrease the total mixing time?
Most of the mix servers are idle most of the time Idea: parallelize the mixing!
k n Total time
3 10,000 8 min
3 100,000 70 min
Batch 1Batch 1
Batch 2
Batch 3
Batch 2
Batch 3
Batch 1Batch 3
Batch 2
Parallel Mixing (1Parallel Mixing (1stst Try) Try)
Inputs Outputs
Batch 1
Batch 2
Batch 3
Round 1 Round 2 Round 3
Batch 3
Batch 1
Batch 2
Parallel Mixing (1Parallel Mixing (1stst Try) Try)
Assume n inputs and k servers– Divide inputs into k batches of size n/k– Every server mixes every batch (in parallel)
Computational cost:– Per server: k. (n/k) = n (as before)– Total cost: k. n = kn (as before)– Total mixing time: k.(n/k) = n (instead of kn)
We cut the total mixing time by a factor of k But: anonymity set is n/k instead of n
– Inputs are mixed within a batch– There is no mixing between batches
Batch 3
Batch 2
Batch 1
Building Block: Rotation Building Block: Rotation
Batch 1
Batch 2
Batch 3
Round i Round i+1
Rotation:Each serverpasses itsbatch on to thenext server in round robinfashion
Building Block: Distribution Building Block: Distribution
Round i Round i+1
Distribution:Each serversplits its batch and gives onepiece to everyother server.
Parallel Mixing ProtocolParallel Mixing Protocol
k’ rounds of mixing & rotation One distribution k’ rounds of mixing & rotation
Parameters– n inputs– k mix servers– Adversary controls at most k’ servers (e.g. k’=k-1)
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
RotationMixing
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
Distribution
Mixing
Example ( Example ( kk=5, =5, k’ k’ =3) =3)
Distribution
RotationMixing
Parallel MixingParallel Mixing
Protocol– Divide inputs into k batches of size n/k– k’ rounds of mixing and rotation (k’<k)– Distribution– k’ rounds of mixing and rotation
Computational cost:– Per server: 2(k’+1)n/k ≤ 2n– Total cost: 2(k’+1)n ≤ 2kn– Total mixing time: 2(k’+1)n/k ≤ 2n
Total mixing time divided by k2/2(k’+1) ≥ k/2 Anonymity set of size n Cost per server is at most doubled
Anonymity SetAnonymity Set
Recall that the adversary A may– Control up to k’ mix servers– Submit up to a fraction α of the n inputs
Let p0 be an input (not submitted by A). We compute the probability
that input p0 became output p1, in the view of A.
Ideally,
),( 10 ppPA
)1(
1),( 10 n
ppPA
Anonymity SetAnonymity Set
|)|/|)(|/(
||/),(
10
102
10 BAknBAkn
BAknppPA
Inputs Outputs
p0
p1
Distribution
n/k n/k
Batch B0 Batch B1
Anonymity SetAnonymity Set
Adversary controls no input:
Adversary controls a fraction α of the inputs:
|)|/|)(|/(
||/),(
10
102
10 BAknBAkn
BAknppPA
nknkn
knppPA
1
)/)(/(
/),(
2
10
)1(
1
)//)(//(
//),(
22
10
nknknknkn
knknppPA
(assuming uniform distribution…)
OptimalityOptimality
Our construction has nearly optimal total mixing time: 2(k’+1)n/k
Proposition: Let A be an adversary who controls k’<k servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least (k’+1)n/k.
Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.
ConclusionConclusion
Our protocol reduces total mixing time from O(kn) to O(n)
This is optimal within a factor of 2– Open problem: exact optimality?
Questions?
Related Documents
