Riposte: An Anonymous Messaging System Handling Millions of Users


Henry Corrigan-Gibbs, Dan Boneh, and David Mazières
Stanford University

Abstract

This paper presents Riposte, a new system for anonymous broadcast messaging. Riposte is the first such system, to our knowledge, that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques used in systems for private information retrieval and secure multi-party computation. For latency-tolerant workloads with many more readers than writers (e.g. Twitter, Wikileaks), we demonstrate that a three-server Riposte cluster can build an anonymity set of 2,895,216 users in 32 hours.

1 Introduction

In a world of ubiquitous network surveillance [7, 35, 36, 40, 63], prospective whistleblowers face a daunting task. Consider, for example, a government employee who wants to anonymously leak evidence of waste, fraud, or incompetence to the public. The whistleblower could email an investigative reporter directly, but post hoc analysis of email server logs could easily reveal the tipster's identity. The whistleblower could contact a reporter via Tor [28] or another low-latency anonymizing proxy [32, 54, 60, 72], but this would leave the leaker vulnerable to traffic-analysis attacks [4, 61, 62]. The whistleblower could instead use an anonymous messaging system that protects against traffic analysis attacks [15, 39, 78], but these systems typically only support relatively small anonymity sets (tens of thousands of users, at most). Protecting whistleblowers in the digital age requires anonymous messaging systems that provide strong security guarantees, but that also scale to very large network sizes.

This is the extended version of a paper by the same name that appeared at the IEEE Symposium on Security and Privacy in May.

In this paper, we present a new system that attempts to make traffic-analysis-resistant anonymous broadcast messaging practical at Internet scale.
Our system, called Riposte, allows a large number of clients to anonymously post messages to a shared bulletin board, maintained by a small set of minimally trusted servers. (As few as three non-colluding servers are sufficient.) Whistleblowers could use Riposte as a platform for anonymously publishing Tweet- or email-length messages and could combine it with standard public-key encryption to build point-to-point private messaging channels. While there is an extensive literature on anonymity systems [23, 29], Riposte offers a combination of security and scalability properties unachievable with current designs. To the best of our knowledge, Riposte is the only anonymous messaging system that simultaneously:
1. protects against traffic analysis attacks,
2. prevents malicious clients from anonymously executing denial-of-service attacks, and
3. scales to anonymity set sizes of millions of users, for certain latency-tolerant applications.

We achieve these three properties in Riposte by adapting three different techniques from the cryptography and privacy literature. First, we defeat traffic-analysis attacks and protect against malicious servers by using a protocol, inspired by client/server DC-nets [15, 78], in which every participating client sends a fixed-length secret-shared message to the system's servers in every time epoch. Second, we achieve efficient disruption resistance by using a secure multi-party protocol to quickly detect and exclude malformed client requests [30, 42, 79]. Third, we achieve scalability by leveraging a specific technique developed in the context of private information retrieval (PIR) to minimize the number of bits each client must upload to each server in every time epoch. The tool we use is called a distributed point function [17, 38]. The novel synthesis of these techniques leads to a system that is efficient (in terms of bandwidth and computation) and practical, even for large anonymity sets.
Our particular use of private information retrieval (PIR) protocols is unusual: PIR systems [18] allow a client to efficiently read a row from a database, maintained collectively at a set of servers, without revealing to the servers which row it is reading. Riposte achieves scalable anonymous messaging by running a private information retrieval protocol in reverse: with reverse PIR, a Riposte client can efficiently write into a database maintained at the set of servers without revealing to the servers which row it has written [68]. As we discuss later on, a large Riposte deployment could form the basis for an anonymous Twitter service. Users would tweet by using Riposte to anonymously write into a database containing all clients' tweets for a particular time period. In addition, by having read-only users submit empty writes to the system, the effective anonymity set can be much larger than the number of writers, with little impact on system performance.

Messaging in Riposte proceeds in regular time epochs (e.g., each time epoch could be one hour long). To post a message, the client generates a write request, cryptographically splits it into many shares, and sends one share to each of the Riposte servers. A coalition of servers smaller than a certain threshold cannot learn anything about the client's message or write location given its subset of the shares. The Riposte servers collect write requests until the end of the time epoch, at which time they publish the aggregation of the write requests they received during the epoch. From this information, anyone can recover the set of posts uploaded during the epoch, but the system reveals no information about who posted which message. The identity of the entire set of clients who posted during the interval is known, but no one can link a client to a post. (Thus, each time epoch must be long enough to ensure that a large number of honest clients are able to participate in each epoch.)

In this paper, we describe two Riposte variants, which offer slightly different security properties.
The first variant scales to very large network sizes (millions of clients) but requires three servers such that no two of these servers collude. The second variant is more computationally expensive, but provides security even when all but one of the s > 1 servers are malicious. Both variants maintain their security properties when network links are actively adversarial, when all but two of the clients are actively malicious, and when the servers are actively malicious (subject to the non-collusion requirement above). The three-server variant uses a computationally inexpensive multi-party protocol to detect and exclude malformed client requests. (Figure 1 depicts this protocol at a high level.) The s-server variant uses client-produced zero-knowledge proofs to guarantee the well-formedness of client requests.

Unlike Tor [28] and other low-latency anonymity systems [39, 49, 54, 72], Riposte protects against active traffic analysis attacks by a global network adversary. Prior systems have offered traffic-analysis-resistance only at the cost of scalability: mix-net-based systems [16] require large zero-knowledge proofs of correctness to provide privacy in the face of active attacks by malicious servers [2, 5, 33, 46, 66]. DC-nets-based systems require clients to transfer data linear in the size of the anonymity set [15, 78] and rely on expensive zero-knowledge proofs to protect against malicious clients [21, 45]. We discuss these systems and other prior work in Section 7.

Experiments. To demonstrate the practicality of Riposte for anonymous broadcast messaging (i.e., anonymous whistleblowing or microblogging), we implemented and evaluated the complete three-server variant of the system. When the servers maintain a database table large enough to fit 65, byte Tweets, the system can process 32.8 client write requests per second. In Section 6.3, we discuss how to use a table of this size as the basis for very large anonymity sets in read-heavy applications. When using a larger 377 MB database table (over 2.3 million 160-byte Tweets), a Riposte cluster can process 1.4 client write requests per second.
Writing into a 377 MB table requires each client to upload less than 1 MB of data to the servers. In contrast, a two-server DC-net-based system would require each client to upload more than 750 MB of data. More generally, to process a Riposte client request for a table of size L, clients and servers perform only $O(\sqrt{L})$ bytes of data transfer. The servers' AES-NI encryption throughput limits the rate at which Riposte can process client requests at large table sizes. Thus, the system's capacity to handle client write requests scales with the number of available CPU cores. A large Riposte deployment could shard the database table across k machines to achieve a near-k-fold speedup.

We tested the system with anonymity set sizes of up to 2,895,216 clients, with a read-heavy latency-tolerant microblogging workload. To our knowledge, this is the largest anonymity set ever constructed in a system defending against traffic analysis attacks. Prior DC-net-based systems scaled to 5,120 clients [78] and prior verifiable-shuffle-based systems scaled to 100,000 clients [5]. In contrast, Riposte scales to millions of clients for certain applications.

Figure 1: The process of handling a single client write request. The servers run this process once per client in each time epoch. (a) A client submits one share of its write request to each of the two database servers. If the database has length L, each share has length $O(\sqrt{L})$. (b) The database servers generate blinded audit request messages derived from their shares of the write request. (c) The audit server uses the audit request messages to validate the client's request and returns an OK or Invalid bit to the database servers. (d) The servers apply the write request to their local database state. The XOR of the servers' states contains the client's message at the given row.

Contributions. This paper contributes:
- two new bandwidth-efficient and traffic-analysis-resistant anonymous messaging protocols, obtained by running private information retrieval protocols in reverse (Sections 3 and 4),
- a fast method for excluding malformed client requests (Section 5),
- a method to recover from transmission collisions in DC-net-style anonymity systems,
- experimental evaluation of these protocols with anonymity set sizes of up to 2,895,216 users (Section 6).

In Section 2, we introduce our goals, threat model, and security definitions. Section 3 presents the high-level system architecture. Section 4 and Section 5 detail our techniques for achieving bandwidth efficiency and disruption resistance in Riposte. We evaluate the performance of the system in Section 6, survey related work in Section 7, and conclude in Section 8.

2 Goals and Problem Statement

In this section, we summarize the high-level goals of the Riposte system and present our threat model and security definitions.

2.1 System Goals

Riposte implements an anonymous bulletin board using a primitive we call a write-private database scheme. Riposte enables clients to write into a shared database, collectively maintained at a small set of servers, without revealing to the servers the location or contents of the write.
Conceptually, the database table is just a long fixed-length bitstring divided into fixed-length rows. To write into the database, a client generates a write request. The write request encodes the message to be written and the row index at which the client wants to write. (A single client write request modifies a single database row at a time.) Using cryptographic techniques, the client splits its write request into a number of shares and the client sends one share to each of the servers. By construction of the shares, no coalition of servers smaller than a particular pre-specified threshold can learn the contents of a single client's write request. While the cluster of servers must remain online for the duration of a protocol run, a client need only stay online for long enough to upload its write request to the servers. As soon as the servers receive a write request, they can apply it to their local state.

The Riposte cluster divides time into a series of epochs. During each time epoch, servers collect many write requests from clients. When the servers agree that the epoch has ended, they combine their shares of the database to reveal the clients' plaintext messages. A particular client's anonymity set consists of all of the honest clients who submitted write requests to the servers during the time epoch. Thus, if 50,000 distinct honest clients submitted write requests during a particular time epoch, each honest client is perfectly anonymous amongst this set of 50,000 clients. The epoch could be measured in time (e.g., 4 hours), in a number of write requests (e.g., accumulate 10,000 write requests before ending the epoch), or by some more complicated condition (e.g., wait for a write request signed from each of these 150 users identified by a predefined list of public keys). The definition of what constitutes an epoch is crucial for security, since a client's anonymity set is only as large as the number of honest clients who submit write requests in the same epoch [74].
When using Riposte as a platform for anonymous microblogging, the rows would be long enough to fit a Tweet (140 bytes) and the number of rows would be some multiple of the number of anticipated users. To anonymously Tweet, a client would use the write-private database scheme to write its message into a random row of the database. After many clients have written to the database, the servers can reveal the clients' plaintext Tweets. The write-privacy of the database scheme prevents eavesdroppers, malicious clients, and coalitions of malicious servers (smaller than a particular threshold) from learning which client posted which message.

2.2 Threat Model

Clients in our system are completely untrusted: they may submit maliciously formed write requests to the system and may collude with servers or with arbitrarily many other clients to try to break the security properties of the system.

Servers in our system are trusted for availability. The failure, whether malicious or benign, of any one server renders the database state unrecoverable but does not compromise the anonymity of the clients. To protect against benign failures, server maintainers could implement a single logical Riposte server with a cluster of many physical servers running a standard state-machine-replication protocol [55, 67].

For each of the cryptographic instantiations of Riposte, there is a threshold parameter t that defines the number of malicious servers that the system can tolerate while still maintaining its security properties. We make no assumptions about the behavior of malicious servers: they can misbehave by publishing their secret keys, by colluding with coalitions of up to t malicious servers and arbitrarily many clients, or by mounting any other sort of attack against the system. The threshold t depends on the particular cryptographic primitives in use. For our most secure scheme, all but one of the servers can collude without compromising client privacy (t = Servers − 1). For our most efficient scheme, no two servers can collude (t = 1).
2.3 Security Goals

The Riposte system implements a write-private and disruption-resistant database scheme. We describe the correctness and security properties for such a scheme here.

Definition 1 (Correctness). The scheme is correct if, when all servers execute the protocol faithfully, the plaintext state of the database revealed at the end of a protocol run is equal to the result of applying each valid client write request to an empty database (i.e., a database of all zeros).

Since we rely on all servers for availability, correctness need only hold when all servers run the protocol correctly. To be useful as an anonymous bulletin board, the database scheme must be write-private and disruption resistant. We define these security properties here.

(s, t)-Write Privacy. Intuitively, the system provides (s, t)-write-privacy if an adversary's advantage at guessing which honest client wrote into a particular row of the database is negligibly better than random guessing, even when the adversary controls all but two clients and up to t out of s servers (where t is a parameter of the scheme). We define this property in terms of a privacy game, given in full in Appendix A.

Definition 2 ((s, t)-Write Privacy). We say that the protocol provides (s, t)-write privacy if the adversary's advantage in the security game of Appendix A is negligible in the (implicit) security parameter.

Riposte provides a very robust sort of privacy: the adversary can select the messages that the honest clients will send and can send maliciously formed messages that depend on the honest clients' messages. Even then, the adversary still cannot guess which client uploaded which message.

Disruption resistance. The system is disruption resistant if an adversary who controls n clients can write into at most n database rows during a single time epoch. A system that lacks disruption resistance might be susceptible to denial-of-service attacks: a malicious client could corrupt every row in the database with a single write request. Even worse, the write privacy of the system might prevent the servers from learning which client was the disruptor.
Preventing such attacks is a major focus of prior anonymous messaging schemes [15, 39, 45, 76, 78]. Under our threat model, we trust all servers for availability of the system (though not for privacy). Thus, our definition of disruption resistance concerns itself only with clients attempting to disrupt the system; we do not try to prevent servers from corrupting the database state.

We formally define disruption resistance using the following game, played between a challenger and an adversary. In this game, the challenger plays the role of all of the servers and the adversary plays the role of all clients.
1. The adversary sends n write requests to the challenger (where n is less than or equal to the number of rows in the database).
2. The challenger runs the protocol for a single time epoch, playing the role of the servers. The challenger then combines the servers' database shares to reveal the plaintext output.

The adversary wins the game if the plaintext output contains more than n non-zero rows.

Definition 3 (Disruption Resistance). We say that the protocol is disruption resistant if the probability that the adversary wins the game above is negligible in the (implicit) security parameter.

2.4 Intersection Attacks

Riposte makes it infeasible for an adversary to determine which client posted which message within a particular time epoch. If an adversary can observe traffic patterns across many epochs, as the set of online clients changes, the adversary can make statistical inferences about which client is sending which stream of messages [25, 52, 57]. These intersection or statistical disclosure attacks affect many anonymity systems and defending against them is an important, albeit orthogonal, problem [57, 77]. Even so, intersection attacks typically become more difficult to mount as the size of the anonymity set increases, so Riposte's support for very large anonymity sets makes it less vulnerable to these attacks than are many prior systems.

3 System Architecture

As described in the prior section, a Riposte deployment consists of a small number of servers, who maintain the database state, and a large number of clients. To write into the database, a client splits its write request using secret sharing techniques and sends a single share to each of the servers. Each server updates its database state using the client's share. After collecting write requests from many clients, the servers combine their shares to reveal the plaintexts represented by the write requests. The security requirement is that no coalition of t servers can learn which client wrote into which row of the database.

3.1 A First-Attempt Construction: Toy Protocol

As a starting point, we sketch a simple straw man construction that demonstrates the techniques behind our scheme.
This first-attempt protocol shares some design features with anonymous communication schemes based on client/server DC-nets [15, 78]. In the simple scheme, we have two servers, A and B, and each server stores an L-bit bitstring, initialized to all zeros. We assume for now that the servers do not collude, i.e., that one of the two servers is honest. The bitstrings represent shares of the database state and each row of the database is a single bit.

Consider a client who wants to write a 1 into row l of the database. To do so, the client generates a random L-bit bitstring r. The client sends r to server A and $r \oplus e_l$ to server B, where $e_l$ is an L-bit vector of zeros with a one at index l and $\oplus$ denotes bitwise XOR. Upon receiving the write request from the client, each server XORs the received string into its share of the database. After processing n write requests, the database state at server A will be:
$$d_A = r_1 \oplus \cdots \oplus r_n$$
and the database at server B will be:
$$d_B = (e_{l_1} \oplus \cdots \oplus e_{l_n}) \oplus (r_1 \oplus \cdots \oplus r_n) = (e_{l_1} \oplus \cdots \oplus e_{l_n}) \oplus d_A$$
At the end of the time epoch, the servers can reveal the plaintext database by combining their local states $d_A$ and $d_B$.

The construction generalizes to fields larger than $\mathbb{F}_2$. For example, each row of the database could be a k-bit bitstring instead of a single bit. To prevent impersonation, network-tampering, and replay attacks, we use authenticated and encrypted channels with per-message nonces bound to the time epoch identifier.

This protocol satisfies the write-privacy property as long as the two servers do not collude (assuming that the clients and servers deploy the replay attack defenses mentioned above). Indeed, server A can information-theoretically simulate its view of a run of the protocol given only $e_{l_1} \oplus \cdots \oplus e_{l_n}$ as input. A similar argument shows that the protocol is write-private with respect to server B as well.

This first-attempt protocol has two major limitations. The first limitation is that it is not bandwidth-efficient. If millions of clients want to use the system in each time epoch, then the database must be at least millions of bits in length.
To flip a single bit in the database then, each client must send millions of bits to each database, in the form of a write request. The second limitation is that it is not disruption resistant: a malicious client can corrupt the entire database with a single malformed request. To do so, the malicious client picks random L-bit bitstrings r and r', sends r to server A, and sends r' (instead of $r \oplus e_l$) to server B. Thus, a single malicious client can efficiently and anonymously deny service to all honest clients. Improving bandwidth efficiency and adding disruption resistance are the two core contributions of this work, and we return to them in Sections 4 and 5.

3.2 Collisions

Putting aside the issues of bandwidth efficiency and disruption resistance for the moment, we now discuss the issue of colliding writes to the shared database. If clients write into random locations in the database, there is some chance that one client's write request will overwrite a previous client's message. If client A writes message $m_A$ into location l, client B might later write message $m_B$ into the same location l. In this case, row l will contain $m_A \oplus m_B$, and the contents of row l will be unrecoverable.

To address this issue, we set the size of the database table to be large enough to accommodate the expected number of write requests for a given success rate. For example, the servers can choose a table size that is large enough to accommodate $2^{10}$ write requests such that 95% of write requests will not be involved in a collision (in expectation). Under these parameters, 5% of the write requests will fail and those clients will have to resubmit their write requests in a future time epoch.

We can determine the appropriate table size by solving a simple balls and bins problem. If we throw m balls independently and uniformly at random into n bins, how many bins contain exactly one ball? Here, the m balls represent the write requests and the n bins represent the rows of the database. Let $B_{ij}$ be the event that ball i falls into bin j. For all i and j, $\Pr[B_{ij}] = 1/n$. Let $O_i^{(1)}$ be the event that exactly one ball falls into bin i. Then
$$\Pr\left[O_i^{(1)}\right] = \frac{m}{n}\left(1 - \frac{1}{n}\right)^{m-1}$$
Expanding using the binomial theorem and ignoring low order terms we obtain
$$\Pr\left[O_i^{(1)}\right] \approx \frac{m}{n} - \left(\frac{m}{n}\right)^2 + \frac{1}{2}\left(\frac{m}{n}\right)^3$$
where the approximation ignores terms of order $(m/n)^4$ and $o(1/n)$. Then $n \Pr[O_i^{(1)}]$ is the expected number of bins with exactly one ball, which is the expected number of messages successfully received.
Dividing this quantity by m gives the expected success rate, so that:
$$\mathbb{E}[\text{SuccessRate}] = \frac{n}{m}\Pr\left[O_i^{(1)}\right] \approx 1 - \frac{m}{n} + \frac{1}{2}\left(\frac{m}{n}\right)^2$$
So, if we want an expected success rate of 95% then we need $n \approx 19.5m$. For example, with $m = 2^{10}$ writers, we would use a table of size $n \approx 20{,}000$.

Handling collisions. We can shrink the table size n by coding the writes so that we can recover from collisions. We show how to handle two-way collisions, that is, when at most two clients write to the same location in the database. Let us assume that the messages being written to the database are elements in some field $\mathbb{F}$ of odd characteristic (say $\mathbb{F} = \mathbb{F}_p$ where $p$ is prime). We replace the XOR operation used in the basic scheme by addition in $\mathbb{F}$. To recover from a two-way collision we will need to double the size of each cell in the database, but the overall number of cells n will shrink by more than a factor of two.

When a client A wants to write the message $m_A \in \mathbb{F}$ to location l in the database, the client will actually write the pair $(m_A, m_A^2) \in \mathbb{F}^2$ into that location. Clearly if no collision occurs at location l then recovering $m_A$ at the end of the epoch is trivial: simply drop the second coordinate (it is easy to test that no collision occurred because the second coordinate is a square of the first). Now, suppose a collision occurs with some client B who also added her own message $(m_B, m_B^2) \in \mathbb{F}^2$ to the same location l (and no other client writes to location l). Then at the end of the epoch the published values are
$$S_1 = m_A + m_B \pmod p \quad\text{and}\quad S_2 = m_A^2 + m_B^2 \pmod p$$
From these values it is quite easy to recover both $m_A$ and $m_B$ by observing that
$$2S_2 - S_1^2 = (m_A - m_B)^2 \pmod p$$
from which we obtain $m_A - m_B$ by taking a square root modulo p (it does not matter which of the two square roots we use; they both lead to the same result). Since $S_1 = m_A + m_B$ is also given, it is now easy to recover both $m_A$ and $m_B$.

Now that we can recover from two-way collisions we can shrink the number of cells n in the table. Let $O_i^{(2)}$ be the event that exactly two balls fell into bin i.
Then the expected number of received messages is
$$n \Pr\left[O_i^{(1)}\right] + 2n \Pr\left[O_i^{(2)}\right] \qquad (1)$$
where
$$\Pr\left[O_i^{(2)}\right] = \binom{m}{2}\left(\frac{1}{n}\right)^2\left(1 - \frac{1}{n}\right)^{m-2}.$$
As before, dividing the expected number of received messages (1) by m, expanding using the binomial theorem, and ignoring low order terms gives the expected success rate as:
$$\mathbb{E}[\text{SuccessRate}] \approx 1 - \frac{1}{2}\left(\frac{m}{n}\right)^2 + \frac{1}{3}\left(\frac{m}{n}\right)^3$$
So, if we want an expected success rate of 95% we need a table with $n \approx 2.7m$ cells. This is a far smaller table than before, when we could not handle collisions. In that case we needed $n \approx 19.5m$, which results in much bigger tables, despite each cell being half as big. Shrinking the table reduces the storage and computational burden on the servers.

This two-way collision handling technique generalizes to handle k-way collisions for k > 2. To handle k-way collisions, we increase the size of each cell by a factor of k and have each client write $(m, m^2, \ldots, m^k) \in \mathbb{F}^k$ to its chosen cell. A k-collision gives k equations in k variables that can be efficiently solved to recover all k messages, as long as the characteristic of $\mathbb{F}$ is greater than k. Using k > 2 further reduces the table size as the desired success rate approaches one. The collision handling method described in this section will also improve performance of our full system, which we describe in the next section.

Adversarial collisions. The analysis above assumes that clients behave honestly. Adversarial clients, however, need not write into random rows of the database, i.e., all m balls might not be thrown independently and uniformly at random. A coalition of clients might, for example, try to increase the probability of collisions by writing into the database using some malicious strategy. By symmetry of writes we can assume that all $\hat{m}$ adversarial clients write to the database before the honest clients do. Now a message from an honest client is properly received at the end of an epoch if it avoids all the cells filled by the malicious clients. We can therefore carry out the honest client analysis above assuming the database contains $n - \hat{m}$ cells instead of n cells. In other words, given a bound $\hat{m}$ on the number of malicious clients we can calculate the required table size n. In practice, if too many collisions are detected at the end of an epoch the servers can adaptively double the size of the table so that the next epoch has fewer collisions.
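The following is an added example and not code from the Riposte paper or its implementation. It sizes the table with the balls-and-bins formulas of this section (exact expression and the low-order expansions, with and without two-way handling) and recovers messages from a cell's published sums $(S_1, S_2)$ using the $(m, m^2)$ encoding. The prime $P = 2^{127}-1$ (chosen so that $P \equiv 3 \pmod 4$ and square roots are a single exponentiation), the function names and the `simulate_epoch` harness are this example's own choices; the page does not give the paper's value of $p$.

```python
# Added example (not from the Riposte paper): table sizing via the
# balls-and-bins analysis of Section 3.2, and two-way collision recovery
# over F_p using the (m, m^2) encoding.
import math
import secrets

# Assumption: a prime P with P = 3 (mod 4), so a square root of a quadratic
# residue a is a^((P+1)/4) mod P. The paper's own choice of p is not on this page.
P = 2**127 - 1


def success_rate_exact(m: int, n: int, two_way: bool = False) -> float:
    """Expected fraction of m writes recoverable from an n-cell table.

    Without collision handling a write survives only if its cell holds exactly
    one ball; with two-way handling, cells holding two balls also yield both
    messages (equation (1) in the text)."""
    p1 = (m / n) * (1 - 1 / n) ** (m - 1)                        # Pr[O_i^(1)]
    received = n * p1
    if two_way:
        p2 = math.comb(m, 2) * (1 / n) ** 2 * (1 - 1 / n) ** (m - 2)  # Pr[O_i^(2)]
        received += 2 * n * p2
    return received / m


def success_rate_approx(m: int, n: int, two_way: bool = False) -> float:
    """The text's low-order expansions in x = m/n."""
    x = m / n
    if two_way:
        return 1 - x**2 / 2 + x**3 / 3
    return 1 - x + x**2 / 2


def min_table_size(m: int, target: float, two_way: bool = False) -> int:
    """Smallest n (on a coarse 1% grid) whose exact expected success rate reaches target."""
    n = m
    while success_rate_exact(m, n, two_way) < target:
        n += max(1, n // 100)
    return n


def encode(msg: int) -> tuple:
    """Client-side encoding: the cell receives (m, m^2) instead of m."""
    return (msg % P, msg * msg % P)


def sqrt_mod_p(a: int) -> int:
    """Candidate square root mod P for P = 3 mod 4; caller verifies d*d == a."""
    return pow(a, (P + 1) // 4, P)


def decode_cell(s1: int, s2: int):
    """Recover the message(s) summed into one cell from its published (S1, S2).

    Returns [] for an untouched cell, [m] when no collision occurred (S2 is the
    square of S1), [m_A, m_B] for a two-way collision, and None when
    2*S2 - S1^2 is not a square. Three-or-more-way collisions are NOT reliably
    detected by this encoding (about half of them decode to a wrong pair), which
    is why the table is sized to make them rare."""
    if s1 == 0 and s2 == 0:
        return []
    if s2 == s1 * s1 % P:
        return [s1]
    d2 = (2 * s2 - s1 * s1) % P          # (m_A - m_B)^2
    d = sqrt_mod_p(d2)
    if d * d % P != d2:
        return None
    inv2 = pow(2, -1, P)
    m_a = (s1 + d) * inv2 % P            # either root gives the same pair
    m_b = (s1 - d) * inv2 % P
    return sorted([m_a, m_b])


def simulate_epoch(messages: list, n: int, rows: list = None) -> list:
    """Clients add (m, m^2) into their chosen rows; at epoch end each cell's
    sums are decoded. `rows` fixes the write locations (for tests); otherwise
    every client picks a uniformly random row, as in the text."""
    table = [(0, 0)] * n
    for i, msg in enumerate(messages):
        l = secrets.randbelow(n) if rows is None else rows[i]
        a, b = encode(msg)
        s1, s2 = table[l]
        table[l] = ((s1 + a) % P, (s2 + b) % P)
    return [decode_cell(s1, s2) for s1, s2 in table]
```

With $m = 2^{10}$, `min_table_size` lands near 20,000 cells without collision handling and near 2,900 with two-way handling, matching the $19.5m$ and $2.7m$ figures of the text (the exact formula is slightly more conservative than the truncated expansion). The consistency check in `decode_cell` is what lets the servers tell a clean cell from a damaged one; it cannot distinguish every damaged cell, so the sizing analysis remains necessary.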
3.3 Forward Security

Even the first-attempt scheme sketched in Section 3.1 provides forward security in the event that all of the servers' secret keys are compromised [14]. To be precise: an adversary could compromise the state and secret keys of all servers after the servers have processed n write requests from honest clients, but before the time epoch has ended. Even in this case, the adversary will be unable to determine which of the n clients submitted which of the n plaintext messages with a non-negligible advantage over random guessing. (We assume here that clients and servers communicate using encrypted channels which themselves have forward secrecy [51].)

This forward security property means that clients need not trust that $s - t$ servers stay honest forever, just that they are honest at the moment when the client submits its upload request. Being able to weaken the trust assumption about the servers in this way might be valuable in hostile environments, in which an adversary could compromise a server at any time without warning. Mix-nets do not have this property, since servers must accumulate a set of onion-encrypted messages before shuffling and decrypting them [16]. If an adversary always controls the first mix server and if it can compromise the rest of the mix servers after accumulating a set of ciphertexts, the adversary can deanonymize all of the system's users. DC-net-based systems that use blame protocols to retroactively discover disruptors have a similar weakness [20, 78]. The full Riposte protocol maintains this forward security property.

4 Improving Bandwidth Efficiency with Distributed Point Functions

This section describes how application of private information retrieval techniques can improve the bandwidth efficiency of the first-attempt protocol.

Notation. The symbol $\mathbb{F}$ denotes an arbitrary finite field, and $\mathbb{Z}_L$ is the ring of integers modulo L. We use $e_l \in \mathbb{F}^L$ to represent a vector that is zero everywhere except at index $l \in \mathbb{Z}_L$, where it has value 1.
Thus, for $m \in \mathbb{F}$, the vector $m \cdot e_l \in \mathbb{F}^L$ is the vector whose value is zero everywhere except at index l, where it has value m. For a finite set S, the notation $x \leftarrow_R S$ indicates that the value of x is sampled independently and uniformly at random from S. The element $v[i]$ is the value of a vector v at index i. We index vectors starting at zero.

4.1 Definitions

The bandwidth inefficiency of the protocol sketched above comes from the fact that the client must send an L-bit vector to each server to flip a single bit in the logical database. To reduce this O(L) bandwidth overhead, we apply techniques inspired by private information retrieval protocols [17, 18, 38]. The problem of private information retrieval (PIR) is essentially the converse of the problem we are interested in here. In PIR, the client must read a bit from a replicated database without revealing to the servers the index being read. In our setting, the client must write a bit into a replicated database without revealing to the servers the index being written. Ostrovsky and Shoup first made this connection in the context of a private information storage protocol [68].

PIR schemes allow the client to split its query to the servers into shares such that (1) a subset of the shares does not leak information about the index of interest, and (2) the length of the query shares is much less than the length of the database. The core building block of many PIR schemes, which we adopt for our purposes, is a distributed point function. Although Gilboa and Ishai [38] defined distributed point functions as a primitive only recently, many prior PIR schemes make implicit use of the primitive [17, 18]. Our definition of a distributed point function follows that of Gilboa and Ishai, except that we generalize the definition to allow for more than two servers.

First, we define a (non-distributed) point function.

Definition 4 (Point Function). Fix a positive integer L and a finite field $\mathbb{F}$. For all $l \in \mathbb{Z}_L$ and $m \in \mathbb{F}$, the point function $P_{l,m} : \mathbb{Z}_L \to \mathbb{F}$ is the function such that $P_{l,m}(l) = m$ and $P_{l,m}(l') = 0$ for all $l' \neq l$.

That is, the point function $P_{l,m}$ has the value 0 when evaluated at any input not equal to l and it has the value m when evaluated at l. For example, if L = 5 and $\mathbb{F} = \mathbb{F}_2$, the point function $P_{3,1}$ takes on the values (0, 0, 0, 1, 0) when evaluated on the values (0, 1, 2, 3, 4) (note that we index vectors from zero).

An (s, t)-distributed point function provides a way to distribute a point function $P_{l,m}$ amongst s servers such that no coalition of at most t servers learns anything about l or m given their t shares of the function.

Definition 5 (Distributed Point Function (DPF)). Fix a positive integer L and a finite field $\mathbb{F}$. An (s, t)-distributed point function consists of a pair of possibly randomized algorithms that implement the following functionalities:
- $\text{Gen}(l, m) \to (k_0, \ldots, k_{s-1})$. Given an integer $l \in \mathbb{Z}_L$ and value $m \in \mathbb{F}$, output a list of s keys.
- $\text{Eval}(k, l') \to m'$. Given a key k generated using Gen, and an index $l' \in \mathbb{Z}_L$, return a value $m' \in \mathbb{F}$.
We define correctness and privacy for a distributed point function as follows:

Correctness. For a collection of $s$ keys generated using Gen$(l,m)$, the sum of the outputs of these keys (generated using Eval) must equal the point function $P_{l,m}$. More formally, for all $l, l' \in \mathbb{Z}_L$ and $m \in \mathbb{F}$:

$$\Pr\left[(k_0,\dots,k_{s-1}) \leftarrow \mathrm{Gen}(l,m) : \sum_{i=0}^{s-1} \mathrm{Eval}(k_i, l') = P_{l,m}(l')\right] = 1$$

where the probability is taken over the randomness of the Gen algorithm.

Privacy. Let $S$ be any subset of $\{0, \dots, s-1\}$ such that $|S| \le t$. Then for any $l \in \mathbb{Z}_L$ and $m \in \mathbb{F}$, let $D_{S,l,m}$ denote the distribution of keys $\{(k_i) \mid i \in S\}$ induced by $(k_0, \dots, k_{s-1}) \leftarrow \mathrm{Gen}(l,m)$. We say that an $(s,t)$-DPF maintains privacy if there exists a p.p.t. algorithm Sim such that the following distributions are computationally indistinguishable:

$$D_{S,l,m} \approx_c \mathrm{Sim}(S)$$

That is, any subset of at most $t$ keys leaks no information about $l$ or $m$. (We can also strengthen this definition to require statistical or perfect indistinguishability.)

Toy Construction. To make this definition concrete, we first construct a trivial information-theoretically secure $(s, s-1)$-distributed point function with length-$L$ keys. As above, we fix a length $L$ and a finite field $\mathbb{F}$.

Gen$(l,m) \to (k_0, \dots, k_{s-1})$. Generate random vectors $k_0, \dots, k_{s-2} \leftarrow_R \mathbb{F}^L$. Set $k_{s-1} = m \cdot e_l - \sum_{i=0}^{s-2} k_i$.

Eval$(k, l') \to m'$. Interpret $k$ as a vector in $\mathbb{F}^L$. Return the value of the vector $k$ at index $l'$.

The correctness property of this construction follows immediately. Privacy is maintained because the distribution of any collection of $s-1$ keys is independent of $l$ and $m$. This toy construction uses length-$L$ keys to distribute a point function with domain $\mathbb{Z}_L$. Later in this section we describe DPF constructions which use much shorter keys.

4.2 Applying Distributed Point Functions for Bandwidth Efficiency

We can now use DPFs to improve the efficiency of the write-private database scheme introduced in Section 3.1. We show that the existence of an $(s,t)$-DPF with keys of length $|k|$ (along with standard cryptographic assumptions) implies the existence of a write-private database scheme using $s$ servers that maintains anonymity in the presence of $t$ malicious servers, such that write requests have length $s|k|$. Any DPF construction with short keys thus immediately implies a bandwidth-efficient write-private database scheme.

The construction is a generalization of the one presented in Section 3.1. We now assume that there are $s$ servers such that no more than $t$ of them collude. Each of the $s$ servers maintains a vector in $\mathbb{F}^L$ as their database state, for some fixed finite field $\mathbb{F}$ and integer $L$. Each row in the database is now an element of $\mathbb{F}$ and the database has $L$ rows.

When the client wants to write a message $m \in \mathbb{F}$ into location $l \in \mathbb{Z}_L$ in the database, the client uses an $(s,t)$-distributed point function to generate a set of $s$ DPF keys:

$$(k_0, \dots, k_{s-1}) \leftarrow \mathrm{Gen}(l, m)$$

The client then sends one of the keys to each of the servers. Each server can then expand the key into a vector $v \in \mathbb{F}^L$ by computing $v(l') = \mathrm{Eval}(k, l')$ for $l' = 0, \dots, L-1$. The server then adds this vector $v$ into its database state, using addition in $\mathbb{F}^L$. At the end of the time epoch, all servers combine their database states to reveal the set of client-submitted messages.

Correctness. The correctness of this construction follows directly from the correctness of the DPF. For each of the $n$ write requests submitted by the clients, denote the $j$th key in the $i$th request as $k_{i,j}$, denote the write location as $l_i$, and the message being written as $m_i$. When the servers combine their databases at the end of the epoch, the contents of the final database at row $l$ will be:

$$d_l = \sum_{i=0}^{n-1} \sum_{j=0}^{s-1} \mathrm{Eval}(k_{i,j}, l) = \sum_{i=0}^{n-1} P_{l_i, m_i}(l) \in \mathbb{F}$$

In words: as desired, the combined database contains the sum of $n$ point functions, one for each of the write requests.

Anonymity. The anonymity of this construction follows directly from the privacy property of the DPF. Given the plaintext database state $d$ (as defined above), any coalition of $t$ servers can simulate its view of the protocol. By definition of DPF privacy, there exists a simulator Sim, which simulates the distribution of any subset of $t$ DPF keys generated using Gen. The coalition of servers can use this simulator to simulate each of the $n$ write requests it sees during a run of the protocol. Thus, the servers can simulate their view of a protocol run and cannot win the anonymity game with non-negligible advantage.

Efficiency. A client in this scheme sends $|k|$ bits to each server (where $k$ is a DPF key), so the bandwidth efficiency of the scheme depends on the efficiency of the DPF. As we will show later in this section, $|k|$ can be much smaller than the length of the database.
4.3 A Two-Server Scheme Tolerating One Malicious Server

Having established that DPFs with short keys lead to bandwidth-efficient write-private database schemes, we now present one such DPF construction. This construction is a simplification of the computational PIR scheme of Chor and Gilboa [17]. This is a $(2,1)$-DPF with keys of length $O(\sqrt{L})$ operating on a domain of size $L$. This DPF yields a two-server write-private database scheme tolerating one malicious server such that writing into a database of size $L$ requires sending $O(\sqrt{L})$ bits to each server. Gilboa and Ishai [38] construct a $(2,1)$-DPF with even shorter keys ($|k| = \mathrm{polylog}(L)$), but the construction presented here is efficient enough for the database sizes we use in practice.

Although the DPF construction works over any field, we describe it here using the binary field $\mathbb{F} = \mathbb{F}_{2^k}$ (the field of $k$-bit bitstrings) to simplify the exposition. When Eval$(k, l')$ is run on every integer $l' \in \{0, \dots, L-1\}$, its output is a vector of $L$ field elements. The DPF key construction conceptually works by representing this vector of $L$ field elements as an $x \times y$ matrix, such that $xy \ge L$. The trick that makes the construction work is that the size of the keys needs only to grow with the size of the sides of this matrix rather than its area. The DPF keys that Gen$(l, m)$ outputs give an efficient way to construct two matrices $M_A$ and $M_B$ that differ only at one cell $l = (l_x, l_y) \in \mathbb{Z}_x \times \mathbb{Z}_y$ (Figure 2).

Fix a binary finite field $\mathbb{F} = \mathbb{F}_{2^k}$, a DPF domain size $L$, and integers $x$ and $y$ such that $xy \ge L$. (Later in this section, we describe how to choose $x$ and $y$ to minimize the key size.) The construction requires a pseudorandom generator (PRG) $G$ that stretches seeds from some space $S$ into length-$y$ vectors of elements of $\mathbb{F}$ [48]. So the signature of the PRG is $G : S \to \mathbb{F}^y$. In practice, an implementation might use AES-128 in counter mode as the pseudorandom generator [65]. The algorithms comprising the DPF are:

Gen$(l,m) \to (k_A, k_B)$. Compute integers $l_x \in \mathbb{Z}_x$ and $l_y \in \mathbb{Z}_y$ such that $l = l_x \cdot y + l_y$. Sample a random bit-vector $b_A \leftarrow_R \{0,1\}^x$, a random vector of PRG seeds $s_A \leftarrow_R S^x$, and a single random PRG seed $s^*_{l_x} \leftarrow_R S$. Given $b_A$ and $s_A$, we define $b_B$ and $s_B$ as:

$$b_A = (b_0, \dots, b_{l_x}, \dots, b_{x-1}) \qquad b_B = (b_0, \dots, \bar{b}_{l_x}, \dots, b_{x-1})$$
$$s_A = (s_0, \dots, s_{l_x}, \dots, s_{x-1}) \qquad s_B = (s_0, \dots, s^*_{l_x}, \dots, s_{x-1})$$

That is, the vectors $b_A$ and $b_B$ (similarly $s_A$ and $s_B$) differ only at index $l_x$. Let $m \cdot e_{l_y}$ be the vector in $\mathbb{F}^y$ of all zeros except that it has value $m$ at index $l_y$. Define $v \leftarrow m \cdot e_{l_y} + G(s_{l_x}) + G(s^*_{l_x})$. The output DPF keys are:

$$k_A = (b_A, s_A, v) \qquad k_B = (b_B, s_B, v)$$

Eval$(k, l') \to m'$. Interpret $k$ as a tuple $(b, s, v)$. To evaluate the DPF at index $l'$, first write $l'$ as an $(l'_x, l'_y)$ tuple such that $l'_x \in \mathbb{Z}_x$, $l'_y \in \mathbb{Z}_y$, and $l' = l'_x \cdot y + l'_y$. Use the PRG $G$ to stretch the $l'_x$-th seed of $s$ into a length-$y$ vector: $g \leftarrow G(s[l'_x])$. Return $m' \leftarrow g[l'_y] + b[l'_x] \cdot v[l'_y]$.

Figure 2 graphically depicts how Eval stretches the keys into a table of $x \times y$ field elements.

Figure 2: Left: We represent the output of Eval as an $x \times y$ matrix of field elements. Left-center: Construction of the $v$ vector used in the DPF keys. Right: using the $v$, $s$, and $b$ vectors, Eval expands each of the two keys into an $x \times y$ matrix of field elements. These two matrices sum to zero everywhere except at $(l_x, l_y) = (3,4)$, where they sum to $m$.

Correctness. We prove correctness of the scheme in Appendix B.

Privacy. The privacy property requires that there exists an efficient simulator that, on input $A$ or $B$, outputs samples from a distribution that is computationally indistinguishable from the distribution of DPF keys $k_A$ or $k_B$. The simulator Sim simulates each component of the DPF key as follows: It samples $b \leftarrow_R \{0,1\}^x$, $s \leftarrow_R S^x$, and $v \leftarrow_R \mathbb{F}^y$. The simulator returns $(b, s, v)$. We must now argue that the simulator's output distribution is computationally indistinguishable from that induced by the distribution of a single output of Gen. Since the $b$ and $s$ vectors outputted by Gen are random, the simulation is perfect. The $v$ vector outputted by Gen is computationally indistinguishable from random, since it is padded with the output of the PRG seeded with a seed unknown to the holder of the key. An efficient algorithm to distinguish the simulated $v$ vector from random can then also distinguish the PRG output from random.

Key Size. A key for this DPF scheme consists of: a vector in $\{0,1\}^x$, a vector in $S^x$, and a vector in $\mathbb{F}^y$. Let $\alpha$ be the number of bits required to represent an element of $S$ and let $\beta$ be the number of bits required to represent an element of $\mathbb{F}$. The total length of a key is then:

$$|k| = (1 + \alpha)x + \beta y$$

For fixed spaces $S$ and $\mathbb{F}$, we can find the optimal choices of $x$ and $y$ to minimize the key length.
To do so, we solve:

$$\min_{x,y} \; (1 + \alpha)x + \beta y \quad \text{subject to } xy \ge L$$

and conclude that the optimal values of $x$ and $y$ are:

$$x = c\sqrt{L} \quad \text{and} \quad y = \frac{1}{c}\sqrt{L} \quad \text{where } c = \sqrt{\frac{\beta}{1 + \alpha}}.$$

The key size is then $O(\sqrt{L})$. When using a database table of one million rows in length ($L = 2^{20}$), a row length of 1 KB per row ($\mathbb{F} = \mathbb{F}_{2^{8192}}$), and a PRG seed size of 128 bits (using AES-128, for example) the keys will be roughly 263 KB in length. For these parameters, the keys for the naïve construction (Section 3.1) would be 1 GB in length. Application of efficient DPFs thus yields a 4,000× bandwidth savings in this case.

Computational Efficiency. A second benefit of this scheme is that both the Gen and Eval routines are computationally efficient, since they just require performing finite field additions (i.e., XOR for binary fields) and PRG operations (i.e., computations of the AES function). The construction requires no public-key primitives.

4.4 An s-Server Scheme Tolerating s-1 Malicious Servers

The $(2,1)$-DPF scheme described above achieved a key size of $O(\sqrt{L})$ bits using only symmetric-key primitives. The limitation of that construction is that it only maintains privacy when a single key is compromised. In the context of a write-private database scheme, this means that the construction can only maintain anonymity in the presence of a single malicious server. It would be much better to have a write-private database scheme with $s$ servers that maintains anonymity in the presence of $s-1$ malicious servers. To achieve this stronger security notion, we need a bandwidth-efficient $(s, s-1)$-distributed point function.

In this section, we construct an $(s, s-1)$-DPF where each key has size $O(\sqrt{L})$. We do so at the cost of requiring more expensive public-key cryptographic operations, instead of the symmetric-key operations used in the prior DPF. While the $(2,1)$-DPF construction above directly follows the work of Chor and Gilboa [17], this $(s, s-1)$-DPF construction is novel, as far as we know. This construction uses a seed-homomorphic pseudorandom generator [3, 11, 64], to split the key for the pseudorandom generator $G$ across a collection of $s$ DPF keys.

Definition 6 (Seed-Homomorphic PRG). A seed-homomorphic PRG is a pseudorandom generator $G$ mapping seeds in a group $(S, \oplus)$ to outputs in a group $(\mathbb{G}, \otimes)$ with the additional property that for any $s_0, s_1 \in S$:

$$G(s_0 \oplus s_1) = G(s_0) \otimes G(s_1)$$

It is possible to construct a simple seed-homomorphic PRG from the decision Diffie-Hellman (DDH) assumption [11, 64]. The public parameters for the scheme are a list of $y$ generators chosen at random from an order-$q$ group $\mathbb{G}$, in which the DDH problem is hard [10]. For example, if $\mathbb{G}$ is an elliptic curve group [58], then the public parameters will be $y$ points $(P_0, \dots, P_{y-1}) \in \mathbb{G}^y$. The seed space is $\mathbb{Z}_q$ and the generator outputs vectors in $\mathbb{G}^y$. On input $s \in \mathbb{Z}_q$, the generator outputs $(sP_0, \dots, sP_{y-1})$. The generator is seed-homomorphic because, for any $s_0, s_1 \in \mathbb{Z}_q$, and for all $i \in \{1, \dots, y\}$: $s_0 P_i + s_1 P_i = (s_0 + s_1) P_i$.

As in the prior DPF construction, we fix a DPF domain size $L$, and integers $x$ and $y$ such that $xy \ge L$. The construction requires a seed-homomorphic PRG $G : S \to \mathbb{G}^y$, for some group $\mathbb{G}$ of prime order $q$. For consistency with the prior DPF construction, we will write the group operation in $\mathbb{G}$ using additive notation. Thus, the group operation applied component-wise to vectors $u, v \in \mathbb{G}^y$ results in the vector $(u + v) \in \mathbb{G}^y$. Since $\mathbb{G}$ has order $q$, $qA = 0$ for all $A \in \mathbb{G}$. The algorithms comprising the $(s, s-1)$-DPF are:

Gen$(l, m) \to (k_0, \dots, k_{s-1})$. Compute integers $l_x \in \mathbb{Z}_x$ and $l_y \in \mathbb{Z}_y$ such that $l = l_x \cdot y + l_y$. Sample random integer-valued vectors $b_0, \dots, b_{s-2} \leftarrow_R (\mathbb{Z}_q)^x$, random vectors of PRG seeds $s_0, \dots, s_{s-2} \leftarrow_R S^x$, and a single random PRG seed $s^* \leftarrow_R S$. Select $b_{s-1} \in (\mathbb{Z}_q)^x$ such that $\sum_{k=0}^{s-1} b_k = e_{l_x} \pmod q$ and select $s_{s-1} \in S^x$ such that $\sum_{k=0}^{s-1} s_k = s^* \cdot e_{l_x} \in S^x$. Define $v \leftarrow m \cdot e_{l_y} - G(s^*)$. The DPF key for server $i \in \{0, \dots, s-1\}$ is $k_i = (b_i, s_i, v)$.

Eval$(k, l') \to m'$. Interpret $k$ as a tuple $(b, s, v)$. To evaluate the DPF at index $l'$, first write $l'$ as an $(l'_x, l'_y)$ tuple such that $l'_x \in \mathbb{Z}_x$, $l'_y \in \mathbb{Z}_y$, and $l' = l'_x \cdot y + l'_y$. Use the PRG $G$ to stretch the $l'_x$-th seed of $s$ into a length-$y$ vector: $g \leftarrow G(s[l'_x])$. Return $m' \leftarrow g[l'_y] + b[l'_x] \cdot v[l'_y]$.

We omit correctness and privacy proofs, since they follow exactly the same structure as those used to prove security of our prior DPF construction. The only difference is that correctness here relies on the fact that $G$ is a seed-homomorphic PRG, rather than a conventional PRG. As in the DPF construction of Section 4.3, the keys here are of length $O(\sqrt{L})$.

Computational Efficiency. The main computational cost of this DPF construction comes from the use of the seed-homomorphic PRG $G$. Unlike a conventional PRG, which can be implemented using AES or another fast block cipher in counter mode, known constructions of seed-homomorphic PRGs require algebraic groups [64] or lattice-based cryptography [3, 11]. When instantiating the $(s, s-1)$-DPF with the DDH-based PRG construction in elliptic curve groups, each call to the DPF Eval routine requires an expensive elliptic curve scalar multiplication. Since elliptic curve operations are, per byte, orders of magnitude slower than AES operations, this $(s, s-1)$-DPF will be orders of magnitude slower than the $(2,1)$-DPF. Security against an arbitrary number of malicious servers comes at the cost of computational efficiency, at least for these DPF constructions.

With DPFs, we can now construct a bandwidth-efficient write-private database scheme that tolerates one malicious server (first construction) or $s-1$ out of $s$ malicious servers (second construction).

5 Preventing Disruptors

The first-attempt construction of our write-private database scheme (Section 3.1) had two limitations: (1) client write requests were very large and (2) malicious clients could corrupt the database state by sending malformed write requests. We addressed the first of these two challenges in Section 4.
In this section, we address the second challenge. A client write request in our protocol just consists of a collection of $s$ DPF keys. The client sends one key to each of the $s$ servers. The servers must collectively decide whether the collection of $s$ keys is a valid output of the DPF Gen routine, without revealing any information about the keys themselves. One way to view the servers' task here is as a secure multi-party computation [42, 79]. Each server's private input is its DPF key $k_i$. The output of the protocol is a single bit, which determines if the $s$ keys $(k_0, \dots, k_{s-1})$ are a well-formed collection of DPF keys.

Since we already rely on servers for availability (Section 2.2), we need not protect against servers maliciously trying to manipulate the output of the multi-party protocol. Such manipulation could only result in corrupting the database (if a malicious server accepts a write request that it should have rejected) or denying service to an honest client (if a malicious server rejects a write request that it should have accepted). Since both attacks are tantamount to denial of service, we need not consider them. We do care, in contrast, about protecting client privacy against malicious servers. A malicious server participating in the protocol should not gain any additional information about the private inputs of other parties, no matter how it deviates from the protocol specification.

We construct two protocols for checking the validity of client write requests. The first protocol is computationally inexpensive, but requires introducing a third non-colluding party to the two-server scheme. The second protocol requires relatively expensive zero-knowledge proofs [31, 43, 44, 71], but it maintains security when all but one of $s$ servers is malicious. Both of these protocols must satisfy the standard notions of soundness, completeness, and zero-knowledge [13].

5.1 Three-Party Protocol

Our first protocol for detecting malformed write requests works with the $(2,1)$-DPF scheme presented in Section 4.3. The protocol uses only hashing and finite field additions, so it is computationally inexpensive. The downside is that it requires introducing a third audit server, which must not collude with either of the other two servers.

We first develop a three-party protocol called AlmostEqual that we use as a subroutine to implement the full write request validation protocol. The AlmostEqual protocol takes place between three parties: server A, server B, and an audit server. Server A's private input is a vector $v_A \in \mathbb{F}^n$ and server B's private input is a vector $v_B \in \mathbb{F}^n$. The audit server has no private input. The output of the AlmostEqual protocol is the bit 1 if $v_A$ and $v_B$ differ at exactly one index and the bit 0 otherwise.

As with classical secure multi-party computations, the goal of the protocol is to accurately compute the output without leaking any extraneous information about the players' private inputs [30, 42, 79]. We use AlmostEqual in such a way that, whenever the client's write request is properly formed and whenever no two servers collude, the output of the protocol will be 1. Thus, we need only prove the protocol secure in the case when the output is 1.

We denote an instance of the three-party protocol as AlmostEqual$(v_A, v_B)$, where the arguments denote the two secret inputs of party A and party B. The protocol proceeds as follows:

1. Servers A and B use a coin-flipping protocol [9] to sample $n$ hash functions $h_0, \dots, h_{n-1}$ from a family of pairwise independent hash functions $H$ [56] having domain $\mathbb{F}$. The servers also agree upon a random shift value $f \in \mathbb{Z}_n$.

2. Server A computes the values $m_i \leftarrow h_i(v_A[i])$ for every index $i \in \{0, \dots, n-1\}$ and sends $(m_f, m_{f+1}, \dots, m_{n-1}, m_0, \dots, m_{f-1})$ to the auditor.

3. Server B repeats Step 2 with $v_B$.

4. The audit server returns 1 to servers A and B if and only if the vectors it receives from the two servers are equal at every index except one. The auditor returns 0 otherwise.

We include proofs of soundness, correctness, and zero-knowledge for this construction in Appendix C.

The keys for the $(2,1)$-DPF construction have the form $k_A = (b_A, s_A, v)$ and $k_B = (b_B, s_B, v)$. In a correctly formed pair of keys, the $b$ and $s$ vectors differ at a single index $l_x$, and the $v$ vector is equal to $v = m \cdot e_{l_y} + G(s_A[l_x]) + G(s_B[l_x])$.

To determine whether a pair of keys is correct, server A constructs a test vector $t_A$ such that $t_A[i] = b_A[i] \| s_A[i]$ for $i \in \{0, \dots, x-1\}$ (where $\|$ denotes concatenation). Server B constructs a test vector $t_B$ in the same way and the two servers, along with the auditor, run the protocol AlmostEqual$(t_A, t_B)$. If the output of this protocol is 1, then the servers conclude that their $b$ and $s$ vectors differ at a single index, though the protocol does not reveal to the servers which index this is.
Otherwise, the servers reject the write request. Next, the servers must verify that the $v$ vector is well-formed. To do so, the servers compute another pair of test vectors:

$$u_A = \sum_{i=0}^{x-1} G(s_A[i]) \qquad u_B = v + \sum_{i=0}^{x-1} G(s_B[i]).$$

The servers run AlmostEqual$(u_A, u_B)$ and accept the write request as valid if it returns 1. We prove security of this construction in Appendix D.

An important implementation note is that if $m = 0$ (that is, if the client writes the string of all zeros into the database) then the $u$ vectors will not differ at any index and this information is leaked to the auditor. The protocol only provides security if the vectors differ at exactly one index. To avoid this information leakage, client requests must be defined such that $m \neq 0$ in every write request. To achieve this, clients could define some special non-zero value to indicate zero or could use a padding scheme to ensure that zero values occur with negligible probability.

As a practical matter, the audit server needs to be able to match up the portions of write requests coming from server A with those coming from server B. Riposte achieves this as follows: When the client sends its upload request to server A, the client includes a cryptographic hash of the request it sent to server B (and vice versa). Both servers can use these hashes to derive a common nonce for the request. When the servers send audit requests to the audit server, they include the nonce for the write request in question. The audit server can use the nonce to match every audit request from server A with the corresponding request from server B.

This three-party protocol is very efficient: it only requires $O(\sqrt{L})$ applications of a hash function and $O(\sqrt{L})$ communication from the servers to the auditor. The auditor only performs a simple string comparison, so it needs minimal computational and storage capabilities.

5.2 Zero Knowledge Techniques

Our second technique for detecting disruptors makes use of non-interactive zero-knowledge proofs [12, 44, 71]. We apply zero-knowledge techniques to allow clients to prove the well-formedness of their write requests. This technique works in combination with the $(s, s-1)$-DPF presented in Section 4.4 and maintains client write-privacy when all but one of $s$ servers is dishonest. The keys for the $(s, s-1)$-DPF scheme are tuples $(b_i, s_i, v)$ such that:

$$\sum_{i=0}^{s-1} b_i = e_{l_x} \qquad \sum_{i=0}^{s-1} s_i = s^* \cdot e_{l_x} \qquad v = m \cdot e_{l_y} - G(s^*)$$

To prove that its write request was correctly formed, we have the client perform zero-knowledge proofs over collections of Pedersen commitments [69].
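The $(2,1)$-DPF of Section 4.3, the write-private database of Section 4.2 built on it, and the three-party audit of Section 5.1 together, as an added worked example that is not code from the paper or its Go prototype. Assumptions: SHAKE-256 stands in for AES-128 in counter mode as the PRG $G$, keyed BLAKE2b stands in for the pairwise independent hash family $H$ (the prototype uses Poly1305), the coin-flipping protocol is modelled by sampling the shared hash keys and shift directly, and rows are 4 bytes; the audit also shows the $m = 0$ case from the implementation note being rejected, and `optimal_dims` reproduces the key-size calculation of Section 4.3.

```python
# Added example, not from the Riposte paper or its Go prototype.
# (2,1)-DPF of Section 4.3 over F = F_{2^k} (k-bit strings, addition = XOR),
# the write-private database of Section 4.2 built on it, and the three-party
# AlmostEqual audit of Section 5.1. Assumptions: SHAKE-256 stands in for
# AES-128-CTR as the PRG G, keyed BLAKE2b stands in for the pairwise
# independent hash family H, and rows are 4 bytes to keep tables small.
import hashlib
import math
import os
import secrets

ROW = 4       # bytes per field element (the paper uses 160- or 1024-byte rows)
SEED = 16     # PRG seed size in bytes (AES-128 key size)

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def prg(seed, y):
    """G : S -> F^y, stretches one seed into y field elements."""
    out = hashlib.shake_256(seed).digest(y * ROW)
    return [out[i * ROW:(i + 1) * ROW] for i in range(y)]

def gen(l, m, x, y):
    """Gen(l, m) -> (k_A, k_B) for a domain of size x*y >= L."""
    lx, ly = divmod(l, y)
    b_a = [secrets.randbits(1) for _ in range(x)]
    s_a = [os.urandom(SEED) for _ in range(x)]
    s_star = os.urandom(SEED)
    b_b, s_b = list(b_a), list(s_a)
    b_b[lx] ^= 1          # b_A and b_B differ only at l_x
    s_b[lx] = s_star      # s_A and s_B differ only at l_x
    # v = m*e_ly + G(s_lx) + G(s*_lx)
    v = [xor(g, h) for g, h in zip(prg(s_a[lx], y), prg(s_star, y))]
    v[ly] = xor(v[ly], m)
    return (b_a, s_a, v), (b_b, s_b, v)

def evaluate(key, l_prime, y):
    """Eval(k, l') -> g[l'_y] + b[l'_x] * v[l'_y] with g = G(s[l'_x])."""
    b, s, v = key
    lx, ly = divmod(l_prime, y)
    g = prg(s[lx], y)
    return xor(g[ly], v[ly]) if b[lx] else g[ly]

def expand(key, x, y):
    """Server side: the L = x*y rows a server adds to its database state."""
    return [evaluate(key, l, y) for l in range(x * y)]

def combine(*states):
    """End of epoch: servers add (XOR) their states to reveal the messages."""
    db = [bytes(ROW)] * len(states[0])
    for st in states:
        db = [xor(p, q) for p, q in zip(db, st)]
    return db

def optimal_dims(L, alpha, beta):
    """Key-size optimum of Section 4.3: x = c*sqrt(L), y = sqrt(L)/c with
    c = sqrt(beta/(1+alpha)); returns (x, y, key length in bits)."""
    c = math.sqrt(beta / (1 + alpha))
    x = math.ceil(c * math.sqrt(L))
    y = math.ceil(L / x)
    return x, y, (1 + alpha) * x + beta * y

def hash_shares(vec, hkeys, shift):
    """One server's message to the auditor: h_i(vec[i]) for all i, rotated by f."""
    hs = [hashlib.blake2b(val, key=k, digest_size=16).digest()
          for val, k in zip(vec, hkeys)]
    return hs[shift:] + hs[:shift]

def auditor(msg_a, msg_b):
    """Returns 1 iff the two received vectors differ at exactly one index."""
    return 1 if sum(p != q for p, q in zip(msg_a, msg_b)) == 1 else 0

def almost_equal(v_a, v_b):
    """AlmostEqual(v_A, v_B); the coin-flipping protocol is modelled by
    sampling the shared hash keys h_0..h_{n-1} and the shift f directly."""
    n = len(v_a)
    hkeys = [os.urandom(32) for _ in range(n)]
    shift = secrets.randbelow(n)
    return auditor(hash_shares(v_a, hkeys, shift), hash_shares(v_b, hkeys, shift))

def audit(key_a, key_b, x, y):
    """True iff servers A and B (with the auditor) accept the key pair."""
    b_a, s_a, _ = key_a
    b_b, s_b, v = key_b
    t_a = [bytes([b_a[i]]) + s_a[i] for i in range(x)]   # b_A[i] || s_A[i]
    t_b = [bytes([b_b[i]]) + s_b[i] for i in range(x)]
    if almost_equal(t_a, t_b) != 1:
        return False
    u_a = [bytes(ROW)] * y          # u_A = sum_i G(s_A[i])
    u_b = list(v)                   # u_B = v + sum_i G(s_B[i])
    for i in range(x):
        u_a = [xor(p, q) for p, q in zip(u_a, prg(s_a[i], y))]
        u_b = [xor(p, q) for p, q in zip(u_b, prg(s_b[i], y))]
    # u_A + u_B = m*e_ly: exactly one differing index unless m = 0, in which
    # case the request is rejected and the auditor learns that m was zero.
    return almost_equal(u_a, u_b) == 1
```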
The public parameters for the Pedersen commitment scheme consist of a group $\mathbb{G}$ of prime order $q$ and two generators $P$ and $Q$ of $\mathbb{G}$ such that no one knows the discrete logarithm $\log_Q P$. A Pedersen commitment to a message $m \in \mathbb{Z}_q$ with randomness $r \in \mathbb{Z}_q$ is $C(m, r) = (mP + rQ) \in \mathbb{G}$ (writing the group operation additively). Pedersen commitments are homomorphic, in that given commitments to $m_0$ and $m_1$, it is possible to compute a commitment to $m_0 + m_1$:

$$C(m_0, r_0) + C(m_1, r_1) = C(m_0 + m_1, r_0 + r_1)$$

Here, we assume that the $(s, s-1)$-DPF is instantiated with the DDH-based PRG introduced in Section 4.4 and that the group $\mathbb{G}$ used for the Pedersen commitments is the same order-$q$ group used in the PRG construction.

To execute the proof, the client first generates Pedersen commitments to elements of each of the $s$ DPF keys. Then each server can verify that the client computed the commitment to the $i$th DPF key elements correctly. The servers use the homomorphic property of Pedersen commitments to generate commitments to the sum of the elements of the DPF keys. Finally, the client proves in zero knowledge that these sums have the correct values. The protocols proceed as follows:

1. The client generates vectors of Pedersen commitments $B_i$ and $S_i$ committing to each element of $b_i$ and $s_i$. The client sends the $B_i$ and $S_i$ vectors to every server.

2. To server $i$, the client sends the opening of the commitments $B_i$ and $S_i$. Each server $i$ verifies that $B_i$ and $S_i$ are valid commitments to the $b_i$ and $s_i$ vectors in the DPF key. If this check fails at some server, server $i$ notifies the other servers and all servers reject the write request.

3. Using the homomorphic property of the commitments, each server can compute vectors of commitments $B_{sum}$ and $S_{sum}$ to the vectors $\sum_{i=0}^{s-1} b_i$ and $\sum_{i=0}^{s-1} s_i$.

4. Using a non-interactive zero-knowledge proof, the client proves to the servers that $B_{sum}$ and $S_{sum}$ are commitments to zero everywhere except at a single (secret) index $l_x$, and that $B_{sum}[l_x]$ is a commitment to one.[1] This proof uses standard witness hiding techniques for discrete-logarithm-based zero knowledge proofs [12, 22]. If the proof is valid, the servers continue to check the $v$ vector.

This first protocol convinces each server that the $b$ and $s$ components of the DPF keys are well formed. Next, the servers check the $v$ component:

1. For each server $i$, the client sums up the seed values it sent to server $i$: $\sigma_i = \sum_{j=0}^{s-1} s_i[j]$. The client then generates the output of $G(\sigma_i)$ and blinds it: $G_i = (\sigma_i P_1 + r_1 Q, \sigma_i P_2 + r_2 Q, \dots)$.

2. The client sends the $G_i$ values to all servers and the client sends the opening of $G_i$ to each server $i$.

3. Each server verifies that the openings are correct, and all servers reject the write request if this check fails at any server.

4. Using the homomorphic property of Pedersen commitments, every server can compute a vector of commitments $G_{sum} = (\sum_{i=0}^{s-1} G_i) + v$. If $v$ is well formed, then the $G_{sum}$ vector contains commitments to zero at every index except one (at which it will contain a commitment to the client's message $m$).

5. The client uses a non-interactive zero-knowledge proof to convince the servers that the vector of commitments $G_{sum}$ contains commitments to zero at all indexes except one. If the proof is valid, the servers accept the write request.

We prove in Appendix E that this protocol satisfies the standard notions of soundness, completeness, and zero-knowledge [13].

[1] Technically, this is a zero-knowledge proof of knowledge which proves that the client knows an opening of the commitments to the stated values.

6 Experimental Evaluation

To demonstrate that Riposte is a practical platform for traffic-analysis-resistant anonymous messaging, we implemented two variants of the system. The first variant uses the two-server distributed point function (Section 4.3) and uses the three-party protocol (Section 5.1) to prevent malicious clients from corrupting the database. This variant is relatively fast, since it relies primarily on symmetric-key primitives, but requires that no two of the three servers collude. Our results for the first variant include the cost of identifying and excluding malicious clients. The second variant uses the $s$-server distributed point function (Section 4.4). This variant protects against $s-1$ colluding servers, but relies on expensive public-key operations. We have not implemented the zero-knowledge proofs necessary to prevent disruptors for the $s$-server protocol (Section 5.2), so the performance numbers represent only an upper bound on the system throughput.

We wrote the prototype in the Go programming language and have published the source code online at https://bitbucket.org/henrycg/riposte/. We used the DeterLab network testbed for our experiments [59]. All of the experiments used commodity servers running Ubuntu with four-core AES-NI-enabled Intel E3-1260L CPUs and 16 GB of RAM.
Our expermental network topology used between two and ten servers (dependng on the protocol varant n use) and eght clent nodes. In each of these experments, the eght clent machnes used many threads of executon to submt wrte requests to the servers as quckly as possble. In all experments, the server nodes connected to a common swtch va 100 Mbps lnks, the clents nodes connected to a common swtch va 1 Gbps lnks, and the clent and server swtches connected va a 1 Gbps lnk. The roundtrp network latency between each par of nodes was 20 ms. We chose ths network topology to lmt the bandwdth between the servers to that of a fast WAN, but to leave clent bandwdth unlmted so that the small number of clent machnes could saturate the servers wth wrte requests. Error bars n the charts ndcate the standard devaton of the throughput measurements. 6.1 ThreeServer Protocol A threeserver Rposte cluster conssts of two database servers and one audt server. The system mantans ts securty propertes as long as no two of these three servers collude. We have fully mplemented the threeserver protocol, ncludng the audt protocol (Secton 5.1), so the throughput numbers lsted here nclude the cost of detectng and rejectng malcous wrte requests. The prototype used AES128 n counter mode as the pseudorandom generator, Poly1305 as the keyed hash functon used n the audt protocol [8], and TLS for lnk encrypton. Fgure 3 shows how many clent wrte requests our Rposte cluster can servce per second as the number of 160 byte rows n the database table grows. For a database table of 64 rows, the system handles wrte requests per second. At a table sze of 65,536 rows, the system handles 32.8 requests per second. At a table sze of 1,048,576 rows, the system handles 2.86 requests per second. We chose the row length of 160 bytes because t was the smallest multple of 32 bytes large enough to to contan a 140byte Tweet. 
Throughput of the system depends only the total sze of the table (number of rows row length), so larger row lengths mght be preferable for other applcatons. For example, an anonymous emal system usng Rposte wth 4096byte rows could handle 2.86 requests per second at a table sze of 40,960 rows. An upper bound on the performance of the system s the speed of the pseudorandom generator used to stretch out the DPF keys to the length of the database table. The dashed lne n Fgure 3 ndcates ths upper bound (605 MB/s), as determned usng an AES benchmark wrtten n Go. That lne ndcates the maxmum possble throughput we could hope to acheve wthout aggressve optmzaton (e.g., wrtng portons of the code n assembly) or more powerful machnes. Mgratng the performance 14
15 Throughput (clent requests/sec) Actual throughput Maxmum TLS throughput Maxmum AES throughput k 10k 100k 1M 10M Database table sze (# of 160byte rows) Fgure 3: As the database table sze grows, the throughput of our system approaches the maxmum possble gven the AES throughput of our servers. Throughput (clent requests/sec) Database table wdthheght rato Fgure 4: Use of bandwdtheffcent DPFs gves a 768 speedup over the naïve constructons, n whch a clent s request s as large as the database. crtcal portons of our mplementaton from Go to C (usng OpenSSL) mght ncrease the throughput by a factor of as much as 6, snce openssl speed reports AES throughput of 3.9 GB/s, compared wth the 605 MB/s we obtan wth Go s crypto lbrary. At very small table szes, the speed at whch the server can set up TLS connectons wth the clents lmts the overall throughput to roughly 900 requests per second. Fgure 4 demonstrates how the request throughput vares as the wdth of the table changes, whle the number of bytes n the table s held constant at 10 MB. Ths fgure demonstrates the performance advantage of usng a bandwdtheffcent O( L) DPF (Secton 4) over the naïve DPF (Secton 3.1). Usng a DPF wth optmal table sze yelds a throughput of 38.4 requests per second. The extreme left and rght ends of the fgure ndcate the performance yelded by the naïve constructon, n whch makng a wrte request nvolves sendng a (1 L) dmenson vector to each server. At the far rght extreme of the table, performance drops to 0.05 requests per second, so DPFs yeld a 768 speedup. Fgure 5 ndcates the total number of bytes transferred by one of the database servers and by the audt server whle processng a sngle clent wrte request. The dashed Data transfer (bytes) 10GB 1GB 100MB 10MB 1MB 100kB 10kB 1kB No DPF Server  Recv Server  Send Audt  Recv Audt  Send 100 B k 10k 100k 1M 10M 100M Database table sze (# of 160byte rows) Fgure 5: The total clent and server data transfer scales sublnearly wth the sze of the database. 
line at the top of the chart indicates the number of bytes a client would need to send for a single write request if we did not use bandwidth-efficient DPFs (i.e., the dashed line indicates the size of the database table). As the figure demonstrates, the total data transfer in a Riposte cluster scales sublinearly with the database size. When the database table is 2.5 GB in size, the database server transfers only a total of 1.23 MB to process a write request.

6.2 s-Server Protocol

In some deployment scenarios, having strong protection against server compromise may be more important than performance or scalability. In these cases, the s-server Riposte protocol provides the same basic functionality as the three-server protocol described above, except that it maintains privacy even if s − 1 out of s servers collude or deviate arbitrarily from the protocol specification. We implemented the basic s-server protocol but have not yet implemented the zero-knowledge proofs necessary to prevent malicious clients from corrupting the database state (Section 5.2). These performance figures thus represent an upper bound on the s-server protocol's performance. Adding the zero-knowledge proofs would require an additional Θ(√L) elliptic curve operations per server in an L-row database. The computational cost of the proofs would almost certainly be dwarfed by the Θ(L) elliptic curve operations required to update the state of the database table.

The experiments use the DDH-based seed-homomorphic pseudorandom generator described in Section 4.4 and they use the NIST P-256 elliptic curve as the underlying algebraic group. The table row size is fixed at 160 bytes. Figure 6 demonstrates the performance of an eight-server Riposte cluster as the table size increases. At a table size of 1,024 rows, the cluster can process one request every 3.44 seconds. The limiting factor is the rate at which the servers can evaluate the DDH-based pseudorandom generator (PRG), since computing each 32-byte block of PRG output requires a costly elliptic curve scalar multiplication. The dashed line in the figure indicates the maximum throughput obtainable using Go's implementation of P-256 on our servers, which in turn dictates the maximum cluster throughput. Processing a single request with a table size of one million rows would take nearly one hour with this construction, compared to 0.3 seconds in the AES-based three-server protocol.

[Figure 6: Throughput of an eight-server Riposte cluster using the (8,7)-distributed point function. Plot of throughput (client requests/sec) against database table size (# of 160-byte rows); series: actual throughput, maximum EC throughput.]

Figure 7 shows how the throughput of the Riposte cluster changes as the number of servers varies. Since the workload is heavily CPU-bound, the throughput only decreases slightly as the number of servers increases from two to ten.

[Figure 7: Throughput of Riposte clusters using two different database table sizes as the number of servers varies. Plot of throughput (client requests/sec) against number of servers; series: 16-row table, 64-row table.]

6.3 Discussion: Whistleblowing and Microblogging with Million-User Anonymity Sets

Whistleblowers, political activists, or others discussing sensitive or controversial issues might benefit from an anonymous microblogging service. A whistleblower, for example, might want to anonymously blog about an instance of bureaucratic corruption in her organization. The utility of such a system depends on the size of the anonymity set it would provide: if a whistleblower is only anonymous amongst a group of ten people, it would be easy for the whistleblower's employer to retaliate against everyone in the anonymity set. Mounting this "punish-them-all" attack does not require breaking the anonymity system itself, since the anonymity set is public. As the anonymity set size grows, however, the feasibility of the punish-them-all attack quickly tends to zero.
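As an added illustration of the bandwidth-efficient two-server DPF write compared under Figure 4, and of the "empty" write into the first row that this section proposes for read-only clients, the Go program below (written for this edit, not Riposte's own implementation) builds a write request out of √L seeds, √L bits and one √L-row correction vector, lets two servers accumulate several requests, and reveals the table at the end of the epoch. It follows the two-server point-function construction of Gilboa and Ishai [38] that the paper builds on; the AES-CTR PRG, the 160-byte row length and all function names are choices made here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const seedLen, rowLen = 16, 160 // AES-128 seed length; bytes per row, as in the paper's experiments

// Share is what one of the two servers receives; the L-row table is a side x side grid, row r = x*side + y.
type Share struct {
	Seeds [][]byte // one seed per grid row; equal on both servers except at x
	Bits  []byte   // one bit per grid row; equal on both servers except at x
	V     []byte   // side*rowLen-byte correction vector, same on both servers
}

// prg expands a seed into n pseudorandom bytes (AES-128-CTR with a zero IV).
func prg(seed []byte, n int) []byte {
	block, err := aes.NewCipher(seed)
	if err != nil {
		panic(err)
	}
	out := make([]byte, n)
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	return out
}

func xorInto(dst, src []byte) {
	for i := range dst {
		dst[i] ^= src[i]
	}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// GenWrite splits "write msg into row (x, y)" into two shares; each share alone is independent of x, y and msg.
func GenWrite(side, x, y int, msg []byte) (Share, Share) {
	if len(msg) != rowLen || x < 0 || x >= side || y < 0 || y >= side {
		panic("bad write request")
	}
	a := Share{Seeds: make([][]byte, side), Bits: make([]byte, side)}
	b := Share{Seeds: make([][]byte, side), Bits: make([]byte, side)}
	for i := 0; i < side; i++ {
		a.Seeds[i], a.Bits[i] = randBytes(seedLen), randBytes(1)[0]&1
		b.Seeds[i], b.Bits[i] = a.Seeds[i], a.Bits[i]
		if i == x { // only the target grid row differs between the two servers
			b.Seeds[i], b.Bits[i] = randBytes(seedLen), a.Bits[i]^1
		}
	}
	// V cancels both servers' PRG output on grid row x and leaves msg at column y.
	v := prg(a.Seeds[x], side*rowLen)
	xorInto(v, prg(b.Seeds[x], side*rowLen))
	xorInto(v[y*rowLen:(y+1)*rowLen], msg)
	a.V, b.V = v, append([]byte(nil), v...)
	return a, b
}

// EmptyWrite is a read-only client's cover request: a random message into row 0.
func EmptyWrite(side int) (Share, Share) {
	return GenWrite(side, 0, 0, randBytes(rowLen))
}

// NewTable allocates one server's empty table share for a side x side grid.
func NewTable(side int) []byte { return make([]byte, side*side*rowLen) }
// Apply is the server's step per request: expand the share and XOR it into the table.
func Apply(table []byte, sh Share, side int) {
	for i := 0; i < side; i++ {
		row := table[i*side*rowLen : (i+1)*side*rowLen]
		xorInto(row, prg(sh.Seeds[i], side*rowLen))
		if sh.Bits[i] == 1 {
			xorInto(row, sh.V)
		}
	}
}

// Reveal is the end-of-epoch step: the XOR of both servers' tables is the plaintext table.
func Reveal(a, b []byte) []byte {
	out := append([]byte(nil), a...)
	xorInto(out, b)
	return out
}

// RequestBytes is the per-server upload for this DPF versus the naïve one (a full L*rowLen-byte vector).
func RequestBytes(side int) (dpf, naive int) {
	return side*seedLen + (side+7)/8 + side*rowLen, side * side * rowLen
}

func main() {
	d, n := RequestBytes(256) // L = 65,536 rows, the table size of the 32-hour experiment
	fmt.Printf("sqrt(L) DPF: %d bytes per server; naive: %d bytes\n", d, n)
}
```

Two writes that land in the same row XOR together and destroy each other, which is the collision rate the epoch-length calculation below has to keep under 5%.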
At an anonymity set size of 1,000,000 clients, mounting a punish-them-all attack would be prohibitively expensive in most situations. Riposte can handle such large anonymity sets as long as (1) clients are willing to tolerate hours of messaging latency, and (2) only a small fraction of clients writes into the database in each time epoch. Both of these requirements are satisfied in the whistleblowing scenario. First, whistleblowers might not care if the system delays their posts by a few hours. Second, the vast majority of users of a microblogging service (especially in the whistleblowing context) are more likely to read posts than write them.

To get very large anonymity sets, maintainers of an anonymous microblogging service could take advantage of the large set of read-only users to provide anonymity for the relatively small number of read-write users. The client application for such a microblogging service would enable read-write users to generate and submit Riposte write requests to a Riposte cluster running the microblogging service. However, the client application would also allow read-only users to submit an "empty" write request to the Riposte cluster that would always write a random message into the first row of the Riposte database. From the perspective of the servers, a read-only client would be indistinguishable from a read-write client. By leveraging read-only users in this way, we can increase the size of the anonymity set without needing to increase the size of the database table.

To demonstrate that Riposte can support very large anonymity set sizes (albeit with high latency), we configured a cluster of Riposte servers with a 65,536-row database table and left it running for 32 hours. In that period, the system processed a total of 2,895,216 write requests, an average rate of roughly 25 requests per second. (To our knowledge, this is the largest anonymity set ever constructed in a system that offers protection against traffic analysis attacks.) Using the techniques in Section 3.2, a table of this size could handle 0.3% of users writing at a collision rate of under 5%. Thus, to get an anonymity set of roughly 1,000,000 users with a three-server Riposte cluster and a database table of size 65,536, the time epoch must be at least 11 hours long.

As of 2013, Twitter reported an average throughput of 5, byte Tweets per second [53]. That is equivalent to roughly 5,000 of our 160-byte messages per second. At a table size of one million messages, our Riposte cluster's end-to-end throughput is 2.86 write requests per second (Figure 3). To handle the same volume of Tweets as Twitter does with anonymity set sizes on the order of hundreds of thousands of clients, we would need to increase the computing power of our cluster by only a factor of 1,750.² Since we are using only three servers now, we would need roughly 5,250 servers (split into three non-colluding data centers) to handle the same volume of traffic as Twitter. Furthermore, since the audit server is just doing string comparisons, the system would likely need many fewer audit servers than database servers, so the total number of servers required might be closer to 4,

7 Related Work

Anonymity systems fall into one of two general categories: systems that provide low-latency communication and those that protect against traffic analysis attacks by a global network adversary. Aqua [54], Crowds [72], LAP [49], ShadowWalker [60], Tarzan [32], and Tor [28] belong to the first category of systems: they provide an anonymous proxy for real-time Web browsing, but they do not protect against an adversary who controls the network, many of the clients, and some of the nodes on a victim's path through the network. Even providing a formal definition of anonymity for low-latency systems is challenging [50], and such definitions typically do not capture the need to protect against timing attacks. Even so, it would be possible to combine Tor (or another low-latency anonymizing proxy) and Riposte to build a "best of both" anonymity system: clients would submit their write requests to the Riposte servers via the Tor network.
In this configuration, even if all of the Riposte servers colluded, they could not learn which user wrote which message without also breaking the anonymity of the Tor network.

² We assume here that scaling the number of machines by a factor of k increases our throughput by a factor of k. This assumption is reasonable given our workload, since the processing of write requests is an embarrassingly parallel task.

David Chaum's cascade mix networks were one of the first systems devised with the specific goal of defending against traffic-analysis attacks [16]. Since then, there have been a number of mix-net-style systems proposed, many of which explicitly weaken their protections against a near-omnipresent adversary [75] to improve prospects for practical usability (i.e., for email traffic) [24]. In contrast, Riposte attempts to provide very strong anonymity guarantees at the price of usability for interactive applications.

E-voting systems (also called "verifiable shuffles") achieve the sort of privacy properties that Riposte offers, and some systems even provide stronger voting-specific guarantees (receipt-freeness, proportionality, etc.), though most e-voting systems cannot provide the forward security property that Riposte offers (Section 3.3) [1, 19, 33, 46, 47, 66, 70]. In a typical e-voting system, voters submit their encrypted ballots to a few trustees, who collectively shuffle and decrypt them. While it is possible to repurpose e-voting systems for anonymous messaging, they typically require expensive zero-knowledge proofs or are inefficient when message sizes are large. Mix-nets that do not use zero-knowledge proofs of correctness typically do not provide privacy in the face of active attacks by a subset of the mix servers. For example, the verifiable shuffle protocol of Bayer and Groth [5] is one of the most efficient in the literature. Their shuffle implementation, when used with an anonymity set of size N, requires 16N group exponentiations per server and data transfer O(N). In addition, messages must be small enough to be encoded in single group elements (a few hundred bytes at most).
In contrast, our protocol requires O(L) AES operations and data transfer O(√L), where L is the size of the database table. When messages are short and when the writer/reader ratio is high, the Bayer-Groth mix may be faster than our system. In contrast, when messages are long and when the writer/reader ratio is low (i.e., L ∈ O(N)), our system is faster.

Chaum's Dining Cryptographers network (DC-net) is an information-theoretically secure anonymous broadcast channel [15]. A DC-net provides the same strong anonymity properties as Riposte does, but it requires every user of a DC-net to participate in every run of the protocol. As the number of users grows, this quickly becomes impractical. The Dissent [78] system introduced the idea of using partially trusted servers to make DC-nets practical in distributed networks. Dissent requires weaker trust assumptions than our three-server protocol does, but it requires clients to send O(L) bits to each server per time epoch (compared with our O(√L)). Also, excluding a single disruptor in a 1,000-client deployment takes over an hour. In contrast, Riposte can exclude disruptors as fast as it processes write requests (tens to hundreds per second, depending on the database size). Recent work [21] uses zero-knowledge techniques to speed up disruption resistance in Dissent (building on ideas of Golle and Juels [45]). Unfortunately, these techniques limit the system's end-to-end throughput to 30 KB/s, compared with Riposte's 450+ MB/s. Herbivore scales DC-nets by dividing users into many small anonymity sets [39]. Riposte creates a single large anonymity set, and thus enables every client to be anonymous amongst the entire set of honest clients.

Our DPF constructions make extensive use of prior work on private information retrieval (PIR) [17, 18, 34, 38]. Recent work demonstrates that it is possible to make theoretical PIR fast enough for practical use [26, 27, 41]. Gertner et al. [37] consider symmetric PIR protocols, in which the servers prevent dishonest clients from learning about more than a single row of the database per query. The problem that Gertner et al. consider is, in a way, the dual of the problem we address in Section 5, though their techniques do not appear to apply directly in our setting. Ostrovsky and Shoup first proposed using a PIR protocol as the basis for writing into a database shared across a set of servers [68]. However, Ostrovsky and Shoup considered only the case of a single honest client, who uses the untrusted database servers for private storage. Since many mutually distrustful clients use a single Riposte cluster, our protocol must also handle malicious clients.

Pynchon Gate [73] builds a private point-to-point messaging system from mix-nets and PIR. Clients anonymously upload messages to email servers using a traditional mix-net and download messages from the email servers using a PIR protocol. Riposte could replace the mix-nets used in the Pynchon Gate system: clients could anonymously write their messages into the database using Riposte and could privately read incoming messages using PIR.
8 Conclusion and Open Questions

We have presented Riposte, a new system for anonymous messaging. To the best of our knowledge, Riposte is the first system that simultaneously (1) thwarts traffic analysis attacks, (2) prevents malicious clients from anonymously disrupting the system, and (3) enables million-client anonymity set sizes. We achieve these goals through novel application of private information retrieval and secure multi-party computation techniques. We have demonstrated Riposte's practicality by implementing it and evaluating it with anonymity sets of over two million nodes.

This work leaves open a number of questions for future work, including:
Does there exist an (s, s−1)-DPF construction for s > 2 that uses only symmetric-key operations?
Are there efficient techniques (i.e., using no public-key primitives) for achieving disruption resistance without the need for a non-colluding audit server?
Are there DPF constructions that enable processing write requests in amortized time o(L), for a length-L database?

With the design and implementation of Riposte, we have demonstrated that cryptographic techniques can make traffic-analysis-resistant anonymous microblogging and whistleblowing more practical at Internet scale.

Acknowledgements

We would like to thank Joe Zimmerman and David Wu for helpful discussions about distributed point functions. We would like to thank Stephen Schwab and the staff of DeterLab for giving us access to their excellent network testbed. This work was supported by NSF, an IARPA project provided via DoI/NBC, a grant from ONR, an NDSEG fellowship, and by a Google faculty scholarship. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or IARPA.

References

[1] B. Adida, Helios: Web-based open-audit voting, in USENIX Security Symposium, vol. 17.
[2] B. Adida and D. Wikström, How to shuffle in public, in Theory of Cryptography.
[3] A. Banerjee and C. Peikert, New and improved key-homomorphic pseudorandom functions, in CRYPTO.
[4] K. Bauer, D. McCoy, D. Grunwald, T. Kohno, and D. Sicker, Low-resource routing attacks against Tor, in WPES. ACM.
[5] S. Bayer and J. Groth, Efficient zero-knowledge argument for correctness of a shuffle, in EUROCRYPT.
[6] M. Bellare and P. Rogaway, Random oracles are practical: A paradigm for designing efficient protocols, in CCS. ACM.
[7] K. Bennhold, In Britain, guidelines for spying on lawyers and clients, New York Times, p. A6, 7 Nov.
[8] D. J. Bernstein, The Poly1305-AES message-authentication code, in Fast Software Encryption.
[9] M. Blum, Coin flipping by telephone: a protocol for solving impossible problems, ACM SIGACT News, vol. 15, no. 1.
[10] D. Boneh, The decision Diffie-Hellman problem, in Algorithmic Number Theory, ser. Lecture Notes in Computer Science, J. P. Buhler, Ed. Springer, 1998, vol. 1423.
[11] D. Boneh, K. Lewi, H. Montgomery, and A. Raghunathan, Key homomorphic PRFs and their applications, in CRYPTO.
[12] J. Camenisch and M. Stadler, Proof systems for general statements about discrete logarithms, Dept. of Computer Science, ETH Zurich, Tech. Rep. 260, Mar.
[13] J. L. Camenisch, Group signature schemes and payment systems based on the discrete logarithm problem, Ph.D. dissertation, Swiss Federal Institute of Technology Zürich (ETH Zürich).
[14] R. Canetti, S. Halevi, and J. Katz, A forward-secure public-key encryption scheme, in EUROCRYPT.
[15] D. Chaum, The Dining Cryptographers problem: Unconditional sender and recipient untraceability, Journal of Cryptology, Jan.
[16] D. L. Chaum, Untraceable electronic mail, return addresses, and digital pseudonyms, Communications of the ACM, vol. 24, no. 2.
[17] B. Chor and N. Gilboa, Computationally private information retrieval, in STOC. ACM.
[18] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan, Private information retrieval, Journal of the ACM, vol. 45, no. 6.
[19] M. R. Clarkson, S. Chong, and A. C. Myers, Civitas: A secure voting system, Cornell University, Tech. Rep., May.
[20] H. Corrigan-Gibbs and B. Ford, Dissent: Accountable anonymous group messaging, in CCS. ACM, October.
[21] H. Corrigan-Gibbs, D. I. Wolinsky, and B. Ford, Proactively accountable anonymous messaging in Verdict, in USENIX Security Symposium.
[22] R. Cramer, I. Damgård, and B. Schoenmakers, Proofs of partial knowledge and simplified design of witness hiding protocols, in CRYPTO.
[23] G. Danezis and C. Diaz, A survey of anonymous communication channels, Microsoft Research, Tech. Rep. MSR-TR.
[24] G. Danezis, R. Dingledine, and N. Mathewson, Mixminion: Design of a type III anonymous remailer protocol, in Security and Privacy. IEEE.
[25] G. Danezis and A. Serjantov, Statistical disclosure or intersection attacks on anonymity systems, in Information Hiding Workshop, May.
[26] D. Demmler, A. Herzberg, and T. Schneider, RAID-PIR: Practical multi-server PIR, in WPES.
[27] C. Devet and I. Goldberg, The best of both worlds: Combining information-theoretic and computational PIR for communication efficiency, in PETS, July.
[28] R. Dingledine, N. Mathewson, and P. Syverson, Tor: The second-generation onion router, in USENIX Security Symposium, Aug.
[29] M. Edman and B. Yener, On anonymity in an electronic society: A survey of anonymous communication systems, ACM Computing Surveys, vol. 42, no. 1, p. 5.
[30] R. Fagin, M. Naor, and P. Winkler, Comparing information without leaking it, Communications of the ACM, vol. 39, no. 5.
[31] U. Feige, A. Fiat, and A. Shamir, Zero-knowledge proofs of identity, Journal of Cryptology, vol. 1, no. 2.
[32] M. J. Freedman and R. Morris, Tarzan: A peer-to-peer anonymizing network layer, in CCS. ACM.
[33] J. Furukawa, Efficient, verifiable shuffle decryption and its requirement of unlinkability, in PKC.
[34] W. Gasarch, A survey on private information retrieval, in Bulletin of the EATCS.
[35] B. Gellman and A. Soltani, NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say, Washington Post, Oct.
[36] B. Gellman, J. Tate, and A. Soltani, In NSA-intercepted data, those not targeted far outnumber the foreigners who are, Washington Post, 5 Jul.
[37] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, Protecting data privacy in private information retrieval schemes, in STOC.
[38] N. Gilboa and Y. Ishai, Distributed point functions and their applications, in EUROCRYPT.
[39] S. Goel, M. Robson, M. Polte, and E. Sirer, Herbivore: A scalable and efficient protocol for anonymous communication, Cornell University, Tech. Rep.
[40] V. Goel, Government push for Yahoo's user data set stage for broad surveillance, New York Times, p. B3, 7 Sept.
[41] I. Goldberg, Improving the robustness of private information retrieval, in Security and Privacy. IEEE.
[42] O. Goldreich, S. Micali, and A. Wigderson, How to play any mental game, in STOC. ACM.
[43] O. Goldreich, S. Micali, and A. Wigderson, Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems, Journal of the ACM, vol. 38, no. 3.
[44] S. Goldwasser, S. Micali, and C. Rackoff, The knowledge complexity of interactive proof systems, SIAM Journal on Computing, vol. 18, no. 1.
[45] P. Golle and A. Juels, Dining cryptographers revisited, in EUROCRYPT.
[46] J. Groth, A verifiable secret shuffle of homomorphic encryptions, Journal of Cryptology, vol. 23, no. 4.
[47] J. Groth and S. Lu, Verifiable shuffle of large size ciphertexts, in PKC.
[48] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, A pseudorandom generator from any one-way function, SIAM Journal on Computing, vol. 28, no. 4.
[49] H.-C. Hsiao, T.-J. Kim, A. Perrig, A. Yamada, S. C. Nelson, M. Gruteser, and W. Meng, LAP: Lightweight anonymity and privacy, in Security and Privacy. IEEE, May.
[50] A. Johnson, Design and analysis of efficient anonymous-communication protocols, Ph.D. dissertation, Yale University, Dec.
[51] C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and K. T., RFC 7296: Internet key exchange protocol version 2 (IKEv2), Oct.
[52] D. Kesdogan, D. Agrawal, and S. Penz, Limits of anonymity in open environments, in Information Hiding.
[53] R. Krikorian, New Tweets per second record, and how! https://blog.twitter.com/2013/new-tweets-per-second-record-and-how, Aug.
[54] S. Le Blond, D. Choffnes, W. Zhou, P. Druschel, H. Ballani, and P. Francis, Towards efficient traffic-analysis resistant anonymity networks, in SIGCOMM. ACM.
[55] B. Liskov and J. Cowling, Viewstamped replication revisited, MIT CSAIL, Tech. Rep. MIT-CSAIL-TR, Jul.
[56] M. G. Luby, M. Luby, and A. Wigderson, Pairwise independence and derandomization. Now Publishers Inc.
[57] N. Mathewson and R. Dingledine, Practical traffic analysis: Extending and resisting statistical disclosure, in Privacy Enhancing Technologies.
[58] V. S. Miller, Use of elliptic curves in cryptography, in CRYPTO.
[59] J. Mirkovic and T. Benzel, Teaching cybersecurity with DeterLab, Security & Privacy, vol. 10, no. 1.
[60] P. Mittal and N. Borisov, ShadowWalker: Peer-to-peer anonymous communication using redundant structured topologies, in CCS. ACM, November.
[61] S. J. Murdoch and G. Danezis, Low-cost traffic analysis of Tor, in Security and Privacy. IEEE.
More informationA new look at atomic broadcast in the asynchronous. crashrecovery model
A new look at atomc broadcast n the asynchronous crashrecovery model Sergo Mena André Schper École Polytechnque Fédérale de Lausanne (EPFL) Dstrbuted Systems Laboratory CH1015 Lausanne, Swtzerland Tel.:
More informationMultiplePeriod Attribution: Residuals and Compounding
MultplePerod Attrbuton: Resduals and Compoundng Our revewer gave these authors full marks for dealng wth an ssue that performance measurers and vendors often regard as propretary nformaton. In 1994, Dens
More informationChapter 4 ECONOMIC DISPATCH AND UNIT COMMITMENT
Chapter 4 ECOOMIC DISATCH AD UIT COMMITMET ITRODUCTIO A power system has several power plants. Each power plant has several generatng unts. At any pont of tme, the total load n the system s met by the
More informationComplete Fairness in Secure TwoParty Computation
Complete Farness n Secure TwoParty Computaton S. Dov Gordon Carmt Hazay Jonathan Katz Yehuda Lndell Abstract In the settng of secure twoparty computaton, two mutually dstrustng partes wsh to compute
More informationEfficient Project Portfolio as a tool for Enterprise Risk Management
Effcent Proect Portfolo as a tool for Enterprse Rsk Management Valentn O. Nkonov Ural State Techncal Unversty Growth Traectory Consultng Company January 5, 27 Effcent Proect Portfolo as a tool for Enterprse
More information1.1 The University may award Higher Doctorate degrees as specified from timetotime in UPR AS11 1.
HIGHER DOCTORATE DEGREES SUMMARY OF PRINCIPAL CHANGES General changes None Secton 3.2 Refer to text (Amendments to verson 03.0, UPR AS02 are shown n talcs.) 1 INTRODUCTION 1.1 The Unversty may award Hgher
More informationSection 5.3 Annuities, Future Value, and Sinking Funds
Secton 5.3 Annutes, Future Value, and Snkng Funds Ordnary Annutes A sequence of equal payments made at equal perods of tme s called an annuty. The tme between payments s the payment perod, and the tme
More informationA Probabilistic Theory of Coherence
A Probablstc Theory of Coherence BRANDEN FITELSON. The Coherence Measure C Let E be a set of n propostons E,..., E n. We seek a probablstc measure C(E) of the degree of coherence of E. Intutvely, we want
More informationAN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS
Internatonal Journal of Network Securty & Its Applcatons (IJNSA), Vol.5, No.3, May 2013 AN EFFICIENT GROUP AUTHENTICATION FOR GROUP COMMUNICATIONS Len Harn 1 and Changlu Ln 2 1 Department of Computer Scence
More informationAn Optimally Robust Hybrid Mix Network (Extended Abstract)
An Optmally Robust Hybrd Mx Network (Extended Abstract) Markus Jakobsson and Ar Juels RSA Laboratores Bedford, MA, USA {mjakobsson,ajuels}@rsasecurty.com Abstract We present a mx network that acheves effcent
More informationJ. Parallel Distrib. Comput.
J. Parallel Dstrb. Comput. 71 (2011) 62 76 Contents lsts avalable at ScenceDrect J. Parallel Dstrb. Comput. journal homepage: www.elsever.com/locate/jpdc Optmzng server placement n dstrbuted systems n
More informationFast Variants of RSA
Fast Varants of RSA Dan Boneh dabo@cs.stanford.edu Hovav Shacham hovav@cs.stanford.edu Abstract We survey three varants of RSA desgned to speed up RSA decrypton. These varants are backwards compatble n
More informationFeature selection for intrusion detection. Slobodan Petrović NISlab, Gjøvik University College
Feature selecton for ntruson detecton Slobodan Petrovć NISlab, Gjøvk Unversty College Contents The feature selecton problem Intruson detecton Traffc features relevant for IDS The CFS measure The mrmr measure
More informationLogistic Regression. Lecture 4: More classifiers and classes. Logistic regression. Adaboost. Optimization. Multiple class classification
Lecture 4: More classfers and classes C4B Machne Learnng Hlary 20 A. Zsserman Logstc regresson Loss functons revsted Adaboost Loss functons revsted Optmzaton Multple class classfcaton Logstc Regresson
More information2.4 Bivariate distributions
page 28 2.4 Bvarate dstrbutons 2.4.1 Defntons Let X and Y be dscrete r.v.s defned on the same probablty space (S, F, P). Instead of treatng them separately, t s often necessary to thnk of them actng together
More informationA role based access in a hierarchical sensor network architecture to provide multilevel security
1 A role based access n a herarchcal sensor network archtecture to provde multlevel securty Bswajt Panja a Sanjay Kumar Madra b and Bharat Bhargava c a Department of Computer Scenc Morehead State Unversty
More informationIDENTIFICATION AND CORRECTION OF A COMMON ERROR IN GENERAL ANNUITY CALCULATIONS
IDENTIFICATION AND CORRECTION OF A COMMON ERROR IN GENERAL ANNUITY CALCULATIONS Chrs Deeley* Last revsed: September 22, 200 * Chrs Deeley s a Senor Lecturer n the School of Accountng, Charles Sturt Unversty,
More informationTrivial lump sum R5.0
Optons form Once you have flled n ths form, please return t wth your orgnal brth certfcate to: Premer PO Box 2067 Croydon CR90 9ND. Fll n ths form usng BLOCK CAPITALS and black nk. Mark all answers wth
More informationINVESTIGATION OF VEHICULAR USERS FAIRNESS IN CDMAHDR NETWORKS
21 22 September 2007, BULGARIA 119 Proceedngs of the Internatonal Conference on Informaton Technologes (InfoTech2007) 21 st 22 nd September 2007, Bulgara vol. 2 INVESTIGATION OF VEHICULAR USERS FAIRNESS
More informationLecture 2: Single Layer Perceptrons Kevin Swingler
Lecture 2: Sngle Layer Perceptrons Kevn Sngler kms@cs.str.ac.uk Recap: McCullochPtts Neuron Ths vastly smplfed model of real neurons s also knon as a Threshold Logc Unt: W 2 A Y 3 n W n. A set of synapses
More informationTraffic State Estimation in the Traffic Management Center of Berlin
Traffc State Estmaton n the Traffc Management Center of Berln Authors: Peter Vortsch, PTV AG, Stumpfstrasse, D763 Karlsruhe, Germany phone ++49/72/965/35, emal peter.vortsch@ptv.de Peter Möhl, PTV AG,
More informationRequIn, a tool for fast web traffic inference
RequIn, a tool for fast web traffc nference Olver aul, Jean Etenne Kba GET/INT, LOR Department 9 rue Charles Fourer 90 Evry, France Olver.aul@ntevry.fr, JeanEtenne.Kba@ntevry.fr Abstract As networked
More informationVision Mouse. Saurabh Sarkar a* University of Cincinnati, Cincinnati, USA ABSTRACT 1. INTRODUCTION
Vson Mouse Saurabh Sarkar a* a Unversty of Cncnnat, Cncnnat, USA ABSTRACT The report dscusses a vson based approach towards trackng of eyes and fngers. The report descrbes the process of locatng the possble
More informationEE201 Circuit Theory I 2015 Spring. Dr. Yılmaz KALKAN
EE201 Crcut Theory I 2015 Sprng Dr. Yılmaz KALKAN 1. Basc Concepts (Chapter 1 of Nlsson  3 Hrs.) Introducton, Current and Voltage, Power and Energy 2. Basc Laws (Chapter 2&3 of Nlsson  6 Hrs.) Voltage
More informationPAS: A Packet Accounting System to Limit the Effects of DoS & DDoS. Debish Fesehaye & Klara Naherstedt University of IllinoisUrbana Champaign
PAS: A Packet Accountng System to Lmt the Effects of DoS & DDoS Debsh Fesehaye & Klara Naherstedt Unversty of IllnosUrbana Champagn DoS and DDoS DDoS attacks are ncreasng threats to our dgtal world. Exstng
More informationFORMAL ANALYSIS FOR REALTIME SCHEDULING
FORMAL ANALYSIS FOR REALTIME SCHEDULING Bruno Dutertre and Vctora Stavrdou, SRI Internatonal, Menlo Park, CA Introducton In modern avoncs archtectures, applcaton software ncreasngly reles on servces provded
More informationMAPP. MERIS level 3 cloud and water vapour products. Issue: 1. Revision: 0. Date: 9.12.1998. Function Name Organisation Signature Date
Ttel: Project: Doc. No.: MERIS level 3 cloud and water vapour products MAPP MAPPATBDClWVL3 Issue: 1 Revson: 0 Date: 9.12.1998 Functon Name Organsaton Sgnature Date Author: Bennartz FUB Preusker FUB Schüller
More informationProvably Secure Single Signon Scheme in Distributed Systems and Networks
0 IEEE th Internatonal Conference on Trust, Securty and Prvacy n Computng and Communcatons Provably Secure Sngle Sgnon Scheme n Dstrbuted Systems and Networks Jangshan Yu, Guln Wang, and Y Mu Center for
More informationFormulating & Solving Integer Problems Chapter 11 289
Formulatng & Solvng Integer Problems Chapter 11 289 The Optonal Stop TSP If we drop the requrement that every stop must be vsted, we then get the optonal stop TSP. Ths mght correspond to a ob sequencng
More informationtaposh_kuet20@yahoo.comcsedchan@cityu.edu.hk rajib_csedept@yahoo.co.uk, alam_shihabul@yahoo.com
G. G. Md. Nawaz Al 1,2, Rajb Chakraborty 2, Md. Shhabul Alam 2 and Edward Chan 1 1 Cty Unversty of Hong Kong, Hong Kong, Chna taposh_kuet20@yahoo.comcsedchan@ctyu.edu.hk 2 Khulna Unversty of Engneerng
More informationActivity Scheduling for CostTime Investment Optimization in Project Management
PROJECT MANAGEMENT 4 th Internatonal Conference on Industral Engneerng and Industral Management XIV Congreso de Ingenería de Organzacón Donosta San Sebastán, September 8 th 10 th 010 Actvty Schedulng
More informationEfficient Dynamic Integrity Verification for Big Data Supporting Users Revocability
nformaton Artcle Effcent Dynamc Integrty Verfcaton for Bg Data Supportng Users Revocablty Xnpeng Zhang 1,2, *, Chunxang Xu 1, Xaojun Zhang 1, Tazong Gu 2, Zh Geng 2 and Guopng Lu 2 1 School of Computer
More informationNetwork Security Situation Evaluation Method for Distributed Denial of Service
Network Securty Stuaton Evaluaton Method for Dstrbuted Denal of Servce Jn Q,2, Cu YMn,2, Huang MnHuan,2, Kuang XaoHu,2, TangHong,2 ) Scence and Technology on Informaton System Securty Laboratory, Bejng,
More informationInequality and The Accounting Period. Quentin Wodon and Shlomo Yitzhaki. World Bank and Hebrew University. September 2001.
Inequalty and The Accountng Perod Quentn Wodon and Shlomo Ytzha World Ban and Hebrew Unversty September Abstract Income nequalty typcally declnes wth the length of tme taen nto account for measurement.
More informationThe EigenTrust Algorithm for Reputation Management in P2P Networks
The EgenTrust Algorthm for Reputaton Management n P2P Networks Sepandar D. Kamvar Stanford Unversty sdkamvar@stanford.edu Maro T. Schlosser Stanford Unversty schloss@db.stanford.edu Hector GarcaMolna
More informationCalculating the high frequency transmission line parameters of power cables
< ' Calculatng the hgh frequency transmsson lne parameters of power cables Authors: Dr. John Dcknson, Laboratory Servces Manager, N 0 RW E B Communcatons Mr. Peter J. Ncholson, Project Assgnment Manager,
More informationSEVERAL trends are opening up the era of Cloud
1 Towards Secure and Dependable Storage Servces n Cloud Computng Cong Wang, Student Member, IEEE, Qan Wang, Student Member, IEEE, Ku Ren, Member, IEEE, Nng Cao, Student Member, IEEE, and Wenjng Lou, Senor
More informationLecture 7 March 20, 2002
MIT 8.996: Topc n TCS: Internet Research Problems Sprng 2002 Lecture 7 March 20, 2002 Lecturer: Bran Dean Global Load Balancng Scrbe: John Kogel, Ben Leong In today s lecture, we dscuss global load balancng
More informationEnsuring Data Storage Security in Cloud Computing
1 Ensurng Data Storage Securty n Cloud Computng Cong Wang,Qan Wang, Ku Ren, and Wenjng Lou Dept of ECE, Illnos Insttute of Technology, Emal: {cwang, qwang, kren}@ecetedu Dept of ECE, Worcester Polytechnc
More informationFuzzy Keyword Search over Encrypted Data in Cloud Computing
Fuzzy Keyword Search over Encrypted Data n Cloud Computng Jn L,QanWang, Cong Wang,NngCao,KuRen, and Wenjng Lou Department of ECE, Illnos Insttute of Technology Department of ECE, Worcester Polytechnc Insttute
More informationdenote the location of a node, and suppose node X . This transmission causes a successful reception by node X for any other node
Fnal Report of EE359 Class Proect Throughput and Delay n Wreless Ad Hoc Networs Changhua He changhua@stanford.edu Abstract: Networ throughput and pacet delay are the two most mportant parameters to evaluate
More informationAddendum to: Importing SkillBiased Technology
Addendum to: Importng SkllBased Technology Arel Bursten UCLA and NBER Javer Cravno UCLA August 202 Jonathan Vogel Columba and NBER Abstract Ths Addendum derves the results dscussed n secton 3.3 of our
More informationPractical PIR for Electronic Commerce
Practcal PIR for Electronc Commerce Ryan Henry Cherton School of Computer Scence Unversty of Waterloo Waterloo ON Canada N2L 3G1 rhenry@cs.uwaterloo.ca Fem Olumofn Cherton School of Computer Scence Unversty
More informationNew bounds in BalogSzemerédiGowers theorem
New bounds n BalogSzemerédGowers theorem By Tomasz Schoen Abstract We prove, n partcular, that every fnte subset A of an abelan group wth the addtve energy κ A 3 contans a set A such that A κ A and A
More informationTools for Privacy Preserving Distributed Data Mining
Tools for Prvacy Preservng Dstrbuted Data Mnng hrs lfton, Murat Kantarcoglu, Jadeep Vadya Purdue Unversty Department of omputer Scences 250 N Unversty St West Lafayette, IN 479072066 USA (clfton, kanmurat,
More informationLecture 3: Force of Interest, Real Interest Rate, Annuity
Lecture 3: Force of Interest, Real Interest Rate, Annuty Goals: Study contnuous compoundng and force of nterest Dscuss real nterest rate Learn annutymmedate, and ts present value Study annutydue, and
More informationSecure and Efficient Proof of Storage with Deduplication
Secure and Effcent Proof of Storage wth Deduplcaton Qng Zheng Department of Computer Scence Unversty of Texas at San Antono qzheng@cs.utsa.edu Shouhua Xu Department of Computer Scence Unversty of Texas
More information