Riposte: An Anonymous Messaging System Handling Millions of Users




Henry Corrigan-Gibbs, Dan Boneh, and David Mazières
Stanford University

Abstract

This paper presents Riposte, a new system for anonymous broadcast messaging. Riposte is the first such system, to our knowledge, that simultaneously protects against traffic-analysis attacks, prevents anonymous denial-of-service by malicious clients, and scales to million-user anonymity sets. To achieve these properties, Riposte makes novel use of techniques used in systems for private information retrieval and secure multi-party computation. For latency-tolerant workloads with many more readers than writers (e.g. Twitter, Wikileaks), we demonstrate that a three-server Riposte cluster can build an anonymity set of 2,895,216 users in 32 hours.

1 Introduction

In a world of ubiquitous network surveillance [7, 35, 36, 40, 63], prospective whistleblowers face a daunting task. Consider, for example, a government employee who wants to anonymously leak evidence of waste, fraud, or incompetence to the public. The whistleblower could email an investigative reporter directly, but post hoc analysis of email server logs could easily reveal the tipster's identity. The whistleblower could contact a reporter via Tor [28] or another low-latency anonymizing proxy [32, 54, 60, 72], but this would leave the leaker vulnerable to traffic-analysis attacks [4, 61, 62]. The whistleblower could instead use an anonymous messaging system that protects against traffic analysis attacks [15, 39, 78], but these systems typically only support relatively small anonymity sets (tens of thousands of users, at most). Protecting whistleblowers in the digital age requires anonymous messaging systems that provide strong security guarantees, but that also scale to very large network sizes.

(This is the extended version of a paper by the same name that appeared at the IEEE Symposium on Security and Privacy in May 2015.)

In this paper, we present a new system that attempts to make traffic-analysis-resistant anonymous broadcast messaging practical at Internet scale. Our system, called Riposte, allows a large number of clients to anonymously post messages to a shared bulletin board, maintained by a small set of minimally trusted servers. (As few as three non-colluding servers are sufficient.) Whistleblowers could use Riposte as a platform for anonymously publishing Tweet- or email-length messages and could combine it with standard public-key encryption to build point-to-point private messaging channels.

While there is an extensive literature on anonymity systems [23, 29], Riposte offers a combination of security and scalability properties unachievable with current designs. To the best of our knowledge, Riposte is the only anonymous messaging system that simultaneously:

1. protects against traffic analysis attacks,
2. prevents malicious clients from anonymously executing denial-of-service attacks, and
3. scales to anonymity set sizes of millions of users, for certain latency-tolerant applications.

We achieve these three properties in Riposte by adapting three different techniques from the cryptography and privacy literature. First, we defeat traffic-analysis attacks and protect against malicious servers by using a protocol, inspired by client/server DC-nets [15, 78], in which every participating client sends a fixed-length secret-shared message to the system's servers in every time epoch. Second, we achieve efficient disruption resistance by using a secure multi-party protocol to quickly detect and exclude malformed client requests [30, 42, 79]. Third, we achieve scalability by leveraging a specific technique developed in the context of private information retrieval (PIR) to minimize the number of bits each client must upload to each server in every time epoch. The tool we use is called a distributed point function [17, 38]. The novel synthesis of these techniques leads to a system that is efficient (in terms of bandwidth and computation) and practical, even for large anonymity sets.

Our particular use of private information retrieval (PIR) protocols is unusual: PIR systems [18] allow a client to efficiently read a row from a database, maintained collectively at a set of servers, without revealing to the servers which row it is reading. Riposte achieves scalable anonymous messaging by running a private information retrieval protocol in reverse: with reverse PIR, a Riposte client can efficiently write into a database maintained at the set of servers without revealing to the servers which row it has written [68].

As we discuss later on, a large Riposte deployment could form the basis for an anonymous Twitter service. Users would tweet by using Riposte to anonymously write into a database containing all clients' tweets for a particular time period. In addition, by having read-only users submit empty writes to the system, the effective anonymity set can be much larger than the number of writers, with little impact on system performance.

Messaging in Riposte proceeds in regular time epochs (e.g., each time epoch could be one hour long). To post a message, the client generates a write request, cryptographically splits it into many shares, and sends one share to each of the Riposte servers. A coalition of servers smaller than a certain threshold cannot learn anything about the client's message or write location given its subset of the shares. The Riposte servers collect write requests until the end of the time epoch, at which time they publish the aggregation of the write requests they received during the epoch. From this information, anyone can recover the set of posts uploaded during the epoch, but the system reveals no information about who posted which message. The identity of the entire set of clients who posted during the interval is known, but no one can link a client to a post. (Thus, each time epoch must be long enough to ensure that a large number of honest clients are able to participate in each epoch.)

In this paper, we describe two Riposte variants, which offer slightly different security properties. The first variant scales to very large network sizes (millions of clients) but requires three servers such that no two of these servers collude. The second variant is more computationally expensive, but provides security even when all but one of the $s > 1$ servers are malicious. Both variants maintain their security properties when network links are actively adversarial, when all but two of the clients are actively malicious, and when the servers are actively malicious (subject to the non-collusion requirement above). The three-server variant uses a computationally inexpensive multi-party protocol to detect and exclude malformed client requests. (Figure 1 depicts this protocol at a high level.) The s-server variant uses client-produced zero-knowledge proofs to guarantee the well-formedness of client requests.

Unlike Tor [28] and other low-latency anonymity systems [39, 49, 54, 72], Riposte protects against active traffic analysis attacks by a global network adversary. Prior systems have offered traffic-analysis-resistance only at the cost of scalability: mix-net-based systems [16] require large zero-knowledge proofs of correctness to provide privacy in the face of active attacks by malicious servers [2, 5, 33, 46, 66]. DC-nets-based systems require clients to transfer data linear in the size of the anonymity set [15, 78] and rely on expensive zero-knowledge proofs to protect against malicious clients [21, 45]. We discuss these systems and other prior work in Section 7.

Experiments. To demonstrate the practicality of Riposte for anonymous broadcast messaging (i.e., anonymous whistleblowing or microblogging), we implemented and evaluated the complete three-server variant of the system. When the servers maintain a database table large enough to fit 65,536 160-byte Tweets, the system can process 32.8 client write requests per second. In Section 6.3, we discuss how to use a table of this size as the basis for very large anonymity sets in read-heavy applications. When using a larger 377 MB database table (over 2.3 million 160-byte Tweets), a Riposte cluster can process 1.4 client write requests per second. Writing into a 377 MB table requires each client to upload less than 1 MB of data to the servers. In contrast, a two-server DC-net-based system would require each client to upload more than 750 MB of data. More generally, to process a Riposte client request for a table of size L, clients and servers perform only $O(\sqrt{L})$ bytes of data transfer.

The servers' AES-NI encryption throughput limits the rate at which Riposte can process client requests at large table sizes. Thus, the system's capacity to handle client write requests scales with the number of available CPU cores. A large Riposte deployment could shard the database table across k machines to achieve a near-k-fold speedup.

We tested the system with anonymity set sizes of up to 2,895,216 clients, with a read-heavy latency-tolerant microblogging workload. To our knowledge, this is the largest anonymity set ever constructed in a system defending against traffic analysis attacks. Prior DC-net-based systems scaled to 5,120 clients [78] and prior verifiable-shuffle-based systems scaled to 100,000 clients [5]. In contrast, Riposte scales to millions of clients for certain applications.

Figure 1: The process of handling a single client write request. The servers run this process once per client in each time epoch. (a) A client submits one share of its write request to each of the two database servers. If the database has length L, each share has length $O(\sqrt{L})$. (b) The database servers generate blinded audit request messages derived from their shares of the write request. (c) The audit server uses the audit request messages to validate the client's request and returns an "OK" or "Invalid" bit to the database servers. (d) The servers apply the write request to their local database state. The XOR of the servers' states contains the client's message at the given row.

Contributions. This paper contributes:
- two new bandwidth-efficient and traffic-analysis-resistant anonymous messaging protocols, obtained by running private information retrieval protocols in reverse (Sections 3 and 4),
- a fast method for excluding malformed client requests (Section 5),
- a method to recover from transmission collisions in DC-net-style anonymity systems, and
- experimental evaluation of these protocols with anonymity set sizes of up to 2,895,216 users (Section 6).

In Section 2, we introduce our goals, threat model, and security definitions. Section 3 presents the high-level system architecture. Section 4 and Section 5 detail our techniques for achieving bandwidth efficiency and disruption resistance in Riposte. We evaluate the performance of the system in Section 6, survey related work in Section 7, and conclude in Section 8.

2 Goals and Problem Statement

In this section, we summarize the high-level goals of the Riposte system and present our threat model and security definitions.

2.1 System Goals

Riposte implements an anonymous bulletin board using a primitive we call a write-private database scheme. Riposte enables clients to write into a shared database, collectively maintained at a small set of servers, without revealing to the servers the location or contents of the write. Conceptually, the database table is just a long fixed-length bitstring divided into fixed-length rows. To write into the database, a client generates a write request. The write request encodes the message to be written and the row index at which the client wants to write. (A single client write request modifies a single database row at a time.) Using cryptographic techniques, the client splits its write request into a number of shares and the client sends one share to each of the servers. By construction of the shares, no coalition of servers smaller than a particular pre-specified threshold can learn the contents of a single client's write request. While the cluster of servers must remain online for the duration of a protocol run, a client need only stay online for long enough to upload its write request to the servers. As soon as the servers receive a write request, they can apply it to their local state.

The Riposte cluster divides time into a series of epochs. During each time epoch, servers collect many write requests from clients. When the servers agree that the epoch has ended, they combine their shares of the database to reveal the clients' plaintext messages. A particular client's anonymity set consists of all of the honest clients who submitted write requests to the servers during the time epoch. Thus, if 50,000 distinct honest clients submitted write requests during a particular time epoch, each honest client is perfectly anonymous amongst this set of 50,000 clients. The epoch could be measured in time (e.g., 4 hours), in a number of write requests (e.g., accumulate 10,000 write requests before ending the epoch), or by some more complicated condition (e.g., wait for a write request signed from each of these 150 users identified by a pre-defined list of public keys). The definition of what constitutes an epoch is crucial for security, since a client's anonymity set is only as large as the number of honest clients who submit write requests in the same epoch [74].

When using Riposte as a platform for anonymous microblogging, the rows would be long enough to fit a Tweet (140 bytes) and the number of rows would be some multiple of the number of anticipated users. To anonymously Tweet, a client would use the write-private database scheme to write its message into a random row of the database. After many clients have written to the database, the servers can reveal the clients' plaintext Tweets. The write-privacy of the database scheme prevents eavesdroppers, malicious clients, and coalitions of malicious servers (smaller than a particular threshold) from learning which client posted which message.

2.2 Threat Model

Clients in our system are completely untrusted: they may submit maliciously formed write requests to the system and may collude with servers or with arbitrarily many other clients to try to break the security properties of the system.

Servers in our system are trusted for availability. The failure, whether malicious or benign, of any one server renders the database state unrecoverable but does not compromise the anonymity of the clients. To protect against benign failures, server maintainers could implement a single logical Riposte server with a cluster of many physical servers running a standard state-machine-replication protocol [55, 67].

For each of the cryptographic instantiations of Riposte, there is a threshold parameter t that defines the number of malicious servers that the system can tolerate while still maintaining its security properties. We make no assumptions about the behavior of malicious servers: they can misbehave by publishing their secret keys, by colluding with coalitions of up to t malicious servers and arbitrarily many clients, or by mounting any other sort of attack against the system. The threshold t depends on the particular cryptographic primitives in use. For our most secure scheme, all but one of the servers can collude without compromising client privacy ($t = |\text{Servers}| - 1$). For our most efficient scheme, no two servers can collude ($t = 1$).

2.3 Security Goals

The Riposte system implements a write-private and disruption-resistant database scheme. We describe the correctness and security properties for such a scheme here.

Definition 1 (Correctness). The scheme is correct if, when all servers execute the protocol faithfully, the plaintext state of the database revealed at the end of a protocol run is equal to the result of applying each valid client write request to an empty database (i.e., a database of all zeros).

Since we rely on all servers for availability, correctness need only hold when all servers run the protocol correctly. To be useful as an anonymous bulletin board, the database scheme must be write-private and disruption resistant. We define these security properties here.

(s, t)-Write Privacy. Intuitively, the system provides (s, t)-write-privacy if an adversary's advantage at guessing which honest client wrote into a particular row of the database is negligibly better than random guessing, even when the adversary controls all but two clients and up to t out of s servers (where t is a parameter of the scheme). We define this property in terms of a privacy game, given in full in Appendix A.

Definition 2 ((s, t)-Write Privacy). We say that the protocol provides (s, t)-write privacy if the adversary's advantage in the security game of Appendix A is negligible in the (implicit) security parameter.

Riposte provides a very robust sort of privacy: the adversary can select the messages that the honest clients will send and can send maliciously formed messages that depend on the honest clients' messages. Even then, the adversary still cannot guess which client uploaded which message.

Disruption resistance. The system is disruption resistant if an adversary who controls n clients can write into at most n database rows during a single time epoch. A system that lacks disruption resistance might be susceptible to denial-of-service attacks: a malicious client could corrupt every row in the database with a single write request. Even worse, the write privacy of the system might prevent the servers from learning which client was the disruptor. Preventing such attacks is a major focus of prior anonymous messaging schemes [15, 39, 45, 76, 78]. Under our threat model, we trust all servers for availability of the system (though not for privacy). Thus, our definition of disruption resistance concerns itself only with clients attempting to disrupt the system; we do not try to prevent servers from corrupting the database state.

We formally define disruption resistance using the following game, played between a challenger and an adversary. In this game, the challenger plays the role of all of the servers and the adversary plays the role of all clients.

1. The adversary sends n write requests to the challenger (where n is less than or equal to the number of rows in the database).

2. The challenger runs the protocol for a single time epoch, playing the role of the servers. The challenger then combines the servers' database shares to reveal the plaintext output.

The adversary wins the game if the plaintext output contains more than n non-zero rows.

Definition 3 (Disruption Resistance). We say that the protocol is disruption resistant if the probability that the adversary wins the game above is negligible in the (implicit) security parameter.

2.4 Intersection Attacks

Riposte makes it infeasible for an adversary to determine which client posted which message within a particular time epoch. If an adversary can observe traffic patterns across many epochs, as the set of online clients changes, the adversary can make statistical inferences about which client is sending which stream of messages [25, 52, 57]. These intersection or statistical disclosure attacks affect many anonymity systems and defending against them is an important, albeit orthogonal, problem [57, 77]. Even so, intersection attacks typically become more difficult to mount as the size of the anonymity set increases, so Riposte's support for very large anonymity sets makes it less vulnerable to these attacks than are many prior systems.

3 System Architecture

As described in the prior section, a Riposte deployment consists of a small number of servers, who maintain the database state, and a large number of clients. To write into the database, a client splits its write request using secret sharing techniques and sends a single share to each of the servers. Each server updates its database state using the client's share. After collecting write requests from many clients, the servers combine their shares to reveal the plaintexts represented by the write requests. The security requirement is that no coalition of t servers can learn which client wrote into which row of the database.

3.1 A First-Attempt Construction: Toy Protocol

As a starting point, we sketch a simple straw-man construction that demonstrates the techniques behind our scheme. This first-attempt protocol shares some design features with anonymous communication schemes based on client/server DC-nets [15, 78].

In the simple scheme, we have two servers, A and B, and each server stores an L-bit bitstring, initialized to all zeros. We assume for now that the servers do not collude, i.e., that one of the two servers is honest. The bitstrings represent shares of the database state and each row of the database is a single bit.

Consider a client who wants to write a 1 into row l of the database. To do so, the client generates a random L-bit bitstring r. The client sends r to server A and $r \oplus e_l$ to server B, where $e_l$ is an L-bit vector of zeros with a one at index l and $\oplus$ denotes bitwise XOR. Upon receiving the write request from the client, each server XORs the received string into its share of the database. After processing n write requests, the database state at server A will be
$$d_A = r_1 \oplus \cdots \oplus r_n$$
and the database at server B will be
$$d_B = (e_{l_1} \oplus \cdots \oplus e_{l_n}) \oplus (r_1 \oplus \cdots \oplus r_n) = (e_{l_1} \oplus \cdots \oplus e_{l_n}) \oplus d_A.$$
At the end of the time epoch, the servers can reveal the plaintext database by combining their local states $d_A$ and $d_B$. The construction generalizes to fields larger than $\mathbb{F}_2$. For example, each row of the database could be a k-bit bitstring instead of a single bit.

To prevent impersonation, network-tampering, and replay attacks, we use authenticated and encrypted channels with per-message nonces bound to the time epoch identifier. This protocol satisfies the write-privacy property as long as the two servers do not collude (assuming that the clients and servers deploy the replay attack defenses mentioned above). Indeed, server A can information-theoretically simulate its view of a run of the protocol given only $e_{l_1} \oplus \cdots \oplus e_{l_n}$ as input. A similar argument shows that the protocol is write-private with respect to server B as well.

This first-attempt protocol has two major limitations. The first limitation is that it is not bandwidth-efficient. If millions of clients want to use the system in each time epoch, then the database must be at least millions of bits in length. To flip a single bit in the database then, each client must send millions of bits to each database, in the form of a write request. The second limitation is that it is not disruption resistant: a malicious client can corrupt the entire database with a single malformed request. To do so, the malicious client picks random L-bit bitstrings r and r', sends r to server A, and sends r' (instead of $r \oplus e_l$) to server B. Thus, a single malicious client can efficiently and anonymously deny service to all honest clients. Improving bandwidth efficiency and adding disruption resistance are the two core contributions of this work, and we return to them in Sections 4 and 5.

3.2 Collisions

Putting aside the issues of bandwidth efficiency and disruption resistance for the moment, we now discuss the issue of colliding writes to the shared database. If clients write into random locations in the database, there is some chance that one client's write request will overwrite a previous client's message. If client A writes message $m_A$ into location l, client B might later write message $m_B$ into the same location l. In this case, row l will contain $m_A \oplus m_B$, and the contents of row l will be unrecoverable.

To address this issue, we set the size of the database table to be large enough to accommodate the expected number of write requests for a given success rate. For example, the servers can choose a table size that is large enough to accommodate $2^{10}$ write requests such that 95% of write requests will not be involved in a collision (in expectation). Under these parameters, 5% of the write requests will fail and those clients will have to resubmit their write requests in a future time epoch.

We can determine the appropriate table size by solving a simple balls and bins problem. If we throw m balls independently and uniformly at random into n bins, how many bins contain exactly one ball? Here, the m balls represent the write requests and the n bins represent the rows of the database. Let $B_{ij}$ be the event that ball i falls into bin j. For all i and j, $\Pr[B_{ij}] = 1/n$. Let $O_i^{(1)}$ be the event that exactly one ball falls into bin i. Then
$$\Pr[O_i^{(1)}] = \frac{m}{n}\left(1 - \frac{1}{n}\right)^{m-1}.$$
Expanding using the binomial theorem and ignoring low order terms we obtain
$$\Pr[O_i^{(1)}] \approx \frac{m}{n} - \left(\frac{m}{n}\right)^2 + \frac{1}{2}\left(\frac{m}{n}\right)^3,$$
where the approximation ignores terms of order $(m/n)^4$ and $o(1/n)$. Then $n \Pr[O_i^{(1)}]$ is the expected number of bins with exactly one ball, which is the expected number of messages successfully received.
Dividing this quantity by m gives the expected success rate, so that
$$E[\text{SuccessRate}] = \frac{n}{m}\Pr[O_i^{(1)}] \approx 1 - \frac{m}{n} + \frac{1}{2}\left(\frac{m}{n}\right)^2.$$
So, if we want an expected success rate of 95% then we need $n \approx 19.5m$. For example, with $m = 2^{10}$ writers, we would use a table of size $n \approx 20{,}000$.

Handling collisions. We can shrink the table size n by coding the writes so that we can recover from collisions. We show how to handle two-way collisions, that is, when at most two clients write to the same location in the database. Let us assume that the messages being written to the database are elements in some field $\mathbb{F}$ of odd characteristic (say $\mathbb{F} = \mathbb{F}_p$ where $p = 2^{64} - 59$). We replace the XOR operation used in the basic scheme by addition in $\mathbb{F}$. To recover from a two-way collision we will need to double the size of each cell in the database, but the overall number of cells n will shrink by more than a factor of two.

When a client A wants to write the message $m_A \in \mathbb{F}$ to location l in the database, the client will actually write the pair $(m_A, m_A^2) \in \mathbb{F}^2$ into that location. Clearly if no collision occurs at location l then recovering $m_A$ at the end of the epoch is trivial: simply drop the second coordinate (it is easy to test that no collision occurred because the second coordinate is a square of the first). Now, suppose a collision occurs with some client B who also added her own message $(m_B, m_B^2) \in \mathbb{F}^2$ to the same location l (and no other client writes to location l). Then at the end of the epoch the published values are
$$S_1 = m_A + m_B \pmod p \quad \text{and} \quad S_2 = m_A^2 + m_B^2 \pmod p.$$
From these values it is quite easy to recover both $m_A$ and $m_B$ by observing that
$$2S_2 - S_1^2 = (m_A - m_B)^2 \pmod p,$$
from which we obtain $m_A - m_B$ by taking a square root modulo p (it does not matter which of the two square roots we use; they both lead to the same result). Since $S_1 = m_A + m_B$ is also given, it is now easy to recover both $m_A$ and $m_B$.

Now that we can recover from two-way collisions we can shrink the number of cells n in the table. Let $O_i^{(2)}$ be the event that exactly two balls fell into bin i. Then the expected number of received messages is
$$n \Pr[O_i^{(1)}] + 2n \Pr[O_i^{(2)}] \quad (1)$$
where
$$\Pr[O_i^{(2)}] = \binom{m}{2}\left(\frac{1}{n}\right)^2\left(1 - \frac{1}{n}\right)^{m-2}.$$
As before, dividing the expected number of received messages (1) by m, expanding using the binomial theorem, and ignoring low order terms gives the expected success rate as
$$E[\text{SuccessRate}] \approx 1 - \frac{1}{2}\left(\frac{m}{n}\right)^2 + \frac{1}{3}\left(\frac{m}{n}\right)^3.$$
So, if we want an expected success rate of 95% we need a table with $n \approx 2.7m$ cells. This is a far smaller table than before, when we could not handle collisions. In that case we needed $n \approx 19.5m$, which results in much bigger tables, despite each cell being half as big. Shrinking the table reduces the storage and computational burden on the servers.

This two-way collision handling technique generalizes to handle k-way collisions for $k > 2$. To handle k-way collisions, we increase the size of each cell by a factor of k and have each client write $(m, m^2, \ldots, m^k) \in \mathbb{F}^k$ to its chosen cell. A k-collision gives k equations in k variables that can be efficiently solved to recover all k messages, as long as the characteristic of $\mathbb{F}$ is greater than k. Using $k > 2$ further reduces the table size as the desired success rate approaches one. The collision handling method described in this section will also improve performance of our full system, which we describe in the next section.

Adversarial collisions. The analysis above assumes that clients behave honestly. Adversarial clients, however, need not write into random rows of the database, i.e., all m balls might not be thrown independently and uniformly at random. A coalition of clients might, for example, try to increase the probability of collisions by writing into the database using some malicious strategy. By symmetry of writes we can assume that all $\hat{m}$ adversarial clients write to the database before the honest clients do. Now a message from an honest client is properly received at the end of an epoch if it avoids all the cells filled by the malicious clients. We can therefore carry out the honest client analysis above assuming the database contains $n - \hat{m}$ cells instead of n cells. In other words, given a bound $\hat{m}$ on the number of malicious clients we can calculate the required table size n. In practice, if too many collisions are detected at the end of an epoch the servers can adaptively double the size of the table so that the next epoch has fewer collisions.
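The straw-man protocol of Section 3.1 and the collision handling and table-sizing analysis of Section 3.2, as one added example written for this page; it is not code from the Riposte paper or from the authors' implementation. It follows the paper's own generalization of the two-server XOR scheme to addition in $\mathbb{F}_p$ with $p = 2^{64} - 59$, encodes each write as $(m, m^2)$, recovers two-way collisions from the modular square root of $2S_2 - S_1^2$, and checks the 95% sizing rule against the exact balls-and-bins expectation rather than the truncated series. The table size ROWS, the sample rows and messages, and the use of Tonelli-Shanks for the square root are assumptions of the example (p is 1 mod 4, so the shorter $a^{(p+1)/4}$ root does not apply).

```python
# Added example, not code from the Riposte paper or its implementation: the
# two-server straw-man of Section 3.1 over F_p instead of F_2, with the (m, m^2)
# encoding and balls-and-bins sizing of Section 3.2. ROWS and messages are made up.
import secrets

P = 2**64 - 59   # prime field from the paper's example; note p is 1 mod 4
ROWS = 8         # toy table size (assumption)


def sqrt_mod_p(a, p=P):
    """Tonelli-Shanks square root modulo p. Because p = 2^64-59 is 1 mod 4,
    the one-line a^((p+1)/4) shortcut does not apply. Raises on a non-residue."""
    a %= p
    if a == 0:
        return 0
    if pow(a, (p - 1) // 2, p) != 1:
        raise ValueError("not a quadratic residue")
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:   # find any non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:                         # least i with t^(2^i) == 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r

def split_write(row, msg, rows=ROWS):
    """Client: encode (msg, msg^2) at `row` and additively share the whole
    table, so that each server's share on its own is uniformly random."""
    share_a = [[secrets.randbelow(P), secrets.randbelow(P)] for _ in range(rows)]
    share_b = [[-x % P, -y % P] for x, y in share_a]    # shares sum to zero...
    share_b[row][0] = (share_b[row][0] + msg) % P       # ...except at `row`
    share_b[row][1] = (share_b[row][1] + msg * msg) % P
    return share_a, share_b

def apply_share(state, share):
    """Server: add a received share into local state; there is nothing to parse."""
    for cell, s in zip(state, share):
        cell[0], cell[1] = (cell[0] + s[0]) % P, (cell[1] + s[1]) % P

def reveal(state_a, state_b):
    """End of epoch: the servers publish the sum of their states."""
    return [[(x + y) % P for x, y in zip(ca, cb)] for ca, cb in zip(state_a, state_b)]

def recover_row(s1, s2):
    """Decode one published cell: [] if empty, [m] for one writer, [mA, mB] for
    a two-way collision, None if inconsistent (3+ writers or a corrupted row)."""
    if s1 == 0 and s2 == 0:
        return []
    if s2 == s1 * s1 % P:                  # second coordinate is the square of the first
        return [s1]
    try:
        d = sqrt_mod_p((2 * s2 - s1 * s1) % P)   # (mA - mB)^2 = 2*S2 - S1^2
    except ValueError:
        return None
    inv2 = (P + 1) // 2                    # inverse of 2 modulo P
    return sorted([(s1 + d) * inv2 % P, (s1 - d) * inv2 % P])

def expected_success_rate(m, n, two_way=False):
    """Exact form of the Section 3.2 expectation: the fraction of m uniform writes
    that land alone in one of n cells (or with at most one other, if two_way)."""
    alone = (1 - 1 / n) ** (m - 1)
    return alone if not two_way else alone * (1 + (m - 1) / (n - 1))

def table_size_for(m, target, two_way=False):
    """Smallest n whose expected success rate reaches `target`."""
    n = max(m, 2)
    while expected_success_rate(m, n, two_way) < target:
        n += 1
    return n

def run_epoch(requests):
    """Two honest servers absorb (share_a, share_b) pairs and decode the table."""
    state_a, state_b = [[0, 0] for _ in range(ROWS)], [[0, 0] for _ in range(ROWS)]
    for sa, sb in requests:
        apply_share(state_a, sa)
        apply_share(state_b, sb)
    return [recover_row(s1, s2) for s1, s2 in reveal(state_a, state_b)]

def malformed_request(rows=ROWS):
    """Straw-man weakness: two unrelated random vectors look exactly like a
    valid share pair to each server, yet turn every published row into junk."""
    return split_write(0, 0, rows)[0], split_write(0, 0, rows)[0]

if __name__ == "__main__":
    # Constructed sample: three honest writers, two of them colliding on row 5.
    honest = [split_write(3, 1111), split_write(5, 2222), split_write(5, 3333)]
    print(run_epoch(honest))                          # row 3 -> [1111], row 5 -> [2222, 3333]
    print(run_epoch(honest + [malformed_request()]))  # every row junk; row 3 is lost
    print(table_size_for(1024, 0.95), table_size_for(1024, 0.95, two_way=True))
```

Run as a script it prints the decoded table for three honest writers, the same table after one malformed request, and the required table sizes for $m = 2^{10}$. Two points from the text are visible in the output: after the malformed request every row decodes to None or to bogus values that happen to pass the square test, and neither server can distinguish the two unrelated random vectors from a well-formed share pair, so it cannot even identify which client to drop. The exact expectation reproduces $n \approx 19.5m$ for the one-way case but asks for roughly $2.8m$ cells in the two-way case, a little more than the $2.7m$ from the series, because the dropped $(m/n)^4$ term is no longer negligible once $m/n \approx 0.36$.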
3.3 Forward Security

Even the first-attempt scheme sketched in Section 3.1 provides forward security in the event that all of the servers' secret keys are compromised [14]. To be precise: an adversary could compromise the state and secret keys of all servers after the servers have processed $n$ write requests from honest clients, but before the time epoch has ended. Even in this case, the adversary will be unable to determine which of the $n$ clients submitted which of the $n$ plaintext messages with a non-negligible advantage over random guessing. (We assume here that clients and servers communicate using encrypted channels which themselves have forward secrecy [51].) This forward security property means that clients need not trust that the servers stay honest forever, just that they are honest at the moment when the client submits its upload request. Being able to weaken the trust assumption about the servers in this way might be valuable in hostile environments, in which an adversary could compromise a server at any time without warning.

Mix-nets do not have this property, since servers must accumulate a set of onion-encrypted messages before shuffling and decrypting them [16]. If an adversary always controls the first mix server and if it can compromise the rest of the mix servers after accumulating a set of ciphertexts, the adversary can de-anonymize all of the system's users. DC-net-based systems that use blame protocols to retroactively discover disruptors have a similar weakness [20, 78]. The full Riposte protocol maintains this forward security property.

4 Improving Bandwidth Efficiency with Distributed Point Functions

This section describes how application of private information retrieval techniques can improve the bandwidth efficiency of the first-attempt protocol.

Notation. The symbol $\mathbb{F}$ denotes an arbitrary finite field, $\mathbb{Z}_L$ is the ring of integers modulo $L$. We use $e_l \in \mathbb{F}^L$ to represent a vector that is zero everywhere except at index $l \in \mathbb{Z}_L$, where it has value 1.
Thus, for $m \in \mathbb{F}$, the vector $m \cdot e_l \in \mathbb{F}^L$ is the vector whose value is zero everywhere except at index $l$, where it has value $m$. For a finite set $S$, the notation $x \leftarrow_R S$ indicates that the value of $x$ is sampled independently and uniformly at random from $S$. The element $v[i]$ is the value of a vector $v$ at index $i$. We index vectors starting at zero.

4.1 Definitions

The bandwidth inefficiency of the protocol sketched above comes from the fact that the client must send an $L$-bit vector to each server to flip a single bit in the logical database. To reduce this $O(L)$ bandwidth overhead, we apply techniques inspired by private information retrieval protocols [17, 18, 38]. The problem of private information retrieval (PIR) is essentially the converse of the problem we are interested in here. In PIR, the client must read a bit from a replicated database without revealing to the servers the index being read. In our setting, the client must write a bit into a replicated database without revealing to the servers the index being written. Ostrovsky and Shoup first made this connection in the context of a private information storage protocol [68].

PIR schemes allow the client to split its query to the servers into shares such that (1) a subset of the shares does not leak information about the index of interest, and (2) the length of the query shares is much less than the length of the database. The core building block of many PIR schemes, which we adopt for our purposes, is a distributed point function. Although Gilboa and Ishai [38] defined distributed point functions as a primitive only recently, many prior PIR schemes make implicit use of the primitive [17, 18]. Our definition of a distributed point function follows that of Gilboa and Ishai, except that we generalize the definition to allow for more than two servers.

First, we define a (non-distributed) point function.

Definition 4 (Point Function). Fix a positive integer $L$ and a finite field $\mathbb{F}$. For all $l \in \mathbb{Z}_L$ and $m \in \mathbb{F}$, the point function $P_{l,m} : \mathbb{Z}_L \to \mathbb{F}$ is the function such that $P_{l,m}(l) = m$ and $P_{l,m}(l') = 0$ for all $l' \neq l$.

That is, the point function $P_{l,m}$ has the value 0 when evaluated at any input not equal to $l$ and it has the value $m$ when evaluated at $l$. For example, if $L = 5$ and $\mathbb{F} = \mathbb{F}_2$, the point function $P_{3,1}$ takes on the values $(0,0,0,1,0)$ when evaluated on the values $(0,1,2,3,4)$ (note that we index vectors from zero).

An $(s,t)$-distributed point function provides a way to distribute a point function $P_{l,m}$ amongst $s$ servers such that no coalition of at most $t$ servers learns anything about $l$ or $m$ given their $t$ shares of the function.

Definition 5 (Distributed Point Function (DPF)). Fix a positive integer $L$ and a finite field $\mathbb{F}$. An $(s,t)$-distributed point function consists of a pair of possibly randomized algorithms that implement the following functionalities:
- $\mathrm{Gen}(l, m) \to (k_0, \dots, k_{s-1})$. Given an integer $l \in \mathbb{Z}_L$ and value $m \in \mathbb{F}$, output a list of $s$ keys.
- $\mathrm{Eval}(k, l') \to m'$. Given a key $k$ generated using Gen, and an index $l' \in \mathbb{Z}_L$, return a value $m' \in \mathbb{F}$.
We define correctness and privacy for a distributed point function as follows:

Correctness. For a collection of $s$ keys generated using $\mathrm{Gen}(l,m)$, the sum of the outputs of these keys (generated using Eval) must equal the point function $P_{l,m}$. More formally, for all $l, l' \in \mathbb{Z}_L$ and $m \in \mathbb{F}$:
$$\Pr\left[(k_0,\dots,k_{s-1}) \leftarrow \mathrm{Gen}(l,m) : \sum_{i=0}^{s-1} \mathrm{Eval}(k_i, l') = P_{l,m}(l')\right] = 1$$
where the probability is taken over the randomness of the Gen algorithm.

Privacy. Let $S$ be any subset of $\{0, \dots, s-1\}$ such that $|S| \le t$. Then for any $l \in \mathbb{Z}_L$ and $m \in \mathbb{F}$, let $D_{S,l,m}$ denote the distribution of keys $\{(k_i) \mid i \in S\}$ induced by $(k_0,\dots,k_{s-1}) \leftarrow \mathrm{Gen}(l,m)$. We say that an $(s,t)$-DPF maintains privacy if there exists a p.p.t. algorithm Sim such that the following distributions are computationally indistinguishable:
$$D_{S,l,m} \approx_c \mathrm{Sim}(S)$$
That is, any subset of at most $t$ keys leaks no information about $l$ or $m$. (We can also strengthen this definition to require statistical or perfect indistinguishability.)

Toy Construction. To make this definition concrete, we first construct a trivial information-theoretically secure $(s, s-1)$-distributed point function with length-$L$ keys. As above, we fix a length $L$ and a finite field $\mathbb{F}$.
- $\mathrm{Gen}(l,m) \to (k_0, \dots, k_{s-1})$. Generate random vectors $k_0, \dots, k_{s-2} \leftarrow_R \mathbb{F}^L$. Set $k_{s-1} = m \cdot e_l - \sum_{i=0}^{s-2} k_i$.
- $\mathrm{Eval}(k, l') \to m'$. Interpret $k$ as a vector in $\mathbb{F}^L$. Return the value of the vector $k$ at index $l'$.

The correctness property of this construction follows immediately. Privacy is maintained because the distribution of any collection of $s-1$ keys is independent of $l$ and $m$. This toy construction uses length-$L$ keys to distribute a point function with domain $\mathbb{Z}_L$. Later in this section we describe DPF constructions which use much shorter keys.

4.2 Applying Distributed Point Functions for Bandwidth Efficiency

We can now use DPFs to improve the efficiency of the write-private database scheme introduced in Section 3.1.
We show that the existence of an $(s,t)$-DPF with keys of length $|k|$ (along with standard cryptographic assumptions) implies the existence of a write-private database scheme using $s$ servers that maintains anonymity in the presence of $t$ malicious servers, such that write requests have length $s \cdot |k|$. Any DPF construction with short keys thus immediately implies a bandwidth-efficient write-private database scheme. The construction is a generalization of the one presented in Section 3.1. We now assume that there are $s$ servers such that no more than $t$ of them collude. Each of the $s$ servers maintains a vector in $\mathbb{F}^L$ as their database state, for some fixed finite field $\mathbb{F}$ and integer $L$. Each row in the database is now an element of $\mathbb{F}$ and the database has $L$ rows.

When the client wants to write a message $m \in \mathbb{F}$ into location $l \in \mathbb{Z}_L$ in the database, the client uses an $(s,t)$-distributed point function to generate a set of $s$ DPF keys: $(k_0, \dots, k_{s-1}) \leftarrow \mathrm{Gen}(l,m)$. The client then sends one of the keys to each of the servers. Each server can then expand the key into a vector $v \in \mathbb{F}^L$ by computing $v(l') = \mathrm{Eval}(k, l')$ for $l' = 0, \dots, L-1$. The server then adds this vector $v$ into its database state, using addition in $\mathbb{F}^L$. At the end of the time epoch, all servers combine their database states to reveal the set of client-submitted messages.

Correctness. The correctness of this construction follows directly from the correctness of the DPF. For each of the $n$ write requests submitted by the clients, denote the $j$-th key in the $i$-th request as $k_{i,j}$, denote the write location as $l_i$, and the message being written as $m_i$. When the servers combine their databases at the end of the epoch, the contents of the final database at row $l$ will be:
$$d_l = \sum_{i=0}^{n-1} \sum_{j=0}^{s-1} \mathrm{Eval}(k_{i,j}, l) = \sum_{i=0}^{n-1} P_{l_i, m_i}(l) \in \mathbb{F}$$
In words: as desired, the combined database contains the sum of $n$ point functions, one for each of the write requests.

Anonymity. The anonymity of this construction follows directly from the privacy property of the DPF. Given the plaintext database state $d$ (as defined above), any coalition of $t$ servers can simulate its view of the protocol. By definition of DPF privacy, there exists a simulator Sim, which simulates the distribution of any subset of $t$ DPF keys generated using Gen. The coalition of servers can use this simulator to simulate each of the $n$ write requests it sees during a run of the protocol. Thus, the servers can simulate their view of a protocol run and cannot win the anonymity game with non-negligible advantage.

Efficiency. A client in this scheme sends $|k|$ bits to each server (where $k$ is a DPF key), so the bandwidth efficiency of the scheme depends on the efficiency of the DPF. As we will show later in this section, $|k|$ can be much smaller than the length of the database.
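The toy $(s, s-1)$-DPF of Section 4.1 wired into the $s$-server scheme just described, as an added example (not code from the paper or the Riposte prototype). It assumes rows are elements of $\mathbb{F} = \mathbb{F}_{2^{8 \cdot \mathrm{rowLen}}}$ stored as byte strings, so addition and subtraction in $\mathbb{F}$ are both XOR; each server only ever sees its own key, which is uniformly random on its own.

```go
package main

import "crypto/rand"

// Key is a toy DPF key: a full vector in F^L, one rowLen-byte field element per row.
type Key [][]byte

func xorInto(dst, src []byte) { // addition (and subtraction) in a binary field
	for i := range dst {
		dst[i] ^= src[i]
	}
}

func randomRow(n int) []byte {
	row := make([]byte, n)
	if _, err := rand.Read(row); err != nil {
		panic(err)
	}
	return row
}

// Gen(l, m) -> (k_0, ..., k_{s-1}): k_0..k_{s-2} are uniform in F^L and
// k_{s-1} = m*e_l - (k_0 + ... + k_{s-2}), so all s keys sum to the point function P_{l,m}.
func Gen(s, L, l int, m []byte) []Key {
	keys := make([]Key, s)
	last := make(Key, L)
	for j := range last {
		last[j] = make([]byte, len(m))
	}
	xorInto(last[l], m) // m * e_l
	for i := 0; i < s-1; i++ {
		keys[i] = make(Key, L)
		for j := range keys[i] {
			keys[i][j] = randomRow(len(m))
			xorInto(last[j], keys[i][j]) // subtract k_i
		}
	}
	keys[s-1] = last
	return keys
}

// Eval(k, l') -> m' is just the l'-th entry of the key vector.
func Eval(k Key, lp int) []byte { return k[lp] }

// Server is one server's database state, a vector in F^L.
type Server [][]byte

// Write expands a DPF key over the whole domain and adds it into the state (Section 4.2).
func (sv Server) Write(k Key) {
	for lp := range sv {
		xorInto(sv[lp], Eval(k, lp))
	}
}

// Request is one client's write of Msg into row Row.
type Request struct {
	Row int
	Msg []byte
}

// RunEpoch gives every server a fresh state, has each client send one key per server,
// and finally sums all server states to reveal the plaintext database d.
func RunEpoch(s, L, rowLen int, reqs []Request) [][]byte {
	servers := make([]Server, s)
	for i := range servers {
		servers[i] = make(Server, L)
		for j := range servers[i] {
			servers[i][j] = make([]byte, rowLen)
		}
	}
	for _, r := range reqs {
		keys := Gen(s, L, r.Row, r.Msg)
		for i := range servers {
			servers[i].Write(keys[i]) // server i sees only k_i
		}
	}
	combined := make([][]byte, L)
	for j := range combined {
		combined[j] = make([]byte, rowLen)
		for _, sv := range servers {
			xorInto(combined[j], sv[j])
		}
	}
	return combined
}

func main() {
	// Constructed sample input: three clients write into an 8-row table of 4-byte rows.
	reqs := []Request{{2, []byte("abcd")}, {5, []byte("wxyz")}, {7, []byte("1234")}}
	for row, val := range RunEpoch(3, 8, 4, reqs) {
		println(row, string(val))
	}
}
```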
4.3 A Two-Server Scheme Tolerating One Malicious Server

Having established that DPFs with short keys lead to bandwidth-efficient write-private database schemes, we now present one such DPF construction. This construction is a simplification of the computational PIR scheme of Chor and Gilboa [17]. This is a $(2,1)$-DPF with keys of length $O(\sqrt{L})$ operating on a domain of size $L$. This DPF yields a two-server write-private database scheme tolerating one malicious server such that writing into a database of size $L$ requires sending $O(\sqrt{L})$ bits to each server. Gilboa and Ishai [38] construct a $(2,1)$-DPF with even shorter keys ($|k| = \mathrm{polylog}(L)$), but the construction presented here is efficient enough for the database sizes we use in practice.

Although the DPF construction works over any field, we describe it here using the binary field $\mathbb{F} = \mathbb{F}_{2^k}$ (the field of $k$-bit bitstrings) to simplify the exposition. When $\mathrm{Eval}(k, l')$ is run on every integer $l' \in \{0, \dots, L-1\}$, its output is a vector of $L$ field elements. The DPF key construction conceptually works by representing this vector of $L$ field elements as an $x \times y$ matrix, such that $xy \ge L$. The trick that makes the construction work is that the size of the keys needs only to grow with the size of the sides of this matrix rather than its area. The DPF keys that $\mathrm{Gen}(l,m)$ outputs give an efficient way to construct two matrices $M_A$ and $M_B$ that differ only at one cell $l = (l_x, l_y) \in \mathbb{Z}_x \times \mathbb{Z}_y$ (Figure 2).

Fix a binary finite field $\mathbb{F} = \mathbb{F}_{2^k}$, a DPF domain size $L$, and integers $x$ and $y$ such that $xy \ge L$. (Later in this section, we describe how to choose $x$ and $y$ to minimize the key size.) The construction requires a pseudo-random generator (PRG) $G$ that stretches seeds from some space $\mathbb{S}$ into length-$y$ vectors of elements of $\mathbb{F}$ [48]. So the signature of the PRG is $G : \mathbb{S} \to \mathbb{F}^y$. In practice, an implementation might use AES-128 in counter mode as the pseudorandom generator [65]. The algorithms comprising the DPF are:

- $\mathrm{Gen}(l,m) \to (k_A, k_B)$. Compute integers $l_x \in \mathbb{Z}_x$ and $l_y \in \mathbb{Z}_y$ such that $l = l_x \cdot y + l_y$.
Sample a random bitvector $b_A \leftarrow_R \{0,1\}^x$, a random vector of PRG seeds $s_A \leftarrow_R \mathbb{S}^x$, and a single random PRG seed $s^*_{l_x} \leftarrow_R \mathbb{S}$. Given $b_A$ and $s_A$, we define $b_B$ and $s_B$ as:
$$b_A = (b_0, \dots, b_{l_x}, \dots, b_{x-1}) \qquad b_B = (b_0, \dots, \bar{b}_{l_x}, \dots, b_{x-1})$$
$$s_A = (s_0, \dots, s_{l_x}, \dots, s_{x-1}) \qquad s_B = (s_0, \dots, s^*_{l_x}, \dots, s_{x-1})$$
That is, the vectors $b_A$ and $b_B$ (similarly $s_A$ and $s_B$) differ only at index $l_x$. Let $m \cdot e_{l_y}$ be the vector in $\mathbb{F}^y$ of all zeros except that it has value $m$ at index $l_y$. Define $v \leftarrow m \cdot e_{l_y} + G(s_{l_x}) + G(s^*_{l_x})$. The output DPF keys are: $k_A = (b_A, s_A, v)$ and $k_B = (b_B, s_B, v)$.
- $\mathrm{Eval}(k, l') \to m'$. Interpret $k$ as a tuple $(b, s, v)$. To evaluate the PRF at index $l'$, first write $l'$ as an $(l'_x, l'_y)$ tuple such that $l'_x \in \mathbb{Z}_x$, $l'_y \in \mathbb{Z}_y$, and $l' = l'_x \cdot y + l'_y$. Use the PRG $G$ to stretch the $l'_x$-th seed of $s$ into a length-$y$ vector: $g \leftarrow G(s[l'_x])$. Return $m' \leftarrow g[l'_y] + b[l'_x] \cdot v[l'_y]$.

Figure 2 graphically depicts how Eval stretches the keys into a table of $x \times y$ field elements.

Figure 2: Left: We represent the output of Eval as an $x \times y$ matrix of field elements. Left-center: Construction of the $v$ vector used in the DPF keys. Right: using the $v$, $s$, and $b$ vectors, Eval expands each of the two keys into an $x \times y$ matrix of field elements. These two matrices sum to zero everywhere except at $(l_x, l_y) = (3,4)$, where they sum to $m$.

Correctness. We prove correctness of the scheme in Appendix B.

Privacy. The privacy property requires that there exists an efficient simulator that, on input $A$ or $B$, outputs samples from a distribution that is computationally indistinguishable from the distribution of DPF keys $k_A$ or $k_B$. The simulator Sim simulates each component of the DPF key as follows: It samples $b \leftarrow_R \{0,1\}^x$, $s \leftarrow_R \mathbb{S}^x$, and $v \leftarrow_R \mathbb{F}^y$. The simulator returns $(b, s, v)$. We must now argue that the simulator's output distribution is computationally indistinguishable from that induced by the distribution of a single output of Gen. Since the $b$ and $s$ vectors outputted by Gen are random, the simulation is perfect. The $v$ vector outputted by Gen is computationally indistinguishable from random, since it is padded with the output of the PRG seeded with a seed unknown to the holder of the key. An efficient algorithm to distinguish the simulated $v$ vector from random can then also distinguish the PRG output from random.

Key Size. A key for this DPF scheme consists of: a vector in $\{0,1\}^x$, a vector in $\mathbb{S}^x$, and a vector in $\mathbb{F}^y$. Let $\alpha$ be the number of bits required to represent an element of $\mathbb{S}$ and let $\beta$ be the number of bits required to represent an element of $\mathbb{F}$. The total length of a key is then:
$$|k| = (1 + \alpha)x + \beta y$$
For fixed spaces $\mathbb{S}$ and $\mathbb{F}$, we can find the optimal choices of $x$ and $y$ to minimize the key length.
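Before choosing $x$ and $y$, here is the $(2,1)$-DPF just described in working form, as an added example (not the paper's construction text or the Riposte prototype's Go code). It assumes $G$ is AES-128 in counter mode with a zero IV, so $\mathbb{S} = \{0,1\}^{128}$ and $\alpha = 128$; field elements are RowLen-byte strings added by XOR, so $\beta = 8 \cdot \mathrm{RowLen}$; and $b$ is stored one byte per bit for readability while KeyBits counts it as $x$ bits, matching $|k| = (1+\alpha)x + \beta y$ above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

const seedLen = 16 // seed space S = {0,1}^128: an AES-128 key, so alpha = 128 bits

// Key is a (2,1)-DPF key (b, s, v): b in {0,1}^x (one byte per bit here), s in S^x,
// and v in F^y with F = F_{2^(8*RowLen)} represented as RowLen-byte strings.
type Key struct {
	X, Y, RowLen int
	B            []byte
	S            [][seedLen]byte
	V            [][]byte
}

// prg is G : S -> F^y, instantiated (our assumption) as AES-128-CTR with a zero IV.
func prg(seed [seedLen]byte, y, rowLen int) [][]byte {
	block, err := aes.NewCipher(seed[:])
	if err != nil {
		panic(err)
	}
	out := make([]byte, y*rowLen)
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, out)
	rows := make([][]byte, y)
	for i := range rows {
		rows[i] = out[i*rowLen : (i+1)*rowLen]
	}
	return rows
}

func xorInto(dst, src []byte) { // addition in a binary field
	for i := range dst {
		dst[i] ^= src[i]
	}
}

func mustRandom(buf []byte) {
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
}

// Gen(l, m) -> (kA, kB) for a domain of size L <= x*y, writing l = l_x*y + l_y.
func Gen(l, x, y int, m []byte) (kA, kB *Key) {
	rowLen := len(m)
	lx, ly := l/y, l%y
	kA = &Key{X: x, Y: y, RowLen: rowLen, B: make([]byte, x), S: make([][seedLen]byte, x)}
	kB = &Key{X: x, Y: y, RowLen: rowLen, B: make([]byte, x), S: make([][seedLen]byte, x)}
	var sStar [seedLen]byte
	mustRandom(sStar[:])
	for i := 0; i < x; i++ {
		var bit [1]byte
		mustRandom(bit[:])
		mustRandom(kA.S[i][:])
		kA.B[i] = bit[0] & 1
		kB.B[i], kB.S[i] = kA.B[i], kA.S[i] // b_B, s_B agree with b_A, s_A ...
	}
	kB.B[lx] ^= 1    // ... except b_B flips the bit at l_x
	kB.S[lx] = sStar // ... and s_B carries the extra seed s* at l_x
	// v = m*e_{l_y} + G(s_A[l_x]) + G(s*), shared by both keys.
	gA, gStar := prg(kA.S[lx], y, rowLen), prg(sStar, y, rowLen)
	v := make([][]byte, y)
	for j := range v {
		v[j] = make([]byte, rowLen)
		xorInto(v[j], gA[j])
		xorInto(v[j], gStar[j])
	}
	xorInto(v[ly], m)
	kA.V, kB.V = v, v
	return kA, kB
}

// Eval(k, l') -> g[l'_y] + b[l'_x]*v[l'_y] where g = G(s[l'_x]).
func Eval(k *Key, lp int) []byte {
	lx, ly := lp/k.Y, lp%k.Y
	out := make([]byte, k.RowLen)
	copy(out, prg(k.S[lx], k.Y, k.RowLen)[ly])
	if k.B[lx] == 1 {
		xorInto(out, k.V[ly])
	}
	return out
}

// Combine adds the two keys' expansions over the domain; by correctness this is m*e_l.
func Combine(kA, kB *Key, L int) [][]byte {
	rows := make([][]byte, L)
	for lp := 0; lp < L; lp++ {
		rows[lp] = Eval(kA, lp)
		xorInto(rows[lp], Eval(kB, lp))
	}
	return rows
}

// KeyBits is |k| = (1+alpha)x + beta*y with alpha = 128 and beta = 8*RowLen.
func KeyBits(k *Key) int { return (1+8*seedLen)*k.X + 8*k.RowLen*k.Y }

func main() {
	kA, kB := Gen(13, 4, 5, []byte("sixteen byte msg")) // constructed m; L = 20 as 4x5
	println("row 13 holds m:", string(Combine(kA, kB, 20)[13]) == "sixteen byte msg")
	println("key bits:", KeyBits(kA))
}
```

Each key alone is a uniformly random $(b, s)$ plus a $v$ masked by a PRG output under the seed the other key holds, which is exactly the privacy argument above.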
To do so, we solve:
$$\min_{x,y} \big((1 + \alpha)x + \beta y\big) \quad \text{subject to } xy \ge L$$
and conclude that the optimal values of $x$ and $y$ are:
$$x = c\sqrt{L} \qquad y = \frac{1}{c}\sqrt{L} \qquad \text{where } c = \sqrt{\frac{\beta}{1 + \alpha}}.$$
The key size is then $O(\sqrt{L})$. When using a database table of one million rows in length ($L = 2^{20}$), a row length of 1 KB per row ($\mathbb{F} = \mathbb{F}_{2^{8192}}$), and a PRG seed size of 128 bits (using AES-128, for example) the keys will be roughly 263 KB in length. For these parameters, the keys for the naïve construction (Section 3.1) would be 1 GB in length. Application of efficient DPFs thus yields a 4,000$\times$ bandwidth savings in this case.

Computational Efficiency. A second benefit of this scheme is that both the Gen and Eval routines are computationally efficient, since they just require performing finite field additions (i.e., XOR for binary fields) and PRG operations (i.e., computations of the AES function). The construction requires no public-key primitives.

4.4 An $s$-server Scheme Tolerating $s-1$ Malicious Servers

The $(2,1)$-DPF scheme described above achieved a key size of $O(\sqrt{L})$ bits using only symmetric-key primitives. The limitation of that construction is that it only maintains privacy when a single key is compromised. In the context of a write-private database scheme, this means that the construction can only maintain anonymity in the presence of a single malicious server. It would be much better to have a write-private database scheme with $s$ servers that maintains anonymity in the presence of $s-1$ malicious servers. To achieve this stronger security notion, we need a bandwidth-efficient $(s, s-1)$-distributed point function. In this section, we construct an $(s, s-1)$-DPF where each key has size $O(\sqrt{L})$. We do so at the cost of requiring more expensive public-key cryptographic operations, instead of the symmetric-key operations used in the prior DPF. While the $(2,1)$-DPF construction above directly follows the work of Chor and Gilboa [17], this $(s, s-1)$-DPF construction is novel, as far as we know.

This construction uses a seed-homomorphic pseudorandom generator [3, 11, 64], to split the key for the pseudo-random generator $G$ across a collection of $s$ DPF keys.

Definition 6 (Seed-Homomorphic PRG). A seed-homomorphic PRG is a pseudo-random generator $G$ mapping seeds in a group $(\mathbb{S}, \oplus)$ to outputs in a group $(\mathbb{G}, \otimes)$ with the additional property that for any $s_0, s_1 \in \mathbb{S}$:
$$G(s_0 \oplus s_1) = G(s_0) \otimes G(s_1)$$

It is possible to construct a simple seed-homomorphic PRG from the decision Diffie-Hellman (DDH) assumption [11, 64]. The public parameters for the scheme are a list of $y$ generators chosen at random from an order-$q$ group $\mathbb{G}$, in which the DDH problem is hard [10]. For example, if $\mathbb{G}$ is an elliptic curve group [58], then the public parameters will be $y$ points $(P_0, \dots, P_{y-1}) \in \mathbb{G}^y$. The seed space is $\mathbb{Z}_q$ and the generator outputs vectors in $\mathbb{G}^y$. On input $s \in \mathbb{Z}_q$, the generator outputs $(sP_0, \dots, sP_{y-1})$. The generator is seed-homomorphic because, for any $s_0, s_1 \in \mathbb{Z}_q$, and for all $i \in \{1, \dots, y\}$: $s_0 P_i + s_1 P_i = (s_0 + s_1) P_i$.

As in the prior DPF construction, we fix a DPF domain size $L$, and integers $x$ and $y$ such that $xy \ge L$. The construction requires a seed-homomorphic PRG $G : \mathbb{S} \to \mathbb{G}^y$, for some group $\mathbb{G}$ of prime order $q$. For consistency with the prior DPF construction, we will write the group operation in $\mathbb{G}$ using additive notation. Thus, the group operation applied component-wise to vectors $u, v \in \mathbb{G}^y$ results in the vector $(u + v) \in \mathbb{G}^y$. Since $\mathbb{G}$ has order $q$, $qA = 0$ for all $A \in \mathbb{G}$. The algorithms comprising the $(s, s-1)$-DPF are:

- $\mathrm{Gen}(l,m) \to (k_0, \dots, k_{s-1})$. Compute integers $l_x \in \mathbb{Z}_x$ and $l_y \in \mathbb{Z}_y$ such that $l = l_x \cdot y + l_y$. Sample random integer-valued vectors $b_0, \dots, b_{s-2} \leftarrow_R (\mathbb{Z}_q)^x$, random vectors of PRG seeds $s_0, \dots, s_{s-2} \leftarrow_R \mathbb{S}^x$, and a single random PRG seed $s^* \leftarrow_R \mathbb{S}$. Select $b_{s-1} \in (\mathbb{Z}_q)^x$ such that $\sum_{k=0}^{s-1} b_k = e_{l_x} \pmod q$ and select $s_{s-1} \in \mathbb{S}^x$ such that $\sum_{k=0}^{s-1} s_k = s^* \cdot e_{l_x} \in \mathbb{S}^x$.
Define $v \leftarrow m \cdot e_{l_y} - G(s^*)$. The DPF key for server $i \in \{0, \dots, s-1\}$ is $k_i = (b_i, s_i, v)$.
- $\mathrm{Eval}(k, l') \to m'$. Interpret $k$ as a tuple $(b, s, v)$. To evaluate the PRF at index $l'$, first write $l'$ as an $(l'_x, l'_y)$ tuple such that $l'_x \in \mathbb{Z}_x$, $l'_y \in \mathbb{Z}_y$, and $l' = l'_x \cdot y + l'_y$. Use the PRG $G$ to stretch the $l'_x$-th seed of $s$ into a length-$y$ vector: $g \leftarrow G(s[l'_x])$. Return $m' \leftarrow g[l'_y] + b[l'_x] \cdot v[l'_y]$.

We omit correctness and privacy proofs, since they follow exactly the same structure as those used to prove security of our prior DPF construction. The only difference is that correctness here relies on the fact that $G$ is a seed-homomorphic PRG, rather than a conventional PRG. As in the DPF construction of Section 4.3, the keys here are of length $O(\sqrt{L})$.

Computational Efficiency. The main computational cost of this DPF construction comes from the use of the seed-homomorphic PRG $G$. Unlike a conventional PRG, which can be implemented using AES or another fast block cipher in counter mode, known constructions of seed-homomorphic PRGs require algebraic groups [64] or lattice-based cryptography [3, 11]. When instantiating the $(s, s-1)$-DPF with the DDH-based PRG construction in elliptic curve groups, each call to the DPF Eval routine requires an expensive elliptic curve scalar multiplication. Since elliptic curve operations are, per byte, orders of magnitude slower than AES operations, this $(s, s-1)$-DPF will be orders of magnitude slower than the $(2,1)$-DPF. Security against an arbitrary number of malicious servers comes at the cost of computational efficiency, at least for these DPF constructions.

With DPFs, we can now construct a bandwidth-efficient write-private database scheme that tolerates one malicious server (first construction) or $s-1$ out of $s$ malicious servers (second construction).

5 Preventing Disruptors

The first-attempt construction of our write-private database scheme (Section 3.1) had two limitations: (1) client write requests were very large and (2) malicious clients could corrupt the database state by sending malformed write requests. We addressed the first of these two challenges in Section 4.
In this section, we address the second challenge. A client write request in our protocol just consists of a collection of $s$ DPF keys. The client sends one key to each of the $s$ servers. The servers must collectively decide whether the collection of $s$ keys is a valid output of the DPF Gen routine, without revealing any information about the keys themselves. One way to view the servers' task here is as a secure multi-party computation [42, 79]. Each server's private input is its DPF key $k_i$. The output of the protocol is a single bit, which determines if the $s$ keys $(k_0, \dots, k_{s-1})$ are a well-formed collection of DPF keys.

Since we already rely on servers for availability (Section 2.2), we need not protect against servers maliciously trying to manipulate the output of the multi-party protocol. Such manipulation could only result in corrupting the database (if a malicious server accepts a write request that it should have rejected) or denying service to an honest client (if a malicious server rejects a write request that it should have accepted). Since both attacks are tantamount to denial of service, we need not consider them. We do care, in contrast, about protecting client privacy against malicious servers. A malicious server participating in the protocol should not gain any additional information about the private inputs of other parties, no matter how it deviates from the protocol specification.

We construct two protocols for checking the validity of client write requests. The first protocol is computationally inexpensive, but requires introducing a third non-colluding party to the two-server scheme. The second protocol requires relatively expensive zero-knowledge proofs [31, 43, 44, 71], but it maintains security when all but one of $s$ servers is malicious. Both of these protocols must satisfy the standard notions of soundness, completeness, and zero-knowledge [13].

5.1 Three-Party Protocol

Our first protocol for detecting malformed write requests works with the $(2,1)$-DPF scheme presented in Section 4.3. The protocol uses only hashing and finite field additions, so it is computationally inexpensive. The downside is that it requires introducing a third audit server, which must not collude with either of the other two servers.

We first develop a three-party protocol called AlmostEqual that we use as a subroutine to implement the full write request validation protocol. The AlmostEqual protocol takes place between three parties: server $A$, server $B$, and an audit server. Server $A$'s private input is a vector $v_A \in \mathbb{F}^n$ and server $B$'s private input is a vector $v_B \in \mathbb{F}^n$. The audit server has no private input. The output of the AlmostEqual protocol is the bit 1 if $v_A$ and $v_B$ differ at exactly one index and the bit 0 otherwise.
As with classical secure multi-party computations, the goal of the protocol is to accurately compute the output without leaking any extraneous information about the players' private inputs [30, 42, 79]. We use AlmostEqual in such a way that, whenever the client's write request is properly formed and whenever no two servers collude, the output of the protocol will be 1. Thus, we need only prove the protocol secure in the case when the output is 1.

We denote an instance of the three-party protocol as $\mathrm{AlmostEqual}(v_A, v_B)$, where the arguments denote the two secret inputs of party $A$ and party $B$. The protocol proceeds as follows:
1. Servers $A$ and $B$ use a coin-flipping protocol [9] to sample $n$ hash functions $h_0, \dots, h_{n-1}$ from a family of pairwise independent hash functions $\mathcal{H}$ [56] having domain $\mathbb{F}$. The servers also agree upon a random shift value $f \in \mathbb{Z}_n$.
2. Server $A$ computes the values $m_i \leftarrow h_i(v_A[i])$ for every index $i \in \{0, \dots, n-1\}$ and sends $(m_f, m_{f+1}, \dots, m_{n-1}, m_0, \dots, m_{f-1})$ to the auditor.
3. Server $B$ repeats Step 2 with $v_B$.
4. The audit server returns 1 to servers $A$ and $B$ if and only if the vectors it receives from the two servers are equal at every index except one. The auditor returns 0 otherwise.

We include proofs of soundness, correctness, and zero-knowledge for this construction in Appendix C.

The keys for the $(2,1)$-DPF construction have the form $k_A = (b_A, s_A, v)$ and $k_B = (b_B, s_B, v)$. In a correctly formed pair of keys, the $b$ and $s$ vectors differ at a single index $l_x$, and the $v$ vector is equal to $v = m \cdot e_{l_y} + G(s_A[l_x]) + G(s_B[l_x])$. To determine whether a pair of keys is correct, server $A$ constructs a test vector $t_A$ such that $t_A[i] = b_A[i] \,\|\, s_A[i]$ for $i \in \{0, \dots, x-1\}$ (where $\|$ denotes concatenation). Server $B$ constructs a test vector $t_B$ in the same way and the two servers, along with the auditor, run the protocol $\mathrm{AlmostEqual}(t_A, t_B)$. If the output of this protocol is 1, then the servers conclude that their $b$ and $s$ vectors differ at a single index, though the protocol does not reveal to the servers which index this is.
Otherwise, the servers reject the write request.

Next, the servers must verify that the $v$ vector is well-formed. To do so, the servers compute another pair of test vectors:
$$u_A = \sum_{i=0}^{x-1} G(s_A[i]) \qquad u_B = v + \sum_{i=0}^{x-1} G(s_B[i]).$$
The servers run $\mathrm{AlmostEqual}(u_A, u_B)$ and accept the write request as valid if it returns 1. We prove security of this construction in Appendix D.

An important implementation note is that if $m = 0$, that is, if the client writes the string of all zeros into the database, then the $u$ vectors will not differ at any index and this information is leaked to the auditor. The protocol only provides security if the vectors differ at exactly one index. To avoid this information leakage, client requests must be defined such that $m \neq 0$ in every write request. To achieve this, clients could define some special non-zero value to indicate zero or could use a padding scheme to ensure that zero values occur with negligible probability.

As a practical matter, the audit server needs to be able to match up the portions of write requests coming from server $A$ with those coming from server $B$. Riposte achieves this as follows: When the client sends its upload request to server $A$, the client includes a cryptographic hash of the request it sent to server $B$ (and vice versa). Both servers can use these hashes to derive a common nonce for the request. When the servers send audit requests to the audit server, they include the nonce for the write request in question. The audit server can use the nonce to match every audit request from server $A$ with the corresponding request from server $B$.

This three-party protocol is very efficient: it only requires $O(\sqrt{L})$ applications of a hash function and $O(\sqrt{L})$ communication from the servers to the auditor. The auditor only performs a simple string comparison, so it needs minimal computational and storage capabilities.

5.2 Zero Knowledge Techniques

Our second technique for detecting disruptors makes use of non-interactive zero-knowledge proofs [12, 44, 71]. We apply zero-knowledge techniques to allow clients to prove the well-formedness of their write requests. This technique works in combination with the $(s, s-1)$-DPF presented in Section 4.4 and maintains client write-privacy when all but one of $s$ servers is dishonest. The keys for the $(s, s-1)$-DPF scheme are tuples $(b_i, s_i, v)$ such that:
$$\sum_{i=0}^{s-1} b_i = e_{l_x} \qquad \sum_{i=0}^{s-1} s_i = s^* \cdot e_{l_x} \qquad v = m \cdot e_{l_y} - G(s^*)$$
To prove that its write request was correctly formed, we have the client perform zero-knowledge proofs over collections of Pedersen commitments [69].
The public parameters for the Pedersen commitment scheme consist of a group $\mathbb{G}$ of prime order $q$ and two generators $P$ and $Q$ of $\mathbb{G}$ such that no one knows the discrete logarithm $\log_Q P$. A Pedersen commitment to a message $m \in \mathbb{Z}_q$ with randomness $r \in \mathbb{Z}_q$ is $C(m, r) = (mP + rQ) \in \mathbb{G}$ (writing the group operation additively). Pedersen commitments are homomorphic, in that given commitments to $m_0$ and $m_1$, it is possible to compute a commitment to $m_0 + m_1$:
$$C(m_0, r_0) + C(m_1, r_1) = C(m_0 + m_1, r_0 + r_1)$$
Here, we assume that the $(s, s-1)$-DPF is instantiated with the DDH-based PRG introduced in Section 4.4 and that the group $\mathbb{G}$ used for the Pedersen commitments is the same order-$q$ group used in the PRG construction.

To execute the proof, the client first generates Pedersen commitments to elements of each of the $s$ DPF keys. Then each server can verify that the client computed the commitment to the $i$-th DPF key elements correctly. The servers use the homomorphic property of Pedersen commitments to generate commitments to the sum of the elements of the DPF keys. Finally, the client proves in zero knowledge that these sums have the correct values. The protocols proceed as follows:
1. The client generates vectors of Pedersen commitments $B_i$ and $S_i$ committing to each element of $b_i$ and $s_i$. The client sends the $B_i$ and $S_i$ vectors to every server.
2. To server $i$, the client sends the opening of the commitments $B_i$ and $S_i$. Each server $i$ verifies that $B_i$ and $S_i$ are valid commitments to the $b_i$ and $s_i$ vectors in the DPF key. If this check fails at some server, server $i$ notifies the other servers and all servers reject the write request.
3. Using the homomorphic property of the commitments, each server can compute vectors of commitments $B_{\mathrm{sum}}$ and $S_{\mathrm{sum}}$ to the vectors $\sum_{i=0}^{s-1} b_i$ and $\sum_{i=0}^{s-1} s_i$.
4. Using a non-interactive zero-knowledge proof, the client proves to the servers that $B_{\mathrm{sum}}$ and $S_{\mathrm{sum}}$ are commitments to zero everywhere except at a single (secret) index $l_x$, and that $B_{\mathrm{sum}}[l_x]$ is a commitment to one.¹ This proof uses standard witness hiding techniques for discrete-logarithm-based zero knowledge proofs [12, 22]. If the proof is valid, the servers continue to check the $v$ vector.

¹ Technically, this is a zero-knowledge proof of knowledge which proves that the client knows an opening of the commitments to the stated values.

This first protocol convinces each server that the $b$ and $s$ components of the DPF keys are well formed. Next, the servers check the $v$ component:
1. For each server $i$, the client sums up the seed values it sent to server $i$: $\sigma_i = \sum_{j=0}^{s-1} s_i[j]$. The client then generates the output of $G(\sigma_i)$ and blinds it: $G_i = (\sigma_i P_1 + r_1 Q,\ \sigma_i P_2 + r_2 Q,\ \dots)$.
2. The client sends the $G_i$ values to all servers and the client sends the opening of $G_i$ to each server $i$.
3. Each server verifies that the openings are correct, and all servers reject the write request if this check fails at any server.
4. Using the homomorphic property of Pedersen commitments, every server can compute a vector of commitments $G_{\mathrm{sum}} = \left(\sum_{i=0}^{s-1} G_i\right) + v$. If $v$ is well formed, then the $G_{\mathrm{sum}}$ vector contains commitments to zero at every index except one (at which it will contain a commitment to the client's message $m$).
5. The client uses a non-interactive zero-knowledge proof to convince the servers that the vector of commitments $G_{\mathrm{sum}}$ contains commitments to zero at all indexes except one. If the proof is valid, the servers accept the write request.

We prove in Appendix E that this protocol satisfies the standard notions of soundness, completeness, and zero-knowledge [13].

6 Experimental Evaluation

To demonstrate that Riposte is a practical platform for traffic-analysis-resistant anonymous messaging, we implemented two variants of the system. The first variant uses the two-server distributed point function (Section 4.3) and uses the three-party protocol (Section 5.1) to prevent malicious clients from corrupting the database. This variant is relatively fast, since it relies primarily on symmetric-key primitives, but requires that no two of the three servers collude. Our results for the first variant include the cost of identifying and excluding malicious clients. The second variant uses the $s$-server distributed point function (Section 4.4). This variant protects against $s-1$ colluding servers, but relies on expensive public-key operations. We have not implemented the zero-knowledge proofs necessary to prevent disruptors for the $s$-server protocol (Section 5.2), so the performance numbers represent only an upper bound on the system throughput.

We wrote the prototype in the Go programming language and have published the source code online at https://bitbucket.org/henrycg/riposte/. We used the DeterLab network testbed for our experiments [59]. All of the experiments used commodity servers running Ubuntu 14.04 with four-core AES-NI-enabled Intel E3-1260L CPUs and 16 GB of RAM.
Our experimental network topology used between two and ten servers (depending on the protocol variant in use) and eight client nodes. In each of these experiments, the eight client machines used many threads of execution to submit write requests to the servers as quickly as possible. In all experiments, the server nodes connected to a common switch via 100 Mbps links, the client nodes connected to a common switch via 1 Gbps links, and the client and server switches connected via a 1 Gbps link. The round-trip network latency between each pair of nodes was 20 ms. We chose this network topology to limit the bandwidth between the servers to that of a fast WAN, but to leave client bandwidth unlimited so that the small number of client machines could saturate the servers with write requests. Error bars in the charts indicate the standard deviation of the throughput measurements.

6.1 Three-Server Protocol

A three-server Riposte cluster consists of two database servers and one audit server. The system maintains its security properties as long as no two of these three servers collude. We have fully implemented the three-server protocol, including the audit protocol (Section 5.1), so the throughput numbers listed here include the cost of detecting and rejecting malicious write requests. The prototype used AES-128 in counter mode as the pseudo-random generator, Poly1305 as the keyed hash function used in the audit protocol [8], and TLS for link encryption.

Figure 3 shows how many client write requests our Riposte cluster can service per second as the number of 160-byte rows in the database table grows. For a database table of 64 rows, the system handles 751.5 write requests per second. At a table size of 65,536 rows, the system handles 32.8 requests per second. At a table size of 1,048,576 rows, the system handles 2.86 requests per second. We chose the row length of 160 bytes because it was the smallest multiple of 32 bytes large enough to contain a 140-byte Tweet.
Throughput of the system depends only on the total size of the table (number of rows × row length), so larger row lengths might be preferable for other applications. For example, an anonymous email system using Riposte with 4096-byte rows could handle 2.86 requests per second at a table size of 40,960 rows. An upper bound on the performance of the system is the speed of the pseudo-random generator used to stretch out the DPF keys to the length of the database table. The dashed line in Figure 3 indicates this upper bound (605 MB/s), as determined using an AES benchmark written in Go. That line indicates the maximum possible throughput we could hope to achieve without aggressive optimization (e.g., writing portions of the code in assembly) or more powerful machines. Migrating the performance-critical portions of our implementation from Go to C (using OpenSSL) might increase the throughput by a factor of as much as 6, since openssl speed reports AES throughput of 3.9 GB/s, compared with the 605 MB/s we obtain with Go's crypto library. At very small table sizes, the speed at which the server can set up TLS connections with the clients limits the overall throughput to roughly 900 requests per second.

[Figure 3: As the database table size grows, the throughput of our system approaches the maximum possible given the AES throughput of our servers. Axes: throughput (client requests/sec) against database table size (number of 160-byte rows, 10 to 10M); lines: actual throughput, maximum TLS throughput, maximum AES throughput.]

[Figure 4: Use of bandwidth-efficient DPFs gives a 768× speed-up over the naïve constructions, in which a client's request is as large as the database. Axes: throughput (client requests/sec) against database table width-height ratio (0.0001 to 10000).]

Figure 4 demonstrates how the request throughput varies as the width of the table changes, while the number of bytes in the table is held constant at 10 MB. This figure demonstrates the performance advantage of using a bandwidth-efficient O(√L) DPF (Section 4) over the naïve DPF (Section 3.1). Using a DPF with optimal table size yields a throughput of 38.4 requests per second. The extreme left and right ends of the figure indicate the performance yielded by the naïve construction, in which making a write request involves sending a (1 × L)-dimension vector to each server. At the far right extreme of the table, performance drops to 0.05 requests per second, so DPFs yield a 768× speed-up.

Figure 5 indicates the total number of bytes transferred by one of the database servers and by the audit server while processing a single client write request.
[Figure 5: The total client and server data transfer scales sub-linearly with the size of the database. Axes: data transfer (bytes, 100 B to 10 GB) against database table size (number of 160-byte rows, 10 to 100M); lines: No DPF, Server (recv), Server (send), Audit (recv), Audit (send).]

The dashed line at the top of the chart indicates the number of bytes a client would need to send for a single write request if we did not use bandwidth-efficient DPFs (i.e., the dashed line indicates the size of the database table). As the figure demonstrates, the total data transfer in a Riposte cluster scales sub-linearly with the database size. When the database table is 2.5 GB in size, the database server transfers only a total of 1.23 MB to process a write request.

6.2 s-Server Protocol

In some deployment scenarios, having strong protection against server compromise may be more important than performance or scalability. In these cases, the s-server Riposte protocol provides the same basic functionality as the three-server protocol described above, except that it maintains privacy even if s−1 out of s servers collude or deviate arbitrarily from the protocol specification. We implemented the basic s-server protocol but have not yet implemented the zero-knowledge proofs necessary to prevent malicious clients from corrupting the database state (Section 5.2). These performance figures thus represent an upper bound on the s-server protocol's performance. Adding the zero-knowledge proofs would require an additional Θ(√L) elliptic curve operations per server in an L-row database. The computational cost of the proofs would almost certainly be dwarfed by the Θ(L) elliptic curve operations required to update the state of the database table.

The experiments use the DDH-based seed-homomorphic pseudo-random generator described in Section 4.4 and they use the NIST P-256 elliptic curve as the underlying algebraic group. The table row size is fixed at 160 bytes. Figure 6 demonstrates the performance of an eight-server Riposte cluster as the table size increases.
[Figure 6: Throughput of an eight-server Riposte cluster using the (8,7)-distributed point function. Axes: throughput (client requests/sec, 0.01 to 100) against database table size (number of 160-byte rows, 10 to 10k); lines: actual throughput, maximum EC throughput.]

[Figure 7: Throughput of Riposte clusters using two different database table sizes (16-row table and 64-row table) as the number of servers varies from 2 to 10. Axes: throughput (client requests/sec, 1 to 9) against number of servers.]

At a table size of 1,024 rows, the cluster can process one request every 3.44 seconds. The limiting factor is the rate at which the servers can evaluate the DDH-based pseudo-random generator (PRG), since computing each 32-byte block of PRG output requires a costly elliptic curve scalar multiplication. The dashed line in the figure indicates the maximum throughput obtainable using Go's implementation of P-256 on our servers, which in turn dictates the maximum cluster throughput. Processing a single request with a table size of one million rows would take nearly one hour with this construction, compared to 0.3 seconds in the AES-based three-server protocol.

Figure 7 shows how the throughput of the Riposte cluster changes as the number of servers varies. Since the workload is heavily CPU-bound, the throughput only decreases slightly as the number of servers increases from two to ten.

6.3 Discussion: Whistleblowing and Microblogging with Million-User Anonymity Sets

Whistleblowers, political activists, or others discussing sensitive or controversial issues might benefit from an anonymous microblogging service. A whistleblower, for example, might want to anonymously blog about an instance of bureaucratic corruption in her organization. The utility of such a system depends on the size of the anonymity set it would provide: if a whistleblower is only anonymous amongst a group of ten people, it would be easy for the whistleblower's employer to retaliate against everyone in the anonymity set. Mounting this punish-them-all attack does not require breaking the anonymity system itself, since the anonymity set is public.
As the anonymity set size grows, however, the feasibility of the punish-them-all attack quickly tends to zero. At an anonymity set size of 1,000,000 clients, mounting a punish-them-all attack would be prohibitively expensive in most situations. Riposte can handle such large anonymity sets as long as (1) clients are willing to tolerate hours of messaging latency, and (2) only a small fraction of clients writes into the database in each time epoch. Both of these requirements are satisfied in the whistleblowing scenario. First, whistleblowers might not care if the system delays their posts by a few hours. Second, the vast majority of users of a microblogging service (especially in the whistleblowing context) are more likely to read posts than write them.

To get very large anonymity sets, maintainers of an anonymous microblogging service could take advantage of the large set of read-only users to provide anonymity for the relatively small number of read-write users. The client application for such a microblogging service would enable read-write users to generate and submit Riposte write requests to a Riposte cluster running the microblogging service. However, the client application would also allow read-only users to submit an empty write request to the Riposte cluster that would always write a random message into the first row of the Riposte database. From the perspective of the servers, a read-only client would be indistinguishable from a read-write client. By leveraging read-only users in this way, we can increase the size of the anonymity set without needing to increase the size of the database table.

To demonstrate that Riposte can support very large anonymity set sizes (albeit with high latency), we configured a cluster of Riposte servers with a 65,536-row database table and left it running for 32 hours. In that period, the system processed a total of 2,895,216 write requests at an average rate of 25.19 requests per second. (To our knowledge, this is the largest anonymity set ever constructed in a system that offers protection against traffic analysis attacks.)
Using the techniques in Section 3.2, a table of this size could handle 0.3% of users writing at a collision rate of under 5%. Thus, to get an anonymity set of roughly 1,000,000 users with a three-server Riposte cluster and a database table of size 65,536, the time epoch must be at least 11 hours long.

As of 2013, Twitter reported an average throughput of 5,700 140-byte Tweets per second [53]. That is equivalent to roughly 5,000 of our 160-byte messages per second. At a table size of one million messages, our Riposte cluster's end-to-end throughput is 2.86 write requests per second (Figure 3). To handle the same volume of Tweets as Twitter does with anonymity set sizes on the order of hundreds of thousands of clients, we would need to increase the computing power of our cluster by only a factor of 1,750.² Since we are using only three servers now, we would need roughly 5,250 servers (split into three non-colluding data centers) to handle the same volume of traffic as Twitter. Furthermore, since the audit server is just doing string comparisons, the system would likely need many fewer audit servers than database servers, so the total number of servers required might be closer to 4,000.

² We assume here that scaling the number of machines by a factor of k increases our throughput by a factor of k. This assumption is reasonable given our workload, since the processing of write requests is an embarrassingly parallel task.

7 Related Work

Anonymity systems fall into one of two general categories: systems that provide low-latency communication and those that protect against traffic analysis attacks by a global network adversary. Aqua [54], Crowds [72], LAP [49], ShadowWalker [60], Tarzan [32], and Tor [28] belong to the first category of systems: they provide an anonymous proxy for real-time Web browsing, but they do not protect against an adversary who controls the network, many of the clients, and some of the nodes on a victim's path through the network. Even providing a formal definition of anonymity for low-latency systems is challenging [50], and such definitions typically do not capture the need to protect against timing attacks. Even so, it would be possible to combine Tor (or another low-latency anonymizing proxy) and Riposte to build a "best of both" anonymity system: clients would submit their write requests to the Riposte servers via the Tor network. In this configuration, even if all of the Riposte servers colluded, they could not learn which user wrote which message without also breaking the anonymity of the Tor network.

David Chaum's cascade mix networks were one of the first systems devised with the specific goal of defending against traffic-analysis attacks [16]. Since then, there have been a number of mix-net-style systems proposed, many of which explicitly weaken their protections against a near omni-present adversary [75] to improve prospects for practical usability (i.e., for email traffic) [24]. In contrast, Riposte attempts to provide very strong anonymity guarantees at the price of usability for interactive applications.

E-voting systems (also called "verifiable shuffles") achieve the sort of privacy properties that Riposte offers, and some systems even provide stronger voting-specific guarantees (receipt-freeness, proportionality, etc.), though most e-voting systems cannot provide the forward security property that Riposte offers (Section 3.3) [1, 19, 33, 46, 47, 66, 70]. In a typical e-voting system, voters submit their encrypted ballots to a few trustees, who collectively shuffle and decrypt them. While it is possible to repurpose e-voting systems for anonymous messaging, they typically require expensive zero-knowledge proofs or are inefficient when message sizes are large. Mix-nets that do not use zero-knowledge proofs of correctness typically do not provide privacy in the face of active attacks by a subset of the mix servers. For example, the verifiable shuffle protocol of Bayer and Groth [5] is one of the most efficient in the literature. Their shuffle implementation, when used with an anonymity set of size N, requires 16N group exponentiations per server and data transfer O(N).
In addition, messages must be small enough to be encoded in single group elements (a few hundred bytes at most). In contrast, our protocol requires O(L) AES operations and data transfer O(√L), where L is the size of the database table. When messages are short and when the writer/reader ratio is high, the Bayer-Groth mix may be faster than our system. In contrast, when messages are long and when the writer/reader ratio is low (i.e., L ≪ O(N)), our system is faster.

Chaum's Dining Cryptographers network (DC-net) is an information-theoretically secure anonymous broadcast channel [15]. A DC-net provides the same strong anonymity properties as Riposte does, but it requires every user of a DC-net to participate in every run of the protocol. As the number of users grows, this quickly becomes impractical. The Dissent [78] system introduced the idea of using partially trusted servers to make DC-nets practical in distributed networks. Dissent requires weaker trust assumptions than our three-server protocol does, but it requires clients to send O(L) bits to each server per time epoch (compared with our O(√L)). Also, excluding a single disruptor in a 1,000-client deployment takes over an hour. In contrast, Riposte can exclude disruptors as fast as it processes write requests (tens to hundreds per second, depending on the database size). Recent work [21] uses zero-knowledge techniques to speed up disruption resistance in Dissent (building on ideas of Golle and Juels [45]). Unfortunately, these techniques limit the system's end-to-end throughput to 30 KB/s, compared with Riposte's 450+ MB/s. Herbivore scales DC-nets by dividing users into many small anonymity sets [39]. Riposte creates a single large anonymity set, and thus enables every client to be anonymous amongst the entire set of honest clients.

Our DPF constructions make extensive use of prior work on private information retrieval (PIR) [17, 18, 34, 38]. Recent work demonstrates that it is possible to make theoretical PIR fast enough for practical use [26, 27, 41]. Gertner et al. [37] consider symmetric PIR protocols, in which the servers prevent dishonest clients from learning about more than a single row of the database per query. The problem that Gertner et al. consider is, in a way, the dual of the problem we address in Section 5, though their techniques do not appear to apply directly in our setting. Ostrovsky and Shoup first proposed using a PIR protocol as the basis for writing into a database shared across a set of servers [68]. However, Ostrovsky and Shoup considered only the case of a single honest client, who uses the untrusted database servers for private storage. Since many mutually distrustful clients use a single Riposte cluster, our protocol must also handle malicious clients. Pynchon Gate [73] builds a private point-to-point messaging system from mix-nets and PIR. Clients anonymously upload messages to email servers using a traditional mix-net and download messages from the email servers using a PIR protocol. Riposte could replace the mix-nets used in the Pynchon Gate system: clients could anonymously write their messages into the database using Riposte and could privately read incoming messages using PIR.
8 Conclusion and Open Questions

We have presented Riposte, a new system for anonymous messaging. To the best of our knowledge, Riposte is the first system that simultaneously (1) thwarts traffic analysis attacks, (2) prevents malicious clients from anonymously disrupting the system, and (3) enables million-client anonymity set sizes. We achieve these goals through novel application of private information retrieval and secure multiparty computation techniques. We have demonstrated Riposte's practicality by implementing it and evaluating it with anonymity sets of over two million nodes.

This work leaves open a number of questions for future work, including:

- Does there exist an (s, s−1)-DPF construction for s > 2 that uses only symmetric-key operations?
- Are there efficient techniques (i.e., using no public-key primitives) for achieving disruption resistance without the need for a non-colluding audit server?
- Are there DPF constructions that enable processing write requests in amortized time o(l), for a length-l database?

With the design and implementation of Riposte, we have demonstrated that cryptographic techniques can make traffic-analysis-resistant anonymous microblogging and whistleblowing more practical at Internet scale.

Acknowledgements

We would like to thank Joe Zimmerman and David Wu for helpful discussions about distributed point functions. We would like to thank Stephen Schwab and the staff of DeterLab for giving us access to their excellent network testbed. This work was supported by NSF, an IARPA project provided via DoI/NBC, a grant from ONR, an NDSEG fellowship, and by a Google faculty scholarship. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or IARPA.

References

[1] B. Adida, "Helios: Web-based open-audit voting," in USENIX Security Symposium, vol. 17, 2008.
[2] B. Adida and D. Wikström, "How to shuffle in public," in Theory of Cryptography, 2007.
[3] A. Banerjee and C. Peikert, "New and improved key-homomorphic pseudorandom functions," in CRYPTO, 2014.
[4] K. Bauer, D. McCoy, D. Grunwald, T. Kohno, and D. Sicker, "Low-resource routing attacks against Tor," in WPES. ACM, 2007.
[5] S. Bayer and J. Groth, "Efficient zero-knowledge argument for correctness of a shuffle," in EUROCRYPT, 2012.
[6] M. Bellare and P. Rogaway, "Random oracles are practical: A paradigm for designing efficient protocols," in CCS. ACM, 1993.

[7] K. Bennhold, "In Britain, guidelines for spying on lawyers and clients," New York Times, p. A6, 7 Nov. 2014.
[8] D. J. Bernstein, "The Poly1305-AES message-authentication code," in Fast Software Encryption, 2005.
[9] M. Blum, "Coin flipping by telephone: a protocol for solving impossible problems," ACM SIGACT News, vol. 15, no. 1, pp. 23-27, 1983.
[10] D. Boneh, "The decision Diffie-Hellman problem," in Algorithmic Number Theory, ser. Lecture Notes in Computer Science, J. P. Buhler, Ed. Springer, 1998, vol. 1423, pp. 48-63.
[11] D. Boneh, K. Lewi, H. Montgomery, and A. Raghunathan, "Key homomorphic PRFs and their applications," in CRYPTO, 2013.
[12] J. Camenisch and M. Stadler, "Proof systems for general statements about discrete logarithms," Dept. of Computer Science, ETH Zurich, Tech. Rep. 260, Mar. 1997.
[13] J. L. Camenisch, "Group signature schemes and payment systems based on the discrete logarithm problem," Ph.D. dissertation, Swiss Federal Institute of Technology Zürich (ETH Zürich), 1998.
[14] R. Canetti, S. Halevi, and J. Katz, "A forward-secure public-key encryption scheme," in EUROCRYPT, 2003.
[15] D. Chaum, "The Dining Cryptographers problem: Unconditional sender and recipient untraceability," Journal of Cryptology, pp. 65-75, Jan. 1988.
[16] D. L. Chaum, "Untraceable electronic mail, return addresses, and digital pseudonyms," Communications of the ACM, vol. 24, no. 2, pp. 84-90, 1981.
[17] B. Chor and N. Gilboa, "Computationally private information retrieval," in STOC. ACM, 1997.
[18] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan, "Private information retrieval," Journal of the ACM, vol. 45, no. 6, pp. 965-981, 1998.
[19] M. R. Clarkson, S. Chong, and A. C. Myers, "Civitas: A secure voting system," Cornell University, Tech. Rep. TR 2007-2081, May 2007.
[20] H. Corrigan-Gibbs and B. Ford, "Dissent: Accountable anonymous group messaging," in CCS. ACM, October 2010.
[21] H. Corrigan-Gibbs, D. I. Wolinsky, and B. Ford, "Proactively accountable anonymous messaging in Verdict," in USENIX Security Symposium, 2013.
[22] R. Cramer, I. Damgård, and B. Schoenmakers, "Proofs of partial knowledge and simplified design of witness hiding protocols," in CRYPTO, 1994.
[23] G. Danezis and C. Diaz, "A survey of anonymous communication channels," Microsoft Research, Tech. Rep. MSR-TR-2008-35, 2008.
[24] G. Danezis, R. Dingledine, and N. Mathewson, "Mixminion: Design of a type III anonymous remailer protocol," in Security and Privacy. IEEE, 2003.
[25] G. Danezis and A. Serjantov, "Statistical disclosure or intersection attacks on anonymity systems," in Information Hiding Workshop, May 2004.
[26] D. Demmler, A. Herzberg, and T. Schneider, "RAID-PIR: Practical multi-server PIR," in WPES, 2014.
[27] C. Devet and I. Goldberg, "The best of both worlds: Combining information-theoretic and computational PIR for communication efficiency," in PETS, July 2014.
[28] R. Dingledine, N. Mathewson, and P. Syverson, "Tor: The second-generation onion router," in USENIX Security Symposium, Aug. 2004.
[29] M. Edman and B. Yener, "On anonymity in an electronic society: A survey of anonymous communication systems," ACM Computing Surveys, vol. 42, no. 1, p. 5, 2009.
[30] R. Fagin, M. Naor, and P. Winkler, "Comparing information without leaking it," Communications of the ACM, vol. 39, no. 5, pp. 77-85, 1996.
[31] U. Feige, A. Fiat, and A. Shamir, "Zero-knowledge proofs of identity," Journal of Cryptology, vol. 1, no. 2, pp. 77-94, 1988.
[32] M. J. Freedman and R. Morris, "Tarzan: A peer-to-peer anonymizing network layer," in CCS. ACM, 2002.
[33] J. Furukawa, "Efficient, verifiable shuffle decryption and its requirement of unlinkability," in PKC, 2004.
[34] W. Gasarch, "A survey on private information retrieval," in Bulletin of the EATCS, 2004.

[35] B. Gellman and A. Soltani, "NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden documents say," Washington Post, 30 Oct. 2013.
[36] B. Gellman, J. Tate, and A. Soltani, "In NSA-intercepted data, those not targeted far outnumber the foreigners who are," Washington Post, 5 Jul. 2014.
[37] Y. Gertner, Y. Ishai, E. Kushilevitz, and T. Malkin, "Protecting data privacy in private information retrieval schemes," in STOC, 1998.
[38] N. Gilboa and Y. Ishai, "Distributed point functions and their applications," in EUROCRYPT, 2014.
[39] S. Goel, M. Robson, M. Polte, and E. Sirer, "Herbivore: A scalable and efficient protocol for anonymous communication," Cornell University, Tech. Rep., 2003.
[40] V. Goel, "Government push for Yahoo's user data set stage for broad surveillance," New York Times, p. B3, 7 Sept. 2014.
[41] I. Goldberg, "Improving the robustness of private information retrieval," in Security and Privacy. IEEE, 2007.
[42] O. Goldreich, S. Micali, and A. Wigderson, "How to play any mental game," in STOC. ACM, 1987.
[43] O. Goldreich, S. Micali, and A. Wigderson, "Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems," Journal of the ACM, vol. 38, no. 3, pp. 690-728, 1991.
[44] S. Goldwasser, S. Micali, and C. Rackoff, "The knowledge complexity of interactive proof systems," SIAM Journal on Computing, vol. 18, no. 1, pp. 186-208, 1989.
[45] P. Golle and A. Juels, "Dining cryptographers revisited," in EUROCRYPT, 2004.
[46] J. Groth, "A verifiable secret shuffle of homomorphic encryptions," Journal of Cryptology, vol. 23, no. 4, pp. 546-579, 2010.
[47] J. Groth and S. Lu, "Verifiable shuffle of large size ciphertexts," in PKC, 2007.
[48] J. Håstad, R. Impagliazzo, L. A. Levin, and M. Luby, "A pseudorandom generator from any one-way function," SIAM Journal on Computing, vol. 28, no. 4, pp. 1364-1396, 1999.
[49] H.-C. Hsiao, T.-J. Kim, A. Perrig, A. Yamada, S. C. Nelson, M. Gruteser, and W. Meng, "LAP: Lightweight anonymity and privacy," in Security and Privacy. IEEE, May 2012.
[50] A. Johnson, "Design and analysis of efficient anonymous-communication protocols," Ph.D. dissertation, Yale University, Dec. 2009.
[51] C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and K. T, "RFC 7296: Internet key exchange protocol version 2 (IKEv2)," Oct. 2014.
[52] D. Kesdogan, D. Agrawal, and S. Penz, "Limits of anonymity in open environments," in Information Hiding, 2003.
[53] R. Krikorian, "New Tweets per second record, and how!" https://blog.twitter.com/2013/new-tweets-per-second-record-and-how, Aug. 2013.
[54] S. Le Blond, D. Choffnes, W. Zhou, P. Druschel, H. Ballani, and P. Francis, "Towards efficient traffic-analysis resistant anonymity networks," in SIGCOMM. ACM, 2013.
[55] B. Liskov and J. Cowling, "Viewstamped replication revisited," MIT CSAIL, Tech. Rep. MIT-CSAIL-TR-2012-021, Jul. 2013.
[56] M. G. Luby, M. Luby, and A. Wigderson, Pairwise Independence and Derandomization. Now Publishers Inc, 2006.
[57] N. Mathewson and R. Dingledine, "Practical traffic analysis: Extending and resisting statistical disclosure," in Privacy Enhancing Technologies, 2005.
[58] V. S. Miller, "Use of elliptic curves in cryptography," in CRYPTO, 1986.
[59] J. Mirkovic and T. Benzel, "Teaching cybersecurity with DeterLab," IEEE Security & Privacy, vol. 10, no. 1, 2012.
[60] P. Mittal and N. Borisov, "ShadowWalker: Peer-to-peer anonymous communication using redundant structured topologies," in CCS. ACM, November 2009.
[61] S. J. Murdoch and G. Danezis, "Low-cost traffic analysis of Tor," in Security and Privacy. IEEE, 2005.

[62] S. J. Murdoch and P. Zieliński, "Sampled traffic analysis by Internet-exchange-level adversaries," in PETS, June 2007.
[63] E. Nakashima and B. Gellman, "Court gave NSA broad leeway in surveillance, documents show," Washington Post, 30 Jun. 2014.
[64] M. Naor, B. Pinkas, and O. Reingold, "Distributed pseudo-random functions and KDCs," in EUROCRYPT, 1999.
[65] National Institute of Standards and Technology, "Specification for the advanced encryption standard (AES)," Federal Information Processing Standards Publication 197, Nov. 2001.
[66] C. A. Neff, "A verifiable secret shuffle and its application to e-voting," in CCS. ACM, 2001.
[67] D. Ongaro and J. Ousterhout, "In search of an understandable consensus algorithm," in ATC. USENIX, Jun. 2014.
[68] R. Ostrovsky and V. Shoup, "Private information storage," in STOC, 1997.
[69] T. P. Pedersen, "Non-interactive and information-theoretic secure verifiable secret sharing," in CRYPTO, 1992.
[70] M. O. Rabin and R. L. Rivest, "Efficient end to end verifiable electronic voting employing split value representations," in EVOTE 2014, Aug. 2014.
[71] C. Rackoff and D. R. Simon, "Non-interactive zero-knowledge proof of knowledge and chosen ciphertext attack," in CRYPTO, 1992.
[72] M. K. Reiter and A. D. Rubin, "Crowds: Anonymity for Web transactions," ACM Transactions on Information and System Security, vol. 1, no. 1, pp. 66-92, 1998.
[73] L. Sassaman, B. Cohen, and N. Mathewson, "The Pynchon Gate: A secure method of pseudonymous mail retrieval," in WPES, November 2005.
[74] A. Serjantov, R. Dingledine, and P. Syverson, "From a trickle to a flood: Active attacks on several mix types," in Information Hiding, 2003.
[75] P. Syverson, "Why I'm not an entropist," in Security Protocols XVII, 2013.
[76] M. Waidner and B. Pfitzmann, "The Dining Cryptographers in the disco: Unconditional sender and recipient untraceability with computationally secure serviceability," in EUROCRYPT, Apr. 1989.
[77] D. Wolinsky, E. Syta, and B. Ford, "Hang with your buddies to resist intersection attacks," in CCS, November 2013.
[78] D. I. Wolinsky, H. Corrigan-Gibbs, A. Johnson, and B. Ford, "Dissent in numbers: Making strong anonymity scale," in 10th OSDI. USENIX, Oct. 2012.
[79] A. C. Yao, "Protocols for secure computations," in FOCS. IEEE, 1982.

A Definition of Write Privacy

An (s, t)-write-private database scheme consists of the following three (possibly randomized) algorithms:

Write(l, m) → (w^(0), ..., w^(s−1)). Clients use the Write functionality to generate the write request queries sent to the s servers. The Write function takes as input a message m (from some finite message space) and an integer l and produces a set of s write requests, one per server.

Update(σ, w) → σ'. Servers use the Update functionality to process incoming write requests. The Update function takes as input a server's internal state σ and a write request w, and outputs the updated state of the server σ'.

Reveal(σ_0, ..., σ_{s−1}) → D. At the end of the time epoch, servers use the Reveal functionality to recover the contents of the database. The Reveal function takes as input the set of states from each of the s servers and produces the plaintext database contents D.

We define the write-privacy property using the following security game, played between the adversary (who statically corrupts up to t servers and all but two clients) and a challenger.

1. In the first step, the adversary performs the following actions:

- The adversary selects a subset A_s ⊆ {0, ..., s−1} of the servers, such that |A_s| ≤ t. The set A_s represents the set of adversarial servers. Let the set H_s = {0, ..., s−1} \ A_s represent the set of honest servers.

- The adversary selects a set of clients H_c ⊆ {0, ..., n−1}, such that |H_c| ≥ 2, representing the set of honest clients.
- The adversary selects one message-location pair per honest client: M = {(i, m_i, l_i) | i ∈ H_c}.
- The adversary sends A_s and M to the challenger.

2. In the second step, the challenger responds to the adversary:

- For each (i, m_i, l_i) ∈ M, the challenger generates a write request: (w_i^(0), ..., w_i^(s−1)) ← Write(l_i, m_i). The set of shares of the i-th write request revealed to the malicious servers is W_i = {w_i^(j) | j ∈ A_s}.
- In the next steps of the game, the challenger will randomly reorder the honest clients' write requests. The challenger should learn nothing about which client wrote what, despite all the information at its disposal.
- The challenger then samples a random permutation π over {0, ..., |H_c|−1}.
- The challenger sends the following set of write requests to the adversary, permuted according to π: W_{π(0)}, W_{π(1)}, ..., W_{π(|H_c|−1)}.

3. For each client i ∈ {0, ..., n−1} \ H_c, the adversary computes a write request (w_i^(0), ..., w_i^(s−1)) (possibly according to some malicious strategy) and sends the set of these write requests to the challenger.

4. For each server j ∈ H_s, the challenger computes the server's final state σ_j by running the Update functionality on each of the n client write requests in order. Let S = {(j, σ_j) | j ∈ H_s} be the set of states of the honest servers. The challenger samples a bit b ←R {0, 1}. If b = 0, the challenger sends (S, π) to the adversary. Otherwise, the challenger samples a fresh permutation π' on H_c and sends (S, π') to the adversary.

5. The adversary makes a guess b' for the value of b. The adversary wins the game if b = b'.

We define the adversary's advantage as |Pr[b = b'] − 1/2|. The scheme maintains (s, t)-write privacy if no efficient adversary wins the game with non-negligible advantage (in the implicit security parameter).

B Correctness Proof for (2,1)-DPF

This appendix proves correctness of the distributed point function construction of Section 4.3.
For the scheme to be correct, it must be that, for (k_A, k_B) ← Gen(l, m), for all l' ∈ Z_L:

Eval(k_A, l') + Eval(k_B, l') = P_{l,m}(l').

Let (l_x, l_y) be the tuple in Z_x × Z_y representing location l and let (l'_x, l'_y) be the tuple representing l'. Let:

m_A ← Eval(k_A, l')
m_B ← Eval(k_B, l').

We use a case analysis to show that the left-hand side of the equation above equals P_{l,m}(l') for all l':

Case I: l'_x ≠ l_x. When l'_x ≠ l_x, the seeds s_A[l'_x] and s_B[l'_x] are equal, so g_A = g_B. Similarly b_A[l'_x] = b_B[l'_x]. The output m_A will be g_A[l'_y] + b_A[l'_x] v[l'_y], and the output m_B will be identical to m_A. Since the field is a binary field, adding a value to itself results in the zero element, so the sum m_A + m_B will be zero as desired.

Case II: l'_x = l_x and l'_y ≠ l_y. When l'_x = l_x, the seeds s_A[l'_x] and s_B[l'_x] are not equal, so g_A ≠ g_B. Similarly b_A[l'_x] ≠ b_B[l'_x]. When l'_y ≠ l_y, v[l'_y] = g_A[l'_y] + g_B[l'_y]. Assume b_A[l'_x] = 0 (an analogous argument applies when b_A[l'_x] = 1); then:

v[l'_y] = (m · e_{l_y})[l'_y] + g_A[l'_y] + g_B[l'_y].

The sum m_A + m_B will then be:

m_A + m_B = g_A[l'_y] + g_B[l'_y] + v[l'_y] = 0.

Case III: l'_x = l_x and l'_y = l_y. This is the same as Case II, except that (m · e_{l_y})[l'_y] = m when l'_y = l_y, so the sum m_A + m_B = m, as desired.

C Proofs for the AlmostEqual Protocol

This appendix proves security of the AlmostEqual protocol of Section 5.1.

Soundness. We compute the probability that an honest audit server will output 1 when the vectors are not equal at exactly one index. First, consider the case when the v vectors are equal everywhere. In this case, the test vectors that servers A and B send to the audit server will be equal everywhere and the audit server will always output 0. Next, consider the case when the v vectors differ at k+1 positions, where k > 0. The soundness error ε_k is equal to the probability that, for every index where the vectors are unequal (except one), there is a hash collision. Since the probability of many hash collisions is bounded by the probability of a single hash collision, ε_k ≤ ε_1. The probability ε_1 of a single collision we know from the properties of a pairwise-independent hash function family, where each member of the family has range R:

ε_1 = Pr[h ←R H : h(v_A[i]) = h(v_B[i])] ≤ 1/|R|

The overall soundness error is then at most ε ≤ 1/|R|. Since |R| (the output space of the hash function) is exponentially large in the security parameter, this probability is negligible.

Completeness. If the vectors v_A and v_B differ in exactly one position, the audit server must output 1 with overwhelming probability. Since the audit server only outputs 1 if exactly one element of the test vectors is equal, whenever there is at least one collision in the hash function, the protocol will return an incorrect result. The probability of this event happening is negligible, however, as long as the length of the vectors is polynomial in the security parameter.

Zero Knowledge. The zero-knowledge property need only hold when the vectors differ at exactly one index. In this case, servers A and B receive a single bit from the audit server (a "1"), so the simulation is trivial for the database servers. Thus, we only need to prove that the zero-knowledge property holds for the audit server. Whenever the vectors differ at exactly one position, the audit server can also simulate its view of the protocol. The audit server simulator runs by picking length-n vectors of random elements in the range of the pairwise hash function family H, subject to the constraint that the vectors are equal at a random index i ∈ Z_n. The simulator outputs the two vectors as the vectors received from servers A and B. The simulation is valid because H is a pairwise-independent hash function family.
Let $\mathcal{H}$ be a family of hash functions $h : D \to R$. Then for all $x \neq y \in D$, by definition of pairwise independence:
$$\Pr[h \leftarrow_R \mathcal{H} : h(x) = h(y)] \le 1/|R|.$$
This property implies that the two vectors sent to the audit server leak no information about the $v$ vectors, since an honest client's $v$ vector will be independent of the choice of hash function $h$, and so every element of the vectors sent to the audit server takes on every value in $R$ with equal probability. As in the real protocol, the simulated vectors are equal at one random index.

D Security Proof for Three-Server Protocol

This appendix contains the security proofs for the three-server protocol for detecting malicious client requests (Section 5.1).

Completeness. If the pair of keys is well-formed then the $b_A$ and $b_B$ vectors (and also the $s_A$ and $s_B$ vectors) are equal at every index $i \neq l_x$ and they differ at index $i = l_x$. Even in the negligibly unlikely event that the random seed chosen at $s_A[l_x]$ is equal to the random seed chosen at $s_B[l_x]$, the test vectors $t_A$ and $t_B$ will still differ because $b_A[l_x] \neq b_B[l_x]$. Thus, a correct pair of $b$ and $s$ vectors will pass the first AlmostEqual check.

The second AlmostEqual check is more subtle. If the $v$ vector is well formed then, letting $l_x$ be the index where the $s$ vectors differ, we have:
$$u_B = \Big(\sum_{i=0}^{x-1} G(s_A[i])\Big) + G(s_A[l_x]) + G(s_B[l_x]) + v = u_A + G(s_A[l_x]) + G(s_B[l_x]) + v = u_A + m \cdot e_{l_y}.$$
If $v$ is well-formed, then the two test vectors $u_A$ and $u_B$ differ only at index $l_y$.

Soundness. To show soundness, we must bound the probability that the audit server will output 1 when the servers take a malformed pair of DPF keys as input. If the $b$ and $s$ vectors are not equal everywhere except at one index, the soundness of the AlmostEqual protocol implies that the audit server will return 0 with overwhelming probability when invoked the first time. Now, given that the $s$ vectors differ at one index, we can demonstrate that if the $u$ vectors pass the second AlmostEqual check, then $v$ is also well formed. Let $l_x$ be the index at which the $s$ vectors differ.
Write the values of the $s$ vectors at index $l_x$ as $s_A$ and $s_B$. Then, by construction:
$$u_A = \Big(\sum_{i=0,\, i \neq l_x}^{x-1} G(s_A[i])\Big) + G(s_A), \qquad u_B = \Big(\sum_{i=0,\, i \neq l_x}^{x-1} G(s_B[i])\Big) + G(s_B) + v.$$
The first terms of these two expressions are equal (because the $s$ vectors are equal almost everywhere). Thus, to violate the soundness property, an adversary must construct a tuple $(s_A, s_B, v)$ such that the vectors $G(s_A)$ and $(G(s_B) + v)$ differ at exactly one index and such that
$$v \neq G(s_A) + G(s_B) + m \cdot e_{l_y}.$$
This is a contradiction, however, since if $G(s_A)$ and $(G(s_B) + v)$ differ at exactly one index, then:
$$m \cdot e_{l_y} = G(s_A) + \big[(G(s_B) + v)\big]$$
for some $l_y$ and $m$, by definition of $m \cdot e_{l_y}$.

Zero Knowledge. The audit server can simulate its view of a successful run of the protocol (one in which the input keys are well-formed) by invoking the AlmostEqual simulator twice.

E Security Proof for Zero-Knowledge Protocol

Completeness. Completeness for the first half of the protocol, which checks the form of the $B$ and $S$ vectors, follows directly from the construction of those vectors. The one slightly subtle step comes in Step 5 of the second half of the protocol. For the protocol to be complete, it must be that $G_{\mathrm{sum}}$ is zero at every index except one. This is true because:
$$G_{\mathrm{sum}} = \Big(\sum_{i=0}^{s-1} G_i\Big) + v = G(s^*) + m \cdot e_{l_y} - G(s^*) = m \cdot e_{l_y}.$$

Soundness. The soundness of the non-interactive zero-knowledge proof in the first half of the protocol guarantees that the $B$ vectors sum to $e_{l_x}$ and that the $s$ vectors sum to $s^* \cdot e_{l_x}$ for some values $l_x \in \mathbb{Z}_x$ and $s^* \in S$. We must now argue that the probability that all servers accept an invalid write request in the second half of the protocol is negligible. The soundness property of the underlying zero-knowledge proof used in Step 5 implies that the vector $G_{\mathrm{sum}}$ contains commitments to zero at all indices except one. A client who violates the soundness property produces a vector $v$ and seed value $s^*$ such that $(\sum_{i=0}^{s-1} G_i) + v = m \cdot e_{l_y}$ for some values $l_y \in \mathbb{Z}_y$ and $m \in \mathbb{G}$, and such that $v \neq m \cdot e_{l_y} - G(s^*)$. This is a contradiction, however, since $(\sum_{i=0}^{s-1} G_i) = G(s^*)$ by the first half of the protocol, and so:
$$\Big(\sum_{i=0}^{s-1} G_i\Big) + v = m \cdot e_{l_y} = G(s^*) + v.$$
Finally, we conclude that $v = m \cdot e_{l_y} - G(s^*)$.

Zero Knowledge. The servers can simulate every message they receive during a run of the protocol. In particular, they see only Pedersen commitments, which are statistically hiding, and non-interactive zero-knowledge proofs, which are simulatable in the random-oracle model [6].
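As an added example (not code from the Riposte paper), the following Python sketch implements the two-server DPF $\mathsf{Gen}$/$\mathsf{Eval}$ whose correctness Appendix B argues case by case, over a byte-wise binary field (XOR as addition), and checks at every location that the two shares sum to $m \cdot e_l$; it also builds the kind of malformed key pair (a second differing seed) that the AlmostEqual checks of Appendices C and D exist to reject. SHAKE-128 standing in for the paper's PRG $G$, 16-byte seeds and single-byte field elements are assumptions of this example.

```python
import hashlib
import os

SEED_LEN = 16  # assumed seed length for the PRG G

def G(seed: bytes, y: int) -> bytes:
    """PRG expanding a seed into y field elements (bytes; XOR is field addition).
    Assumption: SHAKE-128 stands in for the paper's otherwise unspecified G."""
    return hashlib.shake_128(seed).digest(y)

def gen(x: int, y: int, lx: int, ly: int, m: int):
    """Gen(l, m) for l = (lx, ly) in Z_x x Z_y and a field element m in 0..255."""
    s_A = [os.urandom(SEED_LEN) for _ in range(x)]
    s_B = list(s_A)
    s_B[lx] = os.urandom(SEED_LEN)            # seeds agree at every row except lx
    b_A = [os.urandom(1)[0] & 1 for _ in range(x)]
    b_B = list(b_A)
    b_B[lx] ^= 1                               # bits agree at every row except lx
    g_A, g_B = G(s_A[lx], y), G(s_B[lx], y)
    # v = m*e_ly + G(s_A[lx]) + G(s_B[lx]): the two PRG outputs mask the message
    v = bytes(g_A[j] ^ g_B[j] ^ (m if j == ly else 0) for j in range(y))
    return (b_A, s_A, v), (b_B, s_B, v)

def eval_key(key, lx_: int, ly_: int, y: int) -> int:
    """Eval(k, l') = G(s[l'_x])[l'_y] + b[l'_x] * v[l'_y]."""
    b, s, v = key
    return G(s[lx_], y)[ly_] ^ (v[ly_] if b[lx_] else 0)

def reconstruct(k_A, k_B, x: int, y: int) -> list:
    """Sum of the two shares at every location; Cases I-III say this is m*e_l."""
    return [[eval_key(k_A, i, j, y) ^ eval_key(k_B, i, j, y) for j in range(y)]
            for i in range(x)]

def is_point_function(table: list, lx: int, ly: int, m: int) -> bool:
    """True iff the table is m at (lx, ly) and zero everywhere else."""
    return all(val == (m if (i, j) == (lx, ly) else 0)
               for i, row in enumerate(table) for j, val in enumerate(row))

def malformed_keys(x: int, y: int, lx: int, ly: int, m: int, extra_row: int):
    """A key pair whose s vectors differ at two rows (lx and extra_row).
    Each server's share still looks like random bytes, so only a joint check
    such as AlmostEqual on the s vectors can detect this before the write."""
    k_A, (b_B, s_B, v) = gen(x, y, lx, ly, m)
    s_B = list(s_B)
    s_B[extra_row] = os.urandom(SEED_LEN)
    return k_A, (b_B, s_B, v)
```

With the malformed pair, the reconstructed table gains a second row of pseudorandom garbage, which is exactly the corruption of other clients' rows that the three-server audit is meant to prevent.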