Abstract
This paper presents a novel private presence protocol, referred to as MP3, where the service provider does not have any knowledge of the social graph of its users. In prior work, a private presence protocol, referred to as DP5, was presented. However, the size of the presence database in this protocol grows rapidly as the number of users increases; this limits its scalability and increases its cost. In the proposed protocol, the size of the presence database is reduced significantly, enabling significantly cheaper registration and lookup compared to that of DP5. MP3 requires about two-thirds the bandwidth of DP5 for \(N={200\,000}\) users and about one-half the bandwidth of DP5 for \(N={1\,000\,000}\) users. Furthermore, these savings grow asymptotically with the number of users. Additionally, the client-facing latency in MP3 is an order of magnitude less than that of DP5. We provide an evaluation of the performance and scalability of both protocols.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
If this is the very first epoch, Alice must generate an initial and to share with her buddies to bootstrap the protocol.
- 2.
Arguments for why this is a valid assumption are discussed in Sect. 4.
- 3.
As in the PIR protocol in DP5, we constructed \(r=\left\lceil \sqrt{ns} \ \right\rceil \) buckets and we can upper bound the size of each bucket by \(\left( \frac{n}{r} + \sqrt{\frac{n}{r}}\right) \cdot s \approx \sqrt{ns} + \root 4 \of {ns^3}\) (here, s is the size of each record in bytes); since a query results in an entire bucket, this scales with the square root of the size of the database.
- 4.
Social networks such as Twitter disallow bulk unfollowing [16], making our argument about setting \(N_\text {rev}\) and \(N_\text {unrev}\) to a small/constant value even stronger.
References
Rushe, D.: Lavabit founder refused FBI order to hand over email encryption keys. The Guardian, October 2013
Apple: Approach to privacy. http://www.apple.com/privacy/approach-to-privacy/
Open Whisper Systems. https://whispersystems.org/
Marlinspike, M.: Facebook messenger deploys signal protocol for end to end encryption. https://whispersystems.org/blog/facebook-messenger
Borisov, N., Danezis, G., Goldberg, I.: DP5: a private presence service. Proc. Priv. Enhanc. Technol. 2015(2), 4–24 (2015)
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: IEEE Symposium on Foundations of Computer Science (1995)
Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Takagi, T., Okamoto, E., Okamoto, T., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 39–59. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_4
Wolinsky, D.I., Corrigan-Gibbs, H., Ford, B., Johnson, A.: Dissent in numbers: making strong anonymity scale. Presented as Part of the 10th USENIX Symposium on Operating Systems Design and Implementation (OSDI 2012), pp. 179–182 (2012)
Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: an anonymous messaging system handling millions of users. In: 2015 IEEE Symposium on Security and Privacy, pp. 321–338. IEEE (2015)
Kwon, A., Lazar, D., Devadas, S., Ford, B.: Riffle. Proc. Priv. Enhanc. Technol. 2016(2), 115–134 (2016)
Angel, S., Setty, S.T.: Unobservable communication over fully untrusted infrastructure. In: OSDI, pp. 551–569 (2016)
ANSI X9.62–1998: Public key cryptography for the financial services industry: the elliptic curve digital signature algorithm (ECDSA). American National Standards Institute (ANSI), Washington, DC (1998)
Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 514–532. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1_30
Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relic-toolkit/relic.
Goldberg, I., Devet, C., Lueks, W., Yang, A., Hendry, P., Henry, R.: Percy++ project on sourceforge (2014). http://percy.sourceforge.net
Suspension - what’s the daily/hourly unfollow limit for each user? What is the aggressive behaviour? https://twittercommunity.com/t/suspension-whats-the-daily-hourly-unfollow-limit-for-each-user-what-is-the-aggressive-behaviour/13971
Liu, J.K., Wei, V.K., Wong, D.S.: Linkable spontaneous anonymous group signature for ad hoc groups. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 325–335. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-27800-9_28
Tsang, P.P., Au, M.H., Kapadia, A., Smith, S.W.: Blacklistable anonymous credentials: blocking misbehaving users without TTPs. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 72–81. ACM (2007)
Devet, C., Goldberg, I., Heninger, N.: Optimally robust private information retrieval. Presented as Part of the 21st USENIX Security Symposium (USENIX Security 12), pp. 269–283 (2012)
Acknowledgments
This research was partially supported by the NSF under grant 1314637 and by an Undergraduate Research Opportunities Program (UROP) Award from the University of Minnesota.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A Modifications to Dynamic Broadcast Encryption
Recall the operations of DBE from Sect. 3.3. Our modifications to DBE [7] only add the DBE.ShiftMK and DBE.ShiftDK operations. These operations are required for plausibly deniable revocations and suspensions. Recall that in a long-term database record for Alice in which Bob is actually revoked, Bob’s old decryption key (\(\textit{dk}_{ab}\)) is revoked and he is issued a new, but invalid, decryption key (\(\textit{dk}_{ab}'\)). Without DBE.ShiftMK and DBE.ShiftDK, Bob could use \(\textit{dk}_{ab}'\) to invert the Update operation and detect whether he was revoked or not.
The inverse update function is:
-
DBE.Update\(^{-1}\)(\(\textit{dk}'=(x', A', B', \kappa '), x_r, B_r\)) - takes as input a decryption key and a revocation values and computes a new decryption key where that can decrypt ciphertexts created before the revocation.
Assuming DBE.ShiftMK and DBE.ShiftDK are not in place, a revoked user Bob can use DBE.Update\(^{-1}\) to detect that he has been revoked by Alice. Given two long-term presence records of Alice, where the former has not revoked Bob and the latter has revoked Bob, Bob can apply the DBE.Update\(^{-1}\) function to his new decryption key and compute a decryption key for the former presence record.
Let Bob’s decryption keys for the former presence record be \(\textit{dk}_{ab}\) and let Bob’s decryption key for the latter presence record (after calling DBE.Update\(^{-1}\)) be \(\textit{dk}_{ab}'\). Also let \(C_1, C_2\) be the ciphertext components from the former presence record. To detect if he has been revoked, all he must do is check if \(\textsc {DBE.Decrypt}(\textit{dk}_{ab}, C_1, C_2) \ne \textsc {DBE.Decrypt}(\textit{dk}_{ab}', C_1, C_2)\). If the statement is true, then Bob has been revoked by Alice.
By introducing DBE.ShiftMK and DBE.ShiftDK we create a one-way operation to the revocation process of MP3; thus Bob cannot invert the DBE.ShiftMK and DBE.ShiftDK functions without the knowledge of the plaintext of \((C_1, C_2)\) and therefore cannot detect whether or not he was revoked.
B Availability Against Malicious Parties
Some conventional approaches to ensure availability against malicious parties cannot be applied directly to privacy-preserving protocols, as they can leak information. This causes several challenges: keeping the databases small, ensuring the registration server stores all uploaded presence records, ensuring the lookup servers store all presence records and do not modify them.
A malicious client could upload many presence records during a given epoch, causing a denial of service (DoS) for all other clients. If a malicious client were using an anonymous channel, authentication would compromise the anonymity of that client, defeating the purpose of MP3. To eliminate this, k-times anonymous authentication schemes have been proposed [17, 18]. In these schemes, users are guaranteed anonymity up to k times; that is, if a user authenticates \(k+1\) times, the identity of the user can be computed. Such private rate-limiting schemes can be used to limit the number of times a client registers during a given epoch without losing anonymity.
In the case that the registration server is dishonest and drops records, a user could “friend themself” to ensure that their presence records are being stored, by looking themself up during every epoch. Note that all presence records are indistinguishable, so the registration server can not target specific records for dropping.
Lastly, in the case that the lookup servers are dishonest and modify the database, Devet et al. propose a robust PIR scheme [19] that allows detection of malicious servers. This detection requires at least \(t+2\) honest servers, where t is the number of servers needed to collude to be able to determine the data in a query. This robust PIR scheme is implemented in MP3.
Rights and permissions
Copyright information
© 2018 International Financial Cryptography Association
About this paper
Cite this paper
Parhi, R., Schliep, M., Hopper, N. (2018). MP3: A More Efficient Private Presence Protocol. In: Meiklejohn, S., Sako, K. (eds) Financial Cryptography and Data Security. FC 2018. Lecture Notes in Computer Science(), vol 10957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-58387-6_3
Download citation
DOI: https://doi.org/10.1007/978-3-662-58387-6_3
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-58386-9
Online ISBN: 978-3-662-58387-6
eBook Packages: Computer ScienceComputer Science (R0)