Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs
Anonymous Channel AliceCharlieBob I ♥ Alice Nobody loves Bob Is it Bob, Charlie, or self-love?
What are Anonymous Channels Useful for? They underlie most privacy applications: –Anonymous elections –Anonymous –Anonymous payments –Anonymous Web browsing –Censorship resistant publication
Implementation: Mix Network Inputs Outputs
Mix Network Inputs Outputs ? ? ? One honest server guarantees privacy ? ?
A Look Under the Hood… Sealing an envelope: public key encryption –Decryption key is shared among mix servers Opening an envelope: joint decryption –Requires cooperation of a quorum of servers Mixing envelopes: “re-encryption” –We use a randomized encryption scheme: »“many” (2 160 ) different ways to encrypt a message –Re-encryption: create a new ciphertext that decrypts to the same message »Message is unchanged »Ciphertext is unrecognizable »Re-encryption is a public key operation
Computational Cost Cost of mixing: –Dominated by re-encryption –Re-encryption: 2 modular exponentiations per input Assume n inputs and k servers –Cost per server: O(n) –Assume sequential mixing –Total mixing time is O(k.n) Can we decrease the total mixing time? Most of the mix servers are idle most of the time Idea: parallelize the mixing! knTotal time 310,0008 min 3100,00070 min
Batch 1 Batch 2 Batch 3 Batch 2 Batch 3 Batch 1 Batch 3 Batch 2 Parallel Mixing (1 st Try) Inputs Outputs Batch 1 Batch 2 Batch 3 Round 1 Round 2 Round 3 Batch 3 Batch 1 Batch 2
Parallel Mixing (1 st Try) Assume n inputs and k servers –Divide inputs into k batches of size n/k –Every server mixes every batch (in parallel) Computational cost: –Per server: k. (n/k) = n(as before) –Total cost: k. n = kn(as before) –Total mixing time: k.(n/k) = n (instead of kn) We cut the total mixing time by a factor of k But: anonymity set is n/k instead of n –Inputs are mixed within a batch –There is no mixing between batches
Batch 3 Batch 2 Batch 1 Building Block: Rotation Batch 1 Batch 2 Batch 3 Round i Round i+1 Rotation: Each server passes its batch on to the next server in round robin fashion
Building Block: Distribution Round i Round i+1 Distribution: Each server splits its batch and gives one piece to every other server.
Parallel Mixing Protocol k’ rounds of mixing & rotation One distribution k’ rounds of mixing & rotation Parameters –n inputs –k mix servers –Adversary controls at most k’ servers (e.g. k’=k-1)
Example ( k=5, k’ =3) Rotation Mixing
Example ( k=5, k’ =3) Distribution Mixing
Example ( k=5, k’ =3) Distribution Rotation Mixing
Parallel Mixing Protocol –Divide inputs into k batches of size n/k –k’ rounds of mixing and rotation (k’<k) –Distribution –k’ rounds of mixing and rotation Computational cost: –Per server: 2(k’+1)n/k ≤ 2n –Total cost: 2(k’+1)n ≤ 2kn –Total mixing time: 2(k’+1)n/k ≤ 2n Total mixing time divided by k 2 /2(k’+1) ≥ k/2 Anonymity set of size n Cost per server is at most doubled
Anonymity Set Recall that the adversary A may –Control up to k’ mix servers –Submit up to a fraction α of the n inputs Let p 0 be an input (not submitted by A). We compute the probability that input p 0 became output p 1, in the view of A. Ideally,
Anonymity Set Inputs Outputs p0p0 p1p1 Distribution n/k Batch B 0 Batch B 1
Anonymity Set Adversary controls no input: Adversary controls a fraction α of the inputs: (assuming uniform distribution…)
Optimality Our construction has nearly optimal total mixing time: 2(k’+1)n/k Proposition: Let A be an adversary who controls k’ 1 with respect to A must have total mixing time at least (k’+1)n/k. Proposition: Let A be an adversary who controls k’=k-1 servers. Any mixnet with anonymity >1 with respect to A must have total mixing time at least 2n.
Conclusion Our protocol reduces total mixing time from O(kn) to O(n) This is optimal within a factor of 2 –Open problem: exact optimality? Questions?