Parallel Mixing - PowerPoint PPT Presentation

About This Presentation
Title:

Parallel Mixing

Description:

Parallel Mixing Philippe Golle, PARC Ari Juels, RSA Labs – PowerPoint PPT presentation

Number of Views:80
Avg rating:3.0/5.0
Slides: 22
Provided by: pgo56
Category:

less

Transcript and Presenter's Notes

Title: Parallel Mixing


1
Parallel Mixing
  • Philippe Golle, PARC
  • Ari Juels, RSA Labs

2
Anonymous Channel
Alice
Charlie
Bob
3
What are Anonymous Channels Useful for?
  • They underlie most privacy applications
  • Anonymous elections
  • Anonymous email
  • Anonymous payments
  • Anonymous Web browsing
  • Censorship resistant publication

4
Implementation Mix Network
Outputs
Inputs
5
Mix Network
Outputs
Inputs
?
?
?
One honest server guarantees privacy
6
A Look Under the Hood
  • Sealing an envelope public key encryption
  • Decryption key is shared among mix servers
  • Opening an envelope joint decryption
  • Requires cooperation of a quorum of servers
  • Mixing envelopes re-encryption
  • We use a randomized encryption scheme
  • many (2160) different ways to encrypt a message
  • Re-encryption create a new ciphertext that
    decrypts to the same message
  • Message is unchanged
  • Ciphertext is unrecognizable
  • Re-encryption is a public key operation

7
Computational Cost
  • Cost of mixing
  • Dominated by re-encryption
  • Re-encryption 2 modular exponentiations per
    input
  • Assume n inputs and k servers
  • Cost per server O(n)
  • Assume sequential mixing
  • Total mixing time is O(k.n)
  • Can we decrease the total mixing time?
  • Most of the mix servers are idle most of the time
  • Idea parallelize the mixing!

k n Total time
3 10,000 8 min
3 100,000 70 min
8
Parallel Mixing (1st Try)
Round 3
Round 2
Round 1
Outputs
Inputs
Batch 1
Batch 3
Batch 1
Batch 2
Batch 1
Batch 2
Batch 3
Batch 3
Batch 2
9
Parallel Mixing (1st Try)
  • Assume n inputs and k servers
  • Divide inputs into k batches of size n/k
  • Every server mixes every batch (in parallel)
  • Computational cost
  • Per server k. (n/k) n (as before)
  • Total cost k. n kn (as before)
  • Total mixing time k.(n/k) n (instead
    of kn)
  • We cut the total mixing time by a factor of k
  • But anonymity set is n/k instead of n
  • Inputs are mixed within a batch
  • There is no mixing between batches

10
Building Block Rotation
Round i1
Round i
Batch 1
Batch 1
Rotation Each server passes its batch on to
the next server in round robin fashion
Batch 2
Batch 2
Batch 3
Batch 3
11
Building Block Distribution
Round i1
Round i
Distribution Each server splits its batch and
gives one piece to every other server.
12
Parallel Mixing Protocol
  • Parameters
  • n inputs
  • k mix servers
  • Adversary controls at most k servers (e.g.
    kk-1)
  • k rounds of mixing rotation
  • One distribution
  • k rounds of mixing rotation

13
Example ( k5, k 3)
Rotation
Mixing
14
Example ( k5, k 3)
Mixing
15
Example ( k5, k 3)
Mixing
Rotation
Distribution
16
Parallel Mixing
  • Protocol
  • Divide inputs into k batches of size n/k
  • k rounds of mixing and rotation (kltk)
  • Distribution
  • k rounds of mixing and rotation
  • Computational cost
  • Per server 2(k1)n/k 2n
  • Total cost 2(k1)n 2kn
  • Total mixing time 2(k1)n/k 2n
  • Total mixing time divided by k2/2(k1) k/2
  • Anonymity set of size n
  • Cost per server is at most doubled

17
Anonymity Set
  • Recall that the adversary A may
  • Control up to k mix servers
  • Submit up to a fraction a of the n inputs
  • Let p0 be an input (not submitted by A). We
    compute the probability
  • that input p0 became output p1, in the view of
    A.
  • Ideally,

18
Anonymity Set
Outputs
Inputs
Distribution
p0
n/k
n/k
p1
Batch B0
Batch B1
19
Anonymity Set
  • Adversary controls no input
  • Adversary controls a fraction a of the inputs

(assuming uniform distribution)
20
Optimality
  • Our construction has nearly optimal total mixing
    time 2(k1)n/k
  • Proposition Let A be an adversary who controls
    kltk servers. Any mixnet with anonymity gt1 with
    respect to A must have total mixing time at least
    (k1)n/k.
  • Proposition Let A be an adversary who controls
    kk-1 servers. Any mixnet with anonymity gt1 with
    respect to A must have total mixing time at least
    2n.

21
Conclusion
  • Our protocol reduces total mixing time from O(kn)
    to O(n)
  • This is optimal within a factor of 2
  • Open problem exact optimality?
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com