asymmetric message franking - cornell universitytyagi/slides/amf.pdfsetting: end-to-end encrypted...
TRANSCRIPT
Asymmetric Message FrankingContent Moderation for Metadata-Private End-to-End Encryption
Nirvan Tyagi Paul Grubbs Julia Len
Ian Miers Tom Ristenpart
CRYPTO 2019 1
Setting: End-to-end encrypted messaging
PlatformAlice Bob2
From: AliceTo: Bob
Hello
Setting: End-to-end encrypted messaging
PlatformAlice Bob3
From: AliceTo: Bob
Hello
- Confidentiality and Integrity
PlatformAlice Bob4
From: AliceTo: Bob
Hello
“Public”
Hello- Alice
[OTR BGB ’04], [Signal X3DH ’16]
Setting: End-to-end encrypted messaging- Confidentiality and Integrity- Deniability
From: To:
PlatformAlice Bob5
??
[Dissent OSDI’12], [Riposte S&P’15], [Vuvuzela SOSP’15], [Pung OSDI’16] . . .
Setting: End-to-end encrypted messaging- Confidentiality and Integrity- Deniability- Metadata privacy
From: To: Bob
PlatformAlice Bob6
?
Setting: End-to-end encrypted messaging
[Dissent OSDI’12], [Riposte S&P’15], [Vuvuzela SOSP’15], [Pung OSDI’16] . . .
- Confidentiality and Integrity- Deniability- Metadata privacy
From: To: Bob
What about abuse?
PlatformAlice Bob7
?
From: To: Bob
What about abuse?
PlatformAlice Bob8
?
$#@%!
From: To: Bob
What about abuse?
PlatformAlice Bob9
?
$#@%!
Online bullyAbusive partnerSpammerMisinformation
From: To: Bob
What about abuse?
PlatformAlice Bob10
?
$#@%!
Online bullyAbusive partnerSpammerMisinformation
Moderator $#@%!
From: To: Bob
What about abuse?
PlatformAlice Bob11
?
$#@%!
Online bullyAbusive partnerSpammerMisinformation
Moderator $#@%!
Moderation is a big priority:Facebook employs ≈15K content moderators*
* “The secret lives of Facebook moderators in America” [The Verge 2019]
From: To: Bob
What about abuse?
PlatformAlice Bob12
?
$#@%!
Online bullyAbusive partnerSpammerMisinformation
Moderator $#@%!
Moderation is a big priority:Facebook employs ≈15K content moderators*
* “The secret lives of Facebook moderators in America” [The Verge 2019]
Privacy complicates abuse moderation!
??
From: To: Bob
What about abuse?
PlatformAlice Bob13
?
$#@%!
Online bullyAbusive partnerSpammerMisinformation
Moderator $#@%!
Moderation is a big priority:Facebook employs ≈15K content moderators*
* “The secret lives of Facebook moderators in America” [The Verge 2019]
Privacy complicates abuse moderation!
??
Can we balance need for accountability via moderation with privacy goals?
Our contributions
14
● Asymmetric Message Franking (AMF): a new cryptographic primitive for content moderation○ Metadata-privacy: message sender and/or recipient identities
hidden○ Third-party moderation: moderator decoupled from
message-delivery platform● Formal accountability and deniability security notions for content
moderation● Construction inspired by “designated-verifier” signatures● Implementation and proof-of-concept deployment
[TGLMR CRYPTO’19]
Prior work on moderation in E2E encryption
15
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Prior work on moderation in E2E encryption
Platform
Alice Bob
16
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Prior work on moderation in E2E encryption
Platform
Alice Bob
17
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Symmetric encryption following key agreement
[Signal X3DH ‘16]
Prior work on moderation in E2E encryption
Platform
Alice Bob
18
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Identities authenticated by platform
Prior work on moderation in E2E encryption
Platform
Alice Bob
19
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Alice, Bob, ct
Prior work on moderation in E2E encryption
Platform
Alice Bob
20
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Alice, Bob, ct
k
Prior work on moderation in E2E encryption
Platform
Alice Bob
21
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Alice, Bob, ct
k
m = Deck(ct) Alice sent Bob m
Prior work on moderation in E2E encryption
Platform
Alice Bob
22
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Alice, Bob, ct
k
m = Deck(ct) Alice sent Bob m
Prior work on moderation in E2E encryption
Platform
Alice Bob
23
Moderator
From: AliceTo: Bob
m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
Alice, Bob, ct
k
m = Deck(ct) Alice sent Bob m
Platform
Alice Bob
24
Moderator
m
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
? , Bob, ct
k
From: To: Bob
?
m = Deck(ct) ? sent Bob m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
Message franking for metadata-private setting?
Platform
Alice Bob
25
Moderator
m
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
? , Bob, ct
k
From: To: Bob
?
m = Deck(ct) ? sent Bob m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
Message franking for metadata-private setting?
Platform
Alice Bob
26
Moderator
m, Alice
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
? , Bob, ct
k
From: To: Bob
?
Can we patch by including Alice’s identity in commitment?
m, Alice = Deck(ct) Alice sent Bob m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
Message franking for metadata-private setting?
Message franking for metadata-private setting?
Platform
Charlie Bob
27
Moderator
m, Alice
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
? , Bob, ct
k
From: To: Bob
?
Can we patch by including Alice’s identity in commitment?
m, Alice = Deck(ct) Alice sent Bob m
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
Platform
Charlie Bob
28
Moderator
m, Alice
[FB white paper ‘17], [GLR CRYPTO‘17], [DGRW CRYPTO‘18]
? , Bob, ct
k
From: To: Bob
?
Can we patch by including Alice’s identity in commitment?
m, Alice = Deck(ct) Alice sent Bob m
Core problem: Alice’s identity not cryptographically bound to message content
Message franking- Content-based moderation of encryption that is NOT metadata-private- Compactly-committing authenticated encryption
Message franking for metadata-private setting?
AMFs: High level idea
29
Specialized digital signature scheme that provides:- Accountability- Deniability
AMFs: High level idea
Platform
Alice Bob
30
Moderator
Specialized digital signature scheme that provides:- Accountability- Deniability
From: To:
??
AMFs: High level idea
Platform
Alice Bob
31
Moderator
Specialized digital signature scheme that provides:- Accountability- Deniability
m, σ
skA , pkA
σ = Sign(skA , m)
m, σ
From: To:
??
AMFs: High level idea
Platform
Alice Bob
32
Moderator
Specialized digital signature scheme that provides:- Accountability- Deniability
m, σ
skA , pkA
σ = Sign(skA , m)
m, σ Verify(pkA , m , σ)
Standard digital signatures provide accountability …but not deniability
From: To:
??
AMFs: High level idea
Platform
Alice Bob
33
Moderator
Specialized digital signature scheme that provides:- Accountability- Deniability
m, σ
skA , pkA
σ = Sign(skA , m)
m, σ Verify(pkA , m , σ)
Standard digital signatures provide accountability …but not deniability
“Public”
From: To:
??
Starting point: Designated-verifier signatures
34
Digital signatures where only one party can verify [JSI EUROCRYPT ‘96]
Starting point: Designated-verifier signatures
35
Digital signatures where only one party can verify
- AccountabilityDesignated verifier can’t be fooled by forgery
- DeniabilityThere exists forgery algorithm that fools everyone else
[JSI EUROCRYPT ‘96]
Platform
Alice Bob
36
Moderator
m, σ
skA , pkA
m, σ
Starting point: Designated-verifier signatures
From: To:
??
Idea: Designating the moderator as a verifier?
Platform
Alice Bob
37
Moderator
m, σ
skA , pkA
m, σ skM , pkM
Starting point: Designated-verifier signatures
From: To:
??
Idea: Designating the moderator as a verifier?
Platform
Alice Bob
38
Moderator
m, σ
skA , pkA
σ = Sign(skA , pkM , m)
m, σ
Starting point: Designated-verifier signatures
From: To:
??
Idea: Designating the moderator as a verifier?
skM , pkM
Platform
Alice Bob
39
Moderator
m, σ
skA , pkA
σ = Sign(skA , pkM , m)
m, σ
Verify(pkA , skM , m , σ)
Starting point: Designated-verifier signatures
From: To:
??
Idea: Designating the moderator as a verifier?
skM , pkM
Platform
Alice Bob
40
Moderator
m, σ
skA , pkA
σ = Sign(skA , pkM , m)
m, σ
Verify(pkA , skM , m , σ)
Starting point: Designated-verifier signatures“Public”
From: To:
??
Could be a forgery!
Idea: Designating the moderator as a verifier?
skM , pkM
Platform
Alice Bob
41
Moderator
m, σ
skA , pkA
σ = Sign(skA , pkM , m)
m, σ
Verify(pkA , skM , m , σ)
Starting point: Designated-verifier signaturesIdea: Designating the moderator as a verifier?
“Public”
From: To:
??
Accountability issue: Bob can’t verify!
Could be a forgery!skM , pkM
42
AMFs: Include recipient as verifying partySolution: Designate Bob as verifier of proof that signature to moderator will succeed
Platform
Alice Bob
43
Moderator
m, σ
skA , pkA
m, σ
AMFs: Include recipient as verifying party
From: To:
??
Solution: Designate Bob as verifier of proof that signature to moderator will succeed
skB , pkB
skM , pkM
Platform
Alice Bob
44
Moderator
m, σ
skA , pkA
m, σ
AMFs: Include recipient as verifying party
From: To:
??
Solution: Designate Bob as verifier of proof that signature to moderator will succeed
skB , pkB
σ = Sign(skA , pkB , pkM , m)
skM , pkM
Platform
Alice Bob
45
Moderator
m, σ
skA , pkA
m, σ
AMFs: Include recipient as verifying party
From: To:
??
Solution: Designate Bob as verifier of proof that signature to moderator will succeed
skB , pkB
σ = Sign(skA , pkB , pkM , m) Verify(pkA , skB , pkM , m , σ)
Judge(pkA , pkB , skM , m , σ)skM , pkM
Platform
Alice Bob
46
Moderator
m, σ
skA , pkA
m, σ
AMFs: Include recipient as verifying party
From: To:
??
Solution: Designate Bob as verifier of proof that signature to moderator will succeed
skB , pkB
σ = Sign(skA , pkB , pkM , m) Verify(pkA , skB , pkM , m , σ)
Judge(pkA , pkB , skM , m , σ)Accountability notions- Receiver binding: Bob can’t frame Alice for a message she did not send- Sender binding: Alice can’t send Bob a message that evades moderation
Judge(pkA , pkB , skM , m , σ)skM , pkM
Deniability landscape: “Who can trick whom?”
47
σ’ = Forge(pkA , skB , pkM , m)
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Deniability landscape: “Who can trick whom?”
48
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Alice Bob
Moderator
skA , pkA skB , pkB
m, σ m, σ
σ = Sign(skA , pkB , pkM , m)
“Public”
σ’ = Forge(pkA , skB , pkM , m)
skM , pkM
Deniability landscape: “Who can trick whom?”
49
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Alice Bob
Moderator
skA , pkA skB , pkB
m, σ’ m, σ
σ = Sign(skA , pkB , pkM , m)
“Public”
σ’ = Forge(pkA , skB , pkM , m)
skM , pkM
Deniability landscape: “Who can trick whom?”
50
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Alice Bob
Moderator
skA , pkA skB , pkB
m, σ’
m, σ
σ = Sign(skA , pkB , pkM , m)
“Public”
pkA , pkB , skM
σ’ = Forge(pkA , skB , pkM , m)
skM , pkM
Deniability landscape: “Who can trick whom?”
51
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Alice Bob
Moderator
skA , pkA skB , pkB
skm , m, σ’
m, σ
σ = Sign(skA , pkB , pkM , m)
“Public”
pkA , pkB , skM
key compromise!
σ’ = Forge(pkA , skB , pkM , m)
skM , pkM
Deniability landscape: “Who can trick whom?”
52
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkM
Alice Bob
Moderator
skA , pkA skB , pkB
skm , m, σ’
m, σ
σ = Sign(skA , pkB , pkM , m)
“Public”
pkA , pkB , skM
key compromise!
pkA , pkB , skM
σ’ = Forge(pkA , skB , pkM , m)
skM , pkM
Deniability landscape: “Who can trick whom?”
53
pkA , skB , pkM
pkA , pkB , skMpkA , skB , skM
skA , pkB , pkM
pkA , skB , pkM
skA , skB , pkM
pkA , pkB , skM
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkMσ’ = Forge(pkA , pkB , pkM , m)
Deniability landscape: “Who can trick whom?”
54
pkA , skB , pkM
pkA , pkB , skMpkA , skB , skM
skA , pkB , pkM
pkA , skB , pkM
skA , skB , pkM
pkA , pkB , skM
Forger Distinguisher Dσ ≈D σ’
pkA , pkB , pkMσ’ = Forge(pkA , pkB , pkM , m)
Deniability landscape: “Who can trick whom?”
55
pkA , skB , pkM
pkA , pkB , skMpkA , skB , skM
skA , pkB , pkM
pkA , skB , pkM
skA , skB , pkM
pkA , pkB , skM
Forger Distinguisher DpkA , pkB , pkM
implies non-repudiability
Some deniability relationships are desirable
σ’ = Forge(pkA , pkB , pkM , m)
Deniability landscape: “Who can trick whom?”
56
pkA , skB , pkM
pkA , pkB , skMpkA , skB , skM
skA , pkB , pkM
pkA , skB , pkM
skA , skB , pkM
pkA , pkB , skM
Forger Distinguisher DpkA , pkB , pkM
Some deniability relationships are desirable
implies non-repudiabilityviolates receiver binding
Others contradict directly with accountability
σ’ = Forge(pkA , pkB , pkM , m)
Deniability landscape: “Who can trick whom?”
57
Forg
er
Distinguisher
skM skB
skA
: Incompatible with unforgeability: Incompatible with receiver binding
Deniability landscape: “Who can trick whom?”
58
skM skB
skA
: Incompatible with unforgeability: Incompatible with receiver binding
U : Universal deniabilityR : Receiver compromise deniability J : Judge compromise deniability
U
J
R
Forg
er
Distinguisher
Deniability landscape: “Who can trick whom?”
59
skM skB
skA
: Incompatible with unforgeability: Incompatible with receiver binding
U : Universal deniabilityR : Receiver compromise deniability J : Judge compromise deniability
U
J
R
This represents only one possible set of tradeoffs!
Forg
er
Distinguisher
Summary of AMF goals
60
Specialized digital signature scheme that provides:
- AccountabilityReceiver bindingSender binding
- DeniabilityUniversal deniabilityReceiver compromise deniabilityJudge compromise deniability
Our Construction
61
- Proof of knowledge of carefully-crafted expression of discrete log relationships- Create signature by adding message via Fiat-Shamir transform
Our Construction
62
Example of signature proof of knowledge (SPK) notation:Standard digital signature (Schnorr)
- Proof of knowledge of carefully-crafted expression of discrete log relationships- Create signature by adding message via Fiat-Shamir transform
chal
Our Construction
63
Example of signature proof of knowledge (SPK) notation:Standard digital signature (Schnorr)
- Proof of knowledge of carefully-crafted expression of discrete log relationships- Create signature by adding message via Fiat-Shamir transform
VerifierProver com
resp
Σ-Protocol Proof of Knowledge
chal = H(com, m)
VerifierProver com
resp
SPK via Fiat-Shamir
Our Construction
64
DV signature to moderator DV proof to Bob
Our Construction
65
DV signature to moderator DV proof to Bob
Our Construction
66
DV signature to moderator
DV proof to Bob“What Alice is proving
to the moderator”
Our Construction
67
DV signature to moderator
DV proof to Bob“What Alice is proving
to the moderator”“What allows other
parties to forge”
Our Construction
68
DV signature to moderator
DV proof to Bob“What Alice is proving
to the moderator”“What allows other
parties to forge”
Moderator accepts if aaaaaaaa form a Diffie-Hellman triple
Our Construction
69
DV proof to Bob
Moderator accepts if aaaaaaaa form a Diffie-Hellman triple
DV signature to moderator
Our Construction
70
Moderator accepts if aaaaaaaa form a Diffie-Hellman triple
DV signature to moderator
“What Alice is proving to the recipient”
“What allows other parties to forge”
Our Construction
71
DV proof to Bob
Moderator accepts if aaaaaaaa form a Diffie-Hellman triple
DV signature to moderatorAlice is proving Diffie-Hellman
relationship to Bob!
Our Construction
72
DV proof to Bob
Moderator accepts if aaaaaaaa form a Diffie-Hellman triple
DV signature to moderatorAlice is proving Diffie-Hellman
relationship to Bob!Accountability- Moderator can attribute signature to sender- Recipient can verify moderator will accept signature
Deniability- Signature supports multiple forgery algorithms for various key compromise scenarios
73
Implementation
73
- Implemented in Python 3 using petlib (OpenSSL bindings)- Fast and efficient
- < 500 bytes for P-256 (9 group elements + 6 scalars)- < 10 ms for P-256
- Available at github.com/julialen/asymmetric-message-franking
Perspective API(for toxicity score)
74
Proof-of-concept integration
Alice Bob
Third-party moderation
service
74
Keybase(for PKI)
Platform(Twitter private messages)
Available at github.com/julialen/asymmetric-message-franking
m, σ m, σ
m, σ
Our contributions
75
● Asymmetric Message Franking (AMF)○ new cryptographic primitive for content moderation of
metadata-private messaging○ formal accountability and deniability security notions for
content moderation● Construction based on “designated-verifier” signatures● Implementation and proof-of-concept integration
○ Available at github.com/julialen/asymmetric-message-franking