High-Bandwidth Anonymous Broadcast with Malicious Security

Spectrum: High-Bandwidth Anonymous Broadcast with Malicious Security

Zachary Newman (MIT CSAIL), Sacha Servan-Schreiber (MIT CSAIL), Srinivas Devadas (MIT CSAIL)

Abstract

We present Spectrum, a high-bandwidth, metadata-private file broadcasting system with malicious security guarantees. In Spectrum, a small number of publishers broadcast to many subscribers via two or more non-colluding servers. Subscribers generate indistinguishable cover traffic, hiding which users are publishers, for full metadata privacy.

Spectrum builds on prior work that uses DC-nets for anonymous broadcast. Existing anonymous broadcast systems do not optimize for a setting where there are fewer publishers compared to subscribers – a common situation in real-world broadcasts. To prevent disruption by malicious clients sending malformed requests, we develop a blind authentication protocol that allows servers to reject malicious requests. We also ensure security against malicious servers deviating from protocol and potentially colluding with clients. Our techniques for providing malicious security are applicable to other systems for anonymous broadcast and may be of independent interest.

We implement and evaluate Spectrum. Compared to the state-of-the-art in cryptographic anonymous communication systems, Spectrum is 3–140× faster (and commensurately cheaper). Deployed on two commodity servers, Spectrum allows publishers to share 500 MB in 1h 24m with an anonymity set of 10,000 (for a total cost of about $1.93). This corresponds to an anonymous upload of a full-length 720p documentary movie.

1 Introduction

Free and democratic society depends on an informed public, which sometimes depends on whistleblowers shedding light on misdeeds and corruption. Over the last century, whistleblowers have exposed financial crimes and government corruption [50, 59, 67], risks to public health [30, 40], Russian interference in the 2016 U.S. presidential election [50, 60], presidential misconduct [11, 32, 56, 71], war and human rights crimes [3, 26, 79], and, of note to computer security researchers, digital mass surveillance by U.S. government agencies [12]. Political philosophers debate [2, 23] the ethics of whistleblowing, but agree it often has a positive impact.

Motivation for this work. Whistleblowers take on great personal risks in bringing misdeeds to light. The luckiest enjoy legal protections [80] or financial reward [81]. But many face exile [12], incarceration [39, 60, 66], or risk their lives [79]. More recently, political activist Alexei Navalny was detained and sentenced to prison following the release of documents accusing Russian president Vladimir Putin of corruption and embezzlement [72].

To mitigate these risks, many whistleblowers turn to technology to protect themselves [36]. Secure messaging apps Signal [17] and SecureDrop [4] have proven to be an important resource to whistleblowers and journalists [31, 76]. Encryption does its job, even against the NSA [83]—but it may not be enough to protect from powerful adversaries.

Since the Snowden revelations, governments and the press have focused on metadata. The source, destination, and timing of encrypted data can leak information about its contents. Prosecutors used SFTP metadata in the case against Chelsea Manning [88]. Newer technology is still vulnerable: a federal judge found Natalie Edwards guilty on evidence of metadata from an encrypted messaging app [39]. To protect whistleblowers and protect against powerful adversaries, systems must be designed with metadata privacy in mind.

Many academic and practical metadata-hiding systems provide solutions to this problem for some applications. Tor [25] boasts a distributed network of 6,000 nodes and 2 million daily active users (the only such system with wide usage). Tor is fast enough for web browsing, but de-anonymization attacks identify users with a high success rate based on observed traffic [5, 8, 29, 37, 42, 55, 58]. Moreover, the effectiveness of de-anonymization attacks increases with the size of the traffic pattern. Whistleblowers using Tor to upload large files can be more easily de-anonymized compared to casual web users for this reason.

Some recent academic research systems [1, 18, 28, 43–45, 47, 78, 82] address the problem of hiding metadata in anonymous communication, providing precise security guarantees for both direct messaging and “Twitter”-like broadcast applications. However, a limitation of all existing systems is that they are designed for low-bandwidth content, incurring impractical latencies with large messages (see Section 6).

Contributions. Spectrum is the first anonymous broadcast system supporting high-bandwidth broadcasts with security against actively malicious clients and servers. We do so by designing for the many-subscriber and few-publisher setting, which reflects the real-world usage of broadcast platforms. Spectrum scales proportionally to the number of broadcasts in the system rather than the total number of users: the primary bottleneck and cause for high-latency in prior work.

This paper contributes:

1. Design of Spectrum, a system for high-bandwidth metadata-private broadcasting with strong robustness and privacy guarantees in a malicious security setting,
2. A general extension we call BlameGame that can be used to “upgrade” anonymous broadcasting protocols for security against de-anonymization attacks from malicious servers,
3. An open-source implementation of Spectrum which we extensively evaluate and compare to existing anonymous broadcasting and communication systems.

Limitations. Spectrum shares some limitations with other metadata-private systems:

1. Spectrum provides anonymity among honest online users and requires all users to contribute cover messages to a broadcast (to perfectly hide network metadata). Thus, subscribers must upload as much data as a publisher to provide anonymity for the publisher.
2. Spectrum achieves peak performance with exactly two servers. Instantiating with more than two servers requires using a less (concretely) efficient cryptographic primitive: a seed-homomorphic PRG [7].

Other metadata-private systems (e.g., [1, 18, 19, 43, 45, 47, 78]) also provide anonymity within the set of online users and sending fixed-size messages. Unfortunately, it is a necessary cost to pay for strong privacy; if only one user uploads a very large message, the network metadata alone is sufficient to de-anonymize them. However, we show how to amortize the practical impact of this limitation by only requiring one cover message per subscriber, even in the case of multiple publishers simultaneously using the system (Section 4).

Paper organization. We formalize the setting and functionality in Section 3. We describe the protocol in Section 4. Section 5 presents the implementation and evaluation. Section 6 surveys related work.

Figure 1: In Spectrum, users upload secret shares to the servers. Servers validate and combine these shares to recover the broadcast message while hiding its provenance.

2 Anonymous Broadcast

In this section we describe high-level techniques for anonymous broadcast.

The setting. In an anonymous broadcast, one or more users (publishers) share a message (e.g., a file) in a manner that prevents an adversary from learning its source, even with full view of the entire network. In Spectrum, passive users generate cover traffic (indistinguishable dummy messages) to increase the size of the anonymity set – the users who plausibly could have originated the broadcast message. We call these passive users subscribers as we expect that most users in the system that are not broadcasting are instead consuming broadcasts. We will use the term client to mean the program via which a user communicates with servers.

DC-nets. A Dining Cryptographer network (DC-net) [15] allows for anonymous broadcast. DC-nets commonly use secret-sharing to obscure the source of data in the network. As in prior work [1, 18, 28], we instantiate a DC-net with two (or more) servers and many clients.

Toy Protocol. Consider a setting with two (non-colluding) servers ServerA and ServerB and two or more clients, where one of the clients wishes to share a file. In a two-server DC-net, the $i$th client samples a random bit string $r_i$ and sends secret share $r_i \oplus m_i$ to ServerA and secret share $r_i$ to ServerB. Servers can recover $m_i$ by combining their respective shares:

$$m_i = (m_i \oplus r_i) \oplus (r_i).$$

If exactly one of $N$ clients shares a message $m_i = m$ while all other clients share $m_i = 0$, the servers can recover $m$ (without learning which client sent $m_i = m$) by aggregating:

$$m = \overbrace{\Big(\bigoplus_{i}^{N} r_i \oplus m_i\Big)}^{\text{ServerA}} \oplus \overbrace{\Big(\bigoplus_{i}^{N} r_i\Big)}^{\text{ServerB}} = \overbrace{\Big(\bigoplus_{i}^{N} r_i \oplus r_i\Big) \oplus \Big(\bigoplus_{i}^{N} m_i\Big)}^{\text{(commutativity of xor)}} = \underbrace{0 \oplus \dots \oplus m \oplus \dots \oplus 0}_{\text{origin of } m \text{ is hidden}}.$$

This simple scheme protects client anonymity given that each server obtains a uniformly random value. Only the combined shares reveal the resulting message. However, a user can undetectably disrupt the broadcast by sending non-zero shares. The main challenge in metadata-private broadcasting is ensuring correctness in the presence of such disruptors [1, 18, 28, 43]. Indeed, preventing disruption by malicious clients is the pri-

3.1 Threat Model

In Spectrum, an adversary may control an arbitrary subset of clients and servers. Only one of the servers needs to be honest (not colluding with the adversary) in order to guarantee anonymity for all honest clients. On the other hand, all clients are completely untrusted by the servers and are assumed to deviate from protocol in arbitrary ways or collude with the adversary.

Guarantees. If any subset of malicious clients deviate from protocol, both anonymity and system availability must remain intact for all honest clients.

If a subset of corrupted servers arbitrarily deviate from protocol, anonymity for all honest clients is guaranteed but availability of the system as a whole is not. Likewise, all other system failures may disrupt availability but must not cause deanonymization of any honest client.
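The toy two-server DC-net from Section 2, as an added example that is not code from the paper or from the Spectrum implementation. It runs one round with three cover clients and one publisher, then repeats the round with one client submitting a non-zero message, which corrupts the output while every individual share still looks uniformly random to each server. The function names, the 16-byte message size and the sample message are assumptions made for this sketch.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_shares(m: bytes) -> tuple[bytes, bytes]:
    """Split m into (share for ServerA, share for ServerB) = (r XOR m, r)."""
    r = secrets.token_bytes(len(m))
    return xor(r, m), r

def aggregate(shares: list[bytes], size: int) -> bytes:
    """Each server XORs together every share it received."""
    acc = bytes(size)
    for s in shares:
        acc = xor(acc, s)
    return acc

def run_round(messages: list[bytes], size: int) -> bytes:
    """One round: clients submit shares, servers aggregate, aggregates are combined."""
    to_a, to_b = [], []
    for m in messages:
        if len(m) != size:
            raise ValueError("all clients must send fixed-size messages")
        a, b = client_shares(m)
        to_a.append(a)
        to_b.append(b)
    return xor(aggregate(to_a, size), aggregate(to_b, size))

SIZE = 16
COVER = bytes(SIZE)            # subscribers share m_i = 0
SECRET = b"leak: see page 7"   # constructed 16-byte publisher message

def honest_round() -> bytes:
    # Exactly one publisher; its position is not recoverable from either server's view.
    return run_round([COVER, COVER, SECRET, COVER], SIZE)

def disrupted_round() -> bytes:
    # One client deviates and shares a non-zero m_i; servers cannot tell which one.
    noise = b"\xff" * SIZE
    return run_round([COVER, noise, SECRET, COVER], SIZE)

if __name__ == "__main__":
    print("honest   :", honest_round())
    print("disrupted:", disrupted_round())
```

The disrupted output equals the publisher's message XORed with the deviating client's message, which is why the servers need a way to validate shares without learning who the publisher is.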
