Abstract
Anonymous message delivery systems, such as private messaging services and privacy-preserving payment systems, need a mechanism for recipients to retrieve the messages addressed to them without leaking metadata or letting their messages be linked. Recipients could download all posted messages and scan for those addressed to them, but communication and computation costs are excessive at scale.
We show how untrusted servers can detect messages on behalf of recipients, and summarize these into a compact encrypted digest that recipients can easily decrypt. These servers operate obliviously and do not learn anything about which messages are addressed to which recipients. Privacy, soundness, and completeness hold even if everyone but the recipient is adversarial and colluding (unlike in prior schemes).
Our starting point is an asymptotically-efficient approach, using Fully Homomorphic Encryption and homomorphically-encoded Sparse Random Linear Codes. We then address the concrete performance using bespoke tailoring of lattice-based cryptographic components, alongside various algebraic and algorithmic optimizations. This reduces the digest size to a few bits per message scanned. Concretely, the servers’ cost is \({\sim }\$1\) per million messages scanned, and the resulting digests can be decoded by recipients in under \({\sim }\)20 ms. Our schemes can thus practically attain the strongest form of receiver privacy for current applications such as privacy-preserving cryptocurrencies.
Notes
- 1.
In reality, today’s blockchain privacy solutions suffer from assorted metadata leaks such as variability in transaction record size, ill-defined cryptographic guarantees, inadequate network-level anonymization, exposure of amounts at the interface between transaction pools, and operational mistakes. These are outside our scope.
- 2.
For example, an adversary who acquired a detection key can easily ascertain whether that key belongs to a given person, by simulating a transaction to that person and checking whether it matches that detection key; if so, then all past and future transactions pertinent to that recipient become linked.
- 3.
E.g., Zcash developers [32] deem it an “action item” that the “lightwalletd [server] learns which transactions belong to the wallet”, and described the popular mitigation of using decoy fetches as “security theatre” that fails to achieve unlinkability.
- 4.
Private Signaling [44] is a concurrent and independent work, available only as a preprint at the time of this paper’s submission.
- 5.
For reference, these tables also include full scan, which is the straightforward linear-communication approach where the recipient scans each message (or a relevant part thereof) in the whole bulletin board (used, e.g., in the Zcash light wallet [27]).
- 6.
That is, \(S_1\) is the indices of messages pertinent to the recipient whose keys are \(\mathsf{{sk}}_1, \mathsf{{pk}}_1\), which wlog is the first recipient.
- 7.
The following naturally generalizes to plaintext space \(\mathbb {Z}_t\) for any prime t. For brevity, we kept this section focused on \(\mathbb {Z}_2\), which suffices for its results, and added footnotes to clarify the generalization. Section 6 will use \(t>2\).
- 8.
If the actual number of pertinent messages k exceeds the assumed bound \(\bar{k}\), then retrieval may fail. The recipient can detect overflow and ask for the detection to be redone with a larger \(\bar{k}\). Our scheme reveals the exact value of k to the recipient, as discussed below.
- 9.
For \(\mathsf{{FHE}}\) over \(\mathbb {Z}_{{t}}\), use \(\lceil \log _{{t}}(N)\rceil \) ciphertexts per bucket.
- 10.
Here multiplication is in the field \(\textrm{GF}({2})\), for the plaintext space \(\mathbb {Z}_2\), so the weights are just 0 or 1. In general, this works over \(\textrm{GF}({{t}})\) for prime \({t}\). From this point on we will require both multiplications and addition (to perform linear algebra), and thus consider the field \(\textrm{GF}({t})\) instead of the group \(\mathbb {Z}_t\).
- 11.
- 12.
If such parameters are exceeded, we can avoid undetected decoding failures using a global counter that represents values in [N] without overflow.
- 13.
We note that for encryption schemes like ElGamal, snake-eye resistance is trivial: for a fixed ciphertext, decryption is a one-to-one function of the secret key, so two keys that decrypt the same ciphertext to the same plaintext must be identical.
- 14.
- 15.
0.065 s/msg (4-core, c2-standard-4 preemptible compute instance, $0.051/h). For finalization, 0.18 ms/msg, 4-core (non-preemptible instance, $0.168/h with sustained use discount). Communication cost is negligible: <$\(10^{-9}\)/msg egress.
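The notes above refer to three ingredients of the digest without spelling them out together: indices in [N] encoded as \(\lceil \log_t N\rceil\) digits of \(\mathbb{Z}_t\) (note 9), payloads recovered from sparse random linear combinations over \(\textrm{GF}(t)\) (note 10), and the recipient's ability to detect when k exceeds \(\bar{k}\) (note 8). The following Python is an added illustration, not the paper's construction or the implementation in [reference to the ObliviousMessageRetrieval repository above]: it drops the FHE layer entirely and runs the server side on plaintext pertinency bits, keeping only operations that are additive in those bits (additions and multiplications by public constants), which is the shape an FHE server could evaluate on encrypted bits without learning them. The concrete parameters (t = 257, N = 5000, \(\bar{k}\) = 20, three hash rounds of 4\(\bar{k}\) buckets, \(\bar{k}\)+4 combination rows), the SHA-256 stand-in for a PRF, and the singleton-peeling index decoder are this example's own assumptions, and the recovery guarantees are the toy's, not the paper's.

```python
"""Toy plaintext model of an OMR-style digest (added example, not the paper's code).
FHE is abstracted away: every server step is additive in the pertinency bits pv[j].
Parameters, the SHA-256 stand-in PRF and the peeling decoder are assumptions."""
import hashlib
import random

T = 257                          # prime plaintext modulus Z_t (assumed)
N = 5000                         # messages on the bulletin board (assumed)
KBAR = 20                        # assumed bound k_bar; kept < t so Z_t counters cannot wrap (note 12)
ROUNDS, BUCKETS = 3, 4 * KBAR    # index-bucket hash repetitions and bucket count (assumed)
ROWS, PAYLOAD_LEN = KBAR + 4, 4  # sparse combinations; a payload is 4 Z_t digits (assumed)
IDX_DIGITS = next(d for d in range(1, 64) if T**d >= N)  # note 9: ceil(log_t N) = 2 here

def encode_index(j, t=T, d=IDX_DIGITS):
    """Index j -> little-endian base-t digits, one Z_t slot each."""
    return [(j // t**i) % t for i in range(d)]

def bucket(j, r, seed):
    """Public hash placing message j in a bucket of round r (SHA-256 as stand-in PRF)."""
    h = hashlib.sha256(f"{seed}:b:{r}:{j}".encode()).digest()
    return int.from_bytes(h[:8], "big") % BUCKETS

def weight(j, row, seed):
    """Note 10: sparse random weight in GF(t): 0 with prob. 1/2, else uniform nonzero."""
    v = int.from_bytes(hashlib.sha256(f"{seed}:w:{row}:{j}".encode()).digest()[:8], "big")
    return 0 if v & 1 else 1 + (v >> 1) % (T - 1)

def server_digest(pv, payloads, seed):
    """Server: scans all N messages; pv[j] would be an FHE ciphertext in the real scheme."""
    ctr = [[0] * BUCKETS for _ in range(ROUNDS)]
    acc = [[[0] * IDX_DIGITS for _ in range(BUCKETS)] for _ in range(ROUNDS)]
    rows, total = [[0] * PAYLOAD_LEN for _ in range(ROWS)], 0
    for j in range(N):
        p, ej = pv[j], encode_index(j)
        total = (total + p) % T                       # exact k as long as k < t
        for r in range(ROUNDS):
            b = bucket(j, r, seed)
            ctr[r][b] = (ctr[r][b] + p) % T
            acc[r][b] = [(a + p * e) % T for a, e in zip(acc[r][b], ej)]
        for row in range(ROWS):
            w = p * weight(j, row, seed)
            rows[row] = [(a + w * x) % T for a, x in zip(rows[row], payloads[j])]
    return {"total": total, "ctr": ctr, "acc": acc, "rows": rows}

def solve_gf(A, B, t=T):
    """Gauss-Jordan over GF(t) for A X = B; raises if A is rank-deficient."""
    m, k = len(A), len(A[0])
    M = [A[i] + B[i] for i in range(m)]
    for col in range(k):
        piv = next((i for i in range(col, m) if M[i][col]), None)
        if piv is None:
            raise ValueError("weight matrix rank-deficient; ask for a digest under a fresh seed")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, t)
        M[col] = [(v * inv) % t for v in M[col]]
        for i in range(m):
            if i != col and M[i][col]:
                M[i] = [(a - M[i][col] * b) % t for a, b in zip(M[i], M[col])]
    return [M[i][k:] for i in range(k)]

def recipient_decode(digest, seed):
    """Recipient: overflow check (note 8), peel singleton buckets for the indices,
    then solve the sparse linear system for the payloads. Consumes the digest."""
    k = digest["total"]
    if k > KBAR:
        raise OverflowError(f"k={k} > k_bar={KBAR}: redo detection with a larger bound")
    ctr, acc, found = digest["ctr"], digest["acc"], set()
    for _ in range(k):                                # each pass peels >= 1 index or stalls
        for r in range(ROUNDS):
            for b in range(BUCKETS):
                if ctr[r][b] != 1:
                    continue                          # empty or still-colliding bucket
                j = sum(v * T**i for i, v in enumerate(acc[r][b]))
                found.add(j)
                for r2 in range(ROUNDS):              # peel j out of all its buckets
                    b2 = bucket(j, r2, seed)
                    ctr[r2][b2] = (ctr[r2][b2] - 1) % T
                    acc[r2][b2] = [(a - e) % T for a, e in zip(acc[r2][b2], encode_index(j))]
    if len(found) != k:
        raise ValueError("index recovery stalled; ask for a digest under a fresh seed")
    idx = sorted(found)
    return dict(zip(idx, solve_gf([[weight(j, row, seed) for j in idx] for row in range(ROWS)], digest["rows"])))

def demo(k=12, seed=1, rng_seed=2022):
    """Constructed sample board; retries on the rare but always-detectable decoding stalls.
    Returns recovered=None when the recipient detects k > k_bar (it would request a redo)."""
    rng = random.Random(rng_seed)
    pertinent = sorted(rng.sample(range(N), k))
    pv = [int(j in pertinent) for j in range(N)]
    payloads = [[rng.randrange(T) for _ in range(PAYLOAD_LEN)] for _ in range(N)]
    for attempt in range(8):
        try:
            digest = server_digest(pv, payloads, seed + attempt)
            return pertinent, payloads, recipient_decode(digest, seed + attempt)
        except ValueError:
            continue
        except OverflowError:
            return pertinent, payloads, None
    raise RuntimeError("decoding kept stalling")
```

Calling `demo()` returns the planted pertinent indices, all payloads, and the recipient's reconstruction, which matches the planted messages exactly; `demo(k=KBAR + 1)` shows the overflow path of note 8, where the recipient learns k from the counter and refuses to decode. The digest here holds 1 + 3·80·3 + 24·4 = 817 elements of \(\mathbb{Z}_t\) regardless of N, which is the point of the compact-digest design; the paper's actual construction (encrypted pertinency detection, ciphertext packing, the lattice parameter choices, and the failure-probability analysis) is not reproduced by this toy.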
References
Ajtai, M.: Generating hard instances of lattice problems (extended abstract). In: ACM Symposium on Theory of Computing, STOC 1996, pp. 99–108. ACM (1996)
Al Badawi, A., Polyakov, Y., Aung, K.M.M., Veeravalli, B., Rohloff, K.: Implementation and performance evaluation of RNS variants of the BFV homomorphic encryption scheme. IEEE Trans. Emerg. Top. Comput. 9, 941–956 (2021)
Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptol. 9, 169–203 (2015)
Ali, A., et al.: Communication-computation trade-offs in PIR. In: USENIX Security 2021, pp. 1811–1828. USENIX, August 2021
Angel, S., Chen, H., Laine, K., Setty, S.T.V.: PIR with compressed queries and amortized query processing. In: 2018 IEEE S&P. IEEE Computer Society Press (2018)
Angel, S., Setty, S.: Unobservable communication over fully untrusted infrastructure. In: OSDI 2016, pp. 551–569. USENIX, November 2016
Beck, G., Len, J., Miers, I., Green, M.: Fuzzy message detection. In: The ACM Conference on Computer and Communications Security, CCS 2021 (2021)
Ben Sasson, E., et al.: Zerocash: decentralized anonymous payments from bitcoin. In: 2014 IEEE S&P, pp. 459–474 (2014)
Bethencourt, J., Song, D.X., Waters, B.: New techniques for private stream searching. ACM Trans. Inf. Syst. Secur. 12, 16:1–16:32 (2009)
Bitansky, N., Canetti, R., Chiesa, A., Tromer, E.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS 2012, pp. 326–349. ACM (2012)
Bittau, A., et al.: Prochlo: strong privacy for analytics in the crowd. In: SOSP, pp. 441–459 (2017)
Boemer, F., Kim, S., Seifu, G., de Souza, F.D., Gopal, V., et al.: Intel HEXL (release 1.2), September 2021. https://github.com/intel/hexl
Brakerski, Z.: Fully homomorphic encryption without modulus switching from classical GapSVP. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 868–886. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32009-5_50
Brakerski, Z., Gentry, C., Vaikuntanathan, V.: (Leveled) fully homomorphic encryption without bootstrapping. In: ITCS 2012. ACM, 8–10 January 2012
Brown, S., Johnson, O., Tassi, A.: Reliability of broadcast communications under sparse random linear network coding. IEEE Trans. Veh. Technol. 67(5), 4677–4682 (2018)
Chillotti, I., Gama, N., Georgieva, M., Izabachène, M.: TFHE: fast fully homomorphic encryption over the torus. J. Cryptol. 33(1), 34–91 (2020)
Choi, S.G., Dachman-Soled, D., Gordon, S.D., Liu, L., Yerukhimovich, A.: Compressed oblivious encoding for homomorphically encrypted search. In: CCS 2021 (2021)
Chor, B., Gilboa, N., Naor, M.: Private information retrieval by keywords (1998). Appeared in the Theory of Cryptography Library. http://ia.cr/1998/003
Chor, B., Goldreich, O., Kushilevitz, E., Sudan, M.: Private information retrieval. In: 36th FOCS, pp. 41–50. IEEE Computer Society Press, 23–25 October 1995
Corrigan-Gibbs, H., Boneh, D., Mazières, D.: Riposte: an anonymous messaging system handling millions of users. In: 2015 IEEE S&P, pp. 321–338 (2015)
Danezis, G., Diaz, C.: Space-efficient private search with applications to Rateless codes. In: Dietrich, S., Dhamija, R. (eds.) FC 2007. LNCS, vol. 4886, pp. 148–162. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77366-5_15
Ducas, L., Micciancio, D.: FHEW: bootstrapping homomorphic encryption in less than a second. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part I. LNCS, vol. 9056, pp. 617–640. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_24
Electric Coin Company: Zcash Rust crates. Commit hash: 99d877e22d58610dc43021b831a28286ef353a89. https://github.com/zcash/librustzcash
Fan, J., Vercauteren, F.: Somewhat practical fully homomorphic encryption. Cryptology ePrint Archive, Report 2012/144 (2012). https://ia.cr/2012/144
Finiasz, M., Ramchandran, K.: Private stream search at almost the same communication cost as a regular search. In: Knudsen, L.R., Wu, H. (eds.) SAC 2012. LNCS, vol. 7707, pp. 372–389. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-35999-6_24
Gentry, C.: Fully homomorphic encryption using ideal lattices. In: ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM (2009)
Grigg, J., Hopwood, D.: Zcash improvement proposal 307: light client protocol for payment detection, September 2018. https://zips.z.cash/zip-0307
Halevi, S.: A sufficient condition for key-privacy. Cryptology ePrint Archive, Report 2005/005 (2005)
van den Hooff, J., Lazar, D., Zaharia, M., Zeldovich, N.: Vuvuzela: scalable private messaging resistant to traffic analysis. In: SOSP, pp. 137–152. ACM (2015)
Hopwood, D., Bowe, S., Hornby, T., Wilcox, N.: Zcash Protocol Specification Version 2021.2.14. https://github.com/zcash/zips/blob/master/protocol/protocol.pdf
Hopwood, D., et al.: Zcash improvement proposal 316: unified addresses and unified viewing keys, April 2021. https://zips.z.cash/zip-0316
Hornby, T.: Fixing privacy problems in the Zcash light wallet protocol, October 2020. https://defuse.ca/downloads/Fixing%20Privacy%20Problems%20in%20the%20Zcash%20Light%20Wallet%20Protocol.pdf
Iliashenko, I., Nègre, C., Zucca, V.: Integer functions suitable for homomorphic encryption over finite fields. Cryptology ePrint Archive, Report 2021/1335 (2021). WAHC 2021
Kaufman, T., Sudan, M.: Sparse random linear codes are locally decodable and testable. In: FOCS 2007 (2007)
Khan, A.S., Chatzigeorgiou, I.: Improved bounds on the decoding failure probability of network coding over multi-source multi-relay networks. IEEE Commun. Lett. 20(10), 2035–2038 (2016)
Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: FOCS 1997 (1997)
Laine, K.: Simple encrypted arithmetic library 2.3.1. Microsoft Research, Redmond, WA. https://www.microsoft.com/en-us/research/uploads/prod/2017/11/sealmanual-2-3-1.pdf
Lazar, D., Zeldovich, N.: Alpenhorn: bootstrapping secure communication without leaking metadata. In: OSDI 2016, pp. 571–586. USENIX, November 2016
Le, D., Tengana Hurtado, L., Ahmad, A., Minaei, M., Lee, B., Kate, A.: A tale of two trees: one writes, and other reads. In: PETS 2020, pp. 519–536, April 2020
Lewis, S.J.: fuzzytags. https://git.openprivacy.ca/openprivacy/fuzzytags.git
Lewis, S.J.: Discreet log #1: anonymity, bandwidth and fuzzytags, February 2021. https://openprivacy.ca/discreet-log/01-anonymity-bandwidth-and-fuzzytags/
Lund, J.: Technology preview: sealed sender for signal, October 2018. https://signal.org/blog/sealed-sender/
Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. J. ACM 60, 1–35 (2013)
Madathil, V., Scafuro, A., Seres, I.A., Shlomovits, O., Varlakov, D.: Private signaling. Cryptology ePrint Archive, Report 2021/853 (20210624:145011) (2021)
Martiny, I., Kaptchuk, G., Aviv, A., Roche, D., Wustrow, E.: Improving Signal's sealed sender. In: NDSS 2021, February 2021
Matetic, S., Wüst, K., Schneider, M., Kostiainen, K., Karame, G., Capkun, S.: BITE: bitcoin lightweight client privacy using trusted execution. In: USENIX Security 2019, pp. 783–800. USENIX, August 2019
Microsoft SEAL (release 3.6). Microsoft Research, Redmond, WA, November 2020. https://github.com/Microsoft/SEAL
Noether, S.: Ring signature confidential transactions for Monero. IACR Cryptology ePrint Archive 2015/1098 (2015)
Nuttycombe, K., Hopwood, D.: Zcash improvement proposal 321: payment request URIs, August 2020. https://zips.z.cash/zip-0321
Oblivious message retrieval implementation, December 2021. https://github.com/ZeyuThomasLiu/ObliviousMessageRetrieval
Ostrovsky, R., Skeith, W.E.: Private searching on streaming data. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 223–240. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_14
PALISADE lattice cryptography library (release 11.2), June 2021. https://palisade-crypto.org/
Paterson, M., Stockmeyer, L.: On the number of nonscalar multiplications necessary to evaluate polynomials. SIAM J. Comput. 2, 60–66 (1973)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Player, R.: Parameter selection in lattice-based cryptography. Ph.D. thesis, Royal Holloway, University of London (2018)
Reagen, B., et al.: Cheetah: optimizing and accelerating homomorphic encryption for private inference. In: 2021 IEEE HPCA, pp. 26–39 (2021)
Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56, 1–40 (2009)
Salmond, D., Grant, A.J., Grivell, I., Chan, T.: On the rank of random matrices over finite fields. CoRR (2014). http://arxiv.org/abs/1404.3250
Schneider, N., Corallo, M.: Bitcoin improvement proposal 21: URI scheme, January 2012. https://github.com/bitcoin/bips/blob/master/bip-0021.mediawiki
Tassi, A., Chatzigeorgiou, I., Lucani, D.: Analysis and optimization of sparse random linear network coding for reliable multicast services. IEEE Trans. Commun. 64, 285–299 (2016)
Wolinsky, D.I., Corrigan-Gibbs, H., Ford, B., Johnson, A.: Dissent in numbers: making strong anonymity scale. In: OSDI 2012, pp. 179–182. USENIX, October 2012
Wüst, K., Matetic, S., Schneider, M., Miers, I., Kostiainen, K., Čapkun, S.: ZLiTE: lightweight clients for shielded Zcash transactions using trusted execution. In: Goldberg, I., Moore, T. (eds.) FC 2019. LNCS, vol. 11598, pp. 179–198. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32101-7_12
Acknowledgements
We are grateful to Daniele Micciancio for suggesting suitable FHE schemes for Sect. 5; to Ran Canetti, Oded Regev and Noah Stephens-Davidowitz for observations on Conjecture 1; to Matthew Green, Jack Grigg, Daira Hopwood, Taylor Hornby and Madars Virza for ideas and observations regarding Zcash integration in Sect. 10; to István András Seres and Varun Madathil for assistance in the quantitative evaluation of [44] and comparisons to our work; to Miranda Christ for excellent editorial suggestions; and to Wei Dai for assistance in generating level-specific rotation keys using the SEAL library.
This material is based upon work supported by DARPA under Contract No. HR001120C0085; the U.S. Department of Energy (DOE), Office of Science, Office of Advanced Scientific Computing Research under award number DE-SC-0001234, the Columbia-IBM center for Blockchain and Data Transparency; JPMorgan Chase & Co, and LexisNexis Risk Solutions. Any opinions, views, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the U.S. Government, DARPA, DOE, JPMorgan Chase & Co. or its affiliates, or other sponsors.
Copyright information
© 2022 International Association for Cryptologic Research
Cite this paper
Liu, Z., Tromer, E. (2022). Oblivious Message Retrieval. In: Dodis, Y., Shrimpton, T. (eds) Advances in Cryptology – CRYPTO 2022. CRYPTO 2022. Lecture Notes in Computer Science, vol 13507. Springer, Cham. https://doi.org/10.1007/978-3-031-15802-5_26
DOI: https://doi.org/10.1007/978-3-031-15802-5_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-15801-8
Online ISBN: 978-3-031-15802-5