Traceback for End-to-End Encrypted Messaging
Nirvan Tyagi Ian Miers Tom Ristenpart
CCS 2019

Setting: End-to-end encrypted (E2EE) messaging
[Diagram: Platform, Alice, Bob; message “Hello”]
More than 2 billion users

Problem: Viral forwarding of misinformation in E2EE messaging

Content moderation for user-driven reports
- User submits report
  - Report must provide enough information to execute the following steps
- Moderation decision based on content
  - Combination of machine learning and human review
- Action taken on relevant parties
  - Ban fake/troll accounts injecting misinformation into network
  - Notify users that have previously shared or received misinformation

E2EE hides information useful for content moderation of misinformation
- Platform doesn’t see message content
  - Message content is encrypted!
- Platform doesn’t see forwarding relationships
  - Forwarding traffic is muddled by other users and other messages

This work: Tracing in E2EE messaging [TMR CCS’19]
- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging
  - Path traceback: chain of messages from source to reporter
  - Tree traceback: entire forwarding tree of messages originating from source
- Formal confidentiality and accountability security notions for tracing
- Implementation and evaluation of practicality

Prior work: Abuse reporting in E2EE messaging
Message franking [FB white paper ’17], [GLR CRYPTO’17], [DGRW CRYPTO’18]
- User reports received message m to platform
- Platform learns message and sender, but nothing more about where message came from or where it reached

This work: Tracing in E2EE messaging [TMR CCS’19]
- User reports received message m to platform
- Two constructions for message tracing
  - Path traceback
  - Tree traceback

Goal: Act like standard E2EE messaging before report
Before report
- Platform view: encrypted content and metadata (participants, length, and timing)
- User view: messages they receive or send
  - User shouldn’t learn forwarding info of received messages

Goal: Reveal limited information after report
After report
- Platform view: message content and forward links of traceback target (e.g. path, tree)

Goal: Report consists of accurate information
Trace accountability
- An honest user cannot be framed for an action they didn’t perform
- Malicious user can partition trace, but will be blamed as source

Path traceback
Idea: Linked list of encrypted pointers

[Diagram: Alice, Bob, Charlie; Alice sends m and kAB to Bob over the E2EE channel]
- E2EE channel that is decoupled from message tracing
- Unique per-message “tracing” key shared between communication partners: kAB
- kØ: “null pointer” key, randomly generated
- ctAB = Enc(kAB, kØ): the “encrypted pointer”
- idAB = F(kAB, m), where F is a PRF that is also CR (e.g., HMAC)

Table stored on platform
idAB  ctAB

Forward from Bob to Charlie (tracing key kBC):
- ctBC = Enc(kBC, kAB)
- idBC = F(kBC, m)

Table stored on platform
idAB  ctAB
idBC  ctBC

Report: Charlie reports kBC and m to the platform
- Platform computes F(kBC, m) = idBC and finds the row (idBC, ctBC)
- Decrypt and dereference ctBC: kAB = Dec(kBC, ctBC); F(kAB, m) = idAB
- Decrypt and dereference ctAB: kØ = Dec(kAB, ctAB); F(kØ, m) not in table ⇒ beginning of forward chain!

Small and fast to compute!

Before report
- Platform view: Ciphertexts and PRF outputs without keys
- User view: Keys without ciphertext

After report
- Platform view: Learns keys only for rows of trace

Trace accountability
- Pointer “dereferences” are bound to a message
- A report of (k’, m’): to break accountability, F(k’, m’) must collide with idBC
See paper for security proofs!
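
Added example, not code from the slides or from the paper's implementation: a small Python model of the platform table, the pointer walk on a report, and the two accountability cases the slides name (a report bound to the wrong message, and a forwarder who partitions the trace). HMAC-SHA256 plays F as the slides suggest; the XOR-pad `enc`, the `Platform` class, keeping sender and recipient next to each row, and the user "Dave" are assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32  # bytes; equals the HMAC-SHA256 output length used as the pad


def F(k: bytes, m: bytes) -> bytes:
    """id = F(k, m): HMAC-SHA256 as the collision-resistant PRF."""
    return hmac.new(k, b"id|" + m, hashlib.sha256).digest()


def enc(k: bytes, pointer: bytes) -> bytes:
    """Stand-in for Enc(k, pointer): XOR with a pad derived from k.

    Assumption of this example. It is acceptable here only because each
    tracing key encrypts exactly one 32-byte pointer; the "enc|" / "id|"
    prefixes keep the pad separate from every F output.
    """
    pad = hmac.new(k, b"enc|", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(pointer, pad))


dec = enc  # XOR pad: decryption is the same operation


class Platform:
    """Table of id -> ct rows, plus the participant metadata the platform
    already sees for every delivery (assumed to be stored with the row)."""

    def __init__(self):
        self.table = {}

    def store(self, sender, recipient, tag_id, ct):
        self.table[tag_id] = (ct, sender, recipient)

    def trace(self, k, m):
        """Walk the encrypted pointers from a reported (k, m) to the source.

        Returns the path as (sender, recipient) hops, source first. An empty
        path means the report does not match any stored row.
        """
        path, seen = [], set()
        while True:
            tag_id = F(k, m)
            row = self.table.get(tag_id)
            # Stop at the null pointer (no row) or if crafted rows form a loop.
            if row is None or tag_id in seen:
                break
            seen.add(tag_id)
            ct, sender, recipient = row
            path.append((sender, recipient))
            k = dec(k, ct)  # dereference: key of the previous hop, or kØ
        path.reverse()
        return path


def send(platform, sender, recipient, m, received_key=None):
    """Sender side: fresh tracing key, pointer to the previous hop's key
    (or a random null-pointer key kØ when authoring), row to the platform.
    The returned key travels with m inside the E2EE channel (not modelled)."""
    k = secrets.token_bytes(KEY_LEN)
    pointer = received_key if received_key is not None else secrets.token_bytes(KEY_LEN)
    platform.store(sender, recipient, F(k, m), enc(k, pointer))
    return k


def demo():
    m = b"constructed sample message"
    p = Platform()
    k_ab = send(p, "Alice", "Bob", m)                       # Alice authors m
    k_bc = send(p, "Bob", "Charlie", m, received_key=k_ab)  # Bob forwards

    honest = p.trace(k_bc, m)                         # Charlie's report
    wrong_message = p.trace(k_bc, b"another message")  # key bound to m only

    # Bob partitions the trace: he forwards m but drops the pointer to kAB.
    k_bd = send(p, "Bob", "Dave", m)
    partitioned = p.trace(k_bd, m)                    # Bob appears as source
    return honest, wrong_message, partitioned


if __name__ == "__main__":
    for result in demo():
        print(result)
```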
![Page 60: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/60.jpg)
60
Path tracebackIdea: Linked list of encrypted pointers
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
![Page 61: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/61.jpg)
61
Path tracebackIdea: Linked list of encrypted pointers
User submits report Moderation decision based on content
Action taken on relevant parties
Combination of machine learning and human review
Ban fake/troll accounts injecting misinformation into network
Notify users that have previously shared or received misinformation
![Page 62: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/62.jpg)
62
Path traceback
Idea: Linked list of encrypted pointers
User submits report → Moderation decision based on content → Action taken on relevant parties
- Combination of machine learning and human review
- Ban fake/troll accounts injecting misinformation into network
- Notify users that have previously shared or received misinformation
Need something more than path traceback!
![Page 63: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/63.jpg)
63
Extension: Tree traceback
Idea: “Doubly” linked list of encrypted pointers
[Diagram: Alice, Bob, Charlie, with table entries idAB and idBC]
![Page 64: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/64.jpg)
64
Extension: Tree traceback
Idea: “Doubly” linked list of encrypted pointers
[Diagram: Alice, Bob, Charlie, with table entries idAB and idBC; label: “backward pointer”]
![Page 65: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/65.jpg)
65
Extension: Tree traceback
Idea: “Doubly” linked list of encrypted pointers
[Diagram: Alice, Bob, Charlie, with table entries idAB and idBC; labels: “backward pointer”, “forward pointer”]
![Page 66: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/66.jpg)
66
Extension: Tree traceback
Idea: “Doubly” linked list of encrypted pointers
[Diagram: Alice, Bob, Charlie, Diane, …, with table entries idAB, idBC, idBD; labels: “backward pointer”, “forward pointers”]
![Page 67: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/67.jpg)
67
Extension: Tree traceback
Idea: “Doubly” linked list of encrypted pointers
[Diagram: Alice, Bob, Charlie, Diane, …, with table entries idAB, idBC, idBD; labels: “backward pointer”, “forward pointers”]
See paper for full details of construction! (uses PRG and secret sharing)
![Page 68: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/68.jpg)
68
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust
- Server table stored in in-memory Redis database
https://github.com/nirvantyagi/tracing
![Page 69: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/69.jpg)
69
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust
- Server table stored in in-memory Redis database
- Fast (uses only efficient symmetric cryptography)
  - Client side: < 50 μs to generate and verify tracing tags
  - Server side: Traceback takes < 100 μs / message in trace
https://github.com/nirvantyagi/tracing
![Page 70: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/70.jpg)
70
Performance evaluation
- Path and Tree traceback implemented in < 500 lines of Rust
- Server table stored in in-memory Redis database
- Fast (uses only efficient symmetric cryptography)
  - Client side: < 50 μs to generate and verify tracing tags
  - Server side: Traceback takes < 100 μs / message in trace
- Platform storage
  - Stores < 100B / message
  - 1 billion messages / day ⇒ ~ 2TB / month
  - Reasonable to store most recent time period sliding window
https://github.com/nirvantyagi/tracing
![Page 71: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/71.jpg)
71
Deployment considerations
Can tracing be abused to silence socially valuable content?
Future work: Policy and implementation to limit abuse of tracing
User submits report → Moderation decision based on content → Action taken on relevant parties
![Page 72: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/72.jpg)
72
Deployment considerations
Can tracing be abused to silence socially valuable content?
Future work: Policy and implementation to limit abuse of tracing
User submits report → Moderation decision based on content → Action taken on relevant parties
- Threshold number of reports?
- Tracing ability is only granted after moderation decision on content is complete?
![Page 73: Encrypted Messaging Traceback for End-to-Endtyagi/slides/tracing.pdfNirvan Tyagi Ian Miers Tom Ristenpart CCS 2019 1 Setting: End-to-end encrypted (E2EE) messaging 2 Platform Alice](https://reader035.fdocuments.us/reader035/viewer/2022062507/5fde3e3ae0a1a261fb2149de/html5/thumbnails/73.jpg)
73
Conclusion
https://github.com/nirvantyagi/tracing
- Message tracing: new cryptographic functionality for user-driven reporting of forwards in E2EE messaging
  - Path traceback: chain of messages from source to reporter
  - Tree traceback: entire forwarding tree of messages originating from source
- Formal confidentiality and accountability security notions for tracing
- Implementation and evaluation of practicality