TY - GEN
T1 - Stadium
T2 - 26th ACM Symposium on Operating Systems Principles, SOSP 2017
AU - Tyagi, Nirvan
AU - Gilad, Yossi
AU - Leung, Derek
AU - Zaharia, Matei
AU - Zeldovich, Nickolai
N1 - Funding Information: Thanks to Justin Martinez and Pratheek Nagaraj for helping us implement and evaluate Stadium, and to David Lazar and Jelle van den Hooff for their feedback on the design of Stadium and on this paper. We would also like to thank our reviewers and our shepherd Michael Walfish. This work was supported by NSF awards CNS-1413920 and CNS-1414119, and by Google. Publisher Copyright: © 2017 Copyright held by the owner/author(s). Publication rights licensed to Association for Computing Machinery.
PY - 2017/10/14
Y1 - 2017/10/14
N2 - Private communication over the Internet remains a challenging problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable anonymity systems, such as Tor, are susceptible to traffic analysis attacks that leak metadata. In contrast, the largest-scale systems with metadata privacy require passing all messages through a small number of providers, requiring a high operational cost for each provider and limiting their deployability in practice. This paper presents Stadium, a point-to-point messaging system that provides metadata and data privacy while scaling its work efficiently across hundreds of low-cost providers operated by different organizations. Much like Vuvuzela, the current largest-scale metadata-private system, Stadium achieves its provable guarantees through differential privacy and the addition of noisy cover traffic. The key challenge in Stadium is limiting the information revealed from the many observable traffic links of a highly distributed system, without requiring an overwhelming amount of noise. To solve this challenge, Stadium introduces techniques for distributed noise generation and differentially private routing as well as a verifiable parallel mixnet design where the servers collaboratively check that others follow the protocol. We show that Stadium can scale to support 4× more users than Vuvuzela using servers that cost an order of magnitude less to operate than Vuvuzela nodes.
KW - Anonymous communication
KW - Differential privacy
KW - Mixnet
KW - Verifiable shuffle
UR - http://www.scopus.com/inward/record.url?scp=85041678126&partnerID=8YFLogxK
U2 - https://doi.org/10.1145/3132747.3132783
DO - https://doi.org/10.1145/3132747.3132783
M3 - Conference contribution
T3 - SOSP 2017 - Proceedings of the 26th ACM Symposium on Operating Systems Principles
SP - 423
EP - 440
BT - SOSP 2017 - Proceedings of the 26th ACM Symposium on Operating Systems Principles
Y2 - 28 October 2017 through 31 October 2017
ER -