Fixup prior to 0.4.0
This commit is contained in:
parent
570a48f9c2
commit
1147c4f6d5
|
|
@ -30,6 +30,3 @@ harness = false
|
|||
|
||||
[features]
|
||||
entangled = ["brute-force"]
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
48
README.md
48
README.md
|
|
@ -1,40 +1,57 @@
|
|||
# FuzzyTags
|
||||
|
||||
Anonymous messaging systems (and other privacy-preserving applications) often require a mechanism for one party
|
||||
to learn that another party has messaged them.
|
||||
to learn that another party has messaged them ("notifications").
|
||||
|
||||
Many schemes rely on a bandwidth-intensive "download everything and attempt-decryption" approach. Others rely on a trusted
|
||||
3rd party, or non-collusion assumptions, to provide a "private" service.
|
||||
3rd party, or various non-collusion assumptions, to provide a "private" service. Other schemes
|
||||
require that parties arrange themselves in "buckets" or "mailboxes" effectively creating smaller instances of the
|
||||
"download everything" approach.
|
||||
|
||||
It would be awesome if we could get an **untrusted**, **adversarial** server to do the work for us without compromising metadata-resistance!
|
||||
It would be awesome if we could get an **untrusted**, **adversarial** server to do the work for us
|
||||
without compromising metadata-resistance or requiring parties to split themselves into buckets (effectively
|
||||
dividing the anonymity set of the system)!
|
||||
|
||||
**fuzzytags** is an experimental probabilistic cryptographic tagging structure to do just that!
|
||||
|
||||
Specifically **fuzzytags** provides the following properties:
|
||||
Instead of placing messages into deterministic buckets based on the recipient, **fuzzytags** allow each
|
||||
message to probabilistically address itself to several parties in addition to the intended party - utilizing the
|
||||
anonymity of the whole set of participants, instead of the ones who happen to share a bucket for a given round.
|
||||
|
||||
* Correctness: Valid tags constructed for a specific public key will always validate when tested using a derived detection key.
|
||||
* Fuzziness: Tags will produce false positives with probability _p_ related to the security property (_γ_) when tested against detection keys they
|
||||
were not intended for.
|
||||
* Security: An adversarial server with access to the detection key **is unable to distinguish false positives from true positives**. (Detection Ambiguity)
|
||||
Specifically **fuzzytags** provide the following properties:
|
||||
|
||||
* Correctness: Valid tags constructed for a specific tagging key will always validate when tested using a
|
||||
derived detection key.
|
||||
* Fuzziness: Tags will produce false positive matches with probability _p_ related to the security property (_γ_) when
|
||||
tested against detection keys they were not intended for.
|
||||
* Security: An adversarial server with access to the detection key **is unable to distinguish false
|
||||
positives from true positives**. (this property is referred to as *Detection Ambiguity*)
|
||||
|
||||
## Security (hic sunt dracones)
|
||||
|
||||
This crate provides an experimental implementation of the `FMD2` scheme described in ["Fuzzy Message Detection"](https://eprint.iacr.org/2021/089). Using
|
||||
Ristretto as the prime order group.
|
||||
|
||||
This code has not undergone any significant review.
|
||||
This code has not undergone any significant review.
|
||||
|
||||
Further, the properties provided by this system are highly dependent on selecting a **false positive rate** _p_ and
|
||||
**scheme constant** _γ_ for your system. There is no one-size-fits-all approach.
|
||||
|
||||
If _p_ is too low, then the probability of false positives will be very high.
|
||||
If _p_ is too low, then the probability of false positives for a given party will be very high.
|
||||
|
||||
If _p_ is too high, then an adversarial server will be able to link messages to recipients with low probability.
|
||||
If _p_ is too high, then an adversarial server will be able to link messages to recipients with probability
|
||||
approaching _1_.
|
||||
|
||||
Likewise a large _γ_ means higher bandwidth costs, but a small _γ_ reveals more of the secret keys to the server and
|
||||
increases false positives.
|
||||
Likewise a large _γ_ means higher bandwidth costs, but a small _γ_ reveals more of the root secret to the server while
|
||||
also increasing the change of perfect (but false) matches across all parties.
|
||||
|
||||
## More Detailed System Description
|
||||
We are also [building a simulator](https://git.openprivacy.ca/openprivacy/fuzzytags-sim) to understand these
|
||||
parameter choices in addition to other factors when deploying fuzzytags to real-world systems.
|
||||
|
||||
For more guidance (and warnings) on integrating fuzzytags into a privacy preserving application see [documentation](https://docs.rs/fuzzytags/#integrating-fuzzytags)
|
||||
|
||||
|
||||
## Terminology and a more detailed System Description
|
||||
|
||||
There exists a metadata resistant application that uses untrusted servers to mediate communication between parties.
|
||||
|
||||
|
|
@ -164,9 +181,6 @@ We use [criterion](https://crates.io/crates/criterion) for benchmarking, and ben
|
|||
|
||||
Results will be in `target/criterion/report/index.html`.
|
||||
|
||||
## Integrating fuzzytags
|
||||
|
||||
For more guidance on integrating fuzzytags into a privacy preserving application see [documentation](https://docs.rs/fuzzytags/#integrating-fuzzytags)
|
||||
|
||||
## Credits and Contributions
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue