From 1147c4f6d529dbcfd55f35406c01309681f5624b Mon Sep 17 00:00:00 2001 From: Sarah Jamie Lewis Date: Tue, 9 Feb 2021 22:42:59 -0800 Subject: [PATCH] Fixup prior to 0.4.0 --- Cargo.toml | 3 --- README.md | 48 +++++++++++++++++++++++++++++++----------------- 2 files changed, 31 insertions(+), 20 deletions(-) diff --git a/Cargo.toml b/Cargo.toml index d19fa7e..f2861b9 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -30,6 +30,3 @@ harness = false [features] entangled = ["brute-force"] - - - diff --git a/README.md b/README.md index 2c74c6e..075c414 100644 --- a/README.md +++ b/README.md 
@@ -1,40 +1,57 @@ # FuzzyTags Anonymous messaging systems (and other privacy-preserving applications) often require a mechanism for one party -to learn that another party has messaged them. +to learn that another party has messaged them ("notifications"). Many schemes rely on a bandwidth-intensive "download everything and attempt-decryption" approach. Others rely on a trusted -3rd party, or non-collusion assumptions, to provide a "private" service. +3rd party, or various non-collusion assumptions, to provide a "private" service. Other schemes +require that parties arrange themselves in "buckets" or "mailboxes" effectively creating smaller instances of the +"download everything" approach. -It would be awesome if we could get an **untrusted**, **adversarial** server to do the work for us without compromising metadata-resistance! +It would be awesome if we could get an **untrusted**, **adversarial** server to do the work for us +without compromising metadata-resistance or requiring parties to split themselves into buckets (effectively +dividing the anonymity set of the system)! **fuzzytags** is an experimental probabilistic cryptographic tagging structure to do just that! -Specifically **fuzzytags** provides the following properties: +Instead of placing messages into deterministic buckets based on the recipient, **fuzzytags** allow each +message to probabilistically address itself to several parties in addition to the intended party - utilizing the +anonymity of the whole set of participants, instead of the ones who happen to share a bucket for a given round. - * Correctness: Valid tags constructed for a specific public key will always validate when tested using a derived detection key. - * Fuzziness: Tags will produce false positives with probability _p_ related to the security property (_γ_) when tested against detection keys they - were not intended for. 
- * Security: An adversarial server with access to the detection key **is unable to distinguish false positives from true positives**. (Detection Ambiguity) +Specifically **fuzzytags** provide the following properties: + + * Correctness: Valid tags constructed for a specific tagging key will always validate when tested using a + derived detection key. + * Fuzziness: Tags will produce false positive matches with probability _p_ related to the security property (_γ_) when + tested against detection keys they were not intended for. + * Security: An adversarial server with access to the detection key **is unable to distinguish false + positives from true positives**. (this property is referred to as *Detection Ambiguity*) ## Security (hic sunt dracones) This crate provides an experimental implementation of the `FMD2` scheme described in ["Fuzzy Message Detection"](https://eprint.iacr.org/2021/089). Using Ristretto as the prime order group. -This code has not undergone any significant review. +This code has not undergone any significant review. Further, the properties provided by this system are highly dependent on selecting a **false positive rate** _p_ and **scheme constant** _γ_ for your system. There is no one-size-fits-all approach. -If _p_ is too low, then the probability of false positives will be very high. +If _p_ is too low, then the probability of false positives for a given party will be very high. -If _p_ is too high, then an adversarial server will be able to link messages to recipients with low probability. +If _p_ is too high, then an adversarial server will be able to link messages to recipients with probability +approaching _1_. -Likewise a large _γ_ means higher bandwidth costs, but a small _γ_ reveals more of the secret keys to the server and -increases false positives. 
+Likewise a large _γ_ means higher bandwidth costs, but a small _γ_ reveals more of the root secret to the server while +also increasing the change of perfect (but false) matches across all parties. -## More Detailed System Description +We are also [building a simulator](https://git.openprivacy.ca/openprivacy/fuzzytags-sim) to understand these +parameter choices in addition to other factors when deploying fuzzytags to real-world systems. + +For more guidance (and warnings) on integrating fuzzytags into a privacy preserving application see [documentation](https://docs.rs/fuzzytags/#integrating-fuzzytags) + + +## Terminology and a more detailed System Description There exists a metadata resistant application that uses untrusted servers to mediate communication between parties. @@ -164,9 +181,6 @@ We use [criterion](https://crates.io/crates/criterion) for benchmarking, and ben Results will be in `target/criterion/report/index.html`. -## Integrating fuzzytags - -For more guidance on integrating fuzzytags into a privacy preserving application see [documentation](https://docs.rs/fuzzytags/#integrating-fuzzytags) ## Credits and Contributions
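Review bot: In the README.md `@@ -1,40 +1,57 @@` hunk, the two sentences about _p_ under "Security (hic sunt dracones)" read inverted against the definition directly above them. _p_ is introduced as the **false positive rate**, yet the text says "If _p_ is too low, then the probability of false positives for a given party will be very high" and "If _p_ is too high, then an adversarial server will be able to link messages to recipients with probability approaching _1_". With _p_ as a rate, a low _p_ is the case with few false positives, which is the linkable one, and a high _p_ is the case with many. Suggest swapping the two conditions, or, if _p_ is meant as something other than the rate itself, defining it at that point. In the same hunk, "increasing the change of perfect (but false) matches" should read "chance".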
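Review bot: In the README.md `@@ -164,9 +181,6 @@` hunk, removing the `## Integrating fuzzytags` heading drops the README's own `#integrating-fuzzytags` anchor, and the pointer that replaces it is now the last paragraph of the Security section, where a reader scanning headings for integration guidance will not find it. Consider keeping a one-line "Integrating fuzzytags" section that links to the docs, and mention the move in the commit message, which currently says only "Fixup prior to 0.4.0".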