Poster: Committee Moderation on Encrypted Messaging Platforms^†^†thanks: This work was supported by NSF grant 1814753.

Alistair Pattison Carleton College, University of Minnesota
[email protected] Nicholas Hopper University of Minnesota
[email protected]

I Introduction

Over the past decade, the increased prevalence of mobile computing and a growing desire for privacy have lead to a surge in the use of encrypted messaging services like WhatsApp, Facebook Messenger, and Signal. The deniability, anonymity, and security provided by these services are crucial to their widespread adoption, but by construction, these properties make it impossible to hold users accountable for the messages they send. With no accountability, these platforms are ripe for abuse, and WhatsApp group chats have been used to spread misinformation that has influenced elections [1, 2] and even incited the murder of a woman in India [3]. With no way of identifying or verifying the senders of these messages, little can be done.

Previous works [4, 5] have attempted to find a middle ground between accountability and privacy by allowing a moderator to verify the original sender of a message if the message is reported; if not reported, messages maintain all security guarantees. However, these works concentrate all responsibility for determining if a message requires moderation to a single party. This is undesirable. Using primitives from threshold cryptography, this work extends the message-reporting protocol Hecate [4] to a setting in which consensus among a group of moderators is required to reveal and verify the identity of a message’s sender.

II Previous Works

An obvious road to accountability is to require users to sign their messages, but this completely destroys deniability, which is an important feature in many use cases. [5] preserve deniability by using a cryptographic primitive that allows signatures to be verified only by one person who is chosen at the time of signing. By making the designated verifier a trusted third party (for example, law enforcement or a school principal) and attaching to each message a zero-knowledge proof that the signature is valid, users can be confident that abusive messengers can be held accountable for the messages they send while still preserving deniability against everyone else. However, this protocol uses heavy crypto machinery and is quite expensive.

More recent work by [4] introduced a protocol called Hecate that provides the same security guarantees as [5] but is significantly cheaper in terms of the number of invocations of cryptographic primitives. It works as follows: In advance of sending any messages, users request “tokens” from a moderator containing (among other things) an encryption of the message-sender’s identity,

x_{1}\coloneqq\Call{Enc}{}_{mod}(id_{src}),

(1)

and a single-use ephemeral key pair $(pk_{eph},sk_{eph})$ . The token also includes a signature $\sigma_{mod}$ made with the moderators private key that binds the key pair to $x_{1}$ .

When a user sends a message, he consumes a token and attaches the signature

\sigma_{src}=\Call{Sign}{}_{sk_{eph}}(x_{2})\quad\text{where}\quad x_{2}\coloneqq x_{1}\oplus H(m)

(2)

to the message along with the original moderator token. The signature binds $x_{1}$ to the sent message, and this metadata is carried with the message throughout its entire forwarding chain. If the message is ever reported, the moderator decrypts $x_{1}$ with her private key to obtain the original sender’s identity. To everyone else, the token provides no information.

We direct readers to [4] for a richer description of the protocol and its properties.

III Our Protocol

Our modified protocol retains the same general flow of token-issuing and message reporting from Hecate [4], but modifies the process by which $x_{1}$ is created and decrypted. We call our new protocol Cerberus (the name of the multi-headed dog that guards the river Styx) as a nod to the multiple moderators in the protocol and the greek name of the original Hecate protocol.

In Cerberus, there are $n$ moderators, and $k$ of them must cooperate to recover $id_{src}$ from $x_{1}$ . (These $k$ and $n$ values are tunable protocol parameters.) The token-creation process is described below using Elgamal threshold encryption and the FROST [6] signature algorithm, although different threshold schemes could be substituted. In \CallCreateToken, $G$ is a (secure) group of order $q$ with generator $g$ , the moderators’ public encryption key is $pk_{mod}$ , and the corresponding private encryption key is divided into shares $s_{1},\ldots,s_{n}$ using a Shamir secret-sharing scheme [7]. The token generated by \CallCreateToken is identical to a token in the Hecate protocol [4], and the message is processed as is described in that paper.

CreateToken

id_{src}

1:Generate

r\leftarrow_{\$}\mathbb{Z}_{q}

and an an ephemeral keypair

(pk_{eph},sk_{eph})

2:Compute

x_{1}\coloneqq\left(g^{r},\ id_{src}\oplus H(pk_{mod}^{r})\right)

3:Package

x_{1}

into a token and send a signature request to each moderator along with the randomness

r

4:Each moderator verifies that

x_{1}

is a valid encryption of

id_{src}

with the provided randomness and returns their signature share on the token.

5:Once sufficient responses are received, combine the signature shares into a valid Schnorr signature

\sigma_{mod}

. \EndFunction

\Function

To report a message, a user sends out requests to every moderator, each of whom decides individually whether or not to respond with a decryption share $d_{i}$ serving as a vote that the message should be acted upon. If more than $k$ decryption shares are received, i.e., if more than $k$ moderators believe that the message requires moderation, then one can recover the identity of the sender, $id_{src}$ . If there are insufficient responses, $id_{src}$ remains hidden. This process of “voting” adresses the question posed in [4] of how to handle reported messages that are not necessarily abusive or misinfirmative. A formal description is as follows:

HandleReport

m

T=(x_{1},\ldots)

1:A user sends a request to all

n

moderators containing the reported message

m

and its attatched token

T

containing the encrypted id,

x_{1}=(c_{1},c_{2})

2:Each moderator verifies the token and—if she believes that the message requires intervention—responds with the decryption share

d_{i}\coloneqq c_{1}^{s_{i}}

3:If

k

decryption shares are received, they can be combined with appropriate Lagrange coefficients

\lambda_{i}\coloneqq\prod_{j\neq i}\frac{j}{j-i}

to obtain

id_{src}=H\left(\prod_{i}d_{i}^{\lambda_{i}}\right)\oplus c_{2}.

(3)

\EndFunction

\Function

IV Benchmarks

[4] includes an implementation and benchmark of the whole message cycle, so we focus on the modified portions of the protocol: token creation and message reporting. We implement these steps in Rust and run each party in a separate Linux container communicating over HTTP. Source code and more details are available on github [8]. Cerberus is much slower to create tokens than Hecate (on the order of 50x), but this isn’t a huge surprise: the benchmarks were run on slower hardware, and the distributed nature of this protocol involves a multitude of verification, serialization, and communication steps that are not required in Hecate. With that said, the operational costs of implementing a protocol such as this are still well within the budgetary constraints of a large company like Facebook. Extending the analysis in [4], we estimate the total cost of running all necessary servers to be under $100 a day for the entirety of WhatsApp.

TABLE I: Mean end-to-end runtimes (ms).

$n$	3	5	7
Token creation (per token)	1.86	3.06	4.61
Report handling (per report)	0.626	0.904	1.18

Figure 1: End-to-end token creation times as a function of batch size and number of moderators. Times include all rounds of communication.

References

[1] Luca Belli “Opinion: WhatsApp skewed Brazilian election, showing social media’s danger to democracy” In PBS, 2018 URL: https://www.pbs.org/newshour/science/whatsapp-skewed-brazilian-election-showing-social-medias-danger-to-democracy
[2] Samuel Woolley and Philip Howard “Computational Propaganda Worldwide: Executive Summary”, 2017 URL: https://demtech.oii.ox.ac.uk/wp-content/uploads/sites/12/2017/06/Casestudies-ExecutiveSummary.pdf
[3] Vindu Goel, Suhasini Raj and Priyadarshini Ravichandran “How WhatsApp Leads Mobs to Murder in India” In The New York Times, 2018 URL: https://nyti.ms/383uZ59
[4] Rawane Issa, Nicolas Alhaddad and Mayank Varia “Hecate: Abuse Reporting in Secure Messengers with Sealed Sender” In 31st USENIX Security Symposium (USENIX Security ’22) USENIX Association, 2022 URL: https://www.usenix.org/conference/usenixsecurity22/presentation/issa
[5] Nirvan Tyagi et al. “Asymmetric Message Franking: Content Moderation for Metadata-Private End-to-End Encryption”, Cryptology ePrint Archive, Paper 2019/565, 2019 URL: https://eprint.iacr.org/2019/565
[6] Chelsea Komlo and Ian Goldberg “FROST: Flexible Round-Optimized Schnorr Threshold Signatures”, Cryptology ePrint Archive, Paper 2020/852, 2020 URL: https://eprint.iacr.org/2020/852
[7] Adi Shamir “How to Share a Secret” In Commun. ACM 22.11 New York, NY, USA: Association for Computing Machinery, 1979, pp. 612–613 DOI: 10.1145/359168.359176
[8] Alistair Pattison “Cerberus”, github, 2023 URL: http://github.com/alipatti/cerberus