A Distributed Metadata - Private Messaging System

Private communication over the Internet continues to be a difficult problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable systems such as Tor are susceptible to traffic analysis. In contrast, the largest-scale systems with metadata privacy require passing all messages through a single server, which places a hard cap on their scalability. This paper presents Stadium, the first system to protect both messages and metadata while being able to scale its work efficiently across multiple servers. Stadium uses the same differential privacy definition for metadata privacy as Vuvuzela, the currently highest-scale system. However, providing privacy in Stadium is significantly more challenging because distributing users' traffic across servers creates more opportunities for adversaries to observe it. To solve this challenge, Stadium uses a novel verifiable mixnet design. We use a verifiable shuffle scheme that we extend to allow for efficient group verification, and present a verifiable distribution primitive to check message transfers across servers. We show that Stadium can scale to use hundreds of servers, support an order of magnitude more users than Vuvuzela, and cut the costs of operating each server. Thesis Supervisor: Dr. Matei Zaharia Title: Assistant Professor