The Effect of False Positives: Why Fuzzy Message Detection Leads to Fuzzy Privacy Guarantees?

TL;DR

This paper analyzes the privacy guarantees of Fuzzy Message Detection (FMD), a cryptographic primitive, through theoretical, differential privacy, and empirical methods, providing guidance on privacy trade-offs in real-world scenarios.

Contribution

It offers a formal analysis of FMD's privacy guarantees from multiple perspectives and introduces a relaxed differential privacy definition for FMD.

Findings

FMD provides recipient unlinkability, relationship anonymity, and temporal detection ambiguity.

Differential privacy analysis reveals privacy-utility trade-offs in FMD.

Simulations on real data help users choose false-positive rates for desired privacy levels.

Abstract

Fuzzy Message Detection (FMD) is a recent cryptographic primitive invented by Beck et al. (CCS'21) where an untrusted server performs coarse message filtering for its clients in a recipient-anonymous way. In FMD - besides the true positive messages - the clients download from the server their cover messages determined by their false-positive detection rates. What is more, within FMD, the server cannot distinguish between genuine and cover traffic. In this paper, we formally analyze the privacy guarantees of FMD from three different angles. First, we analyze three privacy provisions offered by FMD: recipient unlinkability, relationship anonymity, and temporal detection ambiguity. Second, we perform a differential privacy analysis and coin a relaxed definition to capture the privacy guarantees FMD yields. Finally, we simulate FMD on real-world communication data. Our theoretical and empirical results assist FMD users in adequately selecting their false-positive detection rates for various applications with given privacy requirements.