2. Who are we? Quick Introductions
Mainak Ghosh, Miles Richardson Yale ’14
○ Passions for privacy. Newcomers to Tor community.
Professor Bryan Ford DeDiS @ Yale
○ DeDiS: Decentralized/Distributed Systems Research.
Rob Jansen U.S. Naval Research Lab
○ Tor Veteran: TEARS, LIRA, BRAIDS, and more.
3. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.
4. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.
5. What’s the problem? Tor is slow!
● We’ve all seen the graphs
● Speeds improving
● But can always be faster
Tortoise
6. What’s our solution? (1/2) TorCoin
● Proof-of-bandwidth “AltCoin” (cryptocurrency)
● Relays “mine” TorCoins via bandwidth transfer
● Trade TorCoins for cash on AltCoin exchanges
○ (Altcoin investors buy coins. Clients do not pay!)
7. What’s our solution? (2/2) TorPath
● Protocol for assigning Tor clients to circuits
● Anonymously verifiable circuit signatures
● Sign TorCoins with signature, public verifies
8. TorPath Makes TorCoin Verifiable
1) How to mine? TorCoin
● Circuit members agree when they find a coin
● Collectively sign coin, agree on N bits transferred
2) How to verify? TorPath
● Circuits privately addressable, publicly verifiable
● Public can match a coin to a record of a circuit
9. LIRA, Tortoise, BRAIDS, etc.
● Reduce anonymity
● Centralize trust
● Charge for “fast lane”
Prior Work: Another incentive system?
10. Challenge: Anonymous and verifiable?
Need to monitor bandwidth so that:
● Everybody agrees
● Nobody can be identified
● Everybody gets paid
While keeping status-quo of trust.
12. Challenge Accepted: TorCoin, TorPath
● Everybody agrees
○ BitCoin blockchain provides distributed storage
● Nobody can be identified
○ TorPath: you can only identify your two neighbors
13. Challenge Accepted: TorCoin, TorPath
● Everybody agrees
○ BitCoin blockchain provides distributed storage
● Nobody can be identified
○ TorPath: you can only identify your two neighbors
● Everybody gets paid
○ Blockchain also provides distributed payments
14. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.
15. TorCoin: Mined collectively by circuits
● Circuit members establish goodput consensus
● Every n bits, client generates random hash
● Like BitCoin, if n low bits == 0, it’s a TorCoin
16. Every n bits, circuit follows protocol
E M X
C
Receive blob, verify n bits, generate private key, hash it, add to blob, send to right neighbor →
← Receive blob, verify commits, sign blob, reveal private key, send to left neighbor
17. Every n bits, client generates tmp key
E M X
C
n bits hash(tmp key)
24. Client: Verify Blob, Add to Blockchain
C
Proof matches circuit signature, verifiable by anyone
Verify
25. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.
26. TorPath: Collective circuit assignment
● Groups of clients, relays, assignment servers
● Form circuits via contributed randomness
● Circuit members can only identify neighbors
28. TorPath: Protocol Overview
1. Group Formation
○ Clients, relays send pub keys to assignment servers
2. Circuit Assignment
○ Assignment servers shuffle matrix, publish it
29. TorPath: Protocol Overview
1. Group Formation
○ Clients, relays send pub keys to assignment servers
2. Circuit Assignment
○ Assignment servers shuffle matrix, publish it
3. Path Lookup
○ Clients, relays find neighbors in the matrix
30. 1. Clients, relays send
temp public keys
2. Send to assignment
server
3. Assignment server
builds matrix of keys
(1/3) Group Formation: Build matrix
31. (2/3) Circuit Assignment: Neff shuffle
Assignment servers shuffle the
matrix, publish it.
Neff Shuffle:
● Decentralized shuffle
● Contributed randomness
Shuffled Matrix: Each row is a circuit.
32. (3/3) Path Lookup: Find neighbors
● Onion hash w/ neighbor’
s public key,
send to server
● Servers publish new list
● Can only decrypt
neighbors
33. Properties of TorPath
● No client can generate its own circuit.
● No client can know another’s circuit.
● Unique, pub verifiable signature per circuit.
34. TorPath Makes TorCoin Verifiable
1) How to mine? TorCoin
● Circuit members agree when they find a coin
● Collectively sign coin, agree on N bits transferred
2) How to verify? TorPath
● Circuits privately addressable, publicly verifiable
● Public can match a coin to a record of a circuit
36. Security: What can go wrong?
● Sybil attacks in circuit TorCoin mining
● Sybil attacks in assignment groups
● No rational incentive for enforcement
37. Economics: Open Questions
● Is TorCoin valuable just by virtue of Altcoin?
● Limited supply of TorCoins? Periodic resets?
38. Implementation: Path to take?
● Early stage research, many limitations
● “A TorPath to TorCoin”
● TorPath: Advantages on its own
○ Reduced latency in hidden services
○ Hardened anonymity between circuit members