1. TorCoin
Proof-of-Bandwidth AltCoin for Tor

2. Who are we? Quick Introductions
Mainak Ghosh, Miles Richardson Yale ’14
○ Passions for privacy. Newcomers to Tor community.
Professor Bryan Ford DeDiS @ Yale
○ DeDiS: Decentralized/Distributed Systems Research.
Rob Jansen U.S. Naval Research Lab
○ Tor Veteran: TEARS, LIRA, BRAIDS, and more.

3. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.

4. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.

5. What’s the problem? Tor is slow!
● We’ve all seen the graphs
● Speeds improving
● But can always be faster
Tortoise

6. What’s our solution? (1/2) TorCoin
● Proof-of-bandwidth “AltCoin” (cryptocurrency)
● Relays “mine” TorCoins via bandwidth transfer
● Trade TorCoins for cash on AltCoin exchanges
○ (Altcoin investors buy coins. Clients do not pay!)

7. What’s our solution? (2/2) TorPath
● Protocol for assigning Tor clients to circuits
● Anonymously verifiable circuit signatures
● Sign TorCoins with signature, public verifies

8. TorPath Makes TorCoin Verifiable
1) How to mine? TorCoin
● Circuit members agree when they find a coin
● Collectively sign coin, agree on N bits transferred
2) How to verify? TorPath
● Circuits privately addressable, publicly verifiable
● Public can match a coin to a record of a circuit

9. LIRA, Tortoise, BRAIDS, etc.
● Reduce anonymity
● Centralize trust
● Charge for “fast lane”
Prior Work: Another incentive system?

10. Challenge: Anonymous and verifiable?
Need to monitor bandwidth so that:
● Everybody agrees
● Nobody can be identified
● Everybody gets paid
While keeping status-quo of trust.

11. Challenge Accepted: TorCoin, TorPath
● Everybody agrees
○ BitCoin blockchain provides distributed storage

12. Challenge Accepted: TorCoin, TorPath
● Everybody agrees
○ BitCoin blockchain provides distributed storage
● Nobody can be identified
○ TorPath: you can only identify your two neighbors

13. Challenge Accepted: TorCoin, TorPath
● Everybody agrees
○ BitCoin blockchain provides distributed storage
● Nobody can be identified
○ TorPath: you can only identify your two neighbors
● Everybody gets paid
○ Blockchain also provides distributed payments

14. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.

15. TorCoin: Mined collectively by circuits
● Circuit members establish goodput consensus
● Every n bits, client generates random hash
● Like BitCoin, if n low bits == 0, it’s a TorCoin

16. Every n bits, circuit follows protocol
E M X
C
Receive blob, verify n bits, generate private key, hash it, add to blob, send to right neighbor →
← Receive blob, verify commits, sign blob, reveal private key, send to left neighbor

17. Every n bits, client generates tmp key
E M X
C
n bits hash(tmp key)

18. Entry relay: Generate tmp key, hash it
E M X
C
hash(tmp key)

19. Mid relay: Generate tmp key, hash it
E M X
C
hash(tmp key)

20. Exit relay: Generate tmp key, hash it
hash(tmp key)
E M X
C

21. Exit relay: Sign blob, reveal key
E M X
C
signature
key

22. Mid relay: Sign blob, reveal key
E M X
C
signaturekey

23. Entry Relay: Sign blob, reveal key
E M X
C
key signature

24. Client: Verify Blob, Add to Blockchain
C
Proof matches circuit signature, verifiable by anyone
Verify

25. Presentation Outline
1. Intro: Problem? Solution? Challenges?
2. TorCoin: Provide bandwidth, get paid.
3. TorPath: Anonymous, verifiable circuits.
4. Discussion: Benefits, risks, open questions.

26. TorPath: Collective circuit assignment
● Groups of clients, relays, assignment servers
● Form circuits via contributed randomness
● Circuit members can only identify neighbors

27. TorPath: Protocol Overview
1. Group Formation
○ Clients, relays send pub keys to assignment servers

28. TorPath: Protocol Overview
1. Group Formation
○ Clients, relays send pub keys to assignment servers
2. Circuit Assignment
○ Assignment servers shuffle matrix, publish it

29. TorPath: Protocol Overview
1. Group Formation
○ Clients, relays send pub keys to assignment servers
2. Circuit Assignment
○ Assignment servers shuffle matrix, publish it
3. Path Lookup
○ Clients, relays find neighbors in the matrix

30. 1. Clients, relays send
temp public keys
2. Send to assignment
server
3. Assignment server
builds matrix of keys
(1/3) Group Formation: Build matrix

31. (2/3) Circuit Assignment: Neff shuffle
Assignment servers shuffle the
matrix, publish it.
Neff Shuffle:
● Decentralized shuffle
● Contributed randomness
Shuffled Matrix: Each row is a circuit.

32. (3/3) Path Lookup: Find neighbors
● Onion hash w/ neighbor’
s public key,
send to server
● Servers publish new list
● Can only decrypt
neighbors

33. Properties of TorPath
● No client can generate its own circuit.
● No client can know another’s circuit.
● Unique, pub verifiable signature per circuit.

34. TorPath Makes TorCoin Verifiable
1) How to mine? TorCoin
● Circuit members agree when they find a coin
● Collectively sign coin, agree on N bits transferred
2) How to verify? TorPath
● Circuits privately addressable, publicly verifiable
● Public can match a coin to a record of a circuit

35. Presentation Outline
1. Problem Overview
2. Our solution: Bandwidth Incentive Scheme
○ TorCoin
○ TorPath
3. Discussion: Cost/benefit, risk, security

36. Security: What can go wrong?
● Sybil attacks in circuit TorCoin mining
● Sybil attacks in assignment groups
● No rational incentive for enforcement

37. Economics: Open Questions
● Is TorCoin valuable just by virtue of Altcoin?
● Limited supply of TorCoins? Periodic resets?

38. Implementation: Path to take?
● Early stage research, many limitations
● “A TorPath to TorCoin”
● TorPath: Advantages on its own
○ Reduced latency in hidden services
○ Hardened anonymity between circuit members