Presentation is loading. Please wait.

Presentation is loading. Please wait.

LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed.

Published byAbel Hawkins Modified over 9 years ago

Similar presentations

Presentation on theme: "LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed."— Presentation transcript:

1 LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed System Security Symposium February 27, 2013

2 Problem 2

3 Onion Routing User Destination Onion Routers encrypted unencrypted 3

4 Onion Routing User Destination Onion Routers encrypted unencrypted 4

5 Onion Routing User Destination Onion Routers encrypted unencrypted 5

6 Onion Routing User Destination Onion Routers encrypted unencrypted torproject.org 6

7 Onion Routing User Destination Onion Routers encrypted unencrypted torproject.org 7

8 Tor is Slow Web (320 KiB)Bulk (5 MiB) 8

9 Tor Utilization ~3000 relays 9

10 Tor Utilization ~500,000 users/day 10

11 Tor Utilization 11

12 Tor’s Top 20 Exit Relays Exit ProbabilityAdvertised BandwidthNicknameCountry 7.25%0.87%chaoscomputerclub18DE 6.35%0.93%chaoscomputerclub20DE 5.92%1.48%herngaardUS 3.60%0.66%chomskyNL 3.35%1.17%dorrisdeebrownDE 3.32%1.18%bolobolo1DE 3.26%0.65%rainbowwarriorNL 2.32%0.36%sdnettor01SE 2.23%0.69%TheSignulRO 2.22%0.41%raskinDE 2.05%0.40%bouaziziDE 1.93%0.65%asskSE 1.82%0.39%kramseDK 1.67%0.35%BostonUCompSciUS 1.53%0.40%bachDE 1.31%0.73%DFRI0SE 1.26%0.31%Amunet2US 1.13%0.27%Amunet8US 0.84%0.27%chaoscomputerclub28DE 0.76%0.37%DFRI3SE Total: 54.14%compass.torproject.org 12

13 Bytes Flows 2008* 2010** *McCoy et al. PETS 2008, **Chaabane et al. NSS 2010 40% 58% 3% 92% 52% 36% 11% 69% 13

14 Our Solution 14

15 LIRARelays’ own traffic gets better performance Incentive Scheme 15

16 LIRA Gold star Tortoise BRAIDS Freedom PAR XPay Relays’ own traffic gets better performance Charge users, pay relays Incentive Schemes 16

17 Incentive Schemes External payment Non-relays pay Efficiency concerns Anonymity concerns Freedom PAR XPay Gold star Tortoise BRAIDS 17

18 Anonymous Incentives prioritized normal Problem: Priority identifies user as a relay

19 Anonymous Incentives prioritized normal Problem: Priority identifies user as a relay Solutions 1.Give some priority “tickets” to all users (BRAIDS).

20 Anonymous Incentives prioritized normal Problem: Priority identifies user as a relay Solutions 1.Give some priority “tickets” to all users (BRAIDS). 2.Cryptographic lottery gives priority; winning tickets can be (secretly) bought (LIRA).

21 LIRA Design Bank

22 Bank gives anonymous coins to relays based on amount of traffic forwarded LIRA Design

23 Bank sets up lottery with each relay LIRA Design

24 Buy “winners” with coins LIRA Design

25 Clients guess winners LIRA Design

26 Priority scheduling LIRA Design

27 Cryptographic Lotteries Lottery at relay r g r : {0,1} 2L  {0,1} 2L x wins if –g r (x) = y 0 || y 1 –0 ≤ y 0 y 1 < p 2 L 27

28 Cryptographic Lotteries Lottery at relay r g r : {0,1} 2L  {0,1} 2L x wins if –g r (x) = y 0 || y 1 –0 ≤ y 0 y 1 < p 2 L g r defined from PRF f r using a Luby-Rackoff- like construction –y 0 = f r (x 1 ) x 0 –y 1 = f r (y 0 ) x 1 –g r (x) = y 0 || y 1 28

29 Cryptographic Lotteries Lottery at relay r g r : {0,1} 2L  {0,1} 2L x wins if –g r (x) = y 0 || y 1 –0 ≤ y 0 y 1 < p 2 L g r defined from PRF f r using a Luby-Rackoff- like construction –y 0 = f r (x 1 ) x 0 –y 1 = f r (y 0 ) x 1 –g r (x) = y 0 || y 1 f r (x) = H(x(H(H(x) x r d ))) –H is a hash function –x r is public; bank gives x r d to r during setup, –d is bank’s private RSA key 29

30 Analysis 30

31 Efficiency LIRABRAIDS Blind signatures/s127.5+127.5f (256B/sig) 637.5 (488 B/sig) f is fraction of credit redeemed. Entire network is transferring 1700 MiB/s. Signature size: 1024 bits. Ticket size: 320 bits. Linux OpenSSL benchmarks on Intel Core2 Duo 2.67 GHz Bank Priority verification6 hashes (18 us) PBS verify (1500 us) Relay Tickets / connection01 Normal Client 31

32 Anonymity With m buyers and n guessers, the probability that a prioritized circuit source is a given buyer is 1 / (m + np 3 ) compared to 1/(m+n) without priority. Linked priority degrades anonymity exponentially to 1/m. 32

33 Performance Web (320 KiB) Bulk (5 MiB)

34 Performance, More Capacity Web (320 KiB) Bulk (5 MiB)

35 Conclusion 1.Volunteer-run Tor network is overloaded. 2.LIRA provides incentives to contribute by rewards with better network performance. 3.LIRA is more efficient than previous schemes while maintaining anonymity. 4.Full-network experiments demonstrate better performance and scalability. 35

36 Buying winning tickets Client chooses y 0, y 1, 0 ≤ y 0 XOR y 1 < p2 L Using using PRF protocol, client reverses Luby-Rackoff process to get g r -1 (y 0 || y 1 ). Client c and bank B evaluate f r (x) 1.C sends a e x r d to B, a random. 2.B returns abx r d, b random. 3.c sends b H(x)x r d to B. 4.B returns H(H(x)x r d ) to c. 5.c outputs f r (x) = H(x H(H(x)x r d )). PRF Protocol 36

37 Winning circuits are prioritized 1.Client sends tickets to each relay in circuit. 2.Relays evaluate tickets. Winners must have unseen PRF inputs. Neighbors sent results. 3.If ticket wins and neighbors report wins, circuit is prioritized for next β bytes. 37

38 Priority Scheduling Proportional Differentiated Services –Split traffic into “paid” and “unpaid” classes –Prioritize classes using quality differentiation parameters p i and quality measure Q (EWMA) p 1 /p 2 = Q 1 (Δt) / Q 2 (Δt) 38

39 Bank secrecy (honest-but-curious) Clients oblivious to x r d. B cannot produce r, input x, or output f r (x). Relay purchases are batched, preventing bank from knowing when prioritized circuits are constructed. c and B evaluate f r (x) 1.c obtains bx r d. 2.c sends b H(x)x r d to B. 3.B sends H(H(x)x r d ) to c. 4.c outputs H(x(H(H(x)x r d ))). PRF Protocol 39

40 Creating winning tickets y 0 = f r (x 1 ) x 0 y 1 = f r (y 0 ) x 1 g r (x) = y 0 || y 1 f r (x) = H(x(H(H(x) x r d )))f r is random in ROM when x r d unknown. y 0 XOR y 1 is random. for y 0 or y 1 unknown One-time-use inputs to f r prevent double spending. Tickets not fully purchased win with probability p. Cryptographic Lottery 0 ≤ y 0 y 1 < p 2 L 40

Download ppt "LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory 20th Annual Network & Distributed."

Similar presentations

Aaron Johnson with Joan Feigenbaum Paul Syverson

Aaron Johnson with Joan Feigenbaum Paul Syverson
A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.

A Probabilistic Analysis of Onion Routing in a Black-box Model 10/29/2007 Workshop on Privacy in the Electronic Society Aaron Johnson (Yale) with Joan.
A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)

A Formal Analysis of Onion Routing 10/26/2007 Aaron Johnson (Yale) with Joan Feigenbaum (Yale) Paul Syverson (NRL)
Onions for Sale: Putting Privacy on the Market Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory Presented by: Alessandro Acquisti.

Onions for Sale: Putting Privacy on the Market Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory Presented by: Alessandro Acquisti.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.

Predicting Tor Path Compromise by Exit Port IEEE WIDA 2009December 16, 2009 Kevin Bauer, Dirk Grunwald, and Douglas Sicker University of Colorado Client.
Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.

Computer Science Dr. Peng NingCSC 774 Advanced Network Security1 Topic 3.2: Micro Payments.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.

Trust-based Anonymous Communication: Models and Routing Algorithms Aaron Johnson Paul Syverson Roger Dingledine Nick Mathewson U.S. Naval Research Laboratory.
Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory

Memory-based DoS and Deanonymization Attacks on Tor DCAPS Seminar October 11 th, 2013 Rob Jansen U.S. Naval Research Laboratory
Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.

Digital Cash Present By Kevin, Hiren, Amit, Kai. What is Digital Cash?  A payment message bearing a digital signature which functions as a medium of.
Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.

Slide 1 Vitaly Shmatikov CS 378 Digital Cash. slide 2 Digital Cash: Properties uDigital “payment message” with properties of cash uUnforgeable Users cannot.
Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.

Payment Systems 1. Electronic Payment Schemes Schemes for electronic payment are multi-party protocols Payment instrument modeled by electronic coin that.
Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.

Onion Routing Security Analysis Aaron Johnson U.S. Naval Research Laboratory DC-Area Anonymity, Privacy, and Security Seminar.
Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.

Anonymity Analysis of Onion Routing in the Universally Composable Framework Joan Feigenbaum Aaron Johnson Paul Syverson Yale University U.S. Naval Research.
1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:

1 Modeling and Analysis of Anonymous-Communication Systems Joan Feigenbaum WITS’08; Princeton NJ; June 18, 2008 Acknowledgement:
1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.

1 Applications of Computers Lecture-3 2 E-Commerce 4 Almost all major companies have their homes on the web, mainly for advertising 4 Companies were.
Responder Anonymity and Anonymous Peer-to-Peer File Sharing. by Vincent Scarlata, Brian Levine and Clay Shields Presentation by Saravanan.

Responder Anonymity and Anonymous Peer-to-Peer File Sharing. by Vincent Scarlata, Brian Levine and Clay Shields Presentation by Saravanan.

Similar presentations

Ads by Google