LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight...
Transcript of LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight...
![Page 1: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/1.jpg)
LIRA: Lightweight Incentivized Routing for Anonymity
Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research Laboratory
20th Annual Network & Distributed System Security Symposium
February 27, 2013
![Page 2: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/2.jpg)
Problem
2
![Page 3: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/3.jpg)
Onion Routing
User Destination
Onion Routers
encrypted
unencrypted
3
![Page 4: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/4.jpg)
Onion Routing
User Destination
Onion Routers
encrypted
unencrypted
4
![Page 5: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/5.jpg)
Onion Routing
User Destination
Onion Routers
encrypted
unencrypted
5
![Page 6: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/6.jpg)
Onion Routing
User Destination
Onion Routers
encrypted
unencrypted
torproject.org 6
![Page 7: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/7.jpg)
Onion Routing
User Destination
Onion Routers
encrypted
unencrypted
torproject.org 7
![Page 8: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/8.jpg)
Tor is Slow Web (320 KiB) Bulk (5 MiB)
8
![Page 9: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/9.jpg)
Tor Utilization
~3000 relays
9
![Page 10: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/10.jpg)
~3000 relays
Tor Utilization ~500,000 users/day
10
![Page 11: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/11.jpg)
Tor Utilization Total relay bandwidth
The Tor Project − https://metrics.torproject.org/
Band
wid
th (M
iB/s
)
0
500
1000
1500
2000
2500
3000
3500
Dec−2012 Jan−2013 Feb−2013
Advertised bandwidthBandwidth history
11
![Page 12: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/12.jpg)
Tor’s Top 20 Exit Relays Exit Probability Advertised Bandwidth Nickname Country
7.25% 0.87% chaoscomputerclub18 DE
6.35% 0.93% chaoscomputerclub20 DE
5.92% 1.48% herngaard US
3.60% 0.66% chomsky NL
3.35% 1.17% dorrisdeebrown DE
3.32% 1.18% bolobolo1 DE
3.26% 0.65% rainbowwarrior NL
2.32% 0.36% sdnettor01 SE
2.23% 0.69% TheSignul RO
2.22% 0.41% raskin DE
2.05% 0.40% bouazizi DE
1.93% 0.65% assk SE
1.82% 0.39% kramse DK
1.67% 0.35% BostonUCompSci US
1.53% 0.40% bach DE
1.31% 0.73% DFRI0 SE
1.26% 0.31% Amunet2 US
1.13% 0.27% Amunet8 US
0.84% 0.27% chaoscomputerclub28 DE
0.76% 0.37% DFRI3 SE
Total: 54.14% compass.torproject.org 12
![Page 13: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/13.jpg)
Bytes Flows
2008*
2010**
*McCoy et al. PETS 2008, **Chaabane et al. NSS 2010
40%
58%
3%
92%
52% 36%
11%
69%
13
![Page 14: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/14.jpg)
Our Solution
14
![Page 15: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/15.jpg)
• LIRA Relays’ own traffic gets better performance
Incentive Scheme
15
![Page 16: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/16.jpg)
• LIRA • Gold star • Tortoise • BRAIDS • Freedom • PAR • XPay
Relays’ own traffic gets better performance
Charge users, pay relays
Incentive Schemes
16
![Page 17: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/17.jpg)
Incentive Schemes External payment
Non-relays pay
Efficiency concerns
Anonymity concerns
Freedom
PAR
XPay
Gold star
Tortoise
BRAIDS
17
![Page 18: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/18.jpg)
Anonymous Incentives prioritized
normal
Problem: Priority identifies user as a relay
![Page 19: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/19.jpg)
Anonymous Incentives prioritized
normal
Problem: Priority identifies user as a relay Solutions
1. Give some priority “tickets” to all users (BRAIDS).
![Page 20: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/20.jpg)
Anonymous Incentives prioritized
normal
Problem: Priority identifies user as a relay Solutions
1. Give some priority “tickets” to all users (BRAIDS). 2. Cryptographic lottery gives priority; winning tickets
can be (secretly) bought (LIRA).
![Page 21: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/21.jpg)
LIRA Design
Bank
![Page 22: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/22.jpg)
Bank gives anonymous coins to relays based on amount of traffic forwarded
LIRA Design
![Page 23: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/23.jpg)
Bank sets up lottery with each relay
LIRA Design
![Page 24: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/24.jpg)
Buy “winners” with coins
LIRA Design
![Page 25: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/25.jpg)
Clients guess winners
LIRA Design
![Page 26: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/26.jpg)
Priority scheduling
LIRA Design
![Page 27: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/27.jpg)
Cryptographic Lotteries • Lottery at relay r
gr: {0,1}2L {0,1}2L
x wins if – gr(x) = y0 || y1 – 0 ≤ y0 y1 < p 2L
27
![Page 28: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/28.jpg)
Cryptographic Lotteries • Lottery at relay r
gr: {0,1}2L {0,1}2L
x wins if – gr(x) = y0 || y1 – 0 ≤ y0 y1 < p 2L
• gr defined from PRF fr using a Luby-Rackoff-like construction – y0 = fr(x1) x0 – y1 = fr(y0) x1 – gr(x) = y0 || y1
28
![Page 29: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/29.jpg)
Cryptographic Lotteries • Lottery at relay r
gr: {0,1}2L {0,1}2L
x wins if – gr(x) = y0 || y1 – 0 ≤ y0 y1 < p 2L
• gr defined from PRF fr using a Luby-Rackoff-like construction – y0 = fr(x1) x0 – y1 = fr(y0) x1 – gr(x) = y0 || y1
• fr(x) = H(x(H(H(x) xrd)))
– H is a hash function – xr is public; bank gives xr
d to r during setup, – d is bank’s private RSA key
29
![Page 30: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/30.jpg)
Analysis
30
![Page 31: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/31.jpg)
Efficiency
LIRA BRAIDS Blind signatures/s 127.5+127.5f
(256B/sig) 637.5 (488 B/sig)
f is fraction of credit redeemed. Entire network is transferring 1700 MiB/s. Signature size: 1024 bits. Ticket size: 320 bits. Linux OpenSSL benchmarks on Intel Core2 Duo 2.67 GHz
Bank
Priority verification 6 hashes (18 us)
PBS verify (1500 us) Relay
Tickets / connection 0 1 Normal Client
31
![Page 32: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/32.jpg)
Anonymity
• With m buyers and n guessers, the probability that a prioritized circuit source is a given buyer is 1 / (m + np3) compared to 1/(m+n) without priority.
• Linked priority degrades anonymity exponentially to 1/m.
32
![Page 33: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/33.jpg)
Performance
Web (320 KiB) Bulk (5 MiB)
![Page 34: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/34.jpg)
Performance, More Capacity
Web (320 KiB) Bulk (5 MiB)
![Page 35: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/35.jpg)
Conclusion
1. Volunteer-run Tor network is overloaded. 2. LIRA provides incentives to contribute by
rewards with better network performance. 3. LIRA is more efficient than previous
schemes while maintaining anonymity. 4. Full-network experiments demonstrate
better performance and scalability.
35
![Page 36: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/36.jpg)
Buying winning tickets • Client chooses y0, y1, 0 ≤ y0 XOR y1 < p2L • Using using PRF protocol, client reverses
Luby-Rackoff process to get gr-1(y0 || y1).
Client c and bank B evaluate fr(x) 1. C sends aexr
d to B, a random. 2. B returns abxr
d, b random. 3. c sends b H(x)xr
d to B. 4. B returns H(H(x)xr
d) to c. 5. c outputs fr(x) = H(x H(H(x)xr
d)).
PRF Protocol 36
![Page 37: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/37.jpg)
Winning circuits are prioritized
1. Client sends tickets to each relay in circuit. 2. Relays evaluate tickets. Winners must have
unseen PRF inputs. Neighbors sent results. 3. If ticket wins and neighbors report wins,
circuit is prioritized for next β bytes. 37
![Page 38: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/38.jpg)
Priority Scheduling
• Proportional Differentiated Services – Split traffic into “paid” and “unpaid” classes – Prioritize classes using quality differentiation
parameters pi and quality measure Q (EWMA)
p1/p2 = Q1(Δt) / Q2(Δt)
38
![Page 39: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/39.jpg)
Bank secrecy (honest-but-curious)
• Clients oblivious to xrd.
• B cannot produce r, input x, or output fr(x).
• Relay purchases are batched, preventing bank from knowing when prioritized circuits are constructed.
c and B evaluate fr(x) 1. c obtains bxr
d. 2. c sends b H(x)xr
d to B. 3. B sends H(H(x)xr
d) to c. 4. c outputs H(x(H(H(x)xr
d))).
PRF Protocol
39
![Page 40: LIRA: Lightweight Incentivized Routing for Anonymity · 2019-01-22 · LIRA: Lightweight Incentivized Routing for Anonymity Rob Jansen Aaron Johnson Paul Syverson U.S. Naval Research](https://reader030.fdocuments.in/reader030/viewer/2022041111/5f1069357e708231d448f9f4/html5/thumbnails/40.jpg)
Creating winning tickets
y0 = fr(x1) x0 y1 = fr(y0) x1 gr(x) = y0 || y1
fr(x) = H(x(H(H(x) xrd))) • fr is random in ROM
when xrd unknown.
• y0 XOR y1 is random. for y0 or y1 unknown
• One-time-use inputs to fr prevent double spending.
• Tickets not fully purchased win with probability p.
Cryptographic Lottery
0 ≤ y0 y1 < p 2L
40