PAR: Payment for Anonymous Routing

1
PAR Payment for Anonymous Routing
Mariana Raykova Columbia University
2
Talk Outline

• Anonymizing Services - what is Tor?
• Why do we need payment in Tor?
• Other payment systems
• PAR payment system overview
• Some technical details
• Privacy preserved?

3
What is Network Anonymity?
4
Sender-Receiver Unlinkability
5
Sender Anonymity w.r.t. Recover
6
Anonymizing Networks

• Untraceable electronic mail (Chaum 1981)
• Crowds (Reiter et al., 1998)
• Universal Re-encryption for Mixnets (Golle et
  al., 2004)
• Tor (Dingledine et al., 2004)
• Implemented and available (www.torproject.org)
• Widely used - clients from 126 countries (McCoy
  et al., 2008)

7
Tor Anonymity Network
8
Tor Anonymity Network
9
Tor Anonymity Network
10
Tor Anonymity Network
11
Privacy in Tor

• Relay nodes (onion routers) - traffic indirection
  points
• Forwarding path incrementally established -
  Diffie-Hellman key exchange procedure between
  each two consecutive nodes
• Layered encryption of message - each node knows
  only its predecessor and successor, no node knows
  both sender and receiver
• Privacy still a concern

12
DoS Attack against Tor
13
DoS Attack against Tor
14
Sybil Attack
15
Sybil Attack
16
Why Payment in Tor?

• Anonymity depends on the number of relays
• More possible paths
• Malicious party need to control more routers
• About 1500 routers (McCoy et al., 2008)
• Payment - incentive for participation
• Injecting traffic cost
• PAR (Payment for Anonymous Routing) - payment
  functionality on top of TOR

17
PAR Requirements

• TOR - anonymity against local adversary
• Sender-Receiver unlinkability
• Sender anonymity w.r.t. Receiver
• No additional attacks (solving existing attacks
  NOT a goal)

• Payment System
• Fairness
• Accountability
• Unforgeability
• Efficiency

18
Our Approach
19
Our Approach
20
Our Approach
21
Our Approach
22
Our Approach
23
Our Approach
24
Our Approach
25
Payment Schemes

• Identity-bound Payment Schemes - micropayments
  (Micali et al., 2002)
• Anonymous Payment Schemes - untraceable
  electronic cash (Chaum et al., 1988), efficient
  blind signatures (Okamoto 2006)
• PAR - hybrid payment schemes

26
Micropayments

• Payments - signed endorsements from payer to
  payee
• Accountability
• Efficient deposit - only a fraction of the coins
  are depositable at a higher rate
• If the sender pays the forwarding nodes, his
  identity is revealed
• Solution payments between consecutive nodes
  (Tl ? Tl-1)
• Identity of the sender is revealed to the Bank

27
Blind Signatures

• Digital cash idea
• Payment generated by the Bank
• User withdraws coins from the Bank and pays with
  them
• Blind Signatures - coins are Banks signatures
• light-weight cryptography (digital cash much more
  inefficient)
• signer does not have to know the input
• Accountability requires immediate deposit ?
  deposit timing attacks to expose anonymity

28
PAR

• Use both Anonymous and Signed coins
• A-coins - anonymous coins, blind signatures of
  the Bank
• used by the sender to pay the first node in the
  forwarding path
• S-coins - signed coins
• used by each node in the forwarding path to pay
  the next one
• Each node is paid one coin
• Each node generates payment for its successor
• receives n coins
• pays n-1 coins to its successor.

29
Coin Receipts

• Each coin has a corresponding receipt.
• A coin can be deposited only with its
  corresponding receipt.
• A node gets its receipts from its successor (last
  node in the path can be pre-paid).
• Incentives for the nodes to forward the message.

30
Payment Protocol
31
Payment Protocol
32
Payment Protocol
33
Payment Protocol
34
Payment Protocol
35
Receipts Role
36
Message Detail
37
Meeting PAR Requirements

• Anonymity
• Trade off between deposit period and information
  leaked from the deposits at the Bank
• About O(n2) connections per deposit period with n
  relays
• Underlying TOR

• Payment System
• Each node is paid equally
• All coins are protected with signatures
• Double-spending detected
• S-coins - signed by payer
• A-coins - sent in a message together with hash
  signed by the payer

38
Conclusion

• Payment system to be used in TOR
• Preserves anonymity with appropriate deposit rate
• Fairness, Accountability, Unforgeability
• Efficiency
• uses the underlying message exchanges of TOR
• coin generation - single signature
• efficient deposit rate for S-coins
• Incentive for Participation in TOR
• Provides better anonymity
• Makes harder attacks launched by malicious
  parties controlling relays
• Facilitates detection of malicious behavior

39
Thank you!

• PAR Payment for Anonymous Routing,
• Elli Androulaki, Mariana Raykova, Shreyas
  Srivatsan, Angelos Stavrou, Steven Bellovin,
• In Proceedings of the Eight Workshop on Privacy
  Enhancing Technologies (PET 2008), Leuven,
  Belgium, Springer (2008)

40
Questions?
mariana_at_cs.columbia.edu