Seeking Anonymity in an Internet Panopticon

Obtaining and maintaining anonymity on the Internet is challenging. The state of the art in deployed tools, such as Tor, uses onion routing (OR) to relay encrypted connections on a detour passing through randomly chosen relays scattered around the Internet. Unfortunately, OR is known to be vulnerable at least in principle to several classes of attacks for which no solution is known or believed to be forthcoming soon. Current approaches to anonymity also appear unable to offer accurate, principled measurement of the level or quality of anonymity a user might obtain. Toward this end, we offer a high-level view of the Dissent project, the first systematic effort to build a practical anonymity system based purely on foundations that offer measurable and formally provable anonymity properties. Dissent builds on two key pre-existing primitives - verifiable shuffles and dining cryptographers - but for the first time shows how to scale such techniques to offer measurable anonymity guarantees to thousands of participants. Further, Dissent represents the first anonymity system designed from the ground up to incorporate some systematic countermeasure for each of the major classes of known vulnerabilities in existing approaches, including global traffic analysis, active attacks, and intersection attacks. Finally, because no anonymity protocol alone can address risks such as software exploits or accidental self-identification, we introduce WiNon, an experimental operating system architecture to harden the uses of anonymity tools such as Tor and Dissent against such attacks.Comment: 8 pages, 10 figure

Reuse It Or Lose It: More Efficient Secure Computation Through Reuse of Encrypted Values

Two-party secure function evaluation (SFE) has become significantly more feasible, even on resource-constrained devices, because of advances in server-aided computation systems. However, there are still bottlenecks, particularly in the input validation stage of a computation. Moreover, SFE research has not yet devoted sufficient attention to the important problem of retaining state after a computation has been performed so that expensive processing does not have to be repeated if a similar computation is done again. This paper presents PartialGC, an SFE system that allows the reuse of encrypted values generated during a garbled-circuit computation. We show that using PartialGC can reduce computation time by as much as 96% and bandwidth by as much as 98% in comparison with previous outsourcing schemes for secure computation. We demonstrate the feasibility of our approach with two sets of experiments, one in which the garbled circuit is evaluated on a mobile device and one in which it is evaluated on a server. We also use PartialGC to build a privacy-preserving "friend finder" application for Android. The reuse of previous inputs to allow stateful evaluation represents a new way of looking at SFE and further reduces computational barriers.Comment: 20 pages, shorter conference version published in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Pages 582-596, ACM New York, NY, US

Representing Network Trust and Using It to Improve Anonymous Communication

Motivated by the effectiveness of correlation attacks against Tor, the censorship arms race, and observations of malicious relays in Tor, we propose that Tor users capture their trust in network elements using probability distributions over the sets of elements observed by network adversaries. We present a modular system that allows users to efficiently and conveniently create such distributions and use them to improve their security. The major components of this system are (i) an ontology of network-element types that represents the main threats to and vulnerabilities of anonymous communication over Tor, (ii) a formal language that allows users to naturally express trust beliefs about network elements, and (iii) a conversion procedure that takes the ontology, public information about the network, and user beliefs written in the trust language and produce a Bayesian Belief Network that represents the probability distribution in a way that is concise and easily sampleable. We also present preliminary experimental results that show the distribution produced by our system can improve security when employed by users; further improvement is seen when the system is employed by both users and services.Comment: 24 pages; talk to be presented at HotPETs 201

Flexibility as an Instrument in Digital Rights Management

We consider the optimal design of flexible use in a digital-rights-management policy. The basic model considers a single distributor of digital goods and a continuum of consumers. Each consumer can acquire the digital good either as a licensed product or an unlicensed copy. The availability of (or access to) unlicensed copies is increasing both in the number of licensed copies and in the flexibility accorded to licensed copies. We thus analyze the optimal design of flexibility in the presence of unlicensed distribution channels (the "greynet"). We augment the basic model by introducing a “secure platform” that is required to use the digital good. We compare the optimal design of flexibility in the presence of a platform to the one without a platform. Finally, we analyze the equilibrium provision when platform and content are complimentary goods but are distributed and priced by different sellers.Digital Rights Management, Platform, Flexibility, Piracy

Pricing under the Threat of Piracy: Flexibility and Platforms for Digital Goods

We consider the optimal design of flexible use in a digital-rights-management policy for a digital good subject to piracy. Consumers can acquire the digital good either as a licensed product or as an unlicensed copy. The ease of access to unlicensed copies is increasing in the flexibility accorded to licensed copies. The content provider has to trade off consumers' valuation of a licensed copy against the sales lost to piracy. We enrich the basic model by introducing a "secure platform" that is required to use the digital good. We show that the platform allows for the socially optimal provision of flexibility for the digital good but only if both are sold by an integrated firm.Digital goods, Digital rights management, Platform, Flexibility, Piracy