Paying the Guard: An Entry-Guard-Based Payment System for Tor
When choosing the three relays that compose a circuit, Tor selects the first hop among a restricted number of relays called entry guards, pre-selected by the user himself. The reduced number of entry guards, that until recently was fixed to three, helps in mitigating the effects of several traffic analysis attacks. However, recent literature indicates that the number should be further reduced, and the time during which the user keeps the relays as guards increased. Therefore, developers of Tor recently proposed selecting only one entry guard, which is to be used by the user for all circuits and for a prolonged period of time (nine months). While this design choice was made to increase the security of the protocol, it also opens an unprecedented opportunity for a market mechanism where relays get paid for traffic by the users.
In this paper, we propose to use the entry guard as the point-of-sale: users subscribe to their entry guard of choice, and deposit an amount that will be used for paying for the circuits. From the entry guard, income is then distributed to the other relays included in circuits through an inter-relay accounting system. While the user may pay the entry guard using BitCoins, or any other anonymous payment system, the relays exchange I Owe You (IOU) certificates during communication, and settle their balances only at synchronized, later points in time. This novel deferred payment approach overcomes the weaknesses of the previously proposed Tor payment mechanisms: we separate the user’s payment from the inter-relay payments, and we effectively unlink both from the chosen path, thus preserving the secrecy of the circuit.
KeywordsTor Anonymous payments Economy of privacy enhancing technologies
- 2.Arnold, C., Jansen, R., Lin, Z., Parker, J.: On par for attack. Technical report, May 2009Google Scholar
- 3.Biryukov, A., Pustogarov, I., Weinmann, R.: Trawling for tor hidden services: Detection, measurement, deanonymization. In: 2013 IEEE Symposium on Security and Privacy, SP 2013. pp. 80–94. IEEE Computer Society (2013)Google Scholar
- 4.Borisov, N., Danezis, G., Mittal, P., Tabriz, P.: Denial of service or denial of security? In: Proceedings of the 2007 ACM Conference on Computer and Communications Security, CCS 2007. pp. 92–102. ACM (2007)Google Scholar
- 8.Dingledine, R., Kadianakis, N.H.A.G., Mathewson, N.: One fast guard for life (or 9 months). In: 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014) (2014)Google Scholar
- 9.Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The second-generation onion router. In: USENIX Security Symposium, pp. 303–320. USENIX (2004)Google Scholar
- 10.Elahi, T., Bauer, K.S., AlSabah, M., Dingledine, R., Goldberg, I.: Changing of the guards: a framework for understanding and improving entry guard selection in Tor. In: Yu, T., Borisov, N. (eds.) Proceedings of the 11th annual ACM Workshop on Privacy in the Electronic Society, WPES 2012, pp. 43–54. ACM (2012)Google Scholar
- 14.Humbert, M., Manshaei, H., Hubaux, J.P.: One-to-n scrip systems for cooperative privacy-enhancing technologies. In: 2011 49th Annual Allerton Conference on Communication, Control, and Computing (Allerton), pp. 682–692 (2011)Google Scholar
- 16.Johnson, A., Wacek, C., Jansen, R., Sherr, M., Syverson, P.F.: Users get routed: traffic correlation on tor by realistic adversaries. In: Sadeghi, A., Gligor, V.D., Yung, M. (eds.) 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS 2013, pp. 337–348. ACM, New York (2013)CrossRefGoogle Scholar
- 17.Nielson, S.J., Wallach, D.S.: The bittorrent anonymity marketplace. CoRR abs/1108.2718
- 18.Palmieri, P., Pouwelse, J.: Key management for onion routing in a true peer to peer setting. In: Yoshida, M., Mouri, K. (eds.) IWSEC 2014. LNCS, vol. 8639, pp. 62–71. Springer, Heidelberg (2014) Google Scholar
- 19.Wendolsky, R.: A volume-based accounting system for fixed-route mix cascade systems. In: Second Privacy Enhancing Technologies Convention (PET-CON). pp. 26–33 (2008)Google Scholar