Do You Believe in Tinker Bell? The Social Externalities of Trust

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9379)


In the play Peter Pan, the fairy Tinker Bell is about to fade away and die because nobody believes in her any more, but is saved by the belief of the audience. This is a very old meme; the gods in Ancient Greece became less or more powerful depending on how many mortals sacrificed to them. On the face of it, this seems a democratic model of trust; it follows social consensus and crumbles when that is lost. However, the world of trust online is different. People trust CAs because they have to; Verisign and Comodo are dominant not because users trust them, but because merchants do. Two-sided market effects are bolstered by the hope that the large CAs are too big to fail. Proposed remedies from governments are little better; they declare themselves to be trusted and appoint favoured contractors as their bishops. Academics have proposed, for example in SPKI/SDSI, that trust should flow from individual users’ decisions; but how can that be aggregated in ways compatible with incentives? The final part of the problem is that current CAs are not just powerful but all-powerful: a compromise can let a hostile actor not just take over your session or impersonate your bank, but ‘upgrade’ the software on your computer. Omnipotent CAs with invisible failure modes are better seen as demons rather than as gods.

Inspired by Tinker Bell, we propose a new approach: a trust service whose power arises directly from the number of users who decide to rely on it. Its power is limited to the provision of a single service, and failures to deliver this service should fairly rapidly become evident. As a proof of concept, we present a privacy-preserving reputation system to enhance quality of service in Tor, or a similar proxy network, with built-in incentives for correct behaviour. Tokens enable a node to interact directly with other nodes and are regulated by a distributed authority. Reputation is directly proportional to the number of tokens a node accumulates. By using blind signatures, we prevent the authority learning which entity has which tokens, so it cannot compromise privacy. Tokens lose value exponentially over time; this negative interest rate discourages hoarding. We demotivate costly system operations using taxes. We propose this reputation system not just as a concrete mechanism for systems requiring robust and privacy-preserving reputation metrics, but also as a thought experiment in how to fix the security economics of emergent trust.
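The token mechanism described above, sketched as an added example that is not code from the paper: a node obtains a blind-signed token, and reputation is the sum of its tokens' exponentially decayed values. The textbook RSA blind signature, the per-epoch signing keys used to date a token the authority never sees, the four-epoch half-life and all function names are assumptions made for this illustration; the keys are constructed toy values and taxes are not modelled.

```python
import hashlib, math, secrets

E = 65537
HALF_LIFE = 4  # epochs until a token is worth half; assumed, the page gives no rate

def keygen(p, q):
    """Toy RSA key from two primes: returns (n, d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

# Constructed toy keys from Mersenne primes, one per issue epoch. NOT secure.
M = {k: 2**k - 1 for k in (521, 607, 1279)}
AUTHORITY = {0: keygen(M[521], M[607]), 4: keygen(M[607], M[1279])}
PUBLIC = {epoch: n for epoch, (n, _) in AUTHORITY.items()}

def digest(serial, n):
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

def blind(serial, n):
    """Node side: hide the token hash behind a random factor r^E."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return digest(serial, n) * pow(r, E, n) % n, r

def sign_blinded(blinded, epoch):
    """Authority side: signs what it is given and never sees the serial."""
    n, d = AUTHORITY[epoch]
    return pow(blinded, d, n)

def unblind(blind_sig, r, n):
    return blind_sig * pow(r, -1, n) % n

def issue(epoch):
    """Full exchange; returns the token and the value the authority saw."""
    n, serial = PUBLIC[epoch], secrets.token_bytes(16)
    blinded, r = blind(serial, n)
    sig = unblind(sign_blinded(blinded, epoch), r, n)
    return (serial, sig, epoch), blinded

def valid(token):
    serial, sig, epoch = token
    n = PUBLIC.get(epoch)
    return n is not None and pow(sig, E, n) == digest(serial, n)

def reputation(tokens, now):
    """Sum of decayed values of distinct valid tokens issued up to `now`."""
    unique = {t[0]: t for t in tokens if valid(t) and t[2] <= now}
    return sum(0.5 ** ((now - t[2]) / HALF_LIFE) for t in unique.values())
```

Because the issue epoch is carried by which key verifies the signature, relabelling an old token with a newer epoch fails verification, so a holder cannot undo the decay.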


Trust Reputation Metrics Unlinkability Anonymity 



The first author thanks colleagues Laurent Simon and Stephan Kollmann for discussions regarding anonymity networks.



Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. Computer Laboratory, University of Cambridge, Cambridge, UK
