[tor-talk] torslap!
Mike Perry
mikeperry at torproject.org
Sat May 4 03:26:21 UTC 2013
Thus spake Tom Ritter (tom at ritter.vg):
> I used to be a big proponent of proof-of-work schemes, but I've scaled
> back my preference significantly. There's two problems with them:
>
> 1) An attacker can use economies of scale to get better results than
> an ordinary user. If a user takes 5 minutes, an attacker can use GPUs
> or ASICs to take 20 seconds.
What about Memory Based Puzzles?
https://research.microsoft.com/pubs/54395/memory-longer-acm.pdf is one
example. A Google search for Memory Based Puzzles will turn up a ton
more.
> 2) Attackers almost never, or would never, pay or use their own
> computers to compute proof of work schemes - they use victims of a
> botnet. In which case the only person hampered by a proof of work
> scheme are the legitimate users.[0]
Are such attackers likely to also use Tor?
> Mike Hearn has given a good amount of thought to deposit-based
> systems. Pay a server $5 or 5 bitcoins, and if you're a legitimate
> user (not dormant) for X months you can get the money back. (Or you
> never get the money back, and the payment is smaller). In this
> scenario, the cost of an account cannot be reduced via scaling; and
> while you can use a botnet to mine bitcoins, now that GPU/ASIC/FPGA
> bitcoin mining is the norm CPU-based botnets will be more expensive
> than the income they generate.
This sounds decent, too.
> [0] There's definitely some parallels to DRM there...
> [1] I reserve the right, as always, to change it if swayed by a good argument ;)
For the record, I'm not trying to change your mind wrt memory puzzles.

I think Tor should deploy multiple Mozilla Persona[1] servers that issue
Persona identities, each with their own criteria.

By leveraging Persona, we would provide sites with an out-of-the-box
ability to choose the rate limiting system they want to accept. For
example, a provider might decide that bitcoin.persona.torproject.org
provides sufficiently expensive "identities" to block abuse, but
discover that multi-captcha.persona.torproject.org and
busywork.persona.torproject.org do not.

We could also create a blinding step to unlink your bitcoin address from
the Persona identity we give you, but then we probably need to introduce
a delay to ensure sufficient mixing. But such a delay will probably only
serve to allow us to more effectively rate limit abuse.

1. https://developer.mozilla.org/en-US/docs/Persona
--
Mike Perry