-
Reasoning Around Paradox with Grounded Deduction
Authors:
Bryan Ford
Abstract:
How can we reason around logical paradoxes without falling into them? This paper introduces grounded deduction or GD, a Kripke-inspired approach to first-order logic and arithmetic that is neither classical nor intuitionistic, but nevertheless appears both pragmatically usable and intuitively justifiable. GD permits the direct expression of unrestricted recursive definitions -- including paradoxical ones such as 'L := not L' -- while adding dynamic typing premises to certain inference rules so that such paradoxes do not lead to inconsistency. This paper constitutes a preliminary development and investigation of grounded deduction, to be extended with further elaboration and deeper analysis of its intriguing properties.
Submitted 3 April, 2025; v1 submitted 12 September, 2024;
originally announced September 2024.
-
E-Vote Your Conscience: Perceptions of Coercion and Vote Buying, and the Usability of Fake Credentials in Online Voting
Authors:
Louis-Henri Merino,
Alaleh Azhir,
Haoqian Zhang,
Simone Colombo,
Bernhard Tellenbach,
Vero Estrada-Galiñanes,
Bryan Ford
Abstract:
Online voting is attractive for convenience and accessibility, but is more susceptible to voter coercion and vote buying than in-person voting. One mitigation is to give voters fake voting credentials that they can yield to a coercer. Fake credentials appear identical to real ones, but cast votes that are silently omitted from the final tally. An important unanswered question is how ordinary voters perceive such a mitigation: whether they could understand and use fake credentials, and whether the coercion risks justify the costs of mitigation. We present the first systematic study of these questions, involving 150 diverse individuals in Boston, Massachusetts. All participants "registered" and "voted" in a mock election: 120 were exposed to coercion resistance via fake credentials, the rest forming a control group. Of the 120 participants exposed to fake credentials, 96% understood their use. 53% reported that they would create fake credentials in a real-world voting scenario, given the opportunity. 10% mistakenly voted with a fake credential, however. 22% reported either personal experience with or direct knowledge of coercion or vote-buying incidents. These latter participants rated the coercion-resistant system essentially as trustworthy as in-person voting via hand-marked paper ballots. Of the 150 total participants to use the system, 87% successfully created their credentials without assistance; 83% both successfully created and properly used their credentials. Participants give a System Usability Scale score of 70.4, which is slightly above the industry's average score of 68. Our findings appear to support the importance of the coercion problem in general, and the promise of fake credentials as a possible mitigation, but user error rates remain an important usability challenge for future work.
Submitted 18 April, 2024;
originally announced April 2024.
-
Breaking Blockchain Rationality with Out-of-Band Collusion
Authors:
Haoqian Zhang,
Mahsa Bastankhah,
Louis-Henri Merino,
Vero Estrada-Galiñanes,
Bryan Ford
Abstract:
Blockchain systems often rely on rationality assumptions for their security, expecting that nodes are motivated to maximize their profits. These systems thus design their protocols to incentivize nodes to execute the honest protocol but fail to consider out-of-band collusion. Existing works analyzing rationality assumptions are limited in their scope, either by focusing on a specific protocol or relying on non-existing financial instruments. We propose a general rational attack on rationality by leveraging an external channel that incentivizes nodes to collude against the honest protocol. Our approach involves an attacker creating an out-of-band bribery smart contract to motivate nodes to double-spend their transactions in exchange for shares in the attacker's profits. We provide a game theory model to prove that any rational node is incentivized to follow the malicious protocol. We discuss our approach to attacking the Bitcoin and Ethereum blockchains, demonstrating that irrational behavior can be rational in real-world blockchain systems when analyzing rationality in a larger ecosystem. We conclude that rational assumptions only appear to make the system more secure and offer a false sense of security under the flawed analysis.
Submitted 30 April, 2023;
originally announced May 2023.
-
Matchertext: Towards Verbatim Interlanguage Embedding
Authors:
Bryan Ford
Abstract:
Embedding text in one language within text of another is commonplace for numerous purposes, but usually requires tedious and error-prone "escaping" transformations on the embedded string. We propose a simple cross-language syntactic discipline, matchertext, which enables the safe embedding of a string in any compliant language into a string in any other language via simple "copy-and-paste" - in particular with no escaping, obfuscation, or expansion of embedded strings. We apply this syntactic discipline to several common and frequently-embedded language syntaxes such as URIs, HTML, and JavaScript, exploring the benefits, costs, and compatibility issues in adopting the proposed matchertext discipline. One early matchertext-based language is MinML, a concise but general alternative syntax for writing HTML or XML.
Submitted 28 December, 2022;
originally announced December 2022.
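The core of the matchertext discipline is that an embedded string must keep its matcher characters ( ) [ ] { } balanced and properly nested, so a host language can delimit the embedding with one matcher pair and find its end by bracket counting, with no escaping of quotes, ampersands or anything else inside. The following is an added example written for this page, not code from the matchertext paper or the MinML project: the checker implements the balance rule, and the host construct `m[...]` used for embedding is a hypothetical stand-in for whatever syntax a real host language would adopt.

```python
# Added example: matchertext balance check plus a hypothetical host
# construct "m[...]" for verbatim embedding. Not the paper's own code.

MATCHERS = {"(": ")", "[": "]", "{": "}"}
CLOSERS = {close: open_ for open_, close in MATCHERS.items()}


def is_matchertext(s):
    """True iff every matcher in s is balanced and properly nested.

    Quotes, backslashes, '&', '<' etc. are ordinary characters here:
    only the three matcher pairs matter for the discipline.
    """
    stack = []
    for ch in s:
        if ch in MATCHERS:
            stack.append(ch)
        elif ch in CLOSERS:
            if not stack or stack[-1] != CLOSERS[ch]:
                return False          # stray or mismatched closer
            stack.pop()
    return not stack                  # unclosed opener => not matchertext


def embed(host_prefix, inner):
    """Embed `inner` verbatim as host_prefix[inner] (hypothetical host syntax).

    Refuses strings that break the discipline, because the host could
    not find the end of the embedding by bracket counting.
    """
    if not is_matchertext(inner):
        raise ValueError("embedded string violates the matchertext discipline")
    return f"{host_prefix}[{inner}]"


def extract(text, start):
    """Given text[start] == '[', return (inner, index just past the matching ']').

    This is all a host parser needs: it never interprets the content.
    """
    if text[start] != "[":
        raise ValueError("extract() must start at an opening '['")
    depth = 0
    for i in range(start, len(text)):
        ch = text[i]
        if ch in MATCHERS:
            depth += 1
        elif ch in CLOSERS:
            depth -= 1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unterminated embedding")


def round_trip(inner):
    """Embed `inner` two levels deep (JS inside HTML inside a URI, say)
    and recover it verbatim by peeling the two hypothetical m[...] layers."""
    outer = embed("m", embed("m", inner))
    level1, end = extract(outer, 1)          # strip the outer m[...]
    if end != len(outer):
        raise ValueError("trailing junk after embedding")
    level2, _ = extract(level1, 1)           # strip the inner m[...]
    return level2


if __name__ == "__main__":
    # Constructed sample: a JavaScript call containing HTML and a quoted URI.
    js = 'alert("<a href=\\"https://example.com/?a=1&b=2\\">x</a>")'
    print(is_matchertext(js))                # True: quotes and '&' need no escaping
    print(round_trip(js) == js)              # True: recovered byte-for-byte
    print(is_matchertext("f(x]"))            # False: mismatched matchers
```

Note what the check does not do: a string such as `if (x) {` is rejected even though it is perfectly good JavaScript, which is exactly the cost the abstract refers to, since a source language must avoid unbalanced matchers (for instance inside string literals) before its text can be copy-pasted into another language.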
-
F3B: A Low-Overhead Blockchain Architecture with Per-Transaction Front-Running Protection
Authors:
Haoqian Zhang,
Louis-Henri Merino,
Ziyan Qu,
Mahsa Bastankhah,
Vero Estrada-Galinanes,
Bryan Ford
Abstract:
Front-running attacks, which benefit from advanced knowledge of pending transactions, have proliferated in the blockchain space since the emergence of decentralized finance. Front-running causes devastating losses to honest participants and continues to endanger the fairness of the ecosystem. We present Flash Freezing Flash Boys (F3B), a blockchain architecture that addresses front-running attacks by using threshold cryptography. In F3B, a user generates a symmetric key to encrypt their transaction, and once the underlying consensus layer has finalized the transaction, a decentralized secret-management committee reveals this key. F3B mitigates front-running attacks because, before the consensus group finalizes it, an adversary can no longer read the content of a transaction, thus preventing the adversary from benefiting from advanced knowledge of pending transactions. Unlike other mitigation systems, F3B properly ensures that all unfinalized transactions, even with significant delays, remain private by adopting per-transaction protection. Furthermore, F3B addresses front-running at the execution layer; thus, our solution is agnostic to the underlying consensus algorithm and compatible with existing smart contracts. We evaluated F3B on Ethereum with a modified execution layer and found only a negligible (0.026%) increase in transaction latency, specifically due to running threshold decryption with a 128-member secret-management committee after a transaction is finalized; this indicates that F3B is both practical and low-cost.
Submitted 5 September, 2023; v1 submitted 17 May, 2022;
originally announced May 2022.
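The abstract's commit-then-reveal flow (per-transaction symmetric key, key held by a committee, key released only after finalization) is easy to misread as "encrypt to the committee's public key and hope". The point of per-transaction protection is that no single party, and no coalition below the threshold, can read a pending transaction, and that the release is gated on finalization. The following is an added example written for this page, not F3B's code: it stands in a plain Shamir secret-sharing deposit for the paper's threshold encryption and a SHA-256 counter keystream for a real cipher, and the `Committee` class, the 5-of-8 parameters, and the transaction identifiers are assumptions made for illustration.

```python
# Added example: F3B-style per-transaction key release, simplified.
# Shamir sharing over a prime field replaces the paper's threshold
# encryption; the keystream below is illustrative, not an AEAD.
import hashlib
import secrets

P = 2**255 - 19   # a convenient 255-bit prime for the share field (assumption)


def keystream_xor(key, data):
    """XOR `data` with SHA-256(key || block counter); encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def split_secret(secret, n, t):
    """Shamir: n shares of `secret`, any t of which reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of the polynomial at x
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the shares given."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def user_prepare(plaintext, n, t):
    """User side: fresh key per transaction, ciphertext for the chain,
    shares for the committee. The key itself never goes on-chain."""
    key = secrets.randbelow(P)              # < P, so it fits a 32-byte encoding
    ciphertext = keystream_xor(key.to_bytes(32, "big"), plaintext)
    return ciphertext, split_secret(key, n, t)


class Committee:
    """Secret-management committee: holds shares, releases a key only for
    finalized transactions and only when at least t members cooperate."""

    def __init__(self, t):
        self.t = t
        self.held = {}                      # tx_id -> list of (x, y) shares

    def deposit(self, tx_id, shares):
        self.held[tx_id] = shares

    def reveal(self, tx_id, finalized, cooperating):
        if tx_id not in finalized:
            raise PermissionError("key release refused: transaction not finalized")
        if len(cooperating) < self.t:
            raise ValueError("fewer than t committee members cooperating")
        shares = [self.held[tx_id][i] for i in cooperating]
        return recover_secret(shares).to_bytes(32, "big")


def demo(plaintext=b"swap 10 A for B at price 1.0"):
    """End-to-end flow; returns the plaintext recovered after finalization."""
    ct, shares = user_prepare(plaintext, n=8, t=5)
    committee = Committee(t=5)
    committee.deposit("tx-1", shares)
    finalized = set()
    try:                                    # front-runner asks before finalization
        committee.reveal("tx-1", finalized, [0, 1, 2, 3, 4])
        raise AssertionError("key released before finalization")
    except PermissionError:
        pass
    finalized.add("tx-1")                   # consensus layer finalizes the ciphertext
    key = committee.reveal("tx-1", finalized, [0, 2, 4, 6, 7])
    return keystream_xor(key, ct)


if __name__ == "__main__":
    print(demo())
```

The two properties worth checking are visible in the code: a reveal request before finalization is refused outright, and any four shares interpolate to a value unrelated to the key, so a sub-threshold coalition learns nothing about the pending transaction.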
-
Baxos: Backing off for Robust and Efficient Consensus
Authors:
Pasindu Tennage,
Cristina Basescu,
Eleftherios Kokoris Kogias,
Ewa Syta,
Philipp Jovanovic,
Bryan Ford
Abstract:
Leader-based consensus algorithms are vulnerable to liveness and performance downgrade attacks. We explore the possibility of replacing leader election in Multi-Paxos with random exponential backoff (REB), a simpler approach that requires minimal modifications to the two-phase Synod Paxos and achieves better resiliency under attacks. We propose Baxos, a new resilient consensus protocol that leverages a random exponential backoff scheme as a replacement for leader election in consensus algorithms. Our backoff scheme addresses the common challenges of random exponential backoff such as scalability and robustness to changing wide area latency. We extensively evaluate Baxos to illustrate its performance and robustness against two liveness and performance downgrade attacks using an implementation running on Amazon EC2 in a wide area network and a combination of a micro benchmark and YCSB-A workload on Redis. Our results show that Baxos offers more robustness to liveness and performance downgrade attacks than leader-based consensus protocols. Baxos outperforms Multi-Paxos and Raft by up to 128% in throughput under liveness and performance downgrade attacks under worst case contention scenarios where each replica proposes requests concurrently.
Submitted 19 December, 2024; v1 submitted 22 April, 2022;
originally announced April 2022.
-
TRIP: Trust-Limited Coercion-Resistant In-Person Voter Registration
Authors:
Louis-Henri Merino,
Simone Colombo,
Rene Reyes,
Alaleh Azhir,
Haoqian Zhang,
Jeff Allen,
Bernhard Tellenbach,
Vero Estrada-Galiñanes,
Bryan Ford
Abstract:
Remote electronic voting is convenient and flexible, but presents risks of coercion and vote buying. One promising mitigation strategy enables voters to give a coercer fake voting credentials, which silently cast votes that do not count. However, current proposals make problematic assumptions during credential issuance, such as relying on a trustworthy registrar, on trusted hardware, or on voters interacting with multiple registrars. We present TRIP, the first voter registration scheme that addresses these challenges by leveraging the physical security of in-person interaction. Voters use a kiosk in a privacy booth to print real and fake paper credentials, which appear indistinguishable to others. Voters interact with only one authority, need no trusted hardware during credential issuance, and need not trust the registrar except when actually under coercion. For verifiability, each credential includes an interactive zero-knowledge proof, which is sound in real credentials and unsound in fake credentials. Voters learn the difference by observing the order of printing steps, and need not understand the technical details. We prove formally that TRIP satisfies coercion-resistance and verifiability. In a user study with 150 participants, 83% successfully used TRIP.
Submitted 17 March, 2024; v1 submitted 14 February, 2022;
originally announced February 2022.
-
Identity and Personhood in Digital Democracy: Evaluating Inclusion, Equality, Security, and Privacy in Pseudonym Parties and Other Proofs of Personhood
Authors:
Bryan Ford
Abstract:
Digital identity seems like a prerequisite for digital democracy: how can we ensure "one person, one vote" online without identifying voters? But digital identity solutions - ID checking, biometrics, self-sovereign identity, and trust networks - all present flaws, leaving users vulnerable to exclusion, identity loss or theft, and coercion. These flaws may be insurmountable because digital identity is a cart pulling the horse. We cannot achieve digital identity secure enough for the weight of digital democracy, until we build it on a solid foundation of "digital personhood." While identity is about distinguishing one person from another through attributes or affiliations, personhood is about giving all real people inalienable digital participation rights independent of identity, including protection against erosion of their democratic rights through identity loss, theft, coercion, or fakery.
We explore and analyze alternative approaches to "proof of personhood" that may provide this missing foundation. Pseudonym parties marry the transparency of periodic physical-world events with the power of digital tokens between events. These tokens represent limited-term but renewable claims usable for purposes such as online voting or liquid democracy, sampled juries or deliberative polls, abuse-resistant social communication, or minting universal basic income in a permissionless cryptocurrency. Enhancing pseudonym parties to provide participants a moment of enforced physical security and privacy can address coercion and vote-buying risks that plague today's E-voting systems. We also examine other proposed approaches to proof of personhood, some of which offer conveniences such as all-online participation. These alternatives currently fall short of satisfying all the key digital personhood goals, unfortunately, but offer valuable insights into the challenges we face.
Submitted 4 November, 2020;
originally announced November 2020.
-
Economic Principles of PoPCoin, a Democratic Time-based Cryptocurrency
Authors:
Haoqian Zhang,
Cristina Basescu,
Bryan Ford
Abstract:
While democracy is founded on the principle of equal opportunity to manage our lives and pursue our fortunes, the forms of money we have inherited from millennia of evolution have brought us to an unsustainable dead-end of exploding inequality. PoPCoin proposes to leverage the unique historical opportunities that digital cryptocurrencies present for a "clean-slate" redesign of money, in particular around long-term equitability and sustainability, rather than solely stability, as our primary goals. We develop and analyze a monetary policy for PoPCoin that embodies these equitability goals in two basic rules that may be summarized as supporting equal opportunity in "space" and "time": the first by regularly distributing new money equally to all participants much like a basic income, the second by holding the aggregate value of these distributions to a constant and non-diminishing portion of total money supply through demurrage. Through preliminary economic analysis, we find that these rules in combination yield a unique form of money with numerous intriguing and promising properties, such as a quantifiable and provable upper bound on monetary inequality, a natural "early adopter's reward" that could incentivize rapid growth while tapering off as participation saturates, resistance to the risk of deflationary spirals, and migration incentives opposite those created by conventional basic incomes.
Submitted 3 November, 2020;
originally announced November 2020.
-
A Liquid Perspective on Democratic Choice
Authors:
Bryan Ford
Abstract:
The idea of liquid democracy responds to a widely-felt desire to make democracy more "fluid" and continuously participatory. Its central premise is to enable users to employ networked technologies to control and delegate voting power, to approximate the ideal of direct democracy in a scalable fashion that accounts for time and attention limits. There are many potential definitions, meanings, and ways to implement liquid democracy, however, and many distinct purposes to which it might be deployed. This paper develops and explores the "liquid" notion and what it might mean for purposes of enhancing voter choice by spreading voting power, improving proportional representation systems, simplifying or aiding voters in their choice, or scaling direct democracy through specialization. The goal of this paper is to disentangle and further develop some of the many concepts and goals that liquid democracy ideas often embody, to explore their justification with respect to existing democratic traditions such as transferable voting and political parties, and to explore potential risks in liquid democracy systems and ways to address them.
Submitted 26 March, 2020;
originally announced March 2020.
-
Democratic Value and Money for Decentralized Digital Society
Authors:
Bryan Ford
Abstract:
Classical monetary systems regularly subject the most vulnerable majority of the world's population to debilitating financial shocks, and have manifestly allowed uncontrolled global inequality over the long term. Given these basic failures, how can we avoid asking whether mainstream macroeconomic principles are actually compatible with democratic principles such as equality or the protection of human rights and dignity? This idea paper takes a constructive look at this question, by exploring how alternate monetary principles might result in a form of money more compatible with democratic principles -- dare we call it "democratic money"? In this alternative macroeconomic philosophy, both the supply of and the demand for money must be rooted in people, so as to give all people equal opportunities for economic participation. Money must be designed around equality, not only across all people alive at a given moment, but also across past and future generations of people, guaranteeing that our descendants cannot be enslaved by their ancestors' economic luck or misfortune. Democratic money must reliably give all people a means to enable everyday commerce, investment, and value creation in good times and bad, and must impose hard limits on financial inequality. Democratic money must itself be governed democratically, and must economically facilitate the needs of citizens in a democracy for trustworthy and unbiased information with which to make wise collective decisions. An intriguing approach to implementing and deploying democratic money is via a cryptocurrency built on a proof-of-personhood foundation, giving each opt-in human participant one equal unit of stake. Such a cryptocurrency would have both interesting similarities to, and important differences from, a Universal Basic Income (UBI) denominated in an existing currency.
Submitted 26 March, 2020;
originally announced March 2020.
-
Que Sera Consensus: Simple Asynchronous Agreement with Private Coins and Threshold Logical Clocks
Authors:
Bryan Ford,
Philipp Jovanovic,
Ewa Syta
Abstract:
It is commonly held that asynchronous consensus is much more complex, difficult, and costly than partially-synchronous algorithms, especially without using common coins. This paper challenges that conventional wisdom with que sera consensus QSC, an approach to consensus that cleanly decomposes the agreement problem from that of network asynchrony. QSC uses only private coins and reaches consensus in $O(1)$ expected communication rounds. It relies on "lock-step" synchronous broadcast, but can run atop a threshold logical clock (TLC) algorithm to time and pace partially-reliable communication atop an underlying asynchronous network. This combination is arguably simpler than partially-synchronous consensus approaches like (Multi-)Paxos or Raft with leader election, and is more robust to slow leaders or targeted network denial-of-service attacks. The simplest formulations of QSC atop TLC incur expected $O(n^2)$ messages and $O(n^4)$ bits per agreement, or $O(n^3)$ bits with straightforward optimizations. An on-demand implementation, in which clients act as "natural leaders" to execute the protocol atop stateful servers that merely implement passive key-value stores, can achieve $O(n^2)$ expected communication bits per client-driven agreement.
Submitted 4 March, 2020;
originally announced March 2020.
-
Rationality is Self-Defeating in Permissionless Systems
Authors:
Bryan Ford,
Rainer Böhme
Abstract:
We outline a metacircular argument explaining why it is rational to be irrational when attacking open-world decentralized systems, and why systems whose security depend on rationality assumptions are insecure.
Submitted 19 October, 2019;
originally announced October 2019.
-
Threshold Logical Clocks for Asynchronous Distributed Coordination and Consensus
Authors:
Bryan Ford
Abstract:
Consensus protocols for asynchronous networks are usually complex and inefficient, leading practical systems to rely on synchronous protocols. This paper attempts to simplify asynchronous consensus by building atop a novel threshold logical clock abstraction, which enables upper layers to operate as if on a synchronous network. This approach yields an asynchronous consensus protocol for fail-stop nodes that may be simpler and more robust than Paxos and its leader-based variants, requiring no common coins and achieving consensus in a constant expected number of rounds. The same approach can be strengthened against Byzantine failures by building on well-established techniques such as tamper-evident logging and gossip, accountable state machines, threshold signatures and witness cosigning, and verifiable secret sharing. This combination of existing abstractions and threshold logical clocks yields a modular, cleanly-layered approach to building practical and efficient Byzantine consensus, distributed key generation, time, timestamping, and randomness beacons, and other critical services.
Submitted 16 July, 2019;
originally announced July 2019.
-
Reducing Metadata Leakage from Encrypted Files and Communication with PURBs
Authors:
Kirill Nikitin,
Ludovic Barman,
Wouter Lueks,
Matthew Underwood,
Jean-Pierre Hubaux,
Bryan Ford
Abstract:
Most encrypted data formats leak metadata via their plaintext headers, such as format version, encryption schemes used, number of recipients who can decrypt the data, and even the recipients' identities. This leakage can pose security and privacy risks to users, e.g., by revealing the full membership of a group of collaborators from a single encrypted e-mail, or by enabling an eavesdropper to fingerprint the precise encryption software version and configuration the sender used. We propose that future encrypted data formats improve security and privacy hygiene by producing Padded Uniform Random Blobs or PURBs: ciphertexts indistinguishable from random bit strings to anyone without a decryption key. A PURB's content leaks nothing at all, even the application that created it, and is padded such that even its length leaks as little as possible. Encoding and decoding ciphertexts with no cleartext markers presents efficiency challenges, however. We present cryptographically agile encodings enabling legitimate recipients to decrypt a PURB efficiently, even when encrypted for any number of recipients' public keys and/or passwords, and when these public keys are from different cryptographic suites. PURBs employ Padmé, a novel padding scheme that limits information leakage via ciphertexts of maximum length $M$ to a practical optimum of $O(\log \log M)$ bits, comparable to padding to a power of two, but with lower overhead of at most 12% and decreasing with larger payloads.
Submitted 25 July, 2019; v1 submitted 8 June, 2018;
originally announced June 2018.
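The abstract's length-leakage claim is concrete enough to check. Padmé keeps the floor(log2 L) high-order bits of a length and rounds the rest up, so the number of distinct padded sizes below $M$ grows like $O(\log \log M)$ while the padding overhead shrinks as payloads grow. The block below is an added example written for this page from the published Padmé rule; it is not the PURBs library's code. The random-filler `pad_payload` helper and the comparison with power-of-two padding are additions for illustration, and how a receiver recovers the true payload length from inside the encrypted content (PURBs have no plaintext length field) is left out here.

```python
# Added example: Padmé padded-length rule, its overhead bound, and the
# count of distinct sizes it leaks, compared with power-of-two padding.
import math
import os


def padme(length):
    """Padmé padded length for a payload of `length` bytes.

    E = floor(log2 L) is the payload's bit length minus one; S = floor(log2 E) + 1
    high bits of L are kept and the remaining E - S low bits are rounded up.
    Integer bit_length() replaces the floating-point logs of the published
    pseudocode and also handles L = 1 (E = 0) cleanly.
    """
    if length < 1:
        raise ValueError("length must be positive")
    E = length.bit_length() - 1
    S = E.bit_length()                 # == floor(log2 E) + 1 for E >= 1, 0 for E == 0
    last_bits = E - S                  # number of low bits zeroed by rounding up
    mask = (1 << last_bits) - 1
    return (length + mask) & ~mask


def pow2_pad(length):
    """Baseline: round up to the next power of two (assumption: plain comparison)."""
    if length < 1:
        raise ValueError("length must be positive")
    return 1 << (length - 1).bit_length()


def pad_payload(payload):
    """Append random filler up to the Padmé length (filler is indistinguishable
    from the surrounding ciphertext, which is what a PURB needs)."""
    target = padme(len(payload))
    return payload + os.urandom(target - len(payload))


def max_overhead(pad, max_len):
    """Largest relative padding overhead over all payload lengths 1..max_len."""
    return max((pad(L) - L) / L for L in range(1, max_len + 1))


def distinct_sizes(pad, max_len):
    """How many different output sizes an observer can see for payloads <= max_len."""
    return len({pad(L) for L in range(1, max_len + 1)})


def leakage_bits(pad, max_len):
    """log2 of the distinct-size count: bits of length information leaked."""
    return math.log2(distinct_sizes(pad, max_len))


if __name__ == "__main__":
    for L in (1, 9, 129, 1000, 1025, 100_000):
        print(L, padme(L), pow2_pad(L))
    print("padme max overhead up to 64 KiB:", max_overhead(padme, 1 << 16))
    print("pow2  max overhead up to 64 KiB:", max_overhead(pow2_pad, 1 << 16))
    print("padme leakage bits (M = 2^20):", leakage_bits(padme, 1 << 20))
    print("pow2  leakage bits (M = 2^20):", leakage_bits(pow2_pad, 1 << 20))
    print(len(pad_payload(b"x" * 1000)))   # 1024
```

Running the scan shows the trade-off the abstract describes: the worst case for Padmé is a 129-byte payload padded to 144 bytes (about 11.6%), whereas power-of-two padding leaks slightly fewer distinct sizes but can nearly double a payload just past a power of two.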
-
PriFi: Low-Latency Anonymity for Organizational Networks
Authors:
Ludovic Barman,
Italo Dacosta,
Mahdi Zamani,
Ennan Zhai,
Apostolos Pyrgelis,
Bryan Ford,
Jean-Pierre Hubaux,
Joan Feigenbaum
Abstract:
Organizational networks are vulnerable to traffic-analysis attacks that enable adversaries to infer sensitive information from the network traffic - even if encryption is used. Typical anonymous communication networks are tailored to the Internet and are poorly suited for organizational networks. We present PriFi, an anonymous communication protocol for LANs, which protects users against eavesdroppers and provides high-performance traffic-analysis resistance. PriFi builds on Dining Cryptographers networks but reduces the high communication latency of prior work via a new client/relay/server architecture, in which a client's packets remain on their usual network path without additional hops, and in which a set of remote servers assist the anonymization process without adding latency. PriFi also solves the challenge of equivocation attacks, which are not addressed by related works, by encrypting the traffic based on the communication history. Our evaluation shows that PriFi introduces a small latency overhead (~100ms for 100 clients) and is compatible with delay-sensitive applications such as VoIP.
Submitted 6 April, 2021; v1 submitted 27 October, 2017;
originally announced October 2017.
-
Atom: Horizontally Scaling Strong Anonymity
Authors:
Albert Kwon,
Henry Corrigan-Gibbs,
Srinivas Devadas,
Bryan Ford
Abstract:
Atom is an anonymous messaging system that protects against traffic-analysis attacks. Unlike many prior systems, each Atom server touches only a small fraction of the total messages routed through the network. As a result, the system's capacity scales near-linearly with the number of servers. At the same time, each Atom user benefits from "best possible" anonymity: a user is anonymous among all ho…
▽ More
Atom is an anonymous messaging system that protects against traffic-analysis attacks. Unlike many prior systems, each Atom server touches only a small fraction of the total messages routed through the network. As a result, the system's capacity scales near-linearly with the number of servers. At the same time, each Atom user benefits from "best possible" anonymity: a user is anonymous among all honest users of the system, against an active adversary who controls the entire network, a portion of the system's servers, and any number of malicious users. The architectural ideas behind Atom have been known in theory, but putting them into practice requires new techniques for (1) avoiding the reliance on heavy general-purpose multi-party computation protocols, (2) defeating active attacks by malicious servers at minimal performance cost, and (3) handling server failure and churn.
Atom is most suitable for sending a large number of short messages, as in a microblogging application or a high-security communication bootstrapping ("dialing") for private messaging systems. We show that, on a heterogeneous network of 1,024 servers, Atom can transit a million Tweet-length messages in 28 minutes. This is over 23x faster than prior systems with similar privacy guarantees.
Submitted 2 October, 2017; v1 submitted 22 December, 2016;
originally announced December 2016.
-
Open, privacy-preserving protocols for lawful surveillance
Authors:
Aaron Segal,
Joan Feigenbaum,
Bryan Ford
Abstract:
The question of how government agencies can acquire actionable, useful information about legitimate but unknown targets without intruding upon the electronic activity of innocent parties is extremely important. We address this question by providing experimental evidence that actionable, useful information can indeed be obtained in a manner that preserves the privacy of innocent parties and that holds government agencies accountable. In particular, we present practical, privacy-preserving protocols for two operations that law-enforcement and intelligence agencies have used effectively: set intersection and contact chaining. Experiments with our protocols suggest that privacy-preserving contact chaining can perform a 3-hop privacy-preserving graph traversal producing 27,000 ciphertexts in under two minutes. These ciphertexts are usable in turn via privacy-preserving set intersection to pinpoint potential unknown targets within a body of 150,000 total ciphertexts within 10 minutes, without exposing personal information about non-targets.
Submitted 13 July, 2016;
originally announced July 2016.
-
Enhancing Bitcoin Security and Performance with Strong Consistency via Collective Signing
Authors:
Eleftherios Kokoris-Kogias,
Philipp Jovanovic,
Nicolas Gailly,
Ismail Khoffi,
Linus Gasser,
Bryan Ford
Abstract:
While showing great promise, Bitcoin requires users to wait tens of minutes for transactions to commit, and even then, offering only probabilistic guarantees. This paper introduces ByzCoin, a novel Byzantine consensus protocol that leverages scalable collective signing to commit Bitcoin transactions irreversibly within seconds. ByzCoin achieves Byzantine consensus while preserving Bitcoin's open membership by dynamically forming hash power-proportionate consensus groups that represent recently-successful block miners. ByzCoin employs communication trees to optimize transaction commitment and verification under normal operation while guaranteeing safety and liveness under Byzantine faults, up to a near-optimal tolerance of f faulty group members among 3f + 2 total. ByzCoin mitigates double spending and selfish mining attacks by producing collectively signed transaction blocks within one minute of transaction submission. Tree-structured communication further reduces this latency to less than 30 seconds. Due to these optimizations, ByzCoin achieves a throughput higher than PayPal currently handles, with a confirmation latency of 15-20 seconds.
Submitted 1 August, 2016; v1 submitted 22 February, 2016;
originally announced February 2016.
-
Deterministically Deterring Timing Attacks in Deterland
Authors:
Weiyi Wu,
Bryan Ford
Abstract:
The massive parallelism and resource sharing embodying today's cloud business model not only exacerbate the security challenge of timing channels, but also undermine the viability of defenses based on resource partitioning. We propose hypervisor-enforced timing mitigation to control timing channels in cloud environments. This approach closes "reference clocks" internal to the cloud by imposing a deterministic view of time on guest code, and uses timing mitigators to pace I/O and rate-limit potential information leakage to external observers. Our prototype hypervisor is the first system to mitigate timing-channel leakage across full-scale existing operating systems such as Linux and applications in arbitrary languages. Mitigation incurs a varying performance cost, depending on workload and tunable leakage-limiting parameters, but this cost may be justified for security-critical cloud applications and data.
Submitted 30 May, 2016; v1 submitted 27 April, 2015;
originally announced April 2015.
-
Keeping Authorities "Honest or Bust" with Decentralized Witness Cosigning
Authors:
Ewa Syta,
Iulia Tamas,
Dylan Visher,
David Isaac Wolinsky,
Philipp Jovanovic,
Linus Gasser,
Nicolas Gailly,
Ismail Khoffi,
Bryan Ford
Abstract:
The secret keys of critical network authorities - such as time, name, certificate, and software update services - represent high-value targets for hackers, criminals, and spy agencies wishing to use these keys secretly to compromise other hosts. To protect authorities and their clients proactively from undetected exploits and misuse, we introduce CoSi, a scalable witness cosigning protocol ensuring that every authoritative statement is validated and publicly logged by a diverse group of witnesses before any client will accept it. A statement S collectively signed by W witnesses assures clients that S has been seen, and not immediately found erroneous, by those W observers. Even if S is compromised in a fashion not readily detectable by the witnesses, CoSi still guarantees S's exposure to public scrutiny, forcing secrecy-minded attackers to risk that the compromise will soon be detected by one of the W witnesses. Because clients can verify collective signatures efficiently without communication, CoSi protects clients' privacy, and offers the first transparency mechanism effective against persistent man-in-the-middle attackers who control a victim's Internet access, the authority's secret key, and several witnesses' secret keys. CoSi builds on existing cryptographic multisignature methods, scaling them to support thousands of witnesses via signature aggregation over efficient communication trees. A working prototype demonstrates CoSi in the context of timestamping and logging authorities, enabling groups of over 8,000 distributed witnesses to cosign authoritative statements in under two seconds.
Submitted 30 May, 2016; v1 submitted 30 March, 2015;
originally announced March 2015.
-
Crypto-Book: Bootstrapping Privacy Preserving Online Identities from Social Networks
Authors:
John Maheswaran,
Daniel Jackowitz,
David Isaac Wolinsky,
Lining Wang,
Bryan Ford
Abstract:
Social networking sites supporting federated identities offer a convenient and increasingly popular mechanism for cross-site authentication. Unfortunately, they also exacerbate many privacy and tracking risks. We propose Crypto-Book, an anonymizing layer enabling cross-site authentication while reducing these risks.
Crypto-Book relies on a set of independently managed servers that collectively assign each social network identity a public/private keypair. Only an identity's owner learns all the private key shares, and can therefore construct the private key, while all participants can obtain any user's public key, even if the corresponding private key has yet to be retrieved. Having obtained an appropriate key set, a user can then leverage anonymous authentication techniques such as linkable ring signatures to log into third-party web sites while preserving privacy.
We have implemented a prototype of Crypto-Book and demonstrate its use with three applications: a Wiki system, an anonymous group communication system, and a whistleblower submission system. Our results show that for anonymity sets of size 100, Crypto-Book login takes 0.56s for signature generation by the client, 0.38s for signature verification on the server, and requires 5.6KB of communication bandwidth.
Submitted 16 June, 2014;
originally announced June 2014.
-
Limiting Lamport Exposure to Distant Failures in Globally-Managed Distributed Systems
Authors:
Cristina Băsescu,
Georgia Fragkouli,
Enis Ceyhun Alp,
Michael F. Nowlan,
Jose M. Faleiro,
Gaylor Bosson,
Kelong Cong,
Pierluca Borsò-Tan,
Vero Estrada-Galiñanes,
Bryan Ford
Abstract:
Globalized computing infrastructures offer the convenience and elasticity of globally managed objects and services, but lack the resilience to distant failures that localized infrastructures such as private clouds provide. Providing both global management and resilience to distant failures, however, poses a fundamental problem for configuration services: How to discover a possibly migratory, strongly-consistent service/object in a globalized infrastructure without dependencies on globalized state? Limix is the first metadata configuration service that addresses this problem. With Limix, global strongly-consistent data-plane services and objects are insulated from remote gray failures by ensuring that the definitive, strongly-consistent metadata for any object is always confined to the same region as the object itself. Limix guarantees availability bounds: any user can continue accessing any strongly consistent object that matters to the user located at distance $\Delta$ away, insulated from failures outside a small multiple of $\Delta$. We built a Limix metadata service based on CockroachDB. Our experiments on Internet-like networks and on AWS, using realistic trace-driven workloads, show that Limix enables global management and significantly improves availability over the state-of-the-art.
Submitted 15 July, 2022; v1 submitted 3 May, 2014;
originally announced May 2014.
-
Seeking Anonymity in an Internet Panopticon
Authors:
Joan Feigenbaum,
Bryan Ford
Abstract:
Obtaining and maintaining anonymity on the Internet is challenging. The state of the art in deployed tools, such as Tor, uses onion routing (OR) to relay encrypted connections on a detour passing through randomly chosen relays scattered around the Internet. Unfortunately, OR is known to be vulnerable at least in principle to several classes of attacks for which no solution is known or believed to be forthcoming soon. Current approaches to anonymity also appear unable to offer accurate, principled measurement of the level or quality of anonymity a user might obtain.
Toward this end, we offer a high-level view of the Dissent project, the first systematic effort to build a practical anonymity system based purely on foundations that offer measurable and formally provable anonymity properties. Dissent builds on two key pre-existing primitives - verifiable shuffles and dining cryptographers - but for the first time shows how to scale such techniques to offer measurable anonymity guarantees to thousands of participants. Further, Dissent represents the first anonymity system designed from the ground up to incorporate some systematic countermeasure for each of the major classes of known vulnerabilities in existing approaches, including global traffic analysis, active attacks, and intersection attacks. Finally, because no anonymity protocol alone can address risks such as software exploits or accidental self-identification, we introduce WiNon, an experimental operating system architecture to harden the uses of anonymity tools such as Tor and Dissent against such attacks.
Submitted 2 January, 2015; v1 submitted 18 December, 2013;
originally announced December 2013.
-
Managing NymBoxes for Identity and Tracking Protection
Authors:
David Isaac Wolinsky,
Bryan Ford
Abstract:
Despite the attempts of well-designed anonymous communication tools to protect users from tracking or identification, flaws in surrounding software (such as web browsers) and mistakes in configuration may leak the user's identity. We introduce Nymix, an anonymity-centric operating system architecture designed "top-to-bottom" to strengthen identity- and tracking-protection. Nymix's core contribution is OS support for nym-browsing: independent, parallel, and ephemeral web sessions. Each web session, or pseudonym, runs in a unique virtual machine (VM) instance evolving from a common base state with support for long-lived sessions which can be anonymously stored to the cloud, avoiding de-anonymization despite potential confiscation or theft. Nymix allows a user to safely browse the Web using various different transports simultaneously through a pluggable communication model that supports Tor, Dissent, and a private browsing mode. In evaluations, Nymix consumes 600 MB per nymbox and loads within 15 to 25 seconds.
Submitted 5 May, 2014; v1 submitted 12 December, 2013;
originally announced December 2013.
-
Ensuring High-Quality Randomness in Cryptographic Key Generation
Authors:
Henry Corrigan-Gibbs,
Wendy Mu,
Dan Boneh,
Bryan Ford
Abstract:
The security of any cryptosystem relies on the secrecy of the system's secret keys. Yet, recent experimental work demonstrates that tens of thousands of devices on the Internet use RSA and DSA secrets drawn from a small pool of candidate values. As a result, an adversary can derive the device's secret keys without breaking the underlying cryptosystem. We introduce a new threat model, under which there is a systemic solution to such randomness flaws. In our model, when a device generates a cryptographic key, it incorporates some random values from an entropy authority into its cryptographic secrets and then proves to the authority, using zero-knowledge-proof techniques, that it performed this operation correctly. By presenting an entropy-authority-signed public-key certificate to a third party (like a certificate authority or SSH client), the device can demonstrate that its public key incorporates randomness from the authority and is therefore drawn from a large pool of candidate values. Where possible, our protocol protects against eavesdroppers, entropy authority misbehavior, and devices attempting to discredit the entropy authority. To demonstrate the practicality of our protocol, we have implemented and evaluated its performance on a commodity wireless home router. When running on a home router, our protocol incurs a 2.1x slowdown over conventional RSA key generation and it incurs a 4.4x slowdown over conventional EC-DSA key generation.
Submitted 8 January, 2014; v1 submitted 27 September, 2013;
originally announced September 2013.
-
Conscript Your Friends into Larger Anonymity Sets with JavaScript
Authors:
Henry Corrigan-Gibbs,
Bryan Ford
Abstract:
We present the design and prototype implementation of ConScript, a framework for using JavaScript to allow casual Web users to participate in an anonymous communication system. When a Web user visits a cooperative Web site, the site serves a JavaScript application that instructs the browser to create and submit "dummy" messages into the anonymity system. Users who want to send non-dummy messages through the anonymity system use a browser plug-in to replace these dummy messages with real messages. Creating such conscripted anonymity sets can increase the anonymity set size available to users of remailer, e-voting, and verifiable shuffle-style anonymity systems. We outline ConScript's architecture, we address a number of potential attacks against ConScript, and we discuss the ethical issues related to deploying such a system. Our implementation results demonstrate the practicality of ConScript: a workstation running our ConScript prototype JavaScript client generates a dummy message for a mix-net in 81 milliseconds and it generates a dummy message for a DoS-resistant DC-net in 156 milliseconds.
Submitted 4 September, 2013;
originally announced September 2013.
-
Hang With Your Buddies to Resist Intersection Attacks
Authors:
David Isaac Wolinsky,
Ewa Syta,
Bryan Ford
Abstract:
Some anonymity schemes might in principle protect users from pervasive network surveillance - but only if all messages are independent and unlinkable. Users in practice often need pseudonymity - sending messages intentionally linkable to each other but not to the sender - but pseudonymity in dynamic networks exposes users to intersection attacks. We present Buddies, the first systematic design for intersection attack resistance in practical anonymity systems. Buddies groups users dynamically into buddy sets, controlling message transmission to make buddies within a set behaviorally indistinguishable under traffic analysis. To manage the inevitable tradeoffs between anonymity guarantees and communication responsiveness, Buddies enables users to select independent attack mitigation policies for each pseudonym. Using trace-based simulations and a working prototype, we find that Buddies can guarantee non-trivial anonymity set sizes in realistic chat/microblogging scenarios, for both short-lived and long-lived pseudonyms.
Submitted 27 August, 2013; v1 submitted 22 May, 2013;
originally announced May 2013.
-
Proactively Accountable Anonymous Messaging in Verdict
Authors:
Henry Corrigan-Gibbs,
David Isaac Wolinsky,
Bryan Ford
Abstract:
The DC-nets approach to anonymity has long held attraction for its strength against traffic analysis, but practical implementations remain vulnerable to internal disruption or "jamming" attacks requiring time-consuming tracing procedures to address. We present Verdict, the first practical anonymous group communication system built using proactively verifiable DC-nets: participants use public key cryptography to construct DC-net ciphertexts, and knowledge proofs to detect and exclude misbehavior before disruption. We compare three alternative constructions for verifiable DC-nets, one using bilinear maps and two based on simpler ElGamal encryption. While verifiable DC-nets incur higher computation overheads due to the public-key cryptography involved, our experiments suggest Verdict is practical for anonymous group messaging or microblogging applications, supporting groups of 100 clients at 1 second per round or 1000 clients at 10 seconds per round. Furthermore, we show how existing symmetric-key DC-nets can "fall back" to a verifiable DC-net to quickly identify misbehavior, improving on previous detection schemes by two orders of magnitude.
Submitted 26 June, 2013; v1 submitted 21 September, 2012;
originally announced September 2012.
-
Swarm-NG: a CUDA Library for Parallel n-body Integrations with focus on Simulations of Planetary Systems
Authors:
Saleh Dindar,
Eric B. Ford,
Mario Juric,
Young In Yeo,
Jianwei Gao,
Aaron C. Boley,
Benjamin Nelson,
Jorg Peters
Abstract:
We present Swarm-NG, a C++ library for the efficient direct integration of many n-body systems using highly parallel Graphics Processing Units (GPUs), such as NVIDIA's Tesla T10 and M2070 GPUs. While previous studies have demonstrated the benefit of GPUs for n-body simulations with thousands to millions of bodies, Swarm-NG focuses on many few-body systems, e.g., thousands of systems with 3...15 bodies each, as is typical for the study of planetary systems. Swarm-NG parallelizes the simulation, including both the numerical integration of the equations of motion and the evaluation of forces, using NVIDIA's "Compute Unified Device Architecture" (CUDA) on the GPU. Swarm-NG includes optimized implementations of 4th order time-symmetrized Hermite integration and mixed variable symplectic integration, as well as several sample codes for other algorithms to illustrate how non-CUDA-savvy users may themselves introduce customized integrators into the Swarm-NG framework. To optimize performance, we analyze the effect of GPU-specific parameters on performance under double precision.
Applications of Swarm-NG include studying the late stages of planet formation, testing the stability of planetary systems and evaluating the goodness-of-fit between many planetary system models and observations of extrasolar planet host stars (e.g., radial velocity, astrometry, transit timing). While Swarm-NG focuses on the parallel integration of many planetary systems, the underlying integrators could be applied to a wide variety of problems that require repeatedly integrating a set of ordinary differential equations many times using different initial conditions and/or parameter values.
Submitted 24 September, 2012; v1 submitted 6 August, 2012;
originally announced August 2012.
-
Plugging Side-Channel Leaks with Timing Information Flow Control
Authors:
Bryan Ford
Abstract:
The cloud model's dependence on massive parallelism and resource sharing exacerbates the security challenge of timing side-channels. Timing Information Flow Control (TIFC) is a novel adaptation of IFC techniques that may offer a way to reason about, and ultimately control, the flow of sensitive information through systems via timing channels. With TIFC, objects such as files, messages, and processes carry not just content labels describing the ownership of the object's "bits," but also timing labels describing information contained in timing events affecting the object, such as process creation/termination or message reception. With two system design tools - deterministic execution and pacing queues - TIFC enables the construction of "timing-hardened" cloud infrastructure that permits statistical multiplexing, while aggregating and rate-limiting timing information leakage between hosted computations.
Submitted 16 May, 2012; v1 submitted 8 March, 2012;
originally announced March 2012.
-
Icebergs in the Clouds: the Other Risks of Cloud Computing
Authors:
Bryan Ford
Abstract:
Cloud computing is appealing from management and efficiency perspectives, but brings risks both known and unknown. Well-known and hotly-debated information security risks, due to software vulnerabilities, insider attacks, and side-channels for example, may be only the "tip of the iceberg." As diverse, independently developed cloud services share ever more fluidly and aggressively multiplexed hardware resource pools, unpredictable interactions between load-balancing and other reactive mechanisms could lead to dynamic instabilities or "meltdowns." Non-transparent layering structures, where alternative cloud services may appear independent but share deep, hidden resource dependencies, may create unexpected and potentially catastrophic failure correlations, reminiscent of financial industry crashes. Finally, cloud computing exacerbates already-difficult digital preservation challenges, because only the provider of a cloud-based application or service can archive a "live," functional copy of a cloud artifact and its data for long-term cultural preservation. This paper explores these largely unrecognized risks, making the case that we should study them before our socioeconomic fabric becomes inextricably dependent on a convenient but potentially unstable computing model.
Submitted 16 May, 2012; v1 submitted 8 March, 2012;
originally announced March 2012.
-
Fitting Square Pegs Through Round Pipes: Unordered Delivery Wire-Compatible with TCP and TLS
Authors:
Michael F. Nowlan,
Nabin Tiwari,
Janardhan Iyengar,
Syed Obaid Amin,
Bryan Ford
Abstract:
Internet applications increasingly employ TCP not as a stream abstraction, but as a substrate for application-level transports, a use that converts TCP's in-order semantics from a convenience blessing to a performance curse. As Internet evolution makes TCP's use as a substrate likely to grow, we offer Minion, an architecture for backward-compatible out-of-order delivery atop TCP and TLS. Small OS API extensions allow applications to manage TCP's send buffer and to receive TCP segments out-of-order. Atop these extensions, Minion builds application-level protocols offering true unordered datagram delivery, within streams preserving strict wire-compatibility with unsecured or TLS-secured TCP connections. Minion's protocols can run on unmodified TCP stacks, but benefit incrementally when either endpoint is upgraded, for a backward-compatible deployment path. Experiments suggest that Minion can noticeably improve performance of applications such as conferencing, virtual private networking, and web browsing, while incurring minimal CPU or bandwidth costs.
Submitted 27 August, 2013; v1 submitted 2 March, 2011;
originally announced March 2011.
-
Efficient System-Enforced Deterministic Parallelism
Authors:
Amittai Aviram,
Shu-Chun Weng,
Sen Hu,
Bryan Ford
Abstract:
Deterministic execution offers many benefits for debugging, fault tolerance, and security. Running parallel programs deterministically is usually difficult and costly, however - especially if we desire system-enforced determinism, ensuring precise repeatability of arbitrarily buggy or malicious software. Determinator is a novel operating system that enforces determinism on both multithreaded and multi-process computations. Determinator's kernel provides only single-threaded, "shared-nothing" address spaces interacting via deterministic synchronization. An untrusted user-level runtime uses distributed computing techniques to emulate familiar abstractions such as Unix processes, file systems, and shared memory multithreading. The system runs parallel applications deterministically both on multicore PCs and across nodes in a cluster. Coarse-grained parallel benchmarks perform and scale comparably to - sometimes better than - conventional systems, though determinism is costly for fine-grained parallel applications.
Submitted 19 May, 2010;
originally announced May 2010.
-
Accountable Anonymous Group Messaging
Authors:
Henry Corrigan-Gibbs,
Bryan Ford
Abstract:
Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to spam or disrupt the group. Messaging protocols such as Mix-nets and DC-nets leave online groups vulnerable to denial-of-service and Sybil attacks, while accountable voting protocols are unusable or inefficient for general anonymous messaging.
We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members have much data to transmit in a given round. The N group members first cooperatively shuffle an NxN matrix of pseudorandom seeds, then use these seeds in N "pre-planned" DC-nets protocol runs. Each DC-nets run transmits the variable-length bulk data comprising one member's message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large and unbalanced message loads. A working prototype demonstrates the protocol's practicality for anonymous messaging in groups of 40+ member nodes.
Submitted 18 April, 2010;
originally announced April 2010.
-
Determinating Timing Channels in Compute Clouds
Authors:
Amittai Aviram,
Sen Hu,
Bryan Ford,
Ramakrishna Gummadi
Abstract:
Timing side-channels represent an insidious security challenge for cloud computing, because: (a) massive parallelism in the cloud makes timing channels pervasive and hard to control; (b) timing channels enable one customer to steal information from another without leaving a trail or raising alarms; (c) only the cloud provider can feasibly detect and report such attacks, but the provider's incentives are not to; and (d) resource partitioning schemes for timing channel control undermine statistical sharing efficiency, and, with it, the cloud computing business model. We propose a new approach to timing channel control, using provider-enforced deterministic execution instead of resource partitioning to eliminate timing channels within a shared cloud domain. Provider-enforced determinism prevents execution timing from affecting the results of a compute task, however large or parallel, ensuring that a task's outputs leak no timing information apart from explicit timing inputs and total compute duration. Experiments with a prototype OS for deterministic cloud computing suggest that such an approach may be practical and efficient. The OS supports deterministic versions of familiar APIs such as processes, threads, shared memory, and file systems, and runs coarse-grained parallel tasks as efficiently and scalably as current timing channel-ridden systems.
Submitted 25 July, 2010; v1 submitted 27 March, 2010;
originally announced March 2010.
-
Deterministic Consistency: A Programming Model for Shared Memory Parallelism
Authors:
Amittai Aviram,
Bryan Ford
Abstract:
The difficulty of developing reliable parallel software is generating interest in deterministic environments, where a given program and input can yield only one possible result. Languages or type systems can enforce determinism in new code, and runtime systems can impose synthetic schedules on legacy parallel code. To parallelize existing serial code, however, we would like a programming model that is naturally deterministic without language restrictions or artificial scheduling. We propose "deterministic consistency", a parallel programming model as easy to understand as the "parallel assignment" construct in sequential languages such as Perl and JavaScript, where concurrent threads always read their inputs before writing shared outputs. DC supports common data- and task-parallel synchronization abstractions such as fork/join and barriers, as well as non-hierarchical structures such as producer/consumer pipelines and futures. A preliminary prototype suggests that software-only implementations of DC can run applications written for popular parallel environments such as OpenMP with low (<10%) overhead for some applications.
Submitted 1 February, 2010; v1 submitted 4 December, 2009;
originally announced December 2009.
-
Flow Splitting with Fate Sharing in a Next Generation Transport Services Architecture
Authors:
Janardhan Iyengar,
Bryan Ford
Abstract:
The challenges of optimizing end-to-end performance over diverse Internet paths have driven widespread adoption of in-path optimizers, which can destructively interfere with TCP's end-to-end semantics and with each other, and are incompatible with end-to-end IPsec. We identify the architectural cause of these conflicts and resolve them in Tng, an experimental next-generation transport services architecture, by factoring congestion control from end-to-end semantic functions. Through a technique we call "queue sharing", Tng enables in-path devices to interpose on, split, and optimize congestion controlled flows without affecting or seeing the end-to-end content riding these flows. Simulations show that Tng's decoupling cleanly addresses several common performance problems, such as communication over lossy wireless links and reduction of buffering-induced latency on residential links. A working prototype and several incremental deployment paths suggest Tng's practicality.
Submitted 4 December, 2009;
originally announced December 2009.
-
Packrat Parsing: Simple, Powerful, Lazy, Linear Time
Authors:
Bryan Ford
Abstract:
Packrat parsing is a novel technique for implementing parsers in a lazy functional programming language. A packrat parser provides the power and flexibility of top-down parsing with backtracking and unlimited lookahead, but nevertheless guarantees linear parse time. Any language defined by an LL(k) or LR(k) grammar can be recognized by a packrat parser, in addition to many languages that conventional linear-time algorithms do not support. This additional power simplifies the handling of common syntactic idioms such as the widespread but troublesome longest-match rule, enables the use of sophisticated disambiguation strategies such as syntactic and semantic predicates, provides better grammar composition properties, and allows lexical analysis to be integrated seamlessly into parsing. Yet despite its power, packrat parsing shares the same simplicity and elegance as recursive descent parsing; in fact converting a backtracking recursive descent parser into a linear-time packrat parser often involves only a fairly straightforward structural change. This paper describes packrat parsing informally with emphasis on its use in practical applications, and explores its advantages and disadvantages with respect to the more conventional alternatives.
Submitted 18 March, 2006;
originally announced March 2006.
-
User-Relative Names for Globally Connected Personal Devices
Authors:
Bryan Ford,
Jacob Strauss,
Chris Lesniewski-Laas,
Sean Rhea,
Frans Kaashoek,
Robert Morris
Abstract:
Nontechnical users who own increasingly ubiquitous network-enabled personal devices such as laptops, digital cameras, and smart phones need a simple, intuitive, and secure way to share information and services between their devices. User Information Architecture, or UIA, is a novel naming and peer-to-peer connectivity architecture addressing this need. Users assign UIA names by "introducing" devices to each other on a common local-area network, but these names remain securely bound to their target as devices migrate. Multiple devices owned by the same user, once introduced, automatically merge their namespaces to form a distributed "personal cluster" that the owner can access or modify from any of his devices. Instead of requiring users to allocate globally unique names from a central authority, UIA enables users to assign their own "user-relative" names both to their own devices and to other users. With UIA, for example, Alice can always access her iPod from any of her own personal devices at any location via the name "ipod", and her friend Bob can access her iPod via a relative name like "ipod.Alice".
Submitted 18 March, 2006;
originally announced March 2006.
-
Unmanaged Internet Protocol: Taming the Edge Network Management Crisis
Authors:
Bryan Ford
Abstract:
Though appropriate for core Internet infrastructure, the Internet Protocol is unsuited to routing within and between emerging ad-hoc edge networks due to its dependence on hierarchical, administratively assigned addresses. Existing ad-hoc routing protocols address the management problem but do not scale to Internet-wide networks. The promise of ubiquitous network computing cannot be fulfilled until we develop an Unmanaged Internet Protocol (UIP), a scalable routing protocol that manages itself automatically. UIP must route within and between constantly changing edge networks potentially containing millions or billions of nodes, and must still function within edge networks disconnected from the main Internet, all without imposing the administrative burden of hierarchical address assignment. Such a protocol appears challenging but feasible. We propose an architecture based on self-certifying, cryptographic node identities and a routing algorithm adapted from distributed hash tables.
Submitted 18 March, 2006;
originally announced March 2006.
-
Peer-to-Peer Communication Across Network Address Translators
Authors:
Bryan Ford,
Pyda Srisuresh,
Dan Kegel
Abstract:
Network Address Translation (NAT) causes well-known difficulties for peer-to-peer (P2P) communication, since the peers involved may not be reachable at any globally valid IP address. Several NAT traversal techniques are known, but their documentation is slim, and data about their robustness or relative merits is slimmer. This paper documents and analyzes one of the simplest but most robust and practical NAT traversal techniques, commonly known as "hole punching." Hole punching is moderately well-understood for UDP communication, but we show how it can be reliably used to set up peer-to-peer TCP streams as well. After gathering data on the reliability of this technique on a wide variety of deployed NATs, we find that about 82% of the NATs tested support hole punching for UDP, and about 64% support hole punching for TCP streams. As NAT vendors become increasingly conscious of the needs of important P2P applications such as Voice over IP and online gaming protocols, support for hole punching is likely to increase in the future.
Submitted 18 March, 2006;
originally announced March 2006.
-
VXA: A Virtual Architecture for Durable Compressed Archives
Authors:
Bryan Ford
Abstract:
Data compression algorithms change frequently, and obsolete decoders do not always run on new hardware and operating systems, threatening the long-term usability of content archived using those algorithms. Re-encoding content into new formats is cumbersome, and highly undesirable when lossy compression is involved. Processor architectures, in contrast, have remained comparatively stable over recent decades. VXA, an archival storage system designed around this observation, archives executable decoders along with the encoded content it stores. VXA decoders run in a specialized virtual machine that implements an OS-independent execution environment based on the standard x86 architecture. The VXA virtual machine strictly limits access to host system services, making decoders safe to run even if an archive contains malicious code. VXA's adoption of a "native" processor architecture instead of type-safe language technology allows reuse of existing "hand-optimized" decoders in C and assembly language, and permits decoders access to performance-enhancing architecture features such as vector processing instructions. The performance cost of VXA's virtualization is typically less than 15% compared with the same decoders running natively. The storage cost of archived decoders, typically 30-130KB each, can be amortized across many archived files sharing the same compression method.
Submitted 18 March, 2006;
originally announced March 2006.