• No results found

Lavinia: An audit-payment protocol for censorship-resistant storage

N/A
N/A
Protected

Academic year: 2021

Share "Lavinia: An audit-payment protocol for censorship-resistant storage"

Copied!
18
0
0

Loading.... (view fulltext now)

Full text

(1)

Lavinia: An audit-payment protocol for

censorship-resistant storage

Cecylia Bocovich

John A. Doucette

Ian Goldberg

University of Waterloo

{

cbocovic, j3doucet, iang

}

@uwaterloo.ca

Abstract

As distributed storage systems grow in popularity, there is now a demand for a reliable incentive and payment system to guarantee and reward the pristine storage of documents. However, many existing proof-of-retrieval and micropayment protocols are not secure in a cen-sorship resistance setting, in which powerful adversaries may infiltrate a system or coerce the original publisher to remove content. Additionally, most existing censorship resistance systems lack a rigorous game-theoretic anal-ysis. We propose Lavinia, an audit and payment proto-col for censorship-resistant storage. Lavinia incentivizes document availability by providing micropayments to participating servers in exchange for honestly storing and serving content. Our protocol enables the implementa-tion of a digital printing press as described in Anderson’s Eternity Service: allowingthe publisher, as opposed to public interest or an appointed editorial board, to decide whether a document is worth storing, and for how long. In addition to proving the security of our protocol, we provide an in-depth game-theoretic analysis and show that self-interested participants of our system will faith-fully implement the desired behaviour and continue to store documents until their expiration date.

1

Introduction

Throughout history, the spread of information has been assisted by technological advances, but has also faced barriers in the form of censorship. With each new ad-vance in technology that facilitates the spread of knowl-edge, ideas, and social understanding, there is a increase in the efforts of the censor to limit this spread.

A popular example in the history of censorship and its resistance is the advent of the printing press [11]. Not only did the ability to print documents easily and effi-ciently result in the distribution of previously guarded works, it also led to an increase in the literacy rate of Eu-rope. Opposition to the spread of printed documents in

Europe, notably religious ones, came the most strongly from the Catholic Church. Citing the dangers of erro-neous translations to vernacular languages, many coun-tries began to punish the printing of bibles and religious texts with imprisonment or death. Despite these censor-ship attempts, the printed documents proved to be resis-tant to state-level attempts to remove them. Borders were difficult to patrol thoroughly, and the production of many copies of each text made them almost impossible to erad-icate completely. The only important impediment to us-ing a printus-ing press was the acquisition of enough capital to purchase the requisite raw materials and labour.

Today, worldwide use of the Internet has enabled an even faster and further spread of ideas than the print-ing press, and provided the means for near-instantaneous conversations between physically and politically distant groups. However, although the Internet has made the dis-tribution and mirroring of content easier and more cost effective than physical printing, it is also much easier to censor electronic content on a large scale due to the centralized nature of storage and routing services. For example, the Great Firewall of China [29], capable of fil-tering and inspecting all traffic that enters and leaves the country, is a much more practical and scalable censorship strategy than finding and searching the contents of ev-ery physical document that crosses the border. Similarly in the United States, the Digital Millennium Copyright Act (DMCA) provides an extremely flexible and versa-tile tool for commercial interests to censor digital content from the web [26]. Under section 512 of the DMCA, In-ternet Service Providers (ISPs), content providers, and search engines are required to immediately comply with extra-judiciary requests to remove content, links, and subscribers from the system or risk losing “safe harbour” status and being held partially accountable for the copy-right violation. Together, these service providers wield a large amount of control over the accessibility of Internet content.

(2)

to-day’s Internet services and provide Internet users with the censorship-resistant properties of the printing press, Anderson proposed the Eternity Service [1] in 1996. The Eternity Service is a description of an ideal digital print-ing press and with it Anderson outlines a conceptual framework for building censorship-resistant publishing systems in the context of modern digital communica-tions. However, despite myriad attempts to build systems that fulfill Anderson’s goals, many of whichdoprovide strong censorship resistance [6, 7, 24, 28], we are still removed from the model of the printing press: existing systems impose barriers above and beyond the publisher simply paying for raw materials and labour.

Anderson’s vision of censorship-resistant storage re-lies on a large number of geo-politically diverse partici-pants providing bandwidth and storage space to the tem. A significant barrier to the adoption of existing sys-tems has been the lack of incentives to participate hon-estly in a distributed storage system. Existing incentive models are unfit for censorship resistance because they rely on a centralized audit and payment system or lack a rigorous game-theoretic analysis of possible attempts to subvert the system and thus maximize earnings. Until recently, incentive systems also lacked a candidate elec-tronic payment system with the security and anonymity properties necessary to provide micropayments to par-ticipant servers in exchange for their storage space and bandwidth. However, the development of cryptocurren-cies has provided a new way to administer electronic payments and enforcepayment contracts, similar to the original printing press.

Using these tools as the building blocks, we have de-veloped Lavinia: a distributed audit and payment proto-col for censorship-resistant storage in which publishers pay for the storage and bandwidth costs associated with distributing content securely in the presence of power-ful censoring adversaries, and receive in return strong guarantees that their content will remain available for the specified amount of time. We give an extensive game-theoretic analysis of our protocol and show that rational, self-interested parties will implement our protocol faith-fully, behaving no differently from an honest, altruistic, participant.

In Section 2, we discuss related work on distributed audit and payment protocols. We then discuss the proper-ties of censorship-resistant storage systems in Section 3. We describe our payment system and protocol in Sec-tion 4 and SecSec-tion 5, and in SecSec-tion 6 we show that self-interest on behalf of participating nodes results in honest participation in the system. We give a security analysis in Section 7, and conclude in Section 8.

2

Related Work

Anderson first proposed a digital version of the printing press 20 years ago [1]. The Eternity Service is an ideal (yet unrealized) censorship-resistant publishing system that comprises properties such as plausible deniability for participating servers, anonymity for publishing au-thors, and notably a payment system to mimic the model of the printing press where a publisher pays to have their work replicated and distributed to readers in a way that is difficult for authorities to track and prevent.

Many existing censorship-resistant publishing systems rely on in-kind payments and reputation-management protocols to incentivizehonestparticipation and to limit the effects of a storage-based denial-of-service attack, in which an adversary prevents the publication of new doc-uments by filling up all available space. Tangler [28] assigns storage credits to participating servers, allow-ing them to store a set amount of content proportional to their own donated capacity. This gives them the option to “rent out” or donate their storage credits at their own dis-cretion. However, Tangler does not provide a protocol for credit rentals or donations, leaving servers to adopt insecure or biased methods of collecting remuneration for their services. Furthermore, there is no audit pro-cess to guarantee that servers continue to store and serve uncorrupted documents over time. While Tangler does use a comparison of messages to inform other participat-ing servers of nearby malicious nodes, such a reputation system is not secure against a large number of colluding nodes.

Free Haven [9] employs a more complex reputation management system in which servers assign areputation andcredibilityvalue to all other known servers. Each of these two values is also accompanied by aconfidence rat-ingthat reflects the depth of a server’s knowledge about the node in question. Servers broadcast referrals that contain suggestions for these values in the event of hon-est, malicious, or suspicious behaviour. Although such a system can pinpoint malicious nodes, it does not de-fend against more complicated game-theoretic attacks in which an adversary behaves honestly but suspiciously in order to bait other servers into giving false reports.

Vasserman et al.’s one-way indexing scheme [27] solves the complexity of distributed trust assignments by using a centralized editorial board to curate content and defend against denial-of-service attacks by deleting unimportant documents from the system. This central-ized design does not realize a digital printing press akin to Anderson’s goals [1] as users cannot store content that the editorial board deems to be uninteresting or offen-sive, unless it is also popular.

Although the development of an electronic payment protocol to incentivize censorship-resistant publishing is

(3)

novel, it builds on related work in the area of distributed data storage and retrieval. A key problem in distributed storage is that once a document is stored, the server re-sponsible for it may decide to discard the data or leave the storage network. Payment at the time of storage is therefore ineffective, and incremental payments require careful management of server reputations. There is a large body of work that addresses the problem of dis-tributed payment in peer-to-peer systems through the use of micropayments, audits, and escrow services. Most early systems relied on a centralized payment system or suffered from problems in scalability or anonymity [8], which render them unsuitable for censorship resistance. More recent systems tend to rely on escrow payments to incentivize storage, but still require centralized au-dits [13] or in-kind payments where publishers pay by offering access to unused CPU cycles or bandwidth [20]. These features are undesirable for censorship resistance, where centralized third parties are vulnerable to attack and publishers (e.g., political dissidents) should be al-lowed to cease interaction with the system after publica-tion.

The proposed storage system most similar to our own [18] is fully distributed and provides micropayments in return for the periodic verification of storage. How-ever, the proof of retrieval technique used to audit doc-ument availability allows servers to distinguish between auditors and regular users. This knowledge allows them to maximize profits by refusing to serve content to any-one but an auditor. While this model is appropriate for storing documents that are meant to be accessible by a single user, it does not fit the needs of a censorship-resistant publishing system in which content is meant to be accessed by many users, and serving content is equally as important as storing it. For this reason, our proposed solution will make users indistinguishable from auditors, forcing servers to deliver content forevery ac-cess. We utilize a novel micropayment system in our pro-tocol, similar to existing work, but with additional fea-tures that ensure suitability for censorship-resistant pub-lication, storage, and retrieval.

3

Censorship-Resistant Storage

The structure of censorship-resistant publishing sys-tems differs from that of traditional storage schemes. Censorship-resistant storage is largely decentralized and dynamic, involving a diverse and constantly changing set of servers. As a result, stored documents often move between servers, and are subject to denial-of-service at-tacks from powerful adversaries. We assume that a sub-set of participating servers in censorship-resistant sys-tems are malicious and will drop content at will, neces-sitating a larger degree of replication than in traditional

storage schemes. In this section, we describe existing censorship-resistant storage systems and define a general model for later use.

3.1

Existing Storage Schemes

As with traditional printed documents, wide dispersal and redundancy are essential for increasing the likeli-hood of a document’s continued existence over time in a digital setting. The dispersal of sensitive documents across multiple jurisdictions has important advantages: state-sponsored attempts to remove information from the system will not be able to reach a significant subset of servers, and a single entity’s attempts to compro-mise each machine will not scale to physically separate servers. Redundancy is essential in the event that a subset of servers becomes compromised or physically attacked. Documents will also remain available even if the system suffers a loss of hardware.

In addition to dispersing documents, many systems use a combination of encryption and thresholding [21] to split a single document into multiple files, each of which is by itself insufficient to reconstruct the original docu-ment. This not only makes the task of an adversary se-lectively dropping files based on content more difficult, but also provides honest servers with plausible deniabil-ity about what they are hosting. In some jurisdictions, this may afford them legal protections.

In early censorship-resistant systems, documents were distributed among a static, predetermined set of servers. In order to retrieve a document, a reader needed only to either know which of the servers were responsible for storing it, or broadcast a request for the document to all servers in the system. While this method is very sim-ple to imsim-plement and relatively easy to defend, it is very limited in scale. To allow for a much more dynamic group of servers, other storage systems are built on top of structured peer-to-peer (P2P) networks such as dis-tributed hash tables (DHTs) [16, 19, 23], that allow par-ticipating servers to join and leave the network. Each piece of a stored document is associated with a keyword, and the space of all keywords is partitioned among parti-pant servers to allow for efficient document storage and retrieval. Full documents are then easily retrievable with a set of keywords.

Despite their usefulness in providing an efficient, structured and dynamic storage environment, DHTs in their most basic form are insecure in our threat model. An adversary capable of infiltrating the network can per-form Eclipse [5] or Sybil attacks [10] to control an over-whelming majority of the network and mislead honest servers as to where content is stored. We note that secur-ing DHT join and lookup protocols is an active area of research [3, 5, 22] and is outside the scope of this paper.

(4)

Freenet [7] is a popular censorship-resistant publish-ing system that takes a different approach to storage. Rather than deterministically partitioning the keyspace among participant servers, in Freenet documents are ini-tially stored at one location, and then cached by many other servers when they are retrieved from the system. The result is that popular documents end up stored at a large number of servers, and each subsequent request for the document is faster and more efficient.

3.2

General Storage Model

While our payment and audit protocol will work with a wide variety of storage schemes, including many exist-ing censorship-resistant publishexist-ing systems, we base our security and game-theoretic analysis on a general model of distributed storage. What follows is a list of proper-ties that the storage system must have, and the notation we will use in the rest of the paper.

Accessibility:A reader should be able to retrieve and discover documents with a single lookup key. Each doc-ument is associated with a storage keykeyword. For in-stance, a democracy activist might search the storage sys-tem for variants of the keyword “democracy”, and be pre-sented with the list of documents stored under that key-word. A keyword search may prompt additional lookups for the multiple files that are required to reconstruct the document; we refer to a single piece of the document as afile f. Each file f is stored under a lookup key denoted lookup(f). Performing a lookup for this key will return the server that is currently responsible for hosting that file. We assume that a lookup will be routed through, on average, a set ofk>1 servers on its way to the server re-sponsible for the file. Each server stores some routing in-formation about other servers in the system, and returns this information whenever a lookup request traverses its node. Additionally, we assume that given a lookup key for f, a user cannot discover all lookup keys necessary to reconstruct the entire document as in the one-way index-ing technique [27]. This will allow servers and auditors in the system to maintain some level of plausible denia-bility.

Redundancy:As part of long-term storage, especially in the presence of an active censor, a high degree of re-dundancy is required. The replication of content ensures that the document does not become lost if some servers drop out or refuse to serve content. We assume that the underlying storage scheme mirrors each filef on a set of n2 servers serverf1,serverf2, . . . ,serverf n. We also assume that the server responsible for the main copy of the file f (i.e., the server that is targeted by performing a lookup on keylookup(f)) has a way of contacting the mirroring servers.

Churn: Censorship-resistant storage systems are, by their nature, dynamic. We assume that new servers may join the system and that existing servers will leave. When a server joins the system, it becomes responsible for a subset of the system files, as determined by its identifica-tion numberserver id. The new server may contact the server(s) that were previously responsible for her files, and any server operator may leave the system at any time, and may contact the server(s) responsible for her files af-ter she leaves.

4

Payment System

The main goal of providing compensation to participant servers in a censorship-resistant storage system is to in-centivize the storage and availability of a document for an arbitrary amount of time. Anderson described an an-nuity that could accomplish this goal by “following data around”, providing incremental payments to any server currently responsible for hosting and serving it [1]. He argued that economic incentives would encourage server operators to maximize their profits by upgrading their hardware and carefully storing pristine copies of docu-ments until their expiration date. When valuable content is stored on electronic devices, past precedent indicates that even small operators will go to great lengths to re-cover missing data [14].

At the time of its writing, the Eternity Service had no access to a reliable payment infrastructure that could re-munerate participants electronically. Anderson posited that any weakness in the payment system (e.g., in terms of anonymity or reliability) is also a weakness in the Eter-nity Service itself. If a payment system is centralized and has the ability to link a payment to a particular document in the system, then it is vulnerable to coercive actions that could cause it to refuse to process certain payments, resulting in censorship of the corresponding document.

Recent innovations in cryptocurrencies have provided a means to create Anderson’s vision of a travelling an-nuity. However, the properties of cryptocurrencies that enable our protocol may also be present in future elec-tronic payment systems. Here, we outline the properties a payment system must have to be compatible with our protocol and demonstrate how the popular Bitcoin cryp-tocurrency [17] satisfies these requirements.

Coercion-resistant:As discussed above, the payment system must not be susceptible to coercion tactics aimed at ceasing payments for a particular document. This can either come from a very strong guarantee that it is impos-sible to link individual payments to specific documents in the system, or a weaker guarantee that payments are probabilistically likely to be processed despite being af-filiated with Lavinia. We do not require payments to be unlinkable to Lavinia itself, and instead require that the

(5)

payment system be amenable to participation in censor-ship resistance activities in general (even if it would pre-fer not to be associated with specific documents).

Redeemable with secret(s): Payments should be re-deemable by anyone, regardless of identity or geograph-ical location, with the possession of one or more prede-termined secrets. This requirement allows the payments to follow the document around as servers join and leave the system. The nature and mechanics of these secrets can vary (e.g., cryptocurrency private keys, bank account numbers, or passwords), as long as they are independent from any one location and identity.

Time locked: The currency must be able to be held in escrow, to be redeemed only after a certain amount of time has passed. The purpose of payment is to remuner-ate servers for theircontinuedparticipation and service. There must be no way to game the system and receive payment before an incremental time period has passed. There must be flexibility in how often and for how long these payments occur. For example, a publisher should be able to pay a server to host and serve a document ev-ery month for two years. The server should receive only one payment a month and these payments should end af-ter the two years have expired.

Public append-only log: In order to communicate payment information and verify that the conditions for payment have been met, we make use of a publicly viewable, append-only log. While this does not need to be a part of the payment system itself, it does need to be monitored by the entities in charge of issuing and transferring payments. In particular, we require the ability to enforce that an annuity payment may not be redeemed until a predetermined valuevis appended to this log.

A payment system with these properties allows a pub-lisher, Alice, to place a set amount of funds x in es-crow, to be redeemed after a timethas passed. To move these funds, the recipient(s) must be in the possession of all predetermined secrets in the set S. The funds, X ={s1:x1,s2:x2, . . .}, specify which portion of the

total amountxare associated with each secretsi∈S. We require that the sum of the funds inXis equal to the total fundsx. As a condition to moving the funds, the recipient must post a valuevto a publicly viewable, append-only log. We refer to the agreement to pay the fundsXafter a timet given a setSand the disclosure ofvas apayment contractP(X,t,S,v).

In order to transfer funds, the recipient(s) need to ful-fill the contractP by providing proof that they possess all secrets in the setSand publicly post the valuev. We denote this transactionas T(proo f(S),v). We require that the commitment to the secrets inSand the proof of these secrets happen in a way that does not leak informa-tion about the values inS. Note that if there are multiple

secrets in Sthat are held by different parties, the funds should be divided amongst these parties in accordance with the specificationXin the payment contract.

There are several candidate payment systems that sat-isfy these properties, some with stronger guarantees than others. We now give an example of how to implement a payment contract using Bitcoin [17].

Example. Bitcoin is resistant to document-payment linkability attacks: by remaining pseudonymous, a pub-lisher can make the task of linking a document to a payment difficult; especially through the use of an anonymizing layer such as Zerocash [4]. We also note that as long as at least 50% of miners accept Lavinia transactions, there is a high probability that they will not be dropped from the system.

Bitcoins are redeemable with one or more secrets. To redeem and spend a coin, a user must be able to sign a transaction with the private key associated with a Bitcoin account. It also has a time-lock feature, which allows the publisher to specify a date before which a payment can-not be redeemed. The payment blockchain doubles as an append-only log, and the Bitcoin scripting language1 al-lows a publisher to enforce that specific values be added to this log before a payment can be redeemed.

We can construct a payment contract P({s1:x1,s2:x2},t,{s1,s2},v)

in Bitcoin using the Bitcoin scripting language. When a transaction to spend a coin is processed, its input script is concatenated to the output script of the transaction that created the coin. We commit toPby submitting a trans-action spending coins worth a total ofxto the blockchain. This transaction contains the following output script: timelock: t Output: [ {x1, <Pubkey s1> <PubKey s2> 2 OP_CHECKMULTISIG OP_SHA256 <hash_of_v> OP_EQUALVERIFY }, {x2, <Pubkey s1><PubKey s2> 2 OP_CHECKMULTISIG OP_SHA256 <hash_of_v> OP_EQUALVERIFY }] It requires a proof of knowledge of the secretss1ands2

in the form of signatures on the subsequent spend trans-action. It also requires the next spend transaction to in-clude the valuevin its input script. It verifies this value by ensuring that it hashes to hash of v. The time lockt ensures that the next spend transaction will not be sub-mitted to the blockchain until the time has passed.

The transactionT that fulfills this contract is a Bitcoin transaction with the following input script:

(6)

<v> <sig s1> <sig s2>

There should be one transaction for each output in the script above. Each owner of a secret in the setSmust pro-vide a transaction with this input script to redeem their funds. Note that this involves signatures from both par-ties on each transaction.

5

Lavinia Protocol

We now discuss the details of Lavinia, given the exis-tence of a payment system with the ability to create con-tractsP(X,t,S,v)and redeem payments with a transac-tionT(proo f(S),v)as discussed in the previous section. Our protocol is secure with any storage system that fits the general model described in Section 3.

5.1

Overview

Lavinia allows a publisher to publish content, submit payments, and then vanish from the system completely— the continued availability of content is not contingent on the actions of the original publisher. This protects against out-of-band coercion tactics such as “rubber-hose crypt-analysis” in the case that the publisher is captured or prosecuted. Additionally, third parties may fund existing documents in order to increase the likelihood that they will remain in the system or extend the document’s life-time. This ensures that even popular content with higher bandwidth costs will remain in the system.

Micropayments to participating servers occur at audit times chosen by the publisher or benefactor during the initial payment step. The publisher chooses a different auditing server for each audit time and places with them the responsibility of checking her file for availability at that time, in exchange for a small remuneration. An au-ditor is indistinguishable from a regular user and requests the file as a regular user would, assuring in the process that the server is faithfully serving content. We place restrictions on the auditor by preventing her from learn-ing which files she will audit until the previous audit time has passed. At that time, she may access the file’s lookup key by searching the payment system’s append-only log. Finally, we place additional incentives to ensure that all audits and remuneration occur in a timely manner at each audit time.

An important challenge associated with making csorship resistance a possibly profitable endeavor is en-suring that a participant is unable to game the system and receive payments without providing services. We assume that all participants in the Lavinia protocol are rational and self-serving entities who will employ any means necessary to receive payments while incurring as few costs as possible in the form of storage space and

network bandwidth. In Section 6, we show that exploit-ing this self-interest strengthens the censorship-resistant properties of the system and increases the likelihood that a document remains available until its expiration date.

Although Lavinia cannot directly help impoverished users publish documents safely, it does provide a way for third parties to help them more efficiently by allowing them to create payment contracts on behalf of the pub-lisher or to suppliment existing documents. For example, concerned free speech advocates could form a fund to store documents they felt were meritorious, and perhaps even participate as servers in the storage system and host content for free. We also anticipate that storage costs for small documents should be minimal, and perhaps acces-sible to impoverished users, in any case.

5.2

Protocol Details

We give the full Lavinia protocol in Figure 1. During publication (or at any time throughout the life of the document) a publisher or benefactor, Alice, may prepare payments for each file f stored in the system.

Alice first determines a set of times T ={t1, . . . ,tn} at which she wishes her document to be checked for availability and creates a payment contract for each au-dit timetT. For example, if she wishes her document to be audited approximately once a month for two years, she would then create 24 payment contracts for each file f she uploads to the system. These contracts form an agreement between Alice, the servers hosting her shares, and the auditors responsible for ensuring her document’s availability.

For each of Alice’s contracts, she randomly generates secrets skA and skS for an auditor and server, respec-tively. She then decides on the amount of the payments X={skA:xa,skS:xs}to the auditor and server.

The time lock on the contract must enforce that funds are not transfered until the audit timet has passed. Let kw(s,K)be a key-wrapping function that encrypts a key K with a secret s. We assume that this key wrapping function is secure and that the ciphertext does not leak information about the secret sor the keyK. Alice en-crypts the auditor’s secret with a random valuerto pro-duce the masked secret v=kw(r,skA); v becomes the value that must be posted to the append-only log to re-deem the contract, as described in Section 4.

Alice now constructs the contract

P({skA:xa,skS:xs},t,{skS,skA},kw(r,skA)). This will place funds for the file f in escrow with the server responsible for hosting the share and the auditor responsible for assuring its existence at timet. Together, the server and auditor must provide proof of knowledge of the secretsskSandskAafter timethas passed, and the auditor must publish his masked secret, to transfer these

(7)

Alice

Server

Auditor

kw

(

r

s

,

skS

)

Commits to

P

(

X

,

t

,

{

skS

,

skA

}

,

kw

(

r

,

skA

))

t

,

kw

(

skA

prev

,

lookup

(

f

))

,

kw

(

H

(

f

k

skA

prev

)

,

skA

)

,

r

prev

,

r

,

kw

(

H

(

f

k

skA

prev

)

,

r

s

)

at time

t

Finds valuekw(rprev,skAprev)

Unlockslookup(f)

Search for

lookup

(

f

)

in storage

f

DecryptsskA,rs

r

s

(Postskw(r,skA)to log)

T

(

proo f

(

{

skS

,

skA

}

)

,

kw

(

r

,

skA

))

Can’t findkw(rprev,skAprev) T(proo f(s0),s0) Figure 1: Protocol for setting up payments and auditing a file f at timet, wherekw(s,K)is a key-wrapping function that encrypts a keyKwith a secrets. The burn procedure is shown in red.

(8)

funds from Alice’s account to their own. She distributes the server secretsskSfor each audit timetto the server responsible for each file by encrypting them with the key-wrapping functionkwand a random valuers to produce the masked server secretkw(rs,skS).

Alice then selects auditors for each of her contracts, and sends to each of them the audit timetand the lookup key for f encrypted with the previous auditor’s secret, kw(skAprev,lookup(f)). She also sends the masked audi-tor secret,kw(H(fkskAprev),skA), encrypted with a hash of the file f concatenated with the previous auditor’s se-cret, where the cryptographic hash function H is both pre-image resistant and collision resistant. Finally, she sends the auditor the random valuerprev, which is used to encrypt the previous auditor’s secret, the random value r, which the auditor will use to encrypt their secret, and kw(H(fkskAprev),rs), the encrypted secret that the server will need to unlock their own secretskS. After this point, the publisher or other benefactor is free to cease all inter-action with the system. The construction and distribution of the above payment information can be performed dur-ing or after the publication of the document. Note that it is in Alice’s interest to construct these values honestly. An incorrect or insecure value that prevents a server or auditor from being paid or allows them to cheat the sys-tem will increase the probability that her files will be dropped.

In order to ensure that her document will be audited during each time period, we need a way of time-locking these payments. The server and auditor should not be paid before each time period begins, and they should not be able to audit the document ahead of time. To accom-plish this, we use a combination of the payment system’s time-lock feature and sequences of auditor secrets for each file. In order for the auditor at timetto unlock their secretskA, they must have information about the secret of the previous auditorskAprev.

This scheme has the advantage of enforcing the time lock with self-interest. Alice’s payment contract en-forces that the auditor at timetprev cannot redeem their payment until timetprev has passed. When they move funds, they must also release their encrypted secret, kw(rprev,skAprev) to a publicly viewable append-only log. At this time, the auditor at timet is able to com-pute their own secret and perform the audit of the file. If the previous auditor releases their secret ahead of time, they run the risk of forfeiting their payment to the next auditor (since their secret will then be visible to that au-ditor). We show the timeline for auditing a file f at audit timetin Figure 2.

Alice initializes this sequence by providing the first auditor with a randomly generated initialization key iv and the following values:

t,lookup(f),kw(H(fkiv),skA),r,kw(H(fkiv),rs)

Auditor att Auditor attnext Payment System

at timet Cannot find

kw(rprev, skAprev)

T(proof(skA0), skA0)

at timetnext Finds valueskA0

Unlockslookup(f)

Figure 3: Burn functionality extension to audit protocol

Note that this first auditor must still conduct a lookup of the file f to unlock their secret skAand the server’s random secretrs.

5.3

Burn contracts

A disadvantage of the method of sequential payments de-scribed above is the impact of an auditor leaving the sys-tem, even temporarily. If the auditor at time tprev fails to release their information, the auditor at timetwill not have the information needed to perform her audit or re-ceive remuneration for her efforts. This in turn will pre-vent subsequent auditors from receiving the information needed to perform their audits, effectively terminating the revenue stream for the file. A malicious party could easily exploit this by posing as an auditor, and simply declining to perform their audit, or coercing an honest auditor into skipping a single payment on some targeted document. To avoid this, we extend the requirements of our payment system to allow an auditor to burn the pre-vious auditor’s payment after their time has passed. If an auditor at timet becomes aware that the previous audit failed, they will be able to burn the money in both their and their predecessor’s accounts and forward the secret to the next auditor in the chain. In order to incentivize burning instead of complete inaction, we allow them to keep a small fraction of the profits they would have re-ceived if an audit were possible (though not so large that they would prefer burning payments to performing au-dits).

The payment contract should be extended to allow Al-ice to specify a burn parameter, B={S:s0:x0}. This lists the burn secrets0 that will invalidate payments to the secrets inS, and the money the burner will receive in return,x0. Alice also specifies that the values0should be posted to the public log.

This money is then burned if and only if an auditor issues a transactionT(proo f(s0),s0)where they posts0 to the log. This will allow the auditor at timetnext to proceed as usual. Alice should include a randomly gen-erated burn secrets0for a timetin the set of information

(9)

publication time = tprev time =t

P(x, t,{skA, skS}, kw(r, skA)) Alice commits to:

Alice gives Auditort:

audit time: t,

random values: rprev, r,kw(H(fkskAprev), rs)

document key: kw(skAprev, lookup(f)),

locked private key: kw(H(fkskAprev), skA)

T(proof(skAprev), kw(rprev, skAprev))

Auditortprev sends:

kw(rprev, skAprev)

Auditortprev posts:

Auditortdecrypts:

skAprev

lookup(f)

Auditor tretrieves

file f from storage

Auditortdecrypts:

skA

T(proof(skA), kw(r, skA))

Auditortsends:

Figure 2: The timeline of an audit sequence for a file f from the perspective of its auditor at timet.

she provides the auditortduring publication. Each audi-tor for timetwill then receive the previous auditor’s se-cret locked with the previous burn sese-cret during publica-tion,kw(s0

prev,skAprev). In addition to preventing delib-erate attacks on the chain of audits, this will incentivize auditors to complete their assigned audits before the next time period begins. We give this extended protocol in Figure 3.

We will now give an example implementation of the burn functionality in Bitcoin using theOP RETURNcall.

Example. The following Bitcoin script implements the extended payment contract whereB={skA:skA0:x3}.

P({skS:x1,skA:x2},t,{skS,skA},kw(r,skA),B)

Output: [ {x1,

<hash_of_skA’> OP_EQUAL

OP_IF

OP_RETURN //burns the money OP_ELSE

<Pubkey skS> <Pubkey skA> 2 OP_CHECKMULTISIG OP_SHA256 <hash_of_kw(r, skA)> OP_EQUALVERIFY OP_ENDIF }, {x2, //same as x1 script }, {x3, <hash_of_skA’> <Pubkey skA’> OP_CHECKSIG }]

Note that the publisher, Alice, does not need to in-crease the amount of money she allocates for each file.

She can simply subtract the value of the burn secret from the value of the auditor’s payment. As the funds asso-ciated with the burn secret are never burned, the auditor can claim this amount at any point after timet.

5.4

Choice of Auditors and Audit Times

Auditors can conceivably be any collection of entities willing to participate in the Lavinia protocol. We do not make any assumptions about whether or not they also participate as servers in the system. However, auditors do need to be discoverable by Alice. For maximum se-curity, Alice should choose a different auditor for each audit time and file. This requires a potentially large num-ber of auditors. One way to increase the ease of distribu-tion and discoverability is to make the set of servers and auditors one and the same. This would allow Alice to choose a random lookup key for each payment contract, and probabilistically ensure that no one auditor will be responsible for multiple audit times of a single file.

To reduce the ability of servers to guess future audit times, a publisher can choose times at random intervals, distributed according to a Poisson process. This defends against an attack in which servers only serve content dur-ing brief time windows around fixed intervals in an effort to distinguish between auditors and regular users.

We also note that any reader can claim to be an auditor for an audit timet, and servers are unable to verify their identity. Even if the server is certain about the next audit time, there will always be at least some period between the release of the previous secret and the retrieval of the document by the next auditor during which the servers will be forced to serve the document to all users.

(10)

6

Game Theory Analysis

In the Lavinia protocol, servers in the storage scheme are incentivized to behave correctly by the potential profits they earn from delivering files. While individual oper-ators might have nobler motives, we claim that the har-nessing of the profit motive is actually anadvantageof our system in many respects. Operators who see an op-portunity for profit can go to great lengths to ensure the integrity of the system, and to ensure they are able to fulfill their obligations. However, the use of the profit motive also has a distinct disadvantage: profit-seeking operators will not necessarily conform to the desired pro-tocols and behaviours of the system if they can find and implement a more profitable protocol, which may not include desired behaviours. For example, recent work by Eyal and Sirer [12] highlights a vulnerability in the Bitcoin mining network when miners exhibit selfish be-haviour. In this section, we characterize the behaviour of rational, profit-maximizing server operators using tech-niques from game theory.

Game theoretically, we model choices of behaviour within a censorship-resistant storage system as agame played by a set ofplayers A, of size|A|, and denote player i byAi. Each player operates one or more servers, all connected to the same network. Each player is self inter-ested and motivated by profit alone, but is not malicious. That is, each player tries to maximize their own profits, but does not try to reduce the profits of other players (un-less doing so increases their own profits).2 We assume

there areηservers being operated in total, and denote the set of all servers byS, and server joperated by playeri withSi,j.

In our model, each player plays several families of games strategically, where each family is an approxima-tion of the network under certain assumpapproxima-tions. We will show that in the relevant subset of such games, there ex-ists a dominant strategy equilibrium. That is, there is one (and only one) way for a rational, profit-maximizing player to behave, and it is to implement the Lavinia pro-tocol correctly, provided that certain sensible conditions are met.

More formally, each game will consist of server oper-ators selecting astrategy in the form of a set of policy decisions. Strategies are selected to maximize theutility functions, or profit functions, of each player, potentially based on what the other players do. The set of strategies selected by all players is called astrategy profile. A strat-egy profile is said to form aNash equilibriumwhen, even with complete knowledge of what the other players have done, no player could improve their profits by retroac-tively adopting a different strategy. An equilibrium is adominant strategy equilibrium when no player could

2We consider the impact of malicious nodes in the next section.

improve its profits,regardlessof what the other players may or may not do. Note that a dominant strategy equi-librium is not necessarily unique (there could be, e.g., two equally good actions for a player to take). When there is a tie in the qualities of two strategies, we as-sume that players prefer the strategy that is closest to the Lavinia protocol (a useful assumption in many game the-oretic contexts [25]). This is essentially an assumption of sloth: no player should waste resources to change from the default client behaviour to something else, if there is no change in their overall profits.

6.1

The Static Game

To begin, we consider a simplified version of the stor-age system where the network topology is fixed. No servers may join or leave the network, and no operator may choose to increase or decrease the number of servers they operate. This environment is unrealistic, but could be a useful approximation of the network in the long run (i.e., after it has operated for a long time, and includes many players). Its study will also provide insights for the model considered in the next subsection, in which nodes can both join and leave the network.

In this game operators must pick a strategy for operat-ing their servers. An operator must adopt a policyΠshare that specifies for each file f held by a server, whether or not to send the file when other parties request it. This policy can be sub-divided into a set of probabilities 0Πshare(f)≤1 each of which specifies the probability that the server responds to a request for file f. Addition-ally, servers must adopt a storage policyΠstore specify-ing whether or not to continue storspecify-ing a file f. Again, 0Πstore(f)≤1. Finally, a server must adopt a routing policyΠroute, which specifies how the server responds to lookup requests that are routed through its node. This last policy is more complex. It cannot depend on any par-ticularf, but may instead depend on the particular server sbeing queried or the details of the lookup key. Πroute specifies whether the server will return honest routing information, or dishonest information in an attempt to increase the server’s profits. This policy can be split into three components,Πroute(s,any),Πroute(s,sel f)and Πroute(s,others), respectively denoting whether the rout-ing information from node sis sent at all, whether the routing information contains correct information about the keyspace managed by s(i.e., whether the nodesis honest about the files it is responsible for), and whether the routing information for the keyspace of other servers is correct.

We further model global properties of the network withΓsend(f), andΓroute(s), the fraction of requests for a file f that are correctly routed (eventually) to the node storing f, and the fraction of routing traffic that passes

(11)

through s as a fraction of all traffic expected to pass throughs(i.e.,η1 of all traffic is expected to pass through s). Additionally, we denote byΓhop the average num-ber of routing steps made by a given request. Finally, the functionλBR(f)denotes the ratio of lookup requests made by ordinary users to lookup requests made by audi-tors for a particular file. The related functionsgtransmit(f) andctransmit(f)denote the profit from sending fto an au-ditor, and the transmission cost of sending f to anyone, respectively. croutesimilarly denotes the cost of sending routing information about one lookup key. T is the total number of lookups into the system.

We are now able to state a formal characterization of how rational actors will behave in at least the most im-portant set of static games of this kind (the proof is pro-vided in Appendix A).

Theorem 1. If every server in the network is a starting point for η1 lookups, and no lookup will visit the same node more than once, then provided that for every server s in the storage system,

∑f η1(gtransmit(f)−λBR(f)ctransmit(f))

T >croute

and for every file f stored at s 1

η(gtransmit(f)−λBR(f)ctransmit(f))>cstore(f), then there exists a dominant strategy Nash equilib-rium where all servers adopt the strategyΠstore(f) =1, Πsend(f) =1,Πroute(s,all) =Rs, where Rsis the correct routing information for s.

The interpretation of this result is that, provided servers do not expect significant churn (i.e., nodes are neither going to leave nor join in the near future), and traffic levels for files are relatively constant in the longer term (i.e.λBR(f)does not change much from the server’s initial belief, so that payments are always sufficiently high), rational servers will conform to the Lavinia pro-tocol even if other nodes behave irrationally, subject to some modest, realistic, constraints. Further, as detailed in the proof, when more and more nodes behave ratio-nally, Γsend(f) increases, while ΓhopΓroute(s) will de-crease, so as more and more nodes behave rationally, the costs of irrational behaviour (relative to rational be-haviour) will increase. (See the proof in Appendix A for further details.) We conclude that this indicates the sys-tem should be quite stable in practice, once established.

We note that, although storage and bandwidth costs will vary by jurisdiction, the price of storage hardware at the moment amounts to approximately $0.03 per GB in the United States,3 and the cost of bandwidth is ap-proximately $10/month per Mbps,4 which also equals

3http://www.mkomo.com/cost-per-gigabyte-update 4

https://blog.cloudflare.com/the-relative-cost-of-bandwidth-around-the-world/

$0.03 per GB. The profit from hosting a file,gtransmit(f), should then be at least(η+λBR)$0GB.03· |f|.

6.2

Estimating

λ

BR

Since the strategy adopted by the server (i.e., a server’s decision to stop storing content, if its long-run value be-comes negative, or to temporarily stop serving it if there is a sudden surge of traffic) is dependent onλBR, we now pause to explain how servers might compute this quan-tity, and consequently compute their strategies.

If we assume that requests for a file f follow a Pois-son distribution, and that audit times are also PoisPois-son distributed, then it initially appears that a serverAi in-terested in computing λBRmust learn the parameters of two Poisson Processes, from which they can then calcu-late the fraction of future traffic that will yield payment. However, in practice the arrival frequency for non-audit traffic may change dramatically over time (e.g., it is an inhomogeneous Poisson process or a Cox process [15]). For instance, one might expect a rapid decrease in actual interarrival times if an important file is posted, and then later discovered and reported in the press. IfAi cannot model the change in the process’s value over time, then it cannot reasonably decide whether to continue serving the file in response to sudden spikes in traffic (like a denial of service attack). It also cannot decide whether or not to continue storing the file if traffic grows too high (in the hope that traffic rates will decline again in the future), or to discard it (under the assumption that transmitting the file will never again be profitable).

In essence this is a traffic prediction problem, which is an active area of research. We suggest the use of a simple piece-wise linear approximation process [15], which can be used to estimate the current arrival rate of requests. Since the auditor’s arrival rates should not change over time, the rate can be estimated using a conventional max-imum likelihood approach, where events take the form of a payment by an auditor. The ratio of the mean arrival times of normal traffic to the auditor’s mean inter-arrival times givesλBR. The node does not directly ob-serve the inter-arrival times of normal traffic, however. It can only observe the inter-arrival times of total requests for the fileλf and the inter-arrival times of payments for the fileλT. ThenλBR=

λf−λT

λT .

6.3

Dynamic Behaviours

Having established that Lavinia is stable when the set of players is static, we now consider strategic behaviour in scenarios where nodes can join and leave the network. In this section, we rely heavily on the presence ofcached content in the storage system. When Alice publishes a document, she should store copies of each file, along

(12)

with its payment keysat mirroring servers. We will show in this section that servers have strong incentives for con-tinuing to store this information in the long term.

Additionally, we rely heavily on the idea of asecure routing system (i.e., a routing protocol where servers cannot report incorrect routing information while re-maining part of the network). This is a strong assump-tion, but it is needed to prevent incentives for side pay-ments that incumbent nodes might use to prevent new players from joining. A storage system set up by a ded-icated group with no plans to allow further operators to join could function without this requirement, and would exist in the equilibrium for the stable game, discussed above. However, such a network would be vulnerable because its content would not be very well dispersed, re-ducing plausible deniability for operators. Additionally, we do not address the possibility of Sybil attacks in this paper, although this is an active area of research [3,5,22]. As we have assumed that a node can join the network, and after a time will be present in the routing information of all nodes that point to its key space, the only needed result is to show that nodes will be able to acquire the content, and vitally, the payment information, associated with the keyspace they are taking over. We refer to this as themirroring subgame. As stated, we assume that each filef is mirrored by at least two other serverssf1andsf2.

The mirroring subgame is then a game played between a new node that wishes to join the network, which we call snew, and three other nodes, sorig,sf1 andsf2. We

de-note bykey(s)the identity determining the keyspace of a particular server. The other servers are defined as fol-lows:sorigis the server that holds some files that the new serversnewwould like to take over. sf1andsf2are

cur-rently mirroring the file f. We derive the following equi-librium result (see Appendix A for the proof and more formalized version of the problem):

Theorem 2. In the mirroring subgame, there is a Nash equilibrium where the joining node snewoffers a one-time payment to either sf1or sf2, selected randomly, and will

receive f with certainty. Further, this amount is not more than half the long-run total value of the mirrored file, ensuring a long-run profit for snew.

We have now established that, under the assumption a joining server snew will receive all income from ac-quired content, it can still plausibly acquire said content. Having established this, it is straightforward to show that servers are able to come and go from the network at will. To leave the network, a server simply copies the content to the server that will be responsible for the files after it leaves and mirrors the content at the new mirroring serversserverf1, . . . ,serverf n. These mirror nodes will accept the extra load, provided that the content is prof-itable to host in the first place (if the mirror will be the

node serving it), and because it can be sold to future join-ing nodes for a sum that will likely cover its costs, pro-vided that network churn occurs frequently enough rela-tive to the storage cost of the content (if the mirror will not be immediately serving the content itself). Since pay-ment times are Poisson distributed, no particular block of time is worth more than any other in expectation, so nodes cannot gain value by repeatedly joining and leav-ing. Note that although many nodes may thus end up with a given piece of content, and the associated pay-ment keys, only the node reached by a given auditor will receive the rs value needed to unlock payment for that time period.

Under our assumptions regarding secure routing, Lavinia incentivizes an equilibrium where nodes can join and leave at will, and where content will be stored redun-dantly. Coupled with the more robust equilibrium for a system with low churn, our results reinforce the idea that Lavinia satisfies the goals of our payment protocol.

7

Security

We claim our audit protocol is secure if an attacker is unable to:

1. compute the value ofskAfor any audit timet, un-less they are the auditor at that time, or timet has passed and they are the auditor in the subsequent time period,

2. receive a payment for auditing a filef at timet, un-less they have retrieved the file f from the system sometime after the previous audit time, tprev, has passed, and

3. receive a payment for serving a file f at timet, un-less they have served the file f some time after the previous audit time,tprev, has passed.

Theorem 3. The Lavinia audit protocol is secure. Proof. We first prove that an attacker is unable to per-form attack (1) above. Let us assume for the sake of con-tradiction that an attacker can learn information about the auditor’s secret skA. There are only four messages that depend on skA: kw(r,skA), kw(H(fkskA),skA), kw(H(fkskA),rs), andkw(skA0,skA)as well as the pro-tocol for commiting to a contractPand proving the pos-session of a secret in the transaction T. LearningskA from any of these messages, without knowledge ofror skA0 violates our assumption on the security of the key-wrapping functionkw, the collision and pre-image resis-tance of the hash function H, and the requirements we placed on our payment system in Section 4.

We now show that an attacker cannot perform attack (2). If the attacker is not tasked with auditing the file

(13)

f at timet, they do not possesskw(r,skA)and therefore cannot perform a transactionT(proo f(skA),kw(r,skA)) and cannot receive a payment for auditing the file. Let us then assume that the attacker is an auditor at this time and possesses the valuest,kw(lookup(f),skAprev), kw(H(fkskAprev),skA),rprev,r, andrs. The auditor can not fulfill the contractP without the secretskA. To un-lock this secret, the auditor must possess the previous audit keyskAprev and the file f. SinceskAprev will not become available until the audit timetprevhas passed, the attacker is unable to collect a payment before timetprev. Additionally, the auditor has no way of knowing which file f they are in charge of until they unlock the lookup key. This can only be done with skAprev. Therefore, the attacker can not collect payment unless they have re-trieved the file f from storage aftertprevhas passed. As we mentioned in subsection 5.4, as long as Alice chose her auditors reasonably, there is a very small probability that an auditor will have cached the filef from a previous audit time.

Finally, we show that an attacker cannot perform at-tack (3) above. A server can only receive the payment for serving file f at time t if it has the corresponding payment keyskS. This is locked withrs, which may be sent by the auditor at timet. This value is locked with the same key asskA. This reduces the attack to performing attack (2).

While the security of the protocol itself guarantees that an auditor or server is unable to receive payment without faithfully implementing the protocol, there are a number of attacks that a malicious adversary willing to forego personal gains could employ to drop content from the system. We will now describe these attacks and their defenses.

Denial-of-Service (DoS) Attacks: As mentioned, a document that is frequently accessed will have a higher associated bandwidth cost for the hosting server. An adversary could flood the storage system with lookups in order to make content costly, incentivizing servers to stop serving certain files. There are defenses that servers could deploy individually, such as rate limiting by IP or requiring the performance of a small computational task, to limit the number of lookups by a single user. How-ever, these techniques are useless against distributed at-tacks. In any case, we argue that a short-lived DoS attack will not result in content being dropped from system, but rather that servers will refuse to serve content only un-til the number of requests drop back to normal levels. A long-term DoS attack may be discoverable or too costly even for a state-level censor. Even the DDoS attack on Github by the Chinese government [2], which lasted five days, is still short term in the context of a document with a life span of multiple years.

Auditor-Server Collusion: An integral part of our protocol is that an audit must look no different from a regular request, forcing a server to deliver content at ev-ery request in return for possible payment. We show that an auditor lacks a sufficient amount of proof to reveal her status to the server without forfeiting her own pay-ment. The only way for an auditor to prove her status before faithfully collecting the file f during the audit is to provide the server with kw(H(fkskAprev),rs)and lookup(f), allowing the server to retrieveskS. However, the server cannot validate that this signing key is correct without the other signing keyskA, and the only way for the server to validate it without serving the file to any auditor or reader that claims to possessskAis for the au-ditor to give the serverkw(H(fkskAprev),skA), forfeiting her payment.

Join-and-Leave Attacks: In an effort to inherit con-tent from existing nodes and drop it from the system en-tirely, an adversary can employ a join-and-leave attack. By repeatedly joining the network, an adversary will in-herit a subset of documents from existing nodes in the system. If the adversary leaves the system without repli-cating or moving these documents, the content will be lost. We argue that the existence of mirrored content and the profit motive will result in multiple redundant copies of each document, and that these copies may be found with minimal investigation.

False Payment Attacks:An adversary can attempt to trick servers or auditors into dropping a document from the system by issuing false payment contracts, forcing the server-auditor pairs to undergo the audit and payment protocol before they realize that there are no funds asso-ciated with the provided payment keys. We argue that a document will still remain in the system as long as the original payments provided by Alice cover the marginal cost of participating in the additional malicious audits, which would be very small. Furthermore, the adversary is required to put some amount of funds in escrow and is unable to receive their funds until the audit timethas passed, allowing an auditor and server pair to race the adversary to complete the protocol and receive the addi-tional payment. The real danger is if an adversary tries to overwhelm Alice’s real contract by flooding her with thousands of worthless ones. We note that such an attack is quite costly, in both computing resources and capital, to the adversary as it requires a large amount of transac-tions in which the adversary must submit real payment contracts.

8

Conclusion

We have proposed Lavinia, a novel audit and payment protocol that incentivizes the continued availability of published content by remunerating server participation

(14)

in a privacy-preserving manner. Lavinia provides a pub-lisher with the means to specify an arbitrary storage time for her documents. She pays for these services in a model akin to the digital printing press first proposed by Ander-son in 1996 [1]. The continued availability of stored doc-uments is ensured by an audit and payment protocol, in which servers and auditors are compensated for ensuring that the document stays in the system until its expiration date. We provide a game-theoretic analysis that shows servers in the storage system acting on behalf of self-interest to maximize profits will participate honestly in the Lavinia protocol. With these requirements met, the Lavinia protocol provides the final pieces for a compre-hensive realization of Anderson’s Eternity Service: a true digital printing press for the Internet age.

References

[1] R. Anderson. The Eternity Service. InPragocrypt 1996, pages 242–252, 1996.

[2] S. Anthony. GitHub Battles “Largest DDoS” in Site’s History, Targeted at Anti-Censorship Tools. Ars Technica, http://arstechnica.com/security/ 2015/03/github-battles-largest- ddos-in-sites-history-targeted-at-anti-censorship-tools/, Mar. 30 2015. [Online; accessed June 2016].

[3] B. Awerbuch and C. Scheideler. Towards a Scalable and Robust DHT. InProceedings of the Eighteenth Annual ACM Symposium on Parallelism in Algo-rithms and Architectures, SPAA ’06, pages 318– 327, New York, NY, USA, 2006. ACM.

[4] E. Ben Sasson, A. Chiesa, C. Garman, M. Green, I. Miers, E. Tromer, and M. Virza. Zerocash: De-centralized Anonymous Payments from Bitcoin. In Security and Privacy (SP), 2014 IEEE Symposium on, pages 459–474, May 2014.

[5] M. Castro, P. Druschel, A. Ganesh, A. Rowstron, and D. S. Wallach. Secure Routing for Structured Peer-to-peer Overlay Networks. SIGOPS Oper. Syst. Rev., 36(SI):299–314, Dec. 2002.

[6] I. Clarke, O. Sandberg, M. Toseland, and V. Veren-del. Private Communication Through a Net-work of Trusted Connections: The Dark Freenet. [Online]. https://freenetproject.org /papers/freenet-0.7.5-paper.pdf, 2010.

[7] I. Clarke, O. Sandberg, B. Wiley, and T. W. Hong. Freenet: A Distributed Anonymous Infor-mation Storage and Retrieval System. In

Design-ing Privacy EnhancDesign-ing Technologies, pages 46–66. Springer, 2001.

[8] X. Dai, K. Chaudhary, and J. Grundy. Comparing and Contrasting Micro-payment Models for Con-tent Sharing in P2P networks. In Signal-Image Technologies and Internet-Based System, 2007. Third International IEEE Conference on, pages 347–354. IEEE, 2007.

[9] R. Dingledine, M. J. Freedman, and D. Molnar. The Free Haven Project: Distributed Anonymous Stor-age Service. InIn Proceedings of the Workshop on Design Issues in Anonymity and Unobservability, pages 67–95, 2000.

[10] J. R. Douceur. The Sybil Attack. InRevised Papers from the First International Workshop on Peer-to-Peer Systems, IPTPS ’01, pages 251–260, London, UK, 2002. Springer-Verlag.

[11] E. L. Eisenstein. The printing press as an agent of change, volume 1. Cambridge University Press, 1980.

[12] I. Eyal and E. Sirer. Majority Is Not Enough: Bit-coin Mining Is Vulnerable. In N. Christin and R. Safavi-Naini, editors, Financial Cryptography and Data Security, volume 8437 ofLecture Notes in Computer Science, pages 436–454. Springer Berlin Heidelberg, 2014.

[13] M. Gramaglia, M. Urue˜na, and I. Martinez-Yelmo. Off-line incentive mechanism for long-term P2P backup storage. Computer Communications, 35(12):1516–1526, 2012.

[14] A. Hern. Missing: Hard Drive Containing Bit-coins Worth £4m in Newport Landfill Site. The Guardian, 2013.

[15] W. A. Massey, G. A. Parker, and W. Whitt. Estimat-ing the Parameters of a Nonhomogeneous Poisson Process with Linear Rate. Telecommunication Sys-tems, 5(2):361–388, 1996.

[16] P. Maymounkov and D. Mazi`eres. Kademlia: A peer-to-peer information system based on the xor metric. In Revised Papers from the First International Workshop on Peer-to-Peer Systems, IPTPS ’01, pages 53–65, London, UK, UK, 2002. Springer-Verlag.

[17] S. Nakamoto. Bitcoin: A Peer-to-Peer Electronic Cash System. http://bitcoin.org/bitcoin.pdf, 2008. [Online; accessed June 2016].

(15)

[18] N. Oualha and Y. Roudier. Securing P2P stor-age with a self-organizing payment scheme. In Data Privacy Management and Autonomous Spon-taneous Security, pages 155–169. Springer, 2011. [19] A. I. T. Rowstron and P. Druschel. Pastry: Scalable,

decentralized object location, and routing for large-scale peer-to-peer systems. InProceedings of the IFIP/ACM International Conference on Distributed Systems Platforms Heidelberg, Middleware ’01, pages 329–350, London, UK, UK, 2001. Springer-Verlag.

[20] S. Seuken, D. Charles, M. Chickering, and S. Puri. Market Design & Analysis for a P2P Backup Sys-tem. InProceedings of the 11th ACM conference on Electronic commerce, pages 97–108. ACM, 2010. [21] A. Shamir. How to Share a Secret.Communications

of the ACM, 22(11):612–613, 1979.

[22] A. Singh, T.-W. Ngan, P. Druschel, and D. Wallach. Eclipse Attacks on Overlay Networks: Threats and Defenses. InINFOCOM 2006. 25th IEEE Interna-tional Conference on Computer Communications. Proceedings, pages 1–12, April 2006.

[23] I. Stoica, R. Morris, D. Karger, M. F. Kaashoek, and H. Balakrishnan. Chord: A Scalable Peer-to-Peer Lookup Service for Internet Applications. InProceedings of the 2001 conference on Applica-tions, technologies, architectures, and protocols for computer communications, SIGCOMM ’01, pages 149–160, New York, NY, USA, 2001. ACM. [24] A. Stubblefield and D. S. Wallach. Dagster:

Censorship-Resistant Publishing Without Replica-tion. Technical Report TR01-380, Houston, TX, USA, 2001.

[25] D. R. Thompson, O. Lev, K. Leyton-Brown, and J. Rosenschein. Empirical analysis of plurality election equilibria. InProceedings of the 2013 in-ternational conference on Autonomous agents and multi-agent systems, pages 391–398, 2013. [26] J. M. Urban and L. Quilter. Efficient Process or

Chilling Effects—Takedown Notices Under Sec-tion 512 of the Digital Millennium Copyright Act. Santa Clara Computer & High Tech. LJ, 22:621, 2005.

[27] E. Y. Vasserman, V. Heorhiadi, N. Hopper, and Y. Kim. One-Way Indexing for Plausible Deni-ability in Censorship Resistant Storage. In 2nd USENIX Workshop on Free and Open Communi-cations on the Internet. USENIX, 2012.

[28] M. Waldman and D. Mazieres. Tangler: A Censorship-Resistant Publishing System Based on Document Entanglements. In Proceedings of the 8th ACM conference on Computer and Communi-cations Security, pages 126–135. ACM, 2001. [29] P. Winter and S. Lindskog. How the Great Firewall

of China is Blocking Tor. InProceedings of the 2nd USENIX Workshop on Free and Open Communica-tions on the Internet, 2012.

A

Game Theory Proofs

A.1

Proof of Theorem 1

Proof. We can now describe the utility (profit) functions for server operators in this game. The utility of an opera-tor is given by the sum of the utilities of the servers they operate:

Uopp(Ai) =

Si,j∈Si

User(Si,j) while the utility of a server is given by:

User(Si,j) =

f

Πstore(f)Πroute(s,sel f)Πsend(f)Γsend(f)

×(gtransmit(f)−λBR(f)ctransmit(f))

−Πstore(f)cstore(f)−Πroute(s,any)crouteΓroute(s)ΓhopT

That is, the utility function of the server is equal to the total expected profit from the policy adopted to serve and store each filef(or not), less the fixed costs imposed by the routing policy (i.e. the costs of sending routing information to those who ask for it).

Several facts are immediately apparent from this util-ity function:

1. Servers cannot benefit from adopting a policy Πroute(s,others)that sends incorrect routing infor-mation, because their utility function is indepen-dent of the routing information sent. Similarly, adopting a policy forΠroute(s,sel f)that incorrectly reports the keyspace for s is pointless, because Πroute(s,sel f) affects all files, but Πstore(f) pro-vides a finer grained control over the same set, al-lowing servers to selectively serve only profitable files instead. Therefore, policies in which rout-ing information is reported correctly (or not at all) dominate policies where routing information is re-ported incorrectly. Reporting truncated routing in-formation is also not profitable, because its rela-tively small size in most distributed storage systems

References

Related documents

Updates (ctd.) Delete tuples delete Student where Semester &gt; 13; Update tuples update Student.. set Semester= Semester

RNC UL/DL Code Congestion Counters VS.RRC.Rej.Code.Cong VS.RAB.FailEstabCS.Code.Cong VS.RAB.FailEstabPS.Code.Cong Scenario (OR function) Aggregated Measurement Counter

To see what sum of money the Town will vote to raise and appropriate to be used with income, if any, for the election and registration expenses, municipal court expenses, Public

The FEDERAL REGISTER (ISSN 0097–6326) is published daily, Monday through Friday, except official holidays, by the Office of the Federal Register, National Archives and

Trade conditions are associated with an increase in trade volume, but the positive effect comes from program countries with high degrees of ownership.. The treatment group so far

• Fire chief responded by demoting her to FF position because of lack of medical.. Legal Case Study No. 12. • Defense: gender not

Green Building Council’s (USGBC) Leadership in Energy and Environmental Design (LEED) certification. Act also requires that all applicants for construction of privately owned

J = D + λ × R (1) In block-based video compression standards like H.264/AVC [3] and High Efficiency Video Coding (HEVC) [4], the RDO technique is applied sequentially to groups