PERM: Practical Reputation-Based Blacklisting without TTPs

Man Ho Au
School of Computer Science and Software Engineering
University of Wollongong
Wollongong, NSW, Australia
aau@uow.edu.au

Apu Kapadia
School of Informatics and Computing
Indiana University
Bloomington, IN, USA
kapadia@indiana.edu

ABSTRACT

Some users may misbehave under the cover of anonymity by, e.g., defacing webpages on Wikipedia or posting vulgar comments on YouTube. To prevent such abuse, a few anonymous credential schemes have been proposed that revoke access for misbehaving users while maintaining their anonymity such that no trusted third party (TTP) is involved in the revocation process. Recently we proposed BLACR, a TTP-free scheme that supports ‘reputation-based blacklisting’ — the service provider can score users’ anonymous sessions (e.g., good vs. inappropriate comments) and users with insufficient reputation are denied access.

The major drawback of BLACR is the linear computational overhead in the size of the reputation list, which allows it to support reputation for only a few thousand user sessions in practical settings. We propose PERM, a revocation-window-based scheme (misbehaviors must be caught within a window of time), which makes computation independent of the size of the reputation list. PERM thus supports millions of user sessions and makes reputation-based blacklisting practical for large-scale deployments.

Categories and Subject Descriptors

K.6.5 [Operating Systems]: Security and Protection—Authentication; E.3 [Data Encryption]: Public key cryptosystems

Keywords

accountable anonymity, anonymous blacklisting, revocation

1. INTRODUCTION

Anonymous access to services can be of great value in many circumstances. For example, journalists and activists can avoid censorship and persecution while posting content to Wikipedia and YouTube anonymously. Nevertheless, users can and do abuse their anonymity by defacing webpages and posting inappropriate material. Repeated abuse has led service providers (SPs) like Wikipedia to ban access through anonymizing networks such as Tor [15].

Anonymous blacklisting and subjective judging. To enable a less drastic reaction than banning anonymous access, several credential schemes for accountable anonymity have been proposed recently. These schemes support the subjective judging of misbehaviors [19, 27], allowing SPs to arbitrarily flag behaviors as inappropriate. Subjective judging is useful in applications in which a mathematical or algorithmic formulation of misbehaviors such as ‘inappropriate edits’ is unlikely.¹ It has been recognized that since the subjective judging of users’ behaviors is arbitrary, it is desirable for such schemes to support anonymous blacklisting [19, 27] such that users can be blocked from returning while maintaining their anonymity.² Thus users are held accountable, but they are not worried about arbitrary, subjective deanonymization.

TTP vs. TTP-Free schemes. Several approaches to providing anonymous blacklisting with subjective judging include some kind of trusted third party (TTP). Group signature-based schemes feature a group manager who can revoke access for users [1, 8, 13, 20]. ‘Nymble’ schemes make authentication at the SP efficient, but they also feature some kind of TTP [19, 27, 21, 18]. Since users must still rely on the judgment of the TTP, users can never be certain of their anonymity.

Thus, several TTP-free schemes have been proposed recently to eliminate this point of trust. BLAC was the first such scheme [24, 26]. In BLAC users must prove in zero knowledge that each entry on the blacklist does not correspond to an authentication made earlier using their credential, resulting in authentication times linear in the size of the blacklist. PEREA removed this linear dependence on the size of the blacklist by requiring misbehaviors to be ‘caught’, i.e., identified, within a revocation window of the past K authentications [25, 4]. Authentication times are now linear in the size of K, and thus K cannot be too large; typically K = 10 provides much better performance than BLAC. When combined with rate limiting, PEREA would

¹ In contrast, schemes supporting digital cash can easily characterize misbehavior such as the “double spending” of a coin.

² In contrast many existing schemes for subjective judging deanonymize or reduce the privacy of users.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. CCS’12, October 16–18, 2012, Raleigh, North Carolina, USA. Copyright 2012 ACM 978-1-4503-1651-4/12/10 ...$15.00.

© ACM, 2012. This is the author's version of the work. It is posted here by permission of ACM for your personal use. Not for redistribution. The definitive version was published in Proceedings of The 19th ACM Conference on Computer and Communication Security (CCS '12), pp. 929–940, Raleigh, NC, October 16–18, 2012. http://doi.acm.org/10.1145/2382196.2382294
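The cost contrast between BLAC and PEREA drawn in the introduction, as an added toy model in Python (not code from the paper or from either scheme): a BLAC-style check touches every blacklist entry, while a window-based check touches only the last K sessions and therefore misses a session that is flagged after it has left the window. Assumptions, since the page gives no formats: a ticket is modelled as (s, H(s, sid)^x) in a toy group, window tickets are random strings, the zero-knowledge proofs and accumulators of the real schemes are replaced by direct checks, and all names and the SP identifier are constructed.

```python
import hashlib, secrets
from collections import deque

P = 2**255 - 19  # prime modulus for a toy group (assumption, illustration only)

def h2g(s: bytes, sid: bytes) -> int:
    """Hash a ticket nonce and the SP identity into the toy group."""
    return int.from_bytes(hashlib.sha256(s + b"|" + sid).digest(), "big") % P

def blac_ticket(x: int, sid: bytes):
    """Assumed BLAC-style ticket: fresh nonce s plus t = H(s, sid)^x."""
    s = secrets.token_bytes(16)
    return s, pow(h2g(s, sid), x, P)

def blac_check(x: int, sid: bytes, blacklist):
    """Test every blacklist entry against secret x; no early exit, since the
    real proof covers all entries. Returns (not_listed, exponentiations)."""
    hits = [pow(h2g(s, sid), x, P) == t for s, t in blacklist]
    return not any(hits), len(hits)

class WindowUser:
    """PEREA-style user: remembers only the tickets of the last K sessions."""
    def __init__(self, k: int):
        self.queue = deque(maxlen=k)

    def authenticate(self, blacklist: set):
        """Check the queued tickets only. Returns (accepted, checks, ticket)."""
        checks = len(self.queue)
        accepted = not any(t in blacklist for t in self.queue)
        ticket = secrets.token_hex(16)
        if accepted:
            self.queue.append(ticket)  # oldest ticket drops out of the window
        return accepted, checks, ticket

def demo(list_size=200, k=10):
    sid = b"sp.example"                       # constructed SP identifier
    new_secret = lambda: secrets.randbelow(P - 2) + 1
    x = new_secret()
    others = [blac_ticket(new_secret(), sid) for _ in range(list_size)]
    mine = blac_ticket(x, sid)
    out = {"blac_clean": blac_check(x, sid, others),
           "blac_listed": blac_check(x, sid, others + [mine])}
    for label, later_sessions in (("in_window", k - 1), ("outside_window", k)):
        user = WindowUser(k)
        bad = user.authenticate(set())[2]     # session the SP flags afterwards
        for _ in range(later_sessions):
            user.authenticate(set())
        out["perea_" + label] = user.authenticate({bad})[:2]
    return out

if __name__ == "__main__":
    print(demo())
```

Each result is a pair of (accepted, units of work): the BLAC-style work grows with `list_size`, the window-based work stays at `k` regardless of how many sessions are blacklisted.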