Pseudonym Parties: An Offline Foundation for Online Accountability (PRELIMINARY DRAFT)

Preprints and early-stage research may not have been peer reviewed yet.
To read the file of this research, you can request a copy directly from the author.


Many unsolved Internet security vulnerabilities reduce to a lack of user accountability: any user who misbehaves— e.g., by spamming from a free E-mail account or stuffing an online ballot box—can simply open other anonymous accounts or connect from other IP addresses. The obvious solution of requiring all users to identify and authenticat e themselves to online services, through a universal public- key infrastructure (PKI) for example, is inconvenient and impractical to deploy universally, and raises serious pri- vacy concerns. Ensuring accountability does not in gen- eral require identifying users, however: it only requires enforcing a principle of one person, one persona for a given online service. This paper proposes pseudonym par- ties, a decentralized scheme that combines technical tools (pseudonymous online accounts) with in-person social oc- casions (parties) to provide online accountability while preserving the ability of users to participate anonymously in online services. This approach is fully decentralized, can be deployed incrementally at minimal cost, and may even be fun to participate in.

No file available

Request Full-text Paper PDF

To read the file of this research,
you can request a copy directly from the author.

... These encointer meetups are at the same time the basis of a self-sovereign identity claim called proof-of-personhood (PoP) [2] [3], proving a one-to-one relationship between a person and her digital identity. One person can only maintain one individuality claim because ceremonies are designed to make it impossible to attend two meetups physically as they happen in different places concurrently. ...
Full-text available
encointer proposes a new blockchain based cryptocurrency with an ecological consensus mechanism using trusted execution environments and an egalitarian money supply policy. Money issuance is done through a universal basic income subject to a proof-of-personhood. Only individuals attending randomized pseudonym key signing events obtain such proofs. encointer also features private transactions and scalable, trustless off-chain smart contracts.
Full-text available
In most systems without a centralised authority, users are free to create as many accounts as they please, without any harmful effect on the system. However, in the case of e-voting, for instance, proof of identity is crucial, as sybil identities can be used to breach the intended role of the system. We explore the conditions under which a decentralised proof of identity system can exist. We also propose such a scheme, called Get-your-ID (GYID), and prove its security. Our system allows a user to generate and revoke keys, via an endorsement mechanism, and we prove that under some conditions which we discuss, no user can have more than one active key. We then show how voting protocols can be adapted on top of our system, thus ensuring that no user is able to cast a valid vote more than once.
Conference Paper
Full-text available
Human interaction proofs (HIPs) have become commonplace on the internet for protecting free online services from abuse by automated scripts/bots. They are challenges designed to be easily solved by humans, while remaining too hard for computers to solve. Reading based HIPs comprise a segmentation problem and one or more recognition problems. Recent studies have shown that computers are better at solving the recognition problem than the segmentation problem (Chellapilla and Simard, 2004; Chellapilla et al, 2005a). In this paper we compare human and computer single character recognition abilities through a sequence of human user studies and computer experiments using convolutional neural networks. In these experiments, we assume that segmentation has been solved and the approximate locations of individual HIP characters are known. Results show that computers are as good as or better than humans at single character recognition under all commonly used distortion and clutter scenarios used in todays HIPs.
Full-text available
Hashcash was originally proposed as a mechanism to throttle systematic abuse of un-metered internet resources such as email, and anonymous remailers in May 1997. Five years on, this paper captures in one place the various applications, improvements suggested and related subsequent publications, and describes initial experience from experiments using hashcash.
Conference Paper
We introduce captcha, an automated test that humans can pass, but current computer programs can't pass: any program that has high success over a captcha can be used to solve an unsolved Arti- cial Intelligence (AI) problem. We provide several novel constructions of captchas. Since captchas have many applications in practical secu- rity, our approach introduces a new class of hard problems that can be exploited for security purposes. Much like research in cryptography has had a positive impact on algorithms for factoring and discrete log, we hope that the use of hard AI problems for security purposes allows us to advance the eld of Articial Intelligence. We introduce two families of AI problems that can be used to construct captchas and we show that solutions to such problems can be used for steganographic commu- nication. captchas based on these AI problem families, then, imply a win-win situation: either the problems remain unsolved and there is a way to dieren tiate humans from computers, or the problems are solved and there is a way to communicate covertly on some channels.
Conference Paper
Large-scale peer-to-peer systems face security threats from faulty or hostile remote computing elements. To resist these threats, many such systems employ redundancy. However, if a single faulty entity can present multiple identities, it can control a substantial fraction of the system, thereby undermining this redundancy. One approach to preventing these “Sybil attacks” is to have a trusted agency certify identities. This paper shows that, without a logically centralized authority, Sybil attacks are always possible except under extreme and unrealistic assumptions of resource parity and coordination among entities.
Conference Paper
Online services often use IP addresses as client identifiers when enforcing access-control decisions. The academic community has typically eschewed this approach, however, due to the effect that NATs, proxies, and dynamic addressing have on a server's ability to identify individual clients. Yet, it is unclear to what extent these edge technologies actually impact the utility of using IP addresses as client identifiers. This paper provides some insights into this phenomenon. We do so by mapping out the size and extent of NATs and proxies, as well as characterizing the behavior of dynamic addressing. Using novel measurement techniques based on active web content, we present results gathered from 7 million clients over seven months. We find that most NATs are small, consisting of only a few hosts, while proxies are much more likely to serve many geographically-distributed clients. Further, we find that a server can generally detect if a client is connecting through a NAT or proxy, or from a prefix using rapid DHCP reallocation. From our measurement experiences, we have developed and implemented a methodology by which a server can make a more informed decision on whether to rely on IP addresses for client identification or to use more heavyweight forms of client authentication.
The Internet offers new opportunities for anonymous and pseudonymous communications. Users can, for example, engage in political advocacy, receive counseling, and perform commercial transactions without disclosing their identities. The cloak of anonymity can also facilitate socially unacceptable or criminal activities because of the difficulty in holding anonymous users accountable. This article reports the results of a conference on anonymous communication organized by the American Association for the Advancement of Science. Among the findings were that online anonymous communication is morally neutral; that it should be considered a strong human and constitutional right; that online communities should be allowed to set their own policies on the use of anonymous communication; and that individuals should be informed about the extent to which their identity is disclosed online. The article discusses how anonymous communications can be shaped by the law, education, and public awareness, and highlights the importance of involving all affected interests in policy development.
Peer-to-peer and other decentralized, distributed systems are known to be particularly vulnerable to sybil attacks . In a sybil attack, a malicious user obtains multiple fake identities and pretends to be multiple, distinct nodes in the system. By controlling a large fraction of the nodes in the system, the malicious user is able to “out vote” the honest users in collaborative tasks such as Byzantine failure defenses. This paper presents SybilGuard , a novel protocol for limiting the corruptive influences of sybil attacks. Our protocol is based on the “social network” among user identities, where an edge between two identities indicates a human-established trust relationship. Malicious users can create many identities but few trust relationships. Thus, there is a disproportionately small “cut” in the graph between the sybil nodes and the honest nodes. SybilGuard exploits this property to bound the number of identities a malicious user can create. We show the effectiveness of SybilGuard both analytically and experimentally.
Inaccessibility of CAPTCHA: alternatives to visual turing tests on the web
  • Matt May
Matt May. Inaccessibility of CAPTCHA: alternatives to visual turing tests on the web, November 2005. W3C Working Group Note 23.
Not as wiki as it used to be
  • Bill Thompson
Bill Thompson. Not as wiki as it used to be. BBC News, August 2006.
SybilGuard: defending 6
  • Haifeng Yu
  • Michael Kaminsky
  • B Phillip
  • Abraham Gibbons
  • Flaxman
Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, and Abraham Flaxman. againstsybilattacksviasocialnetworks. SIGCOMM Computer Communications Review, 36(4):267–278, 2006. SybilGuard: defending 6
Why IP banning is useless
  • Adam Kalsey
Adam Kalsey. Why IP banning is useless, February 2004. ip banning is useless.
Sybil: the true story of a woman possessed by sixteen separate personalities
  • Rheta Flora
  • Schreiber
Flora Rheta Schreiber. Sybil: the true story of a woman possessed by sixteen separate personalities. Warner Books, 1973.
Growing Wikipedia refines its 'anyone can edit' policy
  • Katie Hafner
Katie Hafner. Growing Wikipedia refines its 'anyone can edit' policy. New York Times, June 2006.
CAPTCHA: using hard AI problems for security
  • Manuel Luis Von Ahn
  • Nicholas J Blum
  • John Hopper
  • Langford
Luis von Ahn, Manuel Blum, Nicholas J. Hopper, and John Langford. CAPTCHA: using hard AI problems for security. In Eurocrypt, 2003.
Personal spam statistics
  • Paul Wouters
Paul Wouters. Personal spam statistics 1997-2004, January 2005.