Security BSides London 2017

When using anonymous networks like Tor or I2P, one problem is always how to prevent spam/DoS attacks when you cannot distinguish one entity from another, and hence cannot limit them without either compromising their anonymity by requiring registration of some kind, or requiring captcha-like challenges which are time consuming to implement and usually only a temporary solution at best.

Here I introduce a new kind of authentication system based on homomorphic properties of elliptic curve cryptography and zero knowledge proofs called "Linkable Ring Signatures". It allows one to add their public key to a larger group of existing public keys, called a "ring", and sign using the entire "ring" of keys + private key in such a way that no one can tell which private key has signed the message, but can mathematically verify that it was one private key corresponding to one of the public keys in the ring. On top of that, it allows a verifier that only has access to the public keys in the ring to make sure that for any one [message, ring] pair, a private key has only signed it once - duplicate signatures for the same message are detectable.

This allows for limiting interactions from any party holding one of these access keys (to say, one message per minute per key), without the party losing any anonymity as their signature is indistinguishable from any other party in the ring.

Furthermore, because ring signatures use a cryptographic component called "zero knowledge proofs", signing reveals zero information about the private key - hence no matter how many signatures are generated, it is impossible to use them to try to forge messages or fingerprint/bruteforce the signer key. The proof of this will be shown in the talk.

In this talk I will walk through the cryptographic primitives that make this possible, and show a demo service on Tor/I2P that implements this scheme to make an anti-spam anonymous forum.