Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

A new token type: SeCure Rate Assuring Protocol With PrivacY (Scrappy) #292

Open
akakou opened this issue Mar 6, 2024 · 2 comments
Open

Comments

@akakou
Copy link

akakou commented Mar 6, 2024

This proposal is making Scrappy(SeCure Rate Assuring Protocol with PrivacY),
a new scheme with strong privacy for Privacy State Token.

Scrappy is a rate-limiter the same as Privacy Pass, but this restants to the timing correlation attack.
Also, Scrappy works as E2E (between users and web service) in the hot paths (i.e., sign and verify),
so that the issuer does not need to receive high access from users.

Note

  • Although Scrappy mainly assumes the user has a unique resource in the hardware device (in particular, the TPM),
    we can use other unique resources, the same as the Trust Token API.
  • TODO

Reference

Scrappy:
https://www.ndss-symposium.org/ndss-paper/scrappy-secure-rate-assuring-protocol-with-privacy/

Privacy State Token:
https://developers.google.com/privacy-sandbox/protections/private-state-tokens?hl=en

@akakou
Copy link
Author

akakou commented Mar 6, 2024

This is Abstracts of Scrappy

Preventing abusive activities caused by adversaries accessing online services at a rate exceeding that expected by websites has become an ever-increasing problem. CAPTCHAs and SMS authentication are widely used to provide a solution by implementing rate limiting, although they are becoming less effective, and some are considered privacy-invasive. In light of this, many studies have proposed better rate-limiting systems that protect the privacy of legitimate users while blocking malicious actors. However, they suffer from one or more shortcomings: (1) assume trust in the underlying hardware and (2) are vulnerable to side-channel attacks.
Motivated by the aforementioned issues, this paper proposes Scrappy: SeCure Rate Assuring Protocol with PrivacY. Scrappy allows clients to generate unforgeable yet unlinkable rate-assuring proofs, which provides the server with cryptographic guarantees that the client is not misbehaving. We design Scrappy using a combination of DAA and hardware security devices. Scrappy is implemented over three types of devices, including one that can immediately be deployed in the real world. Our baseline evaluation shows that the end-to-end latency of Scrappy is minimal, taking only 0.32 seconds, and uses only 679 bytes of bandwidth when transferring necessary data. We also conduct an extensive security evaluation, showing that the rate-limiting capability of Scrappy is unaffected even if the hardware security device is compromised.

@akakou
Copy link
Author

akakou commented Mar 6, 2024

This proposal came from the issue in AFCG Repo.

Thank you for the helpful advice. @dvorak42 🙏

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant