Researchers at the Dissent Project are building a new kind of anonymity tool that, when used in conjunction with the Tor anonymity network, could significantly improve online anonymity.
Unlike Tor's onion routing architecture, which routes internet traffic through a series of "onion layers" to obscure your identity, Dissent implements a dining cryptographers network, or DC-net, which makes cryptographically provable anonymity possible.
The dining cryptographers problem was first proposed in 1988 by cryptographer David Chaum, and involves cryptographers trying to anonymously prove to each other whether or not the NSA paid their restaurant bill. (It's a long story; Chaum's paper tells it.)
DC-nets are harder to conceptualize than onion routing. The key takeaway is that, unlike onion routing, DC-nets offer cryptographically provable anonymity, although at a much slower speed than Tor. For applications that do not require real-time interaction with another person or website, Dissent offers much stronger anonymity than Tor.
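To make the idea concrete, here is one round of a basic Chaum-style DC-net in Python, added as an illustration; it is not Dissent's code, and the function names and sample message are constructed for this example. It shows that XORing everyone's broadcast yields the message, and that the same broadcasts are equally well explained by a different sender.

```python
import secrets
from itertools import combinations

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_pads(n, size):
    """One fresh shared secret per pair of members (Chaum's coin flips)."""
    return {pair: secrets.token_bytes(size) for pair in combinations(range(n), 2)}

def broadcasts(pads, n, sender, message):
    """Each member publishes the XOR of its pads; the sender also XORs in the message."""
    out = []
    for i in range(n):
        b = bytes(len(message))
        for pair, pad in pads.items():
            if i in pair:
                b = xor(b, pad)
        out.append(xor(b, message) if i == sender else b)
    return out

def combine(published):
    """Anyone can XOR all broadcasts; every pad appears twice and cancels."""
    total = bytes(len(published[0]))
    for b in published:
        total = xor(total, b)
    return total

def reattribute(pads, old_sender, new_sender, message):
    """Build pads that explain the same broadcasts with a different sender."""
    alt = dict(pads)
    pair = tuple(sorted((old_sender, new_sender)))
    alt[pair] = xor(pads[pair], message)  # only the pad those two share changes
    return alt

if __name__ == "__main__":
    msg = b"constructed sample post"
    pads = make_pads(4, len(msg))
    seen = broadcasts(pads, 4, sender=1, message=msg)
    print(combine(seen))                        # the message, with no sender attached
    alt = reattribute(pads, 1, 3, msg)
    print(seen == broadcasts(alt, 4, 3, msg))   # same transcript, different sender
```

Every member has to publish in every round for the pads to cancel, which is where the bandwidth cost of a DC-net comes from.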
This simplified model for the Dissent network highlights how the whole network is used to verify data on that network. Image: Bryan Ford
"One of the most important things to understand about Dissent," project lead Bryan Ford said over a Signal call, "is that it's not going to be a drop-in replacement for Tor, at least not in its current form."
The problem with achieving provable anonymity in a DC-net is that it's slow, slower than Tor. "DC-nets work because everyone broadcasts all their packets to everyone else," Ford explained. "This ensures that a small number of dishonest actors cannot de-anonymize the channel...but it also slows things down."
Rather, he explained, as a DC-net, Dissent offers a provably anonymous way to publish, well, dissent—broadcast communication such as blogging, microblogging (e.g. Twitter), or IRC.
"If you use DC nets to try to handle 10,000 concurrent point-to-point unicast communication channels, which is what Tor normally does, it's not going to scale very well," Ford said.
Regardless of where bad actors may be in the network, the Dissent network is able to prove anonymity for good actors. Image: Bryan Ford
One potential use for Dissent that would bolster a weakness of Tor, he explained, would be to create a privacy-preserving wifi networking layer.
"Think of it as an enhanced router that has local area anonymity built in," Ford said. "Any time you're using this router, you're using dining cryptographers anonymity, and all the nodes around the base station are indistinguishable from each other."
The anonymous LAN could be a home or a neighborhood or a campus network or even a corporate network.
This would protect users against one of Tor's weaknesses: the entry guard.
"If you're using Tor to get anonymity," Ford said, "you are very sensitive to any failure of the security of your entry guard—the first node that your connection is going to. If that node is compromised or out to get you, there's not much you can do. An attacker is probably going to get you soon, if they don't immediately."
Ford hopes to make Tor entry guards more robust by making them part of a local Dissent DC-net. "So even if the entry guard is compromised," he said, "even if the whole Tor path is compromised, the entry guard would still not be able to de-anonymize you."
Roger Dingledine, co-founder of the Tor Project, is optimistic about the future of Dissent. "Bryan Ford's stuff is good research, well respected in the field," he wrote in an email. "His designs are more amenable to proofs of security than Tor (good), but the tradeoff is that they don't scale as well (bad), and they're not as resilient to real-world things like denial of service attacks. That doesn't make them useless; it just means they're far earlier in the development process than Tor is."
Ford and his team have been working on Dissent for more than four years. He has high confidence that Dissent is solid under the hood, but more application-layer software engineering is needed before it will be ready for public use. "The anonymity engine works, it's available, you can download the code," he said. End users wanting to take it for a spin may have to wait a while, though. He's reluctant to name a date for application release, but hopes to have something for users to play with by early next year.
Tor isn't going away any time soon. But, as Dingledine emphasizes, more research into anonymous communication is needed.
"It is great to have people continuing to explore alternate approaches to Tor. We're not going to be able to solve all problems forever. There needs to be a whole ecosystem of options. Having Bryan and his group care about this problem is good for our field."