Many modern network services have seemingly contradictory goals. On one hand, users are concerned about privacy and wish to remain anonymous for fear of their identities being misused. Service providers, on the other hand, need to have at least some form of accountability to stymie malicious and abusive users. Our work is focused on providing practical, inexpensive anonymous authentication so that both the user and the service providers know under exactly what conditions a user's identity will be revealed. We want our system to be easily applicable to general protocols and have a small trusted computing base (TCB).

Our system is based around the notion of contracts. When a user accepts a contract, their identity is placed in escrow on a server running Flicker to execute code with access to the identity in isolation on the server. Flicker allows the server to prove to both the user and service provider that the user's identity will be revealed by the server if and only if the client breaks the client. Due to the design of our system, our system can be adapted to protocols that send messages at high rates. In addition, because the accountability server uses Flicker to attest to the conditions upon which identities will be revealed, the TCB contains only the small trusted code that runs in isolation on the accountability server.


Our system, RECAP, has two advantages over similar works. First, our system is designed to be fast -- it can support protocols that have high throughputs. Note that these comparisons are not apples to oranges; you should read our paper to fully understand the experiment.

Throughput at service provider Throughput at user
Our system is fair. Unlike related systems, a well behaved user cannot be discriminated against in our system. In contrast, competing systems allow a well behaved user can be banned for no reason.

Find out more!

Download our NDSS 2010 paper or look at our CyLab partner's conference poster.