This is a brief overview of the user facing functions and attributes of Lox. For more details, see the academic paper by Tulloch and Goldberg .
Lox in a nutshell
Lox is a privacy-preserving, reputation-based bridge distribution system. Lox uses anonymous credentials to preserve a user's reputation while maintaining their anonymity throughout their interactions with the Lox bridge distributor.
Using Lox
There are two ways to join Lox. The first way is through an open invitation. Open invitations are available to any user who can access the Lox bridge distributor through the Tor Browser and is the default way to join Lox. The second way is through an invitations from another trusted Lox user. This requires receiving an invitation from a friend or acquaintance who has already been using Lox for some time. Once a user has joined Lox, their state is reflected in a signed anonymous credential issued by the Lox Bridge Authority (server) and stored locally on the client side (in Tor browser). Many details of how Lox operates are hidden for the user to improve usability. However, some details (outlined below) are important for users to know.
Anonymity provided by Lox
Lox uses anonymous credentials to preserve a user's reputation as well as their anonymity, while interacting with Lox. If the number of Lox users is very small, it may be possible to track an individual user through their transactions through timing based attacks. For example, if only a single user joined Lox 30 days prior to any other user, it would be apparent that it was that user requesting to level up after 30 days. This issue is only relevant for extremely small user bases and is not anticipated to cause problems for Tor's implementation. <TODO: what about the initial open invitation? Will that be tied to a user's IP>
Bridge Buckets
Lox sorts bridges into buckets for distribution to users and their social networks. There are two types of buckets that users should be aware of:
Open-entry buckets:
- contain a single bridge
- pre-grouped in a super-set bucket with 2 other bridges
- handed out to anyone that joins Lox without an invitation
- can become invite-only buckets once the bucket has remained unblocked for 30 days
Invite-only buckets:
- contain 3 bridges that are no longer open-entry buckets
- are only distributed to users with an invitation from a trusted Lox user with knowledge of the same bucket
- are less suceptible to blocking as long as invitees are not bad actors
Trust levels
Each Lox user is assigned a trust level. This level can increase over time while a user's bridges are not blocked. As a user's trust level increases, they gain new privileges.
| Trust level | Requirements | Features |
|---|---|---|
| L0 | none | 1-bridge bucket |
| L1 | 30 days @ L0 w/ no blocks OR invited by a user with L2+ OR migrated from L3
|
3-bridge super-bucket |
| L2 | 14 days @ L1 w/ no blocks OR migrated from L4
|
3-bridge bucket, can invite 2 users |
| L3 | 28 days @ L2 w/ no blocks AND < 4 blocks total) |
3-bridge bucket, +4 invites, migrate bucket L1 |
| L4 | 56 days @ L3 w/ no blocks AND < 3 blocks total |
3-bridge bucket, +6 invites, migrate bucket to L2, +8 invites after every 56 days |
Open-invitation users join at trust level L0. Invited users join at a trust level of L1 and gain access to the same 3-bridge bucket as the user that invited them.
Invitations
<TODO: How are invitations distributed entered into the browser?>
Bucket migration
Users with a trust level of L3+ may migrate to a new invite-only bucket if the bridges in their current bucket have been blocked. A bucket is considered "blocked" if 2 or more of the bridges in the bucket are determined to be blocked(Link on this process TBD for now: rdsys#36 (closed)). In this situation, if a user chooses to migrate buckets, their trust drops 2 levels and they lose any unused invitations they had collected. Additionally, having witnessed a blockage event is recorded in the user's credential and carried forward as the user regains trust and invites new users. See more on this below. Users regain trust by following the level requirements detailed above. Users with a trust level of L2 or lower that experience a blockage event must rejoin Lox as an open-entry user.
Bridge Blockages
When bridges are confirmed as blocked and eligible users (i.e., with a trust level of L3+), migrate to new buckets, these events are reflected in the user's credential. The number of blockages a user has witnessed is carried forward into invitations issued by the user as well. This prevents users from inviting themselves to Lox in order to erase the number of blockages they've witnessed. Once a user has witnessed 3 blockage events, they will be unable to reach a trust level of L4. Once a user has witnessed 4 blockage events, they will be unable to reach a trust level of L3, preventing them from migrating after the next blockage. One thing to note is that the specific blocking event is never recorded, only that a user has successfully migrated to new buckets.
Reporting Blocked Bridges
<TODO: maybe there is a way for users to report blockages? If so, we should outline it here>