CR · Jul 20, 2020

CACTI: Captcha Avoidance via Client-side TEE Integration

arXiv:2007.10397v1 · 11 citations
Originality: Incremental advance
AI Analysis

CACTI addresses bot abuse and user inconvenience in web services, offering a privacy-preserving alternative to CAPTCHAs. The advance is incremental because it builds on existing TEE technology.

The paper tackles the problem of CAPTCHAs being ineffective against bots and frustrating for humans. It proposes CACTI, a system that uses client-side Trusted Execution Environments (TEEs) to generate unforgeable rate-proofs, allowing legitimate clients to avoid solving CAPTCHAs. The evaluation shows that the overall latency of generating and verifying a CACTI rate-proof is less than 0.25 seconds and that bandwidth overhead is over 98% lower than that of current CAPTCHA systems.

Preventing abuse of web services by bots is an increasingly important problem, as abusive activities grow in both volume and variety. CAPTCHAs are the most common way for thwarting bot activities. However, they are often ineffective against bots and frustrating for humans. In addition, some recent CAPTCHA techniques diminish user privacy. Meanwhile, client-side Trusted Execution Environments (TEEs) are becoming increasingly widespread (notably, ARM TrustZone and Intel SGX), allowing establishment of trust in a small part (trust anchor or TCB) of client-side hardware. This prompts the question: can a TEE help reduce (or remove entirely) user burden of solving CAPTCHAs? In this paper, we design CACTI: CAPTCHA Avoidance via Client-side TEE Integration. Using client-side TEEs, CACTI allows legitimate clients to generate unforgeable rate-proofs demonstrating how frequently they have performed specific actions. These rate-proofs can be sent to web servers in lieu of solving CAPTCHAs. CACTI provides strong client privacy guarantees, since the information is only sent to the visited website and authenticated using a group signature scheme. Our evaluations show that overall latency of generating and verifying a CACTI rate-proof is less than 0.25 sec, while CACTI's bandwidth overhead is over 98% lower than that of current CAPTCHA systems.
