Carnegie-Mellon University has developed a system called Bump-in-the-Ether (BitE), an
approach for preventing user-space malware from accessing sensitive user input and providing
the user with additional confidence that her input is being delivered to the expected application.
Rather than preventing malware from running or detecting already-running malware, we
facilitate user input that bypasses common avenues of attack. User input traverses a
"trusted tunnel" from the input device to the application. This trusted tunnel is implemented
using a trusted mobile device working in tandem with a host platform capable of attesting to its
current software state.
Based on a received attestation, the mobile device verifies the integrity of the host platform and
application, provides a trusted display through which the user selects the application to which her
inputs should be directed, and encrypts those inputs so that only the expected application can
decrypt them.
A paper
on this work was presented at the 2006 USENIX Annual Technical Conference.
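The exchange described above (attest, verify, select the application, encrypt the input) as a toy model in Python. This is an added example, not CMU's BitE code: the attestation is stood in for by an HMAC over a measurement list keyed with a key the mobile device trusts, each application shares a distinct input key with the mobile device, and the cipher is an HMAC-SHA256 keystream XOR; all component names, keys and measurement values are constructed.

```python
"""Toy model of the Bump-in-the-Ether (BitE) trusted tunnel.

Constructed example, not CMU's code. Simplifying assumptions:
  - the host's attestation is an HMAC over its software measurement list,
    keyed with an attestation key the mobile device already trusts
    (standing in for a hardware-backed quote);
  - each application shares a distinct input key with the mobile device,
    so only that application can decrypt what the user types;
  - the cipher is an HMAC-SHA256 keystream XORed with the input
    (illustrative only; a real design would use an AEAD cipher).
"""
import hashlib
import hmac
import os

ATTESTATION_KEY = b"attestation-key-trusted-by-mobile"   # constructed

# Known-good measurements the mobile device carries (constructed values).
KNOWN_GOOD = {
    "kernel": hashlib.sha256(b"kernel-build-1").hexdigest(),
    "input-driver": hashlib.sha256(b"input-driver-build-1").hexdigest(),
    "banking-app": hashlib.sha256(b"banking-app-build-3").hexdigest(),
}


def _serialize(measurements):
    return "|".join(f"{k}={v}" for k, v in sorted(measurements.items())).encode()


def host_attest(measurements):
    """Host side: report its current measurements with an authentication tag."""
    tag = hmac.new(ATTESTATION_KEY, _serialize(measurements), hashlib.sha256).hexdigest()
    return {"measurements": dict(measurements), "tag": tag}


def mobile_verify(attestation, app):
    """Mobile side: refuse if the tag is bad (report tampered with after the
    fact) or if the platform or the selected application differ from known-good."""
    m = attestation["measurements"]
    expected = hmac.new(ATTESTATION_KEY, _serialize(m), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["tag"]):
        return False
    return all(m.get(c) == KNOWN_GOOD.get(c) for c in ("kernel", "input-driver", app))


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_input(app_key, nonce, keystrokes):
    """Mobile side: encrypt keystrokes under the selected application's key."""
    ks = _keystream(app_key, nonce, len(keystrokes))
    return bytes(a ^ b for a, b in zip(keystrokes, ks))


open_input = seal_input   # XOR keystream: decryption is the same operation


def deliver(app, keystrokes, host_measurements, app_keys, nonce=None):
    """Full exchange. Returns (nonce, ciphertext) for the host to relay to
    `app`, or None if the mobile device refuses to open the tunnel."""
    attestation = host_attest(host_measurements)
    if not mobile_verify(attestation, app):
        return None
    if nonce is None:
        nonce = os.urandom(16)
    return nonce, seal_input(app_keys[app], nonce, keystrokes)


if __name__ == "__main__":
    keys = {"banking-app": b"k1" * 16, "other-app": b"k2" * 16}   # constructed
    result = deliver("banking-app", b"password123", dict(KNOWN_GOOD), keys)
    nonce, ct = result
    print("tunnel opened; ciphertext:", ct.hex())
    print("banking-app reads:", open_input(keys["banking-app"], nonce, ct))
    print("other-app reads:  ", open_input(keys["other-app"], nonce, ct))
    modified = dict(KNOWN_GOOD)
    modified["banking-app"] = "not-the-expected-build"
    print("modified app, tunnel:", deliver("banking-app", b"x", modified, keys))
```

Two refusals are worth noting in the model: a host whose application measurement differs from the known-good value is refused outright, and an attestation whose measurement list is edited after the tag was computed fails the tag check. A process holding a different application's key recovers only noise from the ciphertext.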
Quorum systems underlie numerous approaches for implementing intrusion-tolerant distributed
services. A quorum system over a universe of logical elements is a collection of subsets
(quorums) of elements, any two of which intersect. In implementations of intrusion-tolerant
distributed services, the elements of the universe reside on the nodes of a physical network and
the participants access the system by contacting every element in some quorum.
We have initiated a research program to study the network-centric costs that these quorum
accesses induce. Specifically, this year we studied algorithms to place universe elements on
the nodes of a physical network so as to minimize the network congestion that results from
quorum accesses, while also ensuring that no physical node is overloaded by access requests
from clients. We considered two models, one in which communication routes can be chosen
arbitrarily and one in which they are fixed in advance. We showed that in either model, the
optimal congestion (with respect to the load constraints) cannot be approximated to any factor
(unless P = NP). However, we showed that at most doubling the load on nodes allows us to
achieve a congestion that is close to this optimal value. We also provided initial steps to
elucidate the extent to which element migration can reduce congestion in this context.
A paper on this work was presented at the 2006 ACM Symposium on Principles of
Distributed Computing.
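The definitions above (a quorum system as pairwise-intersecting subsets, elements placed on physical nodes, clients contacting every element of a quorum) and the two cost measures of the placement problem (congestion on links versus load on nodes) as a worked example in Python. This is an added example, not the paper's algorithm: it builds a grid quorum system, checks the intersection property, fixes routes as BFS shortest paths from one client (the fixed-route model), and compares the congestion and load induced by a concentrated placement with those of a spread-out one. The network, node names and placements are constructed.

```python
"""Quorum placement cost model (constructed example, not the paper's algorithm).

Elements of a grid quorum system are placed on the nodes of a small physical
network. In the fixed-route model (shortest paths from one client) we compute
the per-link congestion and per-node load that a round of quorum accesses
induces, and compare a concentrated placement with a spread-out one.
"""
from collections import Counter
from itertools import combinations


def grid_quorums(n):
    """n x n grid quorum system over elements 0..n*n-1: each quorum is one full
    row together with one full column, so any two quorums share an element."""
    quorums = []
    for r in range(n):
        for c in range(n):
            row = {r * n + j for j in range(n)}
            col = {i * n + c for i in range(n)}
            quorums.append(frozenset(row | col))
    return quorums


def is_quorum_system(quorums):
    """Defining property: every pair of quorums has a non-empty intersection."""
    return all(a & b for a, b in combinations(quorums, 2))


def fixed_routes(adjacency, client):
    """Fixed-route model: the route from the client to every node is its BFS
    shortest path. Returns node -> list of links (each link a frozenset pair)."""
    parent = {client: None}
    queue = [client]
    for u in queue:
        for v in adjacency[u]:
            if v not in parent:
                parent[v] = u
                queue.append(v)
    routes = {}
    for node in parent:
        path, cur = [], node
        while parent[cur] is not None:
            path.append(frozenset((parent[cur], cur)))
            cur = parent[cur]
        routes[node] = path
    return routes


def access_costs(quorums, placement, routes):
    """Workload: the client accesses each quorum once, sending one message to
    every element of it. Returns (congestion, load): the message count on the
    busiest link and on the busiest node."""
    link_msgs, node_msgs = Counter(), Counter()
    for quorum in quorums:
        for element in quorum:
            node = placement[element]
            node_msgs[node] += 1
            for link in routes[node]:
                link_msgs[link] += 1
    return (max(link_msgs.values(), default=0),
            max(node_msgs.values(), default=0))


# Constructed network: client c with two subtrees of two leaves each.
NETWORK = {
    "c": ["a", "b"], "a": ["c", "a1", "a2"], "b": ["c", "b1", "b2"],
    "a1": ["a"], "a2": ["a"], "b1": ["b"], "b2": ["b"],
}
QUORUMS = grid_quorums(3)          # 9 quorums of 5 elements each
ROUTES = fixed_routes(NETWORK, "c")

# Concentrated placement: every element on a single node.
CONCENTRATED = {e: "a1" for e in range(9)}
# Spread placement: elements distributed over the four leaf nodes.
SPREAD = {0: "a1", 1: "a1", 2: "a1", 3: "a2", 4: "a2",
          5: "b1", 6: "b1", 7: "b2", 8: "b2"}

if __name__ == "__main__":
    assert is_quorum_system(QUORUMS)
    for name, placement in (("concentrated", CONCENTRATED), ("spread", SPREAD)):
        congestion, load = access_costs(QUORUMS, placement, ROUTES)
        print(f"{name:12s} congestion={congestion:3d} load={load:3d}")
```

In the 3 x 3 grid every element belongs to five quorums, so a full round of accesses sends 45 messages. Concentrating all nine elements on one leaf puts all 45 on that node and on each link of its route; spreading them over four leaves brings the busiest link down to 25 messages and the busiest node to 15. Trying placements under a per-node cap on elements is the load-constrained version of the question the paragraph above studies.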