<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Nov 7, 2021 at 1:36 AM Scott Bennett &lt;<a href="mailto:bennett@sdf.org">bennett@sdf.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
Because the obvious incentive for cheaters is in the direction of trying<br>
to get clients' route selectors to choose routes through more than a single<br>
relay operated by a given cheater, rather than the other way around, this<br>
looks to me like a "solution" in search of a problem unless I am missing<br>
some special scenario. Can someone enlighten me as to why this mechanism<br>
would be needed? I.e., when and why would a cheater want his relay(s) to be<br>
included in *any* families at all?<br>
<br></blockquote><div><br></div><div><div class="gmail_quote"><div>Hi, Scott!</div><div><br></div><div>You're
right that having your relay in a family means that it is less likely
to be chosen, on the whole. The reason that an attacker would include
their relay in a family is in order to increase the odds that, *when*
they are chosen, they can observe the path. As an attacker, you
wouldn't put all your relays in a given family: you'd put them in
different families.</div><div><br></div><div>As a simplified example,
suppose that all relays have equal bandwidth=1. Suppose that there are N
relays in the network and the attacker controls 2 of them.<br></div><div><br></div><div>If
the attacker does not claim membership in any family, then the
probability of them seeing the first and last hop of a random circuit is
`(2/N) * (1/(N-1))`. That is, one of their relays is selected for the
first hop with probability 2/N, and their other one is selected with
probability `1/(N-1)`.</div><div><br></div><div>Now suppose that one of
their relays claims membership in a family with F honest members, and
the other claims membership in a different family with G honest
members. Now the probability that they will be the first and last hop
on a random circuit becomes:<br></div><div><br></div><div>`(1/N) * (1/(N-1-F)) + (1/N) * (1/(N-1-G))`</div><div><br></div><div>In
other words, whenever a client picks one of the attacker's relays as a
first hop, a whole family's worth of relays will be excluded when the
client is choosing the last hop, which will in turn improve the
attacker's odds of getting both positions.</div></div><div class="gmail_quote"><br></div><div class="gmail_quote"><br></div><div class="gmail_quote">(Things
would get even worse if the attacker could _define_ families or join
multiple families. Suppose that one of the attacker's nodes declares
family membership with every relay in the network except for one other
attacker-controlled node. Then, whenever that first node was chosen,
the attacker would be certain to have its other one chosen as the exit.)</div><div class="gmail_quote"><br></div><div class="gmail_quote">Now
I realize that this attack is somewhat self-limiting, since it is less
helpful the larger the attacker becomes. Still, because of this attack
(and in case there are even better ones) it seems best to authenticate
family membership.</div><div class="gmail_quote"><br></div><div class="gmail_quote">cheers,</div><font color="#888888"><div class="gmail_quote">-- <br></div><div class="gmail_quote">Nick</div></font> <br></div></div></div>
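The probabilities in the message above, computed exactly by enumerating first hops under its simplified model. This is an added example, not part of the original message or of any Tor code; N = 1000, F = 50, G = 200, the relay ids and all function names are constructed for illustration.

```python
from fractions import Fraction

def both_ends_probability(n, attacker, families):
    """Exact chance that attacker relays are both first and last hop.

    Model from the message: n equal-bandwidth relays (ids 0..n-1); the first
    hop is uniform over all relays; the last hop is uniform over relays that
    are neither the first hop nor in a claimed family with it. Family claims
    (a list of sets of relay ids) are taken at face value, unauthenticated.
    """
    total = Fraction(0)
    for first in attacker:
        excluded = {first}
        for family in families:
            if first in family:
                excluded |= family
        candidates = set(range(n)) - excluded
        if candidates:  # an empty candidate set means no circuit can be built
            hits = len(candidates & attacker)
            total += Fraction(1, n) * Fraction(hits, len(candidates))
    return total

def closed_form(n, f, g):
    """The message's formula: (1/N)*(1/(N-1-F)) + (1/N)*(1/(N-1-G))."""
    return Fraction(1, n * (n - 1 - f)) + Fraction(1, n * (n - 1 - g))

N = 1000            # constructed network size
ATTACKER = {0, 1}   # the two attacker relays; ids 2..N-1 are honest

def no_family():
    return both_ends_probability(N, ATTACKER, [])

def two_families(f, g):
    # Relay 0 sits in a family with f honest relays, relay 1 with g others.
    fam_a = {0} | set(range(2, 2 + f))
    fam_b = {1} | set(range(2 + f, 2 + f + g))
    return both_ends_probability(N, ATTACKER, [fam_a, fam_b])

def family_with_everyone_else():
    # The parenthetical case: relay 0 declares every relay except relay 1.
    return both_ends_probability(N, ATTACKER, [set(range(N)) - {1}])

if __name__ == "__main__":
    for label, p in [("no family", no_family()),
                     ("F=50, G=200", two_families(50, 200)),
                     ("family with all but one", family_with_everyone_else())]:
        print(f"{label:26s} {p}  ~ {float(p):.3e}")
```

In this model the catch-all family raises the both-ends probability from 2/(N(N-1)) to 1/(N-1), a factor of N/2, which is the gap that authenticating family membership closes.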