commit f0365f4feb85ef66a55c308d3b46baea32e241b5 Author: Mike Perry <mikeperry-git@fscked.org> Date: Sat Jun 16 15:06:51 2012 -0700 Analyze a multidimensional surface? No problem! I rollerskate on that shit. This commit provides analysis to guide parameter choices for the path bias defense. It contains a standalone attack and defense simulation script, a results.txt with example output, and an observations.txt with comments to help work towards an answer for #6135. --- CircuitAnalysis/PathBias/observations.txt | 40 ++ CircuitAnalysis/PathBias/path_bias.py | 554 +++++++++++++++++++++++++++++ CircuitAnalysis/PathBias/results.txt | 152 ++++++++ 3 files changed, 746 insertions(+), 0 deletions(-) diff --git a/CircuitAnalysis/PathBias/observations.txt b/CircuitAnalysis/PathBias/observations.txt new file mode 100644 index 0000000..c283bbd --- /dev/null +++ b/CircuitAnalysis/PathBias/observations.txt @@ -0,0 +1,40 @@ +Analysis summary: + +1. Simulation confirms the raccoon's proof: Under a path bias attack with a + 100% accurate correlator, P(compromise) = c/n, where c is the amount of + capacity the path bias adversary *actually* carries. (This may be difficult + to achieve in practice, since you're actively rejecting capacity during the + attack, but PID feedback with the bw auths would fix that for you). + +3. With or without the defense, simply trying to fail less than PATH_BIAS_PCT + of your circuits is not substantially different than failing everything you + want. With the defense, your overall network-wide rate of compromise + doesn't change. The only thing that changes is the likelihood of getting + caught, and the number of circuits you get to observe per client. + +4. Against the defense, an adversary with full knowledge of the client's + current path bias parameter values can expect to evade detection, yet + still achieve: + P(compromise) <= (c/n)^2 * (100/PATH_BIAS_PCT) + circs_per_client <= circuit_attempts*(c/n) + +5. An adversary conducting a probabilistic attack of failing less than + PATH_BIAS_PCT of circuits in the long run can achieve similar, but + slightly lower bounds. + + +Optimization problem: +Tradeoff a large spread between PATH_BIAS_PCT and the ambient success rate vs +a large MIN_CIRCS rate. Need to measure ambient success rate to do this. + +Other Questions: +Can the adversary really track a client's current count values? Can we +prevent this with randomization? + +Action items/Conclusions: +Parameter choice seems to be blocked on getting a good measure of the ambient +success rate, however the following immediate conclusions seem clear: + +1. We should transform SCALE_FACTOR into a percent, and make it high. Like 95. +2. We might want to use a separate, lower PATH_BIAS_PCT before SCALE_THRESHOLD. +3. After SCALE_THRESHOLD, PATH_BIAS_PCT can be pretty high for notice and warn diff --git a/CircuitAnalysis/PathBias/path_bias.py b/CircuitAnalysis/PathBias/path_bias.py new file mode 100755 index 0000000..621e2c1 --- /dev/null +++ b/CircuitAnalysis/PathBias/path_bias.py @@ -0,0 +1,554 @@ +#!/usr/bin/python + +import random + +# TODO: +# Q: What quantity of middle bandwidth do you need to kill guards? +# A: Intuitively, you need the disable rate % of bandwidth, but you +# might have some edge cases to exploit with min_circs. + +PATH_BIAS_PCT = 70 + +# XXX: Min_circs only actives the "notice" level logs +PATH_BIAS_MIN_CIRCS = 20 + +# XXX: An int divisor was wrong here. Fix that in Tor. We might +# even want a weighted moving average, but that will be trickier +# to analyze. +PATH_BIAS_SCALE_FACTOR = 95 +PATH_BIAS_SCALE_THRESHOLD = 250 + +# XXX: We should only emit warnings if we are above the scaling threshhold.. +PATH_BIAS_WARN_CIRCS = PATH_BIAS_SCALE_THRESHOLD*(PATH_BIAS_SCALE_FACTOR/100.0) + +############################################################# + +# FIXME: haxxx. Who cares, though? +def reset_globals(): + global PATH_BIAS_PCT + global PATH_BIAS_MIN_CIRCS + global PATH_BIAS_SCALE_FACTOR + global PATH_BIAS_SCALE_THRESHOLD + global PATH_BIAS_WARN_CIRCS + + PATH_BIAS_PCT = 70 + PATH_BIAS_MIN_CIRCS = 20 + PATH_BIAS_SCALE_FACTOR = 95 + PATH_BIAS_SCALE_THRESHOLD = 250 + PATH_BIAS_WARN_CIRCS = PATH_BIAS_SCALE_THRESHOLD*(PATH_BIAS_SCALE_FACTOR/100.0) + + +####################### Guard Types ######################### + +# Normal Guard experiences the average circuit failure rate +# of the network as a whole +class Guard: + def __init__(self, succeed_rate): + self.first_hops_total = 0 + self.success_total = 0 + + self._first_hops = 0 + self._success = 0 + self.succeed_rate = succeed_rate + self.rejected_count = 0 + + def reset(self): + self._success = 0 + self._first_hops = 0 + + def reject_if_bad(self): + if self.is_bad(): + self.reset() + self.rejected_count += 1 + + def reject_rate(self): + return self.rejected_count/float(self.first_hops_total) + + def _get_rate(self): + return self._success/float(self._first_hops) + + def is_bad(self): + return self._first_hops >= PATH_BIAS_MIN_CIRCS and \ + (self._get_rate() < (PATH_BIAS_PCT/100.0)) + + def build_circuit(self): + self._inc_first_hop() + if random.random() < self.succeed_rate: + self._inc_success() + + # Client may give up on us after this circuit + self.reject_if_bad() + + def circ_fail_count(self): + return self._first_hops - self._success + + def _inc_first_hop(self): + self._first_hops += 1 + self.first_hops_total += 1 + if self._first_hops > PATH_BIAS_SCALE_THRESHOLD: + self._first_hops *= PATH_BIAS_SCALE_FACTOR/100.0 + self._success *= PATH_BIAS_SCALE_FACTOR/100.0 + + def _inc_success(self): + self._success += 1 + self.success_total += 1 + +# EvilGuard collects statistics on how evil he is, but doesn't +# actually implement any evilness +class EvilGuard(Guard): + def __init__(self, succeed_rate, adversary_capacity): + Guard.__init__(self, succeed_rate) + self.adversary_capacity = adversary_capacity # c/n probability of malicious exit + self.capture_count = 0 + + def pwnt_per_client(self): + return self.capture_count/float(self.rejected_count+1) + + def capture_rate(self): + return self.capture_count/float(self.first_hops_total) + + def compromise_rate(self): + return self.capture_count/float(self.success_total) + +# PassiveEvilGuard uses a non-destructive long-term timing-based +# tagging attack to fully correlate circuits end-to-end with 100% +# accuracy. PassiveEvilGuard does not kill any circuits. +class PassiveEvilGuard(EvilGuard): + def __init__(self, succeed_rate, adversary_capacity): + EvilGuard.__init__(self, succeed_rate, adversary_capacity) + + def build_circuit(self): + self._inc_first_hop() + + # The presence of a malicious exit is a prior probability governed by the + # client. Decide it now. + got_malicious_exit = False + if random.random() < self.adversary_capacity: + got_malicious_exit = True + + if random.random() < self.succeed_rate: + if got_malicious_exit: # via timing-based tagging attack + self._inc_success() + self.capture_count += 1 + else: + self._inc_success() # "Better luck next time :/" + + # Client may give up on us after this circuit + self.reject_if_bad() + +# UnrepentantEvilGuard uses a destructive tagging attack to +# fully correlate circuits end-to-end with 100% +# accuracy, as well as to kill uncorrelated circuits. +# +# UnrepentantEvilGuard doesn't care if there is a defense or +# not. +class UnrepentantEvilGuard(EvilGuard): + def __init__(self, succeed_rate, adversary_capacity): + EvilGuard.__init__(self, succeed_rate, adversary_capacity) + + def build_circuit(self): + self._inc_first_hop() + + # The presence of a malicious exit is a prior probability governed by the + # client. Decide it now. + got_malicious_exit = False + if random.random() < self.adversary_capacity: + got_malicious_exit = True + + if random.random() < self.succeed_rate: + if got_malicious_exit: # via tagging attack + self._inc_success() + self.capture_count += 1 + else: + pass # "We can't deanon it? Who cares then?" + + # Client may give up on us after this circuit + self.reject_if_bad() + +# OmniscientEvilGuard is the worst-case adversary against +# the path bias counters implemented in Tor 0.2.3.17. +# +# OmniscientEvilGuard knows client path counts, when they are about to +# think it's bad, and when they scale, and tries to use all of these +# to fail what it can to bias client paths without appearing bad to +# them. +# +# Further in favor of the adversary, we assume that their circuit +# failure rate is actually less than the network average by +# the fraction of the network that they control (because the rest +# of the network experiences this circuit failure as part of the +# average failure). +# +# Further still, OmnscientEvilGuard is *so* omnsicient, it even knows +# when circuits will fail due to ambient noise, so it never gets +# killed by chance. (It is debatable how much this helps.. a +# smart adversary could play the stats close enough to the line +# to approach this omniscience asymptotically). +# +# Note: These omniscience assumptions all favor the attacker, +# but they also simplify analysis to get worst-case bounds easily. +# +# XXX: Introducing some fuzz into our scaling count and/or rate might +# help remove this exact omniscience in practice? +class OmniscientEvilGuard(EvilGuard): + def __init__(self, succeed_rate, adversary_capacity): + EvilGuard.__init__(self, succeed_rate, adversary_capacity) + + def look_ahead(self, n): + self.prev_first_hops = self._first_hops + self.prev_success = self._success + self.prev_first_hops_total = self.first_hops_total + self.prev_success_total = self.success_total + for i in xrange(n): + self._inc_first_hop() + + def stop_looking(self): + self._first_hops = self.prev_first_hops + self._success = self.prev_success + self.first_hops_total = self.prev_first_hops_total + self.success_total = self.prev_success_total + + # This guard should never get caught + def reject_if_bad(self): + assert not self.is_bad() + + def build_circuit(self): + self._inc_first_hop() + + # The presence of a malicious exit is a prior probability governed by the + # client. Decide it now. + got_malicious_exit = False + if random.random() < self.adversary_capacity: + got_malicious_exit = True + + # In reality, OmniscientEvilGuard sees less failure because some + # of the failure in the network is due to other colluding nodes. + #if random.random() < self.succeed_rate + self.adversary_capacity: + # + # Note: We cut this out, because it favors the attacker to do so. + # It removes the risk of elimination by chance (which they could mitigate + # for an unknown but possibly small cost). + if True: + if got_malicious_exit: # via tagging attack + self.capture_count += 1 + self._inc_success() # "We built a circuit! Yay!" + else: + # Look-ahead only needs to be non-zero to mitigate risk of random rejection + self.look_ahead(0) + if (self._get_rate() <= (PATH_BIAS_PCT/100.0)): + self.stop_looking() + self._inc_success() # "I better be good! don't want to get caught.." + else: + pass # Fail the circuit by doing nothing. It's not useful + + # Client may give up on us after this circuit + self.reject_if_bad() + +# ProbabalisticEvilGuard only fails untagged circuits pct_below_path_bias +# below the warning rate +class ProbabalisticEvilGuard(EvilGuard): + def __init__(self, succeed_rate, adversary_capacity, pct_below_path_bias): + EvilGuard.__init__(self, succeed_rate, adversary_capacity) + # FIXME: There may be an optimal point where pct_below_path_bias + # is the lowest possible value that the adversary expects to control? + # Doesn't seem to be worth probing, though + self.path_bias_rate = (PATH_BIAS_PCT - pct_below_path_bias)/100.0 + assert self.path_bias_rate <= 1.0 + + def build_circuit(self): + self._inc_first_hop() + + # The presence of a malicious exit is a prior probability governed by the + # client. Decide it now. + got_malicious_exit = False + if random.random() < self.adversary_capacity: + got_malicious_exit = True + + # ProbabalisticGamingGuard sees less failure because some + # of the failure in the network is due to other colluding nodes. + if random.random() < self.succeed_rate + self.adversary_capacity: + if got_malicious_exit: # via tagging attack + self._inc_success() + self.capture_count += 1 + elif not self.success_total or \ + self.success_total/float(self.first_hops_total) <= self.path_bias_rate: + # "Uh oh, we're failing too much, better let some through" + self._inc_success() + else: + pass # Fail the circuit by doing nothing. It's not useful + + # Client may give up on us after this circuit + self.reject_if_bad() + +####################### Testing and Simulation ######################### + +def simulate_circs_until(g, circ_count, say_when): + for i in xrange(circ_count): + g.build_circuit() + if say_when(g): + return True + + return say_when(g) + +# Variables: +# success_rate +# PATH_BIAS_MIN_CIRCS = 20 +# PATH_BIAS_PCT = 70 +def notice_false_positive_test(trials, success_rate, min_circs, path_bias_pct): + # FIXME: Look it's just easier this way, ok? Get off my back already + global PATH_BIAS_MIN_CIRCS + global PATH_BIAS_PCT + PATH_BIAS_MIN_CIRCS = min_circs + PATH_BIAS_PCT = path_bias_pct + + g = Guard(success_rate) + + for i in xrange(1+trials/min_circs): + simulate_circs_until(g, PATH_BIAS_SCALE_THRESHOLD, lambda g: False) + g.reset() + + #print g._get_rate() + + return g.reject_rate() + +def reject_false_positive_test(trials, success_rate, scale_circs, path_bias_pct): + # FIXME: Look it's just easier this way, ok? Get off my back already + global PATH_BIAS_MIN_CIRCS + global PATH_BIAS_SCALE_THRESHOLD + global PATH_BIAS_PCT + PATH_BIAS_SCALE_THRESHOLD = scale_circs + PATH_BIAS_PCT = path_bias_pct + + g = Guard(success_rate) + + # Ignore startup. We don't reject then. + simulate_circs_until(g, PATH_BIAS_SCALE_THRESHOLD, lambda g: False) + g.rejected_count = 0 + + simulate_circs_until(g, trials, lambda g: False) + + #print g._get_rate() + + return g.reject_rate() + +def generic_rate_test(g, trials, success_rate, adversary_capacity, path_bias_pct, rate_fcn): + # FIXME: Look it's just easier this way, ok? Get off my back already + global PATH_BIAS_PCT + PATH_BIAS_PCT = path_bias_pct + + simulate_circs_until(g, trials, lambda g: False) + + if not isinstance(g, UnrepentantEvilGuard): + assert not g.is_bad() + + return rate_fcn(g) + +################ Multi-Dementianal Analysis ##################### + +# If brute force doesn't work, you're not using enough +def brute_force(cmptr, functor, ranges, increment): + testpoint = map(lambda p: p[0], ranges) + maxpoint = testpoint + maxval = functor(*testpoint) + + print "New extrema at "+str(maxpoint)+": "+str(maxval) + + for dementia in xrange(len(ranges)): + if increment[dementia] > 0: + cmpr = lambda x, y: x<y + else: + cmpr = lambda x, y: x>y + + value = ranges[dementia][0] + while cmpr(value, ranges[dementia][1]): + value += increment[dementia] + testpoint[dementia] = value + val = functor(*testpoint) + if cmptr(val, maxval): + maxval = val + maxpoint = testpoint + print "New extrema at "+str(maxpoint)+": "+str(maxval) + + # FIXME: Haxx + reset_globals() + + return maxpoint + + +def surface_plot(functor, startpoint, ranges, increment): + pass + +def gradient_descent(functor, startpoint, ranges, increment): + # Warning, mentat: If brute force doesn't work, you're not using enough + # It might be wise to try to get a 3d color plot/heatmap/some other + # visualization before attempting this? + pass + +def main(): + #random.seed(23) + + if True: + print "==================== P(Compromise|Guard) ==========================" + + print "\nPassiveEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]:" + print "(As expected, P(CompromisedExit|PassiveEvilGuard) ~= c/n)" + print brute_force(lambda x,y: x>y, + lambda t, a,b,c: + generic_rate_test(PassiveEvilGuard(a,b), t, a,b,c, + lambda g: + g.compromise_rate()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(10000,10000), (0.75,0.75), (0.05,0.85), (70, 70)], + [0, 0, 0.2, 5]) + + + print "\nUnrepentantEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]:" + print "(As expected, P(CompromisedExit|UnrepentantEvilGuard) = 1.0)" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(UnrepentantEvilGuard(a,b), t,a,b,c, + lambda g: + g.compromise_rate()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(10000,10000), (0.75,0.75), (0.05,0.85), (70, 70)], + [0, 0, 0.2, 5]) + + print "\nProbabalisticEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]:" + print "P(CompromisedExit|ProbabalisticEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT)" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(ProbabalisticEvilGuard(a,b,5), + t,a,b,c, + lambda g: + g.compromise_rate()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(10000,10000), (0.75,0.75), (0.05,0.85), (70, 70)], + [0, 0, 0.2, 5]) + + print "\nOmniscientEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]:" + print "P(CompromisedExit|OmniscientEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT)" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(OmniscientEvilGuard(a,b), t,a,b,c, + lambda g: + g.compromise_rate()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(10000,10000), (0.75,0.75), (0.05,0.85), (70, 70)], + [0, 0, 0.2, 5]) + + print "\nOmniscientEvilGuard compromise at [success_rate, adversary_capacity, path_bias_pct]:" + print "P(CompromisedExit|OmniscientEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT)" + print brute_force(lambda x,y: x<y, + lambda t,a,b,c: + generic_rate_test(OmniscientEvilGuard(a,b), t,a,b,c, + lambda g: + g.compromise_rate()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(10000,10000), (0.75,0.75), (0.20,0.20), (20, 80)], + [0, 0, 0.05, 20]) + + if True: + print "\n\n==================== Circuits pwnt per client =========================" + + print "\nUnrepentantEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]:" + print "circs_per_client ~= success_rate*c/n*MIN_CIRCS for c/n < PATH_BIAS_PCT || c/n < success_rate" + print " ~= success_rate*circ_attempts*c/n for c/n > PATH_BIAS_PCT && c/n > success_rate" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(UnrepentantEvilGuard(a,b), t,a,b,c, + lambda g: + g.pwnt_per_client()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(100000,100000), (0.75,0.75), (0.05,0.85), (50, 50)], + [0, 0, 0.2, 5]) + + print "\nPassiveEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]:" + print "circs_per_client ~= success_rate * circ_attempts * c/n" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(PassiveEvilGuard(a,b), + t,a,b,c, + lambda g: + g.pwnt_per_client()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(100000,100000), (0.75,0.75), (0.05,0.85), (50, 50)], + [0, 0, 0.2, 5]) + + print "\nProbabalisticEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]:" + print "circs_per_client ~= success_rate * circ_attempts * c/n" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(ProbabalisticEvilGuard(a,b,5), + t,a,b,c, + lambda g: + g.pwnt_per_client()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(100000,100000), (0.75,0.75), (0.05,0.85), (50, 50)], + [0, 0, 0.2, 5]) + + print "\nOmniscientEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]:" + print "circs_per_client ~= circ_attempts * c/n" + print brute_force(lambda x,y: x>y, + lambda t,a,b,c: + generic_rate_test(OmniscientEvilGuard(a,b), t,a,b,c, + lambda g: + g.pwnt_per_client()), + #generic_rate_test(trials, success_rate, adversary_capacity, path_bias_pct): + [(100000,100000), (0.75,0.75), (0.05,0.85), (50, 50)], + [0, 0, 0.2, 5]) + + + if True: + print "\n\n===================== FALSE POSITIVES ============================" + + print "\nNotice false positive rates at [trials, success_rate, min_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs min_circs)" + print brute_force(lambda x,y: x<y, + notice_false_positive_test, + #false_positive_test(trials, success_rate, min_circs, path_bias_pct): + [(100000,100000), (0.65, 0.65), (50,250), (70, 70)], + [0, -0.1, 50, 5]) + + print "\nNotice false positive rates at [trials, success_rate, min_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs min_circs)" + print brute_force(lambda x,y: x<y, + notice_false_positive_test, + #false_positive_test(trials, success_rate, min_circs, path_bias_pct): + [(100000,100000), (0.70, 0.70), (50,500), (70, 70)], + [0, -0.1, 50, 5]) + + print "\nNotice false positives at [trials, success_rate, min_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs min_circs)" + print brute_force(lambda x,y: x<y, + notice_false_positive_test, + #false_positive_test(trials, success_rate, min_circs, path_bias_pct): + [(100000,100000), (0.75, 0.75), (20,400), (70, 70)], + [0, -0.1, 20, 5]) + + print "\nReject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs scale_circs)" + print brute_force(lambda x,y: x<y, + reject_false_positive_test, + #false_positive_test(trials, success_rate, scale_circs, path_bias_pct): + [(1000000,1000000), (0.65, 0.65), (50,250), (70, 70)], + [0, -0.1, 50, 5]) + + print "\nReject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs scale_circs)" + print brute_force(lambda x,y: x<y, + reject_false_positive_test, + #false_positive_test(trials, success_rate, scale_circs, path_bias_pct): + [(1000000,1000000), (0.70, 0.70), (50,500), (70, 70)], + [0, -0.1, 50, 5]) + + print "\nReject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]:" + print "(Results are some function of success_rate - path_bias_pct vs scale_circs)" + print brute_force(lambda x,y: x<y, + reject_false_positive_test, + #false_positive_test(trials, success_rate, scale_circs, path_bias_pct): + [(1000000,1000000), (0.75, 0.75), (50,500), (70, 70)], + [0, -0.1, 50, 5]) + + +if __name__ == "__main__": + main() #sys.argv) diff --git a/CircuitAnalysis/PathBias/results.txt b/CircuitAnalysis/PathBias/results.txt new file mode 100644 index 0000000..4293851 --- /dev/null +++ b/CircuitAnalysis/PathBias/results.txt @@ -0,0 +1,152 @@ +==================== P(Compromise|Guard) ========================== + +PassiveEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]: +(As expected, P(CompromisedExit|PassiveEvilGuard) ~= c/n) +New extrema at [10000, 0.75, 0.05, 70]: 0.052610548748 +New extrema at [10000, 0.75, 0.25, 70]: 0.250574712644 +New extrema at [10000, 0.75, 0.45, 70]: 0.455518836748 +New extrema at [10000, 0.75, 0.65, 70]: 0.64692513369 +New extrema at [10000, 0.75, 0.8500000000000001, 70]: 0.851249664069 +[10000, 0.75, 0.8500000000000001, 70] + +UnrepentantEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]: +(As expected, P(CompromisedExit|UnrepentantEvilGuard) = 1.0) +New extrema at [10000, 0.75, 0.05, 70]: 1.0 +[10000, 0.75, 0.8500000000000001, 70] + +ProbabalisticEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]: +P(CompromisedExit|ProbabalisticEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT) +New extrema at [10000, 0.75, 0.05, 70]: 0.0615289955391 +New extrema at [10000, 0.75, 0.25, 70]: 0.381941239809 +New extrema at [10000, 0.75, 0.45, 70]: 0.686913732124 +New extrema at [10000, 0.75, 0.65, 70]: 0.993549377976 +New extrema at [10000, 0.75, 0.8500000000000001, 70]: 1.0 +[10000, 0.75, 0.8500000000000001, 70] + +OmniscientEvilGuard compromise rate at [success_rate, adversary_capacity, path_bias_pct]: +P(CompromisedExit|OmniscientEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT) +New extrema at [10000, 0.75, 0.05, 70]: 0.0680291553523 +New extrema at [10000, 0.75, 0.25, 70]: 0.356724310419 +New extrema at [10000, 0.75, 0.45, 70]: 0.646151649293 +New extrema at [10000, 0.75, 0.65, 70]: 0.917728688757 +New extrema at [10000, 0.75, 0.8500000000000001, 70]: 1.0 +[10000, 0.75, 0.8500000000000001, 70] + +OmniscientEvilGuard compromise at [success_rate, adversary_capacity, path_bias_pct]: +P(CompromisedExit|OmniscientEvilGuard) <= (c/n)*(100/PATH_BIAS_PCT) +New extrema at [10000, 0.75, 0.2, 20]: 0.927127409497 +New extrema at [10000, 0.75, 0.2, 40]: 0.497260956175 +New extrema at [10000, 0.75, 0.2, 60]: 0.328728362184 +New extrema at [10000, 0.75, 0.2, 80]: 0.257664872982 +[10000, 0.75, 0.2, 80] + + +==================== Circuits pwnt per client ========================= + +UnrepentantEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]: +circs_per_client ~= success_rate*c/n*MIN_CIRCS for c/n < PATH_BIAS_PCT || c/n < success_rate + ~= success_rate*circ_attempts*c/n for c/n > PATH_BIAS_PCT && c/n > success_rate +New extrema at [100000, 0.75, 0.05, 50]: 0.742451509698 +New extrema at [100000, 0.75, 0.25, 50]: 3.73414682937 +New extrema at [100000, 0.75, 0.45, 50]: 6.91443298969 +New extrema at [100000, 0.75, 0.65, 50]: 30.9604339502 +New extrema at [100000, 0.75, 0.8500000000000001, 50]: 63741.0 +[100000, 0.75, 0.8500000000000001, 50] + +PassiveEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]: +circs_per_client ~= success_rate * circ_attempts * c/n +New extrema at [100000, 0.75, 0.05, 50]: 3657.0 +New extrema at [100000, 0.75, 0.25, 50]: 18619.0 +New extrema at [100000, 0.75, 0.45, 50]: 33849.0 +New extrema at [100000, 0.75, 0.65, 50]: 49115.0 +New extrema at [100000, 0.75, 0.8500000000000001, 50]: 63625.0 +[100000, 0.75, 0.8500000000000001, 50] + +ProbabalisticEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]: +circs_per_client ~= success_rate * circ_attempts * c/n +New extrema at [100000, 0.75, 0.05, 50]: 4036.0 +New extrema at [100000, 0.75, 0.65, 50]: 65053.0 +New extrema at [100000, 0.75, 0.8500000000000001, 50]: 85187.0 +[100000, 0.75, 0.8500000000000001, 50] + +OmniscientEvilGuard compromised circs at [success_rate, adversary_capacity, path_bias_pct]: +circs_per_client ~= circ_attempts * c/n +New extrema at [100000, 0.75, 0.05, 50]: 4936.0 +New extrema at [100000, 0.75, 0.25, 50]: 25097.0 +New extrema at [100000, 0.75, 0.45, 50]: 44944.0 +New extrema at [100000, 0.75, 0.65, 50]: 65078.0 +New extrema at [100000, 0.75, 0.8500000000000001, 50]: 84984.0 +[100000, 0.75, 0.8500000000000001, 50] + + +===================== FALSE POSITIVES ============================ + +Notice false positive rates at [trials, success_rate, min_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs min_circs) +New extrema at [100000, 0.65, 50, 70]: 0.0151544227886 +New extrema at [100000, 0.65, 100, 70]: 0.00748851148851 +New extrema at [100000, 0.65, 150, 70]: 0.00394002998501 +New extrema at [100000, 0.65, 250, 70]: 0.00385037406484 +[100000, 0.65, 250, 70] + +Notice false positive rates at [trials, success_rate, min_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs min_circs) +New extrema at [100000, 0.7, 50, 70]: 0.0087836081959 +New extrema at [100000, 0.7, 100, 70]: 0.00484715284715 +New extrema at [100000, 0.7, 150, 70]: 0.00275262368816 +New extrema at [100000, 0.7, 200, 70]: 0.00241916167665 +New extrema at [100000, 0.7, 250, 70]: 0.00180548628429 +New extrema at [100000, 0.7, 300, 70]: 0.0 +[100000, 0.7, 500, 70] + +Notice false positives at [trials, success_rate, min_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs min_circs) +New extrema at [100000, 0.75, 20, 70]: 0.00484143171366 +New extrema at [100000, 0.75, 40, 70]: 0.00279088364654 +New extrema at [100000, 0.75, 60, 70]: 0.00188602279544 +New extrema at [100000, 0.75, 80, 70]: 0.00137170263789 +New extrema at [100000, 0.75, 100, 70]: 0.000995004995005 +New extrema at [100000, 0.75, 120, 70]: 0.000834532374101 +New extrema at [100000, 0.75, 140, 70]: 0.000581818181818 +New extrema at [100000, 0.75, 160, 70]: 0.000472843450479 +New extrema at [100000, 0.75, 200, 70]: 0.000287425149701 +New extrema at [100000, 0.75, 240, 70]: 0.000143884892086 +New extrema at [100000, 0.75, 260, 70]: 0.0 +[100000, 0.75, 400, 70] + +Reject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs scale_circs) +New extrema at [1000000, 0.65, 50, 70]: 0.0346242687866 +New extrema at [1000000, 0.65, 100, 70]: 0.0328767123288 +New extrema at [1000000, 0.65, 150, 70]: 0.0322721591761 +New extrema at [1000000, 0.65, 200, 70]: 0.0318086382723 +New extrema at [1000000, 0.65, 250, 70]: 0.0317770557361 +[1000000, 0.65, 250, 70] + +Reject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs scale_circs) +New extrema at [1000000, 0.7, 50, 70]: 0.019617019149 +New extrema at [1000000, 0.7, 100, 70]: 0.014500549945 +New extrema at [1000000, 0.7, 150, 70]: 0.0125621156826 +New extrema at [1000000, 0.7, 200, 70]: 0.0109148170366 +New extrema at [1000000, 0.7, 250, 70]: 0.00958460384904 +New extrema at [1000000, 0.7, 300, 70]: 0.00869939018295 +New extrema at [1000000, 0.7, 350, 70]: 0.00858299595142 +New extrema at [1000000, 0.7, 400, 70]: 0.00795681727309 +New extrema at [1000000, 0.7, 450, 70]: 0.00731071018042 +New extrema at [1000000, 0.7, 500, 70]: 0.00690254872564 +[1000000, 0.7, 500, 70] + +Reject false positive rates at [trials, success_rate, scale_circs, path_bias_pct]: +(Results are some function of success_rate - path_bias_pct vs scale_circs) +New extrema at [1000000, 0.75, 50, 70]: 0.00594470276486 +New extrema at [1000000, 0.75, 100, 70]: 0.00212178782122 +New extrema at [1000000, 0.75, 150, 70]: 0.000978853172024 +New extrema at [1000000, 0.75, 200, 70]: 0.000467906418716 +New extrema at [1000000, 0.75, 250, 70]: 0.000266933266683 +New extrema at [1000000, 0.75, 300, 70]: 0.000119964010797 +New extrema at [1000000, 0.75, 350, 70]: 7.99720097966e-05 +New extrema at [1000000, 0.75, 400, 70]: 3.59856057577e-05 +New extrema at [1000000, 0.75, 450, 70]: 1.99910040482e-05 +New extrema at [1000000, 0.75, 500, 70]: 2.99850074963e-06 +[1000000, 0.75, 500, 70]