[tech-reports/master] adding section on obfuscation techniques - tor-commits

17 Jun 2015

commit f586165e9f9e0f5e1c2b62c85c1ac776248837b6
Author: A. Johnson aaron.m.johnson@nrl.navy.mil
Date:   Tue Dec 23 10:00:21 2014 -0600
adding section on obfuscation techniques
---
 2015/hidden-service-stats/hidden-service-stats.tex |   60 +++++++++++++++++++-
 1 file changed, 59 insertions(+), 1 deletion(-)

diff --git a/2015/hidden-service-stats/hidden-service-stats.tex b/2015/hidden-service-stats/hidden-service-stats.tex
index 7760e83..d4b586e 100644
--- a/2015/hidden-service-stats/hidden-service-stats.tex
+++ b/2015/hidden-service-stats/hidden-service-stats.tex
@@ -353,7 +353,8 @@ for the future that says \emph{why} they are a bad idea.
 We start with statistics that are not specific to the three roles of
 relays in the hidden-service protocol, but that apply to all of them.
-\subsubsection{Time from circuit extension to circuit purpose change}
+\subsubsection{Time from circuit extension to circuit purpose change} 
+\label{subsubsec:time_circ_ext_to_purpose_change}
% (the following distinction cannot be made, AFAIK.  here's what happens:
 % we receive a CREATE (?) cell from another relay that establishes the
@@ -489,6 +490,7 @@ We would learn what fraction of clients and what fraction of services run
 older tor versions (0.2.3.x or older).
\subsubsection{Time from circuit purpose change to tearing down circuit}
+\label{subsubsec:time_circ_purpose_change_to_teardown}
\textbf{Details:}
 %
@@ -527,6 +529,7 @@ relay got chosen X times instead of the measured average Y.
\subsubsection{Time from establishing introduction point to tearing down
 circuit (1.1.4.)}
+\label{subsubsec:time_intro_to_teardown}
\textbf{Details:}
 %
@@ -545,6 +548,7 @@ available for a short time only, and what fraction is available most of
 the time.
\subsubsection{Number of descriptor publish request (3.1.1.)}
+\label{subsubsec:num_descriptor_publish}
\textbf{Details:}
 %
@@ -589,6 +593,7 @@ This is a bit related to differential privacy as we understand it, but
 much more basic.
\subsubsection{Number of descriptor updates per service (3.1.2.)}
+\label{subsubsec:num_decriptor_updates}
\textbf{Details:}
 %
@@ -1076,6 +1081,59 @@ The benefit gained from this statistic is not huge though.
 %
 No obvious risks.
+\section{Obfuscation methodology}
+The published statistics shouldn't reveal private information to an
+adversary when combined with plausible background knowledge. We will use
+techniques to provide uncertainty about any specific hidden service,
+client, or connection, while maintaining good accuracy in the aggregate
+statistics. These techniques include
+\begin{itemize}
+\item Releasing aggregate statistics over time, such as total counts or
+averages in a given period
+\item Adding noise (i.e. random inaccuracy)
+\item Limiting accuracy to a certain granularity via rounding (aka
+``binning'')
+\item Adding time-delay to the release of statistics such that the output
+doesn't reveal information about ongoing activity
+\item Using cryptographic techniques to hide the source of information,
+such as anonymizing reports from individual relays
+\end{itemize}
+
+
+\subsection{Adversary knowledge}
+We can expect that the adversary may know things such as
+\begin{itemize}
+\item The addresses of a large number of publicly-available services
+(e.g. by crawling the Web)
+\item A minimum amount of traffic received by a given hidden service
+(e.g. due to sending that traffic himself)
+\item The introduction points of a service (by obtaining the descriptor)
+\item The availability of the service (by attempting to connect
+periodically)
+\item Roughly the number of client connections and amount of client
+traffic (possibly leaked by the service itself, e.g. a web forum)
+\end{itemize}
+
+\subsection{Counts}
+
+\subsection{Distributions}
+For many statistics, it would be very helpful to understand the
+distribution of values. For example, such information about descriptor
+fetches could reveal if most hidden services are never used or if
+there are a few hidden services that constitute most HS activity.
+Releasing information about the distribution of statistics could be useful
+for the following statistics:
+\begin{itemize}
+\item Time from circuit extension to circuit purpose change
+(Sec.~\ref{subsubsec:time_circ_ext_to_purpose_change})
+\item Time from circuit purpose change to tearing down circuit
+(Sec.~\ref{subsubsec:time_circ_purpose_change_to_teardown}
+\item Time from establishing introduction point to tearing down
+circuit (Sec.~\ref{subsubsec:time_intro_to_teardown})
+\item Number of descriptor updates per service
+(Sec.~\ref{subsubsec:num_decriptor_updates})
+\end{itemize}
+
 \section{Recommendation}
 \label{sec:recommendation}

    