because "the right distribution" is a function of which adversary you're considering, and once you consider k adversaries at once, no single distribution will be optimal for all of them.)
Granted. But since we're speaking of idealizations, I say take the expected value over the distributions, weighted by the probability of each adversary. In application this would be a distribution that, although unlikely to be optimal against any specific adversary, has robust hardness across a wide variety of adversaries.
Or, if that distribution is unclear, pick the distribution of exit relays with the highest minimum hardness. This reminds me of the average-entropy vs min-entropy question for quantifying anonymity. I'd be content with either solution, and with regard to Roster I'm not sure the difference will matter much. I am simply asking the more knowledgeable for their opinion and recommendation. Is there one?
-V
On Wed, Sep 23, 2015 at 2:47 PM Roger Dingledine arma@mit.edu wrote:
On Wed, Sep 23, 2015 at 06:26:47AM +0000, Yawning Angel wrote:
On Wed, 23 Sep 2015 06:18:58 +0000 Virgil Griffith i@virgil.gr wrote:
- Would the number of exit nodes constitute exactly 1/3 of all Tor
nodes? Would the total exit node bandwidth constitute 1/3 of all Tor bandwidth?
No. There needs to be more interior bandwidth than externally facing bandwidth since not all Tor traffic traverses through an Exit (Directory queries, anything to do with HSes).
The total Exit bandwidth required is always <= the total amount of Guard + Bridge bandwidth, but I do not have HS utilization or Directory query overhead figures to give an accurate representation of how much less.
On the flip side, in *my* idealized Tor network, all of the relays are exit relays.
If only 1/3 of all Tor relays are exit relays, then the diversity of possible exit points is much lower than if you could exit from all the relays. That lack of diversity would mean that it's easier for a relay adversary to operate or compromise relays to attack traffic, and it's easier for a network adversary to see more of the network than we'd like.
(In an idealized Tor network, the claim about the network adversary might not actually be true. If you have exit relays in just the right locations, and capacity is infinite compared to demand, then the network adversary will learn the same amount whether the other relays are exit relays or not. But I think it is a stronger assumption to assume that we have exactly the right distribution of exit relay locations -- especially because "the right distribution" is a function of which adversary you're considering, and once you consider k adversaries at once, no single distribution will be optimal for all of them.)
--Roger
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
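A toy comparison of the two selection rules discussed in this thread (probability-weighted expected hardness versus highest minimum hardness), with the average-entropy versus min-entropy analogy alongside; this is an added example, not code from the thread, from Tor, or from Roster. The relays, adversaries, prior, candidate distributions, and the definition of hardness as 1 minus the probability that an adversary observes the chosen exit are all constructed assumptions.

```python
import math

# Constructed toy data (assumption): 4 exit relays, 3 adversaries.
# OBSERVES[a][r] = probability that adversary a sees traffic exiting at relay r.
OBSERVES = {
    "relay_adversary":     [0.9, 0.1, 0.1, 0.1],
    "network_adversary_a": [0.1, 0.8, 0.8, 0.1],
    "network_adversary_b": [0.2, 0.2, 0.6, 0.7],
}
# Assumed prior probability of facing each adversary.
PRIOR = {"relay_adversary": 0.6, "network_adversary_a": 0.3, "network_adversary_b": 0.1}

# Candidate exit-selection distributions over the 4 relays (constructed).
CANDIDATES = {
    "uniform":      [0.25, 0.25, 0.25, 0.25],
    "avoid_relay0": [0.0, 0.4, 0.3, 0.3],
    "favor_relay3": [0.1, 0.1, 0.1, 0.7],
}

def hardness(dist, adversary):
    """Assumed definition: 1 - P(adversary observes the chosen exit)."""
    return 1.0 - sum(p * o for p, o in zip(dist, OBSERVES[adversary]))

def expected_hardness(dist):
    """Hardness averaged over adversaries, weighted by the prior."""
    return sum(PRIOR[a] * hardness(dist, a) for a in PRIOR)

def min_hardness(dist):
    """Hardness against the adversary this distribution is weakest against."""
    return min(hardness(dist, a) for a in OBSERVES)

def best(criterion):
    """Name of the candidate distribution that maximises the given criterion."""
    return max(CANDIDATES, key=lambda name: criterion(CANDIDATES[name]))

def shannon_entropy(dist):
    """Average-case uncertainty (bits) about which exit is chosen."""
    return -sum(p * math.log2(p) for p in dist if p > 0)

def min_entropy(dist):
    """Worst-case uncertainty (bits): driven only by the most likely exit."""
    return -math.log2(max(dist))

if __name__ == "__main__":
    for name, dist in CANDIDATES.items():
        print(f"{name:13s} expected={expected_hardness(dist):.4f} "
              f"min={min_hardness(dist):.4f} "
              f"H={shannon_entropy(dist):.3f} Hmin={min_entropy(dist):.3f}")
    print("expected-value choice:", best(expected_hardness))
    print("maximin choice:       ", best(min_hardness))
```

With this constructed data the two rules disagree: the prior-weighted rule selects a skewed distribution that is weak against the low-prior adversary, while the maximin rule selects the uniform one.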