It seems to me that we want to defend against (at least) two different attacks here:
Sybil attack:
...
Coercion attack:
Yes, I also am currently thinking about the problem in this way.
Unfortunately, it doesn't really make sense to add two '5-day guards' in a circuit, since a Sybil adversary has equal chances to pop at the guard nearest to the HS.
Yup.
- While more hops are useless for Sybil attacks, they actually help against coercion attacks. Unfortunately, they only add 5 days per extra hop to the time to deanonymization.
And yes again. In this model, an ultra-mega-secret HS should use a long chain of guards. Of course, at some point, it is easier to do a congestion attack to identify the first guard being used by the HS. That is still a win, though, in that such an attack takes more technical skill and effort.
- It seems that coercion attacks are noisy. At least in this case, relays got seized (why?) and people got notified that something was going on. It would be nice if we could make coercion attacks even more noisy, so that adversaries can't do them without tipping off the whole network.
I’m not optimistic about this. Surveillance is no good if the target is aware of it, and so it can be expected to be difficult to detect.
- The more I think about this problem, the more I realize that our solutions are quite hacky. Maybe guards are not the right layer to fix this problem, and we should try to fix the guard discovery problem in circuit establishment as Mike has been suggesting? Unfortunately, the virtual circuits idea seems hard to analyze and do securely.
What do you mean by "the guard discovery problem in circuit establishment"? Do you mean using some level of traffic padding to make it difficult to determine when your relay is directly observing an HS guard? This seems straightforward to do just by making every relay see the same type and number of cells in every non-terminal position in the circuit during circuit creation (some will have no effect, detectable only by the last relay). I do worry about how the cell RTTs could still leak your relative circuit position. Ignoring that, maybe you can make it so that the adversary either (i) has to start surveillance on an observed hop and hope that it is a relatively static guard close to the HS or (ii) has to wait until some relay is observed *multiple* times from the malicious relays to be sure that it is in some layer of guards for the targeted HS.
Cheers, Aaron