[tor-bugs] #9273 [Tor]: Brainstorm tradeoffs from moving to 2 (or even 1) guards

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jul 16 21:54:57 UTC 2013 

#9273: Brainstorm tradeoffs from moving to 2 (or even 1) guards
----------------------------------------+-----------------------------------
 Reporter:  arma                        |          Owner:                    
     Type:  project                     |         Status:  new               
 Priority:  major                       |      Milestone:  Tor: 0.2.5.x-final
Component:  Tor                         |        Version:                    
 Keywords:  tor-client design analysis  |         Parent:                    
   Points:                              |   Actualpoints:                    
----------------------------------------+-----------------------------------
Changes (by mikeperry):

 * cc: mikeperry (added)


Comment:

 FTR: I am in favor of both Conflux and reduced guards. Also note that
 Conflux will naturally compensate for the performance downsides of reduced
 guards. 2 seems a good choice for this reason.

 I also did some back-of-the-envelope math for guard fingerprinting when we
 were discussing directory guards being separate or shared in
 https://trac.torproject.org/projects/tor/ticket/6526#comment:8. Basically,
 if we have 9 bits of guard entropy, that is equivalent to 512 uniform
 guard choices, and then you can use combinatorics from there. For two
 guards, https://www.wolframalpha.com/input/?i=512+choose+2 = 130,816
 combinations, or about 17 bits of identifying entropy, versus 3 guards at
 512 choose 3 = 22 million/25 bits. You could also compute the Shannon
 entropy directly the long way, but I think it should be the same.

 Of course, my mental model of Paul Syverson just said "But that entropy
 metric doesn't reflect the fact that users will be more likely to have
 popular fast guards than unpopular slow guards, and this becomes even more
 pronounced with two guards rather than three. Tracking users with popular
 fast guards is harder than tracking users who get unlucky and pick one or
 more unpopular slow guards because the anonymity sets are larger for the
 fast guard users."

 Usually when Paul gets inside my head like this, I just start thinking
 about something that would jeopardize his security clearance and he goes
 away. But in this case, I think he's right. It would be an even larger
 improvement than pure entropy metrics indicate.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9273#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list