[tor-bugs] #9273 [Tor]: Brainstorm tradeoffs from moving to 2 (or even 1) guards

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 17 13:42:50 UTC 2013

#9273: Brainstorm tradeoffs from moving to 2 (or even 1) guards
 Reporter:  arma                                       |          Owner:                    
     Type:  project                                    |         Status:  new               
 Priority:  major                                      |      Milestone:  Tor: 0.2.5.x-final
Component:  Tor                                        |        Version:                    
 Keywords:  tor-client design analysis needs-proposal  |         Parent:                    
   Points:                                             |   Actualpoints:                    
Changes (by nickm):

  * keywords:  tor-client design analysis => tor-client design analysis


 I think that when Paul and Mike and Roger all agree, it's probably a good
 idea to move this way in 0.2.5.

 This needs a proposal.

 So, here are some tradeoffs to consider:
   * We need to make sure that the probability of choosing any given guard
 has a lower bound.  If there are some guards that people pick with very
 small probability, that guard's users are going to stand out!
   * In practice, no guard's uptime is going to be 100%.  So in reality,
 even in a 1-guard scenario people will have a primary guard, and a
 fallback guard that they use whenever that guard's down, and a fallback
 fallback guard, and so on.  This means that fingerprinting based on
 complex guard sets will still be possible in the long term.
   * One idea we floated a while ago was deterministic guard grouping.
 Under this idea, you could ''still'' have k guards out of N possible guard
 nodes, but instead of there being N-choose-k possible groups of three to
 choose, there would only be N/k possible choices.
      * The guards would be put into groups by the authorities as part of
 the voting algorithm.  These groups would probably want to be persistent
      * The advantages of this approach are:
         * You'd still get the reliability boost of multiple guards.
         * You'd avoid the "Fallback guard" problem noted above.
         * The fingerprinting opportunity would be limited, even more so
 than in the case where every user picks a node at random.
      * Intuitively, you might think that an attacker would want to
 manipulate the group-assignment process to get there to be groups full of
 completely attacker-controlled nodes.  But I think that the rational
 behavior for the attacker would be to try to spread their nodes out among
 as many groups as possible.
         * It seems hard to prevent an attacker from manipulating a group
 assignment process, especially if groups are persistent over time and the
 attacker can take down old nodes and bring them back up with new
         * So we should probably try to design a solid group assignment
 process, but we probably want to do our analysis here under the assumption
 that the attacker can manipulate the node selection process, and limit our
 worst-case scenario there.
      * On superficial analysis, I still like this "guard group" idea.
    * Probably we will need equations to analyze specific proposals here.

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9273#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list