[tor-bugs] #22422 [Core Tor/Tor]: Add noise to PaddingStatistics

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Jun 6 01:16:58 UTC 2017


#22422: Add noise to PaddingStatistics
--------------------------+------------------------------------
 Reporter:  teor          |          Owner:
     Type:  defect        |         Status:  new
 Priority:  High          |      Milestone:  Tor: 0.3.1.x-final
Component:  Core Tor/Tor  |        Version:  Tor: 0.3.1.1-alpha
 Severity:  Normal        |     Resolution:
 Keywords:                |  Actual Points:
Parent ID:                |         Points:  0.5
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by teor):

 Replying to [comment:2 mikeperry]:
 > Karsten and I discussed this about a year ago, and came to the
 > conclusion that rounding to 10k cells was sufficient, especially since
 > these counts are accumulated over a full 24 hour period. Relays are
 > already reporting higher resolution for BW read and write history, and
 > relays that opt in have higher resolution for cell statistics too.

 Then we should (eventually) fix these higher resolution statistics by
 adding noise to them too.

 > Is there a specific thing we're worried about with the current numbers?

 We are not adding noise, so we are relying on the other user activity
 being variable enough to hide an individual user's activity. There's no
 guarantee that will happen.

 Here's one possible attack:

 1. I want to detect the padding being used by a particular client, to see
 if it is connecting to a particular guard. I know the likely padding
 amount for this client.

 2. I have some high-resolution non-noisy data figures available (for
 example, BW read and write history). I use these to estimate the final
 padding totals.

 3. I manipulate the final padding totals for the guard to be just below a
 rounding threshold.

 4. If the client connects, the guard reports a figure above the threshold.
 If the client does not, the guard reports a figure below the threshold.

 5. I repeat steps 2-4 until I know with enough certainty whether the
 client is connecting. (This takes time that depends on the variability in
 the system.)

 If I want to enhance this attack, I can use multiple statistics, or reduce
 the amount of variability in the system.

 > Can we quantify the additional privacy we'd get from noise vs just
 > making the rounding larger? Should we do one, or the other, or both?

 Rounding does not guarantee you any privacy. The larger the rounding
 amount, and the more variability in the system, the less likely any
 particular total will expose a user's activity, but there is always a
 chance that it will.

 (But rounding is really good for grouping similar noisy figures, and
 helping people understand the precision of the data. That's why we should
 do it.)

 You get guaranteed privacy from noise. The larger the noise, the larger
 the amount of user activity that is guaranteed to be hidden over a larger
 amount of time. You don't have to round to get this guarantee: adding
 noise is enough. You also don't have to rely on any other activity in the
 system to get this guarantee.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22422#comment:3>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
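
The contrast drawn above between rounding and noise, as an added example (not part of the ticket or of Tor's code): it computes how distinguishable a relay's published total is with and without one client's cells, for rounding alone and for Laplace noise followed by rounding. The Laplace distribution, the round-up direction, the noise scale and all cell counts are assumptions chosen for illustration.

```python
import math
import random

BIN = 10_000  # rounding granularity from the ticket (10k cells)

def round_up(total, bin_size=BIN):
    """Round up to a multiple of bin_size (rounding direction is assumed)."""
    return bin_size * math.ceil(total / bin_size)

def noisy_report(total, scale, rng):
    """Value a relay would publish: true total + Laplace noise, then rounded."""
    # The difference of two exponentials with mean `scale` is Laplace(0, scale).
    noise = rng.expovariate(1 / scale) - rng.expovariate(1 / scale) if scale else 0.0
    return round_up(total + noise)

def laplace_cdf(x, scale):
    """CDF of zero-mean Laplace noise; scale 0 means no noise (step at 0)."""
    if scale == 0:
        return 1.0 if x >= 0 else 0.0
    return 0.5 * math.exp(x / scale) if x < 0 else 1 - 0.5 * math.exp(-x / scale)

def report_distribution(total, scale, span=40):
    """Exact probability of each published value for a given true total."""
    centre = math.ceil(total / BIN)
    dist = {}
    for k in range(centre - span, centre + span + 1):
        # report == k*BIN  <=>  (k-1)*BIN < total + noise <= k*BIN
        p = laplace_cdf(k * BIN - total, scale) - laplace_cdf((k - 1) * BIN - total, scale)
        if p > 0:
            dist[k * BIN] = p
    return dist

def distinguishability(base_total, client_cells, scale):
    """Total variation distance between the report distributions with and
    without the client: 0 = reports reveal nothing, 1 = one report suffices."""
    absent = report_distribution(base_total, scale)
    present = report_distribution(base_total + client_cells, scale)
    values = set(absent) | set(present)
    return 0.5 * sum(abs(absent.get(v, 0) - present.get(v, 0)) for v in values)

if __name__ == "__main__":
    # Constructed figures: a 500-cell client contribution, two background totals.
    for base in (1_995_000, 1_999_800):
        for scale in (0, 5_000):
            print(base, scale, round(distinguishability(base, 500, scale), 4))
    print(noisy_report(1_999_800, 5_000, random.Random(1)))
```

With rounding alone the distance is either 0 or 1 depending on where the background total sits relative to a bin edge; with Laplace noise of scale b it is at most 1 - exp(-d/(2b)) for a contribution of d cells, whatever the background total is.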

