[tor-dev] New Paper: Cloud-based Onion Routing

Fri Jul 15 20:40:27 UTC 2011

On Fri, Jul 15, 2011 at 3:16 PM, Nick Jones <najones at cs.princeton.edu>wrote:

>
>
> On Wednesday, July 13, 2011 at 8:02 PM, Brandon Wiley wrote:
>
> >
> > Cool stuff. I like how the system can be automated and self-funding.
> >
> > With regards to bootstrapping, giving out one node at a time is not a
> useful defense because requests can be parallelized. [1] Moving nodes is
> similarly useless because the attacker can continually map the network using
> free parallelized requests. Therefore, requesting a node address needs to
> cost something. [2] Since you already have tokens, you can just make it cost
> a token to request a node address.
>
> I agree with most of your points, but if we make users redeem a token to in
> order to access bootstrapping, they have to already have tokens, which is
> another bootstrapping problem in itself. Also, a determined adversary could
> just purchase enough tokens to perform the same attacks. Admittedly, we
> might make a lot of money from the censors in the process, which would be
> cool.
>

You have hit upon the two main challenges of censorship-resistant
bootstrapping. Most solutions add a layer which is itself vulnerable to the
same attacks and is therefore not helpful. Through recursive analysis you
eventually come to the initial introduction problem, which you must solve
anyway because the users must obtain the software in the first place. You
therefore need an out-of-band (from the perspective of the censor)
introduction channel. As long as you have such a channel, you might as well
use it to do the rest of the communication necessary for bootstrapping. See
for example my Dust <http://blanu.net/Dust.pdf> paper on using out-of-band
channels to establish secure communication over censored channels.

The second challenge is that, given a method of introduction, the attacker
can map and block the entire network easily. Therefore introductions must
have a non-parallelizable cost. However, if your attacker has enough
resources to pay the cost then you're out of luck. So there is an ongoing
search for a resource which is sufficiently plentiful for normal users to
spend for the purpose of normal introduction, but which is difficult to
obtain in large amounts. Alternatives to money have been suggested such as
computing power, human labor or attention, storage space, etc.. Ultimately,
though, all resources are convertible to and from money. I know of no ideal
solutions to this problem, but the best I've seen limit the damage the
attacker can do by requiring continual expenditure of resources in order to
maintain an ongoing attack.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20110715/bd2d8fc5/attachment.htm>