[tor-dev] Proposal draft: Better hidden service stats from Tor relays

Karsten Loesing karsten at torproject.org
Thu Dec 11 14:45:58 UTC 2014

On 11/12/14 14:31, A. Johnson wrote:
>> Can you be more explicit with regard to privacy guarantees of the
>> obfuscation schema that is currently implemented: 1) binning,
>> 2) add Laplace noise, 3) no second binning.
> I’ll discuss this in terms of attacks on the stats of the number
> of HS descriptors.
> Binning: Suppose an adversary knows that the number of HS
> descriptors stays constant over a week. He knows when all
> descriptors are being published except for one. By binning he won’t
> know when that one is published unless the number of other
> descriptors exactly fills a bin.
> Laplace noise: To provide cover in the case that all other 
> descriptors exactly fill a bin, we add some noise so that
> sometimes an adjacent bin is reported instead, or (less likely) a
> bin two distant, etc. Then the adversary can’t immediately know
> whether an unknown descriptor is indeed published in any given
> period. However, he can eventually figure this out by making enough
> observations and looking at the resulting empirical distribution.
> But it’s better than not protecting it at all.

Sounds good.  George, maybe these explanations should go into the
proposal, too.

>> If you think 3) should be changed, can you explain why that
>> leads to better privacy guarantees?
> I don’t think that 3 should be changed, but if you removed it, it 
> wouldn't affect the privacy argument.
>> I can see how the Laplace distribution doesn't add much noise to 
>> the second case.  And your suggestion is to change the second 
>> delta_f to 8?
> Yes.

Great.  Changed the second delta_f to 8 in the code, and I think
George will change it in the proposal.
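
The obfuscation discussed in this thread (round up to a bin, add Laplace noise, no second binning), as an added example that is not part of the original message or of Tor's code. delta_f = 8 is taken from the thread; the bin width of 8, epsilon = 0.3, and all function names are assumptions. It shows that a single report hides whether one extra descriptor crossed a bin boundary, while the average over many periods does not.

```python
import math
import random

BIN_SIZE = 8   # assumed bin width; not stated in this thread
EPSILON = 0.3  # assumed privacy parameter; not stated in this thread
DELTA_F = 8    # sensitivity; the value the thread settles on


def bin_round_up(count, bin_size=BIN_SIZE):
    """Step 1: round the true count up to the next multiple of bin_size."""
    return math.ceil(count / bin_size) * bin_size


def laplace_noise(rng, delta_f=DELTA_F, epsilon=EPSILON):
    """Step 2: draw Laplace(0, b) noise with scale b = delta_f / epsilon.

    The difference of two independent exponentials with mean b is Laplace(0, b).
    """
    b = delta_f / epsilon
    return rng.expovariate(1 / b) - rng.expovariate(1 / b)


def report(count, rng):
    """Bin, add noise, and publish without a second binning (step 3)."""
    return bin_round_up(count) + laplace_noise(rng)


def mean_report(count, periods, rng):
    """Average of the published values over periods with a constant count."""
    return sum(report(count, rng) for _ in range(periods)) / periods


def standard_error(periods, delta_f=DELTA_F, epsilon=EPSILON):
    """Std deviation of that average; a Laplace(0, b) has std b * sqrt(2)."""
    return (delta_f / epsilon) * math.sqrt(2) / math.sqrt(periods)


if __name__ == "__main__":
    rng = random.Random(2014)  # fixed seed so the run is repeatable
    # Constructed case: 16 known descriptors exactly fill two bins, so one
    # extra unknown descriptor moves the binned value from 16 to 24.
    for periods in (1, 10, 100, 5000):
        without = mean_report(16, periods, rng)
        with_one = mean_report(17, periods, rng)
        print(f"{periods:>5} periods: mean {without:7.1f} vs {with_one:7.1f} "
              f"(std error {standard_error(periods):.1f})")
```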


