[tor-dev] Proposal draft: Better hidden service stats from Tor relays
karsten at torproject.org
Thu Dec 11 14:45:58 UTC 2014
On 11/12/14 14:31, A. Johnson wrote:
>> Can you be more explicit with regard to privacy guarantees of the
>> obfuscation schema that is currently implemented: 1) binning,
>> 2) add Laplace noise, 3) no second binning.
>
> I’ll discuss this in terms of attacks on the stats of the number
> of HS descriptors.
>
> Binning: Suppose an adversary knows that the number of HS
> descriptors stays constant over a week. He knows when all
> descriptors are being published except for one. By binning he won’t
> know when that one is published unless the number of other
> descriptors exactly fills a bin.
>
> Laplace noise: To provide cover in the case that all other
> descriptors exactly fill a bin, we add some noise so that
> sometimes an adjacent bin is reported instead, or (less likely) a
> bin two distant, etc. Then the adversary can’t immediately know
> whether an unknown descriptor is indeed published in any given
> period. However, he can eventually figure this out by making enough
> observations and looking at the resulting empirical distribution.
> But it’s better than not protecting it at all.

Sounds good. George, maybe these explanations should go into the

>> If you think 3) should be changed, can you explain why that
>> leads to better privacy guarantees?
>
> I don’t think that 3 should be changed, but if you removed it, it
> wouldn't affect the privacy argument.

>> I can see how the Laplace distribution doesn't add much noise to
>> the second case. And your suggestion is to change the second
>> delta_f to 8?

Great. Changed the second delta_f to 8 in the code, and I think
George will change it in the proposal.

All the best,
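The binning and Laplace steps discussed in this thread, as an added example that is not part of the original message or of Tor's code: it shows how much cover a single noisy report gives when the other descriptors exactly fill a bin, and how that cover erodes once reports for a constant count are averaged. Rounding up to the bin edge, the bin size of 8 and epsilon of 0.3 are assumptions made for the example; delta_f = 8 is the value from the message, assumed here to apply to the descriptor count.

```python
import math
import random

BIN_SIZE = 8     # assumed bin size, not stated in the message
DELTA_F = 8      # sensitivity; the value the message settles on
EPSILON = 0.3    # assumed privacy parameter, not stated in the message

def bin_up(count, bin_size=BIN_SIZE):
    """Step 1: round the true count up to the next multiple of bin_size
    (rounding up is an assumption; the message only says 'binning')."""
    return math.ceil(count / bin_size) * bin_size

def laplace(rng, scale):
    """Laplace(0, scale) sample: difference of two i.i.d. exponentials."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def report(count, rng):
    """Steps 1-3: bin, add Laplace noise of scale delta_f/epsilon,
    and publish the noisy value without binning it a second time."""
    return bin_up(count) + laplace(rng, DELTA_F / EPSILON)

def mean_report(count, periods, seed):
    """Average of `periods` independent reports for a constant true count."""
    rng = random.Random(seed)
    return sum(report(count, rng) for _ in range(periods)) / periods

if __name__ == "__main__":
    # Constructed counts. Others do not fill a bin: 13 and 14 descriptors
    # land in the same bin, so binning alone hides the extra descriptor.
    print("13 ->", bin_up(13), " 14 ->", bin_up(14))
    # Others exactly fill a bin: 16 and 17 descriptors differ by one bin,
    # and only the Laplace noise separates the two cases.
    print("16 ->", bin_up(16), " 17 ->", bin_up(17))
    for periods in (1, 10, 100, 10000):
        without = mean_report(16, periods, seed=1)
        with_one = mean_report(17, periods, seed=2)
        print(f"{periods:>6} periods: mean without={without:8.2f}"
              f"  with={with_one:8.2f}")
```

With these assumed parameters the noise scale is about 27, several times the bin width, so the means only settle near the two bin edges after many periods; a larger epsilon or a longer run of constant counts shortens that.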