[tor-dev] high latency hidden services

Michael Rogers michael at briarproject.org
Mon Jan 19 23:08:14 UTC 2015


On 08/01/15 06:03, grarpamp wrote:
>> If that's what you're suggesting, then what happens if a client
>> wants to extend a circuit from relay A to relay B, but A and B
>> aren't exchanging chaff with each other?
> 
> This doesn't happen. You have a lower layer of nodes doing fill 
> guided by knowledge of who their own guards are (in this model 
> relays must have notions of their own guards / first hops).
> Circuits are then strung unaffected and unaware over that as usual.
> Relays know the difference between their own action doing p2p for
> fill, and non fill (circuit) data trying to leave them... so they
> can make room in their existing first hop links, or negotiate new
> ones with where that data is trying to go.

Thanks for the explanation.

If relays A and B negotiate a new link between them when a client
wants to extend a circuit from A to B, then A and B must each subtract
some bandwidth from their existing links to allocate to the new link
(since they're already using their full bandwidth allowance, by design).

I suspect the details of how that reallocation is done will be
important for anonymity. If bandwidth is subtracted from existing
links without taking into account how much wheat the existing links
are carrying, then any circuits using those links will feel the
squeeze - the adversary will be able to tell when a relay's opening a
new link by building a circuit through the relay, filling the circuit
with wheat, and waiting for its throughput to get squeezed.

On the other hand, if bandwidth is subtracted from existing links in
such a way that existing wheat is never affected - in other words, if
you only reallocate the spare bandwidth - then it's possible for an
adversary observing a relay to find out how much wheat each link is
carrying by asking the relay to negotiate new links until it says no
because it can't reallocate any more spare bandwidth, at which point
any links that weren't requested by the adversary are now carrying
nothing but wheat.

> If anyone knows of networks (whether active, defunct or
> discredited) that have used link filling, I'd like a reference.
> Someone out there has to have at least coded one for fun.

PipeNet was a proposal for an onion-routing-like network with
constant-rate traffic:
http://cypherpunks.venona.com/date/1998/01/msg00878.html

Tarzan was an onion-routing-like network in which each relay exchanged
constant-rate traffic with a fixed set of other relays called its
mimics, and circuits could only be constructed over links between mimics:
http://pdos.csail.mit.edu/tarzan/docs/tarzan-ccs02.pdf
http://pdos.csail.mit.edu/tarzan/docs/tarzan-thesis.pdf

George Danezis looked at the anonymity properties of paths chosen from
a restricted graph rather than a complete graph (this was in the
context of mix networks, but the findings may also be relevant to
onion routing):
http://www.freehaven.net/anonbib/cache/danezis:pet2003.pdf

Cheers,
Michael
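A toy model of the two reallocation policies discussed in the message above, added here as an illustration and not part of the original post or of any Tor code. The link names, rates, equal-share and first-fit rules, and the assumption that a requester fills its new link with wheat are all constructed for the example.

```python
# Added illustration: model, names and numbers are assumptions, not from the thread.
from dataclasses import dataclass

@dataclass
class Link:
    alloc: int  # constant rate on this link (wheat + chaff), cells/s
    wheat: int  # circuit traffic offered on this link, cells/s

    @property
    def delivered(self):
        return min(self.wheat, self.alloc)  # wheat that fits; the rest is chaff

def open_link_wheat_blind(links, name, size):
    """Take equal shares from every link, ignoring wheat.
    Returns the wheat throughput each existing link loses (the squeeze)."""
    share = size // len(links)
    before = {n: link.delivered for n, link in links.items()}
    for link in links.values():
        link.alloc -= share
    links[name] = Link(share * len(before), 0)
    return {n: before[n] - links[n].delivered for n in before}

def open_link_spare_only(links, name, size):
    """Take bandwidth from chaff only; refuse when too little chaff is left."""
    spare = {n: link.alloc - link.wheat for n, link in links.items()}
    if sum(spare.values()) < size:
        return False
    need = size
    for n, link in links.items():
        take = min(spare[n], need)
        link.alloc -= take
        need -= take
    # Assumption: the requester fills its new link, so it offers no spare.
    links[name] = Link(size, size)
    return True

def sample_relay():
    # Constructed relay: 300 cells/s split over three links.
    return {"L1": Link(100, 90), "L2": Link(100, 40), "L3": Link(100, 0)}

def probe_until_refused(links, size=10):
    """Request links until refusal; return the count and the original links' rates."""
    originals = list(links)
    accepted = 0
    while open_link_spare_only(links, f"probe{accepted}", size):
        accepted += 1
    return accepted, {n: links[n].alloc for n in originals}

if __name__ == "__main__":
    print(open_link_wheat_blind(sample_relay(), "new", 60), probe_until_refused(sample_relay()))
```

In the wheat-blind case only the busy link loses throughput, which is the squeeze a circuit on it would feel. In the spare-only case the rates left on the original links after the refusal equal their wheat exactly.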

