[tor-dev] Proposal xyz : Count Unique IP addresses in an anonymous way

Tue Mar 21 10:36:59 UTC 2017

Hi Andreas,

On Saturday 18 March 2017 10:06 AM, Andreas Krey wrote:
> As an adversary, I wouldn't take down the bridge but either monitor
> the traffic to it ($country can also do this on its border gateways),
> or modify it to tell me the connecting IP addresses.

Absolutely correct. In fact I mentioned this toward the end of the proposal.

>> Or even better, why would the adversary need that random value
>> when she can simply log all network connections coming into the
>> (compromised) system?

But I think that our users don't expect us to profile them. So, I
believe it is bad practice to keep a list of something as important as
IP addresses for any anonymity system.

But there's a thing to be happy about. If we replace the list of IP
addresses with something better, we might be able to prevent adversary
from getting the knowledge of IP addresses that connected in the past.
Suppose an adversary(lets say the government) suspects someone used a
bridge to connect to Tor Network. They would only be able to know that
for sure if they log that activity there and then. Means, they would not
be able to de-anonymize users retrospectively. Of course, if the user
again connects from the same IP and the adversary is monitoring the
relay/bridge, that might cause problem.

> End users tend to be on dynamic IP address, so stored IP addresses
> aren't of much worth when you don't know when they were used; that
> is a reason why $adversary might be more interested in snooping
> than in compromising the bridge.
> 
> (Although I don't know how prevalent changing IP addresses still
> are when you're online permanently. E.g. here in germany telekom
> changes to all-ip, and there no longer disconnects after 24h, and
> thus you don't change IPs every day.)
> 
> ...
>> present in the set. The feature of this bitmap is that collisions could
>> happen. And this collision creates deniability. When collisions happen,
> 
> The problem is that for the accounting purposes you don't want (too
> many) collisions, and also that state agencies don't necessarily
> care for plausible deniability - if an IP address is found by
> enumeration and probing the bloom filter they might still decide
> to put that user on closer watch. (I've heard that a lot of the
> traditional telephone tapping isn't used as evidence in court
> but produces leads to where to investigate next.)
> 
> On the other hand side you can indeed keep the filter rather small
> because one bridge doesn't get that many collisions, and you don't
> need to make it anywhere as big as to avoid collision with 2^32 entries.
> Could also be dynamically sized depending on the number of clients seen
> - you need aging anyway, so the next table can have a different size.
> 
I feel that this isn't a nice solution. Suppose you have 10 cells and 3
hash functions at the beginning. Later when inputs exceed a threshold,
you increase the size of bloom filter to make it to 20 cells. Now those
3 hash functions would map to the whole range which means the inputs
that were mapped to 10 cells would now map to something completely
different. Hence, error rate would be, I guess exactly 100%.

> You can also go and poison the bloom filter with some random addresses,
> even a lot, actually. If we're talking of 2000 users you can easily
> throw in another 2000 random addresses without decreasing the
> precision of the statistics much - only on a size comparable to
> collisions in the bloom filter itself.
> 
> - Andreas
> 

Regards,
Jaskaran

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170321/d4e5d471/attachment-0001.sig>