[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[minion-cvs] a new subsec on batching strategy

To: mixminion-cvs@freehaven.net
Subject: [minion-cvs] a new subsec on batching strategy
From: arma@seul.org (Roger Dingledine)
Date: Sat, 2 Nov 2002 21:15:50 -0500 (EST)
Delivered-To: archiver@seul.org
Delivered-To: mixminion-cvs-outgoing@seul.org
Delivered-To: mixminion-cvs@seul.org
Delivery-Date: Sat, 02 Nov 2002 21:15:50 -0500
Reply-To: mixminion-cvs@freehaven.net
Sender: owner-mixminion-cvs@freehaven.net

Update of /home/minion/cvsroot/doc
In directory moria.seul.org:/home/arma/work/minion/doc

Modified Files:
	minion-design.tex 
Log Message:
a new subsec on batching strategy
in progress (but please go fix it)


Index: minion-design.tex
===================================================================
RCS file: /home/minion/cvsroot/doc/minion-design.tex,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -d -r1.63 -r1.64
--- minion-design.tex	3 Nov 2002 00:26:46 -0000	1.63
+++ minion-design.tex	3 Nov 2002 02:15:47 -0000	1.64
@@ -1255,20 +1255,75 @@
 \section{Maintaining anonymity sets}
 \label{sec:maintaining-anonymity}
 
-\subsection{Transmitting large files with Mixminion}
+\subsection{Batching Strategy}
+\label{subsec:batching}
 
-We would like to use Mixminion as a transport layer for higher-level
-applications such as anonymous publication systems
-\cite{freehaven-berk}, but much research remains before we can
-provide security for users transferring large files over Mixminion.
+Low-latency systems like Onion Routing aim to provide anonymity against an
+adversary who is not watching both Alice and Bob \cite{onion-routing}. If
+the adversary watches both, he can for instance count packets and observe
+packet timing to become confident that they are communicating. Because
+Mixminion aims to defeat even a global passive adversary, we must address
+this end-to-end timing vulnerability.
 
-Alice wants to send a large file to Bob; thus she must send many Mixminion
-messages. Conventional wisdom suggests that she should pick a different
+Further, because we have allowed our adversary to send and delay messages,
+he can manipulate the batch of messages entering a mix so the only message
+unknown to him in the batch is the target message. This approach is
+known as the \emph{blending attack} because the adversary blends his
+own messages with the batch \cite{batching-taxonomy}. By repeatedly
+attacking each mix in the path, the adversary will link Alice and Bob.
+
+Mixminion nodes use the \emph{timed dynamic-pool} batching strategy as
+outlined in \cite{batching-taxonomy}, and as adapted from Mixmaster. A
+mix fires every... [insert Cottrell mix description here. Perhaps put
+the algorithm itself from the spec into a side box, or an appendix?]
+
+Timed dynamic-pool mixes offer several benefits. Firstly, they increase
+the cost of the blending attack: because the number of messages coming
+out at each flush is always a fraction of the number waiting, it is
+impossible to arrange to completely flush the mix with high probability
+in one flush. Thus an adversary is forced to spend multiple intervals
+(and thus delay other messages for considerable time) both in flushing
+the original honest messages from the mix, and again in flushing the
+target message from the mix. This delay will be noticed by the other
+mixes, because [nick? clarify here] they talk to each other over tcp so
+they know when something's up.
+
+This batching strategy also increases the cost of intersection attacks by
+providing large anonymity sets for each message in the network. Because
+a message could plausibly have been held in a pool for several rounds
+at each mix, the set of possible senders when Bob receives the target
+message is large.
+
+\subsection{Dummy policy}
+
+...will write this soon
+\cite{langos02}.
+
+We could gain stronger protection by letting mixes address dummies
+to actual users. But each mix must know all the users in the system:
+if a mix only delivers dummies to a subset of the users, an adversary
+can distinguish with better than even probability between a dummy and
+a legitimate message.
+
+
+\subsection{Transmitting many messages}
+
+When Alice (the owner of a pseudonym) is downloading her mail from a
+nymserver, she will likely receive many separate messages.
+%
+%We would like to use Mixminion as a transport layer for higher-level
+%applications such as anonymous publication systems
+%\cite{freehaven-berk}, but much research remains before we can
+%provide security for users transferring large files over Mixminion.
+%
+%Alice wants to send a large file to Bob; thus she must send many Mixminion
+%messages.
+Conventional wisdom suggests that she should pick a different
 % can I get a \cite here? -RRD
 path for every message, but an adversary that owns all the nodes in
 \emph{any} of the paths could learn her identity --- without any work
-at all. (Even an adversary owning a very small fraction of the network
-can perform this attack, since the Mixminion message size is small.)
+at all. Even an adversary owning a small fraction of the network
+can perform this attack, since each Mixminion payload is so small.
 
 % Assuming Alice picks five nodes at random for
 %each path, at 28k of data per packet (assuming no redundancy or overhead)
@@ -1277,21 +1332,21 @@
 %time she sends message 92 (meaning her file is roughly 2.5 megabytes),
 %Alice has a less than 1\% chance of keeping her anonymity.
 
-Alice seems more likely to maintain her unlinkability by sending all the
+Alice thus seems most likely to maintain her unlinkability by sending all the
 messages over the same path. On the other hand, a passive adversary can
-still watch the flood of messages traverse that path. We must hope the
-honest nodes will hide message streams enough to
-foil these attacks. The multiple-message tagging attacks described in
-Section \ref{subsec:multi-tagging} make the situation even more dangerous.
+watch the flood of messages traverse that path.
 
-A compromise approach is to pick a small number of paths and use them
-together. Still, if the messages are sent all at once, it seems clear
-we're going to need some really good cover traffic schemes before we
-can offer security. The same problem, of maintaining anonymity when
-sending many messages, comes up when the owner of a pseudonym
-is downloading his mail from a nymserver.
+% We must make sure the
+%honest nodes will hide message streams enough to
+%foil these attacks.% The multiple-message tagging attacks described in
+%Section \ref{subsec:multi-tagging} make the situation even more dangerous.
 
-\subsection{Batching Strategy and Network Structure}
+%A compromise approach is to pick a small number of paths and use them
+%together. Still, if the messages are sent all at once, it seems clear
+%we're going to need some really good cover traffic schemes before we
+%can offer security.
+
+\subsection{Batching Strategy and Dummy Policy}
 \label{subsec:batching}
 
 %[This subsection is draft/experimental/controversial. Don't pay much
@@ -1459,7 +1514,7 @@
 
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 
-\section{Future Directions}
+\section{Future Directions and Open Problems}
 \label{sec:conclusion}
 
 This design document represents the first step in peer review of the

Prev by Date: [minion-cvs] s/MIX/mix/
Next by Date: [minion-cvs] mixminion now does dummies.
Prev by thread: [minion-cvs] s/MIX/mix/
Next by thread: [minion-cvs] mixminion now does dummies.
Index(es):
- Date
- Thread