Re: daystamp attacks

[Nick Mathewson <nickm@alum.mit.edu>]

On Tue, 2002-04-02 at 14:11, Roger Dingledine wrote:
> I imagine there are also
> intentional-delaying attacks that will make certain messages expire,
> not expire, etc, all leaking information.

To elaborate:  Suppose Alice sends a message on Tuesday, at 1pm, along a
4-hop cascade.  Mallory controls nodes 1 and 4.  Alice dates her message
"Tuesday", but it will still be valid on Wednesday.  Mallory holds
Alice's message at node 1 until 9pm on Wednesday, when any remaining
Tuesday traffic will have dwindled to a trickle (since it have been in
the network for over 21 hours!).  Mallory then relays Alice's message,
and waits for a 'Tuesday' message to show up at node 4.  Goodbye
anonymity!

The problem above is that a message can be 'very rare' and 'valid' at
the same time. One solution might be to divide time into a series of
overlapping blocks; for example, noon-noon and midnight-midnight.  If
you're not near the end of either of the current blocks, you pick one at
random.  Otherwise, you pick the one you're in the middle of.  I _think_
this beats Roger's attack, but I'm not sure; it would depend on the
mixing delays.

>And reply blocks need to have these daystamps too. If we assume that
>messages are fully delivered within 24 hours, and we allow the one day
>buffer on the daystamp, is it sufficient to just bundle which day it's
>valid for along with the reply block?

Hnn.  I think this is required; A SURB can only be valid within one time
window.

-- 
Nick