Re: Keeping anonymity when sending/receiving large messages

[Nick Mathewson <nickm@alum.mit.edu>]

On Mon, 2002-04-08 at 01:21, Roger Dingledine wrote:
 [A really interesting message on generating reply blocks for large
messages.]
 [...]
> By using the same path for all 20 reply blocks, Johnny is more likely
> to maintain his unlinkability. On the other hand, an adversary able
> to watch quite a bit of the mix-net can still use flooding and timing
> attacks to watch the pile of reply messages traverse that path; we must
> hope the honest nodes will rearrange and obfuscate streams of messages
> enough to foil these attacks.
> 
> The basic heuristic here is:
> * If you want to prevent people from learning your identity, use the
> same path over and over until it breaks, then use a second one, etc.
> * If you want to prevent people from profiling your behavior, use a
> new path for each transaction.

I question the either/or heuristic here.  Perhaps there are
middle-ground choices that offer some of the good properties of each
choice.  What about choosing a fixed path, but varying the entry and
exit nodes?  This needs real analysis.

Also, though I agree that it should not be _necessary_ for recipients to
be running Mix nodes, it could be possible to increase your anonymity by
running a relay on the same node you use to receive your messages.

 [...]
>                                                       Then Johnny can
> observe Bob's exit point to see how much traffic he's putting out (exactly
> 20 messages to a node means he's serving that same file to somebody else).
> Perhaps this is ok; it's definitely something to keep in mind.

Keep in mind that if many people are using FreeHaven, then many people
will be sending 20-message chunks to one another, and so this will
probably be okay.  Also, FreeHaven nodes can   A takeaway lesson here
seems to be:
	1) Protocols that use an underlying mix-net should try to use it in as
few distinguishable ways as possible, and
	2) If you're the only person using a protocol with a signature, you're
in trouble.

[...]
>                                                       If they want
> to get redundancy, they should get it at a higher level -- say, breaking
> their file into more chunks, and sending more mixminion messages so not
> all of them have to get through. And realistically, if people use the
> same path for all of the chunks, then usually either all of them will
> get through or none of them will.

Yep; this is the end-to-end argument.  In this case, it seems to hold.

With any luck, we'll make Mixminion reliable enough on its own. :)

> And another nasty point -- what about when Johnny wants a file that's
> larger than 5.5 megs? That's the point where he can't fit enough reply
> blocks in a single mixminion message. One approach is to limit the size
> of large messages, and declare that anything larger should be thought
> of as separate transactions (eg, separate files at the Free Haven
> level). Another idea is to use a "self-addressed stamped envelope"
> approach to get more reply blocks from somebody. Hm.
> 
> Anyway, I'm out of steam here. Am I on crack? Is this all there is to say
> on the subject?

Others with greater crypto acument should take a look at Roger's
original message -- it's important stuff.
-- 
Nick