[freehaven-cvs] initial tweaks throughout



Update of /home/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/e2e-traffic

Modified Files:
	e2e-traffic.tex 
Log Message:
initial tweaks throughout


Index: e2e-traffic.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -d -r1.23 -r1.24
--- e2e-traffic.tex	24 Jan 2004 14:44:32 -0000	1.23
+++ e2e-traffic.tex	24 Jan 2004 21:29:13 -0000	1.24
@@ -44,13 +44,11 @@
 long-term end-to-end traffic analysis attacks against anonymous message
 systems.
 We relax the assumptions of earlier attacks by describing how an
-%Our
 eavesdropper can learn sender-receiver connections even when the substrate
 is a network of pool mixes, the attacker is non-global, and senders have
 complex behavior including generating padding messages.
-Additionally, we describe how an attacker can use extra information about
+We describe how an attacker can use extra information about
 message distinguishability to speed the attack.
-%to reduce the amount of traffic needed to link senders to recipients.
 Finally, we simulate our attacks for a variety of
 scenarios, focusing on the amount of information needed to link senders and
 recipients.
@@ -95,8 +93,8 @@
 Here we extend a version of the long-term intersection attack called the
 statistical disclosure attack \cite{statistical-disclosure} to work in
 real-world circumstances. Specifically, whereas the original model for
-this attack makes strong assumptions about sender behavior and works
-against only a single batch mix, we show how an attacker can learn
+this attack makes strong assumptions about sender behavior and only
+works against a single batch mix, we show how an attacker can learn
 Alice's regular recipients even when:
 
 \begin{tightlist}
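Review bot: Moving "only" ahead of "works" in the added line "this attack makes strong assumptions about sender behavior and only" loosens its scope. The limitation is the target, which the old "works against only a single batch mix" said directly. Suggest keeping the old order, or "works only against a single batch mix".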
@@ -105,7 +103,7 @@
 \item The attacker lacks {\it a priori} knowledge of the network's
   average behavior when Alice is not sending messages.
 \item Mixes use a different batching algorithm, such as Mixmaster's
-  dynamic-pool algorithm \cite{trickle02,mixmaster-spec} or its
+  dynamic-pool algorithm \cite{mixmaster-spec,trickle02} or its
   generalization \cite{pet2003-diaz}.
 \item Alice uses a mix network (of any topology, with synchronous or
   asynchronous batching) to relay her messages through a succession of
@@ -119,15 +117,15 @@
 \item The cover traffic generated by other senders changes
   slowly over time.  (We do not address this case completely).
 \end{tightlist}
-Each of these deviations from the original
+Each deviation from the original
 model reduces the rate at which the attacker learns Alice's recipients, and
-increases the amount of traffic the attacker must observe.
+increases the amount of traffic he must observe.
 
 Additionally, we show how an attacker can exploit additional knowledge, such
-as distinguishability between messages, to speed up these attacks.  (For
+as distinguishability between messages, to speed up these attacks.  For
 example, the attacker can take into account whether messages are written in
 the same language or signed by the same pseudonym to partition them into
-different classes and analyze the classes independently.)
+different classes and analyze the classes independently.
 %\item {\it A priori} suspicion of certain messages having originated
 %  or not originated from Alice.  For example, messages written in a
 %  language Alice doesn't speak are unlikely to have been written
@@ -145,7 +143,7 @@
   sending messages. If Alice always sends the same number of messages, in
   every round, forever, the attacker may not be able to learn who receives
   messages in Alice's absence.  (Our preliminary results suggest that this
-  effect can be achieved with far less padding.)
+  effect can be achieved with far less padding.) XXXX
 \item The attacker cannot tell when the sender is originating
   messages.
   %% For example, the sender may be running her own mix
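Review bot: The bare "XXXX" appended after "far less padding.)" is neither commented out nor wrapped in the \XXXX{...} macro used for the to-do notes elsewhere in this diff, so it will be typeset as literal text inside the list item. Suggest \XXXX{...} with a few words on what is still open here, or a % comment if the marker is only meant for the authors.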
@@ -232,8 +230,8 @@
 senders that might have sent a suspect message. A sender who
 also runs a node in the mix network can conceal whether a
 given message originated at her node or was relayed from another node
-\cite{bennett:pet2003,tarzan:ccs02,crowds:tissec}. But even in these
-designs, the adversary can observe whether certain traffic patterns are
+\cite{bennett:pet2003,tarzan:ccs02,crowds:tissec}. But even with this
+approach, the adversary can observe whether certain traffic patterns are
 present when a user is online (sending) and absent when a user is offline
 (not sending) \cite{wright02,wright03}.
 
@@ -258,10 +256,13 @@
 \cite{langos02}, but their design has many practical problems.
 
 Finally, note that while the adversary can perform this long-term
-intersection attack entirely passively, active attacks can help him
-reduce the set of suspects at each round. For example, performing
-blending attacks \cite{trickle02} against a suspected sender can greatly
-speed the attack. %Danezis and Sassaman propose a ``heartbeat'' dummy
+intersection attack entirely passively, active attacks (such as
+blending attacks \cite{trickle02} against a suspected sender) can help
+him reduce the set of suspects at each round.
+%For example, performing
+%blending attacks \cite{trickle02} against a suspected sender can greatly
+%speed the attack. 
+%Danezis and Sassaman propose a ``heartbeat'' dummy
 %scheme \cite{danezis:wpes2003} where dummies are sent from a node in
 %the network back to itself, creating an early warning system to detect
 %if the adversary is launching such a blending attack.
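Review bot: The rewritten sentence drops the claim that blending attacks "can greatly speed the attack" and keeps only "can help him reduce the set of suspects at each round". If the weaker statement is intended, the three newly commented-out lines starting "%For example, performing" should be deleted rather than left as dead text, since revision 1.23 already preserves the old wording. The line "%speed the attack. " also carries trailing whitespace.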
@@ -273,24 +274,24 @@
 attack \cite{limits-open}, an intersection attack against a single
 sender on a single batch mix.
 
-The disclosure attack assumes that the attacker is a global passive
-eavesdropper who is interested in learning the recipients of a single
-targeted sender (``Alice''); that Alice sends messages to $m$ recipients;
-that Alice sends a single message to one of them chosen at random per batch
-of $b$ messages; and that the other $b-1$ messages in each batch are chosen
-at random from the set of $N$ possible recipients.
+The disclosure attack assumes a global passive eavesdropper interested in
+learning the recipients of a single sender Alice. It assumes that Alice
+sends messages to $m$ recipients; that Alice sends a single message
+(recipient chosen at random from $m$) in each batch of $b$ messages;
+and that the recipients of the other $b-1$ messages are chosen at random
+from the set of $N$ possible recipients.
 
-The attacker observes the messages leaving the mix in each batch and
+The attacker observes the messages leaving the mix and
 constructs sets $R_i$ of recipients receiving messages in batch $i$.
 The attacker then performs an NP-complete computation to identify $m$
 mutually disjoint recipient sets $R_i$, so that each of Alice's
-recipients is necessarily contained in exactly one of sets.
+recipients is necessarily contained in exactly one of the sets.
 Intersecting these sets with future recipient sets reveals Alice's
 recipients.
 
-\XXXX{Give the result formulas in the disclosure paper.}
+% \XXXX{Give the result formulas in the disclosure paper.}
 
-\XXXX{The above may not be 100\% accurate; must re-read the paper.}
+% \XXXX{The above may not be 100\% accurate; must re-read the paper.}
 
 \subsection{The statistical disclosure attack}
 \label{subsec:statistical-disclosure}
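Review bot: In the added "(recipient chosen at random from $m$)", $m$ is the number of Alice's recipients, not a set, so "chosen at random from $m$" does not parse. Suggest "chosen at random from her $m$ recipients", parallel to "from the set of $N$ possible recipients" two lines later. Separately, the two \XXXX notes are commented out rather than resolved, which hides "must re-read the paper" from the built document in the same commit that rewords the paragraph it questions. Keep that note visible until the description has been checked against the disclosure paper.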
@@ -310,8 +311,8 @@
 
 The attacker derives from each output round $i$ an observation vector
 $\V{o_i}$, each of whose elements corresponds to the probability of
-Alice's having sent a message to each particular recipient in that round. (In
-a round $i$ where Alice has send a message, each element of $\V{o_i}$ will
+Alice's having sent a message to each particular recipient in that round. In
+a round $i$ where Alice has sent a message, each element of $\V{o_i}$ will
 have value $1/b$ if it corresponds to a recipient who has received a message,
 and $0$ if it does not.
 Taking the arithmetic mean $\B{O}$ of a large set of these observation
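Review bot: Removing the "(" before "In a round $i$" is only correct if its matching ")" is removed too, and no closing parenthesis appears in the changed lines or in the context shown ("and $0$ if it does not." ends without one). Check the rest of the paragraph for a now-unmatched ")" and remove it in the same commit.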
@@ -613,7 +614,8 @@
 
 \subsubsection{Exploiting message partitioning}
 \label{subsubsec:full-linkability}
-The attacker's work can be greatly simplified if some leaving the system are
+The attacker's work can be greatly simplified if some messages leaving
+the system are
 {\it linkable}.  Two messages are said to be {\it linkable} if they are
 likelier to originate from the same sender than are two randomly chosen
 messages.  We consider a special case of linkability, in which we discover
@@ -807,12 +809,12 @@
 interval of time.  Thus, the number of messages sent by the background is no
 longer a fixed $b-n_a$ (where $n_a$ is the number of messages Alice sends),
 but now follows a normal distribution with mean $BG$ (and standard deviation
-set arbitrarily to $BG/10$).\footnote{It's hard to determine the actual
+set arbitrarily to $BG/10$).\footnote{It's hard to determine actual
   standard deviation of message volumes on the currently deployed remailer
   network: automatic reliability checkers that send messages to themselves
   (``pingers'') contribute to a false sense of uniformity, while other users
   generate volume spikes by sending enormous fragmented files, or maliciously
-  flooding discussion groups.  Neither of these groups blends with the bulk
+  flooding discussion groups.  Neither group blends with the bulk
   of the senders on the network.}
 
 \begin{figure}[ht]
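Review bot: Dropping the article in the footnote, giving "It's hard to determine actual standard deviation of message volumes", leaves the noun phrase ungrammatical. Restore "the actual standard deviation". The "Neither group blends" change in the same footnote reads fine.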
@@ -922,7 +924,7 @@
 long-term intersection attack even when he is only observing part of the
 network.  When most of the network is observed ($\Pobserve>70\%$ in our
 results), the attack is hardly impaired at all.  As more of the network is
-concealed (.4<$\Pobserve$<.7) the attack becomes progressively
+concealed ($.4<\Pobserve<.7$) the attack becomes progressively
 harder. Finally, as as $\Pobserve$ approaches $0$, the required number of
 rounds needed approaches infinity.
 
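Review bot: The corrected range "$.4<\Pobserve<.7$" uses fractions, while the previous sentence states the same quantity as "$\Pobserve>70\%$". Pick one notation for both, and if fractions are kept write "0.4" and "0.7" with leading zeros. The next context line also has a doubled word ("Finally, as as $\Pobserve$ approaches"), and "required number of rounds needed" is redundant. Both are worth fixing while this paragraph is being touched.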
@@ -941,11 +943,11 @@
 
 The first lesson is this: {\bf high variability} in message delays is
 essential.  By `spreading' the effects of each incoming message over several
-output rounds, delay variability increase each message's anonymity set, and
+output rounds, variability in delay increases each message's anonymity set, and
 amplifies the effect of padding.
 
 {\bf Padding} seems to slow traffic analysis, especially as the volume of
-padding begins to approach the the volume of the sender's actual messages,
+padding approaches the volume of the sender's actual messages,
 drowning out the signal.
 
 Users should be educated about the effects of their chosen {\bf message
@@ -953,7 +955,7 @@
 repeat the same traffic pattern long enough for the attacker to identify
 it. Conversely, sending ``almost always'' is comparatively safe.  But users
 who send messages to the same group of recipients intermittently but
-frequently, over a long period of time, are increasing their vulnerability to
+frequently, over a long period of time, have increased vulnerability to
 intersection attacks.
 
 The threat of non-global observers must not be ignored.  Much threat analysis
@@ -1014,8 +1016,8 @@
 be prevented? (We are currently simulating scenarios related to pseudonyms.)
 
 Our analysis has focused on the impact of Alice's actions on Alice alone.
-How do Alice's actions (for example, choice of padding method) effect other
-users in the system?  
+How do Alice's actions (for example, choice of padding method) affect other
+users in the system?
 
 There are other possible approaches to thwarting traffic analysis, including
 alternative padding regimes (as mentioned above in the discussion for
@@ -1028,7 +1030,7 @@
 time: most people's email habits are based on a 24-hour sleep schedule.  The
 effects of this variation may be significant.
 
-Many of our simulations found ``sweet spots'' for setting such as mix pool
+Many of our simulations found ``sweet spots'' for settings such as mix pool
 delay, message volume, padding volume, and so on.  Identifying those points
 of optimality in the wild would be of great practical help for users.
 
