[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] Edit sections 1...3.1, tweaks throughout
Update of /home/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/tmp/cvs-serv27861
Modified Files:
e2e-traffic.tex
Log Message:
Edit sections 1...3.1, tweaks throughout
Index: e2e-traffic.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.28
retrieving revision 1.29
diff -u -d -r1.28 -r1.29
--- e2e-traffic.tex 25 Jan 2004 10:49:24 -0000 1.28
+++ e2e-traffic.tex 25 Jan 2004 10:59:05 -0000 1.29
@@ -109,11 +109,10 @@
asynchronous batching) to relay her messages through a succession of
mixes, instead of using just a single mix.
\item Alice disguises when she is sending real messages by sending
- traffic padding to % be dropped by
- some mix node in the network.
+ traffic padding to mix nodes in the network.
\item The attacker can only view a subset of the messages entering and
- leaving the network, so long as this subset includes some messages
- from Alice and some messages to Alice's recipients.
+ leaving the network (so long as this subset includes some messages
+ from Alice and some messages to Alice's recipients).
\item The cover traffic generated by other senders changes
slowly over time. (We do not address this case completely).
\end{tightlist}
@@ -139,26 +138,27 @@
%%We will quantify what `enough' means below.
% if it's true that we will, we should probably shout it louder
% in the abstract. guess we'll wait to see if we do. -RD
-\item The attacker cannot observe how the network behaves when Alice isn't
- sending messages. If Alice always sends the same number of messages, in
+\item The attacker cannot observe how the network behaves in Alice's
+ absence. If Alice always sends the same number of messages, in
every round, forever, the attacker may not be able to learn who receives
- messages in Alice's absence. (Our preliminary results suggest that this
- effect can be achieved with far less padding.) XXXX
-\item The attacker cannot tell when the sender is originating
- messages.
+ messages in Alice's absence.
+ %% Our preliminary results suggest that this effect can be achieved with
+ %% significantly less padding.
+ % (Yes, but not unequivocally. `more research is needed'. -NM)
+\item The attacker cannot tell when the sender is originating messages.
%% For example, the sender may be running her own mix
%% node and injecting messages into it directly.
% why leave this out? it sounds important. -RD
\end{tightlist}
We begin in Section~\ref{sec:previous-work} by presenting a brief
-background overview on mix-nets, traffic analysis, the disclosure
+background overview on mix networks, traffic analysis, the disclosure
attack, and the statistical disclosure attack. In
Section~\ref{sec:extending} we present our enhancements to the statistical
disclosure attack. We present simulated experimental results
in Section~\ref{sec:simulation}, and close in Section~\ref{sec:conclusion}
with recommendations for resisting this class of attacks, implications
-for mix-net design, and a set of open questions for future work.
+for mix network design, and a set of open questions for future work.
%======================================================================
\section{Previous work}
@@ -170,27 +170,24 @@
decrypts, delays, and re-orders messages, before relaying them toward their
destinations. Chaum proved the security of a mix against a \emph{passive
adversary} who eavesdrops on all communications but is unable to observe
-the reordering inside the mix. Because some mixes might be controlled by an
+the reordering inside the mix.
+% This above statement is misleading, no? The proof only holds when
+% Alice sends always/only once, IIRC. -NM
+Because some mixes might be controlled by an
adversary, Alice may direct her messages through a sequence or `chain' of
mixes in a network, so that no single mix can link her to her recipient.
Many subsequent designs have been proposed, including Babel \cite{babel},
Mixmaster \cite{mixmaster-spec}, and Mixminion \cite{minion-design}.
-% also \cite{shuffle} and \cite{abe}
-% No, we shouldn't mention either of these. The long-term intersection
-% attack is not part of their threat model. -RD
We will not address the differences between these systems in any detail: from
the point of view of a long-term intersection attack, the internals of the
network are irrelevant so long as the attacker can observe messages entering
and leaving the network, and can guess when a message entering the network is
likely to leave.
-%%(Some designs, such as DC-nets \cite{chaum-dc}, Herbivore \cite{herbivore},
-%%and whats-this-called \cite{k-anonymous}, seek prevent eavesdroppers from
-%%learning when participannts are sending and receiving.)
-
-Another class of anonymity designs is aimed at web browsing and other
-low latency activities \cite{web-mix:pet2000,freedom2-arch,tor-design,or-jsac98},
+Another class of anonymity designs aims to provide low-latency
+connections for web browsing and other interactive activities
+\cite{web-mix:pet2000,freedom2-arch,tor-design,or-jsac98},
but we do not address them in this paper because short-term timing and packet
counting attacks seem sufficient against them \cite{SS03}.
@@ -204,7 +201,7 @@
so they stand out from other traffic, or altering messages
in transit. They can learn a given message's destination
by flooding the network with messages, replaying multiple copies
-of a message, or shaping traffic to isolate the target message from
+of a message, or shaping traffic to isolate a target message from
other unknown traffic \cite{trickle02}. Attackers can
discourage users from using honest mixes by making them unreliable
\cite{back01,casc-rep}. They can analyze intercepted message text to
@@ -212,22 +209,21 @@
\cite{rao-pseudonymity}.
\subsection{The intersection attack}
-
Even if all the above attacks are foiled, an adversary can
-mount a \emph{long-term intersection attack} to correlate the times at
+mount a \emph{long-term intersection attack} by correlating the times at
which senders and receivers are active \cite{disad-free-routes}.
-A variety of countermeasures increase
-the difficulty of the intersection attack. Kesdogan's Stop-and-go mix
-\cite{stop-and-go} provides probabilistic anonymity by letting users
-specify message latencies -- essentially broadening the range of times
+A variety of countermeasures make intersection attacks harder:
+Kesdogan's Stop-and-go mixes
+\cite{stop-and-go} provide probabilistic anonymity by letting users
+specify message latencies, thereby broadening the range of times
messages might emerge from the mix network. Similarly, batching strategies
\cite{trickle02} as in Mixmaster and Mixminion use message
pools to spread out the possible exit times for messages.
Rather than expanding the set of messages that might have
been sent by a suspect sender, other designs expand the set of
-senders that might have sent a suspect message. A sender who
+senders that might have sent a target message. A sender who
also runs a node in the mix network can conceal whether a
given message originated at her node or was relayed from another node
\cite{bennett:pet2003,tarzan:ccs02,crowds:tissec}. But even with this
@@ -238,7 +234,7 @@
A sender can also conceal whether she is currently active by consistently
sending decoy (dummy) traffic. Pipenet \cite{pipenet} conceals
traffic patterns by constant padding on every link. Unfortunately, a
-single user can shut down the network simply by not sending.
+single user can shut down the network simply by not sending.
%%Backing
%%off even a little bit from this constant-padding scheme has been thought to
%%allow the
@@ -261,7 +257,7 @@
him reduce the set of suspects at each round.
%For example, performing
%blending attacks \cite{trickle02} against a suspected sender can greatly
-%speed the attack.
+%speed the attack.
%Danezis and Sassaman propose a ``heartbeat'' dummy
%scheme \cite{danezis:wpes2003} where dummies are sent from a node in
%the network back to itself, creating an early warning system to detect
@@ -269,7 +265,6 @@
\subsection{The disclosure attack}
\label{subsec:disclosure-attack}
-
In 2002, Kesdogan, Agrawal, and Penz presented the disclosure
attack \cite{limits-open}, an intersection attack against a single
sender on a single batch mix.
@@ -286,7 +281,7 @@
The attacker then performs an NP-complete computation to identify $m$
mutually disjoint recipient sets $R_i$, so that each of Alice's
recipients is necessarily contained in exactly one of the sets.
-Intersecting these sets with future recipient sets reveals Alice's
+Intersecting these sets with subsequent recipient sets reveals Alice's
recipients.
% \XXXX{Give the result formulas in the disclosure paper.}
@@ -295,10 +290,9 @@
\subsection{The statistical disclosure attack}
\label{subsec:statistical-disclosure}
-
In 2003, Danezis presented the statistical disclosure
attack\cite{statistical-disclosure}, which makes the same operational
-assumptions as the original disclosure attack, but is far easier to
+assumptions as the original disclosure attack but is far easier to
implement in terms of storage, speed, and algorithmic complexity.
In the statistical disclosure attack, we model Alice's behavior as an
@@ -311,9 +305,10 @@
The attacker derives from each output round $i$ an observation vector
$\V{o_i}$, each of whose elements corresponds to the probability of
-Alice's having sent a message to each particular recipient in that round. In
-a round $i$ where Alice has sent a message, each element of $\V{o_i}$ will
-have value $1/b$ if it corresponds to a recipient who has received a message,
+Alice's having sent a message to each particular recipient in that round.
+That is, in
+a round $i$ where Alice has sent a message, each element of $\V{o_i}$ is
+$1/b$ if it corresponds to a recipient who has received a message,
and $0$ if it does not.
Taking the arithmetic mean $\B{O}$ of a large set of these observation
vectors gives (by the law of large numbers):
@@ -326,7 +321,6 @@
\( m < \frac{N}{b-1} \), and calculates the expected number of rounds to
succeed (with $95\%$ confidence for security parameter $\l=2$ and $99\%$
confidence for $l=3$):
-
\[t > \left[ ml \left(\sqrt{\frac{m-1}{m}} +
\sqrt{\frac{N-1}{N^2}(b-1)} \right) \right]^2 \]
@@ -336,9 +330,10 @@
\subsection{Broadening the attack}
\label{subsec:broadening}
Here we examine ways to extend Danezis's statistical
-disclosure attack to systems more closely resembling real-world mix-nets. In
-Section~\ref{sec:simulation}, we examine the time and information
-requirements for these attacks against simulated networks.
+disclosure attack to systems more closely resembling real-world mix networks.
+We will examine the time and information requirements for several of these
+attacks in Section~\ref{sec:simulation} below, by running them against
+simulated networks.
\subsubsection{Complex senders, unknown background traffic:}
% \label{subsubsec:complex-senders}
@@ -348,13 +343,14 @@
remove the assumption that the attacker has full knowledge of the
distribution $\V{u}$ of cover traffic sent by users other than Alice.
-To model Alice's varying number of messages, we use a probability function
+To model Alice's varying number of messages, we use a probability function
$P_m$ such
-that in every round Alice sends $n$ messages with a probability
-$P_m(n)$. We still use a behavior vector $\V{v}$ of the recipients to
-which Alice sends, but we no longer require Alice's recipients to have a
+that in every round Alice sends $n$ messages with probability
+$P_m(n)$. We still use a behavior vector $\V{v}$ to represent the
+probability of Alice sending to each recipient,
+but we no longer require Alice's recipients to have a
uniform $1/m$ probability. Alice's expected contribution to each round
-is now $\V{v} \sum_{n=0}^{\infty} n P_m(n)$.
+is thus $\V{v} \sum_{n=0}^{\infty} n P_m(n)$.
To mount the attack, the attacker first obtains an
estimate of the background distribution $\V{u}$ by observing a large number
@@ -362,7 +358,7 @@
which Alice has {\it not} contributed any messages.\footnote{The attack can
still proceed if few such Alice-free batches exist, so long as Alice
contributes more to some batches than to others. Specifically, the
- approach described on the next page (against pool mixes and mix-nets)
+ approach described below (against pool mixes and mix networks)
can exploit differences
between low-Alice and high-Alice batches to infer background behavior.}
For each such
@@ -374,7 +370,7 @@
The attacker then observes, for each round $i$ in which Alice {\it does}
send a message, the number of messages $m_i$ sent by Alice, and
-computes $\V{o_i}$ as before. Computing the arithmetic mean of these
+computes observations $\V{o_i}$ as before. Taking the arithmetic mean of these
$\V{o_i}$ gives us
\[\B{O} = \frac{1}{t}\sum_{i=1}^{t}{\V{o_i}}
\approx
@@ -385,9 +381,9 @@
\[\V{v} \approx \frac{1}{\B{m}}
\left[ b\B{O} - (b-\B{m})\B{U} \right] \]
-\subsubsection{Attacking pool mixes and mix-nets:}
+\subsubsection{Attacking pool mixes and mix networks:}
% \label{subsubsec:complex-mix} can't usefully label subsubsections.
-Most mix-net designs have already abandoned fixed-batch mixes in
+Most designs have already abandoned fixed-batch mixes in
favor of other algorithms that better hide the relation
between senders and recipients. Such improved algorithms include
timed dynamic-pool mixes, generalized mixes, and randomized versions of
@@ -441,9 +437,9 @@
$i$, the attacker observes rounds $i$ through some later round $i+k$,
choosing $k$ so that $\sum_{j=k+1}^{\infty} P_R^i(j)$ is negligible.
The attacker then uses $P_R$ to
-compute $\B{O_w}$, the mean of the observations from all of these rounds
-weighted by the expected number of messages from Alice that will exit
-that round:
+compute $\B{O_w}$, the mean of the observations from all of these rounds,
+weighted by the expected number of messages from Alice exiting in each
+round:
\[ \B{O_w} = \sum_i \sum_{r=0}^k P_R^i(r) m_i \V{o_{i+r}}
\approx \frac{\B{m}\V{v} + (\B{n}-\B{m})\V{u}}{\B{n}} \]
@@ -453,24 +449,23 @@
including messages from Alice. Such batches, however, are not
essential: If the attacker chooses a set of $\V{u_i}$ such that each
round contains (on average) a small number $\delta_a>0$ of messages from
-Alice, the attacker will obtain
+Alice, averaging them gives:
\[\B{U'} \approx \frac{\delta_a}{\B{n}} \V{v} +
\frac{1-\delta_a}{\B{n}} \V{u} \]
-and can thus solve again for $\V{v}$ in the earlier equation for
+and the attacker can thus solve again for $\V{v}$ in the earlier equation for
$\B{O_w}$, now using
\[\V{u} \approx \frac{1}{1-\delta_a}
\left[ \B{n} \B{U'} - \delta_a \V{v} \right] \]
-Senders can also behave differently from the original model
-by directing their messages through a chosen path
-in a network of mixes. While using a mix-net increases the effort an
+Senders can also deviate from the original model
+by directing their messages through multi-hop paths
+in a network of mixes. While using a mix network increases the effort an
attacker must spend to observe all messages leaving the system, it
has no additional effect on intersection attacks beyond changing the
-delaying characteristics $P_R$ of the anonymity system as introduced
-above.
+delaying characteristics $P_R$ of the anonymity system.
Assume for the sake of simplicity that all mixes have the same
-expected delay $P_R$, and that Alice chooses a path of length $\ell_0$.
+delay distribution $P_R$, and that Alice chooses a path of length $\ell_0$.
The chance of
the message being delayed by a further $d$ rounds is now
\[ P_R'(\ell_0+d) = \binom{\ell_0+d-1}{d} (1-P_D)^{\ell_0} P_D^d \]
@@ -488,14 +483,12 @@
%\label{subsubsec:dummy-traffic}
Alice can also reduce the impact of traffic analysis by
periodically sending messages into the network that are dropped inside
-the network, or by periodically sending messages into the network that
-arrive at recipients other than those with whom she wants to
-communicate.
+the network.
-Although these methods can succeed in slowing or stopping the attacker (as
+Although these methods can slow or stop the attacker (as
discussed below in Section \ref{sec:simulation}), the change in the attack
itself is trivial: Alice's behavior
-vector $\V{v}$ no longer adds to $1$, since there is now a probability that a
+vector $\V{v}$ no longer adds to $1$, since there is now a chance that a
message from Alice will not reach any recipient. Aside from this, the
attacker can proceed as before, so long as Alice sends more messages
(including dummies) in some rounds than in others.
@@ -513,7 +506,7 @@
%% %% the other hand, if all messages in the mix-net are encrypted, Alice
%% %% can easily give her dummy messages junk padding, encrypted so that
%% %% only the recipient of each dummy message can distinguish it from a
-%% %% real message.}.
+%% %% real message.}.
%% Suppose that every message Alice sends has a
%% probability $P_c$ of being a cover message, and that recipients for
%% cover messages are chosen from a distribution vector $\V{v_c}$.
@@ -544,13 +537,13 @@
that deliver messages to recipients. (Typically, not all mixes do
so.)
-Depending on which points of the network the attacker can observe, a
-non-global attacker has different characteristics. If an attacker
-eavesdrops on a fraction of the {\it mixes} in the system, the
-attacker receives a random sample\footnote{But possibly a biased
+A non-global attacker's characteristics depending on which parts of the
+network he can observe. If the attacker
+eavesdrops on a fraction of the {\it mixes} in the system, he
+ receives a sample\footnote{But possibly a biased
sample, depending on Alice's path selection algorithm.} of the
messages entering or leaving the system. If such an attacker can see some
-messages from Alice and some messages to her recipients, he will still
+messages from Alice and some messages to her recipients, he can still
converge on the same $\B{O}$ and thus the same estimation of Alice's
behavior, but the attack will require more rounds of observation.
@@ -566,9 +559,9 @@
\subsubsection{Time-variant background traffic:}
%\label{subsubsec:time-variant}
-If Alice's behavior changes completely and radically over time, a long-term
-intersection attack cannot proceed: the attacker cannot make enough
-observations of any version of Alice's behavior to converge
+If Alice's behavior changes completely and radically over time, long-term
+intersection attacks cannot proceed: the attacker cannot make enough
+observations of any version or subset of Alice's behavior to converge
on a $\B{v}$ for any of them.
On the other hand, if Alice's behavior $\V{v}$ remains consistent
@@ -576,8 +569,8 @@
attacker still has some hope. Rather than estimating a single $\B{U}$
from observations to which Alice does not contribute, the attacker
estimates a series of successive $\B{U_i}$ values based on the
-average behavior of the network during a comparatively shorter
-duration of time. Now the attacker observes $\V{o_i}$ as before and
+average behavior of the network during comparatively shorter
+durations of time. Now the attacker observes $\V{o_i}$ as before and
computes the average of $\V{o_i} - \B{U_i}$, as before. Now,
\[ \V{v} \propto \frac{1}{t}\sum_{i=1}^t \V{o_i} - \B{U_i}
\]
@@ -586,15 +579,10 @@
\subsubsection{Attacking recipients:}
%\label{subsubsec:recipients}
-%As a final (and somewhat anticlimactic) extension to the original
-%attack,
-Finally,
-we note that an attacker can % mount attacks against
-find recipients
-as well as senders with slightly higher storage and the same %no increase in
-computational cost.
+Finally, we note that an attacker can find recipients as well as senders by
+using slightly more storage and the same computational cost.
-The attacker wishes to know which senders are sending
+Suppose the attacker wishes to know which senders are sending
anonymous messages to a given recipient Bob. The analysis remains the
same: the attacker compares sender behavior in rounds from which Bob
probably receives messages with behavior in rounds from which Bob
@@ -609,9 +597,10 @@
\label{subsec:strenghtening}
Section \ref{subsec:broadening} showed how to extend the original
statistical disclosure attack to reveal sender--recipient links in a
-broader range of circumstances. In Section \ref{sec:simulation} we will
-show that these extensions force the attacker to observe an increasingly
-large number of rounds of traffic.
+broader range of circumstances.
+%In Section~\ref{sec:simulation} we will
+%show that these extensions force the attacker to observe an increasingly
+%large number of rounds of traffic.
In this section, rather than talking about how to broaden the attack so it
works in new situations (at the expensive of needing increased traffic),
@@ -651,8 +640,8 @@
sophisticated attacker could check for the presence of certain
keywords and try to link messages based on their textual content.
-To exploit these scenarios, the attacker begins as above by
-choosing a set of $c$ `partitioning classes' (such as languages or
+To exploit these scenarios, the attacker
+chooses a set of $c$ `partitioning classes' (such as languages or
patterns of usage), and assigning to each observed output
message a probability of belonging to each class. The attacker then
proceeds as before, but instead of collecting observation
@@ -684,12 +673,13 @@
To exploit this knowledge, an attacker can (as suggested in the
original statistical disclosure paper)
modify the estimated probabilities in $\V{o_i}$ of Alice having sent
-each delivered message. For example, if 100 messages are sent in a
-round, and the attacker judges that 50 of them are twice as likely to
-have been sent by Alice than the other 50, the attacker assigns
-$2/150$ to each element of $\V{o_i}$ corresponding to a likely
-message, and $1/150$ to each element corresponding to an unlikely
-message.
+each delivered message.
+% For example, if 100 messages are sent in a
+%round, and the attacker judges that 50 of them are twice as likely to
+%have been sent by Alice than the other 50, the attacker assigns
+%$2/150$ to each element of $\V{o_i}$ corresponding to a likely
+%message, and $1/150$ to each element corresponding to an unlikely
+%message.
%======================================================================
\section{Simulation results}
@@ -809,12 +799,12 @@
more. %than they did before.
%XXX say more? -NM
-\subsubsection{Attacking pool mixes and mix-nets:}
+\subsubsection{Attacking pool mixes and mix network:}
\label{subsec:sim-complex-mixes}
%trials 3,4
Pooling slows an attacker by increasing the number of output messages
that can correspond to each input message. To simulate an attack against
-pool mixes and mix-nets, we abstract away the actual pooling rule used by the
+pool mixes and mix networks, we abstract away the actual pooling rule used by the
network, and instead assume that the network has reached a steady state, so
that each mix retains the messages in its pool with the same probability
($\Pdelay$) every
@@ -826,18 +816,20 @@
interval of time. Thus, the number of messages sent by the background is no
longer a fixed $b-n_a$ (where $n_a$ is the number of messages Alice sends),
but now follows a normal distribution with mean $BG$ (and standard deviation
-set arbitrarily to $BG/10$).\footnote{It's hard to determine actual
- standard deviation of message volumes on the currently deployed remailer
+set arbitrarily to $BG/10$).\footnote{It's hard to determine
+ standard deviations for actual message volumes on the currently deployed
+ remailer
network: automatic reliability checkers that send messages to themselves
(``pingers'') contribute to a false sense of uniformity, while other users
generate volume spikes by sending enormous fragmented files, or maliciously
- flooding discussion groups. Neither group blends with the bulk
+ flooding discussion groups and remailer nodes. Neither group blends with
+ the bulk
of the senders on the network.}
-\begin{figure}[ht]
+\Begin{figure}[ht]
\centering
\mbox{\epsfig{angle=0,figure=graphs/fig34,width=4in}}
-\caption{Pool mixes and mix-nets: Median rounds to guess all recipients}
+\caption{Pool mixes and mix networks: Median rounds to guess all recipients}
\label{fig34}
\end{figure}
@@ -869,7 +861,8 @@
%hm. tense switches between present and past. -rd
First, we chose to restrict our examination (due to time constraints) to the
-effects of dummy messages in several cases of the pool-mix/mix-net simulation
+effects of dummy messages in several cases of the pool-mix/mix network
+simulation
above. Because we are interested in learning how well dummies thwart
analysis, we chose cases where, in the absence of dummies, the attacker had
little trouble in learning Alice's recipients.
@@ -902,9 +895,9 @@
Padding slows the attack, but does not necessarily stop it. As shown in
Figure~\ref{fig5a}, geometric padding is most helpful when the underlying
-mix-net has a higher variability in message delay to `spread' the padding
+mix network has a higher variability in message delay to `spread' the padding
between rounds. With lower variability, Alice needs to send far more padding
-messages in order to confuse the attacker.
+messages to confuse the attacker.
We are currently running our simulations on other padding models, including
``imperfect threshold padding'' (Alice always tries to pad up to a threshold
@@ -915,7 +908,7 @@
%trial 6
Finally, we examine the degree to which a non-global passive adversary can
mount the statistical disclosure attack. Again, we base our simulation on
-the mix-net simulation where the attacker can only observe a few mixes, and
+the mix network simulation where the attacker can only observe a few mixes, and
try to see whether a non-global observer can do so also.
% (have we defined 'entry'?) -NM
@@ -949,14 +942,14 @@
\section{Conclusions}
\label{sec:conclusion}
Our results demonstrate that long-term end-to-end intersection attacks can
-succeed under a variety of mix-net designs and complicating factors. In
-closing, we offer suggestions for mix-net designs, and suggest several open
+succeed under a variety of complicating factors. In
+closing, we offer suggestions for mix network designs, and suggest several open
questions for future work.
-\subsubsection{Implications for mix-net design:}
+\subsubsection{Implications for mix network design:}
%\label{subsubsec:implications}
If we were to design a mix network based on our findings here, what steps
-should we take in order to frustrate intersection attack?
+should we take to frustrate intersection attack?
The first lesson is this: {\bf high variability} in message delays is
essential. By `spreading' the effects of each incoming message over several
@@ -968,7 +961,7 @@
drowning out the signal.
Users should be educated about the effects of their chosen {\bf message
-volume}: sending very infrequently is safe, especially if the user doesn't
+volume}: sending infrequently is safe, especially if the user doesn't
repeat the same traffic pattern long enough for the attacker to identify
it. Conversely, sending ``almost always'' is comparatively safe. But users
who send messages to the same group of recipients intermittently but
@@ -976,11 +969,11 @@
intersection attacks.
The threat of non-global observers must not be ignored. Much threat analysis
-for high-latency mix-net assumes that a passive adversary must watch the
-entire network in order to threaten anonymity. We have shown this to be
+for high-latency mix networks assumes that a passive adversary must watch the
+entire network to threaten senders' anonymity. We have shown this to be
false---any attacker who can watch the bulk of the servers Alice chooses as
entry and exit points can run an intersection attack to learn her recipients.
-Thus, mix-nets should take steps to {\bf minimize the number of messages}
+Thus, mix networks should take steps to {\bf minimize the number of messages}
that a limited attacker can see entering and exiting the network. Possible
approaches include encouraging users to run their own mixes; choosing
messages' entry and exit points to cross geographical and organization
@@ -1068,3 +1061,6 @@
\end{document}
+% 'In order to' -> 'to'
+% very -> damn -> ''
+%
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/