[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[freehaven-cvs] Add some writing.

To: freehaven-cvs@freehaven.net
Subject: [freehaven-cvs] Add some writing.
From: nickm@seul.org (Nick Mathewson)
Date: Sun, 2 May 2004 17:58:59 -0400 (EDT)
Delivered-to: archiver@seul.org
Delivered-to: freehaven-cvs-outgoing@seul.org
Delivered-to: freehaven-cvs@seul.org
Delivery-date: Sun, 02 May 2004 17:59:24 -0400
Reply-to: freehaven-dev@freehaven.net
Sender: owner-freehaven-cvs@freehaven.net

Update of /home/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/tmp/cvs-serv24093

Modified Files:
	e2e-traffic.tex e2e-traffic.bib 
Log Message:
Add some writing.

Index: e2e-traffic.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.44
retrieving revision 1.45
diff -u -d -r1.44 -r1.45
--- e2e-traffic.tex	2 May 2004 21:56:22 -0000	1.44
+++ e2e-traffic.tex	2 May 2004 21:58:57 -0000	1.45
@@ -957,12 +957,13 @@
 messages Alice sends, but by preventing the attacker from learning how the
 network acts in Alice's absence.
 
-We present our results in Figure~\ref{fig5d}, which compares the results
-when Alice uses consistent threshold padding and the attacker knows the
-background to results when Alice uses no padding and the background is
-unknown.
-\XXXX{Describe these when more data is in.  Basically, delay just doesn't
-  help when background is known. NMNM}
+We present our results in Figure~\ref{fig5d}, which compares the results when
+Alice uses consistent threshold padding and the attacker knows the background
+to results when Alice uses no padding and the background is unknown.
+Clearly, not only can an attacker who knows the background distribution
+identify Alice's recipients with ease (even in the presence of padding), but
+such an attacker is {\it not} delayed by increased variability in message
+delays.
 
 \subsubsection{The impact of partial observation:}
 %\label{subsec:sim-partial}
@@ -1006,8 +1007,6 @@
 harder. Finally, as $\Pobserve$ approaches $0$, the required number of
 rounds approaches infinity.
 
-\XXXX{Pseudonyms--can I say anything?}
-
 %======================================================================
 \section{Conclusions}
 \label{sec:conclusion}
@@ -1017,16 +1016,36 @@
 suggest several open questions for future work, and offer recommendations
 for mix network designs.
 
-\subsubsection{Questions for future research:}
+\subsubsection{Towards a more realistic model:}
 %\label{subsubsec:future-work}
-Many questions remain before the effectiveness of long-term
-intersection attacks can be considered a closed problem.
-
+%Many questions remain before the effectiveness of long-term
+%intersection attacks can be considered a closed problem.
+Our model differs most from reality in four ways: First, real user behavior
+is more complex than we have assumed. Second, user behavior changes over
+time.  Third, real messages often exhibit full or partial linkability (as
+described in section~\ref{subsec:strengthening}), which we have not
+simulated.  Fourth, real attackers are not limited to passive observation.
+We each of these points before.
 % These need to get re-ordered. -NM
 
-It would be beneficial to find closed-form equations for expected number of
-rounds required to mount these attacks, as Danezis does for statistical
-disclosure.
+Although real social networks behave more like scale-free networks than like
+the original disclosure attack's model, our models for user behavior still
+have room for improvement.  For example, real users probably do not send
+messages with a time-invariant geometric distribution: most people's email
+habits are based on a 24-hour day, and a 7-day week.  Early research on
+traffic patterns in actual mix-nets \cite{mixvreliable} suggests that this
+variation is probably significant.
+
+In section~\ref{subsec:strengthening}, we briefly discuss how an attacker can
+try to handle a scenario where the background traffic changes slowly over
+time, and perhaps a similar approach would also help against a sender whose
+recipients were not constant.  In the absence of a model for time-variant
+user behavior, however, we have not simulated attacks for these cases.
+
+It seems clear that systems with message linkability, such as pseudonymous
+services, will fall to intersection attacks far faster than anonymizing
+services without linkability.  How linkable are messages ``in the wild,'' how
+much does this linkability help an attacker, and how can it be mitigated?
 
 The attacks we have discussed here assume a purely passive adversary, but
 they can easily be generalized to incorporate information gained by an active
@@ -1045,10 +1064,7 @@
 %
 %   Should we explain this someplace? -NM
 
-%It seems clear that pseudonymous services will fall to intersection attacks
-%far faster than anonymizing services.  How strong is this effect, and can it
-%be prevented? (We are currently simulating scenarios related to pseudonyms.)
-
+\subsubsection{Other questions for future research:}
 Our analysis has focused on the impact of Alice's actions on Alice alone.
 How do Alice's actions (for example, choice of padding method) affect other
 users in the system? Are there incentive-compatible strategies that provide
@@ -1058,13 +1074,9 @@
 %alternative padding regimes (as mentioned above in the discussion for
 %Figure~\ref{fig5a}).  These should be investigated.
 
-Although real social networks behave more like scale-free networks than like
-the original disclosure attack's model, our models for user behavior
-still have room for improvement.  For example, real users
-probably do not send messages with a time-invariant geometric distribution:
-most people's email habits are based on a 24-hour day, and a 7-day week.
-Early research on traffic patterns in actual mix-nets \cite{mixvreliable}
-suggests that this variation is probably significant.
+It would be beneficial to find closed-form equations for expected number of
+rounds required to mount these attacks, as Danezis does for statistical
+disclosure.
 
 Many of our simulations found ``sweet spots'' for settings such as mix pool
 delay, message volume, padding volume, and so on.  Identifying those points

Index: e2e-traffic.bib
===================================================================
RCS file: /home/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.bib,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- e2e-traffic.bib	2 May 2004 21:56:22 -0000	1.12
+++ e2e-traffic.bib	2 May 2004 21:58:57 -0000	1.13
@@ -285,7 +285,7 @@
 @InProceedings{back01,
   author =       {Adam Back and Ulf M\"oller and Anton Stiglic},
   title =        {Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems},
-  booktitle =    {Information Hiding (IH 2001)},
+  booktitle =    {Proceedings of Information Hiding Workshop (IH 2001)},
   pages =        {245--257},
   year =         2001,
   editor =       {Ira S. Moskowitz},

***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs       in the body. http://freehaven.net/

Prev by Author: [freehaven-cvs] Make points in fig5d more visible
Next by Author: [freehaven-cvs] Updated graph 5d to add a little margin space
Previous by thread: [freehaven-cvs] Make points in fig5d more visible
Next by thread: [freehaven-cvs] Updated graph 5d to add a little margin space
Index(es):
- Author
- Thread