So everybody but Andrei and Steven should go read Andrei and Steven's paper before they read the rest of this message. http://www.cl.cam.ac.uk/users/sjm217/papers/pet05msgsplit.pdf Done? Good. So the basic idea is: against a certain kind of adversary, when sending a large number of packets to a recipient, it is better to send them over different paths. Okay, great. We already do that. But another result is that it's better to choose the initial nodes according to a geometric distribution rather than a uniform distribution. Otherwise, an attacker who is watching a single mix and sees you send 10 packets can guess that you are likely to be sending 10M packets total, where M is the number of mixes. [If this makes no sense, read the paper.] The question is, should we do something like this with Mixminion? One reason that the answer isn't a straightforward "yes" is that the paper doesn't (if I understand Andrei correctly) address the case where an attacker is watching the sender. If the attacker *is* watching the sender, then using the paper's recommended splitting algorithm can leak information. For example, suppose Alice sends 10 packets each to 10 recipients, and Bob sends 100 packets to 1 recipient. Suppose they're observed by an attacker. If they choose their entry mixes uniformly, then they look the same. But if they do what the paper suggests, an attacker can tell them apart, and Alice provides less cover for Bob than before -- not more. So, what's the right answer here? yours, -- Nick Mathewson
Attachment:
pgpTtFMxDvewd.pgp
Description: PGP signature