# [or-cvs] Still more edits

Update of /home/or/cvsroot/tor/doc/design-paper
In directory moria.mit.edu:/tmp/cvs-serv2159

Modified Files:
challenges.tex
Log Message:
Still more edits

Index: challenges.tex
===================================================================
RCS file: /home/or/cvsroot/tor/doc/design-paper/challenges.tex,v
retrieving revision 1.59
retrieving revision 1.60
diff -u -d -r1.59 -r1.60
--- challenges.tex	8 Feb 2005 22:26:24 -0000	1.59
+++ challenges.tex	8 Feb 2005 22:58:02 -0000	1.60
@@ -769,8 +769,11 @@
significantly impede abuse if creating new accounts were easily automatable;
this is why services use IP blocking.  In order to deter abuse, pseudonymous
identities need to require a significant switching cost in resources or human
-time.
+time.  Some popular webmail applications
+impose cost with Reverse Turing Tests, but these may not be costly enough to
+deter abusers.  Freedom solved this using blind signatures to limit
+the number of pseudonyms for each paying account, but Tor has neither the
+ability nor the desire to collect payment.

%One approach, similar to that taken by Freedom, would be to bootstrap some
@@ -927,9 +930,11 @@
\subsection{Enclaves and helper nodes}
\label{subsec:helper-nodes}

-It has long been thought that the best anonymity comes from running your
-own node~\cite{tor-design,or-ih96,or-pet00}. This is called using Tor in an
-\emph{enclave} configuration. By running Tor clients only on Tor nodes
+It has long been thought that users can improve their
+anonymity by running their
+own node~\cite{tor-design,or-ih96,or-pet00}, and using it in an
+\emph{enclave} configuration, where all their circuits begin at the node
+under their control.  By running Tor clients only on Tor nodes
at the enclave perimeter, enclave configuration can also permit anonymity
protection even when policy or other requirements prevent individual machines
within the enclave from running Tor clients~\cite{or-jsac98,or-discex00}.
@@ -972,7 +977,7 @@
every $dc/n$ days. Statistically over time this approach only helps
if she is better at choosing honest helper nodes than at choosing
honest nodes.  Worse, an attacker with the ability to DoS nodes could
-force users to switch helper nodes more frequently and/or remove
+force users to switch helper nodes more frequently, or remove
other candidate helpers.

%Do general DoS attacks have anonymity implications? See e.g. Adam
@@ -1003,16 +1008,17 @@

Tor's \emph{rendezvous points}
let users provide TCP services to other Tor users without revealing
-the service's location. Since this feature is relatively recent, we describe here
+the service's location. Since this feature is relatively recent, we describe
+here
a couple of our early observations from its deployment.

First, our implementation of hidden services seems less hidden than we'd
-like, since they are configured on a single client and get used over
-and over---particularly because an external adversary can induce them to
-produce traffic. They seem the ideal use case for our above discussion
-of helper nodes. This insecurity means that they may not be suitable as
+like, since they build a different rendezvous circuit for each user,
+and an external adversary can induce them to
+produce traffic. This insecurity means that they may not be suitable as
-publishing systems that aim to provide long-term security.
+publishing systems that aim to provide long-term security, though helper
+nodes, as discussed above, would seem to help.

\emph{Hot-swap} hidden services, where more than one location can
provide the service and loss of any one location does not imply a
@@ -1035,10 +1041,10 @@
a hidden-service address on their front page. Doing this can provide
increased robustness if they use the dual-IP approach we describe
in~\cite{tor-design},
-but in practice they do it firstly to increase visibility
-of the Tor project and their support for privacy, and secondly to offer
+but in practice they do it first to increase visibility
+of the Tor project and their support for privacy, and second to offer
a way for their users, using unmodified software, to get end-to-end
-encryption and end-to-end authentication to their website.
+encryption and authentication to their website.

\label{subsec:routing-zones}
@@ -1083,7 +1089,9 @@
determine location diversity; but the above paper showed that in practice
many of the Mixmaster nodes that share a single AS have entirely different
IP prefixes. When the network has scaled to thousands of nodes, does IP
-prefix comparison become a more useful approximation?
+prefix comparison become a more useful approximation?  Alternatively, can
+relevant parts of the routing tables be summarized centrally and delivered to
+clients in a less verbose format?
%
Second, we can take advantage of caching certain content at the
exit nodes, to limit the number of requests that need to leave the
@@ -1097,40 +1105,40 @@
of knowing our algorithm?
%
-Lastly, can we use this knowledge to figure out which gaps in our network
-would most improve our robustness to this class of attack, and go recruit
+Fourth, can we use this knowledge to figure out which gaps in our network
+most effect our robustness to this class of attack, and go recruit
new nodes with those ASes in mind?

%Tor's security relies in large part on the dispersal properties of its
%network. We need to be more aware of the anonymity properties of various
%approaches so we can make better design decisions in the future.

-\subsection{The China problem}
+\subsection{The Anti-censorship problem}
\label{subsec:china}

Citizens in a variety of countries, such as most recently China and
-Iran, are periodically blocked from accessing various sites outside
+Iran, are blocked from accessing various sites outside
their country. These users try to find any tools available to allow
them to get-around these firewalls. Some anonymity networks, such as
Six-Four~\cite{six-four}, are designed specifically with this goal in
mind; others like the Anonymizer~\cite{anonymizer} are paid by sponsors
-such as Voice of America to set up a network to encourage Internet
+such as Voice of America to encourage Internet
freedom. Even though Tor wasn't
-users across the world are trying to use it for exactly this purpose.
+users across the world are now using it for exactly this purpose.
% Academic and NGO organizations, peacefire, \cite{berkman}, etc

Anti-censorship networks hoping to bridge country-level blocks face
a variety of challenges. One of these is that they need to find enough
exit nodes---servers on the free' side that are willing to relay
-arbitrary traffic from users to their final destinations. Anonymizing
+traffic from users to their final destinations. Anonymizing
networks including Tor are well-suited to this task, since we have
already gathered a set of exit nodes that are willing to tolerate some
political heat.

The other main challenge is to distribute a list of reachable relays
to the users inside the country, and give them software to use them,
-without letting the authorities also enumerate this list and block each
+without letting the censors also enumerate this list and block each
relay. Anonymizer solves this by buying lots of seemingly-unrelated IP
used up', and telling a few users about the new ones. Distributed
@@ -1144,14 +1152,14 @@
server that gives them out to dissidents who need to get around blocks.

Of course, this still doesn't prevent the adversary
-from enumerating all the volunteer relays and blocking them preemptively.
+from enumerating and preemtively blocking the volunteer relays.
Perhaps a tiered-trust system could be built where a few individuals are
given relays' locations, and they recommend other individuals by telling them
those addresses, thus providing a built-in incentive to avoid letting the
might help to bound the number of IP addresses leaked to the adversary. Groups
like the W3C are looking into using Tor as a component in an overall system to
-help address censorship; we wish them luck.
+help address censorship; we wish them success.

%\cite{infranet}

@@ -1161,17 +1169,15 @@
Tor is running today with hundreds of nodes and tens of thousands of
users, but it will certainly not scale to millions.

-Scaling Tor involves three main challenges.  First is safe node
-discovery, both bootstrapping -- how a Tor client can robustly find an
-initial node list -- and ongoing -- how a Tor client can learn about
-a fair sample of honest nodes and not let the adversary control his
-circuits (see Section~\ref{subsec:trust-and-discovery}).  Second is detecting and handling the speed
-and reliability of the variety of nodes we must use if we want to
-accept many nodes (see Section~\ref{subsec:performance}).
-Since the speed and reliability of a circuit is limited by its worst link,
-we must learn to track and predict performance.  Finally, in order to get
-a large set of nodes in the first place, we must address incentives
-for users to carry traffic for others.
+Scaling Tor involves three main challenges.  First is safe node discovery,
+both while bootstrapping (how does Tor client robustly find an initial node
+list?) and later (how does Tor client can learn about a fair sample of honest
+nodes and not let the adversary control his circuits?)  Second is detecting
+and handling the speed and reliability of the variety of nodes as the network
+becomes increasingly heterogeneous: since the speed and reliability of a
+circuit is limited by its worst link, we must learn to track and predict
+performance.  Third, in order to get a large set of nodes in the first
+place, we must address incentives for users to carry traffic for others.

\subsection{Incentives by Design}

@@ -1179,35 +1185,36 @@
traffic; providing good throughput and reliability while doing it;
and allowing traffic to exit the network from that node.

-We encourage these behaviors through \emph{indirect} incentives, that
-is, designing the system and educating users in such a way that users
+We encourage these behaviors through \emph{indirect} incentives: that
+is, by designing the system and educating users in such a way that users
with certain goals will choose to relay traffic.  One
-main incentive for running a Tor node is social benefit: volunteers
-altruistically donate their bandwidth and time.  We also keep public
-rankings of the throughput and reliability of nodes, much like
-seti@home.  We further explain to users that they can get plausible
+main incentive for running a Tor node is social: volunteers
+altruistically donate their bandwidth and time.  We encourage this with
+public rankings of the throughput and reliability of nodes, much like
+seti@home.  We further explain to users that they can get
deniability for any traffic emerging from the same address as a Tor
exit node, and they can use their own Tor node
-as entry or exit point and be confident it's not run by the adversary.
-Further, users may run a node simply because they need such a network
-to be persistently available and usable.
-And, the value of supporting this exceeds any countervening costs.
-Finally, we can improve the usability and feature set of the software:
+as an entry or exit point and be confident it's not run by an adversary.
+Further, users may run a node simply because they need such a network
+to be persistently available and usable, and the value of supporting this
+exceeds any countervening costs.
+Finally, we can encourage operators by improving the usability and feature
+set of the software:
rate limiting support and easy packaging decrease the hassle of
maintaining a node, and our configurable exit policies allow each
operator to advertise a policy describing the hosts and ports to which
he feels comfortable connecting.

-To date these appear to have been adequate. As the system scales or as
-new issues emerge, however, we may also need to provide
+To date these incentives appear to have been adequate. As the system scales
+or as new issues emerge, however, we may also need to provide
\emph{direct} incentives:
providing payment or other resources in return for high-quality service.
Paying actual money is problematic: decentralized e-cash systems are
not yet practical, and a centralized collection system not only reduces
robustness, but also has failed in the past (the history of commercial
anonymizing networks is littered with failed attempts).  A more promising
-option is to use a tit-for-tat incentive scheme: provide better service
-to nodes that have provided good service to you.
+option is to use a tit-for-tat incentive scheme, where nodes provide better
+service to nodes that have provided good service for them.

Unfortunately, such an approach introduces new anonymity problems.
There are many surprising ways for nodes to game the incentive and
@@ -1217,7 +1224,7 @@
by performing well or can provide targeted differential performance to
individual users to undermine their anonymity. Typically a user who
chooses evenly from all options is most resistant to an adversary
-targeting him, but that approach precludes the efficient use
+targeting him, but that approach hampers the efficient use
of heterogeneous nodes.

%When a node (call him Steve) performs well for Alice, does Steve gain
@@ -1232,14 +1239,13 @@
incentive scheme based on two rules: (1) each node should measure the
to the received service, but (2) when a node is making decisions that
-affect its own security (e.g. when building a circuit for its own
+affect its own security (such as building a circuit for its own
application connections), it should choose evenly from a sufficiently
large set of nodes that meet some minimum service threshold
\cite{casc-rep}.  This approach allows us to discourage bad service
without opening Alice up as much to attacks.  All of this requires
further study.

-
%XXX rewrite the above so it sounds less like a grant proposal and
%more like a "if somebody were to try to solve this, maybe this is a
%good first step".