[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Giblit Proposal



On Sat, Jan 03, 2004 at 07:16:14PM +0100, Some Guy wrote:
> So a tagged message would only have a 1/16th chance to make it another hop before being
> identified, and raising alarm bells or at least being dropped.

Here are the problems:

1) If this is designed for low-latency systems, then:
   a) Tagging attacks are irrelevant, because timing and counting attacks
      (see http://freehaven.net/anonbib/#SS03) already work great.
   b) Thousands of crypts overhead per cell is an unacceptable performance
      penalty. It will seriously impact throughput.
2) If it's for high-latency systems, then this low chance of detection
   is not good enough. Plus, messages are large enough that you can afford
   to use some more space. Mixminion includes a hash of the header at
   each hop, and includes some more magic to deal with the body; see
   the design paper for details.

Also, note that this integrity-checking you're talking about cannot work
for intermediate nodes in the reverse (reply) direction, because they
don't know the other symmetric keys used in the circuit, so they can't
know what the cells will look like at other hops.

Please carefully reread http://mixminion.net/minion-design.pdf and
http://freehaven.net/tor/tor-design.pdf. Feel free to mail me privately,
but we should take this thread off the or-dev list.

--Roger