
Re: [tor-dev] Proposal draft: Better hidden service stats from Tor relays

> Can you be more explicit with regard to privacy guarantees of the
> obfuscation schema that is currently implemented: 1) binning, 2) add
> Laplace noise, 3) no second binning.

I'll discuss this in terms of attacks on the stats of the number of HS descriptors.

Binning: Suppose an adversary knows that the number of HS descriptors stays constant over a week. He knows when all descriptors are being published except for one. By binning he won't know when that one is published unless the number of other descriptors exactly fills a bin.

Laplace noise: To provide cover in the case that all other descriptors exactly fill a bin, we add some noise so that sometimes an adjacent bin is reported instead, or (less likely) a bin two distant, etc. Then the adversary can't immediately know whether an unknown descriptor is indeed published in any given period. However, he can eventually figure this out by making enough observations and looking at the resulting empirical distribution. But it's better than not protecting it at all.

> If you think 3) should be changed, can you explain why that leads to
> better privacy guarantees?

I don't think that 3 should be changed, but if you removed it, it wouldn't affect the privacy argument.

> I can see how the Laplace distribution doesn't add much noise to the
> second case.  And your suggestion is to change the second delta_f to 8?


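The binning and Laplace-noise argument in the message above, as an added example that is not part of the original message and is not Tor's code. It bins a descriptor count, adds Laplace noise without a second binning, and shows that one report barely separates adjacent bins while the mean over many reports does. `BIN_SIZE`, `DELTA_F`, `EPSILON`, the counts and all function names are assumed values chosen for illustration.

```python
import math
import random

BIN_SIZE = 8     # assumed bin width
DELTA_F = 8      # assumed sensitivity used to scale the noise
EPSILON = 0.3    # assumed privacy parameter
SCALE = DELTA_F / EPSILON  # Laplace scale b

def bin_up(count, bin_size=BIN_SIZE):
    """Round a count up to the next multiple of bin_size."""
    return -(-count // bin_size) * bin_size

def report(count, rng):
    """One published value: binned count plus Laplace(0, SCALE) noise.
    The difference of two exponentials is Laplace distributed."""
    noise = rng.expovariate(1 / SCALE) - rng.expovariate(1 / SCALE)
    return bin_up(count) + noise

def mean_report(count, periods, rng):
    """Empirical mean of the reports over many periods with a constant count."""
    return sum(report(count, rng) for _ in range(periods)) / periods

def single_report_error_rate():
    """Chance that one report lands on the wrong side of the midpoint
    between two adjacent bins: P(Laplace > BIN_SIZE / 2)."""
    return 0.5 * math.exp(-(BIN_SIZE / 2) / SCALE)

if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the run is repeatable
    # Constructed case 1: 60 known descriptors, so 60 and 61 share bin 64
    # and binning alone hides the extra descriptor.
    print("bins for 60 and 61:", bin_up(60), bin_up(61))
    # Constructed case 2: 64 known descriptors exactly fill a bin, so the
    # extra one moves the count to bin 72 and only the noise hides it.
    print("bins for 64 and 65:", bin_up(64), bin_up(65))
    print("single-report error rate: %.2f" % single_report_error_rate())
    for periods in (1, 100, 20000):
        without = mean_report(64, periods, rng)
        with_extra = mean_report(65, periods, rng)
        print("%6d periods: mean without=%.1f  with=%.1f"
              % (periods, without, with_extra))
```

With these assumed parameters a single report misleads an observer about 43% of the time, but the two means settle near 64 and 72 as the number of periods grows, which is the empirical-distribution effect the message describes.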