hughes@ah.com (Eric Hughes) writes, quoting Jim Dixon:
Imagine a RemailerNet (v0.2) that maintained a fixed level of traffic between gateways.
This is exactly what I was talking about when I posted earlier about link encryptors, and effective collapse of nodes for traffic analysis purposes. Traffic analysis of mixes and remailers assumes, as an abstraction, that all the messages going into and coming out of a particular node are visible. As soon as you remove this condition, the analytical situation changes completely.
So, I guess what you are saying is, two remailer nodes connected by a fully-encrypted link which carries dummy traffic so the data rate is constant (and hence effectively invisible) can be thought of as one node for some purposes. So let me ask: how does a network which contains these two nodes compare with one which has only a single node in their place? I can see three models to compare. The first is a single node network. The second is a tightly-coupled two-node network with link encryption so no information is available on the traffic between them. Messages will be sent into and out of this pair of nodes in such a way as to maximize entropy of distribution. The third is a loosely-coupled two-node network where the nodes are used as a Chaum-style cascade, but with half the messages going in each direction. For the first network, if the bandwidth into (and hence out of) the single node is N, we get the maximal possible confusion, as I suggested before. If the total bandwidth into the remailer network is N, then the tightly-coupled two-node network might average N/2 into each of the nodes, with N/2 out of each of them. For maximal confusion, half of the incoming data would be sent over to come out of the other node, so we have N/4 going in each direction on the link. The net result is that the two-node net has each node with a bandwidth of 3/4 N coming in (and going out) to attain the confusion level of an ideal one-node system. This is superior in per-node bandwidth but greater in total network bandwidth. As for security against corrupt operators, this gives some improvement over a one-node system, but not as much as with two independent nodes. In this model, only half the messages go through both nodes, so only half get the benefit of a two-node chain. (Also, as I suggested before, we might question whether two node operators who were able to cooperate and trust each other well enough to set up this kind of link would be truly independent.) For the third model, two nodes connected by an ordinary link and used as two-node chains, each node now has an input bandwidth of N: N/2 from users (who choose each node at random as the first of the chain), and N/2 from the other remailer (where the node is acting as the second of the chain). So we have paid a price in bandwidth, with each node carrying N, and a total net bandwidth of 2N. But we have gained in security against operator malfeasance: all messages now go through both remailers and if either one is hiding the mapping then it is lost. So, there appears to be some tradeoffs between bandwidth savings and security against dishonest operators. It will be interesting to see how these results extend to larger numbers of nodes. Hal