Dishonest Tor relay math question - tor-talk is to lazy

Peter Fairbrother peter at tsto.co.uk
Fri Oct 15 06:09:43 PDT 2021


On 15/10/2021 11:07, grarpamp wrote:
>> Anonymity is hard, and low-latency anonymity is almost impossible.
> 
> People keep throwing this "low latency" term around as if it's
> some kind of distinction, a proven generality, lesser capable to
> anonymity, than any other particular "latency" level. This is bogus.

There is a smidgen of truth in that, but there's probably more in the 
simple use of the term low-latency, or perhaps I should have said 
low-latency browsing.

You might perhaps do a reasonably low latency anonymous twitter for 
instance, but not low-latency anonymous browsing.

> Latency is just a timing measure, whether your traffic events,
> sessions, and characteristics occur over milliseconds, or days,
> traffic analysis doesn't give a shit. 

It can matter if traffic is aggregated and an adversary can only see the 
aggregated traffic. It can matter if the adversary uses timing 
information to correlate the input and output traffic to a network 
(which he almost inevitably does).

> You could drop a 1 year
> store and forward packet buffer delay on every interface in
> the entire tor cloud and the NSA could still analyze it.

Not if it was a randomly-variable one year delay they couldn't. Or if 
you took the timing data away.

If it was like that, Tor could (and probably would) add a little bit of 
packet size restriction, and that would probably be enough to make it TA 
resistant.

> That's because tor's design is hardly TA resistant,
> not because it's "low-latency".

It's not TA-resistant because the design requirement for low latency 
buggered the design. You could add lots of covertraffic but it wouldn't 
help much - the lack of aggregation kills it as far as TA goes.

And the reason for the lack of aggregation (and no fixed packet sizes) 
is because they wanted low latency.

> They also use it as apology and to avoid doing dynamic
> base of chaff, because they are application layer7 people
> who don't understand how raw packet networks work at <=L3
> and how to use them to run a base layer of dynamically
> yielding chaff to ride your wheat over on demand.

I think you are being overly optimistic/simplistic here.

That is not the only way to go, though it was famously used in e.g. the 
US-USSR hotline. It is expensive.

And a simple base layer wastes bandwidth. Techniques like 
randomly-variable base rates, traffic aggregation, end-user sharing 
(which among other things blurs the edges of the network), directed 
covertraffic (where the covertraffic looks "guilty"), route splitting, 
latency jittering and so on are available to defeat TA at lesser 
bandwidth cost.

> Fixed sizes of cells, etc.

Yeah, that's almost a requirement. Certainly makes life easier.

> "Low latency" really just defines the point at which users
> switch from thinking "Hey this is fast enough to surf the web
> (or whatever their use case)", to "This shit's too damn slow
> to do anything, I'm out."

Which is about 4 seconds for web browsing today (a few studies have been 
published),

.. though in the days of acoustic modems it was longer ..

> 
>> Anonymous remailers could work
> 
> They're a bit harder since a "message" gets injected into a
> proper random mix/cloud/buffer, and is not an e2e stream tacked
> up across it. Yet without chaff on every link, message size
> controls, etc... they can still fall to TA the same way tor does.

Iirc Mixmaster has message size control. It doesn't have or need 
specific per-link chaff, but it does have chaff - nobody knows/knew how 
much, it was added by individual users.

Per-link chaff might help against some injected traffic attacks, but it 
is not strictly necessary.

> 
>> but they are pretty much moribund now.
> 
> Still useful if you want to use "E-Mail" addresses over "E-Mail" networks,
> and should continue to be developed and deployed for that legacy purpose.
> But for the general purpose of "messaging" they are largely now rightly
> replaced by dedicated p2p message network apps that don't have to
> compromise themselves to "E-Mail"s old protocol restrictions and trust model.
> 

I don't know of any strict anonymity p2p apps.


Peter Fairbrother
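
The exchange above about a fixed versus a randomly-variable delay, as an added simulation that is not part of the original message. The Poisson arrivals, the uniform delay distribution and the observer that links the k-th message in to the k-th message out are all assumptions made for this example.

```python
import random

def arrivals(n, mean_gap, rng):
    """Constructed input: n ordered entry times drawn from a Poisson process."""
    t, times = 0.0, []
    for _ in range(n):
        t += rng.expovariate(1.0 / mean_gap)
        times.append(t)
    return times

def delayed(entry, base, spread, rng):
    """Exit time = entry + base + uniform(0, spread); spread=0 is a fixed delay."""
    return [t + base + rng.uniform(0.0, spread) for t in entry]

def link_accuracy(entry, exits):
    """Hypothetical observer: sees only timestamps on both sides of the network
    and links the k-th message in to the k-th message out.
    Returns the fraction of messages linked correctly."""
    out_order = sorted(range(len(exits)), key=exits.__getitem__)
    hits = sum(1 for k, msg in enumerate(out_order) if msg == k)
    return hits / len(entry)

def experiment(spread, base=3600.0, n=200, mean_gap=1.0, seed=1):
    """One run: n messages, about one per second, held for `base` seconds
    plus a random extra of up to `spread` seconds."""
    rng = random.Random(seed)
    entry = arrivals(n, mean_gap, rng)
    return link_accuracy(entry, delayed(entry, base, spread, rng))

if __name__ == "__main__":
    # A fixed delay of any length preserves ordering, so linking is trivial.
    # Only a spread that is large relative to the arrival gap scrambles it.
    for spread in (0.0, 0.01, 1.0, 600.0):
        acc = experiment(spread)
        print(f"delay spread {spread:>6}s -> linked correctly: {acc:.2f}")
```

In this model the size of the base delay never changes the result; only the ratio of the random spread to the gap between messages does.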


More information about the cypherpunks mailing list