[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[freehaven-cvs] patches on sec 3.2
Update of /home/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/home2/arma/work/freehaven/doc/e2e-traffic
Modified Files:
e2e-traffic.tex
Log Message:
patches on sec 3.2
Index: e2e-traffic.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- e2e-traffic.tex 24 Jan 2004 22:53:55 -0000 1.26
+++ e2e-traffic.tex 25 Jan 2004 09:47:30 -0000 1.27
@@ -607,35 +607,34 @@
\subsection{Strengthening the attack}
\label{subsec:strenghtening}
-Our previous extensions to the original statistical disclosure attack
-have shown how to reveal sender--recipient links in a broader range of
-circumstances.
-In order to compensate for these circumstances (as will be shown below in
-section \ref{sec:simulation}) the attacker has been
-forced to observe an increasingly large number of rounds of traffic.
+Section \ref{subsec:broadening} showed how to extend the original
+statistical disclosure attack to reveal sender--recipient links in a
+broader range of circumstances. In Section \ref{sec:simulation} we will
+show that these extensions force the attacker to observe an increasingly
+large number of rounds of traffic.
-In this section, rather than broadening the attack at the expense of needing
-increased traffic, we discuss ways to reduce the amount of traffic required
-for the attack by incorporating additional information.
+In this section, rather than talking about how to broaden the attack so it
+works in new situations (at the expensive of needing increased traffic),
+we discuss ways to reduce the amount of traffic required for the attack
+by incorporating additional information.
\subsubsection{Exploiting message partitioning:}
%\label{subsubsec:full-linkability}
-The attacker's work can be greatly simplified if some messages leaving
-the system are
-{\it linkable}. Two messages are said to be {\it linkable} if they are
+The attacker's work can be greatly simplified if some output messages are
+{\it linkable}. Two messages are said to be linkable if they are
likelier to originate from the same sender than are two randomly chosen
messages. We consider a special case of linkability, in which we discover
linkage by {\it partitioning} messages into separate classes such that
messages in the same class are likelier to come from the same sender than two
messages chosen at random.
-The easiest case is of partitioning is pseudonymity: in a typical
+The easiest case of partitioning is pseudonymity: in a typical
pseudonym service, each sender has one or more pseudonyms and all
delivered messages are associated with a pseudonym.
-Clearly, an eavesdropper attacker who can connect senders to their pseudonyms
+An eavesdropper who can connect senders to their pseudonyms
could trivially use this information to connect senders and recipients.
-One way to do this
-is by treating classes of fully linkable messages as virtual message
+For example, he might treat
+classes of fully linkable messages as virtual message
destinations. Instead of collecting observations $\V{o_i}$ of
recipients who receive messages in round $i$, the attacker now
collects observations $\V{o_i}$ of linkable classes
@@ -653,8 +652,8 @@
keywords and try to link messages based on their textual content.
To exploit these scenarios, the attacker begins as above by
-choosing a set of $c$ `partitioning classes' (such as languages,
-patterns of usage, or so on), and assigning to each observed output
+choosing a set of $c$ `partitioning classes' (such as languages or
+patterns of usage), and assigning to each observed output
message a probability of belonging to each class. The attacker then
proceeds as before, but instead of collecting observation
vectors with elements corresponding the recipients, the attacker now
@@ -683,7 +682,7 @@
about astrophysics.
To exploit this knowledge, an attacker can (as suggested in the
-original Statistical Disclosure paper \cite{statistical-disclosure})
+original statistical disclosure paper)
modify the estimated probabilities in $\V{o_i}$ of Alice having sent
each delivered message. For example, if 100 messages are sent in a
round, and the attacker judges that 50 of them are twice as likely to
@@ -695,7 +694,8 @@
%======================================================================
\section{Simulation results}
\label{sec:simulation}
-Above, we've repeatedly said that each complication of the sender or the
+In Section \ref{subsec:broadening}, we repeatedly claimed that each
+complication of the sender or the
network forces the attacker to gather more information. But how much?
To find out, we ran a series of simulations of our attacks, first against the
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/