[freehaven-cvs] more cleanup, particularly in the conclusion
Update of /home2/freehaven/cvsroot/doc/e2e-traffic
In directory moria.mit.edu:/tmp/cvs-serv28174
Modified Files:
e2e-traffic.tex
Log Message:
more cleanup, particularly in the conclusion
Index: e2e-traffic.tex
===================================================================
RCS file: /home2/freehaven/cvsroot/doc/e2e-traffic/e2e-traffic.tex,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -d -r1.49 -r1.50
--- e2e-traffic.tex 2 May 2004 23:02:07 -0000 1.49
+++ e2e-traffic.tex 2 May 2004 23:18:34 -0000 1.50
@@ -944,7 +944,7 @@
$\Pdelay$), padding does not thwart the attack even when Alice is online
$99\%$ of the time.
-For our final dummy traffic simulation, we assumed that Alice performs
+For our final dummy traffic simulation, we assume that Alice performs
threshold padding consistently, but that the attacker has had a chance to
acquire a view of the network's background behavior before Alice first came
online.\footnote{As usual, we assume that the background traffic patterns are
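Review bot: the tense fix on the changed line is incomplete, because the unchanged context two lines below still reads "before Alice first came online" while the sentence is now in the present ("we assume", "performs"). Consider "before Alice first comes online" so the whole sentence matches the footnote's "As usual, we assume".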
@@ -956,10 +956,10 @@
messages Alice sends, but by preventing the attacker from learning how the
network acts in Alice's absence.
-We present our results in Figure~\ref{fig5d}, which compares the results when
+Figure~\ref{fig5d} compares results when
Alice uses consistent threshold padding and the attacker knows the background
-to results when Alice uses no padding and the background is unknown.
-Clearly, not only can an attacker who knows the background distribution
+to results when Alice does not pad and the background is unknown.
+Not only can an attacker who knows the background distribution
identify Alice's recipients with ease (even in the presence of padding), but
such an attacker is {\it not} delayed by increased variability in message
delays.
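Review bot: the rewritten sentence beginning "Figure~\ref{fig5d} compares results when" still varies two things between the cases (padding and knowledge of the background) inside one long "results when ... to results when ..." clause, so the reader has to carry the first case for two lines before reaching "to". Suggest naming the two cases explicitly, for example (a) consistent threshold padding with a known background and (b) no padding with an unknown background. While touching this paragraph, {\it not} in the context line could become \emph{not}.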
@@ -1014,40 +1014,37 @@
suggest several open questions for future work, and offer recommendations
for mix network designs.
-\subsubsection{Towards a more realistic model:}
+\subsubsection{A more realistic model:}
%\label{subsubsec:future-work}
%Many questions remain before the effectiveness of long-term
%intersection attacks can be considered a closed problem.
-Our model differs most from reality in four ways: First, real user behavior
-is more complex than we have assumed. Second, user behavior changes over
-time. Third, real messages often exhibit full or partial linkability, which
-we have not simulated. Fourth, real attackers are not limited to passive
-observation. We consider each of these points below.
-% These need to get re-ordered. -NM
+Our model differs most from reality in four ways.
-Although real social networks behave more like scale-free networks than like
+First,
+although real social networks behave more like scale-free networks than like
the original disclosure attack's model, our models for user behavior still
-have room for improvement. For example, real users probably do not send
+have room for improvement. Real users probably do not send
messages with a time-invariant geometric distribution: most people's email
habits are based on a 24-hour day, and a 7-day week. Early research on
traffic patterns in actual mix-nets \cite{mixvreliable} suggests that this
variation is probably significant.
-In section~\ref{subsec:strenghtening}, we briefly discuss how an attacker can
-try to handle a scenario where the background traffic changes slowly over
+Second, real user behavior changes over
+time. Section~\ref{subsec:strenghtening} discusses how an attacker might
+handle a scenario where the background traffic changes slowly over
time, and perhaps a similar approach would also help against a sender whose
recipients were not constant. In the absence of a model for time-variant
user behavior, however, we have not simulated attacks for these cases.
-It seems clear that systems with message linkability, such as pseudonymous
+Third, it seems clear that systems with message linkability, such as pseudonymous
services, will fall to intersection attacks far faster than anonymizing
services without linkability. How linkable are messages ``in the wild,'' how
much does this linkability help an attacker, and how can it be mitigated?
-The attacks we have discussed here assume a purely passive adversary, but
-they can easily be generalized to incorporate information gained by an active
-attacker. Past work on avoiding blending attacks \cite{trickle02}
-% (flooding, trickle, $n-1$)
+Fourth, real attackers are not limited to passive observation. We should
+generalize our attacks
+to incorporate information gained by an active
+attacker. Past work on avoiding blending attacks~\cite{trickle02}
has concentrated on preventing an attacker from being certain of
Alice's recipients---but in fact, an active attack that only reveals
slight probabilities about Alice's recipients could provide information
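Review bot: the added line "time. Section~\ref{subsec:strenghtening} discusses how an attacker might" carries over the misspelled label key "strenghtening" from the removed line; it resolves only if the matching \label has the same misspelling, so consider renaming both to "strengthening" as part of this cleanup. The deleted roadmap sentence was also the only place that stated the first point outright ("real user behavior is more complex than we have assumed"); the new "First," paragraph opens with a concession ("although real social networks ...") and leaves that point implicit, so a short lead clause stating it would help. Finally, "We should generalize our attacks" turns the earlier claim "they can easily be generalized" into a to-do; confirm the weaker statement is intended.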