1994-08-07 - Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))

Header Data

From: hughes@ah.com (Eric Hughes)
To: cypherpunks@toad.com
Message Hash: 0aee4fb3b6fc3a490420d55fee3d02d10cae8a3279d868f6e5ff6b32eeb4a546
Message ID: <9408071643.AA18197@ah.com>
Reply To: <4191@aiki.demon.co.uk>
UTC Datetime: 1994-08-07 17:11:33 UTC
Raw Date: Sun, 7 Aug 94 10:11:33 PDT

Raw message

From: hughes@ah.com (Eric Hughes)
Date: Sun, 7 Aug 94 10:11:33 PDT
To: cypherpunks@toad.com
Subject: Latency vs. Reordering (Was: Remailer ideas (Was: Re: Latency vs. Reordering))
In-Reply-To: <4191@aiki.demon.co.uk>
Message-ID: <9408071643.AA18197@ah.com>
MIME-Version: 1.0
Content-Type: text/plain


   Sigh.  I say "A implies B".  You say, "not A, and so proposition is
   incorrect".  

No, I say that messages distributions are not continuous, so the model
which assumes they are is not the right model.

   IF the traffic is
   continuous, THEN random delays introduce reordering.  

I've never said they didn't induce some reordering.  That's not my
point, which is about known and not merely suspected properties of
systems.

Cryptography is about assurances as well as actual security.
Information security is a negative property; it works when nothing bad
happens, and something bad may happen without it being directly
observed.  Since one can't always see an actual cryptosystem failure,
unlike, say, a robbery, the way to extend the security is by
understanding what is possible.  And for understanding, proof is
always better than intuition, guessing, or supposition.

I'll reiterate again.  Reordering is what yields privacy, directly.
Adding latency adds privacy ONLY insofar as it adds reordering.  If
you feel like you have to have a latency based system, fine, but the
understanding of just how much reordering such systems actually induce
is still lacking.  It does not suffice to wave hands and say it
induces 'enough' reordering.  You need to know how much, and that
takes a calculation, which has not been done yet.

Furthermore, I demonstrated two reasons why latency-based systems are
less efficient in implementation than reordering-based systems.  

So, in upshot, latency based reordering is not only less efficient,
but also less well understood.  Until someone comes up with a
latency-based scheme which can't be algorithmically modified to make a
more efficient reordering system, and has similar memory usage, and
until someone does some calculations on just how much reordering is
induced by various latency schemes, I will continue to call latency
based mixing by the name snake oil.

   > Fourth, the problem is incompletely specified, since the distribution
   > of random added latencies is not made specific.

   Correct.  You assume details that have not been specified, and then
   critique them at length.

By not specifying exactly what distribution of latencies you're
talking about, I assume that you are making a universal claim about
latency-adding systems with _any_ distribution.  I do not see you
claiming that there exists some special distribution that makes
latency systems work, because for implementation you actually have to
exhibit one.

Therefore, I point out that this is another lack of understanding.

And I _know_ that if you haven't thought before about the issue of the
distributions of the added latencies that you haven't thought very
hard about the cryptanalysis of such systems.

   His arguments also ignore the fact that reordering messages of different
   lengths is useless as a defense against traffic analysis, suggesting that
   this is polemic rather than a serious argument.

Oh, really?  You even quoted me explicitly not ignoring the issue:

   > Encyphering is necessary.  Reordering of quanta is necessary.

The phrase "reordering of quanta" seems perfectly clear to me.

Eric








Thread