1994-08-08 - Re: Improved remailer reordering

Header Data

From: Hal <hfinney@shell.portal.com>
To: cypherpunks@toad.com
Message Hash: a2b1dbca4f53be078c8db65a8365fbfd0f3c7363ac884d7f203b9bb753dd1b7b
Message ID: <199408080314.UAA26470@jobe.shell.portal.com>
Reply To: <9408072325.AA18643@ah.com>
UTC Datetime: 1994-08-08 03:13:53 UTC
Raw Date: Sun, 7 Aug 94 20:13:53 PDT

Raw message

From: Hal <hfinney@shell.portal.com>
Date: Sun, 7 Aug 94 20:13:53 PDT
To: cypherpunks@toad.com
Subject: Re: Improved remailer reordering
In-Reply-To: <9408072325.AA18643@ah.com>
Message-ID: <199408080314.UAA26470@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


hughes@ah.com (Eric Hughes) writes, quoting Jim Dixon:

>   Imagine a RemailerNet (v0.2) that maintained a fixed level of
>   traffic between gateways.

>This is exactly what I was talking about when I posted earlier about
>link encryptors, and effective collapse of nodes for traffic analysis
>purposes.  Traffic analysis of mixes and remailers assumes, as an
>abstraction, that all the messages going into and coming out of a
>particular node are visible.  As soon as you remove this condition,
>the analytical situation changes completely.

So, I guess what you are saying is, two remailer nodes connected by a
fully-encrypted link which carries dummy traffic so the data rate is
constant (and hence effectively invisible) can be thought of as one node
for some purposes.  So let me ask: how does a network which contains these
two nodes compare with one which has only a single node in their place?

I can see three models to compare.  The first is a single node network.
The second is a tightly-coupled two-node network with link encryption so
no information is available on the traffic between them.  Messages will be
sent into and out of this pair of nodes in such a way as to maximize
entropy of distribution.  The third is a loosely-coupled two-node network
where the nodes are used as a Chaum-style cascade, but with half the
messages going in each direction.

For the first network, if the bandwidth into (and hence out of) the single
node is N, we get the maximal possible confusion, as I suggested before.

If the total bandwidth into the remailer network is N, then the
tightly-coupled two-node network might average N/2 into each of the
nodes, with N/2 out of each of them.  For maximal confusion, half of
the incoming data would be sent over to come out of the other node, so
we have N/4 going in each direction on the link.  The net result is
that the two-node net has each node with a bandwidth of 3/4 N coming in
(and going out) to attain the confusion level of an ideal one-node
system.  This is superior in per-node bandwidth but greater in total
network bandwidth.

As for security against corrupt operators, this gives some improvement
over a one-node system, but not as much as with two independent nodes.
In this model, only half the messages go through both nodes, so only half
get the benefit of a two-node chain.  (Also, as I suggested before, we
might question whether two node operators who were able to cooperate and
trust each other well enough to set up this kind of link would be truly
independent.)

For the third model, two nodes connected by an ordinary link and used as
two-node chains, each node now has an input bandwidth of N: N/2 from
users (who choose each node at random as the first of the chain), and
N/2 from the other remailer (where the node is acting as the second of the
chain).  So we have paid a price in bandwidth, with each node carrying N,
and a total net bandwidth of 2N.  But we have gained in security against
operator malfeasance: all messages now go through both remailers and
if either one is hiding the mapping then it is lost.

So, there appears to be some tradeoffs between bandwidth savings and
security against dishonest operators.  It will be interesting to see how
these results extend to larger numbers of nodes.

Hal






Thread