> Directory authorities perform a different job, so I prefer to not call these
> also "PKI". "Consensus service" would be less confusing - for me as a
> security person but not specialised in anonymity research.

Ah yes, I see your point.

> > I've heard that I2P uses a completely different kind of PKI... involving a
> > gossip protocol. I suspect it is highly vulnerable to epistemic attacks,
> > which is supposed to be one of the main reasons to use a design like Nick's.
> >
>
> After a quick web search on "epistemic attacks", the main paper I can find
> [1] has the result that attacks are very strong if each node only knows about
> a small fraction (n nodes) of the whole network (N nodes).
>
> They lay the motivation for this assumption (n << N) by describing a
> discovery-based p2p network where each node "samples" (i.e. directly
> contacts) a small fraction of the network. This is equated with mere
> "knowledge" of a node, so that the act of "sampling" an attacker-controlled
> node gives them (or a GPA) the ability to know exactly which nodes "know"
> the target node.
>
> The paper does not seem to consider the possibility that nodes could discover
> more of the network without directly sampling every node, e.g. via gossip
> with their neighbours on "which other nodes exist".
>
> This does not invalidate the mathematics nor the proofs, but it does
> invalidate the assumption that n << N, which is required to make the attacks
> practical. So if I2P has some convincing argument that n ~= N for their
> gossip system, then AFAIU they can claim a reasonable level of defense
> against the attack(s) described in this particular paper.
>
> Furthermore, the assumption that nodes must "sample" other nodes in order to
> "know" them is required for some of the mentioned attacks to work, e.g. in
> 3.1 "The adversary need only know the knowledge set of the target S0 for the
> lower bound we have stated to hold". This assumption would also be false for
> systems that involve indirect discovery. (A modified attack could still work,
> by attempting to infer the knowledge-set of S0, but I assume it would cost
> more and be less effective, especially if n ~= N).
>
> (Indirect discovery could arguably be said to make it easier to spoof fake
> identities, but your ISP can do that anyway, even in a system that only
> supports "direct" discovery.)
>
> Therefore, I'm not sure if it's correct to discredit fully-decentralised
> systems based solely or primarily on those attacks. I could be interpreting
> it wrong, and I'm also not well-read in this topic at all. I'd love for
> further expansion upon this point by anyone that does have more expertise.

This is a very thoughtful reply. Thanks for the paper link. Interesting.

>
> X
>
> [1] https://www.freehaven.net/anonbib/cache/danezis-pet2008.pdf
> Bridging and Fingerprinting: Epistemic Attacks on Route Selection. George
> Danezis and Paul Syverson.
>
> --
> GPG: ed25519/56034877E1F87C35
> GPG: rsa4096/1318EFAC5FBBDBCE
> https://github.com/infinity0/pubkeys.git
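The n << N argument from the quoted reply, as an added toy model that is not part of this thread and is not the Danezis/Syverson paper's own model: each of N nodes knows only n relays, and an observer who sees the k relays of the target's route and knows every node's knowledge set keeps only those nodes that know all k relays. The values of N, n, k and the uniform random sampling are constructed assumptions chosen to show how the candidate set shrinks as n/N falls.

```python
"""Toy model of knowledge-set fingerprinting (constructed example).

Added illustration for the quoted n << N argument; not code from the thread
or from the Danezis/Syverson paper. Uniform sampling and the sizes N, n, k
are constructed assumptions.
"""
import random


def build_knowledge_sets(N, n, rng):
    """Constructed model: each of N nodes directly samples n distinct relays."""
    return [frozenset(rng.sample(range(N), n)) for _ in range(N)]


def candidate_initiators(knowledge, route):
    """Nodes whose knowledge set contains every relay of the observed route."""
    needed = frozenset(route)
    return [node for node, known in enumerate(knowledge) if needed <= known]


def anonymity_set_size(N, n, k, seed=0):
    """Size of the candidate-initiator set for one route built by node 0."""
    rng = random.Random(seed)
    knowledge = build_knowledge_sets(N, n, rng)
    target = 0
    # The target can only route through relays it actually knows.
    route = rng.sample(sorted(knowledge[target]), k)
    cands = candidate_initiators(knowledge, route)
    assert target in cands  # the real initiator always survives the filter
    return len(cands)


def expected_size(N, n, k):
    """Back-of-envelope estimate: roughly N * (n/N)^k candidates remain."""
    return N * (n / N) ** k


if __name__ == "__main__":
    N, k = 1000, 3
    for n in (20, 500, 1000):  # n << N, intermediate, gossip-style n ~= N
        print(f"n={n:4d}  candidates={anonymity_set_size(N, n, k):4d}"
              f"  estimate={expected_size(N, n, k):.1f}")
```

With n ~= N every node knows every relay, so the observed route singles out nobody; with n << N the same observation leaves essentially only the true initiator.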
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging