> > If my understanding is correct, the answer is No. No we cannot prevent
> > longterm intersection attacks by using decoy traffic in the
> > katzenpost/loopix system because users will go offline and come back
> > online later which changes the anonymity set size and thus leaks
> > information to a global network observer.
> >
> > I suspect that there are mixnet use cases which are not vulnerable or
> > less vulnerable to this... such that user or application behavior does not
> > form a "session" where users send multiple messages over long periods which
> > can be linked by a passive observer.
>
> What about a store-and-retrieve design? You don't send "to" the receiver (not
> even indirectly), you send to a mailbox at an unpredictable address (or
> addresses) in a DHT-like distributed storage system, which is always online.
> Later, the receiver logs on and retrieves their own messages from their
> mailbox.
(none of that prevents longterm intersection attacks)

Oh yes, I love these ideas... and I was previously discussing them with str4d
in the context of i2p bote mail which is described here:
https://github.com/i2p/i2p.i2p-bote/blob/master/doc/techdoc.txt

This spec is a bit encumbered by crypto packet format details whereas I would
just use Sphinx.

> Storage nodes only store stuff for a fixed amount of time and then they drop
> it, to save space / prevent storage DoS attacks. Participants rely on
> end-to-end acks to guarantee reliability. If the recipient doesn't ack your
> message, you assume the network dropped it, and resend it, perhaps to a
> newly-generated unpredictable address.

Yeah that sounds good... although having client to client ACKs means they both
have to be online at the same time, which is a constraint that is probably
inconvenient unless it's treated like a real-time chat application. I like that
this prevents some storage DoS attacks.

> Wasn't Jeff Burdges exploring designs in this area at some point? I vaguely
> remember him talking about it at various events a few years ago.

Yeah, Jeff Burdges has been doing some very interesting mixnet research. Some of
his designs are here:
https://github.com/burdges/lake/tree/master/Xolotl/papers

One of the things he's done is expand on George Danezis's previous work:

Forward Secure Mixes
https://www.freehaven.net/anonbib/cache/Dan:SFMix03.pdf

Jeff has got a PQ ratchet design for forward secure mixes. He also has a bunch
of different designs for mixnet messaging systems, but so far none of them have
an ARQ protocol scheme and therefore no reliability. It might be possible to
add an ARQ scheme to some of his designs. In my opinion reliability is super
important... because "hey there's this new messaging app, but if you send a
message it might not make it to its destination" does not sound appealing to
use at all.
Also, Jeff's designs seem to require SURBs with longish lifetimes, whereas our
katzenpost/loopix thing uses SURBs with lifetimes of 3 hours... since 3 hours
is our key rotation duration for mix keys. (it's good to have MLAT-aware path
selection)

Having SURBs with long lifetimes increases vulnerability to compulsion attacks.
Although it might possibly be somewhat mitigated with the PQ forward secure
mixes if the ratchet state changes before "the man" compels the mix operator
to give them the private key material.

Which reminds me that there are some cool designs in this paper that might help
mitigate these kinds of attacks:

Compulsion Resistant Anonymous Communications
https://www.freehaven.net/anonbib/cache/ih05-danezisclulow.pdf

cheers,
David
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging
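The long-term intersection attack that the first quoted paragraph says decoy traffic cannot prevent, simulated as an added example. This is not code from the thread, from katzenpost/loopix or from any of the participants. It assumes a small constructed population with a fixed online schedule, and an observer who sees which clients are connected in each epoch and in which epochs a real message for Bob entered the network (via an ack, or via a malicious storage node in the store-and-retrieve variant); every online client emits the same constant-rate traffic, so packet counts reveal nothing and the attack works purely on who was online.

```python
# Added example (not katzenpost/loopix or list-participant code): a long-term
# intersection attack against a mixnet with constant-rate cover traffic.
# The population, schedule and observer model below are constructed assumptions.

# Constructed schedule: epoch -> set of clients connected to the mixnet.
# Carol is always online.  Alice comes and goes and sends Bob a real
# message in every epoch she is online.  Everyone online emits DECOY_RATE
# packets per epoch whether they have real traffic or not.
DECOY_RATE = 10
SCHEDULE = {
    0: {"alice", "carol", "dave", "frank", "heidi"},
    1: {"carol", "dave", "grace"},
    2: {"alice", "carol", "dave", "erin", "heidi"},
    3: {"alice", "carol", "erin", "frank", "grace"},
    4: {"carol", "erin"},
    5: {"alice", "carol", "erin", "frank", "grace", "heidi"},
}
TRUE_SENDER = "alice"  # hidden from the observer; used only to drive the simulation


def observer_packet_counts(epoch):
    """What the global observer sees on the wire in one epoch: every online
    client sends the same number of packets, so real messages are
    indistinguishable from decoys at the packet level."""
    return {user: DECOY_RATE for user in SCHEDULE[epoch]}


def bob_received(epoch):
    """Assumption: the observer learns in which epochs a real message for Bob
    entered the system (Bob acks it, or a storage node Bob retrieves from is
    malicious).  In a store-and-retrieve design that epoch is the deposit
    epoch, and the sender had to be online to deposit."""
    return TRUE_SENDER in SCHEDULE[epoch]


def intersection_attack(schedule, received):
    """Sender candidate set = intersection of the online sets over all epochs
    in which Bob received something.  Returns the candidate set after each
    such epoch so the shrinking anonymity set is visible."""
    candidates = None
    history = []
    for epoch in sorted(schedule):
        if not received(epoch):
            continue  # nothing learned this epoch in the basic attack
        online = schedule[epoch]
        candidates = set(online) if candidates is None else candidates & online
        history.append((epoch, frozenset(candidates)))
    return history


def attack_result():
    """Final candidate set for the constructed schedule."""
    return intersection_attack(SCHEDULE, bob_received)[-1][1]


if __name__ == "__main__":
    # Cover traffic hides *what* each client sends, not *that* it is online.
    print("packet counts seen in epoch 0:", observer_packet_counts(0))
    for epoch, cands in intersection_attack(SCHEDULE, bob_received):
        print(f"after epoch {epoch}: anonymity set size {len(cands)} -> {sorted(cands)}")
    print("final candidates:", sorted(attack_result()))
```

The run ends with the candidate set {alice, carol}: the always-online user is never excluded, which is the one shape of client behaviour that resists this attack, while Alice's come-and-go pattern narrows the set in three receiving epochs. Note that the mailbox being "always online" does not change this, because the intersections are over the epochs in which the sender deposits, not over when the receiver retrieves.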