[messaging] Panoramix decryption mixnet messaging spec and design documents

dawuud dawuud at riseup.net
Wed Nov 1 12:52:23 PDT 2017

> Directory authorities perform a different job, so I prefer to not call these also "PKI". "Consensus service" would be less confusing - for me as a security person but not specialised in anonymity research.

Ah yes, I see your point.

> > I've heard that I2p uses a completely different kind of PKI... involving a
> > gossip protocol. I suspect it is highly vulnerable to epistemic attacks which
> > is supposed to be one of the main reasons to use a design like Nick's.
> > 
> After a quick web search on "epistemic attacks", the main paper I can find [1] has the result that attacks are very strong if each node only knows about a small fraction (n nodes) of the whole network (N nodes).
> They lay the motivation for this assumption (n << N), by describing a discovery-based p2p network where each node "samples" (i.e. directly contacts) a small fraction of the network. This is equated with mere "knowledge" of a node, so that the act of "sampling" an attacker-controlled node gives them (or a GPA) the ability to know exactly which nodes "know" the target node.
> The paper does not seem to consider the possibility that nodes could discover more of the network without directly sampling every node, e.g. via gossip with their neighbours on "which other nodes exist".
> This does not invalidate the mathematics nor the proofs, but it does invalidate the assumption that n << N, which is required to make the attacks practical. So if I2P has some convincing argument that n ~= N for their gossip system, then AFAIU they can claim a reasonable level of defense against the attack(s) described in this particular paper.
> Furthermore, the assumption that nodes must "sample" other nodes in order to "know" them, is required for some of the mentioned attacks to work, e.g. in 3.1 "The adversary need only know the knowledge set of the target S0 for the lower bound we have stated to hold". This assumption would also be false for systems that involve indirect discovery. (A modified attack could still work, by attempting to infer the knowledge-set of S0, but I assume it would cost more and be less effective, especially if n ~= N).
> (Indirect discovery could arguably be said to make it easier to spoof fake identities but your ISP can do that anyway, even in a system that only supports "direct" discovery.)
> Therefore, I'm not sure if it's correct to discredit fully-decentralised systems, based solely or primarily on those attacks. I could be interpreting it wrong, and I'm also not well-read in this topic at all. I'd love for further expansion upon this point, by anyone that does have more expertise.

This is a very thoughtful reply. Thanks for the paper link. Interesting.

> X
> [1] https://www.freehaven.net/anonbib/cache/danezis-pet2008.pdf
> Bridging and Fingerprinting: Epistemic Attacks on Route Selection. George Danezis and Paul Syverson.
> -- 
> GPG: ed25519/56034877E1F87C35
> GPG: rsa4096/1318EFAC5FBBDBCE
> https://github.com/infinity0/pubkeys.git