From f6e202307b13efe7618552c7de22bac5a6f01a93 Mon Sep 17 00:00:00 2001 From: Paul Syverson Date: Thu, 16 Oct 2003 21:49:04 +0000 Subject: [PATCH] Several changes to background section, which is still a mess Added bib file svn:r607 --- doc/tor-design.bib | 875 +++++++++++++++++++++++++++++++++++++++++++++ doc/tor-design.tex | 124 +++++-- 2 files changed, 970 insertions(+), 29 deletions(-) create mode 100644 doc/tor-design.bib diff --git a/doc/tor-design.bib b/doc/tor-design.bib new file mode 100644 index 0000000000..d4b11345c9 --- /dev/null +++ b/doc/tor-design.bib @@ -0,0 +1,875 @@ +@Misc{anonymizer, + key = {anonymizer}, + title = {The {Anonymizer}}, + note = {\url{http://www.anonymizer.com}} +} + +@Misc{anonnet, + key = {anonnet}, + title = {{AnonNet}}, + note = {\url{http://www.authnet.org/anonnet/}} +} + +@inproceedings{econymics, + title = {On the Economics of Anonymity}, + author = {Alessandro Acquisti and Roger Dingledine and Paul Syverson}, + booktitle = {Financial Cryptography, FC 2003}, + year = {2003}, + editor = {Rebecca N. Wright}, + publisher = {Springer-Verlag, LNCS 2742}, + note = {\url{http://freehaven.net/doc/fc03/econymics.pdf}}, +} + + +@inproceedings{minion-design, + title = {Mixminion: Design of a Type {III} Anonymous Remailer Protocol}, + author = {George Danezis and Roger Dingledine and Nick Mathewson}, + booktitle = {2003 IEEE Symposium on Security and Privacy}, + year = {2003}, + month = {May}, + publisher = {IEEE CS}, + pages = {2--15}, + note = {\url{http://mixminion.net/minion-design.pdf}}, + www_important = {1}, + www_section = {Anonymous communication}, +} + +@inproceedings{ rao-pseudonymity, + author = "Josyula R. Rao and Pankaj Rohatgi", + title = "Can Pseudonymity Really Guarantee Privacy?", + booktitle = "Proceedings of the Ninth USENIX Security Symposium", + year = {2000}, + month = Aug, + publisher = {USENIX}, + pages = "85--96", + note = {\url{http://www.usenix.org/publications/library/proceedings/sec2000/ +full_papers/rao/rao.pdf}}, +} + +@InProceedings{pfitzmann90how, + author = "Birgit Pfitzmann and Andreas Pfitzmann", + title = "How to Break the Direct {RSA}-Implementation of {MIXes}", + booktitle = {Eurocrypt 89}, + publisher = {Springer-Verlag, LNCS 434}, + year = {1990}, + note = {\url{http://citeseer.nj.nec.com/pfitzmann90how.html}}, +} + +@Misc{mixminion-spec, + author = {Mixminion}, + title = {Type {III} ({M}ixminion) Mix Protocol Specifications}, + note = {\newline \url{http://mixminion.net/minion-spec.txt}}, +} + +@InProceedings{BM:mixencrypt, + author = {M{\"o}ller, Bodo}, + title = {Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes}, + booktitle = {{CT-RSA} 2003}, + publisher = {Springer-Verlag, LNCS 2612}, + year = 2003, +} + +% Would a more recent reference for SPRPs be more useful? +@Article{sprp, + author = {Michael Luby and Charles Rackoff}, + title = {How to Construct Pseudorandom Permutations from + Pseudorandom Functions}, + journal = {SIAM Journal on Computing}, + year = {1988}, + volume = {17}, + number = {2}, + pages = {373--386}, +} + +@InProceedings{back01, + author = {Adam Back and Ulf M\"oller and Anton Stiglic}, + title = {Traffic Analysis Attacks and Trade-Offs in Anonymity Providing Systems}, + booktitle = {Information Hiding (IH 2001)}, + pages = {245--257}, + year = 2001, + editor = {Ira S. Moskowitz}, + publisher = {Springer-Verlag, LNCS 2137}, + note = {\newline \url{http://www.cypherspace.org/adam/pubs/traffic.pdf}}, +} + +@InProceedings{rackoff93cryptographic, + author = {Charles Rackoff and Daniel R. Simon}, + title = {Cryptographic Defense Against Traffic Analysis}, + booktitle = {{ACM} Symposium on Theory of Computing}, + pages = {672--681}, + year = {1993}, + note = {\url{http://research.microsoft.com/crypto/dansimon/me.htm}}, +} + +@InProceedings{freehaven-berk, + author = {Roger Dingledine and Michael J. Freedman and David Molnar}, + title = {The Free Haven Project: Distributed Anonymous Storage Service}, + booktitle = {Designing Privacy Enhancing Technologies: Workshop + on Design Issue in Anonymity and Unobservability}, + year = {2000}, + month = {July}, + editor = {H. Federrath}, + publisher = {Springer-Verlag, LNCS 2009}, + note = {\url{http://freehaven.net/papers.html}}, +} + +@InProceedings{raymond00, + author = {J. F. Raymond}, + title = {{Traffic Analysis: Protocols, Attacks, Design Issues, + and Open Problems}}, + booktitle = {Designing Privacy Enhancing Technologies: Workshop + on Design Issue in Anonymity and Unobservability}, + year = 2000, + month = {July}, + pages = {10-29}, + editor = {H. Federrath}, + publisher = {Springer-Verlag, LNCS 2009}, +} + +@InProceedings{trickle02, + author = {Andrei Serjantov and Roger Dingledine and Paul Syverson}, + title = {From a Trickle to a Flood: Active Attacks on Several + Mix Types}, + booktitle = {Information Hiding (IH 2002)}, + year = {2002}, + editor = {Fabien Petitcolas}, + publisher = {Springer-Verlag, LNCS (forthcoming)}, +} + +@InProceedings{langos02, + author = {Oliver Berthold and Heinrich Langos}, + title = {Dummy Traffic Against Long Term Intersection Attacks}, + booktitle = {Privacy Enhancing Technologies (PET 2002)}, + year = {2002}, + editor = {Roger Dingledine and Paul Syverson}, + publisher = {Springer-Verlag, LNCS 2482} +} + +@InProceedings{or-discex00, + author = {Paul Syverson and Michael Reed and David Goldschlag}, + title = {{O}nion {R}outing Access Configurations}, + booktitle = {DARPA Information Survivability Conference and + Exposition (DISCEX 2000)}, + year = {2000}, + publisher = {IEEE CS Press}, + pages = {34--40}, + volume = {1}, + note = {\newline \url{http://www.onion-router.net/Publications.html}}, +} + +@Inproceedings{or-pet02, + title = {{Towards an Analysis of Onion Routing Security}}, + author = {Paul Syverson and Gene Tsudik and Michael Reed and + Carl Landwehr}, + booktitle = {Designing Privacy Enhancing Technologies: Workshop + on Design Issue in Anonymity and Unobservability}, + year = 2000, + month = {July}, + pages = {96--114}, + editor = {H. Federrath}, + publisher = {Springer-Verlag, LNCS 2009}, + note = {\url{http://www.onion-router.net/Publications/WDIAU-2000.ps.gz}}, +} + +@InProceedings{or-ih96, + author = {David M. Goldschlag and Michael G. Reed and Paul + F. Syverson}, + title = {Hiding Routing Information}, + booktitle = {Information Hiding, First International Workshop}, + pages = {137--150}, + year = 1996, + editor = {R. Anderson}, + month = {May}, + publisher = {Springer-Verlag, LNCS 1174}, + note = {\url{http://www.onion-router.net/Publications/IH-1996.ps.gz}} +} + +@Article{or-jsac98, + author = {Michael G. Reed and Paul F. Syverson and David + M. Goldschlag}, + title = {Anonymous Connections and Onion Routing}, + journal = {IEEE Journal on Selected Areas in Communications}, + year = 1998, + volume = 16, + number = 4, + pages = {482--494}, + month = {May}, + note = {\url{http://www.onion-router.net/Publications/JSAC-1998.ps.gz}} +} + +@Misc{TLS, + author = {T. Dierks and C. Allen}, + title = {The {TLS} {P}rotocol --- {V}ersion 1.0}, + howpublished = {IETF RFC 2246}, + month = {January}, + year = {1999}, + note = {\url{http://www.rfc-editor.org/rfc/rfc2246.txt}}, +} + +@Misc{SMTP, + author = {J. Postel}, + title = {Simple {M}ail {T}ransfer {P}rotocol}, + howpublished = {IETF RFC 2821 (also STD0010)}, + month = {April}, + year = {2001}, + note = {\url{http://www.rfc-editor.org/rfc/rfc2821.txt}}, +} + +@Misc{IMAP, + author = {M. Crispin}, + title = {Internet {M}essage {A}ccess {P}rotocol --- {V}ersion 4rev1}, + howpublished = {IETF RFC 2060}, + month = {December}, + year = {1996}, + note = {\url{http://www.rfc-editor.org/rfc/rfc2060.txt}}, +} + +@Misc{POP3, + author = {J. Myers and M. Rose}, + title = {Post {O}ffice {P}rotocol --- {V}ersion 3}, + howpublished = {IETF RFC 1939 (also STD0053)}, + month = {May}, + year = {1996}, + note = {\url{http://www.rfc-editor.org/rfc/rfc1939.txt}}, +} + + +@InProceedings{shuffle, + author = {C. Andrew Neff}, + title = {A Verifiable Secret Shuffle and its Application to E-Voting}, + booktitle = {8th ACM Conference on Computer and Communications + Security (CCS-8)}, + pages = {116--125}, + year = 2001, + editor = {P. Samarati}, + month = {November}, + publisher = {ACM Press}, + note = {\url{http://www.votehere.net/ada_compliant/ourtechnology/ + technicaldocs/shuffle.pdf}}, +} + +@InProceedings{dolev91, + author = {Danny Dolev and Cynthia Dwork and Moni Naor}, + title = {Non-Malleable Cryptography}, + booktitle = {23rd ACM Symposium on the Theory of Computing (STOC)}, + pages = {542--552}, + year = 1991, + note = {Updated version at + \url{http://citeseer.nj.nec.com/dolev00nonmalleable.html}}, +} + +@TechReport{rsw96, + author = {Ronald L. Rivest and Adi Shamir and David A. Wagner}, + title = {Time-lock puzzles and timed-release Crypto}, + year = 1996, + type = {MIT LCS technical memo}, + number = {MIT/LCS/TR-684}, + month = {February}, + note = {\newline \url{http://citeseer.nj.nec.com/rivest96timelock.html}}, +} + +@InProceedings{web-mix, + author = {Oliver Berthold and Hannes Federrath and Stefan K\"opsell}, + title = {Web {MIX}es: A system for anonymous and unobservable + {I}nternet access}, + booktitle = {Designing Privacy Enhancing Technologies: Workshop + on Design Issue in Anonymity and Unobservability}, + editor = {H. Federrath}, + publisher = {Springer-Verlag, LNCS 2009}, + pages = {115--129}, + year = 2000, +} + +@InProceedings{disad-free-routes, + author = {Oliver Berthold and Andreas Pfitzmann and Ronny Standtke}, + title = {The disadvantages of free {MIX} routes and how to overcome + them}, + booktitle = {Designing Privacy Enhancing Technologies: Workshop + on Design Issue in Anonymity and Unobservability}, + pages = {30--45}, + year = 2000, + editor = {H. Federrath}, + publisher = {Springer-Verlag, LNCS 2009}, + note = {\url{http://www.tik.ee.ethz.ch/~weiler/lehre/netsec/Unterlagen/anon/ + disadvantages_berthold.pdf}}, +} + +@InProceedings{boneh00, + author = {Dan Boneh and Moni Naor}, + title = {Timed Commitments}, + booktitle = {Advances in Cryptology -- {CRYPTO} 2000}, + pages = {236--254}, + year = 2000, + publisher = {Springer-Verlag, LNCS 1880}, + note = {\newline \url{http://crypto.stanford.edu/~dabo/abstracts/timedcommit.html}}, +} + +@InProceedings{goldschlag98, + author = {David M. Goldschlag and Stuart G. Stubblebine}, + title = {Publicly Verifiable Lotteries: Applications of + Delaying Functions}, + booktitle = {Financial Cryptography, FC'98}, + pages = {214--226}, + year = 1998, + publisher = {Springer-Verlag, LNCS 1465}, + note = {\newline \url{http://citeseer.nj.nec.com/goldschlag98publicly.html}}, +} + +@InProceedings{syverson98, + author = {Paul Syverson}, + title = {Weakly Secret Bit Commitment: Applications to + Lotteries and Fair Exchange}, + booktitle = {Computer Security Foundations Workshop (CSFW11)}, + pages = {2--13}, + year = 1998, + address = {Rockport Massachusetts}, + month = {June}, + publisher = {IEEE CS Press}, + note = {\newline \url{http://chacs.nrl.navy.mil/publications/CHACS/1998/}}, +} + +@Misc{shoup-iso, + author = {Victor Shoup}, + title = {A Proposal for an {ISO} {S}tandard for Public Key Encryption (version 2.1)}, + note = {Revised December 20, 2001. \url{http://www.shoup.net/papers/}}, +} + +@Misc{shoup-oaep, + author = {Victor Shoup}, + title = {{OAEP} Reconsidered}, + howpublished = {{IACR} e-print 2000/060}, + note = {\newline \url{http://eprint.iacr.org/2000/060/}}, +} + +@Misc{oaep-still-alive, + author = {E. Fujisaki and D. Pointcheval and T. Okamoto and J. Stern}, + title = {{RSA}-{OAEP} is Still Alive!}, + howpublished = {{IACR} e-print 2000/061}, + note = {\newline \url{http://eprint.iacr.org/2000/061/}}, +} + +@misc{echolot, + author = {Peter Palfrader}, + title = {Echolot: a pinger for anonymous remailers}, + note = {\url{http://www.palfrader.org/echolot/}}, +} + +@Misc{mixmaster-attacks, + author = {Lance Cottrell}, + title = {Mixmaster and Remailer Attacks}, + note = {\url{http://www.obscura.com/~loki/remailer/remailer-essay.html}}, +} + +@Misc{mixmaster-spec, + author = {Ulf M{\"o}ller and Lance Cottrell and Peter + Palfrader and Len Sassaman}, + title = {Mixmaster {P}rotocol --- {V}ersion 2}, + year = {2003}, + month = {July}, + howpublished = {Draft}, + note = {\url{http://www.abditum.com/mixmaster-spec.txt}}, +} + +@Article{mitzenm-loss, + author = {G. Louth and M. Mitzenmacher and F.P. Kelly}, + title = {Computational Complexity of Loss Networks}, + journal = {Theoretical Computer Science}, + year = {1994}, + volume = {125}, + pages = {45-59}, + note = {\newline \url{http://citeseer.nj.nec.com/louth94computational.html}}, +} + +@Misc{hashcash, + author = {Adam Back}, + title = {Hash cash}, + note = {\newline \url{http://www.cypherspace.org/~adam/hashcash/}}, +} + +@InProceedings{oreilly-acc, + author = {Roger Dingledine and Michael J. Freedman and David Molnar}, + title = {Accountability}, + booktitle = {Peer-to-peer: Harnessing the Benefits of a Disruptive + Technology}, + year = {2001}, + publisher = {O'Reilly and Associates}, +} + + +@InProceedings{han, + author = {Yongfei Han}, + title = {Investigation of non-repudiation protocols}, + booktitle = {ACISP '96}, + year = 1996, + publisher = {Springer-Verlag}, +} + + +@Misc{socks5, + key = {socks5}, + title = {{SOCKS} {P}rotocol {V}ersion 5}, + howpublished= {IETF RFC 1928}, + month = {March}, + year = 1996, + note = {\url{http://www.ietf.org/rfc/rfc1928.txt}} +} + +@InProceedings{abe, + author = {Masayuki Abe}, + title = {Universally Verifiable {MIX} With Verification Work Independent of + The Number of {MIX} Servers}, + booktitle = {{EUROCRYPT} 1998}, + year = {1998}, + publisher = {Springer-Verlag, LNCS 1403}, +} + +@InProceedings{desmedt, + author = {Yvo Desmedt and Kaoru Kurosawa}, + title = {How To Break a Practical {MIX} and Design a New One}, + booktitle = {{EUROCRYPT} 2000}, + year = {2000}, + publisher = {Springer-Verlag, LNCS 1803}, + note = {\url{http://citeseer.nj.nec.com/447709.html}}, +} + +@InProceedings{mitkuro, + author = {M. Mitomo and K. Kurosawa}, + title = {{Attack for Flash MIX}}, + booktitle = {{ASIACRYPT} 2000}, + year = {2000}, + publisher = {Springer-Verlag, LNCS 1976}, + note = {\newline \url{http://citeseer.nj.nec.com/450148.html}}, +} + +@InProceedings{hybrid-mix, + author = {M. Ohkubo and M. Abe}, + title = {A {L}ength-{I}nvariant {H}ybrid {MIX}}, + booktitle = {Advances in Cryptology - {ASIACRYPT} 2000}, + year = {2000}, + publisher = {Springer-Verlag, LNCS 1976}, +} + +@InProceedings{PShuffle, + author = {Jun Furukawa and Kazue Sako}, + title = {An Efficient Scheme for Proving a Shuffle}, + editor = {Joe Kilian}, + booktitle = {CRYPTO 2001}, + year = {2001}, + publisher = {Springer-Verlag, LNCS 2139}, +} + + +@InProceedings{jakobsson-optimally, + author = "Markus Jakobsson and Ari Juels", + title = "An Optimally Robust Hybrid Mix Network (Extended Abstract)", + booktitle = {Principles of Distributed Computing - {PODC} '01}, + year = "2001", + publisher = {ACM Press}, + note = {\url{http://citeseer.nj.nec.com/492015.html}}, +} + +@InProceedings{kesdogan, + author = {D. Kesdogan and M. Egner and T. B\"uschkes}, + title = {Stop-and-Go {MIX}es Providing Probabilistic Anonymity in an Open + System}, + booktitle = {Information Hiding (IH 1998)}, + year = {1998}, + publisher = {Springer-Verlag, LNCS 1525}, + note = {\url{http://www.cl.cam.ac.uk/~fapp2/ihw98/ihw98-sgmix.pdf}}, +} + + + +@InProceedings{socks4, + author = {David Koblas and Michelle R. Koblas}, + title = {{SOCKS}}, + booktitle = {UNIX Security III Symposium (1992 USENIX Security + Symposium)}, + pages = {77--83}, + year = 1992, + publisher = {USENIX}, +} + +@InProceedings{flash-mix, + author = {Markus Jakobsson}, + title = {Flash {M}ixing}, + booktitle = {Principles of Distributed Computing - {PODC} '99}, + year = {1999}, + publisher = {ACM Press}, + note = {\newline \url{http://citeseer.nj.nec.com/jakobsson99flash.html}}, +} + +@InProceedings{SK, + author = {Joe Kilian and Kazue Sako}, + title = {Receipt-Free {MIX}-Type Voting Scheme - A Practical Solution to + the Implementation of a Voting Booth}, + booktitle = {EUROCRYPT '95}, + year = {1995}, + publisher = {Springer-Verlag}, +} + +@InProceedings{OAEP, + author = {M. Bellare and P. Rogaway}, + year = {1994}, + booktitle = {EUROCRYPT '94}, + title = {Optimal {A}symmetric {E}ncryption {P}adding : How To Encrypt With + {RSA}}, + publisher = {Springer-Verlag}, + note = {\newline \url{http://www-cse.ucsd.edu/users/mihir/papers/oaep.html}}, +} +@inproceedings{babel, + title = {Mixing {E}-mail With {B}abel}, + author = {Ceki G\"ulc\"u and Gene Tsudik}, + booktitle = {Proceedings of the Network and Distributed Security Symposium - {NDSS} '96}, + year = 1996, + month = {February}, + pages = {2--16}, + publisher = {IEEE}, + www_important = 1, + note = {\url{http://citeseer.nj.nec.com/2254.html}}, + www_section = {Anonymous communication}, +} + +@InProceedings{freenet, + author = {Ian Clarke and Oskar Sandberg and Brandon Wiley and Theodore W. Hong}, + title = {Freenet: {A} Distributed Anonymous Information Storage and Retrieval + System}, + booktitle = {Workshop on Design Issues in Anonymity and Unobservability}, + pages = {46--66}, + year = {2000}, + note = {\newline \url{http://citeseer.nj.nec.com/clarke00freenet.html}}, +} + +@Misc{rprocess, + author = {RProcess}, + title = {Selective Denial of Service Attacks}, + note = {\newline \url{http://www.eff.org/pub/Privacy/Anonymity/1999\_09\_DoS\_remail\_vuln.html}}, +} + +@Article{remailer-history, + author = {Sameer Parekh}, + title = {Prospects for Remailers}, + journal = {First Monday}, + volume = {1}, + number = {2}, + month = {August}, + year = {1996}, + note = {\url{http://www.firstmonday.dk/issues/issue2/remailers/}}, +} + +@Misc{remailer-history-old, + author = {Tim May}, + title = {Description of early remailer history}, + howpublished = {E-mail archived at + \url{http://www.inet-one.com/cypherpunks/dir.1996.08.29-1996.09.04/ + msg00431.html}}, +} + +@Article{chaum-mix, + author = {David Chaum}, + title = {Untraceable electronic mail, return addresses, and digital pseudo-nyms}, + journal = {Communications of the ACM}, + year = {1981}, + volume = {4}, + number = {2}, + month = {February}, + note = {\url{http://www.eskimo.com/~weidai/mix-net.txt}}, +} + +@InProceedings{nym-alias-net, + author = {David Mazi\`{e}res and M. Frans Kaashoek}, + title = {{The Design, Implementation and Operation of an Email + Pseudonym Server}}, + booktitle = {$5^{th}$ ACM Conference on Computer and + Communications Security (CCS'98)}, + year = 1998, + publisher = {ACM Press}, + note = {\newline \url{http://www.scs.cs.nyu.edu/~dm/}}, +} + +@Misc{timmay, + author = {Tim May}, + title = {Cyphernomicon}, + note = {\newline \url{http://www2.pro-ns.net/~crypto/cyphernomicon.html}}, +} + +@misc{neochaum, + author = {Tim May}, + title = {Payment mixes for anonymity}, + howpublished = {E-mail archived at + \url{http://\newline www.inet-one.com/cypherpunks/dir.2000.02.28-2000.03.05/msg00334.html}}, +} + +@misc{pidaho, + author = {Joel McNamara}, + title = {{P}rivate {I}daho}, + note = {\newline \url{http://www.eskimo.com/~joelm/pi.html}}, +} + +@misc{potato, + author = {RProcess}, + title = {{P}otato {S}oftware}, + note = {\newline \url{http://www.skuz.net/potatoware/}}, +} + +@misc{helsingius, + author = {J. Helsingius}, + title = {{\tt anon.penet.fi} press release}, + note = {\newline \url{http://www.penet.fi/press-english.html}}, +} + +@misc{mix-stats, + author = {Christian Mock}, + title = {Mixmaster Stats ({A}ustria)}, + note = {\newline \url{http://www.tahina.priv.at/~cm/stats/mlist2.html}}, +} + +@InProceedings{garay97secure, + author = {J. Garay and R. Gennaro and C. Jutla and T. Rabin}, + title = {Secure distributed storage and retrieval}, + booktitle = {11th International Workshop, WDAG '97}, + pages = {275--289}, + year = {1997}, + publisher = {Springer-Verlag, LNCS 1320}, + note = {\newline \url{http://citeseer.nj.nec.com/garay97secure.html}}, +} + +@InProceedings{PIK, + author = {C. Park and K. Itoh and K. Kurosawa}, + title = {Efficient anonymous channel and all/nothing election scheme}, + booktitle = {Advances in Cryptology -- {EUROCRYPT} '93}, + pages = {248--259}, + publisher = {Springer-Verlag, LNCS 765}, +} + +@Misc{pgpfaq, + key = {PGP}, + title = {{PGP} {FAQ}}, + note = {\newline \url{http://www.faqs.org/faqs/pgp-faq/}}, +} + +@Article{riordan-schneier, + author = {James Riordan and Bruce Schneier}, + title = {A Certified E-mail Protocol with No Trusted Third Party}, + journal = {13th Annual Computer Security Applications Conference}, + month = {December}, + year = {1998}, + note = {\newline \url{http://www.counterpane.com/certified-email.html}}, +} + + +@Article{crowds-tissec, + author = {Michael K. Reiter and Aviel D. Rubin}, + title = {Crowds: Anonymity for Web Transactions}, + journal = {ACM TISSEC}, + year = 1998, + volume = 1, + number = 1, + pages = {66--92}, + month = {November}, + note = {\url{http://citeseer.nj.nec.com/284739.html}} +} + +@Article{crowds-dimacs, + author = {Michael K. Reiter and Aviel D. Rubin}, + title = {Crowds: Anonymity for Web Transactions}, + journal = {{DIMACS} Technical Report (Revised)}, + volume = {97}, + number = {15}, + month = {August}, + year = {1997}, +} + +@Misc{freedom, + author = {Zero Knowledge Systems}, + title = {Freedom Version 2 White Papers}, + note = {\newline \url{http://www.freedom.net/info/whitepapers/}}, +} + + +@Misc{recovery, + author = {Miguel Castro and Barbara Liskov}, + title = {Proactive Recovery in a Byzantine-Fault-Tolerant System}, + note = {\newline \url{http://www.pmg.lcs.mit.edu/~castro/application/recovery.pdf}}, +} + +@Misc{advogato, + author = {Raph Levien}, + title = {Advogato's Trust Metric}, + note = {\newline \url{http://www.advogato.org/trust-metric.html}}, +} + +@Misc{rabin-ida, + author = {Michael O. Rabin}, + title = {Efficient Dispersal of Information for security, load balancing, + and fault tolerance}, + booktitle = {Journal of the ACM}, + year = {1989}, + volume = {36}, + number = {2}, + series = {335--348}, + month = {April}, +} + +@PhdThesis{malkin-thesis, + author = {Tal Malkin}, + school = {{MIT}}, + title = {Private {I}nformation {R}etrieval}, + year = {2000}, + note = {\newline \url{http://toc.lcs.mit.edu/~tal/pubs.html}} +} + +@Misc{zks, + title = {Zero {K}nowledge {S}ystems}, + note = {\newline \url{http://www.freedom.net/}}, +} + +@InProceedings{publius, + author = {Marc Waldman and Aviel Rubin and Lorrie Cranor}, + title = {Publius: {A} robust, tamper-evident, censorship-resistant and + source-anonymous web publishing system}, + booktitle = {Proc. 9th USENIX Security Symposium}, + pages = {59--72}, + year = {2000}, + month = {August}, + note = {\newline \url{http://citeseer.nj.nec.com/waldman00publius.html}}, +} + +@Misc{freedom-nyms, + author = {Russell Samuels}, + title = {Untraceable Nym Creation on the {F}reedom {N}etwork}, + year = {1999}, + month = {November}, + day = {21}, + note = {\newline \url{http://www.freedom.net/products/whitepapers/white11.html}}, +} + +@Article{raghavan87randomized, + author = {P. Raghavan and C. Thompson}, + title = {Randomized rounding: A technique for provably good algorithms and algorithmic proofs}, + journal = {Combinatorica}, + volume = {7}, + pages = {365--374}, + year = {1987}, +} + +@InProceedings{leighton91fast, + author = {Frank Thomson Leighton and Fillia Makedon and Serge A. Plotkin and + Clifford Stein and Eva Tardos and Spyros Tragoudas}, + title = {Fast Approximation Algorithms for Multicommodity Flow Problems}, + booktitle = {{ACM} Symposium on Theory of Computing}, + pages = {101-111}, + year = {1991}, + note = {\newline \url{http://citeseer.nj.nec.com/91073.html}}, +} + +@Misc{pk-relations, + author = {M. Bellare and A. Desai and D. Pointcheval and P. Rogaway}, + title = {Relations Among Notions of Security for Public-Key Encryption + Schemes}, + howpublished = { + Extended abstract in {\em Advances in Cryptology - CRYPTO '98}, LNCS Vol. 1462. + Springer-Verlag, 1998. + Full version available from \newline \url{http://www-cse.ucsd.edu/users/mihir/}}, +} + + +@InProceedings{mix-acc, + author = {Roger Dingledine and Michael J. Freedman and David + Hopwood and David Molnar}, + title = {{A Reputation System to Increase MIX-net + Reliability}}, + booktitle = {Information Hiding (IH 2001)}, + pages = {126--141}, + year = 2001, + editor = {Ira S. Moskowitz}, + publisher = {Springer-Verlag, LNCS 2137}, + note = {\url{http://www.freehaven.net/papers.html}}, +} + +@InProceedings{casc-rep, + author = {Roger Dingledine and Paul Syverson}, + title = {{Reliable MIX Cascade Networks through Reputation}}, + booktitle = {Financial Cryptography (FC '02)}, + year = 2002, + editor = {Matt Blaze}, + publisher = {Springer-Verlag, LNCS (forthcoming)}, + note = {\newline \url{http://www.freehaven.net/papers.html}}, +} + +@InProceedings{zhou96certified, + author = {Zhou and Gollmann}, + title = {Certified Electronic Mail}, + booktitle = {{ESORICS: European Symposium on Research in Computer + Security}}, + publisher = {Springer-Verlag, LNCS 1146}, + year = {1996}, + note = {\newline \url{http://citeseer.nj.nec.com/zhou96certified.html}}, +} + +@Misc{realtime-mix, + author = {Anja Jerichow and Jan M\"uller and Andreas Pfitzmann and + Birgit Pfitzmann and Michael Waidner}, + title = {{Real-Time MIXes: A Bandwidth-Efficient Anonymity Protocol}}, + howpublished = {IEEE Journal on Selected Areas in Communications, 1998.}, + note = {\url{http://www.zurich.ibm.com/security/publications/1998.html}}, +} + +@InProceedings{BEAR-LIONESS, + author = {Ross Anderson and Eli Biham}, + title = {Two Practical and Provably Secure Block Ciphers: {BEAR} and {LION}}, + booktitle = {International Workshop on Fast Software Encryption}, + year = {1996}, + publisher = {Springer-Verlag}, + note = {\url{http://citeseer.nj.nec.com/anderson96two.html}}, +} + +@Misc{SPC, + author = {Daniel Bleichenbacher and Anand Desai}, + title = {A Construction of a Super-Pseudorandom Cipher}, + howpublished = {Manuscript}, +} + + +@InProceedings{gap-pets03, + author = {Krista Bennett and Christian Grothoff}, + title = {{GAP} -- practical anonymous networking}, + booktitle = {Privacy Enhancing Technologies (PET 2003)}, + year = 2003, + editor = {Roger Dingledine}, + publisher = {Springer-Verlag LNCS (forthcoming)} +} + +@Article{hordes-jcs, + author = {Brian Neal Levine and Clay Shields}, + title = {Hordes: A Multicast-Based Protocol for Anonymity}, + journal = {Journal of Computer Security}, + year = 2002, + volume = 10, + number = 3, + pages = {213--240} +} + +@TechReport{herbivore, + author = {Sharad Goel and Mark Robson and Milo Polte and Emin G\"{u}n Sirer}, + title = {Herbivore: A Scalable and Efficient Protocol for Anonymous Communication}, + institution = {Cornell University Computing and Information Science}, + year = 2003, + type = {Technical Report}, + number = {TR2003-1890}, + month = {February} +} + +@InProceedings{p5, + author = {Rob Sherwood and Bobby Bhattacharjee and Aravind Srinivasan}, + title = {$P^5$: A Protocol for Scalable Anonymous Communication}, + booktitle = {2002 IEEE Symposium on Security and Privacy}, + pages = {58--70}, + year = 2002, + publisher = {IEEE CS} +} + +%%% Local Variables: +%%% mode: latex +%%% TeX-master: "tor-design" +%%% End: diff --git a/doc/tor-design.tex b/doc/tor-design.tex index 7805c46a2b..3d7a5ccdbd 100644 --- a/doc/tor-design.tex +++ b/doc/tor-design.tex @@ -1,8 +1,6 @@ \documentclass[times,10pt,twocolumn]{article} -%\usepackage{/home/syverson/papers/latex8} -%\usepackage{/home/syverson/papers/times} \usepackage{latex8} -\usepackage{times} +%\usepackage{times} \usepackage{url} \usepackage{graphics} \usepackage{amsmath} @@ -69,7 +67,7 @@ predecessor and successor, but no others. Traffic flowing down the circuit is sent in fixed-size \emph{cells}, which are unwrapped by a symmetric key at each node, revealing the downstream node. The original onion routing project published several design and analysis papers -\cite{or-journal,or-discex,or-ih,or-pet}. While there was briefly +\cite{or-jsac98,or-discex00,or-ih96,or-pet02}. While there was briefly a network of about a dozen nodes at three widely distributed sites, the only long-running and publicly accessible implementation was a fragile proof-of-concept that ran on a single @@ -102,19 +100,25 @@ program without modification. onion routing design built one circuit for each request. Aside from the performance issues of doing public key operations for every request, it also turns out that regular communications patterns mean building lots -of circuits can endanger anonymity \cite{wright03}. Tor multiplexes many +of circuits, which can endanger anonymity \cite{wright03}. [XXX Was this +supposed to be Wright02 or Wright03. In any case I am hesitant to cite +that work in this context. While the point is valid in general, that +work is predicated on assumptions that I don't think typically apply +to onion routing (whether old or new design).] +Tor multiplexes many connections down each circuit, but still rotates the circuit periodically to avoid too much linkability. \item \textbf{No mixing or traffic shaping:} The original onion routing design called for full link padding both between onion routers and between -onion proxies (that is, users) and onion routers \cite{or-journal}. The -later analysis paper \cite{or-pet} suggested \emph{traffic shaping} +onion proxies (that is, users) and onion routers \cite{or-jsac98}. The +later analysis paper \cite{or-pet02} suggested \emph{traffic shaping} to provide similar protection but use less bandwidth, but did not go into detail. However, recent research \cite{econymics} and deployment -experience \cite{freedom2-arch} indicate that this level of resource +experience \cite{freedom} indicate that this level of resource use is not practical or economical; and even full link padding is still -vulnerable to active attacks \cite{defensive-dropping}. +vulnerable to active attacks \cite{defensive-dropping}. [XXX what is being +referenced here, Dogan?] \item \textbf{Leaky pipes:} Through in-band signalling within the circuit, Tor initiators can direct traffic to nodes partway down the circuit. This @@ -179,27 +183,40 @@ through a path composed of Mix servers. Mix servers in turn decrypt, delay, and re-order messages, before relay them along the path towards their destinations. -Subsequent relay-based anonymity designs have diverged in two principal -directions. Some have, such as Babel\cite{babel}, Mixmaster\cite{mixmaster}, -and Mixminion\cite{minion-design}, attempt to maximize anonymity at the cost -of introducing comparatively large and variable latencies. Because of this +Subsequent relay-based anonymity designs have diverged in two +principal directions. Some have attempted to maximize anonymity at +the cost of introducing comparatively large and variable latencies, +for example, Babel\cite{babel}, Mixmaster\cite{mixmaster-spec}, and +Mixminion\cite{minion-design}. Because of this decision, such \emph{high-latency} networks are well-suited for anonymous email, but introduce too much lag for interactive tasks such as web browsing, internet chat, or SSH connections. -Tor belongs to the second category: \emph{low-latency} designs that attempt -to anonymize interactive network traffic. Because such traffic tends to -involve a relatively large numbers of packets, it is difficult to prevent an -attacker who can eavesdrop entry and exit points from correlating packets -entering the anonymity network with packets leaving it. Although some -work has been done to frustrate these attacks, they still... +Tor belongs to the second category: \emph{low-latency} designs that +attempt to anonymize interactive network traffic. Because such +traffic tends to involve a relatively large numbers of packets, it is +difficult to prevent an attacker who can eavesdrop entry and exit +points from correlating packets entering the anonymity network with +packets leaving it. Although some work has been done to frustrate +these attacks, most designs protect primarily against traffic analysis +rather than traffic confirmation \cite{or-jsac98}. One can pad and +limit communication to a constant rate or at least to control the +variation in traffic shape. This can have prohibitive bandwidth costs +and/or performance limitations. One can also use a cascade (fixed +shared route) with a relatively fixed set of users. This assumes a +degree of agreement and provides an easier target for an active +attacker since the endpoints are generally known. However, a practical +network with both of these features has been run for many years +\cite{web-mix}. + +they still... [XXX go on to explain how the design choices implied in low-latency result in significantly different designs.] The simplest low-latency designs are single-hop proxies such as the -Anonymizer, wherein a single trusted server removes identifying users' data -before relaying it. These designs are easy to analyze, but require end-users -to trust the anonymizing proxy. +Anonymizer \cite{anonymizer}, wherein a single trusted server removes +identifying users' data before relaying it. These designs are easy to +analyze, but require end-users to trust the anonymizing proxy. More complex are distributed-trust, channel-based anonymizing systems. In these designs, a user establishes one or more medium-term bidirectional @@ -209,13 +226,32 @@ tunnel. Establishing tunnels is comparatively expensive and typically requires public-key cryptography, whereas relaying packets along a tunnel is comparatively inexpensive. Because a tunnel crosses several servers, no single server can learn the user's communication partners. -[XXX give examples.] -[XXX Everybody I know except Crowds and gnunet is in this category. Am I -right?] -[XXX Should we add a paragraph dividing servers by all-at-once approach to - tunnel-building (OR1,Freedom1) versus piecemeal approach - (OR2,Anonnet?,Freedom2) ?] +Systems such as earlier versions of Freedom and onion routing +build the anonymous channel all at once (using an onion). Later +designs of each of these build the channel in stages as does AnonNet +\cite{anonnet}. Amongst other things, this makes perfect forward +secrecy feasible. + +Some systems, such as Crowds \cite{crowds-tissec}, do not rely on the +changing appearance of packets to hide the path; rather they employ +mechanisms so that an intermediary cannot be sure when it is +receiving/sending to the ultimate initiator. There is no public-key +encryption needed for Crowds, but the responder and all data are +visible to all nodes on the path so that anonymity of connection +initiator depends on filtering all identifying information from the +data stream. Crowds is also designed only for HTTP traffic. + +Hordes \cite{hordes-jcs} is based on Crowds but also uses multicast +responses to hide the initiator. Some systems go even further +requiring broadcast \cite{herbivore,p5} although tradeoffs are made to +make this more practical. Both Herbivore and P5 are designed primarily +for communication between communicating peers, although Herbivore +permits external connections by requesting a peer to serve as a proxy. +Allowing easy connections to nonparticipating responders or recipients +is a practical requirement for many users, e.g., to visit +nonparticipating Web sites or to send mail to nonparticipating +recipients. Distributed-trust anonymizing systems differ in how they prevent attackers from controlling too many servers and thus compromising too many user paths. @@ -225,6 +261,26 @@ servers, while using a limited resource (DHT space for Tarzan; IP space for MorphMix) to prevent an attacker from owning too much of the network. [XXX what else? What does (say) crowds do?] +All of the above systems Several systems with varying design goals +and capabilities but all of which require that communicants be +intentionally participating are mentioned here. + +Some involve multicast or more to work +herbivore + +There are also many systems which are intended for anonymous +and/or censorship resistant file sharing. [XXX Should we list all these +or just say it's out of scope for the paper? +eternity, gnunet, freenet, freehaven, publius, tangler, taz/rewebber] + + + +[XXX Should we add a paragraph dividing servers by all-at-once approach to + tunnel-building (OR1,Freedom1) versus piecemeal approach + (OR2,Anonnet?,Freedom2) ?] + + + Channel-based anonymizing systems also differ in their use of dummy traffic. [XXX] @@ -233,6 +289,16 @@ communication. Crowds and [XXX] provide anonymity for HTTP requests; [...] [XXX Mention error recovery?] +Web-MIXes \cite{web-mix} (also known as the Java Anon Proxy or JAP) +use a cascade architecture with relatively constant groups of users +sending and receiving at a constant rate. + +Some, such as Crowds \cite{crowds-tissec}, do nothing against such +confirmation but still make it difficult for nodes along a connection to +perform timing confirmations that would more easily identify when +the immediate predecessor is the initiator of a connection, which in +Crowds would reveal both initiator and responder to the attacker. + anonymizer pipenet @@ -338,7 +404,7 @@ issues remaining to be ironed out. In particular: %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% \bibliographystyle{latex8} -\bibliography{minion-design} +\bibliography{tor-design} \end{document}