
[tor-talk] Tor scaling and the distributed consensus



Hi Tor-Talk,

This is a long one, but the main point is in the first paragraphs...

I was in contact previously (Aug 2014) where [you] gave assistance with the above subject for research I was doing for my dissertation. Dissertation now complete, I wanted to pass back a proposal for the distribution of a limited size consensus document. This is by no means tested and validated, but remains an idea and concept of how this could be addressed. I would be interested in your view as Tor developer(s) whether this is a viable concept to develop.

For ease I take an extraction of the “Suggestion for further work” which is the essence, "A proposed alternative to the current format of the consensus document and relay descriptors would be to limit the size of the set of available relays. The anonymity of users of the Tor network has been achieved since the set size of the participating users was in the tens of thousands. Beyond a point of provable anonymity, increasing the size of the set would not increase the amount of anonymity. Therefore, if a sample subset r were chosen from the entire set R of all the available members, r∈R, to be of efficient size and provide provable anonymity, this could limit the file size of the consensus document that is distributed to Directory Caches and ultimately to OPs and ORs. (For the remainder of this description OPs will refer to OPs and ORs.)

The proportion of the member characteristics of r should be such that the circuit construction algorithm objectives can be efficiently maintained, for example stable relays for long-lived circuits, high and low bandwidth relays, and a range of Exit Relays with a selection of exit policies.

The “consensus vote” would be formed in the same manner as is currently done, to create the set R; however the Directory Authorities would then make the selection r from R. The selection of members of r should be continuously and evenly random (in the proportions mentioned above, as subsets) such that r_i∈R where i = ∞. The different subsets r_i of R should be chosen by the Directory Authorities, signed and disseminated to the Directory Caches in a continuous and periodic manner. The OPs would then download the r_i consensus as is currently done. The relay descriptors could be updated as is currently done by selectively downloading only the descriptors not currently known. This can be qualified by only downloading the descriptors not known in the current consensus r_i and further limiting the overall cached-descriptor file maintained by the OP to an upper limit by discarding the oldest or least valuable data."

Below I quote from my dissertation “Conclusions" and “Suggestion for further work” and include the link to the full dissertation FYI. There is also a Prezi presentation related to the dissertation (in full) and for simplicity the graphical representation of the concept.
https://www.dropbox.com/s/4vctk8bi7aqw29n/Suggestions%20FFW.png?dl=0

"8. Conclusions

Tor’s strength of anonymity is in its large and diverse anonymity set spread around the world. The range of users covers those with a fundamental belief in the right to their own private communications, to users that are dependent on their communications not being intercepted or knowledge that they are communicating with certain other people or organisations. For that latter set of users, the safety and security and freedom from persecution are dependent on the certainty of anonymity offered by the Tor network. Trade-offs against this tenet are unacceptable and would render the network irrelevant and ultimately obsolete. Numerous other networks [19],[40],[41] have been spawned from the robustness of the Tor protocol, to offer users scalable P2P communications or file sharing or remailer services, but have not been able to maintain the level of trust required to ensure anonymity under attack.

One may be prepared to take a calculated risk of prosecution for copyright infringement for sharing or downloading a film for entertainment by using a P2P-based BitTorrent-like network, but if one’s life, security or freedom is at stake, one needs to have full trust in the technology one uses. The Tor network is growing at an exponential rate and is adapting to meet the demand, while at the same time not compromising on the security and anonymity of communications. Betraying the trust of the millions of daily users by improving scalability or performance at the expense of those tenets would immediately render it obsolete.

The conventional client/server model offers trust at the expense of scalability, and the current P2P implementations using DHT and similar unauthenticated peer lookup mechanism offer scalability at the expense of trust. Tor has grown and developed organically to overcome the scaling pinch points, as they manifested to become obstacles to performance and growth. Maintaining this ethos will ensure that research will continue to be conducted into alternative network structures whilst not jeopardising network trust.

Tor’s robustness can be attributed to its distributed trust model. The trust that is established and controlled at the Directory Authority level is manifested in the consensus and relay descriptor documents. These are signed and distributed to OPs and ORs that make their own decisions based on these trusted documents without needing to evaluate the trust of the individual members.

There are currently proposals that will streamline the consensus vote amongst the Directory Authorities; however, the larger question of whether all OPs need to know about all ORs in the system has yet to be addressed.

The organic growth of Tor and incremental improvement to the efficiency of the directory protocol and network performance, while adhering to tenets of security and anonymity, appear to offer a viable way forward. This conservative progress has continued to attract new users and keeps Tor current and relevant until a paradigm shift takes place in how the trust can be distributed between segregated subsets of the entire system.

9. Suggestions for further work

Bearing in mind the conclusions expressed above, the robustness of the Tor network should be maintained by preserving the trusted Directory Authorities, albeit that they present a centralised focus for attack. The primary issue for limitations to scaling is the need for all members to know all other members in the network, and consequently the size of the related directory documents.

A proposed alternative to the current format of the consensus document and relay descriptors would be to limit the size of the set of available relays. The anonymity of users of the Tor network has been achieved since the set size of the participating users was in the tens of thousands. Beyond a point of provable anonymity, increasing the size of the set would not increase the amount of anonymity. Therefore, if a sample subset r were chosen from the entire set R of all the available members, r∈R, to be of efficient size and provide provable anonymity, this could limit the file size of the consensus document that is distributed to Directory Caches and ultimately to OPs and ORs. (For the remainder of this description OPs will refer to OPs and ORs.)

The proportion of the member characteristics of r should be such that the circuit construction algorithm objectives can be efficiently maintained, for example stable relays for long-lived circuits, high and low bandwidth relays, and a range of Exit Relays with a selection of exit policies.

The “consensus vote” would be formed in the same manner as is currently done, to create the set R; however the Directory Authorities would then make the selection r from R. The selection of members of r should be continuously and evenly random (in the proportions mentioned above) such that r_i∈R where i = ∞. The different subsets r_i of R should be chosen by the Directory Authorities, signed and disseminated to the Directory Caches in a continuous and periodic manner. The OPs would then download the r_i consensus as is currently done. The relay descriptors could be updated as is currently done by selectively downloading only the descriptors not currently known. This can be qualified by only downloading the descriptors not known in the current consensus r_i and further limiting the overall cached-descriptor file maintained by the OP to an upper limit by discarding the oldest or least valuable data.

The threat model that this creates is to segregate the set R such that the OP does not see R but only a continuously random sample subset r_i; however this can be militated against by enabling the OP to validate r_i against R at any time. Also, protection needs to be ensured that the selection process by the Directory Authorities cannot be corrupted to bias to malicious and colluding relays.

By keeping the selection process of r_i within the control of the Directory Authority and the relay selection for circuit construction within the control of the OP, this maintains the current distributed trust model.”

https://www.dropbox.com/s/ccej5cqcb4kjtm0/Dissertation%20document%20v2.0.pdf?dl=0
http://prezi.com/kbugd2mmdipb/?utm_campaign=share&utm_medium=copy&rc=ex0share (Slide 15/16)
https://www.dropbox.com/s/4vctk8bi7aqw29n/Suggestions%20FFW.png?dl=0


Yours sincerely

Mike Fikuart MSc IEng MIET

Twitter: mikefikuart <https://twitter.com/#!/MikeFikuart>
LinkedIn: mikefikuart <http://www.linkedin.com/in/mikefikuart>
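The selection, client-side validation and bounded-cache steps of the quoted proposal, as an added illustration that is not code from the post or from Tor itself. It uses a constructed set of 100 hypothetical relays (names and flags invented), draws each r_i so that the Exit/Stable/Fast proportions of R are preserved, lets the OP check r_i against R, and downloads only descriptors not already cached into a size-capped cache; Directory Authority signing is left out.

```python
import random
from collections import OrderedDict

# Constructed stand-in for the full set R (fingerprint -> flag); hypothetical relays,
# not real Tor data. The flags are the strata the proposal wants r_i to preserve.
R = {f"relay{n:03d}": ("Exit" if n % 5 == 0 else "Stable" if n % 2 else "Fast")
     for n in range(100)}

def select_subset(full, size, rng):
    """Directory Authority step: draw a random subset r_i of R whose
    Exit/Stable/Fast proportions match those of the full set."""
    strata = {}
    for fp, flag in full.items():
        strata.setdefault(flag, []).append(fp)
    subset = []
    for members in strata.values():
        k = round(size * len(members) / len(full))
        subset.extend(rng.sample(members, k))
    return sorted(subset)

def validate_subset(subset, full):
    """OP-side check from the proposal: every member of r_i must be in R."""
    return all(fp in full for fp in subset)

class DescriptorCache:
    """Bounded cached-descriptors file: download only unknown descriptors
    and discard the least recently used ones above the upper limit."""
    def __init__(self, limit):
        self.limit = limit
        self.store = OrderedDict()

    def update(self, subset, fetch):
        """Return the fingerprints actually downloaded for this consensus."""
        downloaded = []
        for fp in subset:
            if fp in self.store:
                self.store.move_to_end(fp)        # still in use: keep it young
            else:
                self.store[fp] = fetch(fp)        # fetch only what is unknown
                downloaded.append(fp)
        while len(self.store) > self.limit:
            self.store.popitem(last=False)        # drop the oldest descriptor
        return downloaded

def consensus_round(cache, full, size, rng=None):
    """One periodic round: DA selects r_i, OP validates it, then updates its cache."""
    rng = rng or random.Random()
    subset = select_subset(full, size, rng)
    if not validate_subset(subset, full):
        raise ValueError("consensus r_i contains a relay not in R")
    return subset, cache.update(subset, lambda fp: f"descriptor-of-{fp}")
```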


-- 
tor-talk mailing list - tor-talk@lists.torproject.org