traffic analysis (was: blackmail / stego)

John S. Denker jsd at
Wed Aug 27 13:12:18 EDT 2003

I changed the Subject: line because most of the
blackmail / stego thread was about traffic
analysis.  It's amusing that traffic analysis could
be used to defeat a steganographic blackmail
attempt, but there are larger issues involved.

It is not true, despite what some people recently
suggested, that traffic analysis destroys any
hope of real-time anonymous communication.

It is true that if you design an "anonymity" system
under the assumption that the opposition doesn't
have enough resources to perform traffic analysis,
you'll be taken to the cleaners if the opposition
does have such resources.

There exist well-known techniques for greatly
reducing the effectiveness of traffic analysis.

A scenario of relevance to the present discussion
goes like this:
  -- There exists a data haven.  (Reiter and Rubin
     called this a "crowd".)
  -- Many subscribers have connections to the haven.
  -- Each subscriber maintains a strictly scheduled
     flow of traffic to and from the haven, padding
     the channel with nulls if necessary.
  -- All the traffic is encrypted, obviously.

Then the opponent can put unlimited effort into
traffic analysis but won't get anything in return,
beyond the _a priori_ obvious fact that some pair
of subscribers *may* have communicated.

As an extension:
  -- The haven may fetch a lot of web pages, some of
them in response to requests from subscribers, and
some not.

Then the opponent can conclude that some subscriber(s)
*may* have looked at some of the fetched pages.

Remark:  I said that each channel must carry (and
only carry) strictly scheduled traffic.  It is
sufficient but not necessary to send a constant
rate.  More complicated schedules, possibly
incorporating a degree of randomness, are allowed.
The point is that the cryptotext traffic must be
independent of the amount (and other characteristics)
of the plaintext traffic.

Additional remarks, having little to do with traffic
analysis, except as a reminder that traffic analysis
isn't the only threat to be considered:

  *) Anonymity means They can't prove you're guilty.
But it also means you can't prove you're innocent.
A sufficiently totalitarian regime will require
everyone to be able to prove their innocence at all
times.  Subscribing to an anonymity service would
therefore be automatically illegal.

  *) Obviously the haven itself must be resistant
to penetration by the opposition.

  *) Obviously if you use this service (or any
other) to communicate with somebody at an endpoint
that is already under surveillance, you have no
privacy.  So you must to some extent trust the
endpoints, no matter how good the channel is.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list