[Script Info]
Title:

[Events]
Format: Layer, Start, End, Style, Name, MarginL, MarginR, MarginV, Effect, Text
Dialogue: 0,0:00:00.00,0:00:16.30,Default,,0000,0000,0000,,{\i1}Music{\i0}\NHerald: The next talk coming up is going
Dialogue: 0,0:00:16.30,0:00:20.77,Default,,0000,0000,0000,,to be "Practical mix network designs,\Nstrong metadata protection for
Dialogue: 0,0:00:20.77,0:00:28.99,Default,,0000,0000,0000,,asynchronous messaging", held by by David,\Nwho has done research on mix networks and
Dialogue: 0,0:00:28.99,0:00:35.53,Default,,0000,0000,0000,,is a contributor to Tor network, and by\NJeff, who has done contribution to the GNU
Dialogue: 0,0:00:35.53,0:00:40.42,Default,,0000,0000,0000,,network project, organized a couple of\Nsessions for this on last year's Congress
Dialogue: 0,0:00:40.42,0:00:46.28,Default,,0000,0000,0000,,and is basically a mathematician, trying\Nto get practical. They're going to talk
Dialogue: 0,0:00:46.28,0:00:54.88,Default,,0000,0000,0000,,about components on mix networks and\Ndefenses that basically Tor can't do. And,
Dialogue: 0,0:00:54.88,0:01:03.01,Default,,0000,0000,0000,,yeah. Welcome with a big round of\Napplause, okay.
Dialogue: 0,0:01:03.01,0:01:12.23,Default,,0000,0000,0000,,{\i1}applause{\i0}\NJeff: Okay, so I'm Jeff, this is David,
Dialogue: 0,0:01:12.23,0:01:16.55,Default,,0000,0000,0000,,we're going to be telling you some, we're\Ngoing to be telling you some aspects about
Dialogue: 0,0:01:16.55,0:01:22.52,Default,,0000,0000,0000,,designing mix networks. The, I'm involved\Nwith the I'm an academic involved with the
Dialogue: 0,0:01:22.52,0:01:30.82,Default,,0000,0000,0000,,GNUnet project, he's involved with the\NPanoramix project.
Okay, so first of all
Dialogue: 0,0:01:30.82,0:01:37.82,Default,,0000,0000,0000,,we, just to be clear, of course encryption\Nworks, you know, if it's, you know,
Dialogue: 0,0:01:37.82,0:01:42.27,Default,,0000,0000,0000,,properly implemented and then, you know,\Nwe have a huge amount of trust in it, we
Dialogue: 0,0:01:42.27,0:01:46.49,Default,,0000,0000,0000,,we even have, you know, sort of slides\Nshowing that the most powerful adversaries
Dialogue: 0,0:01:46.49,0:01:51.24,Default,,0000,0000,0000,,in the world can't can't can't break these\Nthings, so this is fine.
Dialogue: 0,0:01:51.24,0:01:57.10,Default,,0000,0000,0000,,However we have to worry about sort of\Nabout the metadata leakage or and in this
Dialogue: 0,0:01:57.10,0:02:01.37,Default,,0000,0000,0000,,talk we're specifically going to be\Nworrying about traffic analysis of of
Dialogue: 0,0:02:01.37,0:02:08.65,Default,,0000,0000,0000,,connections. {\i1}inhales{\i0} So, yeah, it's time\Nto, it's time to actually start addressing
Dialogue: 0,0:02:08.65,0:02:14.61,Default,,0000,0000,0000,,these things. Okay. So existing solutions\Nto traffic analysis. So there's this
Dialogue: 0,0:02:14.61,0:02:22.42,Default,,0000,0000,0000,,wonderful Tor Tor program and project and\Nthey we we know as of five years ago they
Dialogue: 0,0:02:22.42,0:02:29.03,Default,,0000,0000,0000,,consider the the even the NSA considered\Nconsidered Tor to be quite effective at
Dialogue: 0,0:02:29.03,0:02:35.51,Default,,0000,0000,0000,,preventing mass location tracking.
So this\Nis, so Tor works for what it's designed to
Dialogue: 0,0:02:35.51,0:02:44.84,Default,,0000,0000,0000,,do, Tor does not protect against an\Nadversary who can see both ends of the Tor
Dialogue: 0,0:02:44.84,0:02:51.80,Default,,0000,0000,0000,,circuit, so this this is this is a\Nhandicap in a number of situ- in a number
Dialogue: 0,0:02:51.80,0:02:59.40,Default,,0000,0000,0000,,of situation, so the first situation is if\Nif you have a website that is, if you if
Dialogue: 0,0:02:59.40,0:03:04.63,Default,,0000,0000,0000,,you have a website of course then somebody\Ncan have fingerprinted this website in
Dialogue: 0,0:03:04.63,0:03:10.72,Default,,0000,0000,0000,,advance, have some, you know, description\Nof its of its traffic profile and they can
Dialogue: 0,0:03:10.72,0:03:15.08,Default,,0000,0000,0000,,and they can tell if you're just from\Nlooking at your connection if you're if
Dialogue: 0,0:03:15.08,0:03:18.39,Default,,0000,0000,0000,,you're accessing that that website over\NTor.
Dialogue: 0,0:03:18.39,0:03:22.63,Default,,0000,0000,0000,,So okay, so let's admit defeat for the web\Non the web for now, because we're not
Dialogue: 0,0:03:22.63,0:03:28.57,Default,,0000,0000,0000,,going to, you know, we're not going to be\Nable to provide that kind of, we're not
Dialogue: 0,0:03:28.57,0:03:33.51,Default,,0000,0000,0000,,going to be able to defeat that kind of\Nadversary very quickly. But okay, can we
Dialogue: 0,0:03:33.51,0:03:36.99,Default,,0000,0000,0000,,just message our friends over Tor?
So\Nthere's a few programs to do this: There's
Dialogue: 0,0:03:36.99,0:03:42.69,Default,,0000,0000,0000,,Ricochet, there's Briar; the problem with\Nusing Tor as a messaging as a messaging
Dialogue: 0,0:03:42.69,0:03:48.89,Default,,0000,0000,0000,,transport layer is that frequently, the\Npeople you want to protect, are in the
Dialogue: 0,0:03:48.89,0:03:54.54,Default,,0000,0000,0000,,same country or even on the same ISP, so\Nthe original property of, you know, the
Dialogue: 0,0:03:54.54,0:03:57.67,Default,,0000,0000,0000,,adversary being able to see both sides of\Nthe connection comes comes through again
Dialogue: 0,0:03:57.67,0:04:01.27,Default,,0000,0000,0000,,and they can very quickly be - that\Nconnection between them can very quickly
Dialogue: 0,0:04:01.27,0:04:07.63,Default,,0000,0000,0000,,be seen. So okay, how can we actually keep\Nour messaging metadata private? And the
Dialogue: 0,0:04:07.63,0:04:11.61,Default,,0000,0000,0000,,answer we're going to say sort of - we're\Ngoing to say the right one is a mix
Dialogue: 0,0:04:11.61,0:04:13.85,Default,,0000,0000,0000,,network.\NDavid: Oh yeah, so mix networks are
Dialogue: 0,0:04:13.85,0:04:18.81,Default,,0000,0000,0000,,message oriented, as opposed to stream\Noriented. They are essentially an
Dialogue: 0,0:04:18.81,0:04:27.34,Default,,0000,0000,0000,,unreliable packet switching network. And\Nalso latency is added at each hop. This is
Dialogue: 0,0:04:27.34,0:04:35.06,Default,,0000,0000,0000,,called a mix strategy; there's a bunch of\Ndifferent mix strategies. It's kind of an
Dialogue: 0,0:04:35.06,0:04:40.66,Default,,0000,0000,0000,,architectural diagram. Notice there's no\Nexit nodes, there's no talking to the web
Dialogue: 0,0:04:40.66,0:04:47.91,Default,,0000,0000,0000,,like with Tor, so the security model is\Ndifferent, we do have a PKI, similar to
Dialogue: 0,0:04:47.91,0:04:57.15,Default,,0000,0000,0000,,Tor, we we can call it like a directory\Nauthority system.
So there's a bunch of
Dialogue: 0,0:04:57.15,0:05:04.48,Default,,0000,0000,0000,,differences between Tor and mix nets and\None of the important ones is that we can
Dialogue: 0,0:05:04.48,0:05:09.45,Default,,0000,0000,0000,,actually do decoy traffic everywhere in\Nthis diagram, like we can do decoy traffic
Dialogue: 0,0:05:09.45,0:05:13.28,Default,,0000,0000,0000,,all the way to clients or to the\Ndestination.
Dialogue: 0,0:05:13.28,0:05:20.81,Default,,0000,0000,0000,,J.: Yeah so one of the one of the issues\Nwith Tor is of course you can't do you if
Dialogue: 0,0:05:20.81,0:05:26.57,Default,,0000,0000,0000,,even if you wanted to add decoy traffic\Nyou couldn't hide the - you couldn't
Dialogue: 0,0:05:26.57,0:05:30.34,Default,,0000,0000,0000,,protect against this website\Nfingerprinting attack necessarily, because
Dialogue: 0,0:05:30.34,0:05:34.61,Default,,0000,0000,0000,,you're going to be or you're still seeing\Nthe connection coming out the other side,
Dialogue: 0,0:05:34.61,0:05:39.43,Default,,0000,0000,0000,,so you're see there's still a lot of\Nanalysis you can do. Okay so one thing,
Dialogue: 0,0:05:39.43,0:05:43.49,Default,,0000,0000,0000,,just some history here, mix networks are\Nactually the the oldest anonymity system
Dialogue: 0,0:05:43.49,0:05:50.37,Default,,0000,0000,0000,,as far as far as I know from David Chaum's\N1981 paper, then there's a few other tools
Dialogue: 0,0:05:50.37,0:05:54.75,Default,,0000,0000,0000,,that have been proposed; one of them is\Nprivate information retrieval, usually
Dialogue: 0,0:05:54.75,0:05:57.90,Default,,0000,0000,0000,,written PIR.\NThis works in sort of narrow situations,
Dialogue: 0,0:05:57.90,0:06:02.00,Default,,0000,0000,0000,,when you're trying to retrieve something\Nfrom some kind of database. The scaling
Dialogue: 0,0:06:02.00,0:06:08.38,Default,,0000,0000,0000,,isn't perfect on it but there's cool\Nthings you can do.
But there's another the
Dialogue: 0,0:06:08.38,0:06:12.14,Default,,0000,0000,0000,,other the other one that sort of is\Ngenerally proposed is the alternative to
Dialogue: 0,0:06:12.14,0:06:16.77,Default,,0000,0000,0000,,mix networks is dining cryptographers\Nnetworks. And the problem with them is
Dialogue: 0,0:06:16.77,0:06:24.56,Default,,0000,0000,0000,,that the bandwidth is really literally,\Nyou know, each you're paying literally for
Dialogue: 0,0:06:24.56,0:06:31.15,Default,,0000,0000,0000,,the quadratic cost per user, so I mean\Nsomething like cubic. So the your
Dialogue: 0,0:06:31.15,0:06:37.77,Default,,0000,0000,0000,,anonymity set is is is really going to\Nwind up being very small and if you're
Dialogue: 0,0:06:37.77,0:06:42.58,Default,,0000,0000,0000,,talking about building something that has\Ninherently has a small anonymity set then
Dialogue: 0,0:06:42.58,0:06:49.39,Default,,0000,0000,0000,,you have to ask "who are we protecting?"\NAnd, you know, if you're if - you're not
Dialogue: 0,0:06:49.39,0:06:53.22,Default,,0000,0000,0000,,protecting whistleblowers anymore, because\Nof whistle- if a whistleblower talks to,
Dialogue: 0,0:06:53.22,0:06:56.77,Default,,0000,0000,0000,,you know, journalists and it's unclear\Nwhich journalists, you know, Der Spiegel
Dialogue: 0,0:06:56.77,0:07:02.63,Default,,0000,0000,0000,,he's talking to, well he's still some-\Nhe's still the guy with who knew this
Dialogue: 0,0:07:02.63,0:07:06.53,Default,,0000,0000,0000,,thing, who talked to somebody at Der\NSpiegel.
So and more as it does protect,
Dialogue: 0,0:07:06.53,0:07:11.73,Default,,0000,0000,0000,,you know, it doesn't, you know, it the\Nperson that it does protect is somebody
Dialogue: 0,0:07:11.73,0:07:15.62,Default,,0000,0000,0000,,who already has a lot of power and who\Nit's gonna be hard to convict anyway be-
Dialogue: 0,0:07:15.62,0:07:20.64,Default,,0000,0000,0000,,so what we want to do, so we really want\Nto blow up the anonymity set as large as
Dialogue: 0,0:07:20.64,0:07:22.79,Default,,0000,0000,0000,,possible and that's why we like mix\Nnetworks.
Dialogue: 0,0:07:22.79,0:07:27.06,Default,,0000,0000,0000,,D.: All right so we're gonna talk about a\Nfew attacks on mix networks and some
Dialogue: 0,0:07:27.06,0:07:33.18,Default,,0000,0000,0000,,defenses. Epistemic attacks are not one of\Nthe attacks we're really going to focus on
Dialogue: 0,0:07:33.18,0:07:37.20,Default,,0000,0000,0000,,because it's it's really a specialized\Narea of research; there's actually a bunch
Dialogue: 0,0:07:37.20,0:07:44.84,Default,,0000,0000,0000,,a few papers, written on breaking\Ndifferent public-key infrastructure
Dialogue: 0,0:07:44.84,0:07:49.68,Default,,0000,0000,0000,,systems for like things like point-to-\Npoint networks and other other things like
Dialogue: 0,0:07:49.68,0:07:51.75,Default,,0000,0000,0000,,that.\NJ.: So, oh, so..
Dialogue: 0,0:07:51.75,0:07:58.96,Default,,0000,0000,0000,,D.: Oh, so, okay, but we can say I guess\Nwe should mention that our PKI generally -
Dialogue: 0,0:07:58.96,0:08:06.20,Default,,0000,0000,0000,,mix literature assumes you have a PKI, it\Nassumes that the all the clients using it
Dialogue: 0,0:08:06.20,0:08:08.83,Default,,0000,0000,0000,,somehow know about the whole network.\NJ.: So
Dialogue: 0,0:08:08.83,0:08:13.11,Default,,0000,0000,0000,,D.: Yeah, g...\NJ.: So so usually when P - anonymity
Dialogue: 0,0:08:13.11,0:08:16.21,Default,,0000,0000,0000,,researchers talk about a PKI, they\Ngenerally assume something like the Tor
Dialogue: 0,0:08:16.21,0:08:19.47,Default,,0000,0000,0000,,directory authority system, where you have\Nsome people, who can be very trusted, who
Dialogue: 0,0:08:19.47,0:08:23.08,Default,,0000,0000,0000,,run the thing. This actually presents a\Nscalability problem- it's what's goin- it's
Dialogue: 0,0:08:23.08,0:08:27.64,Default,,0000,0000,0000,,what's the cuts(?) and post-project(?) and\Nand ever- and Panoramix is doing; it does
Dialogue: 0,0:08:27.64,0:08:33.14,Default,,0000,0000,0000,,present a scalability problem, more\Nserious than the one for Tor. The there
Dialogue: 0,0:08:33.14,0:08:38.08,Default,,0000,0000,0000,,are other ideas you can do, there's there,\Nso on the try, on the idea
Dialogue: 0,0:08:38.08,0:08:42.40,Default,,0000,0000,0000,,of sort of making it more secure beyond\Njust these people, there's projects like
Dialogue: 0,0:08:42.40,0:08:46.97,Default,,0000,0000,0000,,(???)thority and things and on the - but\Non trying to make it more scalable,
Dialogue: 0,0:08:46.97,0:08:50.69,Default,,0000,0000,0000,,there's other things, like we have we have\Nsome people in the GNUnet project that are
Dialogue: 0,0:08:50.69,0:08:55.50,Default,,0000,0000,0000,,researching this.
In past generally these\Npeer-to-peer networking projects to try
Dialogue: 0,0:08:55.50,0:09:01.29,Default,,0000,0000,0000,,and come up with, you know, distributed\NPKI, had very serious attacks against
Dialogue: 0,0:09:01.29,0:09:05.37,Default,,0000,0000,0000,,them; these epistemic and especially these\Nepistemic attack types things, so and
Dialogue: 0,0:09:05.37,0:09:09.01,Default,,0000,0000,0000,,you're not gonna completely fix those, so\Nthe way that you would have a distributed
Dialogue: 0,0:09:09.01,0:09:14.30,Default,,0000,0000,0000,,PKI is you would have to prove that you\Nreally know how bad the attack is and then
Dialogue: 0,0:09:14.30,0:09:19.56,Default,,0000,0000,0000,,argue that this is better than some nine\Npeople or whatever possibly being
Dialogue: 0,0:09:19.56,0:09:22.73,Default,,0000,0000,0000,,compromised. But we don't want to talk too\Nmuch about this, because this is not our
Dialogue: 0,0:09:22.73,0:09:26.24,Default,,0000,0000,0000,,area of work but we just want to mention\Nit's intr- it's a lot of interesting stuff
Dialogue: 0,0:09:26.24,0:09:32.38,Default,,0000,0000,0000,,there and right now - so since we were\Nleading from the epistemic attacks David's
Dialogue: 0,0:09:32.38,0:09:36.18,Default,,0000,0000,0000,,gonna tell you about sort of, since this\Nis sort of the sca- well, I'm sorry, he's
Dialogue: 0,0:09:36.18,0:09:39.62,Default,,0000,0000,0000,,gonna tell you about how the scalability\Ncomes in.
Dialogue: 0,0:09:39.62,0:09:46.45,Default,,0000,0000,0000,,D.: Yeah, so Tor, oh, so, sorry, mix nets\Ncan use cascade topologies where everyone
Dialogue: 0,0:09:46.45,0:09:52.01,Default,,0000,0000,0000,,uses the same route and this is quite a\Ndifferent than Tor where route
Dialogue: 0,0:09:52.01,0:09:58.66,Default,,0000,0000,0000,,unpredictability is used to achieve some\Nof its anonymity properties.
So in mix
Dialogue: 0,0:09:58.66,0:10:04.21,Default,,0000,0000,0000,,nets you can use the same route as\Neverybody but this is a scalability
Dialogue: 0,0:10:04.21,0:10:12.95,Default,,0000,0000,0000,,problem. So we have other things like free\Nroute and also stratified topology but
Dialogue: 0,0:10:12.95,0:10:18.14,Default,,0000,0000,0000,,free route actually has slightly worse\Nanonymity. Claudia Diaz has got an
Dialogue: 0,0:10:18.14,0:10:22.01,Default,,0000,0000,0000,,excellent paper and about this.\NJ.: Another kind of point about free route
Dialogue: 0,0:10:22.01,0:10:26.54,Default,,0000,0000,0000,,is that in practice, like the Tor network,\Nyou visualize it as a free network and it
Dialogue: 0,0:10:26.54,0:10:31.51,Default,,0000,0000,0000,,grew away from that. Nodes are authorized\Nto be in specific positions and things
Dialogue: 0,0:10:31.51,0:10:36.34,Default,,0000,0000,0000,,like this. So it may be that free routes\Naren't just... you wouldn't land there
Dialogue: 0,0:10:36.34,0:10:42.61,Default,,0000,0000,0000,,anyway even if you tried\ND.: Oh yeah. Exit versus guard flags for
Dialogue: 0,0:10:42.61,0:10:50.99,Default,,0000,0000,0000,,Tor. This is another diagram of the... any\Nlayer, any mix in layer 0 can connect to
Dialogue: 0,0:10:50.99,0:10:58.61,Default,,0000,0000,0000,,any mix in layer 1 and and send a mix\Npacket. So this comes from the Loopix
Dialogue: 0,0:10:58.61,0:11:05.32,Default,,0000,0000,0000,,design, we're gonna be mentioning some\Nmore designs from Loopix. The cool
Dialogue: 0,0:11:05.32,0:11:10.70,Default,,0000,0000,0000,,thing about this is, it's fairly easy to\Ncalculate the entropy of each mix compared
Dialogue: 0,0:11:10.70,0:11:17.42,Default,,0000,0000,0000,,to say free route, which is pretty\Ncomplicated.
This also scales pretty well,
Dialogue: 0,0:11:17.42,0:11:22.32,Default,,0000,0000,0000,,we can add mixes to each layer if we need\Nto scale up for more traffic and more
Dialogue: 0,0:11:22.32,0:11:26.39,Default,,0000,0000,0000,,users.\ND.: So we're gonna mention a couple,
Dialogue: 0,0:11:26.39,0:11:31.05,Default,,0000,0000,0000,,sometimes we'll put some citations on the\Nslide. Don't take them.. they're not too
Dialogue: 0,0:11:31.05,0:11:35.90,Default,,0000,0000,0000,,critical, but the one on this one... yeah,\NClaudia Diaz has a very nice paper for
Dialogue: 0,0:11:35.90,0:11:41.03,Default,,0000,0000,0000,,understanding the different ideologies.\NJ.: And I believe Roger has a paper on
Dialogue: 0,0:11:41.03,0:11:46.76,Default,,0000,0000,0000,,this topic as well.\ND.: Ok, so why isn't this Tor? Well, the
Dialogue: 0,0:11:46.76,0:11:50.76,Default,,0000,0000,0000,,main thing that we can say is that Tor\Ndoesn't actually mix. If the packets
Dialogue: 0,0:11:50.76,0:11:54.39,Default,,0000,0000,0000,,are... The packets coming in at a\Nparticular point in time are basically the
Dialogue: 0,0:11:54.39,0:12:01.65,Default,,0000,0000,0000,,same packets going out. You pretty much\Nknow within a very small number. So what a
Dialogue: 0,0:12:01.65,0:12:05.65,Default,,0000,0000,0000,,mix strategy actually does. This is an\Nalgorithm that's part of the software to
Dialogue: 0,0:12:05.65,0:12:10.99,Default,,0000,0000,0000,,do the thing. What a mix strategy\Nactually does is it adds latency to reduce
Dialogue: 0,0:12:10.99,0:12:18.29,Default,,0000,0000,0000,,the correlation between packets.\NAnd there's yeah ...
Dialogue: 0,0:12:18.29,0:12:25.96,Default,,0000,0000,0000,,J.: So David Chaum in 1981 with this first\Nmix net paper described this threshold mix.
Dialogue: 0,0:12:25.96,0:12:30.14,Default,,0000,0000,0000,,So say this mix had a threshold of four.\NIt would accumulate four input messages
Dialogue: 0,0:12:30.14,0:12:35.93,Default,,0000,0000,0000,,like this.
And when it had enough for its\Nthreshold, then it would shuffle them and
Dialogue: 0,0:12:35.93,0:12:40.82,Default,,0000,0000,0000,,send them out. Mixes are also unwrapping a\Nlayer of encryption for each of these
Dialogue: 0,0:12:40.82,0:12:49.27,Default,,0000,0000,0000,,hops. So if I was an attacker and I wanted\Nto break this, what I could do is wait
Dialogue: 0,0:12:49.27,0:12:54.11,Default,,0000,0000,0000,,until the mix is empty, or I could make\Nthat mix empty by sending my own messages
Dialogue: 0,0:12:54.11,0:12:59.11,Default,,0000,0000,0000,,into it. And then when a target message\Nenters this mix I could send my own
Dialogue: 0,0:12:59.11,0:13:03.100,Default,,0000,0000,0000,,messages and cause it to achieve its\Nthreshold and shuffle and send all the
Dialogue: 0,0:13:03.100,0:13:09.11,Default,,0000,0000,0000,,messages out. So then I would recognize\Nall the ciphertexts of my own messages
Dialogue: 0,0:13:09.11,0:13:11.36,Default,,0000,0000,0000,,and the one message\NI don't recognize is the
Dialogue: 0,0:13:11.36,0:13:15.63,Default,,0000,0000,0000,,target message. You can keep doing this\Nfor each hop and this is called an
Dialogue: 0,0:13:15.63,0:13:21.11,Default,,0000,0000,0000,,n-minus-1 attack or blending attack.\NThere's a lot of variations on them. We
Dialogue: 0,0:13:21.11,0:13:26.70,Default,,0000,0000,0000,,have continuous-time mixes like the stop-\Nand-go mix and the Poisson mix
Dialogue: 0,0:13:26.70,0:13:31.53,Default,,0000,0000,0000,,strategies. These mix strategies allow\Nthe client to select the delays for each
Dialogue: 0,0:13:31.53,0:13:41.14,Default,,0000,0000,0000,,hop. Usually they're from an exponential\Ndistribution.
If an attacker wants to
Dialogue: 0,0:13:41.14,0:13:47.80,Default,,0000,0000,0000,,break this using a blending attack, first\Nthey need to empty the mix queue by
Dialogue: 0,0:13:47.80,0:13:52.39,Default,,0000,0000,0000,,blocking all input messages from the mix\Nand waiting some period of time where it's
Dialogue: 0,0:13:52.39,0:13:57.95,Default,,0000,0000,0000,,highly probable that the mix queue would\Nthen be empty. Then they would allow their
Dialogue: 0,0:13:57.95,0:14:03.20,Default,,0000,0000,0000,,one target message to enter the mix and\Ncontinue to block other input messages and
Dialogue: 0,0:14:03.20,0:14:11.29,Default,,0000,0000,0000,,then simply wait for that message to be\Noutputted. Now these attacks we have some
Dialogue: 0,0:14:11.29,0:14:17.06,Default,,0000,0000,0000,,defense for them, like say a heartbeat\Nprotocol from, George wrote a paper about
Dialogue: 0,0:14:17.06,0:14:22.78,Default,,0000,0000,0000,,ten years ago, George Danezis. It's also\Nin the Loopix paper as well, it's
Dialogue: 0,0:14:22.78,0:14:31.60,Default,,0000,0000,0000,,mentioned. So we would have mixes with a\Nkind of decoy traffic, we refer to them as
Dialogue: 0,0:14:31.60,0:14:35.58,Default,,0000,0000,0000,,mix loops or heartbeat traffic, where a\Nmix is sending itself a message. It's like
Dialogue: 0,0:14:35.58,0:14:38.92,Default,,0000,0000,0000,,a self-addressed stamped envelope. It's\Ngoing through the mix network and coming
Dialogue: 0,0:14:38.92,0:14:46.30,Default,,0000,0000,0000,,back. And if it doesn't receive its\Nheartbeat in some timeout, it knows it
Dialogue: 0,0:14:46.30,0:14:50.04,Default,,0000,0000,0000,,could be under attack or of course there\Ncould be other problems in the network as
Dialogue: 0,0:14:50.04,0:14:57.43,Default,,0000,0000,0000,,well.
So you would want to maybe correlate\Nan attack with several failures to receive
Dialogue: 0,0:14:57.43,0:15:03.11,Default,,0000,0000,0000,,a heartbeat message.\NThere's other defenses for blending
Dialogue: 0,0:15:03.11,0:15:06.37,Default,,0000,0000,0000,,attacks as well. There was a recent paper\Npublished, but we're not going to talk
Dialogue: 0,0:15:06.37,0:15:14.80,Default,,0000,0000,0000,,about that right now. The next category of\Nattack is statistical disclosure attacks.
Dialogue: 0,0:15:14.80,0:15:20.32,Default,,0000,0000,0000,,This is essentially, I like to think of it\Nas the adversary is abstracting the entire
Dialogue: 0,0:15:20.32,0:15:25.76,Default,,0000,0000,0000,,mix network as if it's one mix. They're\Nlooking at messages go in and messages
Dialogue: 0,0:15:25.76,0:15:31.56,Default,,0000,0000,0000,,come out. A lot of this literature is\Nwritten from the perspective of like
Dialogue: 0,0:15:31.56,0:15:36.36,Default,,0000,0000,0000,,point-to-point networks. Like when Alice\Nand Bob were receiving messages from the
Dialogue: 0,0:15:36.36,0:15:40.30,Default,,0000,0000,0000,,mix network they're receiving it at\Ntheir home IP addresses, as if we had
Dialogue: 0,0:15:40.30,0:15:45.59,Default,,0000,0000,0000,,publicly routable IP addresses and no NAT\Ndevices to get in the way. Maybe a more
Dialogue: 0,0:15:45.59,0:15:52.67,Default,,0000,0000,0000,,modern sort of architecture might involve\Nqueuing messages. This is a concept used
Dialogue: 0,0:15:52.67,0:15:58.63,Default,,0000,0000,0000,,in Loopix design as well.\NLoopix has got a bunch of different decoy
Dialogue: 0,0:15:58.63,0:16:05.82,Default,,0000,0000,0000,,traffic types in order to add noise to the\Nsignal at various locations in the
Dialogue: 0,0:16:05.82,0:16:13.98,Default,,0000,0000,0000,,network.
So there's drop decoy traffic,\Nwhere a client would select a random
Dialogue: 0,0:16:13.98,0:16:18.82,Default,,0000,0000,0000,,destination provider to send a message to.\NSo it traverses the mix net and then gets
Dialogue: 0,0:16:18.82,0:16:26.92,Default,,0000,0000,0000,,dropped by the provider. And there's also\Nclient loops, and actually I should
Dialogue: 0,0:16:26.92,0:16:32.62,Default,,0000,0000,0000,,mention, if we're doing these kind of\Nstatistical disclosure attacks, a lot of
Dialogue: 0,0:16:32.62,0:16:36.98,Default,,0000,0000,0000,,this stuff we don't know how well it will\Nwork in the real world. Because, it really
Dialogue: 0,0:16:36.98,0:16:42.49,Default,,0000,0000,0000,,depends on a specific application and the\Nadversary's ability to predict users'
Dialogue: 0,0:16:42.49,0:16:47.99,Default,,0000,0000,0000,,behavior and that behavior should be\Nrepetitive. I mean this depends on how
Dialogue: 0,0:16:47.99,0:16:53.42,Default,,0000,0000,0000,,much information is leaked by the system.\NBut mix networks always leak information,
Dialogue: 0,0:16:53.42,0:16:59.98,Default,,0000,0000,0000,,so it's it's about measuring the leakage\Nand understanding if the user behavior is
Dialogue: 0,0:16:59.98,0:17:06.86,Default,,0000,0000,0000,,dynamic enough.\NThese attacks cannot always converge on
Dialogue: 0,0:17:06.86,0:17:14.31,Default,,0000,0000,0000,,success. So it depends on the particular\Nsystem and how it's tuned. In this
Dialogue: 0,0:17:14.31,0:17:20.36,Default,,0000,0000,0000,,particular case for queuing messages in\Nthis style mix network the adversary
Dialogue: 0,0:17:20.36,0:17:27.88,Default,,0000,0000,0000,,would have to compromise the destination\Nproviders.
So previously here in this
Dialogue: 0,0:17:27.88,0:17:32.21,Default,,0000,0000,0000,,situation it would be, in this point-to-\Npoint network situation where people are
Dialogue: 0,0:17:32.21,0:17:37.57,Default,,0000,0000,0000,,actually receiving messages from the mix\Nnetwork to their mailbox directly or to
Dialogue: 0,0:17:37.57,0:17:44.74,Default,,0000,0000,0000,,their home IP, the adversary is a passive\Nadversary. In the more modern architecture
Dialogue: 0,0:17:44.74,0:17:50.12,Default,,0000,0000,0000,,where messages are queued, I mean it's not\Nmore modern, but it's the Loopix design
Dialogue: 0,0:17:50.12,0:17:57.06,Default,,0000,0000,0000,,which is a recent paper, so this attack\Nbecomes an active attack. And there's some
Dialogue: 0,0:17:57.06,0:18:01.96,Default,,0000,0000,0000,,padding to the clients so we have some\Namount of receiver unobservability, so
Dialogue: 0,0:18:01.96,0:18:07.42,Default,,0000,0000,0000,,clients received the same amount of\Ninformation when they received messages.
Dialogue: 0,0:18:07.42,0:18:10.76,Default,,0000,0000,0000,,D.: So okay, so there's a question that's\Nnatural. So we've talked about adding
Dialogue: 0,0:18:10.76,0:18:14.56,Default,,0000,0000,0000,,latency and we are also talking about\Nadding cover traffic. So you might ask "Is
Dialogue: 0,0:18:14.56,0:18:21.88,Default,,0000,0000,0000,,this enough?" and "Could I get away with\Nless?". And the answer to "Could I get
Dialogue: 0,0:18:21.88,0:18:32.82,Default,,0000,0000,0000,,away with less?" seems to be no. At least\Nby some artificial measures your anonymity
Dialogue: 0,0:18:32.82,0:18:39.02,Default,,0000,0000,0000,,can't really scale better than the cover\Ntraffic times the latency.
So one takeaway
Dialogue: 0,0:18:39.02,0:18:45.67,Default,,0000,0000,0000,,from this is in the Tor, in what is Tor's\Nsituation, so I mean Roger always tells
Dialogue: 0,0:18:45.67,0:18:51.54,Default,,0000,0000,0000,,people that they don't know, if adding\Ncover traffic to Tor would help. And one
Dialogue: 0,0:18:51.54,0:18:55.45,Default,,0000,0000,0000,,sort of extreme version of this is of\Ncourse, whatever cover traffic you add
Dialogue: 0,0:18:55.45,0:19:03.50,Default,,0000,0000,0000,,times something very small is still\Nsomething rather relatively small. Now
Dialogue: 0,0:19:03.50,0:19:07.04,Default,,0000,0000,0000,,you'll notice here of course the anonymity\Nstill looks quadratic in something but
Dialogue: 0,0:19:07.04,0:19:10.91,Default,,0000,0000,0000,,it's still longer in the number of users.\NSo what we're talking about is paying some
Dialogue: 0,0:19:10.91,0:19:15.50,Default,,0000,0000,0000,,sort of fixed upfront cost. It may be\Nsomewhat large, part of it is in terms of
Dialogue: 0,0:19:15.50,0:19:19.58,Default,,0000,0000,0000,,the user's experience with the latency and\Npart of it is in terms of the actual sort
Dialogue: 0,0:19:19.58,0:19:27.54,Default,,0000,0000,0000,,of cost of their you know of their network\Nconnection, but you know, it's doable. So
Dialogue: 0,0:19:27.54,0:19:31.44,Default,,0000,0000,0000,,one thing, so sometimes people have made\Nthese just to sort of wrap up this section
Dialogue: 0,0:19:31.44,0:19:36.34,Default,,0000,0000,0000,,about topologies and whatever and\Nstrategies and things, so people have made
Dialogue: 0,0:19:36.34,0:19:40.98,Default,,0000,0000,0000,,these sort of quasi religious statements\Nabout encryption from time to time.
To
Dialogue: 0,0:19:40.98,0:19:45.96,Default,,0000,0000,0000,,sort of boil that down to something\Nconcrete encryption is basically free in
Dialogue: 0,0:19:45.96,0:19:50.75,Default,,0000,0000,0000,,general and but for the mix network\Nwe're going to have to actually pay some
Dialogue: 0,0:19:50.75,0:19:56.16,Default,,0000,0000,0000,,kind of real costs.\NOkay, so one thing about mix networks, you
Dialogue: 0,0:19:56.16,0:20:01.20,Default,,0000,0000,0000,,don't want to roll your own packet format.\NThere's this wonderful, first to know a
Dialogue: 0,0:20:01.20,0:20:05.91,Default,,0000,0000,0000,,very reasonable one, it's sort of the one\Nthat has stopped much of the development
Dialogue: 0,0:20:05.91,0:20:11.46,Default,,0000,0000,0000,,in this area, is Sphinx. It's quite\Ncompact, and it has a very nice security
Dialogue: 0,0:20:11.46,0:20:16.99,Default,,0000,0000,0000,,proof, it's by George Danezis and Ian\NGoldberg. So just to comment on the name,
Dialogue: 0,0:20:16.99,0:20:20.77,Default,,0000,0000,0000,,so the packet format has a header and a\Nbody and at the time that it was
Dialogue: 0,0:20:20.77,0:20:24.82,Default,,0000,0000,0000,,developed, so the body has to be encrypted\Nwith what's called a wide block cipher. At
Dialogue: 0,0:20:24.82,0:20:28.50,Default,,0000,0000,0000,,the time that was developed the only wide\Nblock cipher the people were thinking
Dialogue: 0,0:20:28.50,0:20:35.72,Default,,0000,0000,0000,,about was LIONESS. There's now some other\Nwide block ciphers like AEZ by Rogaway and
Dialogue: 0,0:20:35.72,0:20:42.35,Default,,0000,0000,0000,,supposedly DJB has one on the way. So I'm\Ngonna say a little few things about the
Dialogue: 0,0:20:42.35,0:20:47.37,Default,,0000,0000,0000,,packet format.
So the header has three\Nparts, but one of them, the first part is
Dialogue: 0,0:20:47.37,0:20:53.14,Default,,0000,0000,0000,,a public key this elliptic curve point,\Nand then there's this body, which is
Dialogue: 0,0:20:53.14,0:20:57.51,Default,,0000,0000,0000,,encrypted with a wide block cipher. So the\Nway you think about this mix node n
Dialogue: 0,0:20:57.51,0:21:04.84,Default,,0000,0000,0000,,operating is, Alice, you know there's this\Nkey exchange between the mix node and
Dialogue: 0,0:21:04.84,0:21:10.71,Default,,0000,0000,0000,,Alice, that Alice first does it. She\Nthinks up this is key for her packet and
Dialogue: 0,0:21:10.71,0:21:16.03,Default,,0000,0000,0000,,does the exchange and then the mix node\Ncomputes the other side of the Diffie-
Dialogue: 0,0:21:16.03,0:21:21.14,Default,,0000,0000,0000,,Hellman. From that the mix node extracts\Nthe next hop and he has to mutate all of
Dialogue: 0,0:21:21.14,0:21:27.98,Default,,0000,0000,0000,,the different things. So what Sphinx is,\Nis the rules for how to mutate those. Okay
Dialogue: 0,0:21:27.98,0:21:32.76,Default,,0000,0000,0000,,so let's say one thing, that's kind of\Nimportant is: "Why are we using...", you
Dialogue: 0,0:21:32.76,0:21:37.54,Default,,0000,0000,0000,,know "Why is this Delta...". I didn't make\Na comment on this too much, but the header
Dialogue: 0,0:21:37.54,0:21:42.34,Default,,0000,0000,0000,,part was MACed and Delta was not. So why\Ndo we not put a MAC on Delta?
Dialogue: 0,0:21:42.34,0:21:46.31,Default,,0000,0000,0000,,This seems very very dangerous.
Of course\Nif you know, if we had, if we were just Dialogue: 0,0:21:46.31,0:21:52.59,Default,,0000,0000,0000,,using an unMACed stream cipher then some\Nadversary who controls a mix node next to Dialogue: 0,0:21:52.59,0:21:58.03,Default,,0000,0000,0000,,the sender and someplace where the message\Nis going, could just XOR an arbitrary Dialogue: 0,0:21:58.03,0:22:05.12,Default,,0000,0000,0000,,message into the packet and then check for\Nit when it arrives. But we don't use a Dialogue: 0,0:22:05.12,0:22:10.86,Default,,0000,0000,0000,,stream cipher, we use a wide block cipher.\NSo what this means is, an attacker doing Dialogue: 0,0:22:10.86,0:22:18.46,Default,,0000,0000,0000,,the same sort of thing will get at most a\None bit tagging attack. Okay, that's still Dialogue: 0,0:22:18.46,0:22:24.65,Default,,0000,0000,0000,,an attack. Why would we tolerate even a\None bit tagging attack? And the answer is Dialogue: 0,0:22:24.65,0:22:34.28,Default,,0000,0000,0000,,that anonymous receivers really matter. So\Nthere's a few things, so of course a Dialogue: 0,0:22:34.28,0:22:38.23,Default,,0000,0000,0000,,journalistic source, some sort of\Nwhistleblower or whatever, but also any Dialogue: 0,0:22:38.23,0:22:41.97,Default,,0000,0000,0000,,kind of service, like if you want to talk\Nto some crypto currency network, or you Dialogue: 0,0:22:41.97,0:22:46.07,Default,,0000,0000,0000,,want to talk to or download some file, or\Nanything like this, anything where you Dialogue: 0,0:22:46.07,0:22:52.14,Default,,0000,0000,0000,,interact with a service or you need some\Nkind of acknowledgment back of it. And in Dialogue: 0,0:22:52.14,0:22:59.64,Default,,0000,0000,0000,,fact even just the basic protocol ACKs for\Na messaging system need some sort of Dialogue: 0,0:22:59.64,0:23:05.26,Default,,0000,0000,0000,,reply. Okay, so what is this? So how do we\Ndo anonymous receivers?
We create what's Dialogue: 0,0:23:05.26,0:23:12.57,Default,,0000,0000,0000,,called a single-use reply block, so that's\Na first node where it goes to, expiration Dialogue: 0,0:23:12.57,0:23:20.92,Default,,0000,0000,0000,,date, and then the header and one\Ncryptographic key for one layer of it. And Dialogue: 0,0:23:20.92,0:23:28.71,Default,,0000,0000,0000,,so the recipient makes up this SURB and\Nsupplies it to the sender at some point in Dialogue: 0,0:23:28.71,0:23:34.33,Default,,0000,0000,0000,,the past. The sender attaches their Delta\Nand they can send to the recipient. Dialogue: 0,0:23:34.33,0:23:45.43,Default,,0000,0000,0000,,Okay so great, now okay, now let's get\Ninto something tricky. We have these Dialogue: 0,0:23:45.43,0:23:51.88,Default,,0000,0000,0000,,common... Okay we might worry, so if you\Nlooked at the key exchange that I did, Dialogue: 0,0:23:51.88,0:23:59.48,Default,,0000,0000,0000,,Alice the sender just made up her alpha on\Nthe spot. So her key is ephemeral but the Dialogue: 0,0:23:59.48,0:24:07.29,Default,,0000,0000,0000,,mix node he wasn't. It was supplied by\Nthis PKI. So that means, so we want our Dialogue: 0,0:24:07.29,0:24:10.66,Default,,0000,0000,0000,,protocols to be forward secure and you\Nknow Tor is forward secure. It doesn't Dialogue: 0,0:24:10.66,0:24:16.48,Default,,0000,0000,0000,,negotiate, live negotiation with the top\Nwhich is great. But we need some kind of Dialogue: 0,0:24:16.48,0:24:23.51,Default,,0000,0000,0000,,forward security and we don't have it, a\Npriori. So what we have to do is well Dialogue: 0,0:24:23.51,0:24:30.13,Default,,0000,0000,0000,,first of all a mix net, we need some\Nkind of replay attack protection anyway. Dialogue: 0,0:24:30.13,0:24:38.45,Default,,0000,0000,0000,,So what this requires, some sort of data\Nstructure that will eventually fill up or Dialogue: 0,0:24:38.45,0:24:43.57,Default,,0000,0000,0000,,overflow or something like this.
So to\Nprevent that we have to do key rotation Dialogue: 0,0:24:43.57,0:24:47.87,Default,,0000,0000,0000,,anyway. So one option is to just rotate\Nthe mix node keys faster. The problem with Dialogue: 0,0:24:47.87,0:24:52.32,Default,,0000,0000,0000,,that is that you don't want to stress the\NPKI too much. Because the PKI is already a Dialogue: 0,0:24:52.32,0:24:58.60,Default,,0000,0000,0000,,scaling pain. So, okay. But another\Nproblem with that is that these SURB Dialogue: 0,0:24:58.60,0:25:04.27,Default,,0000,0000,0000,,lifetimes are equal to the node key life,\Nthey can't exceed the node key lifetimes. Dialogue: 0,0:25:04.27,0:25:09.79,Default,,0000,0000,0000,,So that means that we, if we want to be\Nable to have our forward, have our key Dialogue: 0,0:25:09.79,0:25:15.09,Default,,0000,0000,0000,,compromise window smaller than the node\Nkey lifetimes or then we have to do, or - Dialogue: 0,0:25:15.09,0:25:19.56,Default,,0000,0000,0000,,you know smaller than the server lifetimes\N- and we have to do something else. So Dialogue: 0,0:25:19.56,0:25:25.11,Default,,0000,0000,0000,,there's a couple ideas. So George, back in\Ntwo thousand th- so, okay the idea is; Dialogue: 0,0:25:25.11,0:25:29.91,Default,,0000,0000,0000,,Okay, maybe we can be like, a little like\NTor and use more packets per for the Dialogue: 0,0:25:29.91,0:25:35.21,Default,,0000,0000,0000,,packet we want to send but not do it in\Nthe way Tor does it. 
So George proposed Dialogue: 0,0:25:35.21,0:25:40.71,Default,,0000,0000,0000,,using two packets in different key epochs.\NThat's pretty good, that that gives you, Dialogue: 0,0:25:40.71,0:25:46.27,Default,,0000,0000,0000,,that gives you a lot of nice properties.\NSo there's another thing you can do that Dialogue: 0,0:25:46.27,0:25:51.43,Default,,0000,0000,0000,,I'm sort of, that I've been working on,\Nwhich is you can you can use a loop to the Dialogue: 0,0:25:51.43,0:25:58.47,Default,,0000,0000,0000,,mix, to a mix node to actually do a key\Nexchange and then on the mix node you can Dialogue: 0,0:25:58.47,0:26:04.69,Default,,0000,0000,0000,,you can use a double ratchet construction\Nfor some hops. And that the this, problem Dialogue: 0,0:26:04.69,0:26:11.17,Default,,0000,0000,0000,,with this is it's cheating, these two\Nthese two things. and you wouldn't want to Dialogue: 0,0:26:11.17,0:26:17.25,Default,,0000,0000,0000,,do them at all hops, because they create\Nsome correlations between packets. So, Dialogue: 0,0:26:17.25,0:26:23.41,Default,,0000,0000,0000,,okay, so we can so we can, in general we\Ncan ask what is what do we want the key Dialogue: 0,0:26:23.41,0:26:28.56,Default,,0000,0000,0000,,exchange that our mix node - what do we\Nwant, how do we make this mix node forward Dialogue: 0,0:26:28.56,0:26:33.36,Default,,0000,0000,0000,,secure, so I don't want to say too much\Nabout this but in general we can talk Dialogue: 0,0:26:33.36,0:26:39.52,Default,,0000,0000,0000,,about the different stra- different sort\Nof basic technologies for key exchanges Dialogue: 0,0:26:39.52,0:26:43.96,Default,,0000,0000,0000,,and the properties we can get out of them\Nin the context of Sphinx. 
Dialogue: 0,0:26:43.96,0:26:48.14,Default,,0000,0000,0000,,And, you know, anything that's based on\Nelliptic curves is not going to be post Dialogue: 0,0:26:48.14,0:26:52.81,Default,,0000,0000,0000,,quantum, so if we want something based on,\Nyou know, if we want that then we need to Dialogue: 0,0:26:52.81,0:26:55.95,Default,,0000,0000,0000,,something else so there was a blinding\Noperations in Sphinx I didn't tell you Dialogue: 0,0:26:55.95,0:27:00.04,Default,,0000,0000,0000,,about, doing that in the post quantum\Ncontext is tricky. Probably it works for Dialogue: 0,0:27:00.04,0:27:05.72,Default,,0000,0000,0000,,SIDH. We don't know if it works for LWE.\NWe certainly have no idea how to do it Dialogue: 0,0:27:05.72,0:27:10.91,Default,,0000,0000,0000,,efficiently, maybe it can be done. Our\Ncheating strategy gives us nice key Dialogue: 0,0:27:10.91,0:27:16.06,Default,,0000,0000,0000,,erasure properties, it gives us post\Nquantum, if the loop if the loop did a Dialogue: 0,0:27:16.06,0:27:20.71,Default,,0000,0000,0000,,post quantum key exchange and there's\Nanother nice property that it gives, that Dialogue: 0,0:27:20.71,0:27:24.70,Default,,0000,0000,0000,,you can't really get any other way, which\Nis that it the the blinding thing is Dialogue: 0,0:27:24.70,0:27:29.81,Default,,0000,0000,0000,,hybrid - you can actually have a hybrid\Npost quantum property, and that means that Dialogue: 0,0:27:29.81,0:27:33.76,Default,,0000,0000,0000,,you can use both an elliptic curve and\Nthis post quantum key exchange and if Dialogue: 0,0:27:33.76,0:27:39.01,Default,,0000,0000,0000,,either one of them is good then you can't\Nbreak then you can't break it. 
If you try Dialogue: 0,0:27:39.01,0:27:43.57,Default,,0000,0000,0000,,and do this construction with something\Nlike LWE you're probably not going to be Dialogue: 0,0:27:43.57,0:27:47.11,Default,,0000,0000,0000,,able to get that hybrid post quantum\Nproperty, 'cause the blinding operation Dialogue: 0,0:27:47.11,0:27:51.08,Default,,0000,0000,0000,,itself will depend on the LWE\Ncryptographic assumptions. Dialogue: 0,0:27:51.08,0:27:58.24,Default,,0000,0000,0000,,So nevertheless I want to conjecture that\NLWE (?????????) LWE means "learning with Dialogue: 0,0:27:58.24,0:28:03.90,Default,,0000,0000,0000,,errors", may be the eventual sort of post\Nquantum key exchange we want to use and so Dialogue: 0,0:28:03.90,0:28:07.63,Default,,0000,0000,0000,,mathematicians love conjectures, so I\Ndon't think there's one with blinding but Dialogue: 0,0:28:07.63,0:28:14.59,Default,,0000,0000,0000,,I think we can probably come up with\Nsomething that eventually, where we have Dialogue: 0,0:28:14.59,0:28:19.75,Default,,0000,0000,0000,,some kind of nice blinding for the an LWE\Nscheme and it even has puncturing. Dialogue: 0,0:28:19.75,0:28:23.50,Default,,0000,0000,0000,,Punctured encryption is something that you\Ncan currently do with pairing based crypto Dialogue: 0,0:28:23.50,0:28:30.64,Default,,0000,0000,0000,,and it's excruciatingly slow but I think\Nit could, I suspect it could be done much Dialogue: 0,0:28:30.64,0:28:37.45,Default,,0000,0000,0000,,faster with LWE. Okay\ND.: Okay, so mix networks: they're Dialogue: 0,0:28:37.45,0:28:43.77,Default,,0000,0000,0000,,unreliable, they're packet switching, so\Nin that case some classical Network Dialogue: 0,0:28:43.77,0:28:51.83,Default,,0000,0000,0000,,literature can can be applied. 
Now an\Nautomatic repeat request protocol scheme Dialogue: 0,0:28:51.83,0:28:56.82,Default,,0000,0000,0000,,is one of those protocol schemes that has\Nprotocol acknowledgments and retransmits Dialogue: 0,0:28:56.82,0:29:01.87,Default,,0000,0000,0000,,and we can do this over mix networks but\Nit leaks extra information. Every ACK you Dialogue: 0,0:29:01.87,0:29:07.70,Default,,0000,0000,0000,,send could potentially be used as in a\Ncorrelation attack, for instance if the Dialogue: 0,0:29:07.70,0:29:12.91,Default,,0000,0000,0000,,adversary causes the ACK packet to be\Ndropped. And a stop-and-wait ARQ, the Dialogue: 0,0:29:12.91,0:29:18.37,Default,,0000,0000,0000,,simplest variety of these protocols, would\Nleak the least amount of information, so Dialogue: 0,0:29:18.37,0:29:26.96,Default,,0000,0000,0000,,that's what we're using and we have three\Ncryptographic layers in our stack right Dialogue: 0,0:29:26.96,0:29:35.21,Default,,0000,0000,0000,,now in this Loopix Katzenpost project\Nwe're working on. Yawning Angel wrote a Dialogue: 0,0:29:35.21,0:29:42.03,Default,,0000,0000,0000,,cryptographic link layer based on the\NNoise cryptographic framework. He's mixing Dialogue: 0,0:29:42.03,0:29:49.51,Default,,0000,0000,0000,,NewHope-Simple with X25519 and the key\Nexchange and we also have a Sphinx Dialogue: 0,0:29:49.51,0:29:55.90,Default,,0000,0000,0000,,cryptographic layer. Sphinx is what Jeff\Ntalked about earlier, the cryptographic Dialogue: 0,0:29:55.90,0:30:02.25,Default,,0000,0000,0000,,packet format and we also have an end-to-\Nend cryptographic messaging.
And this is Dialogue: 0,0:30:02.25,0:30:08.52,Default,,0000,0000,0000,,another sort of Loopix style diagram:\NAlice sends message to Bob's provider, so Dialogue: 0,0:30:08.52,0:30:14.87,Default,,0000,0000,0000,,it goes through the mix network to Bob and\NBob can retrieve his message later and Dialogue: 0,0:30:14.87,0:30:20.82,Default,,0000,0000,0000,,with some relatively simple changes from\Nthis Loopix design, we can, to have Dialogue: 0,0:30:20.82,0:30:26.82,Default,,0000,0000,0000,,stronger location hiding properties, where\NAlice and Bob don't talk directly to the Dialogue: 0,0:30:26.82,0:30:32.01,Default,,0000,0000,0000,,provider that they're retrieving messages\Nfrom. They can send single-use reply Dialogue: 0,0:30:32.01,0:30:37.52,Default,,0000,0000,0000,,blocks to retrieve messages this would\Nincrease latency. Dialogue: 0,0:30:37.52,0:30:40.24,Default,,0000,0000,0000,,J.: So one thing that's nice there's a\Ncomment to make here, is that a lot of Dialogue: 0,0:30:40.24,0:30:46.24,Default,,0000,0000,0000,,time certain schemes in academia tend to\Nuse, want to use PIR for this retrieving, Dialogue: 0,0:30:46.24,0:30:52.95,Default,,0000,0000,0000,,the the thing I thought from your from\Nyour provider and then the - one of the Dialogue: 0,0:30:52.95,0:30:58.31,Default,,0000,0000,0000,,problems with using a PIR scheme here is\Nthat you're gonna have very different very Dialogue: 0,0:30:58.31,0:31:03.07,Default,,0000,0000,0000,,different sort of assumptions at play\Nthere and the way even what you model it Dialogue: 0,0:31:03.07,0:31:07.86,Default,,0000,0000,0000,,is going to be necessary necessarily quite\Ncomplex. It's probably fun if you're a Dialogue: 0,0:31:07.86,0:31:11.48,Default,,0000,0000,0000,,graduate student, you know, doing, playing\Nwith all this stuff but it's actually Dialogue: 0,0:31:11.48,0:31:17.45,Default,,0000,0000,0000,,giving all of everything to match up will\Nbe complicated. 
So this is why, so in the Dialogue: 0,0:31:17.45,0:31:21.22,Default,,0000,0000,0000,,scheme they were talking about here you\Nactually, you're your mix net is giving Dialogue: 0,0:31:21.22,0:31:24.89,Default,,0000,0000,0000,,you your location hiding property so you\Ncan you can extract some similar things. Dialogue: 0,0:31:24.89,0:31:29.62,Default,,0000,0000,0000,,D.: Well, right and also, whereas in this\Nsituation, with a Loopix design it doesn't Dialogue: 0,0:31:29.62,0:31:36.33,Default,,0000,0000,0000,,have strong location hiding properties, in\Nparticular if Alice really wanted to Dialogue: 0,0:31:36.33,0:31:42.43,Default,,0000,0000,0000,,figure figure out where Bob is she would\Nhack his provider and then stake it out Dialogue: 0,0:31:42.43,0:31:46.78,Default,,0000,0000,0000,,until his IP address showed up again or so\N- Dialogue: 0,0:31:46.78,0:31:52.07,Default,,0000,0000,0000,,J.: One problem with this, with these\Nprovider models, is that, like David just Dialogue: 0,0:31:52.07,0:32:00.62,Default,,0000,0000,0000,,said, you can get your provider hacked and\Nthere's a way to fix that. It requires Dialogue: 0,0:32:00.62,0:32:03.83,Default,,0000,0000,0000,,modifying Sphinx a bit, I said, I know\Nthat we just said don't roll your own Dialogue: 0,0:32:03.83,0:32:07.99,Default,,0000,0000,0000,,packet format but it's a good idea to go\Nthrough the security proof again anyway Dialogue: 0,0:32:07.99,0:32:14.59,Default,,0000,0000,0000,,and it's a small change. But, so, the idea\Nis that we have, in this middle, this Dialogue: 0,0:32:14.59,0:32:21.21,Default,,0000,0000,0000,,harddrive picture, is is some sort of of\Nmailbox server or cumulation thing, that Dialogue: 0,0:32:21.21,0:32:27.25,Default,,0000,0000,0000,,the receiver here can move whenever he\Nwants without telling his contacts. 
And Dialogue: 0,0:32:27.25,0:32:31.58,Default,,0000,0000,0000,,his contacts actually reach him in other\Nways; either he gives them SURBs or he Dialogue: 0,0:32:31.58,0:32:35.14,Default,,0000,0000,0000,,sub- puts the SURBs at this thing called a\Ncrossover point, which I didn't want to Dialogue: 0,0:32:35.14,0:32:42.52,Default,,0000,0000,0000,,tell you too much about. So, but the the\Nidea is that this guy can, our receiver Dialogue: 0,0:32:42.52,0:32:49.43,Default,,0000,0000,0000,,can supply the - he can send some SURBs to\Nthis point in the middle and then the Dialogue: 0,0:32:49.43,0:32:55.64,Default,,0000,0000,0000,,pack- and when he goes online - and then\Nit will send him messages, so the you can Dialogue: 0,0:32:55.64,0:33:00.42,Default,,0000,0000,0000,,have this ver- this decoupling and one of\Nthe nice things - so at the end of the day Dialogue: 0,0:33:00.42,0:33:03.93,Default,,0000,0000,0000,,what the proof, what's your like security\Nresult for the mix net's going to be, is Dialogue: 0,0:33:03.93,0:33:08.10,Default,,0000,0000,0000,,like, okay well, in three months - you\Nknow they're not going to be able to Dialogue: 0,0:33:08.10,0:33:12.88,Default,,0000,0000,0000,,deanonymise you in three months. So we may\Nbe able to do a bit more if we can move Dialogue: 0,0:33:12.88,0:33:19.81,Default,,0000,0000,0000,,this guy in the middle periodically.\NOkay, so but this is work, very much work Dialogue: 0,0:33:19.81,0:33:22.78,Default,,0000,0000,0000,,in progress, it's not at all in the Katzenpost\Nthing and it requires modifying Dialogue: 0,0:33:22.78,0:33:28.69,Default,,0000,0000,0000,,Sphinx and doing doing some redoing a\Nnumber of proofs. So, okay, we've been Dialogue: 0,0:33:28.69,0:33:35.69,Default,,0000,0000,0000,,talking about applications with the idea\Nbeing messaging.
There's other Dialogue: 0,0:33:35.69,0:33:41.15,Default,,0000,0000,0000,,applications and - where you're still\Nsending messages but to give you a bit Dialogue: 0,0:33:41.15,0:33:46.85,Default,,0000,0000,0000,,more, something a bit more concrete:\NThere's a there's a few schemes for doing Dialogue: 0,0:33:46.85,0:33:49.34,Default,,0000,0000,0000,,anonymous money, well right now there's a\Nlot of schemes for doing anonymous money Dialogue: 0,0:33:49.34,0:33:52.49,Default,,0000,0000,0000,,and mostly they suck but there's a few\Nthat are actually quite good and have Dialogue: 0,0:33:52.49,0:33:58.29,Default,,0000,0000,0000,,extremely strong cryptographic assurances\Non their anonymity: Zcash you basically Dialogue: 0,0:33:58.29,0:34:01.05,Default,,0000,0000,0000,,would have to invert a hash function or\Nsomething to break it, I'm not completely Dialogue: 0,0:34:01.05,0:34:07.80,Default,,0000,0000,0000,,sure, Taler, well in in the RSA blind\Nsignatures have information theoretically Dialogue: 0,0:34:07.80,0:34:10.46,Default,,0000,0000,0000,,secure blinding, which means they are\Nabsolutely unbreakable. Dialogue: 0,0:34:10.46,0:34:11.75,Default,,0000,0000,0000,,There's a point in Taler where it's weaker Dialogue: 0,0:34:11.75,0:34:18.86,Default,,0000,0000,0000,,than that, but another thing you might ask\Nis, you know, can we do anything web-like. Dialogue: 0,0:34:18.86,0:34:23.84,Default,,0000,0000,0000,,Well, there's a project that wants to like\Npackage up web pages and ship them over Dialogue: 0,0:34:23.84,0:34:30.45,Default,,0000,0000,0000,,free nets, so you could use it to ship\Nthings over a mix network. 
But, Dialogue: 0,0:34:30.45,0:34:33.98,Default,,0000,0000,0000,,fundamentally, if you imagine what we want\Nto do is like build build some application Dialogue: 0,0:34:33.98,0:34:36.86,Default,,0000,0000,0000,,that does some collaborative thing like\Nrun something like Google Wave or have a Dialogue: 0,0:34:36.86,0:34:42.46,Default,,0000,0000,0000,,have just an etherpad over a mix network,\Nyou're gonna have the interesting issues Dialogue: 0,0:34:42.46,0:34:48.40,Default,,0000,0000,0000,,that pop up with like the merges and other\Nthing and, and anyway the latency is gonna Dialogue: 0,0:34:48.40,0:34:53.37,Default,,0000,0000,0000,,have other impacts on the users. And one\Nthings we're not really thinking about but Dialogue: 0,0:34:53.37,0:34:59.23,Default,,0000,0000,0000,,we would really like other people to think\Nabout is sort of how to make how to make Dialogue: 0,0:34:59.23,0:35:08.42,Default,,0000,0000,0000,,people happy with higher latency\Napplications. And this sounds hard, but Dialogue: 0,0:35:08.42,0:35:11.67,Default,,0000,0000,0000,,actually a lot of times, like, you know\Nwhen you look at people who are developing Dialogue: 0,0:35:11.67,0:35:16.44,Default,,0000,0000,0000,,more modern web frameworks, actually they\Nare doing you know more of the abstract Dialogue: 0,0:35:16.44,0:35:23.00,Default,,0000,0000,0000,,alike something like CouchDB is doing;\Nit's not literally, you know, supporting Dialogue: 0,0:35:23.00,0:35:27.11,Default,,0000,0000,0000,,latency, but it's it's decoupling things\Nin a way that it is quite relevant to what Dialogue: 0,0:35:27.11,0:35:30.06,Default,,0000,0000,0000,,we want to do.\ND: So, but it wouldn't be fair for us to Dialogue: 0,0:35:30.06,0:35:35.15,Default,,0000,0000,0000,,say, like, "hey, use this cool messaging\Napp - it's unreliable, so I'm gonna send Dialogue: 0,0:35:35.15,0:35:40.98,Default,,0000,0000,0000,,you a message, but you might not get it."\NSo we want to definitely build in some Dialogue:
0,0:35:40.98,0:35:47.23,Default,,0000,0000,0000,,reliability, and and you and you pay for\Nthat in in retransmission some times and Dialogue: 0,0:35:47.23,0:35:51.29,Default,,0000,0000,0000,,and some extra leaked information for\Nwhich we need to compensate with more Dialogue: 0,0:35:51.29,0:35:56.05,Default,,0000,0000,0000,,decoy traffic. We can actually -- the\NLoopix paper explores this trade-off where Dialogue: 0,0:35:56.05,0:36:00.04,Default,,0000,0000,0000,,you can make the latency lower in a mix\Nnetwork if you are willing to send more Dialogue: 0,0:36:00.04,0:36:05.76,Default,,0000,0000,0000,,decoy traffic. And so that should help.\NJ: Yeah Dialogue: 0,0:36:05.76,0:36:11.19,Default,,0000,0000,0000,,D: It's it would still it still doesn't\Nmake mix networks, I don't think as low Dialogue: 0,0:36:11.19,0:36:18.84,Default,,0000,0000,0000,,latency as Tor or even close. But this is\Na matter of tuning, and we can at least Dialogue: 0,0:36:18.84,0:36:22.66,Default,,0000,0000,0000,,have lower latency mix networks than say,\N10 years ago. Dialogue: 0,0:36:22.66,0:36:25.30,Default,,0000,0000,0000,,J: One of the nice things about certainly\Nthe nice things about the stuff that Dialogue: 0,0:36:25.30,0:36:28.59,Default,,0000,0000,0000,,David and Yawning have been doing is that\Nthey're they're active really trying to Dialogue: 0,0:36:28.59,0:36:39.84,Default,,0000,0000,0000,,make the - the the, sorry, the reliability\Nmeasures work in the mixed work in the -- Dialogue: 0,0:36:39.84,0:36:43.32,Default,,0000,0000,0000,,or just just above the mix network. And\Nthis is really essential if you want to Dialogue: 0,0:36:43.32,0:36:48.03,Default,,0000,0000,0000,,build something that application\Ndevelopers can use because one it is Dialogue: 0,0:36:48.03,0:36:53.65,Default,,0000,0000,0000,,actually common in anonymity systems for\Nthe sort of reliability measures to create Dialogue: 0,0:36:53.65,0:36:59.42,Default,,0000,0000,0000,,to possibly compromise other things.
So\Nhaving being able to do the reliability Dialogue: 0,0:36:59.42,0:37:03.91,Default,,0000,0000,0000,,stuff in a way that you can still have\Nyour security properties for it is Dialogue: 0,0:37:03.91,0:37:09.10,Default,,0000,0000,0000,,important. Okay.\ND: Oh yeah, we'd like to say thanks to the Dialogue: 0,0:37:09.10,0:37:14.24,Default,,0000,0000,0000,,researchers we've been working with. And I\Nlike to thank Yawning Angel for all the Dialogue: 0,0:37:14.24,0:37:19.54,Default,,0000,0000,0000,,good design advice and work on the\Nspecifications. And and for George for his Dialogue: 0,0:37:19.54,0:37:21.81,Default,,0000,0000,0000,,advice.\NJ: George and Claudia are always one Dialogue: 0,0:37:21.81,0:37:24.91,Default,,0000,0000,0000,,D: For their excellent paper. Anya for her\NLoopix paper. Dialogue: 0,0:37:24.91,0:37:27.45,Default,,0000,0000,0000,,J: Christian I've - everything that I've\Nbeen working on our talk to Christian Dialogue: 0,0:37:27.45,0:37:29.55,Default,,0000,0000,0000,,about all the time\ND: Nick Mathewson from the Tor project Dialogue: 0,0:37:29.55,0:37:35.21,Default,,0000,0000,0000,,helped me out a lot with the with our PKI\Nspecification because, well, I mean he Dialogue: 0,0:37:35.21,0:37:39.24,Default,,0000,0000,0000,,wrote the directory authority system for\NMixminion, and for Tor, and Dialogue: 0,0:37:39.24,0:37:43.44,Default,,0000,0000,0000,,J: And also to Trevor Perrin for running\Nthis wonderful mailing list which where we Dialogue: 0,0:37:43.44,0:37:45.95,Default,,0000,0000,0000,,get all where we get numbers\Nof important ideas. Dialogue: 0,0:37:45.95,0:37:52.03,Default,,0000,0000,0000,,D: Ah yeah and Trevor also helped with our\NPKI sense so that was really great; with Dialogue: 0,0:37:52.03,0:37:58.21,Default,,0000,0000,0000,,our wire protocol using Noise, I mean.\NAnyway and that's that's the this new sort Dialogue: 0,0:37:58.21,0:38:03.00,Default,,0000,0000,0000,,of project. Alright, that's it.
Dialogue: 0,0:38:03.00,0:38:12.96,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:38:12.96,0:38:17.59,Default,,0000,0000,0000,,Herald: Thank you so much, if you have any\Nquestions here in the room, please line up Dialogue: 0,0:38:17.59,0:38:25.47,Default,,0000,0000,0000,,at the microphones. Do we have questions\Nfrom the internet? From the IRC Network? Dialogue: 0,0:38:25.47,0:38:31.22,Default,,0000,0000,0000,,No questions from the IRC. There's one\Nquestion microphone one Dialogue: 0,0:38:31.22,0:38:35.72,Default,,0000,0000,0000,,Mic 1: You mentioned latency will be\Nhigher than tor - should we be thinking Dialogue: 0,0:38:35.72,0:38:41.45,Default,,0000,0000,0000,,sort of seconds, minutes,\Nwhat's the sort of order of Dialogue: 0,0:38:41.45,0:38:44.00,Default,,0000,0000,0000,,J: We don't know\ND: Oh yes so the question is, the latency Dialogue: 0,0:38:44.00,0:38:49.26,Default,,0000,0000,0000,,will be higher than tor, how how high will\Nit be? We don't really know until we tune Dialogue: 0,0:38:49.26,0:38:52.99,Default,,0000,0000,0000,,the mix Network and we're not\NJ: George has claimed seconds so I don't Dialogue: 0,0:38:52.99,0:38:55.50,Default,,0000,0000,0000,,know if I believe him\ND: I should start off by saying that mix Dialogue: 0,0:38:55.50,0:38:59.08,Default,,0000,0000,0000,,networks aren't trying to be a general-\Npurpose anonymity system like tor. We're Dialogue: 0,0:38:59.08,0:39:03.85,Default,,0000,0000,0000,,trying to make customized networks for\Nspecific applications, and so each Dialogue: 0,0:39:03.85,0:39:09.48,Default,,0000,0000,0000,,application has different traffic patterns\Nin different ways they're used. So the Dialogue: 0,0:39:09.48,0:39:17.39,Default,,0000,0000,0000,,latency would would necessarily come after\Ntuning. Now, some, we have some idea that Dialogue: 0,0:39:17.39,0:39:22.70,Default,,0000,0000,0000,,maybe a few minutes, let's say. But it;\Nreally I can't answer the question yet. 
Dialogue: 0,0:39:22.70,0:39:27.62,Default,,0000,0000,0000,,Actually the researchers we're working with\Nare about to publish a new paper about how Dialogue: 0,0:39:27.62,0:39:36.47,Default,,0000,0000,0000,,to tune decoy traffic and latency for the\Ndesired entropy you want in each mix, Dialogue: 0,0:39:36.47,0:39:41.20,Default,,0000,0000,0000,,yeah.\NHerald: Microphone number two, your Dialogue: 0,0:39:41.20,0:39:45.06,Default,,0000,0000,0000,,question?\NMic 2: You have mentioned that the in Dialogue: 0,0:39:45.06,0:39:50.51,Default,,0000,0000,0000,,mix networks PKIs have higher\Nscalability problems than in Tor - why is Dialogue: 0,0:39:50.51,0:39:54.89,Default,,0000,0000,0000,,that? It looks like the mix Network will\Nhave less nodes because the you don't need Dialogue: 0,0:39:54.89,0:39:59.40,Default,,0000,0000,0000,,route unpredictability, so\NJ: I mean if you're trying to build a Dialogue: 0,0:39:59.40,0:40:03.23,Default,,0000,0000,0000,,replacement for email and you want\Neveryone in the world to use it, if you Dialogue: 0,0:40:03.23,0:40:10.06,Default,,0000,0000,0000,,work through like, a sort of very bullshit\Nback of the envelope computation - Dialogue: 0,0:40:10.06,0:40:17.81,Default,,0000,0000,0000,,there's an argument that your that if you\Nhave a central that a centralized PKI plus Dialogue: 0,0:40:17.81,0:40:22.61,Default,,0000,0000,0000,,whatever other anonymity system is only\Nabout 10 million times better than just Dialogue: 0,0:40:22.61,0:40:27.79,Default,,0000,0000,0000,,sending every message to everybody.\NSomething, you know, that's very back of Dialogue: 0,0:40:27.79,0:40:37.09,Default,,0000,0000,0000,,the envelope you can try and work.
So you\Nneed; yeah well okay so there's that, and Dialogue: 0,0:40:37.09,0:40:41.60,Default,,0000,0000,0000,,and the the specific seeing when I said\Nit's less of a problem for tor, is that Dialogue: 0,0:40:41.60,0:40:44.02,Default,,0000,0000,0000,,tor can do certain clever\Nthings like there's a, Dialogue: 0,0:40:44.02,0:40:47.07,Default,,0000,0000,0000,,there's one of their proposals I think is\Nactually not taking that seriously at the Dialogue: 0,0:40:47.07,0:40:52.15,Default,,0000,0000,0000,,moment is where they published this big\Nlist - they published the PKI or sorry, Dialogue: 0,0:40:52.15,0:40:57.89,Default,,0000,0000,0000,,the big the the thing and nodes don't\Nactually download the whole, the the whole Dialogue: 0,0:40:57.89,0:41:02.29,Default,,0000,0000,0000,,consensus at all. They just point to a\Nplace in the consensus and they get back a Dialogue: 0,0:41:02.29,0:41:06.17,Default,,0000,0000,0000,,proof that they were given the correct\Nthat they were forwarded to the correct Dialogue: 0,0:41:06.17,0:41:10.24,Default,,0000,0000,0000,,node. So this might this then gives you\Nanother order of magnitude or two on that Dialogue: 0,0:41:10.24,0:41:16.37,Default,,0000,0000,0000,,fat on that you know 10 million\NI just quoted you. 
Dialogue: 0,0:41:16.37,0:41:22.09,Default,,0000,0000,0000,,Herald: Okay, microphone number three\NMic 3: Hi, this is looks like really good Dialogue: 0,0:41:22.09,0:41:26.98,Default,,0000,0000,0000,,work and I'm happy to see it - now my\Nquestion is if there are multiple Dialogue: 0,0:41:26.98,0:41:30.53,Default,,0000,0000,0000,,applications which have different tuning\Nrequirements, can they share the same Dialogue: 0,0:41:30.53,0:41:34.16,Default,,0000,0000,0000,,network and help each others anonymity\Nset, or do we have to have multiple Dialogue: 0,0:41:34.16,0:41:38.61,Default,,0000,0000,0000,,networks?\ND: Ah, so we agree it would be best if Dialogue: 0,0:41:38.61,0:41:43.13,Default,,0000,0000,0000,,they could help each other by increasing\Neach other's anonymity set. But we're Dialogue: 0,0:41:43.13,0:41:48.72,Default,,0000,0000,0000,,concerned that the specific tuning for the\Ndecoy traffic might prohibit this in some Dialogue: 0,0:41:48.72,0:41:54.11,Default,,0000,0000,0000,,cases. For -- actually, and there's some\Nother considerations as well, so since Dialogue: 0,0:41:54.11,0:41:59.51,Default,,0000,0000,0000,,we're not stream oriented, all the data\Nhas to fit in one packet. And so if we Dialogue: 0,0:41:59.51,0:42:04.49,Default,,0000,0000,0000,,have like an email use case, we probably\Nare gonna get around 50 K average size Dialogue: 0,0:42:04.49,0:42:10.43,Default,,0000,0000,0000,,emails, let's say. And if we want to make\Nlike mix chat or Katzen chat application, Dialogue: 0,0:42:10.43,0:42:15.65,Default,,0000,0000,0000,,I might send really short messages like,\N"yo what's up", and now we're sending that Dialogue: 0,0:42:15.65,0:42:19.57,Default,,0000,0000,0000,,in a big 50 K a packet.\NJ: So, one thing that is clear - if you Dialogue: 0,0:42:19.57,0:42:23.32,Default,,0000,0000,0000,,wouldn't do it for all, think you wouldn't\Nhave a new thing for every application. 
Dialogue: 0,0:42:23.32,0:42:26.21,Default,,0000,0000,0000,,Obviously if you have something that's\Ngonna be quite infrequent like a payment Dialogue: 0,0:42:26.21,0:42:32.07,Default,,0000,0000,0000,,thing, then it needs then you should be\Nusing a network with with much more Dialogue: 0,0:42:32.07,0:42:36.48,Default,,0000,0000,0000,,frequent packets and just accept that\Nyou're gonna be you -- accept though the Dialogue: 0,0:42:36.48,0:42:40.56,Default,,0000,0000,0000,,inefficiency. D: And there's another\Nconsideration too - it, which is, Dialogue: 0,0:42:40.56,0:42:45.32,Default,,0000,0000,0000,,sometimes in these chat applications,\Ncommunication partnerships might be Dialogue: 0,0:42:45.32,0:42:48.51,Default,,0000,0000,0000,,symmetrical in that we\Nmight send each other roughly the same Dialogue: 0,0:42:48.51,0:42:53.56,Default,,0000,0000,0000,,amount of data. And and stuff that, like\Nnot that I don't think mix Nets are good Dialogue: 0,0:42:53.56,0:42:58.23,Default,,0000,0000,0000,,for web browsing, but in stuff like the\Nweb it's more like "get to page" and then Dialogue: 0,0:42:58.23,0:43:02.49,Default,,0000,0000,0000,,you get a bunch of information back. So\Nthere's a lot of different; so what would Dialogue: 0,0:43:02.49,0:43:08.47,Default,,0000,0000,0000,,the decoy traffic look like that versus a\Nsymmetrical communication partnership. 
So Dialogue: 0,0:43:08.47,0:43:13.14,Default,,0000,0000,0000,,that's what I meant by some applications\Nmight not be compatible with each other to Dialogue: 0,0:43:13.14,0:43:17.25,Default,,0000,0000,0000,,tune this decoy traffic\NJ: Yeah we certainly would hope that most Dialogue: 0,0:43:17.25,0:43:21.55,Default,,0000,0000,0000,,sort of like peer-to-peer, that, you know\Nmost sort of peer-to-peer like all of your Dialogue: 0,0:43:21.55,0:43:25.63,Default,,0000,0000,0000,,etherpad, your other sort of collaborative\Napplications, your email, your payment Dialogue: 0,0:43:25.63,0:43:28.61,Default,,0000,0000,0000,,network - we'd certainly hope that all\Nthat stuff could be bundled onto one thing Dialogue: 0,0:43:28.61,0:43:33.75,Default,,0000,0000,0000,,that was sort of optimized for this email-\Nlike use case. And then whether if you Dialogue: 0,0:43:33.75,0:43:40.57,Default,,0000,0000,0000,,actually need the instant messaging\Nnetwork at all is another question. Dialogue: 0,0:43:40.57,0:43:44.58,Default,,0000,0000,0000,,Herald: All right, microphone number one\Nwhat's your question? Dialogue: 0,0:43:44.58,0:43:49.28,Default,,0000,0000,0000,,Mic 1: Um, can you give well can you give\Nmore concrete examples of software to try Dialogue: 0,0:43:49.28,0:43:54.61,Default,,0000,0000,0000,,out or like, so like like papers are\Ngreat, like is there anything to touch to Dialogue: 0,0:43:54.61,0:43:57.85,Default,,0000,0000,0000,,act to, whatever\ND: Well well, I mean, actually right now Dialogue: 0,0:43:57.85,0:44:03.25,Default,,0000,0000,0000,,we're running a test mix Network on\Nseveral machines that we had lying around, Dialogue: 0,0:44:03.25,0:44:08.24,Default,,0000,0000,0000,,and it works great - thanks for (meskhi\Noh) and (kali) for their help for that. 
Dialogue: 0,0:44:08.24,0:44:14.46,Default,,0000,0000,0000,,But, we don't really have any anything\Nnear production-ready, like Dialogue: 0,0:44:14.46,0:44:21.30,Default,,0000,0000,0000,,J: Yeah the stuff I was talking about\Ndoesn't even work. Dialogue: 0,0:44:21.30,0:44:27.59,Default,,0000,0000,0000,,D: So the answer to question is: no, we\Ngot nothing. But but we hope we hope soon. Dialogue: 0,0:44:27.59,0:44:31.51,Default,,0000,0000,0000,,Like, I'm not sure how soon, but\NJ: Depends on funding, depends on other Dialogue: 0,0:44:31.51,0:44:37.75,Default,,0000,0000,0000,,things: we're working on it.\NHerald: Thank you, microphone two: what is Dialogue: 0,0:44:37.75,0:44:41.42,Default,,0000,0000,0000,,your question?\NMic 2: I was thinking about this in the Dialogue: 0,0:44:41.42,0:44:47.38,Default,,0000,0000,0000,,real world - you're envisioning an app\Nwhere people can communicate, and I worry Dialogue: 0,0:44:47.38,0:44:54.93,Default,,0000,0000,0000,,about mobile telephones because; let's\Nenvision two users using this app to Dialogue: 0,0:44:54.93,0:44:58.95,Default,,0000,0000,0000,,communicate with each other. The idea\Nwould be that one person sends a message Dialogue: 0,0:44:58.95,0:45:02.26,Default,,0000,0000,0000,,and then sometime later this\Nother person takes their phone out Dialogue: 0,0:45:02.26,0:45:06.18,Default,,0000,0000,0000,,of their pocket. There is so much going\Non when a phone comes out of a pocket and Dialogue: 0,0:45:06.18,0:45:12.27,Default,,0000,0000,0000,,as the screen is turned on. WhatsApp is\Ntalked to; there's so much that that you Dialogue: 0,0:45:12.27,0:45:17.19,Default,,0000,0000,0000,,can look at outside of this whole mix\NNetwork that if you, over a month of time, Dialogue: 0,0:45:17.19,0:45:22.22,Default,,0000,0000,0000,,can correlate who picks their phone out of\Ntheir pockets every time when, when person Dialogue: 0,0:45:22.22,0:45:25.68,Default,,0000,0000,0000,,sends a message. 
So can't you correlate\Nthat way and isn't that a huge problem Dialogue: 0,0:45:25.68,0:45:29.94,Default,,0000,0000,0000,,that, that sort of is completely outside\Nof the world of the of the problems you're Dialogue: 0,0:45:29.94,0:45:34.78,Default,,0000,0000,0000,,thinking about.\NJ: My, in my ideal; I have no idea. In my Dialogue: 0,0:45:34.78,0:45:40.48,Default,,0000,0000,0000,,ideal world the part of the solution to\Nmaking the users happier with latency is Dialogue: 0,0:45:40.48,0:45:45.34,Default,,0000,0000,0000,,the phone doesn't ding anymore. You don't\Nget notifications - you check your phone Dialogue: 0,0:45:45.34,0:45:51.72,Default,,0000,0000,0000,,when you check your phone.\NMic 2: Sorry, I think that would be an Dialogue: 0,0:45:51.72,0:45:55.69,Default,,0000,0000,0000,,important security property as well.\NJ: But I would actually like it there's a Dialogue: 0,0:45:55.69,0:45:59.96,Default,,0000,0000,0000,,question here is: would that make people\Nactually happier with latency? What can Dialogue: 0,0:45:59.96,0:46:03.33,Default,,0000,0000,0000,,you, I mean, you you know all of these\Nthings that are being built now are being Dialogue: 0,0:46:03.33,0:46:07.53,Default,,0000,0000,0000,,built to sort of maximize engagement. And\Nyou want to actually, you actually don't Dialogue: 0,0:46:07.53,0:46:10.67,Default,,0000,0000,0000,,want to do that anymore. You want people\Nto only use it when they want to you know Dialogue: 0,0:46:10.67,0:46:19.49,Default,,0000,0000,0000,,when they want to use it.\NHerald: All right, thank you. Seems there Dialogue: 0,0:46:19.49,0:46:24.48,Default,,0000,0000,0000,,are no further questions, so thanks a lot\Nto Jeff, thanks a lot to David Dialogue: 0,0:46:24.48,0:46:34.66,Default,,0000,0000,0000,,{\i1}Applause{\i0} Dialogue: 0,0:46:34.66,0:46:39.64,Default,,0000,0000,0000,,{\i1}Music{\i0} Dialogue: 0,0:46:39.64,0:46:52.00,Default,,0000,0000,0000,,subtitles created by c3subtitles.de\Nin the year 2018. Join, and help us!