Comments on: Tracking Codes Revised http://anomos.info/wp/2008/06/19/tracking-codes-revised/ The Anomos: Pseudonymous and Encrypted BitTorrent protocol Wed, 07 Jan 2009 09:51:02 +0000 http://wordpress.org/?v=2.7 hourly 1 By: John http://anomos.info/wp/2008/06/19/tracking-codes-revised/comment-page-1/#comment-5 John Wed, 02 Jul 2008 19:40:56 +0000 http://anomos.info/wp/?p=19#comment-5 Thanks for the suggestion bh, although I didn't detail it in the post, we are using a padding scheme very similar to what you described. The encryption function E_peer generates an AES session key and uses that to bulk encrypt the rest of the tracking code. Each layer therefore looks something like this: {Session Key}[checksum, length, data, padding] |-------------------------160 bytes-------------------------------| where {} means that the data is encrypted with the peers RSA public key and [] means that it's encrypted with the AES session key. The [] section is padded so that its length modulo 32 is 0. The completed tracking code is padded out to a predefined size (most likely 1024 bytes), so that, after reading their part of the message, each peer can repad the message with random data to that length. Thanks for the suggestion bh, although I didn’t detail it in the post, we are using a padding scheme very similar to what you described. The encryption function E_peer generates an AES session key and uses that to bulk encrypt the rest of the tracking code. Each layer therefore looks something like this:
{Session Key}[checksum, length, data, padding]
|————————-160 bytes——————————-|
where {} means that the data is encrypted with the peers RSA public key and [] means that it’s encrypted with the AES session key. The [] section is padded so that its length modulo 32 is 0. The completed tracking code is padded out to a predefined size (most likely 1024 bytes), so that, after reading their part of the message, each peer can repad the message with random data to that length.

]]> By: bh http://anomos.info/wp/2008/06/19/tracking-codes-revised/comment-page-1/#comment-4 bh Tue, 24 Jun 2008 19:14:00 +0000 http://anomos.info/wp/?p=19#comment-4 You're still leaking information about the path length since the path string monotonically decreases in length. If you naïvely concatenate a pad, a participant can still infer the remaining length of the path. Instead, I suggest that each participant attach a pseudo-random pad to the message before retransmission. When any recipient other than the last decrypts the message, the pad text will be indistinguishable from ciphertext intended for a subsequent recipient. The terminal recipient will be able to distinguish the original message from the pad text by means of some delimiter string. You’re still leaking information about the path length since the path string monotonically decreases in length. If you naïvely concatenate a pad, a participant can still infer the remaining length of the path.

Instead, I suggest that each participant attach a pseudo-random pad to the message before retransmission. When any recipient other than the last decrypts the message, the pad text will be indistinguishable from ciphertext intended for a subsequent recipient. The terminal recipient will be able to distinguish the original message from the pad text by means of some delimiter string.

]]>