Aplicabilidad del modelo público-privado en el sector de la vialidad en el

Parameters: t, the period; pmin the minimum pool; frac, the fraction of messages

to be sent; n, the threshold

Flushing Algorithm: The mix fires every t seconds, provided there are n + pmin

messages in the mix. We call the actual number of messages in the mix at the time of firing m,(m_−pmin ≥ n). Instead of sending m−pmin messages (as in a timed-and-

threshold constant-pool mix), the mix sends the greater of 1 and_{b(m − p}min)∗ fracc

messages, and retains the rest in the pool.

If n = 1, this is the mix that has been used in the Mixmaster remailer system for years [Cot02, Cot94].

When messages arrive at a constant rate of one per t, Cottrell mixes are equivalent to both timed pool mixes and threshold-1 constant-pool mixes. Specifically, if the rate r of message arrival is 1/t, the mix will forward 1 message in every period and retain pmin in the pool. For a general Cottrell mix, if the messages arrive at a constant rate

of n∗ frac/t and dn ∗ frace = n ∗ frac, then this is equivalent to a constant-pool mix with a pool of pmin+ n(1− frac) (and threshold n ∗ frac).

Message Delay: As with the other pool mixes, the minimum delay is , and there is no upper limit on the delay. The mean delay depends on the future rate of arrival of messages into the mix; it is at least as big as that of a timed constant-pool mix with the same pool size.

Anonymity: The dynamic-pool mix has identical minimum and maximum ano- nymity properties to a timed constant-pool mix. We could similarly use a record of the mix’s activity to calculate the anonymity of a message passing through it (al- though the calculation would be slightly different). Qualitatively, we may note that the anonymity provided by the mix would be higher than that provided by a timed constant-pool mix: As the number of messages in the mix goes up, frac keeps the chance of the message remaining in the mix constant, whereas it decreases in the case of the timed constant-pool mix. Naturally, the extra anonymity comes from the extra message delay.

Blending Attack Behaviour: The introduction of the dynamic parameter frac has several new consequences compared to the timed constant-pool mix.

Firstly, the maximum probability of a particular message exiting the mix in a single round does not asymptotically approach 1 as the number of messages goes up, instead it approaches frac. Hence, even if the attacker sends in a large number of his messages to the mix, the probability of flushing G good messages out of it in one round is fracG. Therefore there is no possibility of flushing the mix with high probability in one flush: the first of the two blending attacks on timed constant-pool mixes is blocked. As already noted, it is similarly more resistant to flooding than a constant-pool threshold mix.

Secondly, the attacker has to find out how many messages are in the mix. Of course, the number of good messages in the mix is easy to calculate from the number of messages that come out.

Finally, the number of messages inside the pool mix may be arbitrarily high and cannot be reduced to below pmin in one round. Therefore, if we wish to send a

message that is harder for the active attacker to track, we should send it at a time of higher traffic – thereby increasing the cost (in terms of messages or time) of attempted attacks on it.6

Thus timed dynamic-pool mixes require the attacker to delay all the traffic to the mix for a substantial number of rounds, and therefore for a substantial time. Again, our Haskell program allows us to compute the probability of the attacker emptying the mix in a variety of scenarios:

This example shows that the protection this mix provides against blending attacks is still not very strong. Indeed, as the number of messages inserted by the attacker at each round goes up, the probability of a successful attack tends to ((1_{− frac)}k₎G

where k is the number of rounds. Ideally we would like a mix for which the anonymity

6_{Unfortunately, an attacker capable of arbitrary message insertions, as we have been assuming,}

Messages Rounds Probability of Success 30 3 0.14 60 3 0.28 300 3 0.46 600 3 0.48 30 5 0.474 60 5 0.66 300 5 0.82 600 5 0.84 30 7 0.73 60 7 0.87 300 7 0.95 600 7 0.95

Table 4.1: Emptying the Cottrell Mix

does not go to 0 even as the cost of the attack goes up. We would also be happier with a mix where the probability of a successful attack is proportional to _{P (k)}1 where P is a polynomial of a small degree.

4.4

Related Work

There are relatively few attempts to deal with active attacks in the literature. First and foremost, Kesdogan proposes two schemes for dealing with such attacks in [KEB98]. We look at these in more detail.