Matthew Toseland wrote: >> There's a tradeoff here: large cells provide a large anonymity set if >> the attacker's outside the cell, but they make it more likely that >> there's an attacker inside the cell who can attack key distribution etc. > > Sure, but inside the cell it's harder to attack than outside it, surely that > is the whole point? Tor, I2P, Mixmaster and other traditional onion routers > (apart from spanning tree impl's) use a whole-network cell.
Right, but they all fudge the key distribution problem. Tor and Mixminion use central directory servers; I2P uses a DHT made of untrusted nodes; Tarzan uses an insecure and unscalable gossip protocol; MorphMix uses an insecure collusion detection mechanism [1]. I understand why premix routing is preferable to tunnels but you have to solve the key distribution problem - your credibility score proposal sounds promising but I'm not sure it's possible to make it Sybilproof and still ensure that all nodes agree about the topology. Cheers, Michael [1] http://www.crhc.uiuc.edu/~nikita/papers/pet2006-morphmix.pdf
