Dagster requires both clients and servers to enforce a randomness predicate rand?(x) on every block before storage or forwarding, ensuring all server-stored data is statistically indistinguishable from uniform random noise. This provides server deniability — the operator can credibly deny knowledge of content — and also closes the attack present in Publius and Freenet where a malicious client could post plaintext, potentially exposing the operator for 'knowingly' hosting illegal content.

The paper derives a closed-form expression for the expected number of later blocks that link to the n-th block: with c=10 cross-links per block, there is a 55% probability that the 10^7th block in the system will have been linked by at least one subsequent legitimate block after 10^5 additional blocks are added. This quantifies the minimum corpus activity required before a publisher can safely announce a document and have plausible censor-resistance.

§5.5 evaluation

Dagster identifies every block by the cryptographic hash of its contents (block ID), making it infeasible for an adversary to pre-empt a name with bogus data — an attack that directly affects Publius, where an attacker who possesses a target document can insert garbage under the same name that the legitimate document would have occupied. Content-addressing also makes the system robust to the naming ambiguity observed in Freenet (where a single document was posted under three distinct capitalizations).

§4.3, §5.2 defense

Dagster achieves censorship resistance on a single server — without geographic replication — by cryptographically intertwining legitimate and illegitimate data into a directed acyclic graph. Each new block XORs the publisher's content with c pre-existing blocks before encrypting with a fresh key, so removing any one block destroys the decodability of every block that later links to it. This creates a legal constraint: a censor cannot excise a censorable block without simultaneously destroying an unknown number of legally protected blocks that depend on it.

§1, §3.1, §5.5 defense

Dagster's randomness predicate cannot distinguish legitimate random-looking blocks from adversarially generated filler, leaving the system vulnerable to storage-exhaustion denial-of-service: an attacker can submit arbitrarily many random blocks that pass the predicate, consuming server disk until legitimate publications are refused. The paper identifies anonymous digital cash (as proposed in the Eternity Service) or hash-cash proof-of-work as candidate mitigations but does not implement either.

§7 defense

An uncertainty-aware filtering (UF) mechanism quantifies per-token reliability via Shannon entropy of the cross-modal header–payload attention matrix, finding that encrypted payloads still contain low-entropy tokens with stable cross-modal alignment that serve as reliable classification anchors — demonstrating that nominally randomized byte streams retain exploitable low-entropy structure.

2026-he-trafficmoe-heterogeneity-aware-mixture §III-D ml-classifierrandom-payload-detect

Encrypted traffic exhibits a 'full-frequency' spectral property where both low- and high-frequency components are highly active with comparable intensity, unlike natural images which are dominated by low-frequency components. Fourier Transform analysis across CIC-IoT2023, DoHBrw2020, and ISCX-Tor2016 confirms this distinction is pervasive. This signature is an inherent consequence of encryption disrupting byte-level semantics into a visually disordered, noise-like spatial pattern.

2026-lian-decompose-understand-fuse §II ml-classifiertraffic-shaperandom-payload-detectfully-encrypted-detect

Ablation experiments show that removing the high-frequency branch from FreeUp degrades AUC from 86.68% to 77.09% on CIC-IoT2023 (−9.6 pp) and from 95.53% to 95.10% on ISCX-Tor2016. Removing the entire frequency-decoupled framework causes the largest degradation, dropping to 82.10% AUC on CIC-IoT2023 and 81.26% on DoHBrw2020, confirming that high-frequency components are the primary discriminative signal in encrypted traffic anomaly detection.

2026-lian-decompose-understand-fuse §V-C, Table II ml-classifiertraffic-shaperandom-payload-detect

I2P payload entropy is close to 8 bits per packet (Figure 9), confirming strong encryption that renders payload content analytically unusable. Across all CNN experiments, models trained on payload data alone achieved 72.5–76.5% accuracy versus 95.17–99.5% for metadata-only variants; encrypted payload acted as 'noise that confused the model' rather than as a signal.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §IV-A, §V Experiment 2, Table IV ml-classifierrandom-payload-detect

I2P payload entropy was measured at close to 8 bits per byte across sampled packets (Figure 9), confirming that payload content is cryptographically indistinguishable from random noise and provides no usable signal for classification. All experimental variants using raw payload alone achieved poor and high-variance accuracy (72.5–76.5%), while excluding payload improved accuracy to 99.5% in lab conditions.

2026-rohrer-convolutional-neural-networks-deanonymisation-i2p §IV-A / §V Discussions random-payload-detectfully-encrypted-detect

Drivel evaluates its design against the GFW's fully-encrypted-traffic detector (documented in Wu et al. 2023). The thesis demonstrates that switching to post-quantum primitives does not by itself change the traffic's appearance to a statistical censor classifier — the fully-encrypted detection problem is independent of the underlying cryptographic algorithm and must be addressed at the traffic-shaping layer regardless of key-exchange choice.

2025-himmelberger-drivel §3, §4 fully-encrypted-detectrandom-payload-detect