1996-anderson-eternity
findings extracted from this paper
-
Anderson establishes that anonymity and physical redundancy are substitutes: 'Anonymity enables us to reduce diversity.' Tamper-resistant hardware security modules controlling anonymized file servers ensure no identifiable group of people — including sysadmins — can locate or delete a specific file without breaking a quorum of hardware modules distributed across jurisdictions.
-
Using Byzantine-fault-tolerant protocols (specifically Rampart), seven replicas suffice to resist a conspiracy of any two malicious administrators or the accidental destruction of four systems with guaranteed complete recovery. Signing all files with a system key further ensures that a full recovery is possible as long as a single valid copy and an uncompromised public key survive.
-
Effective censorship of a distributed service requires simultaneous enforcement across every jurisdiction hosting nodes. With no head office to coerce, a legal attack requires coordination across multiple independent legal systems — making successful suppression 'very expensive indeed — hopefully beyond even the resources of governments.' Local bans (e.g., country-level) do not affect nodes in other jurisdictions.
-
The Eternity Service's core design stores a file on 100 servers worldwide but retains records of only 10 for auditing, destroying the remaining 90 records. Even if a user is legally compelled to disclose all 10 known server locations and those copies are seized, 90 copies survive at unknown locations and can be retrieved via anonymous broadcast once the user leaves the jurisdiction.
-
Traffic analysis is identified as the primary threat to location secrecy in a distributed anonymous storage system: if an adversary can correlate inter-server communications or link requests to stored file locations, it can target physical seizure. The paper proposes mix-nets (Chaum 1981) for user-facing file delivery and dining-cryptographers ring protocols for inter-server communications, supplemented by traffic padding, so that even traffic analysis yields no actionable location information.