2011-bachrach-h00t
findings extracted from this paper
-
On a 2011 MacBook Air (1.86 GHz Core 2 Duo), #h00t achieves 3,610 encryptions/second and 15,590 decryptions/second (Table 2). Twitter's peak load at the time was 6,939 tweets/second, meaning full-service encryption at peak would require at most two commodity machines. The authors conclude that computational overhead is negligible and bandwidth is the binding constraint.
-
#h00t achieves censorship resistance by truncating a key-derivation-function output to k bits to produce a 'short tag', deliberately inducing collisions across unrelated groups. A censor cannot block a targeted group's short tag without simultaneously blocking all colliding groups — including innocuous, high-traffic ones — forcing heavy-handed censorship that creates domestic blowback. The design provides plausible deniability: subscribers can claim they follow a foreign pop star rather than a dissident group.
-
Against an attacker with 2^10 CPU cores running ~2^17–18 decryptions/second per core, plain tags require at least 47 bits of entropy to survive one week of brute force. A single dictionary word plus 7 decimal digits yields only 38.5 bits and can be cracked in ~20 minutes; two dictionary words plus 7 digits yields ~53.8 bits, requiring over two years. The authors note that SHA-1 was used in the prototype for performance reasons and recommend scrypt for production deployments.
-
Even with end-to-end encrypted messages, a censor observing subscription queries can detect anomalous interest in a short tag (e.g., a sudden domestic surge in followers of a foreign pop star's hashtag) and use timing/size traffic analysis to distinguish #h00t subscriptions from ordinary hashtag follows. The paper flags this as an open threat and proposes two mitigations: (1) push cover traffic for randomly selected short tags to all clients regardless of their actual subscriptions, or (2) silently redirect normal clients' hashtag follows to the corresponding #h00t short tags.