2011-bonneau-scrambling
findings extracted from this paper
-
If a large site such as Google or Wikipedia scrambled all served content using a publicly known de-scrambling algorithm, the censor faces a strict all-or-nothing blocking decision: it cannot selectively filter banned scrambled content without blocking the entire site, since scrambled legitimate and banned content are computationally indistinguishable prior to running S⁻¹. This property scales the political cost of blocking proportionally to the size of the co-scrambling platform.
-
Scrambling without secret key management can frustrate DPI-based censors if the de-scrambling function satisfies 'high-inertia' — meaning an adversary computing S⁻¹ on n inputs cannot use less than Θ(n) times the resources of a single commodity-PC user, including electricity, memory, and computation time. This forces bulk censorship to become computationally infeasible without over-censoring all scrambled content.
-
Transmitting the de-scrambling algorithm S⁻¹ as in-page JavaScript alongside AJAX-fetched scrambled content eliminates the need for special client software installation or trusted public-key distribution, removing the primary bootstrapping vulnerability that cryptographic censorship-resistance schemes (including Tor) share — a vulnerability exploited when Iran blocked Tor by filtering its Diffie-Hellman parameter bit sequence.
-
The proposed multi-stage scrambling composes four orthogonal layers: (a) 128-bit AES with 20 bits stripped, requiring brute-force search; (b) an AES key derived from a CAPTCHA solution; (c) a memory-bound function key; and (d) blocks whose de-scrambling exploits JavaScript floating-point and string-processing quirks. Each layer independently forces a censor to build or emulate a distinct acceleration environment, multiplying total reverse-engineering cost.
-
Applying a BEAR all-or-nothing package transform (using a zero key) to message blocks forces any censor attempting to scan content to cache all blocks from all active concurrent transfers simultaneously, since no individual block reveals any information about the original message until all blocks are received. Artificially delaying block transmission amplifies censor state requirements proportionally.