2013-winter-scramblesuit
findings extracted from this paper
-
ScrambleSuit's prototype achieves a mean goodput of 148 KB/s (σ=61 KB/s) versus Tor's 286 KB/s (σ=227 KB/s) over a 100 Mbit/s LAN — roughly half Tor's throughput — with 45–50% total protocol overhead compared to Tor's 19.6%. Disabling inter-arrival time obfuscation raises goodput to 321 KB/s (σ=231 KB/s), demonstrating that artificial delays are the dominant cost rather than padding or cryptography.
-
ScrambleSuit achieves polymorphism by seeding each server's PRNG with a randomly generated 256-bit value, which generates server-specific probability distributions over packet lengths (up to 100 bins) and inter-arrival times (bins in [0, 10) ms). The seed is shared with clients after authentication, so both sides shape traffic identically; a censor monitoring two distinct ScrambleSuit servers observes different distributions and cannot build a single universal classifier.
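The seed-to-distribution step described in this finding, as an added sketch that is not code from the paper or from ScrambleSuit itself. The SHA-256 label expansion, the use of Python's `random` generator, the packet length bounds and all names are assumptions made for illustration.

```python
import hashlib
import random
import secrets

MAX_BINS = 100               # "up to 100 bins" for packet lengths
MAX_DELAY_MS = 10.0          # inter-arrival bins lie in [0, 10) ms
MIN_LEN, MAX_LEN = 21, 1448  # assumed length bounds for this sketch


def new_server_seed() -> bytes:
    """Each server draws its own random 256-bit seed once."""
    return secrets.token_bytes(32)


def derive_distribution(seed: bytes, label: bytes, low: float, high: float):
    """Expand the seed into (bin values, probabilities) deterministically."""
    # A label is hashed in so the two distributions do not mirror each other.
    digest = hashlib.sha256(label + seed).digest()
    rng = random.Random(int.from_bytes(digest, "big"))  # simplification: not a CSPRNG
    n_bins = rng.randint(1, MAX_BINS)
    values = [low + (high - low) * rng.random() for _ in range(n_bins)]
    weights = [rng.random() for _ in range(n_bins)]
    total = sum(weights)
    return values, [w / total for w in weights]


class TrafficShaper:
    """Holds the two seed-derived distributions and samples from them."""

    def __init__(self, seed: bytes):
        if len(seed) != 32:
            raise ValueError("seed must be 256 bits")
        raw, self.length_probs = derive_distribution(seed, b"len", MIN_LEN, MAX_LEN + 1)
        self.lengths = [int(v) for v in raw]  # whole bytes in [MIN_LEN, MAX_LEN]
        self.delays_ms, self.delay_probs = derive_distribution(seed, b"iat", 0.0, MAX_DELAY_MS)

    def sample(self, n: int, rng=None):
        """Draw n (packet length, delay in ms) pairs for outgoing traffic."""
        rng = rng or random.SystemRandom()  # per-packet choices need not be shared
        sizes = rng.choices(self.lengths, self.length_probs, k=n)
        waits = rng.choices(self.delays_ms, self.delay_probs, k=n)
        return list(zip(sizes, waits))


if __name__ == "__main__":
    a, b = TrafficShaper(new_server_seed()), TrafficShaper(new_server_seed())
    print("server A:", a.sample(3), "\nserver B:", b.sample(3))
```

A client that receives the server's seed after authentication builds the same `TrafficShaper`, while a second server with a different seed ends up with different bins and weights.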
-
Client proof-of-work puzzles are ineffective as an active-probing defense because a state-level censor with parallel hardware can solve multiple puzzles simultaneously, one per CPU core. The authors estimate that the Tor bridge churn rate (rate of new bridge IP addresses) is too low to raise a well-equipped censor's workload beyond practical limits without simultaneously making the scheme impractical for legitimate clients — the same balancing problem as PoW for spam.
-
ScrambleSuit defeats active probing by requiring clients to prove knowledge of an out-of-band shared secret before the server responds; a probing censor receives only silence. Two mechanisms are provided: session tickets (preferred for non-Tor applications) and an authenticated UniformDH handshake (optimized for Tor's shared-secret bridge distribution model), with both producing payloads computationally indistinguishable from random.
-
Tor's traffic contains a characteristic prevalence of 586-byte packets (Tor's 512-byte cells plus TLS header overhead) that form a strong flow-level fingerprint detectable from a few dozen captured packets. ScrambleSuit's packet length morphing eliminates this signature and shifts the distribution toward MTU-sized packets, but the authors note that defeating a censor using the VNG++ classifier, which relies on coarse features like connection duration, total bytes, and burstiness, would still require only a marginal increase in ScrambleSuit's overhead.