Dagster requires both clients and servers to enforce a randomness predicate rand?(x) on every block before storage or forwarding, ensuring all server-stored data is statistically indistinguishable from uniform random noise. This provides server deniability — the operator can credibly deny knowledge of content — and also closes the attack present in Publius and Freenet where a malicious client could post plaintext, potentially exposing the operator for 'knowingly' hosting illegal content.

The paper derives a closed-form expression for the expected number of later blocks that link to the n-th block: with c=10 cross-links per block, there is a 55% probability that the 10^7th block in the system will have been linked by at least one subsequent legitimate block after 10^5 additional blocks are added. This quantifies the minimum corpus activity required before a publisher can safely announce a document and have plausible censor-resistance.

§5.5 evaluation

Dagster identifies every block by the cryptographic hash of its contents (block ID), making it infeasible for an adversary to pre-empt a name with bogus data — an attack that directly affects Publius, where an attacker who possesses a target document can insert garbage under the same name that the legitimate document would have occupied. Content-addressing also makes the system robust to the naming ambiguity observed in Freenet (where a single document was posted under three distinct capitalizations).

§4.3, §5.2 defense

Dagster achieves censorship resistance on a single server — without geographic replication — by cryptographically intertwining legitimate and illegitimate data into a directed acyclic graph. Each new block XORs the publisher's content with c pre-existing blocks before encrypting with a fresh key, so removing any one block destroys the decodability of every block that later links to it. This creates a legal constraint: a censor cannot excise a censorable block without simultaneously destroying an unknown number of legally protected blocks that depend on it.

§1, §3.1, §5.5 defense

Dagster's randomness predicate cannot distinguish legitimate random-looking blocks from adversarially generated filler, leaving the system vulnerable to storage-exhaustion denial-of-service: an attacker can submit arbitrarily many random blocks that pass the predicate, consuming server disk until legitimate publications are refused. The paper identifies anonymous digital cash (as proposed in the Eternity Service) or hash-cash proof-of-work as candidate mitigations but does not implement either.

§7 defense

Drivel evaluates its design against the GFW's fully-encrypted-traffic detector (documented in Wu et al. 2023). The thesis demonstrates that switching to post-quantum primitives does not by itself change the traffic's appearance to a statistical censor classifier — the fully-encrypted detection problem is independent of the underlying cryptographic algorithm and must be addressed at the traffic-shaping layer regardless of key-exchange choice.

2025-himmelberger-drivel §3, §4 fully-encrypted-detectrandom-payload-detect

Drivel is an obfs4-style fully-encrypted proxy protocol that replaces obfs4's pre-quantum cryptographic primitives with post-quantum alternatives. It is one of the first circumvention protocols explicitly designed to remain secure under a quantum adversary, addressing the forward-secrecy threat to deployed circumvention traffic recorded today for future decryption.

2025-himmelberger-drivel §1, §2 fully-encrypted-detectrandom-payload-detect

State-of-the-art ML-based obfs4 detection (Wang et al. decision tree) achieves 97% precision at equal base rates (λ=1) but precision collapses to 3% at a still-conservative λ=1,000; at λ=10⁶ precision approaches zero for all classifiers tested. This base-rate failure was previously uncharacterized because prior evaluations only considered balanced or near-balanced datasets.

2024-wails-precisely §IV-D (Scalability), Figure 3, Table I ml-classifierrandom-payload-detectdpi

obfs4 and obfs⋆ produce characteristic wire patterns—bursts of roughly MTU-sized payloads followed by a randomly-sized chaff packet—that CNN classifiers detect purely from packet-size sequences without payload inspection. A trivial per-bridge entropy-biasing re-encoding (obfs⋆) completely defeats the hand-tuned decision tree (0% precision, 0% recall) but does not reduce CNN detectability, because the CNN generalizes across size-distribution variants.

2024-wails-precisely §V-E, §IV-D-3, Figure 4 traffic-shapeml-classifierrandom-payload-detect

Despite fully encrypted protocols existing since obfs2 in 2012, the first documented evidence of the GFW passively detecting them purely by randomness appeared only in 2021 — approximately a decade later — and was limited to certain foreign IP address ranges and a subsampled fraction of traffic. Meanwhile, the GFW had been discovering obfs2/obfs3 servers via active probing as early as 2013, indicating censors found active-probing-based address discovery cheaper and more reliable than passive statistical classifiers for this protocol family.

2023-fifield-comments §5 fully-encrypted-detectactive-probingrandom-payload-detect

The GFW detects Shadowsocks by flagging apparently high-entropy connections that are not TLS or HTTP, but this detection is brittle: connections are explicitly allowed if the first 6 bytes of the first packet of a flow are all printable ASCII characters (range 0x20–0x7E). Adding a 6-byte alphanumeric preamble to the Shadowsocks message definition is sufficient to bypass this heuristic and requires only a short patch to the protocol specification file.

2023-wails-proteus §3.2 random-payload-detectfully-encrypted-detectdpi