This was my keynote talk for FOCI 2024.1. link

Against the “arms race”

David Fifield

Censorship and circumvention are often characterized as an “arms race” or “cat-and-mouse game”.

Examples from CensorBib

The global escalation of Internet censorship by nation-state actors has led to an ongoing arms race between censors and obfuscated circumvention proxies.

The arms race between Internet freedom advocates and censors has catalyzed the emergence of sophisticated blocking techniques…

Censorship circumvention is an arms race between covert communication systems and nation-state adversaries…

This has led to an ongoing arms race between adversaries and free speech activists…

The ongoing arms-race between the GFW and Tor has been extensively studied…

…a promising way forward in the cat-and-mouse game between censors and censorship resistors.

These terms, while having some basis in fact, are overly reductive—they don’t tell the whole story. Not false, but incomplete. They risk limiting the way we practitioners model problems, and how others think of the research field.

Let’s thoughtfully examine what assumptions we bring into research. Is the facet we’re studying well-characterized as an arms race? Maybe it is—or maybe it should get a more precise description.

The following characters were rudely traced, in a red tint, between the death’s head and the goat:


“But,” said I, returning him the slip, “I am as much in the dark as ever. Were all the jewels of Golconda awaiting me upon my solution of

“The Gold-Bug”, 1843.

…it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.

“A few words on secret writing”, 1841.

2. The Basics of Provable Security

Edgar Allan Poe was not only an author, but also a cryptography enthusiast. He once wrote, in a discussion on the state of the art in cryptography:

“Human ingenuity cannot concoct a cipher which human ingenuity cannot resolve.”

This was an accurate assessment of the cryptography that existed in 1841. Whenever someone would come up with an encryption method, someone else would inevitably find a way to break it, and the cat-and-mouse game would repeat again and again.

The Joy of Cryptography, .

Early-ish examples of cat-and-mouse games / arms races:

I hope to change the perception that the circumvention problem is a cat-and-mouse game that affords only incremental and temporary advancements. Rather, let us state the assumptions about censor behavior atop which we build circumvention designs, and let those assumptions be based on an informed understanding of censor behavior.

“Threat modeling and circumvention of Internet censorship”, .

Any system, even a fundamentally broken one, will work to circumvent most censors, as long as it is used only by one or only a few clients. The true test arises only after the system has begun to scale and the censor to fight back. This phenomenon may have contributed to the unfortunate characterization of censorship and circumvention as a cat-and-mouse game: deploying a flawed circumvention system, watching it become more popular and then get blocked, then starting over again with another similarly flawed system. In my opinion, the cat-and-mouse game is not inevitable, but is a consequence of inadequate understanding of censors. It is possible to develop systems that resist blocking—not absolutely, but quantifiably, in terms of costs to the censor—even after they have become popular.

“Threat modeling and circumvention of Internet censorship”, .

and tools for circumvention
that are sound in theory
and effective in practice.

% censorship is an evil to be destroyed.


\index{border firewall|(}

Censorship is a big topic,

Thesis statement: Whereas existing systems that aim to hide censorship-resistant traffic from a censor decline in usefulness over time as assumptions limiting the censor’s ability to detect circumvention tools collapse with improvements to traffic analysis technologies, we can design and deploy usable Internet freedom tools that stand the test of time, despite open knowledge of their operation and use, and despite technological improvements that enhance the traffic analysis abilities of the censor.

“Recipes for Resistance: A Censorship Circumvention Cookbook”, .
Kerckhoffs’s principle
The cipher should not require secrecy, and it should not be a problem if it falls into enemy hands.
Shannon’s maxim
The enemy knows the system being used.
Thought-terminating cliché
A commonly used phrase or piece of folk wisdom used to quell cognitive dissonance.
An arcade game which involves quickly and repeatedly hitting the heads of mechanical moles with a mallet as they pop up from holes.
Nesnad, CC BY 4.0, via Wikimedia Commons

Who is the cat and who is the mouse?

Alternatives to arms race modeling: costs and tradeoffs

This forces the censor to make a tradeoff between gaining trust in order to cause greater damage (i.e., learning more trusted bridges to block, inviting more censors to bridges, etc., depending on the constraints of the specific reputation system), and keeping bridges unblocked for longer periods of time, which is necessary to build trust.
“Lox: Protecting the Social Graph in Bridge Distribution”,
Snowflake is blockable by any censor that is willing to block WebRTC. We would not try to argue otherwise. Indeed, we believe that the way to present a circumvention system is not to argue for its absolute unblockability, but to lay out what actions by a censor would be necessary to block it—or more to the point, what sacrifices a censor would have to make in order to block it. Advancing the state of the art of censorship circumvention consists in pushing blocking out of reach of more and more censors.
“Snowflake, a censorship circumvention system using temporary WebRTC proxies”,

Research specifically on arms race aspects remains legitimate

We play out one iteration of this hypothetical arms race, and design a tweaked obfs protocol which we call obfs⋆.
“On Precisely Detecting Censorship Circumvention in Real-World Networks”,
Any reasonable threat model would assume that default bridges are immediately blocked. And yet in practice we find that they are often not blocked, even by censors that otherwise block Tor relays. We face a paradox: why is it that censors do not take blocking steps that we find obvious? There must be some quality of censors’ internal dynamics that we do not understand adequately.
“Threat modeling and circumvention of Internet censorship”,

Jumping out of the system

Diagram of a censorship model, with a ‘client’ node in the middle of a censor-controlled network, connected by network links to an outside ‘destination’ node.
The “border firewall” abstract model.
Censors are more capable, more determined, and have more resources and more human hours than any legitimate user. They can solve CAPTCHAs, purchase scarce resources, or solve proofs-of-work. But legitimate users have friends.
“Hyphae: Social Secret Sharing”,
The goal of our work is to move censorship research in new directions that will lead to the development of stronger circumvention systems.
“On Precisely Detecting Censorship Circumvention in Real-World Networks”,

David Fifield