Comprehensive Anonymity Trilemma: User Coordination is not enough

Abstract For anonymous communication networks (ACNs), Das et al. recently confirmed a long-suspected trilemma result that ACNs cannot achieve strong anonymity, low latency overhead and low bandwidth overhead at the same time. Our paper emanates from the careful observation that their analysis does not include a relevant class of ACNs with what we call user coordination where users proactively work together towards improving their anonymity. We show that such protocols can achieve better anonymity than predicted by the above trilemma result. As the main contribution, we present a stronger impossibility result that includes all ACNs we are aware of. Along with our formal analysis, we provide intuitive interpretations and lessons learned. Finally, we demonstrate qualitatively stricter requirements for the Anytrust assumption (all but one protocol party is compromised) prevalent across ACNs.

[1]  Eli Upfal,et al.  Practical and Provably Secure Onion Routing , 2017, ICALP.

[2]  George Danezis,et al.  The Loopix Anonymity System , 2017, USENIX Security Symposium.

[3]  Aggelos Kiayias,et al.  MCMix: Anonymous Messaging via Secure Multiparty Computation , 2017, USENIX Security Symposium.

[4]  Nickolai Zeldovich,et al.  This Paper Is Included in the Proceedings of the 12th Usenix Symposium on Operating Systems Design and Implementation (osdi '16). Alpenhorn: Bootstrapping Secure Communication without Leaking Metadata Alpenhorn: Bootstrapping Secure Communication without Leaking Metadata , 2022 .

[5]  Stefan Savage,et al.  Herd : A Scalable , Traffic Analysis Resistant Anonymity Network for VoIP Systems , 2015 .

[6]  Nick Mathewson,et al.  Tor: The Second-Generation Onion Router , 2004, USENIX Security Symposium.

[7]  Paul F. Syverson,et al.  Anonymous connections and onion routing , 1998, IEEE J. Sel. Areas Commun..

[8]  George Danezis,et al.  HORNET: High-speed Onion Routing at the Network Layer , 2015, CCS.

[9]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[10]  Prateek Mittal,et al.  Pisces: Anonymous Communication Using Social Networks , 2013, NDSS.

[11]  Daniele Micciancio,et al.  An Indistinguishability-Based Characterization of Anonymous Channels , 2008, Privacy Enhancing Technologies.

[12]  Lars Michael Kristensen,et al.  The practitioner’s guide to coloured Petri nets , 1998, International Journal on Software Tools for Technology Transfer.

[13]  Ari Juels,et al.  Dining Cryptographers Revisited , 2004, EUROCRYPT.

[14]  Srinivas Devadas,et al.  Riffle: An Efficient Communication System With Strong Anonymity , 2016, Proc. Priv. Enhancing Technol..

[15]  Craig Gentry,et al.  (Leveled) fully homomorphic encryption without bootstrapping , 2012, ITCS '12.

[16]  Carmela Troncoso,et al.  Drac: An Architecture for Anonymous Low-Volume Communications , 2010, Privacy Enhancing Technologies.

[17]  Amir Herzberg,et al.  On the limits of provable anonymity , 2013, IACR Cryptol. ePrint Arch..

[18]  Dan Boneh,et al.  Riposte: An Anonymous Messaging System Handling Millions of Users , 2015, 2015 IEEE Symposium on Security and Privacy.

[19]  Aniket Kate,et al.  Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency - Choose Two , 2017, 2018 IEEE Symposium on Security and Privacy (SP).

[20]  Carmela Troncoso,et al.  Do Dummies Pay Off? Limits of Dummy Traffic Protection in Anonymous Communications , 2014, Privacy Enhancing Technologies.

[21]  David Chaum,et al.  Untraceable electronic mail, return addresses, and digital pseudonyms , 1981, CACM.

[22]  Wolfgang Reisig,et al.  A Primer in Petri Net Design , 1992, Springer Compass International.

[23]  Aniket Kate,et al.  AnoA: A Framework for Analyzing Anonymous Communication Protocols , 2013, 2013 IEEE 26th Computer Security Foundations Symposium.

[24]  Nickolai Zeldovich,et al.  Vuvuzela: scalable private messaging resistant to traffic analysis , 2015, SOSP.

[25]  Srinath T. V. Setty,et al.  Unobservable Communication over Fully Untrusted Infrastructure , 2016, OSDI.

[26]  Eli Upfal,et al.  On the Complexity of Anonymous Communication Through Public Networks , 2019, ArXiv.

[27]  Dogan Kesdogan,et al.  Stop-and-Go-MIXes Providing Probabilistic Anonymity in an Open System , 1998, Information Hiding.

[28]  Emin Gün Sirer,et al.  Herbivore: A Scalable and Efficient Protocol for Anonymous Communication , 2003 .