Optimizing the design parameters of threshold pool mixes for anonymity and delay

Abstract

The provision of content confidentiality via message encryption is by no means sufficient when facing the significant privacy risks present in online communications. Indeed, the privacy literature abounds with examples of traffic analysis techniques aimed at revealing a great deal of information merely from the knowledge, even if probabilistic, of who is communicating with whom, when, and how frequently. Anonymous-communication systems emerge as a response to such traffic analysis threats. Mixes, and in particular threshold pool mixes, are a building block of anonymous-communication systems: nodes that receive, store, reorder and delay messages in batches. However, the anonymity gained from the statistical difficulty of linking incoming and outgoing messages comes at the expense of a potentially costly delay in the delivery of those messages. In this paper we address the design of such mixes in a systematic fashion, by defining quantitative measures of both anonymity and delay, and by mathematically formalizing practical design decisions as a multiobjective optimization problem. Our extensive theoretical analysis finds the optimal mix parametrization and characterizes the optimal trade-off between the contrasting aspects of anonymity and delay, for two information-theoretic measures of anonymity. Experimental results show that mix optimization may lead to substantial delay reductions for a desirable level of anonymity.
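The anonymity/delay trade-off the abstract describes can be made concrete with a small model. The following is an added example, not code or a model from the paper: it assumes a threshold pool mix that keeps a pool of f messages, waits for n fresh arrivals, forwards n of the n+f messages chosen uniformly at random and keeps the rest. Under that assumption a message's age at departure (in rounds) is geometric, and two standard information-theoretic measures, Shannon entropy and min-entropy of the attacker's distribution over which input an output message is, follow in closed form. The function names, the brute-force design search and the traffic trace used for the Monte Carlo check are all constructed for this example; the paper's own measures and optimization method are not reproduced here.

```python
"""Added example: anonymity vs. delay for a threshold pool mix under a
simplified model (assumption: n fresh arrivals trigger a flush of n of the
n+f pooled messages, chosen uniformly; f remain). A message survives each
flush with probability f/(n+f), so its age at departure is geometric in
rounds. Wall-clock time per round depends on the traffic rate, which this
model deliberately leaves out."""
import math
import random


def age_distribution(n, f, max_rounds=200):
    """P(outgoing message entered k rounds ago) for k = 0..max_rounds-1.
    Geometric with success probability p = n/(n+f); the truncated tail is
    negligible for the small parameters used here."""
    p = n / (n + f)
    return [p * (1 - p) ** k for k in range(max_rounds)]


def shannon_anonymity_bits(n, f):
    """Shannon entropy (bits) of the attacker's distribution over which input
    message an output message is. Each of the n messages that arrived k rounds
    ago is equally likely, so the entropy is H(age) + log2(n)."""
    h_age = -sum(q * math.log2(q) for q in age_distribution(n, f) if q > 0)
    return h_age + math.log2(n)


def min_entropy_anonymity_bits(n, f):
    """Min-entropy (bits): -log2 of the attacker's best single guess, which is
    any one of the n messages that arrived in the current round."""
    p_best = age_distribution(n, f)[0] / n
    return -math.log2(p_best)


def expected_delay_rounds(n, f):
    """Mean number of rounds a message waits in the pool: (1-p)/p = f/n."""
    return f / n


def simulate_mean_delay(n, f, rounds, seed=1):
    """Monte Carlo check of expected_delay_rounds on a constructed trace."""
    rng = random.Random(seed)
    pool = [None] * f             # pool primed with f placeholder messages (constructed)
    delays = []
    for r in range(rounds):
        pool.extend([r] * n)      # n fresh arrivals: threshold reached, flush
        rng.shuffle(pool)
        forwarded, pool = pool[:n], pool[n:]
        delays.extend(r - arrival for arrival in forwarded if arrival is not None)
    return sum(delays) / len(delays)


def cheapest_design(target_bits, max_n=8, max_f=8):
    """Brute-force stand-in for a design optimization (not the paper's method):
    the (n, f) with the smallest expected delay whose Shannon anonymity meets
    target_bits, ties broken toward the smaller threshold. None if infeasible."""
    feasible = [(n, f) for n in range(1, max_n + 1) for f in range(max_f + 1)
                if shannon_anonymity_bits(n, f) >= target_bits]
    if not feasible:
        return None
    return min(feasible, key=lambda d: (expected_delay_rounds(*d), d[0]))


if __name__ == "__main__":
    for n, f in [(2, 0), (1, 1), (4, 4), (8, 1)]:
        print(f"n={n} f={f}: H={shannon_anonymity_bits(n, f):.2f} bits, "
              f"Hmin={min_entropy_anonymity_bits(n, f):.2f} bits, "
              f"delay={expected_delay_rounds(n, f):.2f} rounds "
              f"(simulated {simulate_mean_delay(n, f, 5000):.2f})")
    print("cheapest design for 3.5 bits:", cheapest_design(3.5))
```

Two things the numbers make visible: a larger threshold buys anonymity (log2(n) bits) with no pool delay, while the pool buys it at a geometric cost in rounds; and the two measures disagree, since min-entropy only credits the most-likely candidates (the current round) and so never rewards the pool as much as Shannon entropy does. Delay here is counted in rounds; a large threshold also lengthens each round when traffic is sparse, which is why a real design has to weigh the arrival rate as well.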
