Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency - Choose Two

This work investigates the fundamental constraints of anonymous communication (AC) protocols. We analyze the relationship between bandwidth overhead, latency overhead, and sender anonymity or recipient anonymity against a global passive (network-level) adversary. We confirm the trilemma that an AC protocol can achieve only two of the following three properties: strong anonymity (i.e., anonymity up to a negligible chance), low bandwidth overhead, and low latency overhead. We further study anonymity against a stronger global passive adversary that can additionally passively compromise some of the AC protocol nodes. For a given number of compromised nodes, we derive necessary constraints between bandwidth and latency overhead whose violation makes it impossible for an AC protocol to achieve strong anonymity. We analyze prominent AC protocols from the literature and show to what extent they satisfy our necessary constraints. Our fundamental necessary constraints offer a guideline not only for improving existing AC systems but also for designing novel AC protocols with non-traditional bandwidth and latency overhead choices.
