Technical Report UCAM-CL-TR-604 ISSN 1476-2986 Number 604 Computer Laboratory On the anonymity of anonymity systems Andrei Serjantov October 2004 15 JJ Thomson Avenue Cambridge CB3 0FD United Kingdom phone +44 1223 763500 http://www.cl.cam.ac.uk/ (cid:13)c 2004 Andrei Serjantov This technical report is based on a dissertation submitted March 2003 by the author for the degree of Doctor of Philosophy to the University of Cambridge, Queens’ College. Technical reports published by the University of Cambridge Computer Laboratory are freely available via the Internet: http://www.cl.cam.ac.uk/TechReports/ ISSN 1476-2986 On the Anonymity of Anonymity Systems Andrei Serjantov Summary Anonymity on the Internet is a property commonly identi(cid:12)ed with privacy of elec- tronic communications. A number of di(cid:11)erent systems exist which claim to provide anonymous email and web browsing, but their e(cid:11)ectiveness has hardly been evalu- ated in practice. In this thesis we focus on the anonymity properties of such systems. First, we show how the anonymity of anonymity systems can be quanti(cid:12)ed, pointing out (cid:13)aws with existing metrics and proposing our own. In the process we distinguish the anonymity of a message and that of an anonymity system. Secondly, wefocusonthepropertiesofbuildingblocksofmix-based(email)anonym- itysystems,evaluatingtheirresistancetopowerfulblending attacks,theirdelay,their anonymity under normal conditions and other properties. This leads us to methods of computing anonymity for a particular class of mixes { timed mixes { and a new binomial mix. Next, we look at the anonymity of a message going through an entire anonymity system based on a mix network architecture. We construct a semantics of a network with threshold mixes, de(cid:12)ne the information observable by an attacker, and give a principled de(cid:12)nition of the anonymity of a message going through such a network. We then consider low latency connection-based anonymity systems, giving concrete attacks and describing methods of protection against them. In particular, we show that Peer-to-Peer anonymity systems provide less anonymity against the global pas- sive adversary than ones based on a \classic" architecture. Finally, we give an account of how anonymity can be used in censorship resistant systems. Thesearedesignedtoprovideavailabilityofdocuments,whilefacingthreats from a powerful adversary. We show how anonymity can be used to hide the identity of the servers where each of the documents are stored, thus making them harder to remove from the system. 3 4 Contents 1 Introduction 11 1.1 Privacy and Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . 11 1.2 Uses of Anonymity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 1.2.1 Web Browsing and Email . . . . . . . . . . . . . . . . . . . . . 14 1.2.2 Electronic Voting . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1.2.3 Censorship Resistance . . . . . . . . . . . . . . . . . . . . . . . 15 1.3 Structure of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . 16 1.4 Contributions of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . 17 1.5 Publication History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 2 The Basics of Anonymity Systems 19 2.1 Background and Historical Developments . . . . . . . . . . . . . . . . 19 2.2 Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 2.3 Unlinkability via Mix Systems . . . . . . . . . . . . . . . . . . . . . . . 23 2.3.1 Basic Properties of Chaum’s Construction . . . . . . . . . . . . 25 2.3.2 Threat Models . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 2.3.3 More on Mix Systems . . . . . . . . . . . . . . . . . . . . . . . 27 2.3.4 Cascades vs Networks . . . . . . . . . . . . . . . . . . . . . . . 28 2.3.5 The (n 1) Attack . . . . . . . . . . . . . . . . . . . . . . . . . 29 (cid:0) 2.4 Message-based Systems for Anonymous Email . . . . . . . . . . . . . . 30 2.4.1 Open Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 5 2.5 Anonymous Web Browsing . . . . . . . . . . . . . . . . . . . . . . . . 31 2.5.1 Attacks and Open Problems . . . . . . . . . . . . . . . . . . . . 33 2.6 Other Schemes { Related Work . . . . . . . . . . . . . . . . . . . . . . 34 2.6.1 Crowds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 2.6.2 Dining Cryptographers Networks . . . . . . . . . . . . . . . . . 35 2.6.3 Buses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.6.4 Location Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . 36 2.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 3 Measuring Anonymity 39 3.1 Previous Work: Anonymity Sets . . . . . . . . . . . . . . . . . . . . . 40 3.1.1 Anonymity Sets in Dining Cryptographers Networks . . . . . . 40 3.1.2 Anonymity Sets in Stop-and-Go Mixes . . . . . . . . . . . . . . 40 3.1.3 Standard Terminology { Anonymity Sets . . . . . . . . . . . . 41 3.2 Di(cid:14)culties with Anonymity Set Size . . . . . . . . . . . . . . . . . . . 42 3.2.1 The Pool Mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 3.2.2 Knowledge Vulnerability . . . . . . . . . . . . . . . . . . . . . . 44 3.3 Entropy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 3.4 Analysis of the Pool Mix . . . . . . . . . . . . . . . . . . . . . . . . . . 46 3.5 What is Anonymity? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.6 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 3.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52 4 Active Attack Properties of Single Mixes 53 4.1 Blending Attack Taxonomy . . . . . . . . . . . . . . . . . . . . . . . . 54 4.2 Simple Mixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56 4.2.1 Threshold Mix . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 4.2.2 Timed Mix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 4.2.3 Threshold-Or-Timed Mix . . . . . . . . . . . . . . . . . . . . . 59 6 4.2.4 Threshold-And-Timed Mix . . . . . . . . . . . . . . . . . . . . 60 4.3 Pool Mixes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 4.3.1 Threshold Pool Mix . . . . . . . . . . . . . . . . . . . . . . . . 60 4.3.2 Timed Pool Mix . . . . . . . . . . . . . . . . . . . . . . . . . . 64 4.3.3 Timed Dynamic-Pool Mix (Cottrell Mix) . . . . . . . . . . . . 71 4.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 4.4.1 Limitations of Stop-and-Go Mixes . . . . . . . . . . . . . . . . 73 4.4.2 Other Work on Batching Mixes . . . . . . . . . . . . . . . . . . 74 4.4.3 Deployed Mixes . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 4.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 5 Generalising Mixes and the Binomial Mix 77 5.1 Expressing Mixes as Functions . . . . . . . . . . . . . . . . . . . . . . 77 5.2 Extensions Arising Out of the Framework . . . . . . . . . . . . . . . . 78 5.3 Adding Randomization: The Binomial Mix . . . . . . . . . . . . . . . 81 5.3.1 Blending Attack on the Binomial Mix . . . . . . . . . . . . . . 82 5.4 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 6 From Mixes to Mix Networks 87 6.1 The Mix Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 6.2 Formal Representation of the Mix Network . . . . . . . . . . . . . . . 89 6.3 Mix Network State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 6.4 Formal Representation of the Mix Network State . . . . . . . . . . . . 90 6.5 Mix Network Dynamics . . . . . . . . . . . . . . . . . . . . . . . . . . 91 6.6 Formal Representation of the Mix Network Dynamics . . . . . . . . . 92 6.7 Attacker Observations of the Mix Networks . . . . . . . . . . . . . . . 94 6.8 Formal Representation of the Attacker Observations . . . . . . . . . . 95 6.8.1 De(cid:12)ning Labels Observable by the Attacker . . . . . . . . . . . 95 7 6.8.2 De(cid:12)ning Traces . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 6.8.3 Attacker Observations . . . . . . . . . . . . . . . . . . . . . . . 97 6.8.4 Erasing the Trace. . . . . . . . . . . . . . . . . . . . . . . . . . 100 6.9 Calculating the Anonymity Probability Distribution . . . . . . . . . . 100 6.10 Calculating the Anonymity Probability Distribution Formally . . . . . 102 6.10.1 External Receive Events . . . . . . . . . . . . . . . . . . . . . . 102 6.10.2 Scenario Anonymity . . . . . . . . . . . . . . . . . . . . . . . . 104 6.11 Calculating Anonymity { a Simple Example . . . . . . . . . . . . . . . 106 6.12 Commentary and Model Design Choices . . . . . . . . . . . . . . . . . 108 6.13 Related and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 110 6.14 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 7 On the (non)-Anonymity of Connection-based Systems 113 7.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 7.2 Systems and Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114 7.3 Threat Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 7.4 Analysis: Lone Connection Tracking . . . . . . . . . . . . . . . . . . . 117 7.4.1 Mean-based analysis . . . . . . . . . . . . . . . . . . . . . . . . 120 7.4.2 De(cid:12)nitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 7.4.3 Simulator Results . . . . . . . . . . . . . . . . . . . . . . . . . 122 7.4.4 Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 7.5 Analysis: Connection-start Tracking . . . . . . . . . . . . . . . . . . . 125 7.5.1 Working with Richer Tra(cid:14)c Features . . . . . . . . . . . . . . . 130 7.6 Discussion and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . 130 7.7 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 7.8 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 8 8 Anonymity and Censorship Resistance 135 8.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 8.2 System Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 8.2.1 Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 8.2.2 Retrieval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141 8.3 Commentary on the Protocol . . . . . . . . . . . . . . . . . . . . . . . 141 8.3.1 Replication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 8.3.2 Forwarders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 8.3.3 Encryption of Shares . . . . . . . . . . . . . . . . . . . . . . . . 143 8.3.4 Decrypters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 8.4 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144 8.5 Related and Future Work . . . . . . . . . . . . . . . . . . . . . . . . . 145 8.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 9 Conclusion and Future Work 147 9.1 Future Directions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 9.2 Concluding Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 A Variable Conventions 151 9 10