Abstract
We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication in the Universally Composable (UC) framework that abstracts the essential properties of onion routing in the presence of an active adversary who controls a portion of the network and knows all a priori distributions on user choices of destination. Our results quantify how much the adversary can gain in identifying users by exploiting knowledge of their probabilistic behavior. In particular, we show that, in the limit as the network gets large, a user u's anonymity is worst either when the other users always choose the destination u is least likely to visit or when the other users always choose the destination u chooses. This worst-case anonymity with an adversary that controls a fraction b of the routers is shown to be comparable to the best-case anonymity against an adversary that controls a fraction √b.
- Backes, M., Goldberg, I., Kate, A., and Mohammadi, E. 2012. Provably secure and practical onion routing. In Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF 12). 369--385. Google Scholar
Digital Library
- Bauer, K., McCoy, D., Grunwald, D., Kohno, T., and Sicker, D. 2007. Low-resource routing attacks against Tor. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 07). 11--20. Google Scholar
Digital Library
- Beimel, A. and Dolev, S. 2003. Buses for anonymous message delivery. J. Cryptol. 16, 1, 25--39.Google Scholar
Cross Ref
- Brown, Z. 2002. Cebolla: Pragmatic IP anonymity. In Proceedings of the Ottawa Linux Symposium.Google Scholar
- Camenisch, J. and Lysyanskaya, A. 2005. A formal treatment of onion routing. In Proceedings of CRYPTO Conference. 169--187. Google Scholar
Digital Library
- Canetti, R. 2000. Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067. http://eprint.iacr.org/.Google Scholar
- Chaum, D. 1981. Untraceable electronic mail, return addresses, and digital pseudonyms. Comm. ACM 4, 2, 84--88. Google Scholar
Digital Library
- Chaum, D. 1988. The dining cryptographers problem: Unconditional sender and recipient untraceability. International Association for Cryptology Research. J. Cryptol. 1, 1, 65--75. Google Scholar
Digital Library
- Corrigan-Gibbs, H. and Ford, B. 2010. Dissent: Accountable anonymous group messaging. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 10). 340--350. Google Scholar
Digital Library
- Danezis, G. 2003. Statistical disclosure attacks: Traffic confirmation in open environments. In Proceedings of Security and Privacy in the Age of Uncertainty Conference (SEC 03). 421--426.Google Scholar
Cross Ref
- Danezis, G. and Serjantov, A. 2004. Statistical disclosure or intersection attacks on anonymity systems. In Proceedings of the 6th Information Hiding Workshop (IH 04). 293--308. Google Scholar
Digital Library
- Díaz, C., Seys, S., Claessens, J., and Preneel, B. 2002. Towards measuring anonymity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop (PET 02). 54--68. Google Scholar
Digital Library
- Dingledine, R., Mathewson, N., and Syverson, P. 2004. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. 303--319. Google Scholar
Digital Library
- Feigenbaum, J., Johnson, A., and Syverson, P. 2007. A model of onion routing with provable anonymity. In Proceedings of the 11th Financial Cryptography and Data Security Conference (FC 07). 57--71. Google Scholar
Digital Library
- Freedman, M. J. and Morris, R. 2002. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 02). 193--206. Google Scholar
Digital Library
- Goldberg, I. and Shostack, A. 1999. Freedom 1.0 security issues and analysis. White paper, Zero Knowledge Systems, Inc.Google Scholar
- Goldberg, I. and Shostack, A. 2001. Freedom network 1.0 architecture and protocols. White paper, Zero Knowledge Systems, Inc.Google Scholar
- Goldschlag, D. M., Reed, M. G., and Syverson, P. F. 1996. Hiding routing information. In Proceedings of the Ist International Workshop on Information Hiding. 137--150. Google Scholar
Digital Library
- Halpern, J. Y. and O'Neill, K. R. 2005. Anonymity and information hiding in multiagent systems. J. Comput. Secur. 13, 3, 483--514. Google Scholar
Digital Library
- Herrmann, D., Wendolsky, R., and Federrath, H. 2009. Website fingerprinting: Attacking popular privacy enhancing technologies with the Multinomial Naïve-Bayes classifier. In Proceedings of the ACM Workshop on Cloud Computing Security (CCSW'09). 31--42. Google Scholar
Digital Library
- Hopper, N., Vasserman, E. Y., and Chan-Tin, E. 2010. How much anonymity does network latency leak? ACM Trans. Inf. Syst. Sec. 13, 2, 1--28. Google Scholar
Digital Library
- Hughes, D. and Shmatikov, V. 2004. Information hiding, anonymity and privacy: A modular approach. J. Comput. Secur. 12, 1, 3--36. Google Scholar
Digital Library
- Kate, A., Zaverucha, G., and Goldberg, I. 2007. Pairing-based onion routing. In Proceedings of the 7th International Symposium on Privacy Enhancing Technologies (PET 07). 95--112. Google Scholar
Digital Library
- Kesdogan, D., Agrawal, D., and Penz, S. 2002. Limits of anonymity in open environments. In Proceedings of the 5th Information Hiding Workshop (IH 02). 53--69. Google Scholar
Digital Library
- Kesdogan, D., Egner, J., and Büschkes, R. 1998. Stop-and-Go MIXes: Providing probabilistic anonymity in an open system. In Proceedings of the 2nd Information Hiding Workshop (IH 98). 83--98.Google Scholar
- Lincoln, P., Porras, P., and Shmatikov, V. 2004. Privacy-Preserving sharing and correlation of security alerts. In Proceedings of the 13th USENIX Security Symposium. 239--254. Google Scholar
Digital Library
- Loesing et al. 2011. Tor metrics portal. https://metrics.torproject.org/.Google Scholar
- Lynch, N. A. 1996. Distributed Algorithms. Morgan Kaufmann Publishers. Google Scholar
Digital Library
- Mathewson, N. and Dingledine, R. 2004. Practical traffic analysis: Extending and resisting statistical disclosure. In Proceedings of the 4th Privacy Enhancing Technologies Workshop (PET 04). 17--34. Google Scholar
Digital Library
- Mauw, S., Verschuren, J., and de Vink, E. 2004. A formalization of anonymity and onion routing. In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS 04). 109--124.Google Scholar
Cross Ref
- McLachlan, J., Tran, A., and Hopper, N. 2009. Scalable onion routing with Torsk. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). ACM Press, 590--599. Google Scholar
Digital Library
- Mittal, P. and Borisov, N. 2009. ShadowWalker: Peer-to-Peer anonymous communication using redundant structured topologies. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). 161--172. Google Scholar
Digital Library
- Murdoch, S. J. 2006. Hot or not: Revealing hidden services by their clock skew. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06). 27--36. Google Scholar
Digital Library
- Murdoch, S. J. and Danezis, G. 2005. Low-Cost traffic analysis of Tor. In Proceedings of the IEEE Symposium on Security and Privacy (S & P 05). 183--195. Google Scholar
Digital Library
- Nambiar, A. and Wright, M. 2006. Salsa: A structured approach to large-scale anonymity. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 06). Google Scholar
Digital Library
- Øverlier, L. and Syverson, P. 2006. Locating hidden servers. In Proceedings of IEEE Symposium on Security and Privacy (S& P 06). 100--114. Google Scholar
Digital Library
- Øverlier, L. and Syverson, P. 2007. Improving efficiency and simplicty of Tor circuit establishment and hidden services. In Proceedings of the 7th International Symposium on Privacy Enhancing Technologies (PET 07). 134--152. Google Scholar
Digital Library
- Pfitzmann, A. and Köhntopp, M. 2000. Anonymity, unobservability, and pseudonymity: A proposal for terminology. In Proceedings of the Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability. 1--9. Google Scholar
Digital Library
- Reed, M. G., Syverson, P. F., and Goldschlag, D. M. 1998. Anonymous connections and onion routing. IEEE J. Select. Areas Comm. 16, 4, 482--494. Google Scholar
Digital Library
- Reiter, M. and Rubin, A. 1998. Crowds: Anonymity for web transactions. ACM Trans. Inf. Syst. Secur. 1, 1, 66--92. Google Scholar
Digital Library
- Schneider, S. and Sidiropoulos, A. 1996. CSP and anonymity. In Proceedings of the 1st European Symposium on Research in Computer Security (ESORICS 96). 198--218. Google Scholar
Digital Library
- Serjantov, A. and Danezis, G. 2002. Towards an information theoretic metric for anonymity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop (PET 02). 41--53. Google Scholar
Digital Library
- Shmatikov, V. 2004. Probabilistic model checking of an anonymity system. J. Comput. Secur. 12, 3-4, 355--377. Google Scholar
Digital Library
- Shmatikov, V. and Wang, M.-H. 2006. Measuring relationship anonymity in mix networks. In Proceedings of the 5th ACM Workshop on Privacy in the Electronic Society (WPES 06). 59--62. Google Scholar
Digital Library
- Syverson, P., Reed, M., and Goldschlag, D. 2000a. Onion routing access configurations. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 00). 34--40.Google Scholar
- Syverson, P., Tsudik, G., Reed, M., and Landwehr, C. 2000b. Towards an analysis of onion routing security. In Proceedings of the Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability. 96--114. Google Scholar
Digital Library
- Syverson, P. F. and Stubblebine, S. G. 1999. Group principals and the formalization of anonymity. In Proceedings of the 1st World Congress on Formal Methods (FM'99). Vol. 1. 814--833. Google Scholar
Digital Library
- Tóth, G., Hornák, Z., and Vajda, F. 2004. Measuring anonymity revisited. In Proceedings of the 9th Nordic Workshop on Secure IT Systems. 85--90.Google Scholar
- Wikström, D. 2004. A universally composable mix-net. In Proceedings of the Ist Theory of Cryptography Conference (TCC 04). 317--335.Google Scholar
Cross Ref
- Wright, M. K., Adler, M., Levine, B. N., and Shields, C. 2004. The predecessor attack: An analysis of a threat to anonymous communications systems. ACM Trans. Inf. Syst. Secur. 7, 4, 489--522. Google Scholar
Digital Library
Index Terms
Probabilistic analysis of onion routing in a black-box model
Recommendations
Probabilistic analysis of onion routing in a black-box model
WPES '07: Proceedings of the 2007 ACM workshop on Privacy in electronic societyWe perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication that abstracts the essential properties of onion routing in the presence of an active adversary that controls a portion of ...
Fully non-interactive onion routing with forward secrecy
Onion routing is a privacy-enabling protocol that allows users to establish anonymous channels over a public network. In such a protocol, parties send their messages through $$n$$ anonymizing servers (called a circuit ) using several layers of encryption. ...
Path Selection Metrics for Performance-Improved Onion Routing
SAINT '09: Proceedings of the 2009 Ninth Annual International Symposium on Applications and the InternetProviding anonymity for users on the Internet is a very challenging and difficult task. Currently there are only a few systems that are of practical relevance for the provision of low-latency anonymity. One of the most important to mention is Tor which ...






Comments