skip to main content
research-article

Probabilistic analysis of onion routing in a black-box model

Published:30 November 2012Publication History
Skip Abstract Section

Abstract

We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication in the Universally Composable (UC) framework that abstracts the essential properties of onion routing in the presence of an active adversary who controls a portion of the network and knows all a priori distributions on user choices of destination. Our results quantify how much the adversary can gain in identifying users by exploiting knowledge of their probabilistic behavior. In particular, we show that, in the limit as the network gets large, a user u's anonymity is worst either when the other users always choose the destination u is least likely to visit or when the other users always choose the destination u chooses. This worst-case anonymity with an adversary that controls a fraction b of the routers is shown to be comparable to the best-case anonymity against an adversary that controls a fraction √b.

References

  1. Backes, M., Goldberg, I., Kate, A., and Mohammadi, E. 2012. Provably secure and practical onion routing. In Proceedings of the 25th IEEE Computer Security Foundations Symposium (CSF 12). 369--385. Google ScholarGoogle ScholarDigital LibraryDigital Library
  2. Bauer, K., McCoy, D., Grunwald, D., Kohno, T., and Sicker, D. 2007. Low-resource routing attacks against Tor. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES 07). 11--20. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Beimel, A. and Dolev, S. 2003. Buses for anonymous message delivery. J. Cryptol. 16, 1, 25--39.Google ScholarGoogle ScholarCross RefCross Ref
  4. Brown, Z. 2002. Cebolla: Pragmatic IP anonymity. In Proceedings of the Ottawa Linux Symposium.Google ScholarGoogle Scholar
  5. Camenisch, J. and Lysyanskaya, A. 2005. A formal treatment of onion routing. In Proceedings of CRYPTO Conference. 169--187. Google ScholarGoogle ScholarDigital LibraryDigital Library
  6. Canetti, R. 2000. Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067. http://eprint.iacr.org/.Google ScholarGoogle Scholar
  7. Chaum, D. 1981. Untraceable electronic mail, return addresses, and digital pseudonyms. Comm. ACM 4, 2, 84--88. Google ScholarGoogle ScholarDigital LibraryDigital Library
  8. Chaum, D. 1988. The dining cryptographers problem: Unconditional sender and recipient untraceability. International Association for Cryptology Research. J. Cryptol. 1, 1, 65--75. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Corrigan-Gibbs, H. and Ford, B. 2010. Dissent: Accountable anonymous group messaging. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS 10). 340--350. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Danezis, G. 2003. Statistical disclosure attacks: Traffic confirmation in open environments. In Proceedings of Security and Privacy in the Age of Uncertainty Conference (SEC 03). 421--426.Google ScholarGoogle ScholarCross RefCross Ref
  11. Danezis, G. and Serjantov, A. 2004. Statistical disclosure or intersection attacks on anonymity systems. In Proceedings of the 6th Information Hiding Workshop (IH 04). 293--308. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Díaz, C., Seys, S., Claessens, J., and Preneel, B. 2002. Towards measuring anonymity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop (PET 02). 54--68. Google ScholarGoogle ScholarDigital LibraryDigital Library
  13. Dingledine, R., Mathewson, N., and Syverson, P. 2004. Tor: The second-generation onion router. In Proceedings of the 13th USENIX Security Symposium. 303--319. Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Feigenbaum, J., Johnson, A., and Syverson, P. 2007. A model of onion routing with provable anonymity. In Proceedings of the 11th Financial Cryptography and Data Security Conference (FC 07). 57--71. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Freedman, M. J. and Morris, R. 2002. Tarzan: A peer-to-peer anonymizing network layer. In Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 02). 193--206. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Goldberg, I. and Shostack, A. 1999. Freedom 1.0 security issues and analysis. White paper, Zero Knowledge Systems, Inc.Google ScholarGoogle Scholar
  17. Goldberg, I. and Shostack, A. 2001. Freedom network 1.0 architecture and protocols. White paper, Zero Knowledge Systems, Inc.Google ScholarGoogle Scholar
  18. Goldschlag, D. M., Reed, M. G., and Syverson, P. F. 1996. Hiding routing information. In Proceedings of the Ist International Workshop on Information Hiding. 137--150. Google ScholarGoogle ScholarDigital LibraryDigital Library
  19. Halpern, J. Y. and O'Neill, K. R. 2005. Anonymity and information hiding in multiagent systems. J. Comput. Secur. 13, 3, 483--514. Google ScholarGoogle ScholarDigital LibraryDigital Library
  20. Herrmann, D., Wendolsky, R., and Federrath, H. 2009. Website fingerprinting: Attacking popular privacy enhancing technologies with the Multinomial Naïve-Bayes classifier. In Proceedings of the ACM Workshop on Cloud Computing Security (CCSW'09). 31--42. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Hopper, N., Vasserman, E. Y., and Chan-Tin, E. 2010. How much anonymity does network latency leak? ACM Trans. Inf. Syst. Sec. 13, 2, 1--28. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Hughes, D. and Shmatikov, V. 2004. Information hiding, anonymity and privacy: A modular approach. J. Comput. Secur. 12, 1, 3--36. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Kate, A., Zaverucha, G., and Goldberg, I. 2007. Pairing-based onion routing. In Proceedings of the 7th International Symposium on Privacy Enhancing Technologies (PET 07). 95--112. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Kesdogan, D., Agrawal, D., and Penz, S. 2002. Limits of anonymity in open environments. In Proceedings of the 5th Information Hiding Workshop (IH 02). 53--69. Google ScholarGoogle ScholarDigital LibraryDigital Library
  25. Kesdogan, D., Egner, J., and Büschkes, R. 1998. Stop-and-Go MIXes: Providing probabilistic anonymity in an open system. In Proceedings of the 2nd Information Hiding Workshop (IH 98). 83--98.Google ScholarGoogle Scholar
  26. Lincoln, P., Porras, P., and Shmatikov, V. 2004. Privacy-Preserving sharing and correlation of security alerts. In Proceedings of the 13th USENIX Security Symposium. 239--254. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Loesing et al. 2011. Tor metrics portal. https://metrics.torproject.org/.Google ScholarGoogle Scholar
  28. Lynch, N. A. 1996. Distributed Algorithms. Morgan Kaufmann Publishers. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Mathewson, N. and Dingledine, R. 2004. Practical traffic analysis: Extending and resisting statistical disclosure. In Proceedings of the 4th Privacy Enhancing Technologies Workshop (PET 04). 17--34. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Mauw, S., Verschuren, J., and de Vink, E. 2004. A formalization of anonymity and onion routing. In Proceedings of the 9th European Symposium on Research in Computer Security (ESORICS 04). 109--124.Google ScholarGoogle ScholarCross RefCross Ref
  31. McLachlan, J., Tran, A., and Hopper, N. 2009. Scalable onion routing with Torsk. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). ACM Press, 590--599. Google ScholarGoogle ScholarDigital LibraryDigital Library
  32. Mittal, P. and Borisov, N. 2009. ShadowWalker: Peer-to-Peer anonymous communication using redundant structured topologies. In Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS'09). 161--172. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Murdoch, S. J. 2006. Hot or not: Revealing hidden services by their clock skew. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS'06). 27--36. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Murdoch, S. J. and Danezis, G. 2005. Low-Cost traffic analysis of Tor. In Proceedings of the IEEE Symposium on Security and Privacy (S & P 05). 183--195. Google ScholarGoogle ScholarDigital LibraryDigital Library
  35. Nambiar, A. and Wright, M. 2006. Salsa: A structured approach to large-scale anonymity. In Proceedings of the 13th ACM Conference on Computer and Communications Security (CCS 06). Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Øverlier, L. and Syverson, P. 2006. Locating hidden servers. In Proceedings of IEEE Symposium on Security and Privacy (S& P 06). 100--114. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Øverlier, L. and Syverson, P. 2007. Improving efficiency and simplicty of Tor circuit establishment and hidden services. In Proceedings of the 7th International Symposium on Privacy Enhancing Technologies (PET 07). 134--152. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Pfitzmann, A. and Köhntopp, M. 2000. Anonymity, unobservability, and pseudonymity: A proposal for terminology. In Proceedings of the Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability. 1--9. Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Reed, M. G., Syverson, P. F., and Goldschlag, D. M. 1998. Anonymous connections and onion routing. IEEE J. Select. Areas Comm. 16, 4, 482--494. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. Reiter, M. and Rubin, A. 1998. Crowds: Anonymity for web transactions. ACM Trans. Inf. Syst. Secur. 1, 1, 66--92. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Schneider, S. and Sidiropoulos, A. 1996. CSP and anonymity. In Proceedings of the 1st European Symposium on Research in Computer Security (ESORICS 96). 198--218. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Serjantov, A. and Danezis, G. 2002. Towards an information theoretic metric for anonymity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop (PET 02). 41--53. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Shmatikov, V. 2004. Probabilistic model checking of an anonymity system. J. Comput. Secur. 12, 3-4, 355--377. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Shmatikov, V. and Wang, M.-H. 2006. Measuring relationship anonymity in mix networks. In Proceedings of the 5th ACM Workshop on Privacy in the Electronic Society (WPES 06). 59--62. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Syverson, P., Reed, M., and Goldschlag, D. 2000a. Onion routing access configurations. In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX 00). 34--40.Google ScholarGoogle Scholar
  46. Syverson, P., Tsudik, G., Reed, M., and Landwehr, C. 2000b. Towards an analysis of onion routing security. In Proceedings of the Designing Privacy Enhancing Technologies: International Workshop on Design Issues in Anonymity and Unobservability. 96--114. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Syverson, P. F. and Stubblebine, S. G. 1999. Group principals and the formalization of anonymity. In Proceedings of the 1st World Congress on Formal Methods (FM'99). Vol. 1. 814--833. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Tóth, G., Hornák, Z., and Vajda, F. 2004. Measuring anonymity revisited. In Proceedings of the 9th Nordic Workshop on Secure IT Systems. 85--90.Google ScholarGoogle Scholar
  49. Wikström, D. 2004. A universally composable mix-net. In Proceedings of the Ist Theory of Cryptography Conference (TCC 04). 317--335.Google ScholarGoogle ScholarCross RefCross Ref
  50. Wright, M. K., Adler, M., Levine, B. N., and Shields, C. 2004. The predecessor attack: An analysis of a threat to anonymous communications systems. ACM Trans. Inf. Syst. Secur. 7, 4, 489--522. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Probabilistic analysis of onion routing in a black-box model

              Recommendations

              Comments

              Login options

              Check if you have access through your login credentials or your institution to get full access on this article.

              Sign in

              Full Access

              • Published in

                cover image ACM Transactions on Information and System Security
                ACM Transactions on Information and System Security  Volume 15, Issue 3
                November 2012
                105 pages
                ISSN:1094-9224
                EISSN:1557-7406
                DOI:10.1145/2382448
                Issue’s Table of Contents

                Copyright © 2012 ACM

                Publisher

                Association for Computing Machinery

                New York, NY, United States

                Publication History

                • Published: 30 November 2012
                • Accepted: 1 May 2012
                • Revised: 1 March 2012
                • Received: 1 January 2011
                Published in tissec Volume 15, Issue 3

                Permissions

                Request permissions about this article.

                Request Permissions

                Check for updates

                Qualifiers

                • research-article
                • Research
                • Refereed

              PDF Format

              View or Download as a PDF file.

              PDF

              eReader

              View online with eReader.

              eReader
              About Cookies On This Site

              We use cookies to ensure that we give you the best experience on our website.

              Learn more

              Got it!