Modelling and Analysis of Privacy-Enhancing Technologies for Anonymity

A Complexity DTC Miniproject Proposal
e-Security Group, Digital Laboratory

Background

It is generally accepted that Privacy-Enhancing Technologies started as a topic for research with David Chaum's mix-net paper in 1981 [1], in which he outlined a method for the anonymous delivery of messages using a network of nodes. In the technique outlined, each node within the network strips off all identifying information before passing the message on to the next node, encrypted with that node's public key, and so on, until its final delivery at the intended recipient node.

The simplest method of obscuring a final destination address is to use a proxy. A proxy simply forwards the packets of a single TCP connection it receives to their intended destination, but translates the sender's address to its own, and vice versa for the reply. Every additional proxy requires extra effort to determine the real destination, and proxies can be chained together as often as necessary (although an increase in latency and a decrease in bandwidth are unavoidable whenever data is routed through another node).

A group of proxies that distribute multiple connections among themselves (possibly encrypted) until they are directed to their destination is called a mix network. Mix networks are particularly effective for unidirectional communications, such as emails that do not require a reply (or where the return address is securely contained in the message body). The email address can be spoofed, and an anonymising mix network can scrub the originating IP address, so that logs would need to be recovered (if they were recorded in the first place) from all the proxies involved in order to determine the origin of a message: failure to recover the logs of a single proxy breaks the associations needed to trace the connection.
An observer with sight of enough of a mix network, possibly only of the suspected originator and destination, can use traffic analysis to attempt to link message transmission to reception. This is to some extent countered by random padding of messages to disguise their size, and by maintaining pools of messages at each node, of which only a proportion are periodically sent on. Even so, Bayesian analysis can still link messages with moderate confidence; this is known as a statistical disclosure attack [2].

Research Opportunity

Mathewson and Dingledine [2] investigate a number of interesting variants on the statistical disclosure attack, but their paper identifies a number of areas where their models of user behaviour might be improved: time-variant user behaviour, using relayed traffic to provide padding, and so on. Another aspect of the problem that might reward investigation is whether a more dynamic configuration of the mix network would give improved anonymity protection. The e-Security Group can make available its cluster of servers for medium-sized network simulations to provide input data for the analysis.

Another interesting angle is whether user profiling based on, for example, social-networking websites can enhance attacks on the destination-anonymity of messages. Diaz, Troncoso and Serjantov [3] have conducted initial studies suggesting that this is the case, but their models contain a number of rather unrealistic simplifying assumptions, which it might be interesting to relax in order to see whether their results still stand. Perhaps beyond the scope of a miniproject, but a potential subject for a follow-on doctoral study, would be to investigate whether privacy-enhancing mechanisms for social-networking sites, such as NOYB [4] or the Group's own (unpublished) scheme, also defend effectively against such profiling attempts.

References

[1] David L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. CACM 24(2), pp. 84–90, Feb. 1981.
[2] Nick Mathewson and Roger Dingledine. Practical Traffic Analysis: Extending and Resisting Statistical Disclosure. In Proceedings of the 4th Workshop on Privacy Enhancing Technologies (PET 2004), LNCS 3424, pp. 17–34, 2005.
[3] Claudia Diaz, Carmela Troncoso and Andrei Serjantov. On the Impact of Social Network Profiling on Anonymity. In Proceedings of the 8th Privacy Enhancing Technologies Symposium (PETS'08), N. Borisov and I. Goldberg (Eds), Springer LNCS 5134, pp. 44–62, 2008.
[4] Saikat Guha, Kevin Tang and Paul Francis. NOYB: Privacy in Online Social Networks. In Proceedings of the 1st ACM SIGCOMM Workshop on Online Social Networks (WOSN'08), ACM, 2008.
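Worked example (added here; not part of the proposal or of [2]): the statistical disclosure attack described in the Background, run against a constructed simulation of a threshold mix. One target sender writes only to a few contacts while background senders pick recipients uniformly; a passive observer records only whether the target's link carried a message in a batch and which destinations left the mix. Averaging the output of batches with the target present and subtracting the background average from batches without her exposes her contact set, which is the quantity a mix designer must measure when judging a padding or pooling configuration. Population sizes, probabilities and the contact set are assumptions of this example.

```python
"""Statistical disclosure attack on a simulated threshold mix (constructed example:
population sizes, probabilities and the target's contacts are assumed values)."""
import random
from collections import Counter

N_RECIPIENTS = 40               # recipient population
BATCH_SIZE = 20                 # background messages per batch (the mix threshold)
TARGET_CONTACTS = {3, 17, 29}   # the target's real correspondents (to be recovered)


def simulate_rounds(n_rounds, p_target_sends=0.5, seed=1):
    """Return (target_sent, destinations) per batch as a passive observer records it:
    whether the target's link carried a message, and the multiset of destinations
    leaving the mix with sender identities stripped."""
    rng = random.Random(seed)
    contacts = sorted(TARGET_CONTACTS)
    rounds = []
    for _ in range(n_rounds):
        batch = [rng.randrange(N_RECIPIENTS) for _ in range(BATCH_SIZE)]
        target_sent = rng.random() < p_target_sends
        if target_sent:
            batch.append(rng.choice(contacts))   # one real message to a contact
        rounds.append((target_sent, Counter(batch)))
    return rounds


def mean_vector(counters):
    """Average destination frequency per batch over a set of batches."""
    total = Counter()
    for c in counters:
        total.update(c)
    n = max(len(counters), 1)          # avoid division by zero on an empty set
    return [total[r] / n for r in range(N_RECIPIENTS)]


def disclose(rounds):
    """Rank recipients by (mean output when the target sent) - (background mean)."""
    observed = mean_vector([c for sent, c in rounds if sent])
    background = mean_vector([c for sent, c in rounds if not sent])
    score = [o - b for o, b in zip(observed, background)]
    ranking = sorted(range(N_RECIPIENTS), key=lambda r: score[r], reverse=True)
    return ranking, score


def recovered_contacts(n_rounds=2000, k=len(TARGET_CONTACTS)):
    """Top-k recipients after observing n_rounds batches."""
    ranking, _ = disclose(simulate_rounds(n_rounds))
    return set(ranking[:k])


if __name__ == "__main__":
    print("recovered", sorted(recovered_contacts()), "true", sorted(TARGET_CONTACTS))
```

Reducing `n_rounds`, or lowering `p_target_sends` so that fewer batches carry her traffic, narrows the gap between contact and non-contact scores; that gap is the margin a pooling or padding scheme has to erase.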