Do Dummies Pay Off? Limits of Dummy Traffic Protection in Anonymous Communications

  • Simon Oya
  • Carmela Troncoso
  • Fernando Pérez-González
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8555)


Anonymous communication systems ensure that correspondence between senders and receivers cannot be inferred with certainty. However, when patterns are persistent, observations from anonymous communication systems enable the reconstruction of user behavioral profiles. Protection against profiling can be enhanced by adding dummy messages, generated by users or by the anonymity provider, to the communication. In this paper we study the limits of the protection provided by this countermeasure. We propose an analysis methodology based on solving a least squares problem that permits to characterize the adversary’s profiling error with respect to the user behavior, the anonymity provider behavior, and the dummy strategy. Focusing on the particular case of a timed pool mix we show how, given a privacy target, the performance analysis can be used to design optimal dummy strategies to protect this objective.


anonymous communications disclosure attacks dummies 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Danezis, G., Diaz, C., Syverson, P.: Systems for anonymous communication. In: Rosenberg, B. (ed.) Handbook of Financial Cryptography and Security. Cryptography and Network Security Series, pp. 341–389. Chapman & Hall/CRC (2009)Google Scholar
  2. 2.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2), 84–90 (1981)CrossRefGoogle Scholar
  3. 3.
    Agrawal, D., Kesdogan, D.: Measuring anonymity: The disclosure attack. IEEE Security and Privacy 1(6), 27–34 (2003)CrossRefGoogle Scholar
  4. 4.
    Danezis, G., Troncoso, C.: Vida: How to use bayesian inference to de-anonymize persistent communications. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 56–72. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  5. 5.
    Mathewson, N., Dingledine, R.: Practical traffic analysis: Extending and resisting statistical disclosure. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 17–34. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Pérez-González, F., Troncoso, C.: Understanding statistical disclosure: A least squares approach. In: Fischer-Hübner, S., Wright, M. (eds.) PETS 2012. LNCS, vol. 7384, pp. 38–57. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  7. 7.
    Berthold, O., Langos, H.: Dummy traffic against long term intersection attacks. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 110–128. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Diaz, C., Preneel, B.: Taxonomy of mixes and dummy traffic. In: Working Conference on Privacy and Anonymity in Networked and Distributed Systems, pp. 215–230. Kluwer Academic Publishers (2004)Google Scholar
  9. 9.
    Díaz, C., Preneel, B.: Reasoning about the anonymity provided by pool mixes that generate dummy traffic. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 309–325. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Mallesh, N., Wright, M.: Countering statistical disclosure with receiver-bound cover traffic. In: Biskup, J., López, J. (eds.) ESORICS 2007. LNCS, vol. 4734, pp. 547–562. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  11. 11.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: Design of a type iii anonymous remailer protocol. In: IEEE Symposium on Security and Privacy, pp. 2–15. IEEE Computer Society (2003)Google Scholar
  12. 12.
    Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster Protocol — Version 2. IETF Internet Draft (July 2003)Google Scholar
  13. 13.
    Pérez-González, F., Troncoso, C., Oya, S.: A least squares approach to the traffic analysis of high-latency anonymous communication systems,
  14. 14.
    Oya, S., Troncoso, C., Pérez-González, F.: Meet the family of statistical disclosure attacks. In: IEEE Global Conference on Signal and Information Processing, 4p. (2013)Google Scholar
  15. 15.
    Díaz, C., Serjantov, A.: Generalising mixes. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 18–31. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  16. 16.
    Oya, S., Troncoso, C., Pérez-González, F.: Technical report tsc/so/02052014: Derivation of the mean squared error of the least squares estimator in a timed pool mix with dummy traffic,
  17. 17.
    Haykin, S.: Adaptive Filter Theory, 4th edn. Prentice Hall (2002)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Simon Oya
    • 1
  • Carmela Troncoso
    • 2
  • Fernando Pérez-González
    • 1
    • 2
  1. 1.Signal Theory and Communications Dept.University of VigoSpain
  2. 2.Gradiant (Galician R&D Center in Advanced Telecommunications)Spain

Personalised recommendations