Perfect Matching Disclosure Attacks
Traffic analysis is the best known approach to uncover relationships amongst users of anonymous communication systems, such as mix networks. Surprisingly, all previously published techniques require very specific user behavior to break the anonymity provided by mixes. At the same time, it is also well known that none of the considered user models reflects realistic behavior which casts some doubt on previous work with respect to real-life scenarios. We first present a user behavior model that, to the best of our knowledge, is the least restrictive scheme considered so far. Second, we develop the Perfect Matching Disclosure Attack, an efficient attack based on graph theory that operates without any assumption on user behavior. The attack is highly effective when de-anonymizing mixing rounds because it considers all users in a round at once, rather than single users iteratively. Furthermore, the extracted sender-receiver relationships can be used to enhance user profile estimations. We extensively study the effectiveness and efficiency of our attack and previous work when de-anonymizing users communicating through a threshold mix. Empirical results show the advantage of our proposal. We also show how the attack can be refined and adapted to different scenarios including pool mixes, and how precision can be traded in for speed, which might be desirable in certain cases.
KeywordsBipartite Graph Perfect Match User Behavior Single User Linear Assignment Problem
Unable to display preview. Download preview PDF.
- 4.Danezis, G.: Statistical disclosure attacks: Traffic confirmation in open environments. In: Gritzalis, Vimercati, Samarati, Katsikas (eds.) Proceedings of Security and Privacy in the Age of Uncertainty (SEC 2003), Athens, May 2003, IFIP TC11 pp. 421–426. Kluwer, Dordrecht (2003)Google Scholar
- 6.Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: Design of a Type III Anonymous Remailer Protocol. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy, pp. 2–15 (May 2003)Google Scholar
- 7.Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200. Springer, Heidelberg (2004)Google Scholar
- 9.Edman, M., Sivrikaya, F., Yener, B.: A combinatorial approach to measuring anonymity. In: ISI, pp. 356–363. IEEE, Los Alamitos (2007)Google Scholar
- 10.Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: A modular approach. Journal of Computer Security 12(1), 3–36 (2004)Google Scholar
- 11.Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: Proceedings of the 11th USENIX Security Symposium (August 2002)Google Scholar
- 13.Kesdogan, D., Pimenidis, L.: The hitting set attack on anonymity protocols. In: Fridrich, J.J. (ed.) IH 2004. LNCS, vol. 3200, pp. 326–339. Springer, Heidelberg (2004)Google Scholar
- 14.Kilian, J., Sako, K.: Receipt-free MIX-type voting scheme - a practical solution to the implementation of a voting booth. In: EUROCRYPT 1995. Springer, Heidelberg (1995)Google Scholar
- 16.Mathewson, N., Dingledine, R.: Practical traffic analysis: Extending and resisting statistical disclosure. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 17–34. Springer, Heidelberg (2005)Google Scholar
- 17.Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster Protocol — Version 2. IETF Internet Draft (July 2003)Google Scholar