Using Linkability Information to Attack Mix-Based Anonymity Services

  • Stefan Schiffner
  • Sebastian Clauß
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5672)


There exist well-established models for anonymity that focus on traffic analysis, i.e., analysing properties of single messages such as timing. However, little work has been done that uses linkability information, that is, information about the probability that two messages have been sent by the same sender.

In this paper we model information about linkability between messages as a weighted graph. We show lower and upper bounds with regard to the usefulness of linkability information for matching messages to senders. In addition, we present simulation results showing to what extent a matching of messages to senders is possible by using linkability information with different grades of noise.


Keywords: Service Provider; Cluster Size; Network Layer; Linkability Information; Anonymity Service
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Stefan Schiffner (1)
  • Sebastian Clauß (2)
  1. K.U.Leuven, ESAT/SCD/COSIC and IBBT, Leuven-Heverlee, Belgium
  2. Institute of Systems Architecture, Technische Universität Dresden, Dresden, Germany
