Local View Attack on Anonymous Communication

  • Marcin Gogolewski
  • Marek Klonowski
  • Mirosław Kutyłowski
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


We consider anonymous communication protocols based on onions: each message is sent in an encrypted form through a path chosen at random by its sender, and the message is re-coded by each server on the path. Recently, it has been shown that if the anonymous paths are long enough, then the protocols provide provable security for some adversary models. However, it was assumed that all users choose intermediate servers uniformly at random from the same set of servers.

We show that if a single user chooses only from a constrained subset of possible intermediate servers, anonymity level may dramatically decrease. A thumb rule is that if Alice is aware of much less than 50% of possible intermediate servers, then the anonymity set for her message becomes surprisingly small with high probability. Moreover, for each location in the anonymity set an adversary may compute probability that it gets a message of Alice. Since there are big differences in these probabilities, in most cases the true destination of the message from Alice is in a small group of locations with the highest probabilities.

Our results contradict some beliefs that the protocols mentioned guarantee anonymity provided that the set of possible intermediate servers for each user is large.


Additional Server Adversary Model Total Variation Distance Anonymous Communication True Destination 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Agrawal, D., Kesdogan, D., Penz, S.: Probabilistic Treatment of MIXes to Hamper Traffic Analysis. In: Proceedings of the IEEE Symposium on Security and Privacy (2003)Google Scholar
  2. 2.
    Berman, R., Fiat, A., Ta-Shma, A.: Provable unlinkability against traffic analysis. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 266–280. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  3. 3.
    Chaum, D.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communication of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  4. 4.
    Chaum, D.: Secret-Ballot Receipts and Transparent Integrity. Better and less-costly electronic voting and polling places, Available at
  5. 5.
    Czumaj, A., Kanarek, P., Kutyłowski, M., Loryś, K.: Distributed Stochastic Processes for Generating Random Permutations. In: ACM-SIAM Symposium on Discrete Algorithms SODA 99, 271–280 (1999)Google Scholar
  6. 6.
    Danezis, G.: Designing and Attacking Anonymous Communication Systems. CAM-CL-TR-594, University of Cambridge, Computer Laboratory (2004)Google Scholar
  7. 7.
    Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 41–53. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 293–308. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  9. 9.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the Second Generation Onion Router. USENIX Security (2004)Google Scholar
  10. 10.
    Gogolewski, M., Kutyłowski, M., Łuczak, T.: Mobile mixing. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 380–393. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Gülcü, C., Tsudik, G.: Mixing E-mail with BABEL. In: ISOC Symposium on Network and Distributed System Security, pp. 2–16. IEEE, Los Alamitos (1996)CrossRefGoogle Scholar
  12. 12.
    Goldschlag, D.M., Reed, M.G., Syverson, P.: Private Web Browsing. Journal of Computer Security, Special Issue on Web Security 5, 237–248 (1997)Google Scholar
  13. 13.
    Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Provable Unlinkability Against Traffic Analysis Already After O(log(n)). In: Steps! Information Security Conference 2004. LNCS, vol. 3381, pp. 229–238. Springer, Heidelberg (2004)Google Scholar
  14. 14.
    Jakobsson, M., Juels, A.: Mix and Match: Secure Function Evaluation via Ciphertexts. In: Advances in Cryptology - Asiacrypt 2000. LNCS, vol. 1976, pp. 162–177 (2000)Google Scholar
  15. 15.
    Kesdogan, D., Egner, J., Büschkes, R.: Stop-and-go-mIXes providing probabilistic anonymity in an open system. In: Aucsmith, D. (ed.) IH 1998. LNCS, vol. 1525, pp. 83–98. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  16. 16.
    Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity - A proposal for terminology. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 1–9. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  17. 17.
    Klonowski, M., Kutyłowski, M., Zagórski, F.: Anonymous communication with on-line and off-line onion encoding. In: Vojtáš, P., Bieliková, M., Charron-Bost, B., Sýkora, O. (eds.) SOFSEM 2005. LNCS, vol. 3381, pp. 229–238. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  18. 18.
    Kurosawa, K., Ogata, W.: Bit-slice auction circuit. In: Gollmann, D., Karjoth, G., Waidner, M. (eds.) ESORICS 2002. LNCS, vol. 2502, pp. 24–38. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  19. 19.
    Rackoff, C., Simon, D.R.: Cryptographic Defense Against Traffic Analysis. In: ACM Symposium on Theory of Computing(STOC), vol. 25, pp. 672–681 (1993)Google Scholar
  20. 20.
    Serjantov, A., Dingledine, R., Syverson, P.: From a trickle to a flood: Active attacks on several mix types. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 36–52. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Syverson, P., Reed, M.G., Goldschlag, D.M.: Anonymous Connections and Onion Routing. IEEE Journal on Selected Areas in Communication 16(4), 482–494 (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Marcin Gogolewski
    • 1
  • Marek Klonowski
    • 1
  • Mirosław Kutyłowski
    • 1
  1. 1.Institute of Mathematics and Computer ScienceWrocław University of TechnologyWrocławPoland

Personalised recommendations