Message Splitting Against the Partial Adversary

  • Andrei Serjantov
  • Steven J. Murdoch
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3856)


We review threat models used in the evaluation of anonymity systems’ vulnerability to traffic analysis. We then suggest that, under the partial adversary model, if multiple packets have to be sent through these systems, more anonymity can be achieved if senders route the packets via different paths. This is in contrast to the normal technique of using the same path for them all. We comment on the implications of this for message-based and connection-based anonymity systems. We then proceed to examine the only remaining traffic analysis attack – one which considers the entire system as a black box. We show that it is more difficult to execute than the literature suggests, and attempt to empirically estimate the parameters of the Mixmaster and the Mixminion systems needed in order to successfully execute the attack.


Threat Model Analysis Attack Entry Node Partial Adversary Adaptive Adversary 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Pfitzmann, A., Köhntopp, M.: Anonymity, unobservability, and pseudonymity: A proposal for terminology. Draft, version 0.17 (2000)Google Scholar
  2. 2.
    Serjantov, A.: On the Anonymity of Anonymity Systems. PhD thesis, University of Cambridge (2004)Google Scholar
  3. 3.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: Design of a Type III Anonymous Remailer Protocol. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (2003)Google Scholar
  4. 4.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The second-generation onion router. In: Proceedings of the 13th USENIX Security Symposium (2004)Google Scholar
  5. 5.
    Kesdogan, D., Pimenidis, L.: The hitting set attack on anonymity protocols. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 326–339. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  6. 6.
    Kesdogan, D., Agrawal, D., Penz, S.: Limits of anonymity in open environments. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 53–69. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Agrawal, D., Kesdogan, D., Penz, S.: Probabilistic Treatment of MIXes to Hamper Traffic Analysis. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy (2003)Google Scholar
  8. 8.
    Danezis, G.: Statistical disclosure attacks: Traffic confirmation in open environments. In: Gritzalis, Vimercati, Samarati, Katsikas (eds.) Proceedings of Security and Privacy in the Age of Uncertainty (SEC 2003), IFIP TC11, Athens, pp. 421–426. Kluwer, Dordrecht (2003)CrossRefGoogle Scholar
  9. 9.
    Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200, pp. 293–308. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Zhu, Y., Fu, X., Graham, B., Bettati, R., Zhao, W.: On flow correlation attacks and countermeasures in mix networks. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 207–225. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  11. 11.
    Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster Protocol – Version 2. Draft (2003)Google Scholar
  12. 12.
    Danezis, G.: The traffic analysis of continuous-time mixes. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 35–50. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  13. 13.
    Syverson, P.F., Tsudik, G., Reed, M., Landwehr, C.: Towards an Analysis of Onion Routing Security. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 96–114. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Wright, M., Adler, M., Levine, B.N., Shields, C.: An analysis of the degradation of anonymous protocols. In: Proceedings of the Network and Distributed Security Symposium – NDSS 2002. IEEE, Los Alamitos (2002)Google Scholar
  15. 15.
    Feamster, N., Dingledine, R.: Location diversity in anonymity networks. In: Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2004), Washington, DC, USA (2004)Google Scholar
  16. 16.
    Danezis, G.: Better Anonymous Communications. PhD thesis, University of Cambridge (2004)Google Scholar
  17. 17.
    Serjantov, A., Dingledine, R., Syverson, P.: From a trickle to a flood: Active attacks on several mix types. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 36–52. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  18. 18.
    Díaz, C., Sassaman, L., Dewitte, E.: Comparison between two practical mix designs. In: Samarati, P., Ryan, P.Y.A., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 141–159. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  19. 19.
    Díaz, C., Serjantov, A.: Generalising mixes. In: Dingledine, R. (ed.) PET 2003. LNCS, vol. 2760, pp. 18–31. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  20. 20.
    Python Software Foundation (2003),
  21. 21.
    R Development Core Team: R: A language and environment for statistical computing. R Foundation for Statistical Computing, Vienna, Austria (2004),, ISBN 3-900051-07-0
  22. 22.
    Tufte, E.R.: The Visual Display of Quantitative Information, 2nd edn. Graphics Press (1992), ISBN 0-961392-10-XGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Andrei Serjantov
    • 1
  • Steven J. Murdoch
    • 2
  1. 1.The Free Haven ProjectUK
  2. 2.University of Cambridge Computer LaboratoryCambridgeUK

Personalised recommendations