How to Bypass Two Anonymity Revocation Schemes

  • George Danezis
  • Len Sassaman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5134)


In recent years, there have been several proposals for anonymous communication systems that provide intentional weaknesses to allow anonymity to be circumvented in special cases. These anonymity revocation schemes attempt to retain the properties of strong anonymity systems while granting a special class of people the ability to selectively break through their protections. We evaluate the two dominant classes of anonymity revocation systems, and identify fundamental flaws in their architecture, leading to a failure to ensure proper anonymity revocation, as well as introducing additional weaknesses for users not targeted for anonymity revocation.


Keywords: Covert Channel; Private Information Retrieval; Anonymous Communication; Honest Node; Covert Communication
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • George Danezis, Microsoft Research, Cambridge, UK
  • Len Sassaman, ESAT/COSIC, K.U. Leuven, Leuven-Heverlee, Belgium
