Perfect Matching Disclosure Attacks

  • Carmela Troncoso
  • Benedikt Gierlichs
  • Bart Preneel
  • Ingrid Verbauwhede
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5134)


Traffic analysis is the best known approach to uncover relationships amongst users of anonymous communication systems, such as mix networks. Surprisingly, all previously published techniques require very specific user behavior to break the anonymity provided by mixes. At the same time, it is also well known that none of the considered user models reflects realistic behavior which casts some doubt on previous work with respect to real-life scenarios. We first present a user behavior model that, to the best of our knowledge, is the least restrictive scheme considered so far. Second, we develop the Perfect Matching Disclosure Attack, an efficient attack based on graph theory that operates without any assumption on user behavior. The attack is highly effective when de-anonymizing mixing rounds because it considers all users in a round at once, rather than single users iteratively. Furthermore, the extracted sender-receiver relationships can be used to enhance user profile estimations. We extensively study the effectiveness and efficiency of our attack and previous work when de-anonymizing users communicating through a threshold mix. Empirical results show the advantage of our proposal. We also show how the attack can be refined and adapted to different scenarios including pool mixes, and how precision can be traded in for speed, which might be desirable in certain cases.


Bipartite Graph Perfect Match User Behavior Single User Linear Assignment Problem 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Agrawal, D., Kesdogan, D.: Measuring anonymity: The disclosure attack. IEEE Security & Privacy 1(6), 27–34 (2003)CrossRefGoogle Scholar
  2. 2.
    Bellman, R.: On a routing problem. Quarterly of Applied Mathematics 16, 87–90 (1958)zbMATHMathSciNetGoogle Scholar
  3. 3.
    Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–90 (1981)CrossRefGoogle Scholar
  4. 4.
    Danezis, G.: Statistical disclosure attacks: Traffic confirmation in open environments. In: Gritzalis, Vimercati, Samarati, Katsikas (eds.) Proceedings of Security and Privacy in the Age of Uncertainty (SEC 2003), Athens, May 2003, IFIP TC11 pp. 421–426. Kluwer, Dordrecht (2003)Google Scholar
  5. 5.
    Danezis, G., Diaz, C., Troncoso, C.: Two-sided statistical disclosure attack. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, p. 15. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  6. 6.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: Design of a Type III Anonymous Remailer Protocol. In: Proceedings of the 2003 IEEE Symposium on Security and Privacy, pp. 2–15 (May 2003)Google Scholar
  7. 7.
    Danezis, G., Serjantov, A.: Statistical disclosure or intersection attacks on anonymity systems. In: Fridrich, J. (ed.) IH 2004. LNCS, vol. 3200. Springer, Heidelberg (2004)Google Scholar
  8. 8.
    Dijkstra, E.W.: A note on two problems in connexion with graphs. Numerische Mathematik 1, 269–271 (1959)zbMATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Edman, M., Sivrikaya, F., Yener, B.: A combinatorial approach to measuring anonymity. In: ISI, pp. 356–363. IEEE, Los Alamitos (2007)Google Scholar
  10. 10.
    Hughes, D., Shmatikov, V.: Information hiding, anonymity and privacy: A modular approach. Journal of Computer Security 12(1), 3–36 (2004)Google Scholar
  11. 11.
    Jakobsson, M., Juels, A., Rivest, R.L.: Making mix nets robust for electronic voting by randomized partial checking. In: Proceedings of the 11th USENIX Security Symposium (August 2002)Google Scholar
  12. 12.
    Kesdogan, D., Agrawal, D., Penz, S.: Limits of anonymity in open environments. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 53–69. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  13. 13.
    Kesdogan, D., Pimenidis, L.: The hitting set attack on anonymity protocols. In: Fridrich, J.J. (ed.) IH 2004. LNCS, vol. 3200, pp. 326–339. Springer, Heidelberg (2004)Google Scholar
  14. 14.
    Kilian, J., Sako, K.: Receipt-free MIX-type voting scheme - a practical solution to the implementation of a voting booth. In: EUROCRYPT 1995. Springer, Heidelberg (1995)Google Scholar
  15. 15.
    Kuhn, H.W.: The Hungarian method for the assignment problem. Naval Research Logistic Quarterly 2, 83–97 (1955)CrossRefMathSciNetGoogle Scholar
  16. 16.
    Mathewson, N., Dingledine, R.: Practical traffic analysis: Extending and resisting statistical disclosure. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 17–34. Springer, Heidelberg (2005)Google Scholar
  17. 17.
    Möller, U., Cottrell, L., Palfrader, P., Sassaman, L.: Mixmaster Protocol — Version 2. IETF Internet Draft (July 2003)Google Scholar
  18. 18.
    Serjantov, A., Danezis, G.: Towards an information theoretic metric for anonymity. In: Dingledine, R., Syverson, P. (eds.) PET 2002. LNCS, vol. 2482. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  19. 19.
    Sinkhorn, R.: A relationship between arbitrary positive matrices and doubly stochastic matrices. The Annals of Mathematical Statistics 35(2), 876–879 (1964)zbMATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Carmela Troncoso
    • 1
  • Benedikt Gierlichs
    • 1
  • Bart Preneel
    • 1
  • Ingrid Verbauwhede
    • 1
  1. 1.ESAT/SCD-COSIC, IBBTK.U. LeuvenLeuven-HeverleeBelgium

Personalised recommendations