Attacking Unlinkability: The Importance of Context

  • Matthias Franz
  • Bernd Meyer
  • Andreas Pashalidis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4776)


A system that protects the unlinkability of certain data items (e.g. identifiers of communication partners, messages, pseudonyms, transactions, votes) does not leak information that would enable an adversary to link these items. The adversary could, however, take advantage of hints from the context in which the system operates. In this paper, we introduce a new metric that enables one to quantify the (un)linkability of the data items and, based on this, we consider the effect of some simple contextual hints.


Equivalence Class; Random Graph; Communication Session; Anonymous Communication; Privacy Breach
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Matthias Franz (1)
  • Bernd Meyer (1)
  • Andreas Pashalidis (2)
  1. Siemens AG, Corporate Technology, Otto-Hahn-Ring 6, 81739 München, Germany
  2. NEC Europe Ltd, Network Laboratories, Kurfürsten-Anlage 36, 69115 Heidelberg, Germany
