Limits of Anonymity in Open Environments

  • Dogan Kedogan
  • Dakshi Agrawal
  • Stefan Penz
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2578)


A user is only anonymous within a set of other users. Hence, the core functionality of an anonymity providing technique is to establish an anonymity set. In open environments, such as the Internet, the established anonymity sets in the whole are observable and change with every anonymous communication. We use this fact of changing anonymity sets and present a model where we can determine the protection limit of an anonymity technique, i.e. the number of observations required for an attacker to “break” uniquely a given anonymity technique. In this paper, we use the popular MIX method to demonstrate our attack. The MIX method forms the basis of most of the today’s deployments of anonymity services (e.g. Freedom, Onion Routing, Webmix). We note that our approach is general and can be applied equally well to other anonymity providing techniques.


Open Environment Learning Phase Batch Size Communication Partner Anonymous Communication 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    D. Chaum: The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, 1:65–75, 1988. 53zbMATHCrossRefMathSciNetGoogle Scholar
  2. [2]
    D. Chaum: Untraceable electronic mail, return addresses and digital pseudonyms. Communications of the A. C. M., 24(2):84–88, February 1981. 53, 55Google Scholar
  3. [3]
    D. J. Farber, K.C. Larson: Network Security Via Dynamic Process Renaming. Fourth Data Communication Symposium, 7-9 October 1975, Quebec City, Canada. 53Google Scholar
  4. [4]
    P.A. Karger: Non-Discretionary Access Control for Decentralized Computing Systems. Master Thesis, Massachusetts Institute of Technology. Laboratory for Computer Science, 545 Technology Square, Camebridge, Massachusetts 02139, Mai 1977, Report MIT/LCS/TR-179. 53Google Scholar
  5. [5]
    A. Pfitzmann, M. Waidner, Networks without user observability, design options. In: Advances in Cryptology. Eurocrypt’ 85, volume 219 of Lecture Notes in Computer Science. Spinger-Verlag, 1985. 53Google Scholar
  6. [6]
    B. Chor, O. Goldreich, E. Kushilevitz, M. Sudan: Private information retrieval. In: 36th IEEE Conference on the Foundations of Computer Science, pages 41–50. IEEE Computer Society Press, 1995. 53Google Scholar
  7. [7]
    D.A. Cooper, K.P. Birman: Preserving privacy in a network of mobile computers. In: 1995 IEEE Symposium on Research in Security and Privacy, pages 26–38. IEEE Computer Society Press, 1995. 53Google Scholar
  8. [8]
    A. Pfitzmann: Dienstintegrierende Kommunikationsnetze mit teilnehmerüberpr üfbarem Datenschutz. IFB 234, Springer-Verlag, Heidelberg 1990(in German). 53, 56Google Scholar
  9. [9]
    H. Federrath, A. Jerichow, A. Pfitzmann: MIXes in Mobile Communication Systems: Location Management with Privacy. Information Hiding, LNCS 1174. Springer-Verlag, Berlin 1996, 121–135. 54Google Scholar
  10. [10]
    C. Gülcü, G. Tsudik: Mixing E-mail with BABEL. In: Symposium on Network and Distributed Systems Security (NDSS’ 96), San Diego, California, February 1996. 54, 56Google Scholar
  11. [11]
    A. Jerichow, J. Müller, A. Pfitzmann, B. Pfitzmann, M. Waidner: Real-Time Mixes: A Bandwidth-Efficient Anonymity Protocol. IEEE Journal on Selected Areas in Communications, 1998. 54Google Scholar
  12. [12]
    A. Pfitzmann, B. Pfitzmann, M. Waidner: ISDN-mixes: Untraceable communication with very small bandwidth overhead. In: GI/ITG Conference: Communication in Distributed Systems, pages 451–463. Springer-Verlag, Heidelberg, February 1991. 54Google Scholar
  13. [13]
    M. G. Reed, P. F. Syverson, D. M. Goldschlag: Anonymous connections and onion routing. IEEE Journal on Special Areas in Communications, 16(4):482–494, May 1998. 54CrossRefGoogle Scholar
  14. [14]
    M. G. Reed, P. F. Syverson, D. M. Goldschlag: Protocols using Anonymous Connections: Mobile Applications, Security Protocols. 5th International Workshop Proceedings. B. Christianson, B. Crispo, M. Lomas, and M. Roe (eds.). Springer-Verlag LNCS 1361, 1998, pp. 13–23. 54Google Scholar
  15. [15]
    D. Kesdogan, J. Egner, R. Büschkes: Stop-and-go mixes providing probabilistic security in an open system. In: David Aucsmith (ed.): Information Hiding: Second InternationalWorkshop, volume 1525 of Lecture Notes in Computer Science, pages 83–98. Springer-Verlag, Berlin, Germany, 1998. 54, 56CrossRefGoogle Scholar
  16. [16]
    B. Pfitzmann, A. Pfitzmann: How to Break the Direct RSA-Implementation of MIXes. Eurocrypt’ 89, LNCS 434. Springer-Verlag, Berlin 1990, pp. 373–381. 55Google Scholar
  17. [17]
    J. F. Raymond: Traffic Analysis: Protocols, Attacks, Design Issues, and Open Problems. International Workshop on Design Issues in Anonymity and Unobservability, Berkley, LNCS 2009. Springer-Verlag, 2001. 56, 57Google Scholar
  18. [18]
    O. Berthold, H. Langos: Dummy Traffic Against Long Term Intersection Attacks. Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA, April 14-15, 2002. 56Google Scholar
  19. [19]
    M. Wright, M. Adler, B.N. Levine, C. Shields: An Analysis of the Degradation of Anonymous Protocols. Proceedings of the ISOC Network and Distributed System Security Symposium (NDSS 2002), February 2002. 56Google Scholar
  20. [20]
    L. Cottrell: Mixmaster, 56
  21. [21]
    D. Kesdogan: Evaluation of Anonymity Providing Techniques using Queueing Theory. The 26th Annual IEE Conference on Local Computer Networks (LCN 2001), November 15-16, 2001, Tampa, Florida. 56Google Scholar
  22. [22]
    A. Serjantov, G. Danezis: Towards an Information Theoretic Metric for Anonymity. Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA, April 14-15, 2002. 56Google Scholar
  23. [23]
    C. Diaz, S. Seys, J. Claessens, B. Preneel: Towards Measuring Anonymity,Workshop on Privacy Enhancing Technologies, San Francisco, CA, USA, April 14-15, 2002. 56Google Scholar
  24. [24]
    R. Dechter, D. Frost: Backtracking algorithms for constraint satisfaction problems. An ICS technical report, September 1999. 61, 63Google Scholar
  25. [25]
    P. v. Beek: A C-library of routines for solving binary constraint satisfaction problems. 63
  26. [26]
    V. Kumar: Algorithms for Constraint Satisfaction Problems, A Survey. AI magazine, 13(1):32–44, 1992. 63Google Scholar
  27. [27]
    O. Berthold, H. Federrath, S. Köpsell: Web MIXes: A System for Anonymous and Unobservable Internet Access. International Workshop on Design Issues in Anonymity and Unobservability, Berkley, 2009 LNCS. Springer-Verlag, 2001.Google Scholar
  28. [28]
    I. Goldberg, A. Shostack: Freedom network whitepapers.Google Scholar
  29. [29]
    C. Racko., D.R. Simon: Cryptographic defence against traffic analysis. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on the Theory of Computing, pages 672–681, San Diego, California, 16-18 May 1993.Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Dogan Kedogan
    • 1
  • Dakshi Agrawal
    • 2
  • Stefan Penz
    • 1
  1. 1.Computer Science Department Informatik IVAachen University of TechnologyAachenGermany
  2. 2.IBM T. J. Watson Research CenterHawthorneUSA

Personalised recommendations