Data Caching for Enhancing Anonymity

Transcription

1 Data Caching for Enhancing Anonyity Rajiv Bagai and Bin Tang Departent of Electrical Engineering and Coputer Science Wichita State University Wichita, Kansas , USA Eail: {rajiv.bagai, Abstract The benefits of caching for reducing access tie to frequently needed data, in order to iprove syste perforance, are already well-known. In this paper, a proposal for eploying data caching for increasing the level of anonyity provided by an anonyity syste is presented. This technique is especially effective for user sessions containing bidirectional counication, such as anonyous web browsing. A fraework is first constructed for capturing the effect of attacks on anonyity systes that have the ability to serve soe incoing user requests fro their cache. A syste-wide etric is then presented for easuring the anonyity provided by such systes. It is shown that the anonyity level of such systes rises with the aount of data caching perfored by the. This behavior is illustrated in an exaple threshold ix network. Index Ters Anonyity Metrics, Caching, Privacy. I. INTRODUCTION Applications of the Internet that require anonyous counication are becoing increasingly visible and their need is expected to grow significantly. Anonyous web surfing, chatting, e-ailing and e-voting are just soe exaples of tasks that require anonyity. As the underlying architecture of the Internet was not designed with such applications in ind, it has becoe necessary to develop special systes that bridge this gap and provide the needed anonyity. Two fundaental directions in which research on anonyity systes is usually perfored are: Syste architecture, which includes designs of anonyity systes, various techniques and strategies that underlie the, study of attacks they are vulnerable to, etc., and Anonyity etrics, which includes ethods for easuring the level of anonyity provided by systes, evaluating and coparing robustness of systes against given attacks, etc. The work described in this paper spans both of the above directions. Our architectural contribution is a proposal to adopt the technique of data caching in an anonyity syste that, in addition to resulting in the expected perforance gain due to caching, has the benefit of enhancing the level of anonyity provided by the syste. While ost currently popular techniques for providing anonyity, such as essage routing via proxies and onion encryption, do so at the expense of increasing essage latency, data caching has the advantage of providing anonyity in addition to decreasing latency. As our etric contribution, we develop a new etric for easuring the anonyity level of a syste equipped with caching abilities, and show that the greater the aount of caching perfored by the syste, the higher its resulting anonyity level. We also illustrate this phenoenon of rising anonyity in an exaple threshold ix network. To the best of our knowledge, our work is the first attept at quantifying the anonyity gains resulting fro caching. A. Related Work The ost popular architecture to date for anonyity systes is a ix network, proposed by Chau [1], which is a collection of proxy achines that jointly relay essages between senders and receivers connected to the network. TOR [6] and Mixinion [4] are well-known exaples of real systes based on this architecture. Not uch work has yet been done, however, on eploying data caching as a technique for achieving anonyity, despite the recognition ade by Shubina and Sith [14] of the potential of caching for this purpose. They proposed providing anonyity by a proactive procureent of web content fro available caches, such as Google cache, but since then there has not been any follow-up work in this direction, such as an analysis of anonyity gains thus achieved or a study of caching strategies for axiizing anonyity, etc. Ki and Ki [9] also noted the possibility of using caching for achieving anonyity, but their work focuses on server anonyity in unstructured P2P systes. In this paper, we study caching perfored by ix-based anonyity systes. The subject of anonyity etrics, on the other hand, has enjoyed uch research attention. Chau [2] suggested usage of the size of the set of possible users, within which a particular user blends in, as a easure of anonyity provided to that user. Serjantov and Danezis [11] proposed an entropy-based easure that takes into account the probabilities assigned by an attacker to different users for being the sender (or receiver of a particular essage. Diaz, Seys, Claessens and Preneel [5] gave a better entropy-based etric that can be used to copare systes with different nuber of users. Tóth, Hornák and Vajda [15] argued to additionally consider as a etric, the axiu probability an attacker can assign to any user. Kelly et al. [8] is a good survey of well-known work in the area of anonyity etrics. All approaches entioned above for easuring anonyity are fro the point of view of a single user of the syste or essage. In contrast, Edan, Sivrikaya, and Yener [7] proposed a fraework for easuring the anonyity provided

2 by a syste as a whole. Their ethod is based upon the size of the set of possible input-output pairs of essages that any particular input-output essage pair blends in. In this paper, we first develop a syste-wide etric that is a generalization of this etric for systes that perfor data caching. We then show that the anonyity level of such a syste rises with increased caching, and illustrate this phenoenon in an exaple threshold ix network. Such networks were first proposed by Serjantov, Dingledine and Syverson [12]. B. Paper Outline The rest of this paper is organized as follows. Section II gives an overview of the approach of Edan et al. [7] for easuring anonyity. It presents the underlying syste odel for which their etric is constructed, soe exaples of attack results on such systes, and the rationale for their etric. Section III presents our approach that first reoves soe of the liitations of the syste odel of [7] and then equips the syste with an ability to cache data. This section then presents our generalized anonyity etric for systes that eploy caching. It goes on to showing that the level of anonyity of a syste enjoys a onotonically increasing relationship with the aount of caching perfored in it. Section IV highlights this relationship in an exaple threshold ix network. Finally, Section V contains conclusions fro our work and gives several directions for future work. II. A SYSTEM-WIDE ANONYMITY METRIC In this section we give an overview of the etric proposed by Edan, Sivrikaya, and Yener [7] for the level of anonyity provided by an anonyity syste. Their etric is not specific to any particular architecture of the underlying syste, such as one organized as a coon network of ixes introduced by Chau [1], but is applicable to any syste that attepts to provide anonyity to counication transitted via it. Moreover, the etric gives a syste-wide easure of the effectiveness of the anonyity syste, unlike ost other approaches that typically easure the anonyity provided fro the perspective of a single user or essage in the syste. A. The Underlying Model Let S be the set of input essages observed by a passive observer having entered an anonyity syste, and T be the set of output essages observed by the sae observer having exited fro that syste. We assue that every input essage eventually appears as an output essage, and that the anonyity syste does not generate any output essages by itself. Thus, there is a one-to-one correspondence between S and T, and the sizes of these sets are identical. We let denote their size, i.e. S = T =. The ain goal of the anonyity syste is to prevent the observer fro deterining the underlying correspondence between S and T. It ay attept to achieve that goal by eploying a nuber of techniques such as: odifying essage encoding by encryption/decryption to prevent essage bit-pattern coparison by the observer, outputting essages in an order other than the one in which they were received to prevent sequence nuber association by the observer, etc. The axiu anonyity this syste can strive to achieve is when for any particular output essage in T, each of the input essages in S is a possible candidate to be the one that exited the syste as that essage in T. We depict this situation by the coplete bipartite graph K, between S and T, as shown in Figure 1(a. Any edge s i, t j in this graph indicates that the incoing essage s i could possibly have been the outgoing essage t j. s 4 (a t 4 Fig. 1. (a Coplete anonyity. (b An instance of no anonyity. An attacker, on the other hand, attepts to eliinate as any edges as possible fro the coplete bipartite graph of Figure 1(a, due to their infeasibility concluded fro the attack. After a copletely successful attack, for each outgoing essage t in T, the attacker would have identified exactly one possible incoing essage that could have exited the syste as t. In other words, the attacker would have obtained a perfect atching between the input and output essages of the syste. In this case, the syste is thus considered to provide no anonyity. There are! possible perfect atchings between S and T, an arbitrary one of which is shown in Figure 1(b. B. Soe Attack Exaples Figure(a and 1(b correspond to the two extree situations, naely coplete anonyity and no anonyity at all. In general, after having detected soe input-output pairings as infeasible, an attack would result in a bipartite graph that lies soewhere in between these two extree ends. Let this graph of possible input-output pairings resulting fro an attack be called the candidacy graph of that attack. Exactly which edges of the coplete bipartite graph are issing fro an attack s candidacy graph will depend upon how uch inforation is available to that attack. For exaple, if essages passing through an anonyity syste are not padded to becoe of the sae size, then essage sizes can clearly be used to rule out input-output essage pairings that are of different sizes. Many anonyity systes therefore pad their essages to becoe of equal size. s 4 (b t 4

3 However, systes in which all essages are of the sae size are then constrained to have soe axiu route length for essages, due to the fact that each essage (upon leaving the sender contains in it the addresses of all proxy servers it will go via. Serjantov and Danezis [11] present an attack that exploits knowledge of this axiu route length. The exaple of Figure 2 shows how this attack can render certain input-output pairings as infeasible. b a s3 (a c (b Fig. 2. (a Route length attack. (b Candidacy graph. Figure 2(a shows an anonyity syste with three ix nodes, S = {,, }, and T = {,, }. Messages a, b, and c are within the syste. Suppose the axiu route length for essages in this syste i, i.e. any s i can pass through at os ix nodes. If an attacker knows the axiu route length of this syste, and can observe essages entering and leaving each ix node, then he can infer that essage c ust be, because if it were either or the route length condition is violated as then that essage would have passed through 3 ix nodes. Therefore, cannot be. Figure 2(b shows the candidacy graph resulting fro this analysis, fro which the edge, is thus absent. Edan et al. [7] give another attack that notes the ties at which essages enter an anonyity syste and exit fro it. If in addition to this, the attacker knows the iniu and/or axiu latency of essages in the syste, a candidacy graph better than the coplete bipartite graph can be arrived at, as shown in the exaple of Figure 3. Entry ties (a Exit ties = 1 = 4 = 2 = 5 = 4 = 7 s 4 = 5 t 4 = 8 Fig. 3. (a Message entry and exit ties. (b Candidacy graph. s 4 (b t 4 Suppose each essage entering a certain anonyity syste coes out after a delay of between 1 and 4 tie units. If 4 essages enter and exit this syste at ties shown in Figure 3(a, then ust be either or, because the other outgoing essages, naely and t 4, are outside the possible latency window of. Siilar reasoning can be perfored on all other essages to arrive at the candidacy graph of this attack, shown in Figure 3(b. C. Anonyity Metric Given a candidacy graph obtained after perforing an attack, the nuber of possible perfect atchings allowed by that graph between senders and receivers is a good indication of the anonyity left in the syste in the afterath of the attack. For any bipartite graph G = (U, V, E, where U = V, we let Ĝ denote the nuber of one-to-one correspondences between U and V allowed by G. In other words, Ĝ is the cardinality of the following set: {f : U V f is a bijection, and u U, u, f(u E}. Ĝ is also known as the peranent of the 0-1 adjacency atrix of G (see Servedio and Wan [13] for the peranent of a atrix. When G = (S, T, E, where S = T = 1, is the candidacy graph of an attack, then Ĝ is essentially the nuber of perfect atchings between the incoing and outgoing essages possible after the attack. For a copletely toothless attack, G is the coplete bipartite graph K,, as in Figure 1(a, and Ĝ =!. If, on the other hand, G is the result of the ost successful attack that has succeeded in correlating all incoing essages with their outgoing counterparts, as in Figure 1(b, then Ĝ = 1. For the attack of Figure 2, Ĝ can be seen to be 4, and for that of Figure 3, Ĝ can be seen to be 4 as well. We define the anonyity level of the syste after an attack with candidacy graph G as: { 0 if = 1, d(g = log(ĝ log(! otherwise. As Ĝ perfect atchings between S and T are still possible after the attack (of the! total possible before the attack, log(ĝ / log(! captures the aount of inforation the attacker still needs to reveal the entire counication pattern of the syste. The value of d(g always lies between 0 and 1. When d(g = 0, Ĝ = 1 and the syste provides no anonyity to any sender. When d(g = 1, Ĝ =!, i.e. the syste is providing axiu anonyity. For the attack of Figure 2, the anonyity level is log(4 / log( , and for that of Figure 3, the anonyity is log(4 / log( It is instructive to observe that ost other entropy-based etrics, such as of Serjantov and Danezis [11] or of Diaz et al. [5], are for single essages. Such etrics thus have reasonable intuitive interpretations with as well as without

4 noralization by the nuber of essages or users in the syste. The etric defined above, on the other hand, is for the entire anonyity syste. Here, noralization (i.e. division by log(! is necessary for correct easureent, as illustrated by the following arguent. Suppose a new ix is added to the syste in Figure 2(a with s 4 as its only input and t 4 the only output. The candidacy graph of this syste will have the edge s 4, t 4, in addition to those in Figure 2(b. The anonyity level of the odified syste is clearly lower than that of the original one, as it exposes s 4 copletely. However, Ĝ = 4 is still the sae for both systes, so by itself is not a good etric. The noralized etric, on the other hand, decreases fro log(4 / log( to log(4 / log( , which is in line with our intuitive lowering of the anonyity level. III. DATA CACHING The odel of the anonyity syste presented in the previous section has the following two characteristics: the counication carried by the syste is only unidirectional, and the syste siply relays all essages. The above characteristics are liiting. Firstly, such systes are often used by clients to anonyously access resources fro servers, such as web-browsers obtaining files fro web-servers during a session of anonyous web-surfing. In such applications, clients need to send anonyous requests to servers and receive responses to their requests, i.e. counication via the anonyity syste is bidirectional. Secondly, if the anonyity syste is equipped with the ability to store soe requested content in its cache, subsequent client requests for those cached resources can be satisfied by the syste itself. As those requests do not need to be relayed to their respective end servers, they can be blocked by the anonyity syste. In this section we present a odel of an anonyity syste with such caching abilities, and show that this added functionality iproves the overall anonyity provided by the syste. A. A New Model We consider an anonyity syste that aintains one or ore internal caches. The syste ight fill its caches either in an eager and proactive anner, such as by fetching in advance contents of web pages frequently accessed via it, or in a lazy and reactive anner, as by storing a copy of soe of the server responses that pass through it. Upon receiving any request essage fro a sender, it first deterines if that request can be served by cached content already present in the syste. If so, that incoing request is served fro within and it does not appear as an outgoing essage of the syste. If S and T are, as before, the sets of input and output essages of this syste, respectively, this syste behavior results in S T. Note that, in general, a perfect atching between S and T is not possible any ore. Of the S = input essages of the syste, suppose only T = n appear as output, where n. The reaining n essages are assued to be blocked by the syste due to caching. The candidacy graph of an attack will now be a bipartite graph between S and T whose set of edges will be a subset of the set of edges in the coplete K,n bipartite graph. As an exaple, suppose the syste of Figure 2(a does not produce essage as output because it can service that request fro its cache. Thus, for this syste, S = {,, }, and T = {, }. The candidacy graph of the sae attack on this odified syste is essentially that in Figure 2(b, fro which the vertex is deleted, along with all edges connected to it. The resulting candidacy graph is shown in Figure 4(a. It is, in fact, the coplete bipartite graph K 3,2, because the attack can now eliinate no input-output essage pair as infeasible. (a (b Fig. 4. (a Candidacy graph G of route length attack on syste of Figure 2, odified with cache for essage. (b All left-projections of G. B. A Generalized Anonyity Metric As for easuring the anonyity provided by a syste that perfors caching, we begin by aking the following two observations: The n blocked essages do not appear as output, so cannot be correlated with any outgoing essage. The anonyity received by these blocked essages is therefore considered to be axial, since an observer cannot deduce who their senders counicated with. Although there ay not be a perfect atching between S and T (if their sizes are different, the n outgoing essages ust be soe n of the incoing essages. The total nuber of possible atchings allowed by a candidacy graph, between T and any subset of S of size n, is a now a good indication of the anonyity provided by the syste after the attack. For any set U, and n 0, we let S n (U be the set of all subsets of U of size n. Definition 1: A bipartite graph P = (W, V, F is called a left-projection of a bipartite graph G = (U, V, E, if: 1 W S V (U, and 2 F = { u, v E u W }. In other words, P is a subgraph obtained fro G by reoving any U V vertices fro U (and edges connected to those vertices. We let L(G denote the set of all left-projections of

5 G. The following proposition follows iediately fro the above definition. Proposition 1: If G is a coplete bipartite graph K,n, where n, then each P L(G is a coplete bipartite graph K n,n. Figure 4 is an exaple of the situation entioned in the above proposition. The candidacy graph of Figure 4(a is coplete, with = 3 and n = 2. Figure 4(b shows all its left-projections. They are all coplete as well, with just different vertex labels. The following proposition is also straightforward. Proposition 2: Any labeled bipartite graph G = (U, V, E has ( U V distinct left-projections. We now develop our etric for the anonyity provided by a syste after an attack that results in a candidacy graph G = (S, T, E, where S = 1, T = n 0, and n. We define the syste s anonyity level as: d (G = 0 if = n = 1, 1 if n = 0, ( 1 n log ( P P L(G n + log(( n n! otherwise. The above etric can be viewed as the arithetic ean of the anonyity provided by the syste to each of the incoing essages. Its value also lies between 0 (for no anonyity and 1 (for full anonyity. As observed earlier, of all the input essages, n essages get blocked by the syste and do not appear as output, so the anonyity provided to those n essages is axial, i.e. 1. The total nuber of perfect atchings allowed by G for the reaining n essages is the su of the nuber of their perfect atchings allowed by all the left-projections of G, i.e. P. P L(G Moreover, there are ( n left-projections of G, each of which can allow a axiu of n! perfect atchings. The following theore shows that the above etric d is a generalization of the old etric d, in that the two coincide when the syste cannot ake use of caching to eliinate any output essage. Theore 1: If = n, d (G = d(g. Proof: Both etrics are 0 for = 1. When > 1, since = n, L(G is the singleton set {G}, and ( n = 1. Thus, in this case, d (G siply reduces to log(ĝ / log(!, which is d(g. C. Enhanced Anonyity Although it is intuitive that caching enhances the anonyity provided by a syste, we now forally prove that fact. We begin by revisiting the exaple of Figure 4 and, as an exercise, copute the anonyity of that attack according to our new etric. For the candidacy graph G of Figure 4(a, = 3 and n = 2. All left-projections of this candidacy graph are shown in Figure 4(b. It is easily seen that for each P L(G, P = 2. The anonyity level d (G is thus 1 3 [ log ( log( ( 3 2 2! which i. On the other hand, the anonyity level of the candidacy graph of Figure 2(b was coputed in Section II-C to be log(4 / log( Caching has thus resulted in an increase in the anonyity of this syste by eliinating the outgoing essage. It can be verified that a soewhat odest gain in anonyity, fro to 0.849, is achieved by eliinating instead any one of the other essages, or. If, however, both as well as can be eliinated, the syste s anonyity level is higher, We now show that such a gain in the anonyity can always be expected by caching. Definition 2: A bipartite graph H = (U, Q, F is called a right-clipping of a bipartite graph G = (U, V, E, denoted G H, if: 1 V Q, and 2 F = { u, v E v Q}. In other words, H is a subgraph obtained fro G by reoving zero or ore vertices fro V (and edges connected to those vertices. The following proposition follows iediately fro the above definition. Proposition 3: If G is labeled, it ha V right-clippings. Note also, that is a reflexive, antisyetric, and transitive relation on bipartite graphs, resulting in the following proposition. Proposition 4: is a partial order. It is instructive to observe that, adding caching into an anonyity syste essentially reduces the candidacy graph of a given attack to soe right-clipping of it. Our ain result of this section will deonstrate a onotonic relationship between the aount of caching perfored by a syste and the level of anonyity provided by it. We first establish the following lea pertaining to clipping exactly one right-vertex of a candidacy graph. Lea 1: Let G = (U, V, E and H = (U, Q, F, where U = V = n + 1, and Q = n. If G H, then ( (n + 1 log P ( P L(G log( ( n log P P L(H 1 + n+1 (n + 1! log((. n n! Proof: G has one vertex, called v, in addition to those in H, i.e. V Q = {v}. Let X be the nuber of perfect atchings in H of Q, i.e. X = P L(H P. Consider any such perfect atching of Q in soe fixed P 0 = (U 0, Q, F 0 L(H. As shown in Figure 5, since U 0 = n, the vertex v can be connected in G to at ost all of n vertices of U U 0. There are thus at ost n perfect atchings in G of V that preserve the given perfect atching in H. Therefore, P L(G P ( nx. ],

6 Any given atching U 0 = n Q = n graph exists, and secondly, > 1. Let H 0 be that graph. Fro the definition of d (H 0, we have ( d (H 0 = 1 (n + 1 log P P L(H 0 n 1 + log( (. n+1 (n + 1! - n v By applying Lea 1, we obtain ( d (H 0 1 n log P P L(H n + log((. n n! Fig. 5. All possible connections of vertex v in G, for any given perfect atching of Q in H. Also, let Y = ( n n!. It is easily verified that ( n+1 (n + 1! = ( ny. It thus suffices to show that 1 + n log(x log(y (n + 1 log(( nx log(( ny 0. Both denoinators in the above expression are positive. The nuerator of the expression obtained by converting the above to have a coon denoinator for its ters is log(y log(( ny + n log(x log(( ny (n + 1 log(( nx log(y. It reains to be shown that the above is always non-negative. By using eleentary properties of logariths and perforing algebraic siplification, the above expression can be easily transfored to [log(y log(x] [log(y log(( n n ]. As Y is the axiu nuber of perfect atchings possible in H of Q, and X is the actual nuber of the, it follows that Y X, thus log(y log(x 0. Also, since Y = i= n+1 i, which is a product of n values, each of who is larger than n, we have that Y ( n n. Thus, log(y log(( n n 0, and the lea holds. We now show that by increasing the aount of data caching perfored by an anonyity syste, the level of anonyity provided by that syste is also increased. Theore 2: Let G = (U, V, E and H = (U, Q, F, where U = V = n G Q = n. If G H, then d (G d (H. Proof (By weak induction on n G n: In the base case, n G n = 0. The theore follows trivially, as now G H iplies G = H. In the inductive case, n G n > 0. By the inductive hypothesis, for all bipartite graphs H = (U, Q, F, such that Q = n + 1 and G H, we have that d (G d (H. Of these, there are exactly n G n graphs H for which, additionally, H H. Since n G > n, firstly, at least one such The above expression is d (H, and the theore follows fro the transitivity of. IV. APPLICATION TO THRESHOLD MIX NETWORKS Threshold ix networks were introduced by Serjantov, Dingledine and Syverson [12] as a high-latency strategy to counter input-output essage correlation by operating a ix in iterative rounds. A essage is initially ultiply encrypted, and each ix that it passes through decrypts its outerost layer. In each round, a ix in such networks collects soe threshold nuber of incoing essages and outputs a decrypted version of the in soe different order. The decryption prevents correlation by siple essage bit-pattern coparison. The ain goal of this strategy is to prevent correlation by essage entry/exit sequence nubers by flushing essages out in an order other than the one in which they cae in. Waiting for essages to arrive before sending the out adds latency, which is the price paid for achieving this goal. Fro the point of view of anonyity, an iportant difference between this odel and the one we have been considering so far in this paper is that any incoing essage now blends in with other essages only in its own round. This has a detriental effect on the overall anonyity of the syste, especially as rounds progress. Let after r rounds, n be the average nuber of essages sent out in each round (where the reaining n incoing essages per round were served by the syste s internal cache. s 4 Round 1 Round 2 Fig. 6. Candidacy graph without any attack after two rounds, with = 4 and n = 3. Figure 6 shows the candidacy graph without any attack after two rounds, with = 4 and n = 3. Since there is no attack, s 5 s 6 s 7 s 8 t 4 t 5 t 6

7 the candidacy graph after the first round is K 4,3, for which the level of anonyity is d = (1/4 (( log(24 / log(24 = 1. However, after two rounds, as shown in Figure 6, the candidacy graph is K 4,3 K 4,3, for which the anonyity level can be seen to have been lowered fro d = 1 to d = (1/8 (( log(24 / log(56 = In general, after r rounds, the overall anonyity provided by the ix thus far is 1 [ n + nr log(( n n! log(( r nr (nr! Table I shows how the anonyity level of an exaple syste with = 100 varies with the nuber of rounds and the average aount of caching in each round perfored by the syste. ]. Round Average Caching Level Nuber 0% 20% 40% 70% 100% TABLE I ANONYMITY IN A THRESHOLD NETWORK WITH = 100, OVER DIFFERENT AVERAGE CACHING LEVELS AND MIX ROUNDS In the above table, the case of 0% caching corresponds to n =. If, on an average, the syste responds to 20% of the incoing essages by its cache, then n = 0.8. As an extree case, if all incoing essages can be handled by the syste s cache, i.e. n = 0, then the level of anonyity provided by the syste after each round i, which is the axiu. Figure 7 depicts the anonyity variation given in Table I in the for of an easier to visualize graph. It is evident fro the graph that the anonyity provided by the syste reduces as the rounds progress, but increases with the aount of caching perfored in the syste. V. CONCLUSIONS AND FUTURE WORK Anonyity systes that are used for applications such as anonyous web surfing, first attept to provide sender anonyity for requests sent by the users to servers, and then receiver anonyity for the responses sent back by the servers to the requesting users. If such systes have the ability to cache soe server responses, then those cached contents can be used for future user requests for the sae resources, without having to relay those requests to the servers. We have shown that the overall anonyity provided by such systes to their users is higher than that provided by systes that do not eploy caching. In fact, our results show that the greater the nuber of requests that can be served fro the syste s = 100 Full caching 70% caching 40% caching 20% caching No caching Fig. 7. Graphical representation of anonyity levels in Table I. internal cache, the higher the anonyity. To the best of our knowledge, our work is the first attept at quantifying the anonyity gains resulting fro caching. Most currently popular techniques for providing anonyity, such as essage routing via proxies and onion encryption, result in increasing essage latency and are thus carried out at the expense of perforance. In contrast, data caching has the advantage of providing anonyity in addition to iproving perforance, as it clearly also results in reduction of bandwidth usage and data access latency. Extra storage capacity of ix nodes for holding the caches and extra effort needed to keep those caches up-to-date are two trade-offs for the gains achieved by caching. As storage is constantly becoing ore readily available, the first trade-off is insignificant. However, aintaining cache consistency incurs traffic overhead and, if not dealt with carefully, could cause unreasonable perforance degradation. Analysis of this aspect of caching in anonyity systes, we have for now left as future work. Our technique opens up several other possible future research directions, as outlined below. A network of ix nodes, as proposed by Chau [1], is a popular architecture of current anonyity systes, such as TOR [6] and Mixinion [4]. In these systes, essages are routed over paths of ix nodes, and these paths are constructed dynaically fro the pool of available ix nodes at any tie. An interesting direction for future research is developing strategies for selecting ix nodes for placeent of caches, integrated with strategies for constructing paths of ix nodes in order to axiize the syste s anonyity level. If a user s access patterns can be anticipated, then that user s requests can be routed over paths that are ore likely to contain caches that can satisfy those requests. The Statistical Disclosure Attack (SDA, proposed by Danezis [3], is known to be a very powerful attack, targeted against a single user. The attack uncovers the servers often contacted by that user. Many defense strategies have been proposed for thwarting this attack, of which the one by Mallesh

8 and Wright [10] of sending duy essages generated fro within the anonyity syste is particularly effective. We plan to cobine that strategy with our caching technique, such as for exaple by generating a duy request each tie a genuine request is served by a cache. Such a cobined strategy should be an even ore effective countereasure against SDA, especially if the syste has an intelligent strategy to send its duy essages to strategically chosen servers. The edges of the candidacy graphs we considered in this paper are all equally likely. However, an attacker ay be able to assign probabilities to the by soe function p(u, v indicating the probability that the incoing essage u is the outgoing essage v. An anonyity etric for systes with probabilistic attacks is presented in Edan et al. [7]. We are currently working on arriving at a etric for such systes in the presence of caching. ACKNOWLEDGMENT The research described in this paper has been partially supported by the United States Navy Engineering Logistics Office contract no. N C REFERENCES [1] D. Chau. Untraceable electronic ail, return addresses, and digital pseudonys. Counications of the ACM, 24(2:84 88, [2] D. Chau. The dining cryptographers proble: Unconditional sender and recepient untraceability. Journal of Cryptology, 1:65 75, [3] G. Danezis. Statistical disclosure attacks: Traffic confiration in open environents. In Proceedings of Security and Privacy in the Age of Uncertainty, pages , Athens, May [4] G. Danezis, R. Dingledine, and N. Mathewson. Mixinion: Design of a type iii anonyous reailer protocol. In Proceedings of the IEEE Syposiu on Security and Privacy, page 15, May [5] C. Diaz, S. Seys, J. Claessens, and B. Preneel. Towards easuring anonyity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop, pages 54 68, [6] R. Dingledine, N. Mathewson, and P. Syverson. Tor: The secondgeneration onion router. In Proceedings of the 13th USENIX Security Syposiu, page03 320, Augus004. [7] M. Edan, F. Sivrikaya, and B. Yener. A cobinatorial approach to easuring anonyity. In Proceedings of the IEEE International Conference on Intelligence and Security Inforatics, page56 363, [8] D. Kelly, R. Raines, M. Griaila, R. Baldwin, and B. Mullins. A survey of state-of-the-art in anonyity etrics. In Proceedings of the 1st ACM Workshop on Network Data Anonyization, page1 39, [9] B. Ki and K. Ki. Efficient caching strategies for Gnutella-like systes to achieve anonyity in unstructured P2P file sharing. In Proceedings of the 6th Conference on Next Generation Inforation Technologies and Systes, page17 128, Kibbutz Shefayi, Israel, [10] N. Mallesh and M. Wright. Countering statistical disclosure with receiver-bound cover traffic. In Proceedings of the 12th European Syposiu on Research In Coputer Security, pages , Dresden, Gerany, [11] A. Serjantov and G. Danezis. Towards an inforation theoretic etric for anonyity. In Proceedings of the 2nd Privacy Enhancing Technologies Workshop, pages 41 53, [12] A. Serjantov, R. Dingledine, and P. Syverson. Fro a trickle to a flood: Active attacks on several ix types. In Proceedings of the 5th International Workshop on Inforation Hiding, Noordwijkerhout, The Netherlands, October [13] R. A. Servedio and A. Wan. Coputing sparse peranents faster. Inforation Processing Letters, 96(3:89 92, [14] A. M. Shubina and S. W. Sith. Using caching for browsing anonyity. ACM SIGEco Exchanges, 4(2:11 20, [15] G. Tóth, Z. Hornák, and F. Vajda. Measuring anonyity revisited. In Proceedings of the 9th Nordic Workshop on Secure IT Systes, pages 85 90, Espoo, Finland, 2004.