Anonymity Trilemma: Strong Anonymity, Low Bandwidth, Low Latency Choose Two

Transcription

1 Anonymity Trilemma: Strong Anonymity, Low Bandwidth, Low Lateny Choose Two Debajyoti Das Purdue University, USA Sebastian Meiser University College London, U s.meiser@ul.a.uk Esfandiar Mohammadi ETH Zurih, Switzerland mohammadi@inf.ethz.h Aniket ate Purdue University, USA aniket@purdue.edu Abstrat This work investigates the fundamental onstraints of anonymous ommuniation AC) protools. We analyze the relationship between bandwidth overhead, lateny overhead, and sender anonymity or reipient anonymity against the global passive network-leve adversary. We onfirm the trilemma that an AC protool an only ahieve two out of the following three properties: strong anonymity i.e., anonymity up to a negligible hane), low bandwidth overhead, and low lateny overhead. We further study anonymity against a stronger global passive adversary that an additionally passively ompromise some of the AC protool nodes. For a given number of ompromised nodes, we derive neessary onstraints between bandwidth and lateny overhead whose violation make it impossible for an AC protool to ahieve strong anonymity. We analyze prominent AC protools from the literature and depit to whih extent those satisfy our neessary onstraints. Our fundamental neessary onstraints offer a guideline not only for improving existing AC systems but also for designing novel AC protools with non-traditional bandwidth and lateny overhead hoies. I. INTRODUCTION Millions of users from all over the world employ anonymous ommuniation networks, suh as Tor [], to protet their privay over the Internet. The design hoie made by the Tor network to keep the lateny and bandwidth overheads small has made it highly attrative to its geographially diverse user-base. However, over the last deade, the aademi literature [2] [8] has demonstrated Tor s vulnerability to a variety of traffi orrelation attaks. In fat, Tor also has been suessfully attaked in pratie [9]. It is widely aepted that low-lateny low-bandwidth overhead of anonymous ommuniation AC) protools, suh as Tor [0], an only provide a weak form of anonymity []. In the anonymity literature, several AC protools were able to overome this seurity barrier to provide a stronger anonymity guarantee ryptographi indistinguishability based anonymity [2], [3]) by either inreasing the lateny overhead or the bandwidth overhead. In partiular, high-lateny approahes suh as threshold mix networks [4]) an ensure strong anonymity by introduing signifiant ommuniation delays for users messages, while high-bandwidth approahes suh as Dining Cryptographers network [5] and its extensions [6] [8]) an provide strong anonymity by adding opious noise or dummy) messages. There have been a few efforts to propose hybrid approahes [9] [24] that try to provide anonymity by simultaneously introduing lateny and bandwidth overhead. However, it is not lear how to balane suh system parameters to ensure strong anonymity while preserving pratial performane. In general, in the last 35 years a signifiant amount of researh efforts have been put towards onstruting novel AC protools, deploying them, and attaking real-world AC networks. However, unlike other seurity fields suh as ryptography, our understanding regarding the fundamental limits and requirements of AC protools remains limited: Can we prove that stronger anonymity annot be ahieved without introduing large lateny or bandwidth overhead? When we wish to introdue the lateny and bandwidth overheads simultaneously, do we know the overhead range values that still fall short at providing stronger anonymity? This work takes some important steps towards answering these fundamental questions assoiated with anonymous ommuniation. Our Contribution. We onfirm a previously onjetured [24], [25] relationship between bandwidth overhead, lateny overhead and anonymity. We find that there are fundamental bounds on sender and reipient anonymity properties [2], [3], [26] of a protool that diretly depend on the introdued bandwidth and lateny overheads. This work presents a generi model of AC protools using petri nets [27], [28] suh that different instantiations of this model will represent different AC protools, overing most pratial AC systems in the literature. We derive upper bounds on anonymity as funtions of bandwidth overhead and lateny overhead, against two prominent adversary lasses: global passive network-level adversaries and stritly stronger adversaries that further passively) ompromise some protool parties e.g., relays in ase of Tor). Naturally, the bounds are valid against any stronger adversary lass as well. For both adversary lasses, we analyze two different user distributions: i) synhronized user distributions, where users globally synhronize their messages, and ii) unsynhronized user distributions, where eah user loally deides when to send his messages independent of other users. We analyze the trade-off between lateny overhead and bandwidth overhead required to ahieve strong anonymity, i.e., anonymity up to a negligible in a seurity parameter η) hane of failure. For any AC protool where only a fration of β users send noise messages per ommuniation round, and where messages an only remain in the network for l ommuniation rounds, we find that against a global network-

2 level adversary no protool an ahieve strong anonymity if 2βl < polyη) even when all the protool parties are honest. In the ase where a stritly stronger adversary additionally passively ompromises out of ) protool parties, we show that strong anonymity is impossible if 2l )β < polyη) for <, or 2βl < polyη) and l O) for. We show the orretness of our results and assess their pratial impat by analyzing prominent AC protools. Our impossibility results naturally only offer neessary onstraints for anonymity, but not suffiient onditions for the AC protool. However, these neessary onstraints for sender and reipient anonymity are ruial for understanding bi-diretional anonymous ommuniation. In fat, we find that several AC protools in literature are asymptotially lose to the suggested onstraints, and we propose designers of new AC protools to use our results as a neessary guideline of their designs. Organization. Setion II presents a detailed overview of our protool model and our analysis. Setion III formally defines the anonymity property, the game setup, and the user distributions. Setion IV details our protool model for AC protools using timed olored petri-net, the anonymity invariant, and an ideal protool. In Setion V and Setion VI, we analyze the anonymity for the synhronized user distribution against non-ompromising and partially ompromised adversary respetively. In Setion VII and Setion VIII, we analyze the anonymity for the unsynhronized user distribution. In Setion IX, we desribe the results for reipient anonymity. Setion X ompares our anonymity bounds for some prominent AC protools. Setion II-E disusses the related work. II. OVERVIEW A. Formalization and Adversary Model AC Protools as Petri Nets. We define a view of AC protools as petri nets [27], [28], i.e., as graphs with two types of labeled nodes: plaes, that store olored tokens, and transitions, that define how these tokens are sent over the graph. In our ase, eah olored token represents a message, plaes are the protool parties that an reeive, hold and send messages, and transitions desribe how parties exhange and relay messages. Our model aptures all AC protools under the assumption that messages are transmitted diretly, i.e., in order for Bob to reeive a message from Alie, Alie has to send the message and the message albeit relayed, delayed and ryptographially modified) eventually has to reah Bob. While this requirement may sound strit, as elaborated in Setion IV-C, we effetively only exlude few esoteri protools. User distributions, ommuniation rounds, bandwidth overhead, and lateny. We onsider two types of user distributions. In the first user distribution synhronized) N users send their messages in exatly N rounds see Figure for notations). Per round, exatly one user sends a message. The protool deides whih users send noise messages in eah round. In the seond user distribution unsynhronized) eah user independently deides whether to send a message in a round using a biased oin flip, with a bias p. The model onsiders synhronous ommuniation rounds as in [6], [7], [29], [30]. We model lateny overhead l as the number of rounds a message an be delayed by the protool before being delivered. We formalize bandwidth overhead β as the number of noise messages per user that the protool an reate in every round, i.e., the dummy message rate. Our two types of user distributions over a large array of possible senarios. Results for our user distributions imply results for similar distributions, if a redution proof an show that they are less favorable to the protool. Adversaries. We onsider global passive non-ompromising adversaries, that an observe all ommuniation between protool parties; and stritly stronger partially ompromising passive) adversaries, that an ompromise protool parties to learn the mapping between inputs and outputs for this party. Anonymity Property. We leverage an indistinguishability based anonymity notion for sender anonymity: the adversary has to distinguish two senders of its own hoosing [2], [3]. For a seurity parameter η, we say that a protool ahieves strong anonymity, if the adversary s advantage remains negligible in η. If an AC protool has strong anonymity, it is seure under omposition e.g., for streams of messages or usage over a longer time period) and formally, η limits the number of ompositions. Strong anonymity is relative to a strength η, whih is bound to system parameters or analysis parameters suh as the number of users or protool parties, the lateny overhead and the bandwidth overhead. These parameters typially inrease as η inreases, whih improves the protool s anonymity. 2 Anonymity in relation to η unifies a wide variety of possible analyses on how the anonymity bound hanges with hanging system parameters, and user numbers and behaviors. B. Brief Overview of the Proof Tehnique As non-ompromising adversaries are a subset of partially ompromising adversaries, our proof tehnique for the former is a simplified ase of the latter. In general, we derive our results in four main steps. First, we define a onrete adversary A paths, that uses a well established strategy: upon reognizing the hallenge message as soon as it reahes a reeiver) A paths onstruts the possible paths this message ould have taken through the network, and tries to identify the user who has sent the message. Seond, given the onrete adversary A paths, we identify a neessary invariant that any protool has to fulfill in order to provide anonymity. Intuitively: both hallenge users hosen by the adversary must be ative i.e., send at least one message) before the hallenge message reahes the reipient, and it must be possible for these messages to meet in at least one Suh distributions might ontain usage patterns, irregularities between users and synhronization failures that the adversary an exploit. 2 In some analyses, individual parameters may redue with inreasing η, suh as the bandwidth overhead per user, as the other parameters, suh as the number of users, inrease. 2

3 honest party along the way. We prove that indeed this natural invariant is neessary for anonymity. Next, we propose an ideal protool Π ideal that is optimal in terms of satisfying the invariant: The probability that Π ideal fulfills the neessary invariant is at least as high as for any protool within our model limited by the same onstraints for β and. Moreover, whenever Π ideal satisfies the invariant, the advantage of A paths is zero. Thus, Π ideal is at least as good as any protool within our model at winning against A paths. Finally, we alulate the advantage of A paths against Π ideal to obtain a lower bound on the adversarial advantage against all protools within our model. 3 C. Senarios and Lower Bounds We devise neessary onstraints for four different senarios. Let Π be a protool in our model, with N users, restrited by bandwidth overhead β and lateny overhead l. For the ompromising ases, the adversary is allowed to ompromise out of protool parties. We derive the following lower bounds for δ-sender anonymity in the respetive senarios. Synhronized Users, Non-ompromising Adversaries: )) δ < f β, where f β d) = min,. d+βnd N Synhronized Users, Partially Compromising Adversaries: { [ δ < ]fβ l [ ) ]fβ ) f β l ) < l. Unsynhronized Users, Non-ompromising Adversaries: δ < [ 2 + f p ], where for p β we have f p d) = min 2, p) d ) for a positive integer d. Unsynhronized Users, Partially Compromising Adv.: [ ][ 2 + f p] l δ < [ ) ][ 2 + f p)]) [ [ 2 + f pl )]] < l. We derive bounds for sender anonymity in the body of this paper. The bounds for reipient anonymity are obtained analogously and an be found in Appendix C. D. Interpretation and Interesting Cases Our first and third lower bounds, for respetively synhronized and unsynhronized user behaviors against in a nonompromised AC network, suggest an anonymity trilemma. Both lower bounds an be simplified under some natural onstraints to the following simplified lemma: Lemma Informal Trilemma). For seurity parameter η, no protool an ahieve strong anonymity if 2lβ < ɛη), where ɛη) = for any positive onstant d. η d 3 A paths is a possible adversary against all protools within our model. If A paths has an advantage of δ against our ideal protool Π ideal bounded by β and, then A paths will also have an advantage of at least δ against any protool within our model that is also bounded by β and. Thus, our bound for δ desribes a lower bound on the adversarial advantage against any protool within the model, while against partiular protools there an be other adversaries in the same adversary lass) with an even higher advantage. Ideal asymptoti values for lateny overhead is l = O) i.e., a onstant number of hop separation from the reeiver), while ideal asymptoti values for bandwidth overhead is β = ON) = Opolyη)) i.e., a onstant number of message per round from all N = polyη) users ombined). It is easy to see that for this ideal overhead lβ = Opolyη)), the trilemma exludes strong anonymity, while, with lateny overhead l = N = Opolyη)) or with bandwidth overhead β = O), the trilemma does not exlude strong anonymity. We find some interesting possible overhead onstraints for strong anonymity e.g. l = Oη) and β = Oη)) demanding some ompromise in both lateny and bandwidth. These onstraints an help understand and improve existing AC protools as well as inform the design of future AC protools. For partially ompromised senarios the requirements are naturally stronger. All onstraints disussed here are in addition to the requirements from the non-ompromised ase. While bandwidth overhead might be suffiient against nonompromising adversaries, it is not suffiient if parts of the protool are ompromised. With l = η and = onstant strong anonymity may be possible, whereas with l = O), strong anonymity is impossible, even for polyη) and = O). In ase < l, strong anonymity guarantees may be possible if 2l )p < ɛη), where p = p +β ombines the genuine user messages p with their bandwidth overhead β. Our result shows a onnetion between the expeted usage behavior p and the lateny l. If p is not partiularly large, the lateny annot be low; otherwise, the path-length annot be suffiiently high to ensure mixing at an honest node. In other words, unless p is very large as should be the ase for some file sharing appliations), a low lateny renders the AC protool heap to ompromise, i.e., an be low. E. Related Work In ontrast to previous work, our work provides neessary onstraints for strong anonymity w.r.t. to bandwidth and lateny overhead. While there is a suessful line of work on provable anonymity guarantees [2], [32] [36], it is is inomparable sine it provides lower bounds on anonymity for speifi protools, and does not prove any general statements about suffiient onditions for strong anonymity. Previous work on attaks against anonymous ommuniation protools, exept for Oya et al. [37], solely provides upper bounds on anonymity for speifi protools [38] [4]. Oya et al. [37] ast their attak in a general model and provide a sophistiated generi attaker. However, they only ompute bounds w.r.t. a dummy message rate against timed pool mixes, not against other protools and not w.r.t. lateny and ompromisation rate. Even more important, none of these results disuss the relationship of the lower bounds for lateny and bandwidth overheads. III. ANONYMITY DEFINITION AND USER DISTRIBUTIONS Here, we define our indistinguishability-based anonymity notion. 3

4 l Lateny overhead for every message. β Bandwidth overhead for every user per round. p Probability to send a message per user per round. Number of interna protool parties. Number of ompromised protool parties. N Number of online users that may send messages). δ Adversarial advantage in the anonymity game. Π A protool. Π M: Π is within our model. η The seurity parameter. ɛ A very small, but not negligible) funtion. Fig.. Notation A. AnoA-Style Anonymity Definition We define our anonymity notions with a hallenge-response game similar to AnoA [26], where the hallenger simulates the protool and the adversary tries to deanonymize users. The hallenger ChΠ, α, b) allows the adversary to adaptively ontrol user ommuniation in the network, up to an unertainty of one bit for hallenges, and is parametri in the following parts: i) the AC protool Π to be analyzed, ii) the so alled anonymity funtion α, that desribes the speifi variant of anonymity suh as sender anonymity, reipient anonymity and relationship anonymity, iii) and the hallenge bit b whih determines the deision the hallenger takes in hallenge inputs from the adversary. Given a seurity parameter η, we quantify the anonymity provided by the protool Π simulated by ChΠ, α, b) in terms of the advantage the probabilisti polynomial time PPT) adversary A has in orretly guessing Ch s hallenge bit b. We measure this advantage in terms of indistinguishability of random variables additively, where the random variables in question represent the output of the interations A ChΠ, α, 0) and A ChΠ, α, ). Definition α, δ)-ind-ano). A protool Π is α, δ)-ind-ano 4 for the seurity parameter η, an adversary lass C, an anonymity funtion α and a distinguishing fator δ ) 0, if for all ppt mahines A C, Pr [0 = A ChΠ, α, 0) ] Pr [0 = A ChΠ, α, ) ] + δη) For an anonymity funtion α, we say that a protool Π provides strong anonymity [2], [3] if it is α, δ) IND-ANO with δ negη) for any negligible funtion neg. If δ is instead non-negligible in η, then we say that Π provides weak anonymity. Note that η does not measure the size of the anonymity set, but the omputational limitation of the adversary. Sender Anonymity. Sender anonymity haraterizes the anonymity of users against a maliious server through the inability of the server or some intermediary) to deide whih of two self-hosen users have been ommuniating with the server. We borrow the sender anonymity α SA definition from the AnoA framework [26], where α SA selets one of two possible 4 AnoA also allows a multipliative fator ε; we use the simplified version with ε = 0, suh that δ diretly orresponds to the adversarial advantage. Adaptive AnoA Challenger ChΠ, α, b) Upon message Input, u, R, m): RunProtoolu, R, m) Upon message Challenge, u 0, u, R 0, R, m): if this is the first time, suh a message is reeived then Compute u, R ) αu 0, u, R 0, R, b) RunProtoolu, R, m)) end if RunProtoolu, R, m): Run Π on r = u, R, m) and forward all messages that are sent by Π to the adversary A and send all messages by the adversary to Π. α RA u 0, u, R 0, R, b) = u b, R 0 ) α SA u 0, u, R 0, R, b) = u 0, R b ) Fig. 2. Adaptive AnoA Challenger [26] for sender anonymity hallenge users and makes sure that the users annot be distinguished based on the hosen reipients) or messages). Definition 2 Sender anonymity). A protool Π provides δ- sender anonymity if it is α SA, δ)-ind-ano for α SA as defined in Figure 2. Reipient Anonymity. Reipient anonymity haraterizes that the reipient of a ommuniation remains anonymous, even to observers that have knowledge about the sender in question. Similar to sender anonymity, we borrow the reipient anonymity α RA definition from the AnoA framework, where α RA selets one of two possible reipients for a message and makes sure that the reipients annot be distinguished based on the hosen senders) or messages). Definition 3 Reipient anonymity). A protool Π provides δ-reipient anonymity if it is α RA, δ)-ind-ano for α RA as defined in Figure 2. We omit the detailed tehnial notation of the anonymity funtions in the following setions, and write Pr [0 = A b = i] instead of Pr [0 = A ChΠ, α SA, i) ]. B. Game Setup Let S be the set of all senders, R be the set of all reipients, and P be the set of protool parties that partiipate in the exeution of the protool like relaysmix-nodes in Tormixnets, for DC-net or P2P mixing users and protool parties are the same). We onsider a system of total S = N senders. Given our fous on sender anonymity, we need only a single element in R. We allow the adversary to set the same entity say R) as the reipient of all messages, and expet R to be ompromised by the adversary. The adversary uses a hallenge as defined in Figure 2) of the form u 0, u, R,, m 0 ), where u 0, u S, for our sender anonymity game. We onsider a ompletely onneted topology, whih means any party an send a message diretly to any other party. We assume the standard bounded) synhronous ommuniation model as in [6], [7], [29], [30], where a protool operates 4

5 in a sequene of ommuniation rounds. In eah round, a party performs some loal omputation, sends messages if any) to other party through an authentiated link. By the end of the round, every party reeives all messages sent by the other parties to her the same round. With our fous on omputing lower bounds, our model abstrats from the time the omputations at the node take and also the length of the messages. Nevertheless, as we are interested in quantifying the ommuniationbandwidth overhead, unlike [6], [7], [30], we do not assume that the parties have aess to ready-made broadast ommuniation hannels; Parties are expeted to ommuniate with eah other to implement broadast features [29], [42]. Lastly, the use of the asynhronous ommuniation model offers more apabilities to the attaker, and thus, our impossibility results for the synhronous model naturally apply to the asynhronous model as well. We define the lateny overhead l as the number of rounds a message an be delayed by the protool before being delivered. We define the bandwidth overhead β as the number of noise messages per user that the protool an reate in every round and we do not restrit the time these noise messages reside within the protool i.e., the dummy message rate). We onsider two types of global passive adversaries: Our non-ompromising adversaries whih model networklevel eavesdroppers) an observe all ommuniation between all protool parties, but do not ompromise any party of the AC protool exept the reipient R. We say that the AC protool is non-ompromised. Our stritly stronger partially ompromising adversaries whih model haking and infiltration apabilities) an additionally ompromise some of the AC parties in the setup phase of the game to obtain these parties mapping between the input messages and output messages during the protool s runtime. We say the AC protool is partially ompromised. C. User Distributions We onsider two kinds of user distributions in our anonymity games and both of them assume an N sized set S of users that want to send messages. In both ases, the adversary an hoose any two senders u 0, u S. However, the time and method by whih they atually send messages differs: In the synhronized user distribution the users globally synhronize who should send a message at whih point in time. We assume that eah user wants to send exatly one message. Consequently, we hoose a random permutation of the set of users S and the users send messages in their respetive round. In every single round out of a total of N rounds exatly one user sends a message. Sine the users globally synhronize their sending of messages, we allow the protool to also globally deide on the bandwidth overhead it introdues. Note that, here, the requirements are idential to those of the Bulk protool in [7]. In the unsynhronized user distribution eah of the N users wants to send messages eventually and we assume that eah user loally flips a biased) oin every round to deide whether or not to send a message. In this ase we define the bandwidth $ S Protool T S P P 2 P 3 T P T P2 T P3 Fig. 3. Petri net of an AC protool with = 3 parties. overhead as an inreased hane of users sending messages. Sine the protool does not globally synhronize the input messages, for noise messages also we allow the users to deide it loally and send noise messages with a ertain probability. IV. A PROTOCOL MODEL FOR AC PROTOCOLS An AC protool allows any user in the set of users S to send messages to any user in R, via a set of anonymizing parties P. We define protools that are under observation of an eavesdropping adversary A that may have ompromised a set of parties P P and that furthermore observes the ommuniation links between any two parties, inluding users. Tehnially, whenever a party P P S sends a message to another party P 2 P R, the adversary is able to observe this fat together with the urrent round number. However, we assume the protool applies suffiient ryptography, s.t., the adversary an not read the ontent of any message exept the messages sent to the maliious reipient, whih tehnially results in simply being able to additionally reognize when the hallenge reahes the reipient. For an atual protool, the sets S, R, and P may not be mutually exlusive [5], [6], [8]. Sine we have only one maliious party in R, and the ontent of a message an only be read when it reahes its final reipient, we onsider R to be mutually exlusive from S P for the purpose of simpliity. With the above preliminaries in mind, we shall now formally define our generi AC protool using a petri net model. A. Protool Model We model any AC protool with parties by a timed olored petri net [27], [28] M, onsisting of plaes S for the users, P,..., P symbolizing the protool parties, $ for randomness and R for reipients of messages, and olored tokens m symbolizing the messages real or noise) sent by lients or protool parties, and transitions T S for inserting messages into the network and T P,..., T P as funtions for sending the messages from one party to another. The struture of the petri net with its plaes, tokens and transitions remains the same for every AC protool. However, the implementation of the guards within the transitions is different for different protools: protools an hoose to whih party messages are R 5

6 to be sent next and whether they should be delayed. We refer to Figure 3 for a graphial depition of petri net model M. Definition 4 Colored token). A olored token is represented by the tuple m = msg, meta, t r, ID t, prev, next, ts, where, msg is the ontent of the message, meta is the internal protool meta-data for this message, t r is the time the message an remain in the network, ID t is a new unique ID generated by eah transition for eah token by honest parties; dishonest parties instead keep the ID untouhed to allow the adversary to link inoming and outgoing messages, prev is partyuser that sent the token and next is the userparty that reeives the token. Finally, ts is the the time remaining for the token to be eligible for a firing event a feature of timed petri-net). Here, ts either desribes when new messages are introdued into the petri net or is set to the next round, suh that messages an be proessed in every round as soon as they enter the network. The four fields ID t, prev, next, ts are publi, and are visible to the adversary. The remaining three fields msg, meta and t r in a token are private and an not be observed by the adversary, with the exeption that msg an be observed when a message reahes its destination, i.e, is reeived by a reipient. Formally, we introdue a set Tokens, that is initially empty and in whih we ollet the pair t, r), where t is a token and r the round number in whih the token was observed. Plaes. Any AC protool with parties P = {P,..., P } onsists of the following plaes: S: A token in S denotes a user message real or noise) whih is sheduled to enter to network after ts rounds. $: This plae is responsible for providing randomness. Whenever a transition piks a token from this plae, the transition basially piks a random value. P i with P i P: A token in P i denotes a message whih is urrently held by the party P i P. R: A token in R denotes a message whih has already been delivered to a reipient. Transitions. As part of the initial onfiguration, the hallenger populates S on behalf of the protool. All other plaes are initially empty. The transitions then onsumes tokens from one plae and generate tokens to other plaes, to modify the onfiguration of the petri-net. The event of onsumption of a token from one plae by a transition and generation of a new token represents the movement of a message from one party to another. We define the following transitions: T S : takes a token msg,,,, u,, ts from S and a token from $ to write t = msg, meta, l, ID t, u, P i, ts = to P i ; the values of i and meta are deided by the AC protool. T Pi : takes a token msg, meta, t r, ID t,, P i, ts from P i and a token from $ to write t = msg, meta, t r, ID t, P i, P, to P. If P i is an honest party ID t is freshly generated, but if P i is a ompromised party ID t = ID t. The plae P {P,..., P } {R} and meta are deided by the AC protool, with the exeption that if t r = 0, P always is R. In either ase, the transition also adds an element t, r) to the set Tokens, where r is the urrent round number and t Transitions in petri net model M T S on tokens q = msg,,,, u,, ts from S and $ from $: P i, meta) = f Π q, $); ID t = a fresh randomly generated ID r = urrent round; t = msg, meta, l, ID t, u, P i, if P i = R then Tokens = Tokens msg,,, ID t, u, P i,, r) else Tokens = Tokens,,, ID t, u, P i,, r) Output: token t at P i T Pi on tokens q = msg,, t r, ID t,, P i, ts from P i, $ from $: P, meta ) = f Π q, $) ; r = urrent round if t r = 0 then P = R if P i is honest then ID t = a fresh randomly generated ID else if P i is ompromised then ID t = ID t t = msg, meta, t r, ID t, P i, P, if P i = R then Tokens = Tokens msg,,, ID t, P i, P,, r) else Tokens = Tokens,,, ID t, P i, P,, r) Output: token t at P f Π : The ode for this funtion is provided by protool Π. It deides the next party where the message should go, as well as the ontent of the meta field in the token. Fig. 4. Transitions in petri net model M is the respetive new) token, where the fields meta and t r are removed. If the plae t was written to is not R, then additionally the field msg is removed. B. Game Setting We onsider the following game between a PPT adversary A and an honest hallenger Ch: A ompromises up to parties from P. A hooses two distint users u 0 and u. A sends the hallenge for those hosen users. Ch then sets the initial onfiguration omplying with the hallenge sent by the A. But Ch an not use the knowledge of ompromised parties to deide the initial onfiguration. Then Ch runs the petri-net in a non-deterministi way. Ch does not use the knowledge of hallenge users or hallenge message to make her deisions. Ch piks the best sequene of onfigurations, and outputs the tokens of all the onfigurations of that sequene in order. A an see the publi parts of all tokens ID t, prev, next, ts), but not the private parts msg, meta, t r ). The goal of the adversary is to deanonymize the sender of the hallenge message, i.e., to learn whether the hallenge message was sent by u 0 or by u. The interation between Ch and A ends as soon as A makes his guess. Validity of the Protool Model. The above protool model M behaves as expeted more details in Lemma 2 in Appendix A). The protools indeed have a bandwidth overhead of β and a lateny overhead of l. For every message that is sent from one party in S P to another party in P R, the adversary learns the time, the sender, and the reeiver. When a message leaves the network, the attaker learns whether it was the target i.e., the hallenge) message. The attaker also learns the mapping between the input and output messages of ompromised parties. 6

7 C. Expressing Protools Our protool model M allows the expression of any AC protool with very few, esoteri exeptions. Mix networks an be naturally embedded into our model, in partiular any stopand-go mix [43] that uses disrete distribution and even AC protools with speialized path seletion algorithms [44], [45]. This setion illustrates embedding tehniques into our model for some other kinds of protools, but a muh larger variety of protools an be expressed in our model. Users as protool parties. In peer-to-peer protools like dining ryptographers networks DC net) [6], [46], there are no separate protool parties, users at as a type of relays. Also, any noise sent by users ounts into the bandwidth overhead of the protool we will see in Claim 2 that noise sent by nodes that are not users an be treated differently). Whenever a user wants to send a message it should use the transition T S, but when it ats as a relay it should use the transition T Pi. For interested readers, we show in Setion A-B how to model a speifi DC net type protool using our petri net model. Splitting and Reombining Messages. We model protools that split and later re-ombine messages by delaring one of the parts as the main message and the other parts as noise, whih may ount into the bandwidth overhead. This delaration is mainly required for the analysis, i.e., for evaluating the suess of the adversary and for quantifying the amount of noise messages introdued by the protool. We don t restrit the strategy by whih the protool deides whih message is the main share i.e., the message that is sent on) and whih is an additional share i.e., a fresh noise message). A more omplex senario involves threshold shemes in whih a smaller number of shares suffies for reonstruting the message and in whih some shares are dropped randomly. In suh ases we onsider the protool to deide beforehand whih of the onstruted shares will be dropped later and to delare one of the remaining shares the main share. Broadasting Messages. If the protool hooses to opy or broadast messages to several reeivers, we onsider the opy sent to the hallenge reeiver to be the main message and opies sent to other reeivers to be noise whih, if the opies are reated by nodes that are not users, will not ount into the bandwidth overhead). 5 Private Information Retrieval. In shemes based on private information retrieval we require that the reeiver retrieves the information suffiiently fast within the lateny limit). Otherwise, our method is similar to the broadasting of messages: the reeiver of interest will retrieve the main message, whereas other reeivers will retrieve opies that are modeled as noise. Exluded Protools. For this work we exlude protools that annot guarantee the delivery of a message within the given 5 We note that in some ases, where users at as nodes and broadast messages to other users, our quantifiation of the bandwidth overhead might be a bit harsh. If the group of users to whih the broadast will be sent is known in advane i.e., if messages are broadast to all users or to pre-existing groups of users), we an allow the protool to use a single reeiver for these messages instead. lateny bound exept if this ours with a negligible probability). Moreover, we annot easily express the exploitation of side hannels to transfer information, e.g., sending information about one message in the meta-data of another message, or sending bits of information by not sending a message. D. Constrution of a Conrete Adversary Given two hallenge users u 0 and u and the set of observed tokens t, r) Tokens, where t is the token and r the round in whih the token was observed, an adversary an onstrut the sets S 0 and S as follows for j {0, }): S j = {p = t.prev,..., t k.prev, t k.next) : t, r ),..., t k, r k )) Tokens s.t. i {,...,k } t i.next = t i+.prev i {,...,k } r i+ = r i + t.prev = u j t k.next = R t k.msg = Challenge k l i {,...,k } t i+, r i+ ) Tokens : t i+.prev = t i.next t i+.id t = t i.id t) t i+ = t i+ } Eah element p S j represents a possible path of the hallenge message starting from u j j {0, }). With hallenge bit b, S b annot be empty, as the atual path taken by the hallenge message to reah R has to be one element in S b. Definition 5 Adversary A paths ). Given a set of users S, a set of protool parties P, and a number of possibly ompromised nodes, the adversary A paths proeeds as follows: ) A paths selets and ompromises different parties from P parties uniformly at random. 2) A paths hooses two hallenge users u 0, u S uniformly at random. 3) A paths makes observations and, based upon those, onstruts the sets S 0 and S. For any i {0, }, if S i =, then A paths returns i. Otherwise, it returns 0 or uniformly at random. A paths thus heks whether both hallenge users ould have sent the hallenge message. We expliitly ignore differenes in probabilities of the hallenge users having sent the hallenge message, as those probabilities an be protool speifi. Naturally, when = 0, A paths represents a non-ompromising adversary; but when 0, A paths is partially ompromising. E. Protool Invariants We now investigate the robustness of protools against our adversary. We define an invariant that, if not satisfied, allows A paths to win against any protool. Moreover, we present a protool that maximizes the probability of fulfilling the invariant. Moreover, we show that whenever the invariant is fulfilled by our protool, the advantage of A paths redues to zero as it is fored to randomly guess b). Neessary invariant for protool anonymity. It s neessary that at least both hallenge users send messages in the l rounds before the hallenge message reahes the reipient, 7

8 as otherwise there is no way both of them ould have sent the hallenge message. Moreover, on the path of the atual hallenge message, there needs to be at least one honest unompromised) party, as otherwise the adversary an trak the hallenge message from the sender to the reipient S b will have exatly one element and S b will be empty). Those two onditions together form our neessary protool invariant. Invariant. Let u 0 and u be the hallenge users; let b be the hallenge bit; and let t 0 be the time when u b sends the hallenge message. Assume that the hallenge message reahes the reipient at r. Assume furthermore that u b sends her messages inluding noise messages) at V = {t, t 2, t 3,..., t k }. Now, let T = {t : t V r t < r}. Then, i) the set T is not empty, and ii) the hallenge message passes through at least one honest node at some time t suh that, t {mint ),..., r }. Claim Invariant is neessary for anonymity). Let Π be any protool M with lateny overhead l and bandwidth overhead β. Let u 0, u, b and T be defined as in Invariant. If Invariant is not satisfied by Π, then our adversary A paths as in Definition 5 wins. We refer to Appendix B for the proof. We next show that it suffies to onsider noise messages sent by users that also remain within the system for at most l rounds, i.e., noise messages that follow the same rules as real messages. Note that we onsider every new message originating from any user s lient as a fresh noise message. Claim 2 Internal noise does not influene Invariant ). Any message not originating from an end user u S does not influene the probability for Invariant being true. Moreover, noise messages do not ontribute to the probability for Invariant being true after they stayed in the network for l rounds. Proof. Let u 0, u be the hallenge users and let b be the hallenge bit and let r be the round in whih the hallenge message is delivered to the reipient. We disuss both parts of the invariant separately: i) The set T is not empty. Sine by definition, T is the set of messages sent by u b, messages originating in any party not in S do not influene T. Moreover, any message sent by u b in a round previous to r l does not influene T either. Thus, noise messages staying in the protool for more than l rounds, does not improve the probability of T being not empty. ii) The hallenge message passes through at least one honest node at some time t suh that, t {mint ),..., r }. Obviously this seond part of the invariant does not depend on any noise message. Consequently, noise introdued by u in P but not in S do not modify the probability to fulfill Invariant. We heneforth onsider noise messages as a protool input. F. Ideal Protool We now provide a protool Π ideal that maximizes the probability of fulfilling Invariant. Moreover, we show that the invariant is also suffiient for Π ideal to win against A paths, i.e., to redue its advantage to zero. Thus, quantifying the probability that Π ideal satisfies Invariant yields an impossibility result for all protools within our model. Given the set of all protool parties P = {P 0,..., P } of size, the strategy of Π ideal is as follows: in round r, Π ideal delivers all messages sheduled for delivery to a reipient. All other messages are sent to the protool party P i with i = r mod. For every message that enters the protool, Π ideal queries an orale O for the number of rounds the message should remain in the protool. Before explaining how orale O works, let us define the following events: u.sentx, y) : user u has sent at least one message within rounds from x to y. For a single round we use u.sentx). Cmprx) : A paths has ompromised the next x onseutive parties on the path. H : NOT of event H. Given a message sent at t 0 by sender x, and delivered to the reipient at t 0 + t), we define P t for sender v S \ {x}: P t = t 0 j=r l + r j=t 0 + Pr [v.sentj) v.sentj +, t0)] Pr [ Cmprt)] Pr [v.sentj) v.sentr l, j )] Pr [ Cmprr j + )] When v = u b, and the message is the hallenge message, P t is the probability of fulfilling Invariant, for the above mentioned strategy. But sine our protool, and onsequently the orale, is oblivious to the hallenge users or the hallenge message, orale O hooses an optimal t that maximizes the expetation of P t over all users. And that maximizes the probability of Invariant being true, sine u b an be any random user from S. Due to the over-approximation with this most likely not realizable) orale, the resulting protool is optimal w.r.t. Invariant proof in the appendix). Claim 3 Ideal protool is ideal for the invariant). Π ideal satisfies Invariant with a probability at least as high as any other protool in M, against the given adversary A paths. Proof. We want to prove our laim by ontradition. Suppose, Π ideal is not the best protool. Then, there exists a protool Π new, whih satisfies Invariant with a probability higher than that of Π ideal, against the given adversary A paths. Now we onstrut a new protool Π hybrid, whih exatly follows the strategy of Π ideal with one exeption: for a given message Π hybrid selets the time delay t same as Π new, instead of querying it from orale O. Suppose, the hallenge message is delivered to the reipient at round r. Given the set {mint ),..., r }, the ideal strategy for ensuring that at least one honest party is on the path of the hallenge message is to ensure that as many distint parties as possible are on this path. Also, given the time delay t, the value of mint ) is independent of the protool, sine protools in M 8

9 are oblivious to the hallenge users and the hallenge message. Hene, Π hybrid has a probability of satisfying Invariant at least as high as Π new. Now, if we ompare Π hybrid and Π ideal : they follow the same strategy. But Π ideal piks the time delay t for any message from orale O suh that t is optimal. The time delay t an be piked for eah message independent of other messages. Hene, the value of t reeived from orale O for the hallenge message is also optimal. Hene, Π ideal satisfies Invariant with a probability at least as high as Π hybrid. Thus, Π new does not have a higher probability of satisfying Invariant than Π ideal. Claim 4 Ideal protool wins). If Π ideal satisfies Invariant, A paths has an advantage of zero: Pr[b = A paths Invariant holds] = 2 Proof. If the Invariant is true, the hallenge message passes through an honest party at t, suh that t > mint ). Hene, there is at least one message noise or original message) from u i whih visits the same honest party together with the hallenge message Π ideal ensures that all messages are always kept together until they are delivered). That ensures that in addition to S b, we also have S b and thus A paths outputs a random bit and has an advantage of zero). V. SYNCHRONIZED USERS WITH NON-COMPROMISING ADVERSARIES Our first senario is a protool-friendly user distribution U B, where inputs from all users are globally synhronized: over the ourse of N rounds, exatly one user per round sends a message, following a random permutation that assigns one round to eah user. Analogously, the protool globally instruts the users to send up to B = βn noise messages per round in total, or β noise messages per user per round, where 0 β. We onsider non-ompromising passive adversaries that an observe all network traffi. A. Lower Bound on Adversarial Advantage Theorem. No protool Π M an provide δ-sender anonymity for the user distribution U B, for a δ < f β, where f β d) = min, d + βnd)n ))). Proof. By Claim 3, we know that Π ideal is an optimal protool against A paths ; and with = 0, A paths is our representative non-ompromising adversary. Thus, it suffies to alulate the advantage of A paths against Π ideal as a lower bound of the adversary s advantage against any protool. Let, u 0 and u be the users hosen by the adversary and let b be the hallenge bit. Let t 0 be the round in whih u b sends the hallenge message and let r be the round in whih the hallenge message reahes the reipient. Reall that Invariant is neessary for the protool to provide anonymity; u b sends her messages an be a noise message) at V = {t, t 2, t 3,..., t k }, then T = {t : t V r t < r}. Sine we are onsidering a non-ompromising adversary, Pr [ Invariant is true] = Pr [T is not empty]. With the above in mind, let us define the following events: H : In l rounds u b sends at least one noise message. H 2 : u b sends his own message within the hosen l rounds. H 3 : there is at least one message from u b within the hosen l rounds T is not empty Invariant is true. Consider any slie of l rounds around the hallenge message, there are exatly l ) user messages other than the hallenge message. Hene, any slie of l rounds yields the same probability of ontaining a user message from u b, exept when r < l OR r > N where the probability is smaller. Thus, no matter what value of t is returned by O, Pr [H 2 ] l N. Given any values l, β 0, A paths has the least hane of winning, if for a given interval of l rounds, βnl unique users are piked to send the noise messages in suh a way that they are not sheduled to send their own messages in that interval. Pr [ H 3] = Pr [ H, H 2] max0, N l βnn )). Pr [H 3] = Pr [ H 3] min, l + βnn ))). Thus, we an bound the probability for the adversary as P r[0 = A paths b = ] = P r[ = A paths b = 0] = 2 Pr [H 3]; and P r[0 = A paths b = 0] = 2 Pr [H 3]. And therefore, sine δ P r[0 = A paths b = 0] P r[0 = A paths b = ], δ Pr [H 3 ] f β. B. Impossibility for Strong Anonymity We now investigate under whih onstraints for l and β Theorem rules out strong anonymity. Theorem 2. For user distribution U B with l < N and βn, no protool in M an ahieve strong anonymity if 2lβ < ɛη), where ɛη) = η d for a positive onstant d. We refer to Appendix B for the proof. Case Study. For illustration, we now disuss a few examples for different values of l, β, and N. ) If l = N, we an have δ = 0 even for β = 0. Anonymity an be ahieved trivially by aumulating all messages from all N users and delivering them together at round N + ). In this ase 2lβ = 0 < ɛη), but also βn = 0. 2) β = N η N η, l = η: We have δ N η N. In l rounds the protool an send lβn = N noise messages and ahieve strong anonymity all N users send a noise message eah). 3) β = 2η, l = η: Here we have, δ N η N 2 N = 2 η N. In this ase, strong anonymity is possible if η N 2 negη). Even though 2lβ = > negη), anonymity depends on the relation between η and N. 4) β = 2, l = : We have δ N N 2 N 2. For Π ideal, only half of the users send messages in l rounds. Π ideal annot ahieve strong anonymity here even though 2lβ > negη). 5) β = 9, l = 3: For η > 3 and N > 3, whih is a very natural assumption, we have 2lβ = 2 3 < negη). Then, δ N 3 N 3 N = 3 N 3. Here, δ an not be negη). If we onsider our Π ideal, in l rounds it reeives only N 3 +3) messages noise + user messages). So a maximum of N 3 + 2) users an send messages other than the hallenge user, and there is a high probability that u b has not sent a message. Hene Π ideal 9

10 annot ahieve strong anonymity, and onsequently no other protool an ahieve that. VI. SYNCHRONIZED USERS WITH PARTIALLY COMPROMISING ADVERSARIES We now extend our analysis of the previous setion by having ompromised protool parties. Given the set of protool parties P, now our adversary A paths an ompromise a set of parties P P. If A paths an ompromise all the parties in P, anonymity is broken trivially - that s why we do not analyze that ase separately. Reall from Setion IV-D that A paths piks the parties from P uniformly at random. We onsider the same user distribution U B as in Setion V. A. Lower Bound on Adversarial Advantage In our protool Π ideal the orale O deides on the time t to deliver eah message, whih is within [, l], s.t. t maximizes the probability that Invariant is true. Similar to Setion V, we now alulate the advantage of A paths against Π ideal. Theorem 3. No protool Π M an provide δ-sender anonymity { for the user distribution U B, where [ ) l ) l ]fβ l δ < [ ) ]fβ ) f β l ) < l where f β d) = min, d+βnd N )). Proof. Let u 0, u be the hallenge users and let b be the hallenge bit. Moreover, let t 0 be the time the hallenge message is sent by u b and let r = t 0 + t be the time it is reeived by the reipient, where t is the delivery time deided by the orale O. We distinguish two ases, depending on l and : ) First, where the number of ompromised parties is at least as large as the maximal lateny l. In this ase, all parties on the path of the hallenge message ould be ompromised. 2) Seond, where all parties on the path of the hallenge message an not be ompromised. And hene, the analysis fouses on the arrival times of messages from u b. For a graphial depition of the relationship between the rounds a message from u b arrives and it satisfying Invariant we refer to Figure 5. ) Case l. We know, l t holds by definition. The invariant is true if and only if u b sends at least one message in one of the rounds between r and r ) and for the first of those messages, arriving at time t, there is at least one non-ompromised party on the path between t and r. Note that, l.also remember from Setion IV that A paths piks the parties uniformly at random from parties. Hene, Pr [Invariant is true] t 0 + r j=r l Pr [u b.sentj) u b.sentj +, t 0 )] Pr [ Cmprt)] j=t 0+ Pr [u b.sentj) u b.sentr l, j )] Pr [ Cmprr j + )] Pr [ Cmpr] Pr [u b.sentr l, r )] [ ) ) ] min, l + βnn ))). l l Case l: r r l t 0 t r Case < t < l: l r l t 0 r r t Case t < < l: l r l r t 0 r t Arriving messages satisfy Invariant. Arriving messages satisfy Invariant depending on P. Arriving messages don t satisfy Invariant. Fig. 5. Satisfying Invariant depending on the arrival time of messages from u b in the ases of the proof for Theorem 3. Sine by Claim the adversary wins whenever Invariant is not true, we know that the probability that the adversary guesses inorretly is bounded by: Pr [0 = A paths b = ] = Pr [ = A paths b = 0] 2 Pr [Invariant is true] 2 [ ) t ] min, l+βnl N )). Thus, δ [ ) l ] min, l+β Nl N )). 2) Case l: The probability that all parties on the mutual path of the hallenge message and a message from the alternative sender u b are ompromised now mainly depends on the arrival time of the messages from u b. We distinguish two sub-ases depending on the orale s hoie for t: 2a) Case t: Pr [Invariant is true] Pr [u b.sentr l, r )] + Pr [ u b.sentr l, r )] Pr [u b.sentr, r)] Pr [ Cmpr)] min, l )+βnl ) N )) + min, N l ) βnl ) +βn N ) N l ) βnl ) ))[ ) ] f β l ) + f β )[ ) ]. Note that the probability that there are no messages from u b in [r, r )] and that there is at least one message from u b in [r ), r] are not independent from eah other. The best thing a protool an do with the noise messages is to have Nβl unique users, different from the l users who send their atual message, send the noise messages. Thus, if a user sends a message in [r, r )], he an not send a message in [r ), r]. The above alulations are done onsidering that best senario. Also note that the value of may be larger or l 0

11 smaller than l and t, but as long as, the bound given above holds. Hene, δ f β l ) [ ) ] fβ ). 2b) Case t < : Pr [Invariant is true] Pr [u b.sentr l, r )] Pr [ Cmprt)] + Pr [ u b.sentr l, r )] Pr [u b.sentr ), r)] Pr [ Cmprt)] Pr [u b.sentr l, r )] + Pr [ u b.sentr l, r )] Pr [u b.sentr, r)] Pr [ Cmprt)] The event expression above is the same as in the previous ase t > ). The bound on δ thus follows analogously. B. Impossibility for Strong Anonymity Theorem 4. For user distribution U B with polyη), > l, l < N AND βn, no protool M an ahieve strong anonymity if 2lβ < ɛη) OR l O), where ɛη) = η d for a positive onstant d. We refer to Appendix B for the proof. To ahieve strong anonymity against A paths, we need l ω), additional to the onstraint of 2lβ > negη). We now fous on the onstraint l ω) and refer to Setion V-B for a omprehensive ase study on the other onstraint. Case Study. Now we are going to disuss a few interesting ases for different values of l,, and. ) l = η and = onstant: In this ase we have, ) l = )... l+) < )... l+) )l = ) η. Hene, ) l beomes negligible and strong anonymity is possible. Even though has a high value, beause of the high value of l it is highly likely that the hallenge message will meet a message from u b at some honest node, given a high value of β suh that 2lβ > negη). 2) l = O), = O): Now we have, ) l ) l = )... l+) > )... l+) )l. But polyη), and and l an only have integer values. Hene ) l is non-negligible, and hene is also non-negligible. Even though has a small value, l is also small. Hene, it is unlikely that the hallenge message will mix with a message from u b at some honest node. Thus, strong anonymity annot be ahieved. Theorem 5. For user distribution U B with polyη), onstant, > l >, l < N AND βn, no protool an ahieve strong anonymity if 2l )β < ɛη), where ɛη) = for a positive onstant d. η d We refer to Appendix B for the proof. The onstraint 2l )β < ɛη) is neessary for anonymity, but it is not a suffiient ondition. The analysis in this ase is exatly same as Setion V-B, exept that here we need to onsider the slie of l ) rounds instead of l rounds. VII. UNSYNCHRONIZED USERS WITH NON-COMPROMISING ADVERSARIES In this and the subsequent setion we use an unsynhronised user distribution U P : In eah round, independent of other users and other rounds, eah lient tosses a biased oin with suess probability p. On a suess the lient sends a message in that round, otherwise it does not send a message. Consequently, the number of messages per round follows Binomial distribution BinomN, p) if the number of users N is large and p suffiiently small, the resulting binomial distribution redues to a Poisson distribution, whih is a lose approximation of real-life traffi patterns. For a protool with bandwidth overhead β, we distinguish between the atual probability that users want to send messages p and the value for p that we use in our analysis, i.e., we set p = p + β. In this unsynhronised senario the bandwidth of genuine messages ontributes to the anonymity bound. As in Setion V we onsider a non-ompromising adversary. A. Lower Bound on Adversarial Advantage Theorem 6. No protool Π M an provide δ-sender anonymity for the user distribution U P, for any δ < 2 + f p ), where f pd) = min 2, p) d ) for a positive integer d. Proof. Similar to Setion V, we alulate the advantage of A paths against Π ideal, and that bound is valid against any other protool in our model. Sine we onsider a non-ompromising adversary, Pr [Invariant is True] = Pr [T is not empty], where T is defined as in Invariant. Let us onsider the random variables X ), X 2),..., X N), where X i) denotes the event of the i th user sending her own message within a given interval of l rounds [a, b], with b a) = l. All { X i) s are mutually independent and we have, X i) 0 with probability p) l = with probability p) l ). Next, let X = N i= Xi) be a random variable representing the number of users that send messages in an interval of l rounds. We alulate for the expeted value E[X] of X, E[X] = E[ N i= Xi) ] = N i= E[Xi) ] = N p) l ) = µ. Using the Chernoff Bound on the random variable X we derive Pr [X µ Na] exp 2a 2 N), whih for a = µ N lets us estimate, Pr [X 2µ] exp 2µ 2 N 2 N). For brevity in the following alulation we denote, P r [X 2µ] by E and the event that T is non-empty by Y and sine all users are ating independently from eah other we get for d {0,..., N}, Pr [Y X = d] = Pr [ Y X = d] = d. N For 2µ N, we have, Pr [Y ] =Pr [X 2µ] Pr [Y X 2µ] + Pr [X < 2µ] Pr [Y X < 2µ] Pr [X 2µ] Pr [Y X = N] + Pr [X < 2µ] Pr [Y X = 2µ] =E Pr [Y X = N] + E) Pr [Y X = 2µ] =E N N + E) 2µ = E) 2fp). N If 2µ > N, we get with f = min 2, p), Pr [Y ] E + E) E) 2f p ). Thus, δ Pr [Y ] E) 2f p ). We now use Markov s Inequality on X and derive E = Pr [X 2µ] 2, whih means, δ 2 2f p) 2 f p.

12 Note that in proof of Theorem 6, in ase p is a onstant and N is a very high value, then E goes towards zero and instead of using Markov s inequality, we an derive δ 2f p. Also note that, the random variable X an be defined over any interval d, not neessarily l; and we an alulate f p d). B. Impossibility for Strong Anonymity Theorem 7. For user distribution U P and p > 0, no protool an ahieve strong anonymity if 2lp < ɛη), where ɛη) = η d for a positive onstant d. We refer to Appendix B for the proof. For strong anonymity, we need 2lp > negη). Note that, this is a neessary onstraint for anonymity, not a suffiient ondition. There an exist l and p suh that 2lp > negη), but still no protool an ahieve strong anonymity. Case Study. Now we are going to disuss a few interesting ases for different values of l, p, and N. ) p = η, l = η : Here, f p = p) l > e > 2. Hene, δ 2 f p = 0. Sine pl =, in l rounds the protool has message per user on an average. So, the protool has a high hane of winning. Whereas in Setion V-B, we saw that Π ideal an win with absolute ertainty in this ase. 2) p = 2η, l = η: even for η > 2, fp = p)l < Hene, δ 2 f p > Even though 2lp =, strong anonymity an not be ahieved in this ase. In an expeted senario, in a slie of l rounds only pl = 2 portion of the total users send messages, and hene there is a signifiant hane that u b is in the other half. Note that this is different from the senario with synhronised users where Π ideal ould ahieve strong anonymity in this ase.f. Setion V-B). 3) p = 2, l = : We have, f p = p) l = 2. Hene, δ 0. Although we have 2lp =, beause of low l= ), u b does not send a message with high probability= 2 ). This ase again highlights that the requirement 2lp ɛη) is not neessarily suffiient: As in Setion V-B, Π ideal an not ahieve strong anonymity in suh a situation. 4) p = 9, l = 3: Here, fp = p)l = ) < 0.29, and δ 2 f p > 0.2; beause of low values of both p and l only a few users send messages within the interval of l rounds, and hene the protool has a really less hane to win. As in Setion V-B, Π ideal an not ahieve strong anonymity in this ase, sine the neessary onstraints are not satisfied. VIII. UNSYNCHRONIZED USERS WITH PARTIALLY COMPROMISING ADVERSARIES Finally, we onsider partially ompromising adversaries that an ompromise a set of parties P P for the user distribution U P defined in Setion VII. A. Lower Bound on Adversarial Advantage Theorem 8. Any protool Π M annot provide δ-sender anonymity for the user distribution U P, for any [ ) l ][ 2 + f p] l δ < [ ) ][ 2 + f p)]) [ 2 + f p l )]) < l where f pd) = min 2, p) d ) for a positive integer d. We derive the bound in Theorem 8 by ombining the tehniques presented in Setion VI and Setion VII. Sine the proof does not introdue novel tehniques, we omit it and instead refer the interested reader to Appendix B for the proof. B. Impossibility for Strong Anonymity To analyze the negligibility ondition of δ in this senario, we heavily borrow the analyses that we already have in Setion VII-B and Setion VI-B. We are going to analyze this senario in two parts: Case l: We have, δ [ [ ] + fp]. 2 To make δ negligible, both the fators [ ] and [ 2 + f p] have to beome overwhelming. From Theorem 4, we know that we need l ω) to make [ ] overwhelming. This is a neessary ondition, but not suffiient. For a detailed ase study refer to Setion VI-B. From Setion VII-B we know that the neessary ondition for [ 2+f p] to be overwhelming is 2lp > negη). Hene, both onditions are neessary to ahieve strong anonymity. Case < l: We have, δ [ 2 + f pl )]) [ ) ][ 2 + f p)]). In the above expression, we an see two fators: i) F = [ +fpl )]), ii) 2 F2 = [ ) ][ +fp)]). 2 To make δ negligible, it suffies that F or F 2 beome negligible. Unlike Setion VI, here f p l ) and f p ) are independent, whih allows us to analyze F and F 2 independently. First, F is similar to the δ-bound in Setion VII, exept that we onsider f p l ) instead of f p. Hene, the analysis of F is analogous to Setion VII-B. Seond, F 2 is negligible if both [ ) ] and [ 2 + f p)] are overwhelming. From Setion VI-B we know that [ ) ] an not be overwhelming for a onstant. Moreover, f p ) an be analyzed exatly as f p in Setion VII-B. IX. RECIPIENT ANONYMITY For reipient anonymity, we analyze the adversary s suess in determining the reipient of a partiular message sent by a user. Tehnially, instead of seleting one sender of the adversary s hoie at random, the hallenger selets a reipient at random. Moreover, the adversary is naturally not informed about the delivery of the hallenge message by a reipient, but of the sending of the hallenge message by a user. We derive impossibility results analogous to our results for sender anonymity via the same strategy we employed in the previous setions. In this ase, instead of ignoring all internally generated messages in Claim 2 we ignore all internally terminating messages. Note that this gives β a slightly different flavor. Synhronized Users. We slightly tweak the user distribution to suit the definition of reipient anonymity. We assume that all the input messages ome within R rounds, exatly 2

13 one message per round, following a random permutation the assigns one round to eah reipient. In a given round, exatly one sender sends a message to the assigned reipient. Then, the protool deides when to deliver the message to the reipient, but not delaying more than l rounds. Let U B be the user distribution as)) disussed above and let fβ, RAd) = min d++2d+βr R. Then we get for nonompromising adversaries, that no protool Π M an provide δ-reipient anonymity in the following ases: Without ompromisation: δ < fβ RA. For adversaries that ompromise up to parties: if l: δ < [ ) l ]f RA β. if < l: δ < [ ) ]f RA β ) fβ RA l ). Moreover, no protool M with polyη) an ahieve strong reipient anonymity when l < N and βn in the following ases, where ɛη) = η d for a positive onstant d: Without ompromisation: if 4lβ < ɛη), For adversaries that ompromise up to parties: if > l: 4lβ < ɛη) OR l O). if > l > : 4l )β < ɛη). Unsynhronized Users. Similar to the previous ase, here also we borrow the definition of user distribution from Setion VII, with a minor modifiation. The biased oins are now assoiated with reipients instead of senders - in eah round a sender sends a message for a reipient, with probability p. Let, fp RA d) = min 2, p) l+d ). Then we get for non-ompromising adversaries, that No protool Π M an provide δ-reipient anonymity for U P in the following ases: Without ompromisation: δ < 2 + fp RA ). For adversaries that ompromise up to parties: If l: δ < [ ) l ][ 2 + fp RA ]. If < l: δ < [ 2 + fp RA l )]) [ 2 + fp RA )][ ) ]). Moreover, For user distribution U P and p > 0, no protool an ahieve strong reipient anonymity if 2lp < ɛη), where ɛη) = η d for a positive onstant d. X. IMPLICATIONS To put our result into perspetive, we disuss whether our trilemma exludes strong anonymity for ten different AC protools from the literature. More preisely, this setion exemplarily applies the results from Theorem 2 and Theorem 7, i.e., with synhronized and unsynhronized user distributions and a global network-level, non-ompromising adversary. We use both results sine for some AC protools e.g., DCnets [5]) the synhronized user distribution is more aurate and for other protools e.g., Tor [0]) the unsynhronized user distribution is more aurate. Our onstraints mark an area on a 2D graph see Figure 6) with lateny overhead x-axis) versus bandwidth overhead y-axis) where strong anonymity is impossible. As the lateny of some AC protools depends on system parameters and we want to plae the protools in a 2D graph, we arefully hoose system parameters and make a few simplifying assumptions, whih are subsequently desribed. This setion is solely intended to put our impossibility result into perspetiveby disussing how we estimated the bandwidth β and lateny l bounds in the sense of this work. It is not meant and not qualified to be a performane and salability omparison of the disussed AC protools, whih would have to take many other dimensions into aount, e.g., the ommuniation and omputation omplexity of the servers and the reeivers, the omputation omplexity of the senders and the different kinds of funtionalities that are offered by the different AC protools e.g., group ommuniation vs. internet-like visitorwebpage ommuniation). Table I summarizes the different bounds on the bandwidth β and lateny overhead l in the sense of this work). Tehnially, this setion onsiders translations of AC protools into our protool modeland estimates the lateny and bandwidth overhead of these translations. As these translations do not provide any additional insights, we do not present the full translated protools but only the abstration steps. We abstrat away the ryptographi instantiation of messages inluding the bandwidth overhead they introdue over the plaintext. We assume an upper bound on the lateny of the protool and are oblivious to server-side noise see Claim 2). Moreover, reall that we are only interested in the question whether our trilemma exludes strong anonymity the ten AC protools from the literature; hene, we onsider the upper bound on the lateny and bandwidth overhead for deterministi lateny. For randomized lateny, suh as Loopix [24], we list for simpliity the expeted delay as the lateny bound. Low-lateny protools. Tor [0], Hornet [47], and Herd [48] are low-lateny AC protools, i.e., they immediately forward messages. While Tor and Hornet do not produe asymptotially more than a onstant amount of both bandwidth overhead and lateny overhead and thus annot provide strong anonymity, Herd produes dummy traffi linearly proportional to the number of users bandwidth overhead β θnn)), thus the trilemma does not exlude strong anonymity for Herd. Riposte. Riposte [49] uses seure multiparty omputation and a variant of PIR to implement an anonymous bulletin board. Riposte operates in epohs and for eah epoh the set of users is publi. Hene, Riposte is expeted to be run with long epohs to maximize the number of users that partiipate in an epoh, whih leads us to estimating the lateny overhead to be l θn). To ounter traffi analysis attaks, Riposte lients send onstant dummy traffi, resulting in a bandwidth overhead of β θnn). Thus, the trilemma does not exlude strong anonymity for Riposte. Vuvuzela. Vuvuzela [20] is a mix net that is tailored towards messengers. Clients ommuniate by deposing their enrypted messages in one of the mix net nodes. To ahieve strong resistane against ompromised servers, Vuvuzela takes a path through all servers, resulting in a lateny overhead of l θ) for servers). Additionally, Vuvuzela utilizes onstant traffi, leading to a bandwidth overhead of β θnn), and has the potential for strong anonymity. Riffle. Riffle [2] uses a verifiable mix-net, however not only 3

14 TABLE I Lateny vs. bandwidth vs. strong anonymity of AC protools, with the number of protool-nodes, number of lients N, and message-threshold T, expeted lateny l per node, dummy-message rate β. Protool Lateny Bandwidth Strong Anonymity Tor [0] θ) θn) impossible Hornet [47] θ) θn) impossible Herd [48] θ) θnn) possible Riposte [49] θn) θnn) possible Vuvuzula [20] θ) θnn) possible Riffle [2] θ) θnn) possible Threshold mixes [4] θt ) θn) impossible Loopix [24] θ l ) θβ) possible DC-Net [5], [46] θ) θnn) possible Dissent-AT [22] θ) θnn) possible DieMix [6] θ) θnn) possible if T in opolyη)) p log ) p poly ) Herd DC-Net Dissent-AT Riffle Diemix Vuvuzela Hornet Tor Threshold Mix log ) Loopix p 2`p apple poly ) Riposte Threshold Mix se poly ) Fig. 6. Asymptoti lateny and bandwidth overhead bounds against 2lp ɛη), with p = β in Theorem 2, p = β + p Theorem 7), a rate p at whih users are sending messages, the bandwidth overhead β, and the seurity parameter η. This graph assumes N is a. polyη), the number of nodes is a. log η. The threshold for Threshold Mix T = and for Threshold Mix se T = N = polyη). for messenger ommuniation but also for normal lient-server web traffi. Just as Vuvuzela, Riffle also hooses paths that traverse all servers, leading to l θ) and if we assume θlogη)), we get l θlogη)). We assume that the lients send dummy traffi up to a onstant rate depending on the user s sending rate p ), so we have β θnn) and the potential for strong anonymity. Threshold mix nets. In a Threshold mix net, eah of the mix servers waits until it reeived up to a threshold T many messages before relaying the messages to the next mix, resulting in l θt ). Threshold mixes [4] do not provide strong anonymity unless their threshold T is of the order of the number of users N. As suh a large threshold are impratial for a large number of users, we judge it impossible to ahieve strong anonymity for pratial deploymentsof Threshold mixes. Loopix. Loopix [24] is a mix net that ombines exponentially ` distributed delays at eah mix-node and dummy messages from eah user. Ignoring so-alled loop messages meant to ounter ative attaks), Loopix naturally enfores our unsynhronised user distribution: the rate at whih Loopix lients send messages is the sum of a dummy-message rate β) and a payload message rate p ), whih are system parameters. We assume that the path lengths in Loopix stratified topology is with the number of nodes θlogη)). If β +p η, and if every hop introdues an expeted delay of l η, the expeted lateny overhead is l = l, in partiular l θ η)). We get p + β)l = η η = and the trilemma does not exlude strong anonymity for Loopix, whih grants the protool an interesting spot in our figure. AC protools based on DC-nets. In a DC-net [5], [46] eah party broadasts either a dummy or real message in every round to every other party. As our bandwidth overhead only ounts dummy-message rates, it does not apture the broadast, thus β θnn). DC-nets use a ombination operation a simple XOR in Chaum s original paper) that auses dummy messages to anel out. Then, all parties output the resulting bitstring. If only one real message is sent, the bitstring equals this message. As Theorem 7 already assumes a synhronized user distribution, eah round only one party sends a message; hene, in our model we treat the lateny overhead as l θ). The Dissent-AT [22] sheme the AnyTrust-variant of Dissent) improves on the performane of DC-nets by relying on dediated servers. Instead of sending in eah round fake or real iphertexts to every other lient, lients in Dissent-AT send these messages to at least one of these dediated servers. These servers then perform a DC-net ommuniation round. Abstrating from an initial set-up phase and only ounting the lient-messages, Dissent-AT has β θnn) for the lients assuming that eah lient ommuniates to one server), and l θ). Diemix [6] is a peer-to-peer AC protool that is based on the DC-net approah. While Diemix inludes a self-healing mehanism that leads to 4 + 2f ommuniation rounds for one message if f peers are maliious, this mehanism does not kik in if all peers are honest, leading to only 4 ommuniation rounds. The authors additionally had the insight that a trusted party, i.e., a bulleting board, an be used for the broadast. This party an even be maliious in whih ase the bulleting board an stop the protool but not deanonymize the parties. This bulleting boards keeps the lateny at 4, whih is in θ).as every party sends a message in every round β θnn). XI. CONCLUSION & FUTURE WOR This paper proves the anonymity trilemma: strong anonymity, low bandwidth, low lateny hoose two! We derive neessary onstraints for sender anonymity and reipient anonymity, and thereby presents neessary onstraints that are ruial for understanding bi-diretional anonymous ommuniation: sender anonymity for hiding the sender and reipient anonymity for hiding the reipient of a message. To put 4