Anonymous Communication


Anonymous Communication

Clemens H. Cap
ORCID: 0000-0003-3958-6136

Department of Computer Science


University of Rostock
Rostock, Germany
[email protected]

Version 2

https://iuk.one/1033-1013

Overview

1. What is Anonymity?

2. Superposed Sending

3. Mix Networks
4. Remailers
5. Onion Routing

6. Further Remarks

1. What is Anonymity?

Understanding the concept and the necessity.


What is Privacy?

Possible Answers: 4 Doctrines of Privacy

Privacy in Private (Warren & Brandeis)
Concept of privacy as “right to be left alone”.
Legal concept which was developed when photography was invented.

Privacy in Public (Volkszählungsurteil)
Every person has the right to determine who has access to her personal data.

Interpersonal Privacy (Trading)
Personal data can be traded for benefits (e.g., Facebook: free social network).

Zero Privacy (Post Privacy Society)
“There is no privacy – get over it” (Scott McNealy) 1

Notes:
1 An approach of which privacy activists like Jacob Appelbaum say that it is bullshit. Personally I tend to agree, maybe not with the same drastic choice of words, but: I think that privacy is one of the most fundamental rights of a human being and that it must be upheld at all costs, in particular in a digital society. But, as we know from other social developments, it often takes many decades if not centuries for a proper understanding of the proper human reaction to technological innovation. First, as always, the greedy and the powerful take their turn and only then society can react and stop them.


Many Variants of Anonymity and Privacy

Many variants:
Anonymous communication (this unit). 1
Zero Knowledge Protocols. 2
Secret Splitting and Secret Sharing. 3
Multi Party Computation. 4
Private Information Retrieval. 5
Homomorphic Encryption. 6

Notes:
1 What is anonymous communication and how can it be established?
2 How can I prove a fact to a verifier without the verifier being able to prove the fact himself?
3 How can I split a secret in such a way that a single split provides no knowledge at all but only a certain number of splits allows the reconstruction of the secret?
4 How can three people calculate a function on three inputs, with the inputs staying private and only the result becoming public?
5 How can I retrieve information from a server without the server learning which information items I was interested in?
6 How can I have a cloud provider compute on my data without learning the true nature of my data?


What is Anonymity?

Answer 1: Not knowing an identity.
Same problem as with “absolute security”. 1
Allows no quantification.
Does not properly address notion of “identity”.

Answer 2: Unlinkability
I cannot link a communication act to context information.
Examples: IP/MAC address, name, pseudonym, year of writing, used protocol. 2
Solves the “identity” problem via “linkage”.
Still does not allow a quantification.

Answer 3: Size of anonymity set
User is one out of a set with n elements.
Example 1: Year of writing. 3
Example 2: IP address of writer.
Allows quantification by the probability with which information can be linked.

Notes:
1 An unclear and unrealistic concept, which often is used. It is not wrong, but it also is not very helpful.
2 Not completely clear what the used protocol can help short of illustrating the concept of context information, but for this purpose it is fine.
3 Very large set but almost 100% certain in a chat communication.

Use Cases for Anonymity

Abstract Use Cases
Separating the message from the messenger.
Anti censorship.
No tracking.
Escaping unwanted communication (spam).

Concrete Use Cases
We are a ... dissident in ... 1
We want to read ... material which is prohibited in ... 2
We want to write ... material which is prohibited in ...
We want to buy a product and not pay the highest price. 3
We ... umm ... have something we want to hide. 4

Notes:
1 Enter your favorite fantasies for the dots.
2 Keep in mind that many things are prohibited somewhere; the world is different in culture, politics, religion and many other aspects.
3 For this, google the concept of cookie pricing.
4 And that is not necessarily bad.


Ethical Aspects of Anonymity

Pro: Philosophic position of enlightenment (“Aufklärung”)
Rational debate needs opportunity to state positions without detriment for messenger.
Restrictions to open, anonymous communication damage democracy.
Voltaire: “I might disagree with your opinion but I will fight that you can voice it freely.”

Contra: Anonymous communication may be used to cover illegal activity.
Use for distributing copyrighted, banned or illegal contents.
Threats, blackmailing

Infrastructure Design Argument
Building IT infrastructure so that it strengthens human rights or promotes surveillance.

Technological Neutrality Argument
Technology should not prejudice social and legal decisions.

Scenarios of Anonymity Quantification

Criminal court:
“Beyond reasonable doubt”
“In dubio pro reo”

Scenario 1:
The probability of Alice being the sender (and thus guilty) is less than 50%.
The probability of Alice being innocent is higher than of Alice being guilty.

Scenario 2:
One of Alice, Bob, Carol, Dave, ... is the sender.
Statistical analysis shows the following sender probabilities:
Alice: Less than 1%
Bob: Less than 1%
Carol: Less than 40%
Dave: Less than 1%
What will happen in practice?

Modes of Unlinkability

Classical Unlinkability: Entities exchange messages, we want unlinkability of any pair of
sender of a message
reader of a message
content of a message

Distinguish from
Who uses this service? 1
Anonymous publishing only (writer-content unlinkability)
Censorship free reading only (reader-content unlinkability)
Content confidentiality (just encrypt)

Notes:
1 That is pretty much easy, just look at their hard disc and installed programs or observe their network handshaking protocols.


Security Analysis

Needs for every solution: 1
1. Protection goals.
2. Attack model.
3. Attacker capabilities.

Typical attacks:
Traffic analysis. 2
Timing attacks. 3
Side channel attacks. 4
Active attacks. 5

Notes:
1 and this is unanimously true for all forms of security jobs:
2 Just look at the packets and from where to where they are moving.
3 Somebody injects 500 packets. Do we see anybody within the next 2 seconds receiving 500 packets?
4 All kinds of interesting attacks.
5 All kinds of interesting things. For example: Let us change the routing and some node or the reachability. Does this have an impact on retransmissions? From which node?


Typical Solutions

High Latency Routing Obfuscation Solutions:
Typical application: Email.
Disadvantage: No interactivity due to high latency.
Advantage: Can be constructed to be very secure.

Low Latency Routing Obfuscation Solutions:
Typical application: Web Services.
Advantage: Convenient for near-real-time services.
Disadvantage: Not very secure.

Other forms of approaches. 1

Notes:
1 And we shall actually start with one form of such other approaches.


2. Superposed Sending

Charming protocol by David Chaum.
Anecdote of the dining cryptographers. 1

Notes:
1 We know the dining philosophers, so it's pretty topical here to invent the dining cryptographers.


Cryptographical Anecdote

Anecdote of the Dining Cryptographers:


Alice, Bob and Carol receive an invitation for dinner.
The waiter informs them that the meal has been paid for.
Alice, Bob and Carol want to find out if one of them or a third party has paid.
Since the spender could be one of them, they want to keep his anonymity.

Centralized solution: A trusted entity.


Assume the waiter is trusted.
All privately tell the waiter.
The waiter tells the result while keeping privacy guarantees.

Question: Is there a decentralized solution?

Decentralized Solution

Is an "anonymous broadcast communication" of one bit to all participants.

Also is a “secure multiparty computation” of a logical function of three inputs.

Preliminary Observation
Every pair of nodes generates a 1-bit secret: s_AB, s_CA, s_BC.
This secret is known to only these two nodes.
E.g.: A knows s_AB and s_CA.
Every node computes the xor of the two values she knows.
E.g.: A computes s_AB ⊕ s_CA.
Every node broadcasts the result to all other nodes.

Observation: In this case the number of 1s among the three broadcast bits is even.
Equivalent: The xor of the three broadcast bits is 0.
Equivalent: We have an invariant of 0 – independently from the specific situation.

Proof: (s_AB ⊕ s_CA) ⊕ (s_BC ⊕ s_AB) ⊕ (s_CA ⊕ s_BC) =
(s_AB ⊕ s_AB) ⊕ (s_CA ⊕ s_CA) ⊕ (s_BC ⊕ s_BC) = 0 ⊕ 0 ⊕ 0 = 0

Decentralized Protocol

Mechanism:
Carry out the above protocol.
If one of the three dinner guests paid,
this person violates the described protocol by broadcasting the opposite result.

Interpretation:
If the invariant still holds: NSA has paid.
If the invariant is violated: One of them has paid.

Correctness of the result: Simple checking.

Analysis (1)
Let b_X be the bit broadcast by X: b_A = s_AB ⊕ s_CA, b_B = s_AB ⊕ s_BC, b_C = s_CA ⊕ s_BC.

When nobody has paid, there is an even number of 1s among the b.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0    0       0   0   0
0    0    1       1   0   1
0    1    0       0   1   1
0    1    1       1   1   0
1    0    0       1   1   0
1    0    1       0   1   1
1    1    0       1   0   1
1    1    1       0   0   0

When A has paid, it deviates: there is an odd number of 1s among the b.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0    0       1   0   0
0    0    1       0   0   1
0    1    0       1   1   1
0    1    1       0   1   0
1    0    0       0   1   0
1    0    1       1   1   1
1    1    0       0   0   1
1    1    1       1   0   0


Analysis (2)

When nobody has paid, there is an even number of 1s among the b.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0    0       0   0   0
0    0    1       1   0   1
0    1    0       0   1   1
0    1    1       1   1   0
1    0    0       1   1   0
1    0    1       0   1   1
1    1    0       1   0   1
1    1    1       0   0   0

When C has paid, it deviates: there is an odd number of 1s among the b.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0    0       0   0   1
0    0    1       1   0   0
0    1    0       0   1   0
0    1    1       1   1   1
1    0    0       1   1   1
1    0    1       0   1   0
1    1    0       1   0   0
1    1    1       0   0   1


Analysis (3)

However B does not see s_CA. The two tables (apart from sorting of rows) look identical for B. B sees that one of A, C has paid but not who! 1

When A has paid, as seen by B.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0            1   0   0
0    0            0   0   1
0    1            1   1   1
0    1            0   1   0
1    0            0   1   0
1    0            1   1   1
1    1            0   0   1
1    1            1   0   0

When C has paid, as seen by B.

Shared            Broadcast
s_AB s_BC s_CA    b_A b_B b_C
0    0            0   0   1
0    0            1   0   0
0    1            0   1   0
0    1            1   1   1
1    0            1   1   1
1    0            0   1   0
1    1            1   0   0
1    1            0   0   1

Notes:
1 And, of course, the same is true for all the other parties – except for the case of that party which has paid, in case there is such a party.


Analysis

Of course, not everybody has the use case of finding out whether the NSA invited them for dinner. So what can we do with this nice protocol?

Extension to longer messages:
Extend protocol from 1 bit to n bits using rounds.
In every round, one anonymous bit may be sent.
Unconditionally secure protocol. 1
Correct communication (provided in every round at most one party sends).
Maintains privacy (unless all other participants collude).

Extension to more participants:
Situation translates to n nodes with complete graph.
Same result as with n = 3.
Needs shared values on all n · (n − 1)/2 edges. 2

Notes:
1 So we have one more example of such a protocol – in addition to the one time pad.
2 This is a disadvantage, since it scales quadratically with the number of participants. This means: For 1 billion internet participants it would not work. However, there are certain tricks which may be applied.


Using Sparse Graphs

Sparse Graph: 1
Basically a similar situation.
Topology dependent loss of some security properties.
Linear scaling can be maintained at the price of security.

Example:
Ring with secrets shared with left and right neighbor.
If both neighbors conspire, privacy can be revoked.
In complete graph all but one must conspire.

Notes:
1 A sparse graph is the opposite of a complete graph: Not all edges are realized. Even worse: quite a large number are not realized.


Collision Problem (1)

Problem: 1
Special case: Only one or zero participants could adhere to the rule of “Behave differently if you have paid”.
General case: More than one party sends.
Communication is disrupted by collisions.
Similar to collisions in CSMA-type protocols. 2

Idea 1: Collision Prevention.
Similar concept as with CSMA/CD.
Detect collisions using checksums.
In case of a collision, do an exponential backoff.
May combine with protocol for reservations.
Works only under the assumption of reasonable participants (honest but curious). 3
Attacker can (anonymously) disrupt the network. 4

Notes:
1 There is however one remaining problem. The protocol computes the xor of all private bits. This realizes a broadcast communication only when at every round at most one party wants to communicate.
2 and it looks like this provides a path to a solution.
3 The individual participant does not violate the rules of sending, of collision prevention, of exponential backoff. In this sense he is honest. The participants also do not collude with each other to break the anonymity of a specific guy among them. However, they are not fully trusted but curious. If they manage to learn something they should not be knowing they will use that opportunity. However, while the protocol works for the honest but curious model it allows a bad form of attack, namely:
4 So for quite some time researchers believed that this protocol could not be used.
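The superposed sending protocol and its extensions from the preceding slides (n participants, rounds for longer messages, ring versus complete graph, collisions), as an added Python example that is not part of the original lecture material. It generalizes the three-party tables to arbitrary key graphs; all function names and the choice of five participants are assumptions made for illustration.

```python
import secrets
from itertools import combinations


def complete_graph(n):
    """Every pair of nodes shares a secret: n*(n-1)/2 edges."""
    return [frozenset(pair) for pair in combinations(range(n), 2)]


def ring_graph(n):
    """Sparse variant: secrets shared with the left and right neighbour only."""
    return [frozenset((i, (i + 1) % n)) for i in range(n)]


def share_secrets(edges):
    """Draw one fresh 1-bit secret per edge; only its two endpoints know it."""
    return {edge: secrets.randbits(1) for edge in edges}


def broadcast_bits(n, keys, senders):
    """Each node XORs the secrets on its edges; a sending node flips its result."""
    bits = []
    for node in range(n):
        b = 0
        for edge, secret in keys.items():
            if node in edge:
                b ^= secret
        if node in senders:
            b ^= 1
        bits.append(b)
    return bits


def superpose(bits):
    """XOR of all broadcasts: 0 keeps the invariant, 1 means an odd number of senders."""
    result = 0
    for b in bits:
        result ^= b
    return result


def send_message(n, edges, sender, message_bits):
    """Multi-round extension: one anonymous bit per round, fresh secrets each round."""
    received = []
    for m in message_bits:
        keys = share_secrets(edges)
        senders = {sender} if m else set()
        received.append(superpose(broadcast_bits(n, keys, senders)))
    return received


def colluders_unmask(n, keys, bits, colluders):
    """Return the nodes whose flip the colluders can prove by pooling their secrets."""
    exposed = set()
    for node in range(n):
        if node in colluders:
            continue
        own_edges = [edge for edge in keys if node in edge]
        # The honest bit of `node` is computable only if every one of its
        # edges ends at a colluder, i.e. the colluders hold all its secrets.
        if all(edge & colluders for edge in own_edges):
            expected = 0
            for edge in own_edges:
                expected ^= keys[edge]
            if expected != bits[node]:
                exposed.add(node)
    return exposed


if __name__ == "__main__":
    n = 5
    print("message over ring:", send_message(n, ring_graph(n), 2, [1, 0, 1, 1]))
    keys = share_secrets(complete_graph(n))
    print("collision, two senders:", superpose(broadcast_bits(n, keys, {1, 3})))
    for name, graph in (("ring", ring_graph(n)), ("complete", complete_graph(n))):
        keys = share_secrets(graph)
        bits = broadcast_bits(n, keys, {2})
        print(name, "neighbours 1 and 3 expose:", colluders_unmask(n, keys, bits, {1, 3}))
```

On the ring, the two neighbours of the sender expose it; on the complete graph the same two colluders learn nothing, and two simultaneous senders cancel each other out.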


Collision Problem (2)

Idea 2: Trap Protocol: Catch the disrupter.


Proposal for a (complex) protocol where an anonymous attacker can be caught.
Was later broken: Can be used to break anonymity of honest participants.

Idea 3: Reservations Protocol.


Provide a reservation protocol for participants.
Participants must prove via zero knowledge protocol that they adhere to reservations.
Quite complex, still unbroken.

3. Mix Networks

A low latency solution for anonymous communication with a touch of centralization.


Mix Network Scheme

Fig. 1: A mix network © Rights see appendix.

Mix Network Operation

Mechanism:
n ≥ 3 nodes are operating in a linear cascade.
Every node has a (public, private) key pair (e_i, d_i).
Input into first node consists of an onion-like layer e_1(e_2(e_3(m))).
Every mix removes one layer of crypto and forwards to next node.

Attacks on Mixes (1)

Traffic analyst sees traffic between nodes and attempts to correlate traffic.

By sequence:
First packet sent to first node corresponds to first packet received from last node.
Prevent by reordering in the node.

By timing:
Prevent by buffering messages for some time.
Leads to (too) high latency.

Attacks on Mixes (2)

By content:
Prevent by using (different) encryption from node to node.

By length:
Prevent by sending only messages of one fixed length.

By number of messages:
Prevent by sending decoy traffic.

Evaluation:
Attacker cannot link sender and recipient.
But: Attacker can identify participants in the system (from protocol handshake). 1
But: Attacker can distinguish senders from recipients.

Notes:
1 and there are countries which do so and then users of mix cascades can be punished if such technology is forbidden.
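The cascade operation and the countermeasures by sequence, timing, content and length from the preceding slides, as an added Python example that is not part of the original lecture material. A keyed SHA-256 keystream stands in for the public-key operations e_i and d_i (an assumption so that the example runs with the standard library only; it is a toy and shares one symmetric key between sender and mix); the names, the 64-byte cell size and the batch sizes are constructed for illustration.

```python
import hashlib
import random
import secrets

BODY_LEN = 64    # constructed value: every padded plaintext has this length
NONCE_LEN = 16


def _keystream(key, nonce, length):
    """SHA-256 in counter mode; a toy stand-in, not a vetted cipher."""
    stream = b""
    counter = 0
    while len(stream) < length:
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return stream[:length]


def seal(key, data):
    """Stand-in for e_i(data): fresh nonce, then data XOR keystream."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(key, nonce, len(data))
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def peel(key, blob):
    """Stand-in for d_i(blob): remove exactly one layer."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def pad(message):
    """Length byte + message + zero fill, so all plaintexts are BODY_LEN bytes."""
    if len(message) > BODY_LEN - 1:
        raise ValueError("message too long for one fixed-size cell")
    return bytes([len(message)]) + message + bytes(BODY_LEN - 1 - len(message))


def unpad(body):
    """Inverse of pad(): read the length byte and cut the message out."""
    return body[1:1 + body[0]]


def wrap(message, keys):
    """Build e_1(e_2(e_3(m))): the innermost layer belongs to the last mix."""
    blob = pad(message)
    for key in reversed(keys):
        blob = seal(key, blob)
    return blob


class Mix:
    def __init__(self, key, batch_size):
        self.key = key
        self.batch_size = batch_size
        self.pool = []
        self.rng = random.SystemRandom()

    def receive(self, blob):
        """Peel one layer and buffer; flush a shuffled batch once the pool is full."""
        self.pool.append(peel(self.key, blob))
        if len(self.pool) < self.batch_size:
            return []          # still buffering: this is where the latency comes from
        batch, self.pool = self.pool, []
        self.rng.shuffle(batch)    # breaks the first-in/first-out correlation
        return batch


def run_cascade(mixes, blobs):
    """Feed the blobs through the linear cascade, one mix after the other."""
    for mix in mixes:
        forwarded = []
        for blob in blobs:
            forwarded.extend(mix.receive(blob))
        blobs = forwarded
    return blobs


if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]
    messages = [b"from Alice", b"a longer note from Bob", b"Carol", b"Dave"]
    blobs = [wrap(m, keys) for m in messages]
    print("input lengths:", {len(b) for b in blobs})
    out = run_cascade([Mix(k, batch_size=4) for k in keys], blobs)
    print("output order:", [unpad(b) for b in out])
```

All cells entering a given mix have the same length, identical plaintexts produce different ciphertexts at every hop, and a mix whose batch never fills forwards nothing, which is the latency cost named on the slide.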


Plausible Deniability of Mix Use

Scenario 1: Use of tools for anonymous communication forbidden in some countries.


Solution: Additional layers (tunnel, VPN or steganographic) hide handshake.

Scenario 2: Confirmation of suspicion


Alice is suspect in a criminal case and her communication is intercepted.
The day Alice learns that she is a suspect her use of mixing cascades goes up.
This is no proof in court.
This may trigger behavior of her observers.

General Recommendation
If you once in a while have to send something important with crypto grade security then
always send with crypto grade security in order not to tip-off an attacker. Cryptographic
and anonymous communication should be the default.

Problems with Mixes (1)

Problem: Collusion of Mixes
A node should only know its own private key.
How can this be guaranteed when an entire cascade is operated by a single privacy-service? 1
Idea: The individual nodes should be organizationally independent. 2

Problem: Authenticity of Mixes
Attack: Set up an anonymizer only to catch interesting information
Question: How to distinguish true from fake anonymization service?
Question: Why should I trust a security service more than a possible attacker?
Just because they call themselves security service?
Or rather because I have means to verify trust aspects!

Notes:
1 and the answer, quite clearly, is: It cannot.
2 And finally you learn, they are organizationally independent, but all of them are infiltrated by the NSA or the KGB.


Problems with Mixes (2)

Problem: Scaling
Security gets better when more and independent nodes use the system
Thought experiment 1: Only 1 node uses the system.
Thought experiment 2: Only 2 nodes use the system.
Thought experiment 3: 1 node plus 500 nodes of the NSA use the system.
Thought experiment 4: 100 different nodes plus 500 nodes of the NSA use the system.

Problem: Collusion of Other Users
If all the other users conspire against me, anonymity can be broken easily. 1

Notes:
1 Ok, that is pretty paranoid. But it is the job of a crypto person to be paranoid.


JAP and AN.ON

Initiated by TU Dresden and Unabhängiges Landeszentrum für den Datenschutz Schleswig-Holstein.
Fixed cascade of three nodes.
All nodes operated by well-known entities.
User can choose from several cascades.


4. Remailers

High latency solutions for anonymous communication.

Overview

Overview:
First attempt to develop working anonymous communication.
Several conceptually interesting development steps. 1
Today mostly defunct and superseded by other, low latency tech (TOR, I2P). 2
Sad: High latency remailers would offer much better anonymity than low latency tech.

Timing / Flow attack:
Attacker watches packets flow between nodes.
Attacker produces correlations between traffic.
With low latency (3s end-to-end) this is rather easy.
High latency does a store, reshuffle sequence, forward approach for several days.
Problem: If only 2, 3 people use it – the anonymity set is too small.
The convenience of the many (using low latency tech) produces the risk for all.

Notes:
1 We can learn a lot from those.
2 People wanted to use the World Wide Web anonymously as well. So, these days, anonymous communication uses services based on TOR and I2P and others.

4 Types of Classical Remailers


Type 0: Pseudonymous Remailers
Type 1: Cypherpunk Remailers
Type 2: Mixmaster Remailers
Type 3: Mixminion Remailers

Type 0: Pseudonymous Remailers (1)

Idea: First attempt at remailers: anon.penet.fi by Johan Helsingius.

Mechanism:
Sender provides email address and registers a pseudonym.
Sender sends mail to remailer.
Remailer removes identifying headers.
Remailer fills in pseudonymous address.
Remailer forwards to final recipient.
Receiver replies to pseudonymous address.
Remailer forwards in similar fashion.

Type 0: Pseudonymous Remailers (2)

Analysis: Many problems.


Remailer knows original addresses and address mappings.
No security against attacks from remailer itself.
Remailer can be compromised or subpoenaed.
Susceptible to eavesdropping attacks since messages are sent as plain text.
But: User can use payload encryption.
Susceptible to traffic analysis attacks.
Susceptible to replay attacks.

Type 1: Cypherpunk Remailers
Idea: Partially solve problem of plain text transport by encryption.
Mechanism:
User retrieves public key of remailer.
User sends encrypted message to remailer with an additional Anon-To header
indicating true recipient
Remailer decrypts
Remailer removes identifying information
Remailer forwards to true recipient in Anon-To header.
Analysis:
Secure against eavesdropping by third parties.
Susceptible to eavesdropping by remailer; user can employ separate encryption.
No reply possible.
Remailer knows sender – but can use chains of remailers.
Susceptible to traffic analysis and replay attacks.

Type 2: Mixmaster Remailers

Idea: Solve problem of traffic analysis by mixing.

Mechanism: First application of mix concept.

Analysis:
No reply possible
High latency allows excellent security.
Body may describe a reverse path, but there is no automatic, protocol-provided mechanism.
Replay attacks possible

Type 3: Mixminion Remailers (1)

Idea: Solves most remaining problems of remailers.


Design document by the inventors of the concept nicely illustrates the many important
aspects of anonymous communication.
Concept: Single Use Reply Block (SURB)
Along the path of mail delivery, encode and encrypt a layered return path.
Receiver of the message may reply but does not learn identity of partner.

Concept: Preventing replay attacks by key rotation


Problem: Do not want to have time stamps (could allow attacks).
Problem: Do not want to have serial numbers (need to keep status, which is
operational burden and could allow attacks).
Solution: Use changing encryption keys.

Type 3: Mixminion Remailers (2)

Concept: Dummy traffic.
When volume of traffic is too low, traffic analysis may succeed.
Remailers generate dummy traffic to prevent traffic analysis.

Concept: Spam prevention via exit policies
Every anonymously delivered mail comes with instructions how recipient can confidentially request not to get more anonymous mail from a remailer.

Analysis:
Great concept, currently mostly defunct. 1

More information available: Active (?) github Original github

Notes:
1 Because nobody is operating mixminion remailers any more and, even worse, nobody is using them, which reduces the anonymity set.

Other Mail Services

Anonymous mailing services on top of other (mostly low latency) technologies:


I2PBote
BitMessage
TorMail (now defunct)

%Î ½ 43 67 4. Remailers ö È C.H.Cap
Notes for Slide 44 of 67 ()

5. Onion Routing 1. What is Anonymity?

2. Superposed Sending
A low latency solution
for anonymous communication 3. Mix Networks
with strong distribution.
4. Remailers
5. Onion Routing

6. Further Remarks

%Î ½ 44 67 5. Onion Routing ö È C.H.Cap


Tor Basics

Idea: A kind of distributed, decentralized mix cascade.

Three types of nodes


1 Guard node: Knows identity of the Tor network user.

2 Relay node: Knows only guard and exit node.

3 Exit node: Knows the relay node and the resource which is accessed.

TOR Circuit:
Anonymous replacement for TCP protocol.
First set up Tor circuit.
Then use circuit for the remainder of the session.
Normal Tor circuit uses 3 nodes.

How Tor Works (1)

Fig. 2: Alice contacts the directory server to obtain a list of Tor nodes. © Rights see appendix.

How Tor Works (2)

Fig. 3: Alice builds up a Tor circuit to the node she uses as exit node. © Rights see appendix.

How Tor Works?

Fig. 4: Alice uses Tor at another occasion. © Rights see appendix.

Attacks Against Tor

As usual: Understanding why a system is safe means analyzing its attack vectors!

Attack Scenarios:
Attacker controls all three nodes: Can link surfer to website.
Attacker controls guard & exit: Timing and packet number attack on guard & exit.

Important:
Choose the right guard, since the guard knows who you are.
Variant 1: Choose a trusted guard.
Variant 2: Next best option: Choose a random guard once in a while.


Practical Use of Tor

Compromises:
Tor is an operative system which requires compromises of performance and anonymity.
Tor does not use padding; some mild padding was introduced recently.
Tor does not use decoy traffic. 1

Tor only transports TCP.
Negative: For example, VoIP or DNS over Tor does not work.
Positive: Other protocols could leak identity information.

Risks in operating an exit node:
Forwarding requests to dubious sites.
Seizing of equipment and legal trouble.
Attention of three-letter-agencies.

Notes:
1 Decoy traffic means that meaningless traffic is sent all the time. This requires tremendous amounts of bandwidth.


Map of Tor Relays

Fig. 5: This map of Tor relay nodes shows that operating a normal relay node is quite popular. © Rights see appendix.


Map of Tor Exit Nodes

Fig. 6: Map of Tor exit nodes shows that operating exit nodes is less common in countries known for more restrictive
legal systems. © Rights see appendix.

Can We Trust Tor?

Basic evaluation:
Open source project.
Active research on Tor security.
Some centralized components: Directory server.
Many decentralized components: Nodes.

Yes, provided:
We know a lot about Tor.
We follow the pertinent research.
We adhere to the (many) security rules. 1
We do not operate services drawing in focused attacks. 2

No, provided:
We assume the existence of a global traffic analyst.
We need interactive, responsive Web 2.0 convenience.
We operate out of Tor-banning countries. 3

Notes:
1 For example, only to use an up to date Tor browser bundle.
2 and this is pretty much everything which is illegal somewhere. Because then we are up against strong opponents.
3 I certainly would not be using Tor from China.


Nym Situation in TOR

Remailer Anonymity:
Attacker knows the email addresses of all receivers.
Attacker knows the email addresses of all senders.
Attacker cannot link a specific sender to a specific receiver.

TOR Anonymity:
Attacker knows the IP address of surfers.
Attacker knows the IP address of servers.
Attacker cannot link a specific surfer to a specific server.

TOR Hidden Service Anonymity:
Attacker knows the IP address of surfers.
Attacker does not know the IP address of a hidden service.
Attacker cannot link a specific surfer to a specific server.
Attacker cannot link a hidden service to a person. 1

Notes:
1 And this, of course, attracts people who want to do shady and illegal things on the internet.


5. Onion Routing Notes for Slide 55 of 67 (What are Hidden Services?)
What are Hidden Services? 1 The obvious question is: How can this be possible at all?

2 So there is a unique toplevel domain used for Tor hidden services. Of course, they do not resolve within the
normal DNS service system.

Paradoxical Situation:
Naming: Surfer uses (names, references) a service
without knowing its IP address.
Routing: Surfer routes to a service.
without having or compromising its IP address. 1

Answers:
Use .onion addresses for naming. 2

Use an untraceable routing mechanism


Note: Tor exit nodes are known to attackers and cannot serve as service providers.

Fig. 7: Hidden Services (1) © Rights see appendix.
Fig. 8: Hidden Services (2) © Rights see appendix.
Fig. 9: Hidden Services (3) © Rights see appendix.
Fig. 10: Hidden Services (4) © Rights see appendix.
Fig. 11: Hidden Services (5) © Rights see appendix.
Fig. 12: Hidden Services (6) © Rights see appendix.


Analysis of Hidden Services

Purposes are often illegal
Botnet command and control servers
Drug, weapon, illegal goods sale
Ongoing debate how to ban illegality without compromising anonymity.

Problem 1: Attacks.
Traffic correlation & side channel attacks can deanonymize hidden services.

Problem 2: Trust
There is no trust / reputation source, so you can end up at fake sites.


I2P

Comparison:
Many conceptual similarities with Tor.
More advanced and flexible than Tor.
Smaller community with less funding, less activity, smaller anonymity set.

Two Essential Differences:
Garlic routing encrypts several payload messages into one message. Tracking is more difficult than with onion routing.
Unidirectional tunnels instead of bidirectional tunnels as with Tor.


6. Further Remarks

Another solution and some further problems.


Dolev Bus

Description in a paper of Beimel and Dolev. 1

Mechanism:
Every user is a bus station.
All bus stations form a ring.
There is a bus going around the ring.
At every bus station messages may “hop on” or “get off” the bus.
Encryption from station to station for every passenger seat prevents tracking.
Constant size of the bus prevents length correlation.

Variants:
Use a second bus going in the opposite direction.
Use different topologies and bus schedules.

Notes:
1 Just one example representing a range of similar ideas.
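A simplified model of the mechanism listed above, as an added example (not from the slides or from the Beimel and Dolev paper): a fixed number of fixed-size seats travels around the ring and every seat is re-encrypted on every link. The function names, seat layout and bus geometry are assumptions, and the SHA-256 XOR stream is a toy stand-in for a real authenticated cipher.

```python
import hashlib
import os

SEATS, SEAT_SIZE, NONCE_SIZE = 4, 32, 8   # bus geometry (constructed values)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher: XOR with SHA-256 in counter mode. Not for real use."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, seat: bytes) -> bytes:
    """Encrypt one seat for the next link under a fresh random nonce."""
    nonce = os.urandom(NONCE_SIZE)
    return nonce + _xor_stream(key, nonce, seat)


def unseal(key: bytes, blob: bytes) -> bytes:
    """Decrypt one seat received from the previous station."""
    return _xor_stream(key, blob[:NONCE_SIZE], blob[NONCE_SIZE:])


def empty_seat() -> bytes:
    """Free seat: flag byte 0 followed by random filler."""
    return b"\x00" + os.urandom(SEAT_SIZE - 1)


def occupied_seat(dest: int, msg: bytes) -> bytes:
    """Taken seat: flag 1, destination station, length, message, random padding."""
    if len(msg) > SEAT_SIZE - 3:
        raise ValueError("message does not fit into one seat")
    body = bytes([1, dest, len(msg)]) + msg
    return body + os.urandom(SEAT_SIZE - len(body))


def run_ring(n_stations: int, outbox: dict, laps: int = 2):
    """Drive the bus around the ring; return (delivered, wire_log).

    outbox maps a sender station to a list of (dest, message) pairs.
    wire_log holds the bytes an observer sees on each link, one entry per hop.
    """
    link_keys = [os.urandom(32) for _ in range(n_stations)]  # key i: station i -> i+1
    queues = {s: list(q) for s, q in outbox.items()}
    delivered = {s: [] for s in range(n_stations)}
    seats = [empty_seat() for _ in range(SEATS)]
    wire_log = []
    for hop in range(laps * n_stations):
        here = hop % n_stations
        for i, seat in enumerate(seats):
            if seat[0] == 1 and seat[1] == here:        # passenger gets off
                delivered[here].append(seat[3:3 + seat[2]])
                seat = empty_seat()
            if seat[0] == 0 and queues.get(here):       # passenger hops on
                seat = occupied_seat(*queues[here].pop(0))
            seats[i] = seat
        wire = [seal(link_keys[here], s) for s in seats]
        wire_log.append(b"".join(wire))                 # same size on every hop
        seats = [unseal(link_keys[here], w) for w in wire]  # next station decrypts
    return delivered, wire_log
```

The model covers only an outside observer on the links, who sees the same number of bytes on every hop whether or not anyone is sending. Stations themselves still read each seat's destination here.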

Problems

Wide range of practical problems must be solved:
Identity leaks via browser fingerprinting, cookies, DNS traffic, Javascript snippets, ...
Tor developers recommend use of special Tor browser bundle.
Stupid user leaks identity via content (“Yours sincerely, Tom Sawyer”).
User uses unencrypted services and exit node can intercept. 1
Javascript picks up usage characteristics (keyboard typing is a biometric signal!).
Tor browser should have Javascript turned off.
User leaks identity via writing style: Paper
High security requirements may damage web surfing quality.

The practice of really secure anonymous communication is difficult.

Notes:
1 It is said that ... Wikileaks...


Broken Services

Fig. 13: A very large number of self-proclaimed anonymization services are broken. © Rights see appendix.


Part I

Appendix

Contents of Appendix

List of Figures
List of Rights
Terms of Use
Citing This Document
List of Slides
List of Figures

1 Mix Network
2 How Tor Works (1)
3 How Tor Works (2)
4 How Tor Works (3)
5 Map of Tor Relay Nodes
6 Map of Tor Exit Nodes
7 Hidden Services (1)
8 Hidden Services (2)
9 Hidden Services (3)
10 Hidden Services (4)
11 Hidden Services (5)
12 Hidden Services (6)
13 Broken Anonymity Services


List of Rights

Fig. 1 Source: https://commons.wikimedia.org/wiki/File:Red_de_mezcla.png Primepq by CC BY-SA 3.0 https://creativecommons.org/licenses/by-sa/3.0
Fig. 2 Electronic Frontier Foundation, CC BY 3.0 https://creativecommons.org/licenses/by/3.0
Fig. 3 Electronic Frontier Foundation, CC BY 3.0 https://creativecommons.org/licenses/by/3.0
Fig. 4 Electronic Frontier Foundation, CC BY 3.0 https://creativecommons.org/licenses/by/3.0
Fig. 5 Source: https://tormap.void.gr/, Screenshot 2018.
Fig. 6 Source: https://tormap.void.gr/, Screenshot 2018.
Fig. 7 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 8 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 9 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 10 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 11 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 12 Source: https://2019.www.torproject.org/docs/onion-services
Fig. 13 Source: https://www.privacy-handbuch.de/handbuch_22b2.htm


Terms of Use (1)

The content offered here is subject to German copyright law. Third-party content is listed here with the legal basis for its use and the applicable license terms. Reference is made to the bibliography. The right of quotation is claimed to the extent customary for scholarly works. If you notice a copyright infringement, please notify the author named on the title page; we will remove the content in question immediately or supply the missing rights attribution. Product and company names may be subject to third-party trademark rights. References and links were checked at the time they were set; they serve to inform the reader. The author does not adopt the linked content as his own, not even in the form in which it existed when the reference was set, and cannot continuously check it for changes.

All other content not listed here is subject to the copyright of the author, Prof. Dr. Clemens Cap, ©2020. If you find this content useful, you may link to it or cite it. Any further distribution, storage, reproduction or other exploitation beyond the limits of copyright law requires the written consent of the rights holder. This serves to keep the content up to date and is also intended to enable the author to comply with copyright restrictions such as Section 60a UrhG.

The content is provided here for the personal information of the reader. Liability for direct or indirect damages is excluded to the maximum extent permitted by law, except in cases of intent and gross negligence. No guarantee is given for the continued availability of this information offering.

Making a personal backup copy for private, non-commercial and non-public use is permitted, provided it does not originate from a source that was obviously unlawfully produced or made publicly available.

Use of Logos and Trademark Symbols: The logos and trademark symbols used here are the property of their respective owners. The YouTube logo is used according to brand request 2-9753000030769 granted on November 30, 2020. The GitHub logo is property of GitHub Inc. and is used in accordance with the GitHub logo usage conditions https://github.com/logos to link to a GitHub account. The Tweedback logo is property of Tweedback GmbH and is used here in accordance with a cooperation contract.
Terms of Use (2)

Disclaimer: The constantly changing legal situation for digital copyright creates a not inconsiderable risk for me when incorporating materials whose status I cannot clarify, or can clarify only with disproportionate effort. Likewise, I have no sensible or simple way of paying the rights holders a fee, although I, and ultimately you as the reader, make use of their work.
I therefore occasionally include content only as a link and not by framing. According to the ECJ judgment of 13.02.2014, C-466/12, this is unobjectionable, since the links used point to content freely available on the Internet without circumventing technical barriers.
If this legal situation bothers you, then campaign for a modernization of the completely outdated remuneration system for copyrighted work. Until then, please click on the links provided and think about why we have no remuneration systems for digitally provided work that are sensibly adapted to the digital age.
For risks and side effects, ask your lawyer or legislator.
Further information can be found online here and here or here.
Citing This Document

If you use contents from this document or want to cite it, please do so in the following manner:
Clemens H. Cap: Anonymous Communication. Electronic document. https://iuk.one/1033-1013 3. 7. 2021.
Bibtex Information: https://iuk.one/1033-1013.bib
@misc{doc:1033-1013,
author = {Clemens H. Cap},
title = {Anonymous Communication},
year = {2021},
month = {7},
howpublished = {Electronic document},
url = {https://iuk.one/1033-1013}
}

Typographic Information:
Typeset on July 3, 2021
This is pdfTeX, Version 3.14159265-2.6-1.40.21 (TeX Live 2020) kpathsea version 6.3.2
This is pgf in version 3.1.5b
This is preamble-slides.tex myFormat©C.H.Cap

List of Slides

Title Page
Overview

1. What is Anonymity?
What is Privacy?
Many Variants of Anonymity and Privacy
What is Anonymity?
Use Cases for Anonymity
Ethical Aspects of Anonymity
Scenarios of Anonymity Quantification
Modes of Unlinkability
Security Analysis
Typical Solutions

2. Superposed Sending
Cryptographical Anecdote
Decentralized Solution
Preliminary Observation
Decentralized Protocol
Analysis (1)
Analysis (2)
Analysis (3)
Analysis
Using Sparse Graphs
Collision Problem (1)
Collision Problem (2)

3. Mix Networks
Mix Network Scheme
Mix Network Operation
Attacks on Mixes (1)
Attacks on Mixes (2)
Plausible Deniability of Mix Use
Problems with Mixes (1)
Problems with Mixes (2)
JAP and AN.ON

4. Remailers
Overview
4 Types of Classical Remailers
Type 0: Pseudonymous Remailers (1)
Type 0: Pseudonymous Remailers (2)
Type 1: Cypherpunk Remailers
Type 2: Mixmaster Remailers
Type 3: Mixminion Remailers (1)
Type 3: Mixminion Remailers (2)
Other Mail Services

5. Onion Routing
Tor Basics
How Tor Works (1)
How Tor Works (2)
How Tor Works?
Attacks Against Tor
Practical Use of Tor
Map of Tor Relays
Map of Tor Exit Nodes
Can We Trust Tor?
Nym Situation in TOR
What are Hidden Services?
Hidden Services (1)
Hidden Services (2)
Hidden Services (3)
Hidden Services (4)
Hidden Services (5)
Hidden Services (6)
Analysis of Hidden Services
I2P

6. Further Remarks
Dolev Bus
Problems
Broken Services
