Balancing anonymity and resilience in anonymous communication networks

Highlights

• We provide the probabilistic definition of routing resilience.

• We integrate hop-by-hop routing with onion mix-nets to achieve routing resilience.

• We present T-hybrid routing by integrating threshold public key encryption.

• We propose the active defense mechanism to defend the replay attacks.

• We conduct various evaluations on the routing resilience, anonymity, and delay.

Abstract

Anonymous communication networks (ACNs) are intended to protect the metadata privacy during the communication. As typical ACNs, onion mix-nets adopt source routing where the source defines a static path and wraps the message with the public keys of on-path nodes so that the message could be delivered to the destination. However, onion mix-nets lack resilience when the static on-path mixes fail, which could result in message loss, communication failure and even de-anonymization attacks. Therefore, it is desirable to achieve routing resilience in onion mix-nets for persistent routing capability even against node failure. The state-of-the-art solutions mainly adopt mix groups and thus need to share secrets among all the group members, which may cause single point of failure and render massive loss of anonymity.

To address the above problem, in this work we design a hybrid routing approach, which essentially embeds the onion mix-net with hop-by-hop routing to achieve desirable routing resilience. Furthermore, we extend our scheme with a threshold setting, and propose T-hybrid routing to mitigate the anonymity loss when group mixes are compromised. Besides, we propose the active defense mechanism to defend replay attacks in the scenario of mix groups. As for experimental evaluations, we conduct a quantitative analysis of the resilience and anonymity for various schemes, and demonstrate that T-hybrid routing can achieve a good balance between resilience and anonymity. In addition, we manage to realize the full T-hybrid routing prototype and test its performance in the cloud hosting environment. The experimental results show that compared with typical onion mix-nets, our T-hybrid routing mechanism only increases about 20%-25% regarding the end-to-end delay, and thus is still practical while with better resilience.

Introduction

With the revelations of mass electronic surveillance and illicit harvesting of personal data, many Internet users turn to use anonymous and private communication tools. Popular services like WhatsApp and Telegram utilize end-to-end encryption to protect confidentiality of the content, but fail to protect the metadata of the message, which can be exploited to infer the user’s private information. In contrast, anonymous communication networks (ACNs) are intended to protect the metadata, in the context of whistleblowing, anonymous microblogging, or anonymous surveys. So far, a variety of ACNs have been put forward by Kwon, Corrigan-Gibbs, Devadas, Ford, 2017, Kwon, Lazar, Devadas, Ford, 2016; Tyagi et al. (2017); Wolinsky et al. (2012), the first design for modern ACNs. Among them, TOR proposed by Dingledine et al. (2004) is the most popular anonymous communication system used by millions of customers. However, Tor suffers limited security guarantees against traffic analysis attacks (Murdoch, Danezis, 2005, Syverson, Tsudik, Reed, Landwehr, 2001).

To achieve strong anonymity, recently, researchers have gained increasing interests again in Onion Mix-Nets proposed by Chaum (1981). An onion mix-net mainly adopts the source routing, where the source defines a static path and wraps the message multi-times with the public keys of on-path nodes, through which the message could be relayed to the destination. Recent work on onion mix-nets have concentrated on improving performance (Piotrowska et al., 2017), scalability (Tyagi, Gilad, Leung, Zaharia, Zeldovich, 2017, Van Den Hooff, Lazar, Zaharia, Zeldovich, 2015), and the defense capability against active attacks (Leibowitz et al., 2019). However, although onion mix-nets can provide strong anonymity, it lacks routing resilience when the mix fails during the message transmission. Specifically, when some mix fails due to denial-of-service (DoS) attacks or frequent network churn in peer-to-peer (P2P) anonymous networks, the mix would be unable to route the messages it receives. Moreover, simply routing them to other active mixes does not work since the messages are only decryptable to the failed mix. Consequently, the mix node failure would easily result in message loss and communication failures, decreasing the performance of the ACNs. To make matters worse, the failures can be exploited for selective DoS attacks proposed by Borisov et al. (2007), in which the adversary keeps forcing users to re-establish the connection, until the first and last node of the connection are adversarial. Therefore, it is desirable to achieve resilient routing in onion mix-nets for persistent routing capability even in the case of node failure.

To achieve resilience in onion mix-nets, there has been some work put forward in the literature. Typically, existing methods presented in Li et al. (2010); Pfitzmann (1987); Zhuang et al. (2005) mainly utilize mix groups to replace single-node mix, so that the message can be relayed as long as at least one member is reachable in the group. In this circumstance, any active node in the group can act as the backup for the failed node. Consequently, this scheme (here after is referred to as Group-Mixes) can provide considerable resilience. However, the main drawback of the group-mixes scheme is that group members have to share some secrets, and thus a single compromised mix node would render massive loss of anonymity in the system. In Section 2.1, we quantitatively compare the degree of anonymity of group-mixes with that of onion mix-nets, to further illustrate the above case.

In this work, we aim at a better balance between anonymity and resilience for onion mix-nets. Particularly, we turn to hop-by-hop routing, which requires each on-path node to determine the next hop dynamically and thus the source need not to maintain the up-to-date view of the whole network. Therefore, failed nodes can be bypassed to achieve strong routing resilience. Despite this, hop-by-hop routing has not been widely adopted in ACNs, because it suffers some weaknesses, e.g., being vulnerable to route capture attacks (Danezis and Clayton, 2006), and incompatible with onion encryption, which results in weakened anonymity. In this circumstance, integrating hop-by-hop routing to achieve a better balance is not straightforward as it appears, and below we discuss how we overcome the concrete problems.

P1. How to resolve the weaknesses of hop-by-hop routing in our scenario? We present a new routing scheme called hybrid routing, which combines source routing with hop-by-hop routing in ACNs. Hybrid routing adopts the mix group to undertake the relay function of a single mix in mix-nets, and utilizes different routing strategies inside and outside the group. Specifically, outside the groups, it adopts source routing, requiring the message to be onion-encrypted with public keys of specific on-path groups. However, inside the groups, hop-by-hop routing is adopted, enabling each on-path mix to determine the next hop locally. In this way, hybrid routing could defend route capture attacks significantly, and provide quite strong anonymity.

P2. How to mitigate the loss of anonymity when group mixes are compromised? The main issue of typical group-mixes scheme is that simply sharing the key among group members could decrease the anonymity enormously. To solve this problem, we present threshold hybrid routing (hereafter is referred to as T-hybrid routing), which combines hybrid routing with threshold public key encryption (TPKE) (Shoup and Gennaro, 1998). Essentially, for the onion encrypted message, TPKE enables the T-hybrid routing to unwrap a layer of encryption without revealing the whole secret to any mix in the group. A certain number of mixes can conduct the decryption operation together in a non-interactive way, and thus the necessity of revealing the whole secret is avoided. In this way, T-hybrid routing achieves better key management to mitigate the loss of anonymity when mixes are compromised.

In addition, despite that adopting the mix groups increases the resilience effectively, it also introduces the risk of replay attacks, which remains unsolved in the literature. The traditional method of local caching is ineffective as the replayed message may be routed through another path. Therefore, we propose the active defense mechanism to defend this attack. Briefly, the active defense detects the replayed messages by relying on on-path nodes to broadcast the brief of the forwarding message.

Our contributions Overall, our contributions can be concluded as follows:

• We formalize the calculation model of routing resilience and provide the probabilistic definition of routing resilience.

• We design hybrid routing which embeds hop-by-hop routing in onion mix-nets. Hybrid routing achieves routing resilience and resolves the weaknesses of hop-by-hop routing in our scenario.

• We propose T-hybrid routing, which utilizes TPKE to achieve a better balance between anonymity and resilience. T-hybrid routing can obviously mitigate the loss of anonymity when mixes are compromised.

• We propose the active defense against the replay attacks in the scenario of mix groups.

• We conduct various evaluations on the routing resilience, anonymity, and delay of our schemes. Particularly, we conducted quantitative analysis on the resilience and anonymity, and realized the full T-hybrid routing prototype to measure its performance in the cloud hosting environment.

Our experimental results demonstrate that T-hybrid routing can indeed achieve similar level of resilience with group-mixes while offer better anonymity. In addition, T-hybrid routing only increase about 20%-25% of the end-to-end delay of typical onion mix-nets in our cloud environment, showing good performance.

Comparisons with the previous conference version We remark that parts of this work have previously appeared in a short conference version (Xia et al., 2020). The previous version did not consider the loss of anonymity when increasing resilience in ACNs, and only conducted simulation to compare the performance. Compared to previous version, we have revised and enriched the work substantially. First, we not only focus on the increased routing resilience by various schemes, but also consider the tradeoff between resilience and anonymity, especially the accompanying loss of anonymity. Second, we conducted quantitative analysis on the loss of anonymity for various schemes, thus highlight the advantages of T-hybrid routing. Third, we evaluated the end-to-end delay of our scheme in the cloud hosting environment, reflecting the performance in real-life scenarios. Fourth, we presented the active defense against the replay attacks, which has not been taken seriously before. Lastly but not least, we extended the basic hybrid routing scheme, to support multiple key mixes.

The remainder of this paper is as follows. Section 2 introduces group-mixes, and defines the network model, threat model, and desired properties. Section 3 defines the notation. Section 4 introduces the details of our schemes. Section 5 evaluates the resilience, anonymity and performance. Section 6 conducts the security analysis. Section 7 discusses some issues. Section 8 discusses the related work. Finally, Section 9 concludes the paper.