SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks (2013)

Published online in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.793

SPECIAL ISSUE PAPER

On collaborative anonymous communications in lossy networks

David Rebollo-Monedero, Jordi Forné*, Esteve Pallarès, Javier Parra-Arnau, Carolina Tripp, Luis Urquiza and Mónica Aguilar

Department of Telematics Engineering, Universitat Politècnica de Catalunya (UPC), Campus Nord, Módulo C3, C. Jordi Girona 1-3, E-08034 Barcelona, Spain

ABSTRACT

Message encryption does not prevent eavesdroppers from unveiling who is communicating with whom, when, or how frequently, a privacy risk wireless networks are particularly vulnerable to. The Crowds protocol, a well-established anonymous communication system, capitalizes on user collaboration to enforce sender anonymity. This work formulates a mathematical model of a Crowds-like protocol for anonymous communication in a lossy network, establishes quantifiable metrics of anonymity and quality of service (QoS), and theoretically characterizes the trade-off between them. The anonymity metric chosen follows the principle of measuring privacy as an attacker's estimation error. By introducing losses, we extend the applicability of the protocol beyond its original proposal. We quantify the intuition that anonymity comes at the expense of both delay and end-to-end losses. Aside from introducing losses in our model, another main difference with respect to the traditional Crowds is the focus on networks with stringent QoS requirements, for best-effort anonymity, and the consequent elimination of the initial forwarding step. Beyond the mathematical solution, we illustrate a systematic methodology in our analysis of the protocol. This methodology includes a series of formal steps, from the establishment of quantifiable metrics all the way to the theoretical study of the privacy-QoS trade-off. Copyright © 2013 John Wiley & Sons, Ltd.

KEYWORDS

anonymous communications; quality of service; Crowds; lossy, wireless and vehicular networks

*Correspondence

Jordi Forné, Department of Telematics Engineering, Universitat Politècnica de Catalunya (UPC), Campus Nord, Módulo C3, C. Jordi Girona 1-3, E-08034 Barcelona, Spain. E-mail: [email protected]

1. INTRODUCTION

Recent times have witnessed the emergence of a wide variety of wireless and mobile technologies, such as WiFi (IEEE 802.11a/b/g/n), Bluetooth, wireless USB, and 3G and 4G mobile telephony (HSDPA+, LTE), which enable and respond to an increasingly clear trend toward a completely interconnected world, an Internet of things where individuals and objects are seamlessly integrated into a global information network, where physical entities gradually acquire a virtual counterpart, and where vast quantities of data are generated and processed directly by users and automatically by software on their behalf. Widespread forms of online access, such as web browsing, social networking, and virtual shopping, are becoming a common occurrence on mobile devices, which, in addition, allow new forms of online services, such as those based on GPS location. Moreover, free or inexpensive mobile ad hoc and vehicular networks, along with the presence of hot spots on the streets, are making the Internet more accessible than it ever was. These and many other information and communication technologies make it possible to envision smart cities where people share experiences everywhere, and actively contribute to the betterment of their environment. Thanks to this ubiquitous connectivity, citizens may report incidents such as traffic jams, traffic violations and poor traffic signaling, or emergency situations such as car accidents and crimes.

But many of these unquestionably useful technologies come at a price, as the availability of potentially sensitive information about all sorts of individual preferences and behavior across a diversity of services translates into numerous, increasingly prominent privacy risks. Further, in applications such as reporting of traffic violations, users may strongly prefer remaining anonymous in order to avoid personal repercussions. The implementation of mechanisms to protect user privacy, key to a sustainable development of such technologies, cannot disregard any impact on service quality due to any form of traffic or processing overhead, a particularly delicate issue in wireless networks. Of particular importance for user acceptance is the ability to protect the anonymity of the sender in applications involving both two-way communication and reporting, including any of the aforementioned examples.

Message encryption is notably insufficient to mitigate all possible kinds of privacy risks derived from network eavesdropping. Concealing the content of data packets hinders attackers in their efforts to learn the information exchanged, but does not prevent those attackers from unveiling who is communicating with whom, when, or how frequently. Anonymous-communication systems emerged to mitigate the serious privacy risk posed by illicit traffic analysis based on routing, size, timing, and frequency patterns of messages between identified senders and receivers, beyond the mere protection of the confidentiality of message content via encryption.

The fundamental strategies to counter traffic analysis based on message routing, size, and timing commonly resort to a network architecture involving trusted nodes or user collaboration, relying on rerouting, header encryption, message padding and splitting, dummy traffic insertion, and message delay and reordering, with varying degrees of sophistication. A constant in all of these strategies is that any anonymity gain comes at a price in processing and communication overhead, often causing a measurable degradation of the quality of service (QoS) offered by the network. Users and system designers are thus faced with a dilemma in the form of a trade-off between the contrasting aspects of privacy and usability, of inescapable relevance in any practical, modern communication system.

Of great importance in this context are wireless, mobile ad hoc, and vehicular networks. Although their rapid expansion is due to unquestionable advantages in innumerable fields of application, these types of networks are especially vulnerable to the aforementioned traffic analysis risks. Further, these networks are subject to packet losses, mainly owing to signal attenuation and message collision in the wireless medium. Consequently, any traffic overhead incurred by the anonymous-communication mechanisms enumerated is likely to translate into message losses and delays.

An archetypical example of an anonymous-communication system is the Crowds protocol [1], which builds upon the principle of user collaboration with a limited degree of trust. Crowds is particularly helpful to minimize requirements for infrastructure and trusted intermediaries such as pseudonymizers, or to simply provide an additional layer of anonymity. In this protocol, a group of users will collaborate to submit their messages to a specified recipient, from whose standpoint they wish to remain completely anonymous. In simple terms, the protocol works as follows. When sending a message, a user flips a biased coin to decide whether to submit it directly to the recipient, or to send it to another user, who will then repeat the randomized decision. In the end, anonymity comes at the expense of traffic overhead and delay.

It is our contention that if we wish to propose usable privacy solutions, we must contemplate both the gain in anonymity offered and the cost in QoS demanded. A systematic approach consists of first establishing quantifiable measures not only of QoS, but also of anonymity, to then assess, compare, improve, and ultimately optimize anonymous-communication systems, in terms of the inherent trade-off discussed. In certain cases, including but not limited to ad hoc networks, the specific requirements of the network architecture may lead to preferring solutions based on user collaboration in lieu of those involving infrastructure with trusted intermediaries. The object of this work is to apply this systematic approach to the theoretical analysis of a specific yet representative privacy application.

1.1. Contribution and organization

Because of its paramount importance, the trade-off between anonymity and QoS in anonymous-communication systems has been frequently addressed when proposing and assessing solutions, either through theoretical analysis or experimental evaluation [2–6]. However, to the best of our knowledge, this is the first theoretical analysis of the anonymity-QoS trade-off for Crowds in the presence of losses.

More precisely, in this work, we

• formulate a mathematical model of a Crowds-like protocol for anonymous communication in a lossy network,

• establish appropriate metrics of anonymity and QoS, and

• theoretically characterize the trade-off between them.

A further dimension of our contribution lies beyond the mathematical solution to the specific problem formulated, namely, the general, systematic methodology applied to the analysis of the protocol as a privacy-enhancing mechanism, from the establishment of quantifiable metrics all the way to the theoretical study of the trade-off. This paper constitutes an illustration of said methodology.

Two important differences in our contribution with respect to the original Crowds protocol must be stressed.

• First, the possibility of losses, and more generally the focus of our work on the compromise posed by the price of anonymity in the form of violation of stringent QoS requirements.

• Second and concordantly, we do not introduce a mandatory initial forwarding step. One reason is that such an initial step would double the minimum possible message forward count from 1 to 2, imposing a price on average delay and loss probability which, in the context of the intended applicability of our work, we deem more than significant. Another reason is that, although the present study attributes any anonymity attacks to a common, untrusted receiver, the benefit in anonymity of said initial forwarding would not be as pronounced in a more general setting where collaborating users were not fully trusted.

On a more practical note, recall that in single-hop wireless networks, all nodes are within transmission range, and messages are thus sent directly, as opposed to multihop networks, where, to attain the desired coverage and throughput, messages may be relayed a number of times before they reach their intended destination. This preliminary contribution on the subject of collaborative anonymous communications in lossy networks is restricted to the former case, single-hop networks, which already offers a rich interplay of issues that translate into a sufficiently complex mathematical analysis, but should constitute a first step toward the understanding of the more intricate case of multihop networks.

Finally, we also exclude from the necessarily limited scope of this preliminary contribution on the subject the issue of analysis of the entire forwarding path based on message timing or length. Details on privacy and security assumptions and their justification are provided later. These and other restrictions in our study, along with applicability considerations, are the object of discussion of an entire section prior to our theoretical analysis. Far from presenting a complete analysis of a comprehensive anonymous-communication solution to all possible forms of attacks based on traffic analysis, along with detailed configuration guidelines and implementation details, the current work addresses a partial albeit sufficiently rich aspect of Crowds in lossy networks.

From a mathematical perspective, it must be pointed out that, despite the apparent simplicity of the Markov chain modeling the main problem of the paper, the proof corresponding to its full-fledged version with losses but without self-forwarding requires an intricate deconstruction into a series of preliminary lemmas. These lemmas, specifically developed here for the problem at hand, should greatly facilitate its understanding. In particular, the proof of the second theorem resorts to two consecutive, non-trivial transformations into a simpler version; it is the two transformations themselves, not the simpler, reduced version, which draw upon the lemmas.
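As an added illustration, not code from the paper, the following Python script implements the Crowds-like forwarding described in the introduction with the two modifications listed above (lossy transmissions, no mandatory initial forward) and without self-forwarding, and computes the two kinds of figures this work sets out to relate: QoS (delivery probability and expected hop count of delivered messages) and anonymity from the untrusted receiver's standpoint (its posterior that the user it received from is the originator, the resulting MAP error probability and the Shannon entropy of the posterior). The closed forms come from a two-state Markov chain on whether the current holder is the originator; a seeded Monte Carlo run cross-checks them. The names n, p_f and eps, the independence of per-transmission losses and the uniform prior over originators are assumptions of this example rather than notation taken from the paper.

```python
"""Crowds-like forwarding in a lossy single-hop network (added example).

Model assumed here (not the paper's notation):
  n    collaborating users; the untrusted receiver is the only attacker,
       sees which user delivered a message and wants the originator.
  p_f  probability that the current holder forwards the message to one of
       the other n-1 users (uniformly, never to itself) instead of
       delivering it; there is no mandatory initial forward.
  eps  probability that any single transmission (peer-to-peer forward or
       final delivery) is lost, independently; lost messages are not resent.
"""
import math
import random


def crowds_lossy_metrics(n, p_f, eps):
    """Exact QoS and anonymity figures for the model above."""
    if n < 2 or not (0.0 <= p_f < 1.0) or not (0.0 <= eps < 1.0):
        raise ValueError("need n >= 2, 0 <= p_f < 1 and 0 <= eps < 1")
    # r = probability that a holder both decides to forward and the forward
    # arrives.  A message is delivered after m successful forwards (m >= 0)
    # plus a successful final hop, with probability (1-p_f)(1-eps) r^m.
    r = p_f * (1.0 - eps)
    delivery_prob = (1.0 - p_f) * (1.0 - eps) / (1.0 - r)
    expected_hops_delivered = 1.0 / (1.0 - r)   # sum_m (m+1)(1-r) r^m
    # Two-state Markov chain on the holder: S = "holder is the originator",
    # O = "holder is someone else".  S -> O always; O -> S w.p. 1/(n-1).
    # a_m = P(holder after m forwards is the originator)
    #     = 1/n + ((n-1)/n) * (-1/(n-1))^m.
    # Weighting a_m by the delivery probabilities and normalising gives the
    # receiver's posterior that its immediate predecessor is the originator.
    q0 = 1.0 / n + ((n - 1.0) ** 2 / n) * (1.0 - r) / (n - 1.0 + r)
    q_other = (1.0 - q0) / (n - 1.0)          # posterior of each other user
    posterior = [q0] + [q_other] * (n - 1)
    map_error = 1.0 - max(posterior)           # error of the MAP guess
    entropy_bits = -sum(q * math.log2(q) for q in posterior if q > 0.0)
    return {
        "delivery_prob": delivery_prob,
        "expected_hops_delivered": expected_hops_delivered,
        "posterior_last_is_originator": q0,
        "map_error": map_error,
        "entropy_bits": entropy_bits,
    }


def simulate(n, p_f, eps, trials, seed=1):
    """Monte Carlo estimate of the same quantities, for cross-checking."""
    rng = random.Random(seed)
    delivered = hops_total = last_is_origin = 0
    for _ in range(trials):
        origin = holder = rng.randrange(n)
        hops, lost = 1, False
        while rng.random() < p_f:              # holder decides to forward
            if rng.random() < eps:             # the forward itself is lost
                lost = True
                break
            nxt = rng.randrange(n - 1)         # uniform over the other users
            holder = nxt if nxt < holder else nxt + 1
            hops += 1
        if lost or rng.random() < eps:         # final hop to the receiver lost
            continue
        delivered += 1
        hops_total += hops
        last_is_origin += holder == origin
    if delivered == 0:
        return None
    return {
        "delivery_prob": delivered / trials,
        "expected_hops_delivered": hops_total / delivered,
        "posterior_last_is_originator": last_is_origin / delivered,
    }


if __name__ == "__main__":
    # Sweep the forwarding probability to expose the anonymity/QoS trade-off.
    print(" p_f  deliv  hops  P(pred=orig)  MAP err  H(bits)")
    for p_f in (0.0, 0.25, 0.5, 0.75, 0.9):
        m = crowds_lossy_metrics(n=10, p_f=p_f, eps=0.1)
        print(f"{p_f:4.2f}  {m['delivery_prob']:.3f}  {m['expected_hops_delivered']:.2f}"
              f"  {m['posterior_last_is_originator']:.3f}        {m['map_error']:.3f}"
              f"    {m['entropy_bits']:.2f}")
    print("simulation (n=10, p_f=0.5, eps=0.1):", simulate(10, 0.5, 0.1, 200_000))
```

Raising p_f drives the posterior toward the uniform 1/n (the chain mixes), so MAP error and entropy grow, while delivery probability falls and the expected number of transmissions per delivered message, 1/(1 - p_f(1 - eps)), grows; with p_f = 0 every message is sent directly and the receiver identifies the sender with certainty. The end-to-end loss probability is what the lossy setting adds: it multiplies both the QoS cost and, through r, the effective forwarding rate that the anonymity figures depend on.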

The rest of the paper is organized as follows. After a quick note on the main causes of packet losses in wireless networks, Section 2 succinctly places the Crowds protocol in the context of the state of the art on anonymous-communication systems and related anonymity metrics. Section 3 discusses privacy, security and QoS requirements, applicability and implementation considerations. Section 4 describes our main assumptions, formalizes the problem investigated in this paper, and presents and discusses our theoretical analysis. The theorems laying the foundation of our disquisition are proven in Section 5. Our main results are validated and illustrated by means of a numerical example in Section 6, and briefly summarized in the conclusions of Section 7.

2. BACKGROUND

Before delving into the state of the art on anonymous-communication systems and related anonymity metrics, we briefly enumerate the causes of packet losses in wireless networks.

2.1. Packet losses in wireless networks

Roughly speaking, the causes of packet losses in a wireless network are as follows:

• Saturated link. Whenever the available bandwidth to a node in a link becomes (nearly) nonexistent, that node never gains access to the radio medium, or already emits frames at a rate that saturates the medium.

• Collision. If the medium is busy on the receiver's side, frames systematically experience collisions and communication cannot succeed. The likelihood of collision increases with packet size and frequency of attempts to access the medium.

• Fading and attenuation. Buildings and a variety of structures, especially in urban scenarios, may attenuate or even impede signal propagation, due not only to shadowing from objects blocking the line of sight, but also to multipath destructive interference.

• Link breakage. Particularly in vehicular ad hoc networks, the moving speed of the nodes can be high, thereby quickly altering the topology and the effective lifetime of links.

2.2. State of the art on anonymous-communication systems

The concept and purpose of anonymous-communication systems have already been introduced in Section 1. Next, we offer a glimpse into the extensive literature on the subject, while placing the Crowds protocol, also defined in that section, in the context of this type of systems. Before we proceed, however, we must stress that the focus of our overview captures only a fraction of a wide spectrum of existing forms of user privacy risks and mechanisms in communication systems [7], beyond those directly related to traffic analysis. A simple yet notable way of enforcing message anonymity employs a trusted third party acting as a pseudonymizer between user and information service provider, effectively hiding the identity of the user. An appealing twist that does not require that the trusted third party be online is that of digital credentials [8,9]. Needless to say, many existing alternative privacy-enhancing technologies, far from being mutually exclusive, may in fact be combined synergistically.

Timing analysis [10–12], essentially traffic analysis that infers the correspondence between incoming and outgoing messages for a given node based on the arrival and departure times, has already been motivated in the introduction. The first anonymous-communication system attempting to also counter timing analysis was the Chaum mix [13], essentially a trusted node that delays and reorders messages with the purpose of providing unlinkability, as defined by [14], between incoming and outgoing messages.

A wide range of sophisticated variations on the original mix shortly ensued [15], with the same purpose. One of the most relevant varieties is a family of mixes known as threshold pool mixes. The leading idea is for the mix to collect a number of incoming messages, store them in the internal memory of the mix, and output some of them when the number of messages kept in its memory reaches a certain threshold. To reduce the correlation between outgoing and incoming messages, the mix modifies the flow of messages by resorting to two strategies, namely delay and reordering.

Naturally, chains of mixes can be implemented to distribute trust, as Chaum already suggested in his original work [13] but, certainly, delaying messages may seriously affect the usability of these systems. Nevertheless, higher delays provide users with a higher degree of message unlinkability. In short, mix systems pose an inherent trade-off between anonymity and delay, in addition to the overheads derived from any encryption or padding.

Alternative low-latency anonymous-communication systems appeared later to provide routing anonymity on the Internet to a certain extent, without the price of message delay. Onion routing, and subsequent improvements termed the second-generation version of onion routing (Tor) [16], consist in networks of trusted routing nodes which, unlike mixes, do not insert artificial delays. In a nutshell, a user wishing to send a message chooses a chain of onion routers, and encrypts the message in a multilayered manner, hence the onion metaphor. This multilayered encryption is such that each router, after decrypting (peeling off a layer of encryption), retrieves the address in plaintext of the node immediately subsequent in the path, along with an encrypted portion meant for said next node, all the way to the final recipient. We would like to stress that, as these systems boil down to anonymously relaying messages without introducing delays, they are susceptible to traffic analysis based on timing comparisons.

Yet another type of anonymous-communication system builds upon the principle of user collaboration with a limited degree of trust. We already mentioned in the introductory section the Crowds protocol [1], according to which a group of users will collaborate to submit their messages to a specified recipient. As we explained, when sending a message, a user flips a biased coin to decide whether to submit it directly to the recipient, or to send it to another user, who will then repeat the same randomized decision. In fact, Crowds provides anonymity from the perspective of not only the final recipient, but also the intermediate nodes. Therefore, trust assumptions are essentially limited to fulfillment of the protocol. The original proposal suggests adding an initial forwarding step, which substantially increases the uncertainty of the first sender from the point of view of the final receiver, at the cost of an additional hop. In addition, we remarked that, in Crowds as in most anonymous-communication systems, anonymity comes at the expense of traffic overhead and delay. Just as the rest of the low-latency systems described, Crowds only addresses part of the risks derived from traffic analysis, excluding attacks based on timing.

Anonymous-communication systems in general are vulnerable to a number of attacks based on traffic analysis. When striving to reveal the recipient of a communication for a given sender, attackers may perpetrate what is known as the disclosure attack [17], based on the intersection of successive sets of possible candidate receivers for a given sender throughout extended periods. A refinement of this attack, the statistical disclosure attack [18], considers not only possibilities, but also probabilities.

Apart from these attacks, considerable research effort has been devoted to investigating more specific weaknesses of the Crowds protocol itself. Possibly the best-known attack is the predecessor attack, which was suggested in the original paper [1]. Such an attack contemplates that the most likely initiator of a communication is the immediate node preceding the first attacker. A generalized version of said attack assumes that an originator node will communicate with a certain destination more than once. In this more general attack, malicious collaborators can track communication flows over a number of rounds; at every round, the communication path between the originator and destination nodes is reconfigured.
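To make the predecessor attack concrete, here is an added Python example (not code from [1] or from this paper) that simulates rounds of the original Crowds protocol, with its mandatory initial forward and with self-forwarding allowed, in a crowd of n members of which c collude. On each round the colluders record the member that handed the message to the first corrupt node on the path, and after enough rounds they guess the most frequently recorded predecessor. The closed-form probability that the originator is that predecessor on a single observed round, 1 - p_f (n - c - 1)/n, is Reiter and Rubin's result and is reproduced here as a check on the simulation; the names n, c and p_f, the choice of member 0 as the originator and the last c members as the colluders are this example's assumptions.

```python
"""Predecessor attack on the original Crowds protocol (added example).

Assumptions of this example: n members, the last c of them collude, the
originator is member 0, every forward picks the next member uniformly from
all n (so the path may revisit the originator), and each holder forwards
again with probability p_f.  The receiver is not the attacker here; the
colluding members are."""
import random
from collections import Counter


def predecessor_probability(n, c, p_f):
    """P(the node preceding the first corrupt node on a path is the originator
    | at least one corrupt node is on the path).  The originator is that
    predecessor either on the very first hop, or when an honest holder that
    happens to be the originator itself forwards into a corrupt node."""
    return 1.0 - p_f * (n - c - 1) / n


def probable_innocence(n, c, p_f):
    """Reiter and Rubin's criterion: the originator looks no more likely than
    not to be the sender, i.e. the probability above is at most 1/2."""
    return predecessor_probability(n, c, p_f) <= 0.5


def build_path(rng, n, p_f, originator):
    """One round: mandatory initial forward, then biased coin flips."""
    path = [originator, rng.randrange(n)]
    while rng.random() < p_f:
        path.append(rng.randrange(n))
    return path


def first_corrupt_predecessor(path, corrupt):
    """What the colluders learn from one path: the member that handed the
    message to the first corrupt node, or None if no corrupt node saw it."""
    for i in range(1, len(path)):
        if path[i] in corrupt:
            return path[i - 1]
    return None


def predecessor_attack(n, c, p_f, rounds, seed=7):
    """Run `rounds` reconfigured paths and return the attackers' best guess."""
    rng = random.Random(seed)
    corrupt = set(range(n - c, n))
    originator = 0
    seen = Counter()
    for _ in range(rounds):
        pred = first_corrupt_predecessor(build_path(rng, n, p_f, originator), corrupt)
        if pred is not None:
            seen[pred] += 1
    observed = sum(seen.values())
    return {
        "guess": seen.most_common(1)[0][0] if seen else None,
        "observed_rounds": observed,
        "originator_share": seen[originator] / observed if observed else None,
    }


if __name__ == "__main__":
    n, c, p_f = 20, 3, 0.75
    print("exact P(predecessor = originator) =", predecessor_probability(n, c, p_f),
          "probable innocence:", probable_innocence(n, c, p_f))
    print(predecessor_attack(n, c, p_f, rounds=2000))
```

With n = 20, c = 3 and p_f = 0.75 the originator precedes the first corrupt node on about 40% of the observed rounds, whereas any other honest member does so on about 3.75% of them; a single round therefore leaves the originator "probably innocent", but the counts separate quickly once paths are rebuilt round after round, which is exactly why the generalized attack tracks a persistent sender-destination pair.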

A closely related work is [19]. Here, it is assumed that the attackers are able to track a given session, that is, a communication between a sender and a receiver. The cited work conducts an analysis of complexity in terms of the number of rounds, size of the crowd, and number of malicious collaborators, with the aim of ascertaining the originator with high probability. However, in the special case when several originators establish a communication with a single destination, the authors find that the attackers cannot link specific data streams to each originator, unless there exists information in at least one packet per round that distinguishes the sessions from each other.

Another study regarding this same attack [20] determines how many rounds the attackers need to calculate, with arbitrary precision, the frequency with which a certain user communicates with the receiver. For that purpose, the authors use a Poisson distribution that enables them to model the flow of messages to a destination. To counter this attack, they propose that honest users passively monitor the network to estimate both the sending rate and the peers of other users, and adapt their behavior so as not to be detected by an attacker.

Also in relation to the subject of attacks against Crowds, [21] defines participant payload as the amount of messages sent or forwarded by a given node. On the basis of this concept, the cited work presents a study of the participant payload in Crowds as a function of the length of the forwarding paths. The study concludes that the expected participant payload is, on the one hand, equal to the expected length of forwarding paths, and on the other, independent of the size of the crowd. Furthermore, the authors perform tests to obtain the relationship between the number of rounds needed for the predecessor attack to succeed, and the maximum length of forwarding paths. The authors did not find a remarkable dependence.

With regard to recent implementations of Crowds for providing sender anonymity, an example over Bluetooth with Java technology is described in [22]. The system developed is one-way only, on account of the fact that the mobility of nodes cannot guarantee a valid two-way path. In [23], Crowds is implemented over a wireless network, using the NTRUEncrypt public-key cryptosystem. More specifically, the authors propose a scheme with lower latency and CPU consumption, more suited to wireless networks, which only performs one decryption operation per path.

VIPER [24] is a modification of Crowds for vehicle-to-infrastructure communications, in which vehicles forward messages directed to a common infrastructure access point. Messages are sent in batches in predetermined time slots to counter timing attacks. The efficiency of VIPER is measured in terms of buffer occupancy and delivery time.

Lastly, we would like to remark that hybrid privacy protocols leverage not only user collaboration, but also query forgery, such as the private location-based information retrieval protocol via user collaboration in [25].

2.3. Related anonymity metrics

We argued in the introductory section that quantifiable measures of privacy and usability are undoubtedly essential to the assessment, comparison, improvement, and optimization of any privacy-enhancing technologies. In the special case of anonymous-communication systems, the knowledge of the privacy attacker may be modeled by a probability distribution on the possible senders of a given message.

Certainly, one could measure the degree of anonymity attained by the mere cardinality of the set of candidate senders, that is, the size of the anonymity set [26]. The logarithm of such cardinality is in fact called Hartley's entropy. Loosely speaking, Hartley's entropy is a possibilistic metric, in the sense that it disregards the likelihood associated with each candidate.

Recall that Shannon's entropy is a measure of the uncertainty of a random event, associated with a probability distribution across the set of possible outcomes. Informally, Shannon's entropy is a good approximation to the minimum of the average number of binary questions regarding the nature of possible outcomes of an event, to determine which one in fact has come to pass, intelligently exploiting their known probabilities [27]. Its particular significance and wide application in the fields of information theory, statistics, and engineering are unquestionable. Inspired by the interpretation of Shannon's entropy as the effective uncertainty within a set endowed with a probability distribution, [28,29] proposed it as a measure of anonymity.

Recall also that maximum a posteriori (MAP) estimation is that in which the estimate is the most likely outcome, thereby minimizing the probability of estimation error in a finite set of candidates. In [30], a number of privacy metrics is studied under a unifying conceptual perspective, namely that of an attacker's estimation error in ascertaining the outcome of a random event, or effort in removing any residual uncertainty. The cited work includes, in addition to the two aforementioned entropies, min-entropy as a measure equivalent to the probability of error in MAP estimation.

Because both Shannon's entropy and min-entropy, unlike Hartley's, take into consideration the probability distribution, thereby exploiting its potential skewness, they constitute probabilistic metrics. All three belong to the family of Rényi entropies, interpreted under the perspective of privacy measures in [30]. Additional surveys on information-theoretic quantities as privacy measures and novel proposals include [31]. Incidentally, [30] illustrates some of the entropies discussed with a vastly simplified example of Crowds, albeit considering neither losses nor QoS metrics.
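The following Python snippet, added here and not taken from the paper or from [30], computes the three anonymity metrics just discussed as members of the Rényi family, H_alpha(p) = log2(sum_i p_i^alpha) / (1 - alpha), with the limits alpha -> 0 (Hartley, the log2 of the anonymity set size), alpha -> 1 (Shannon) and alpha -> infinity (min-entropy, -log2 max_i p_i, whose 2^-H is exactly the MAP attacker's success probability). It compares a uniform posterior with a skewed one over the same eight candidate senders to show that the possibilistic Hartley metric cannot tell the two apart while the probabilistic ones can. The two posteriors are constructed sample data.

```python
"""Renyi entropies as anonymity metrics over an attacker's posterior.
Added example; the posteriors below are constructed, not from the paper."""
import math


def renyi_entropy_bits(p, alpha):
    """H_alpha(p) in bits.  alpha=0 -> Hartley, alpha=1 -> Shannon,
    alpha=math.inf -> min-entropy; any other alpha >= 0 uses the generic form."""
    p = [x for x in p if x > 0.0]          # zero-probability senders do not count
    if abs(sum(p) - 1.0) > 1e-9 or alpha < 0:
        raise ValueError("p must be a probability distribution and alpha >= 0")
    if alpha == 0:
        return math.log2(len(p))           # size of the anonymity set, in bits
    if alpha == 1:
        return -sum(x * math.log2(x) for x in p)
    if alpha == math.inf:
        return -math.log2(max(p))
    return math.log2(sum(x ** alpha for x in p)) / (1.0 - alpha)


def anonymity_report(posterior):
    """The metrics named in the text, plus the MAP error they relate to."""
    return {
        "anonymity_set_size": sum(1 for x in posterior if x > 0.0),
        "hartley_bits": renyi_entropy_bits(posterior, 0),
        "shannon_bits": renyi_entropy_bits(posterior, 1),
        "collision_bits": renyi_entropy_bits(posterior, 2),
        "min_entropy_bits": renyi_entropy_bits(posterior, math.inf),
        # min-entropy and the MAP attacker are two views of the same number:
        # P(MAP guess is right) = max p = 2^(-H_inf).
        "map_error": 1.0 - 2.0 ** -renyi_entropy_bits(posterior, math.inf),
    }


# Constructed posteriors over the same eight candidate senders.
UNIFORM = [1.0 / 8] * 8
SKEWED = [0.65] + [0.05] * 7     # one sender stands out, seven are unlikely

if __name__ == "__main__":
    for name, post in (("uniform", UNIFORM), ("skewed", SKEWED)):
        rep = anonymity_report(post)
        print(name, {k: round(v, 3) for k, v in rep.items()})
```

Both posteriors report an anonymity set of eight and 3 bits of Hartley entropy, yet the skewed one leaves the MAP attacker right 65% of the time; Rényi entropy is non-increasing in alpha, so Hartley is always the most optimistic figure and min-entropy the most conservative, which is why the estimation-error view of [30] singles out the latter.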

The trade-off between anonymity and QoS has been frequently addressed in the literature. In [2], the authors illustrate the trade-off between anonymity and QoS for solutions implementing location privacy in wireless networks, and propose a new technique named silent cascade to enhance a user's location privacy without QoS degradation. Anonymity is measured as the Shannon and Hartley entropies of a mix network, whereas QoS is measured as the share of time a user spends on location privacy protection and as the delay introduced by the mix network.

The Scalar Anonymity System is proposed in [3] to provide a trade-off between anonymity and cost for different users with different requirements. In the Scalar Anonymity System, by selecting the level of anonymity, a user obtains the corresponding anonymity and QoS and also sustains the corresponding load of traffic rerouting for other users. Anonymity is studied in terms of the predecessor attack, whereas QoS is measured by the length of the rerouting path.

The QoS of Tor is systematically analyzed in [4]. The TCP throughput is used as the QoS metric and extensive experiments on the real-world Tor network are presented.

The impact of using established standard anonymity mechanisms on selected QoS parameters for web services in real networks is evaluated in [5]. QoS is measured as the response time, consisting of the network latency for the message transport and the service’s execution time on the provider side. The authors set up a measurement infrastructure and evaluate the response time of different anonymity systems, including Tor, I2P, and JonDo (free and commercial).

Finally, [6] addresses the need for applications such as VoIP to provide anonymity to clients while maintaining low latency to satisfy QoS requirements. They describe different triangulation-based timing attacks and show that even when a small fraction of the network is malicious, the adversary can infer the source (caller) with reasonably high probability. The QoS property of an on-demand route setup protocol can be characterized by route latency and route setup latency.

3. PRIVACY, SECURITY AND QOS REQUIREMENTS, APPLICABILITY AND IMPLEMENTATION

We would like to preface the mathematical analysis of the next section with more practical considerations, specifically, with a discussion of anonymity, security and QoS requirements, assumptions, limitations, implementation and configuration choices concerning our study, with the purpose of delimiting the most immediate real-world applicability of our work.

3.1. Requirements and applicability

The introductory section already motivated the interest of this proposal, pertaining to the subject of anonymous-communication systems through user collaboration, which encompasses all information systems built on computer networks in which the disclosure of the identity of the sender of a message, by means of traffic analysis, represents a privacy risk. This includes both anonymous querying of an untrusted information provider and the delivery of the corresponding reply, and mere reporting or one-way communication. Examples may be found in the contexts of web browsing, location-based and general recommendation systems, online social networks, online shopping, reporting of traffic conditions or violations, posting of reviews or opinions, and detailed power consumption in a household for smart grid optimization, to name a few application scenarios of key relevance in a future, completely interconnected world. Conceivably, messages may be sent either by people, or automatically by devices on their behalf, although the term user may informally be employed throughout the text for senders, receivers and intermediate, collaborating entities.

Our overview of the literature on anonymous-communication systems in Section 2.2 described a number of privacy attacks. Far from presenting a comprehensive, definitive solution to all forms of privacy and security risks that may arise in any given type of network with packet losses, the current study focuses solely on anonymity attacks perpetrated by the final, intended recipient of the message. These attacks are of the utmost relevance in behavioral profiling inferred from statistically matching the contents of said queries or reports with user identities, or from the observation of who (or more generally, which entity) is communicating with whom, when, or how frequently. Table I gathers up in a conceptual manner the fundamental elements of the adversarial model assumed in this work, details of which are provided mainly in the current subsection and in Section 4.1. We may add, to the probabilistic forwarding strategy in the Crowds protocol, message encryption to reinforce the confidentiality of messages in either direction, against collaborating users and external observers. Beyond those preliminary security measures, in the necessarily limited scope of this contribution on the subject, we shall assume that the collaborating nodes in the network properly follow the forwarding protocol, thus disregarding denial-of-service attacks, and they will not be viewed as attackers against the anonymity of the messages, be it individually or in collusion with other forwarders or with their final recipient.

We stressed in Section 1.1 that one of the main differences in this work with respect to the classical formulation of the Crowds protocol is the incorporation of message losses into the theoretical model. This enables us to extend the applicability of Crowds, as an anonymous-communication protocol which capitalizes on user collaboration to reduce infrastructure requirements, more realistically to wireless, mobile ad hoc, and vehicular networks.

Another notable difference already pointed out is the elimination of the initial, mandatory forwarding step in the original proposal of Crowds. The purpose of this initial step is to substantially increase the anonymity of messages from the perspective of their final, intended receiver. We justified its suppression in terms of a focus shift toward QoS-sensitive applications, say voice-based or emergency-related, as the minimum message forward count is halved, which translates into a significant reduction in end-to-end delay, message losses, and traffic overhead. Despite our focus on the receiver as the potential anonymity attacker, we also noted that the benefit in anonymity of said initial forwarding would not be as pronounced in a more general setting where collaborating users were not fully trusted.

It was also anticipated in the introductory section that our theoretical model is restricted to single-hop networks, mainly because these networks already offer a rich interplay of issues that translate into a sufficiently complex theoretical analysis. Due to the significance of multihop networks, we should hasten to stress that our mathematical analysis of the modified Crowds protocol with message losses, with emphasis on the anonymity-QoS trade-off, may very well lay part of the fundamental principles to approach the theoretical study of the more intricate case of multihop networks in future research.

In wireless networks, particularly prone to eavesdropping, and especially in the single-hop case, the final receiver of a message may attempt to unveil the identity of its original sender, and infer the entire forwarding path, by examining the timing and length of packets through intermediate nodes, provided that they are within reception range. In our review of the literature on anonymous-communication systems, we saw that mixes resort to the introduction of artificial delays and padding to counter this form of traffic analysis, strategies that could very well be implemented by trusted collaborating nodes. Alternatively, one may consider application scenarios where collaborating users have direct visibility with each other, say within a Bluetooth network or within a single vehicular network cell, but a common information provider remains accessible only through a separate network, say a GSM or a UMTS cellular network, or through an access point wired to the Internet. In any case, as we already stated, our preliminary theoretical model will exclude the form of traffic analysis described.

Table I. Main conceptual highlights of the adversarial model assumed in this work. Additional details appear in Sections 3.1 and 4.1.

Adversarial Model Highlights

Who is the privacy attacker? The scope of this work is limited to anonymity attacks perpetrated by a common receiver that a group of collaborating users communicate with. Notable examples of such receivers are untrusted information providers and recipients of anonymous reports.

What is the attacker’s goal? The immediate goal is to determine the identity of the sender of a message. Ultimate purposes include profiling of user interests and behavior inferred from statistically matching the contents of queries with sender identities, and violation of anonymity in sensitive reporting.

What are the attacker’s capabilities? The receiver is assumed to know the specifics of the anonymous-communication, Crowds-like protocol employed by the users. Additionally, the receiver observes the identity of the last sender of a message in an incoming forwarding path. From all this information, the receiver may estimate the most likely identity of the sender of a message, although with limited certainty.

3.2. Metrics, implementation, and configuration choices

Clearly, the choice of specific, quantifiable metrics of anonymity and QoS, necessary to systematically assess, compare, and optimize usable privacy mechanisms, should reflect the particular requirements of the underlying information systems and the privacy preferences and concerns of users and system designers.

The establishment of QoS metrics such as average delay, jitter, probability of message loss, and number of hops is a necessary step to compare and improve routing protocols [32,33]. Average delay is a widely used measure of QoS, which reflects the intent of privacy and general system designers to tune performance according to the principle of average-case optimization, and enjoys the advantages of simplicity and mathematical tractability. Averages may be replaced by medians, a more complex quantity, for increased robustness against statistical outliers. In time-sensitive applications where significantly delayed packets may have to be discarded or their value is severely diminished, such as those involving voice or reporting of emergencies, examples of suitable QoS metrics comprise high delay percentiles (interpretable as robust maxima), and the probability that a delay exceeds a given threshold, to be established in accordance with the application at hand. These more pessimistic metrics adhere to the principle of worst-case minimization, which may indeed yield less extreme delays, but cannot possibly improve over the average values resulting from average-case optimization. The probability of end-to-end loss of a message is also a traditional measure of QoS, commonly accompanying average delay to offer a more informative picture. A simple measure combining the effects of message delays and losses is the aforementioned probability that a given time threshold is exceeded.

In our mathematical analysis, we shall measure QoS jointly as end-to-end loss probability and as the average number of times a message is forwarded because of the modified Crowds protocol, and argue that the latter is an indirect measure of average delay in time units. Note that delay is also an indicator of traffic overhead and congestion, as in Crowds forwarded messages translate into repeated packets. Later, to represent the anonymity-QoS trade-off more simply, as a single two-dimensional curve, we shall resort to the combined QoS metric described.

Similar considerations of dependence on specific user preferences and system requirements affect the choice of privacy metrics. Our review of the state of the art, more precisely the subsection on related anonymity metrics, Section 2.3, succinctly described the examination in [30] of a variety of information-theoretic privacy measures under a unifying perspective, which considers privacy as an attacker’s estimation error in ascertaining the outcome of a random event. In the current paper, we are concerned with the statistical estimation of the identity of the original sender of a message, carried out by the final receiver, from the observed identity of the last forwarding node. In the theoretical analysis in the next section, the anonymity measure chosen will be the probability of error in the attacker’s assumption that the most likely sender is the correct one. As explained in the state of the art section of this paper, this choice is in keeping with the MAP estimation strategy, which [30] discusses in the context of privacy and shows to be equivalent to measuring anonymity as the min-entropy of the probability distribution across possible senders. The cited work investigates alternative privacy measures, including

- Hartley’s entropy as a possibilistic metric that simply counts the number of candidate identities, irrespective of their probability,

- Shannon’s entropy, as a measure of uncertainty in the set of possible identities that is interpreted as an average quantity involving all probabilities, not just the highest, and

- the parametric family of Rényi entropies that includes the three aforementioned as special cases.

Additional measures of anonymity and considerations regarding their applicability can be found in [31].

The anonymity metric chosen here, based on the most likely identity and equivalent to min-entropy, one among the numerous alternative measures in the literature, reflects a specific concern of the user or designer of the privacy system and its parametrization. Namely, this anonymity metric reflects the most exposed or vulnerable candidate sender, and in this regard may be viewed as a worst-case measure. Obviously, both our choices for QoS and anonymity metrics are partly due to their mathematical tractability, and in future research, alternatives might be considered.

We shall quantitatively characterize the optimal anonymity-QoS curve, which represents maximum anonymity for a given QoS, and vice versa, parametrized in terms of the sending probability. In practice, users or system designers may select a desired QoS goal, dependent on the application at hand, and refer to the optimal trade-off curve to find out the best possible level of anonymity attainable, and the corresponding sending probability. Users of privacy-sensitive applications may feel alternatively inclined to fix an anonymity level first. Additionally, we shall define two points of operation within the curve, called absolute and relative equilibria, which consist in points where a small increment in QoS corresponds to an equivalent increment in anonymity, and where small relative increments or percentages match, respectively. Said equilibria may come in handy as quantitative reference values to further assist users and system designers in their decisions.

Finally, the implementation of our modified Crowds protocol would entail the decision and communication of its main working parameter, namely the probability of direct sending to the intended recipient. Regarding its decision, the metrics proposed would inform users and system designers of the impact in terms of QoS and anonymity. As far as communication is concerned, the sending probability could simply be agreed upon as the group of collaborating nodes is formed, or accompany the recipient’s header if chosen by the sender on a per-message basis.

4. FORMAL PROBLEM STATEMENT AND MAIN RESULTS

In this section, we formulate our modification of the Crowds protocol in a lossy network, and present the main theoretical result characterizing the trade-off between quantifiable measures of anonymity and QoS.

Throughout the paper, we shall follow the convention of uppercase letters for random variables (r.v.’s), and lowercase letters for particular values they take on. For compactness, for any probability expression $p$, we write $1 - p$ as $\bar{p}$.

4.1. Formal problem statement

Consider $n \geq 2$ collaborating users wishing to communicate with a common, untrusted receiver. To attain a certain degree of anonymity, each user flips a biased coin and depending on the outcome chooses to send the message directly to the receiver Rx or else to another user, who is asked to perform the same exact probabilistic forwarding. More precisely, we suppose that for each forwarding operation, with (link) loss probability $q < 1$, the message in question is lost. If no loss occurs, with sending probability $p > 0$, the message is sent directly to the receiver. Otherwise, it is forwarded to any of the other users with equal probability $1/(n-1)$, where the entire probabilistic process will be repeated. This process is depicted by a Markov chain in Figure 1, with two absorbing states modeling the receipt and the loss of a message.

We avoided cluttering the figure with arrows such as those coming out from the rest of the users, entirely analogous to the first’s.

Define the (extended) delay $\delta$ as an r.v. in $\{1, 2, \ldots\} \cup \{\infty\}$, equal to the number of times the message is sent from its origin to the final recipient when it is not lost, and infinity otherwise. Natural measures of QoS are the average delay $\delta_{\mathrm{avg}} = \mathrm{E}[\delta \mid \delta < \infty]$, and the end-to-end loss probability $q_{\mathrm{end}} = \mathrm{P}\{\delta = \infty\}$. Note that both $\delta$ and $\delta_{\mathrm{avg}}$ are delays in terms of message hops rather than direct time units, that is, hops due to the forwarding protocol described to improve anonymity, even in networks where direct communication would otherwise require a single hop.

Figure 1. Markov model of a Crowd-like forwarding mechanism for anonymous communication in a lossy network.

Let $F$ be an r.v. representing the first, original sender of a message, and $L$, the last sender in the forwarding path to the receiver. When a loss occurs, simply define $L = \infty$. The untrusted receiver, who is assumed to know the forwarding protocol, the loss model, and their precise parameters, strives to estimate the original sender $F$ from observing the last $L$, as the most likely. Let $\hat{F}$ be such MAP estimate. A reasonable measure of anonymity is the probability that the estimate, defined for received messages, is erroneous,

$$a = \mathrm{P}\{\hat{F} \neq F \mid \delta < \infty\}.$$

This probability of error may be equivalently written as an average error across all messages received,

$$a = \mathrm{E}_{L \mid \delta < \infty}\, \mathrm{P}\{\hat{F} \neq F \mid L, \delta < \infty\} = \sum_{i=1}^{n} \mathrm{P}\{L = i \mid \delta < \infty\}\, \mathrm{P}\{\hat{F} \neq F \mid L = i, \delta < \infty\}.$$

We shall assume that the receiver assigns equal probability $\mathrm{P}\{F = i\} = 1/n$ to each possible first sender $F$ of a message $i = 1, \ldots, n$, prior to the observation of the last $L$, although this assumption may be easily relaxed, as we remark later.

We argued in Sections 1.1 and 3.1 that our modification of the Crowds protocol focused on stringent QoS requirements and that we concordantly eliminated the first forwarding step in the traditional proposal. In terms of the model introduced, the independent, uniform choice of forwarding node in this initial step would render $F$ and $L$ statistically independent (conditionally on successful reception $\delta < \infty$). This means that if the first forwarding step were enforced, we would equate priors and posteriors, having

$$\mathrm{P}\{F = i \mid L = j, \delta < \infty\} = \mathrm{P}\{F = i\},$$

and under the assumption of equal prior probability, we would attain perfect anonymity $a = 1 - 1/n$ from the perspective of the untrusted receiver. However, such anonymity would come at the cost of doubling the minimum delay, that is, at the cost of making $\delta \geq 2$ (with probability 1) for any sending probability $p$, no matter how large, which would impact both $\delta_{\mathrm{avg}}$ and $q_{\mathrm{end}}$ negatively.

4.2. Fundamental theorems

The following results theoretically characterize the anonymity-QoS trade-off in our model of Crowds in lossy networks. Proofs are provided in the next section.

In these results, we define the effective sending probability $p_{\mathrm{eff}} = 1 - \bar{p}\bar{q}$ (equivalently, $\bar{p}_{\mathrm{eff}} = \bar{p}\bar{q}$). It is clear that if $q = 0$, then $p_{\mathrm{eff}} = p$. Interestingly, we shall discover that part of the behavior of the protocol in a lossy network with sending probability $p$ and loss probability $q$ replicates that of a lossless network with sending probability precisely $p_{\mathrm{eff}}$.

Theorem 1 (QoS).

(i) $\delta$ conditioned on $\delta < \infty$ is geometrically distributed with parameter $p_{\mathrm{eff}}$.

(ii) $\delta_{\mathrm{avg}} = 1/p_{\mathrm{eff}}$.

(iii) $q_{\mathrm{end}} = q/p_{\mathrm{eff}} = q\,\delta_{\mathrm{avg}}$.

Theorem 2 (Anonymity).

(i) $\mathrm{P}\{F = i \mid L = i\} = \mathrm{P}\{L = i \mid F = i, \delta < \infty\} = \mathrm{P}\{F = L \mid \delta < \infty\}$ for any user $i = 1, \ldots, n$.

(ii) $\mathrm{P}\{F = L \mid \delta < \infty\} = \dfrac{1 + (n-2)\,p_{\mathrm{eff}}}{n - p_{\mathrm{eff}}}$.

(iii) $\hat{F} = L$ and $a = \mathrm{P}\{F \neq L \mid \delta < \infty\} = \dfrac{(n-1)\,\bar{p}_{\mathrm{eff}}}{n - p_{\mathrm{eff}}}$.

In light of the previous theorems, from the point of view of the receiver, the most likely identity of the original sender of a message turns out to be the last’s, which justifies the predecessor attack cited in Section 2.2. (Careful inspection of our proofs will show that the uniformity assumption on the message generation rate is only needed to conclude that the MAP estimate is $\hat{F} = L$. Precisely, if such estimation rule were taken as a starting hypothesis rather than a consequence, all of the results in the theorems in this section, except for (i) in Theorem 2, would still hold true. Further, for any prior message generation probability $\mathrm{P}\{F = i\}$, no matter how unequal, there exists a sufficiently high $p$ for which $\hat{F} = L$ remains the best attacker’s strategy.)

Further, one may regard a network with loss probability $q$ and sending probability $p$ as a lossless network with a higher effective sending probability $p \leq p_{\mathrm{eff}} < 1$, where the left inequality holds with equality when $q = 0$, and the right one in the limit as $q \to 1$. This is consistent with the intuition that higher link loss probability decreases the likelihood of longer message forwarding. Lastly, careful inspection of the proofs shows that allowing self-forwarding would make no difference in terms of anonymity, at the expense of worse QoS.

Thus far, we have presented two separate, traditional QoS metrics on the extended delay $\delta$. However, we may combine both the effects of end-to-end losses and delay in a single quantity, for a simpler representation of the anonymity-QoS trade-off on a single plane. One example of such combined (inverse) QoS metric is

$$c = \mathrm{P}\{\delta > \delta_{\max}\}$$

for some maximum delay $\delta_{\max}$ tolerable by a given messaging application, which we may regard as the cost of anonymity. It is routine* to check that

$$c = \mathrm{P}\{\delta > \delta_{\max}\} = q_{\mathrm{end}} + \bar{q}_{\mathrm{end}}\, \bar{p}_{\mathrm{eff}}^{\,\delta_{\max}}. \qquad (1)$$

Additional examples are percentiles of $\delta$, such as the median or the 90th percentile, suitable for average-case and worst-case scenarios, respectively.

* Write

$$\mathrm{P}\{\delta > \delta_{\max}\} = \mathrm{P}\{\delta = \infty\} + \mathrm{P}\{\delta < \infty\}\, \mathrm{P}\{\delta > \delta_{\max} \mid \delta < \infty\}.$$

In light of Theorem 1(i), the conditioned event $\delta > \delta_{\max}$ now represents $\delta_{\max}$ failures of a geometric r.v.
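As an added illustration (not part of the paper or its authors' code), the following Python script simulates the protocol of Section 4.1 in a lossy single-hop network and compares Monte Carlo estimates of δ_avg, q_end, a and c with the closed forms of Theorems 1 and 2 and Eq. (1); it also reproduces the receiver's MAP estimate by tallying, for each observed last sender, the most frequent first sender, which turns out to be the last sender itself. The parameters n, p, q, δ_max and the number of simulated messages are constructed sample values.

```python
"""Monte Carlo check of the modified Crowds protocol in a lossy network.

Added example, not the paper's code.  Models Section 4.1: no initial
mandatory forwarding step; every send is lost with probability q, and a
surviving message goes straight to the receiver with probability p or to
one of the other n-1 users with probability (1-p)/(n-1).
"""
import math
import random
from collections import Counter


def p_eff(p, q):
    """Effective sending probability p_eff = 1 - (1-p)(1-q) (Section 4.2)."""
    return 1.0 - (1.0 - p) * (1.0 - q)


def theory(n, p, q, d_max):
    """Closed forms from Theorem 1, Theorem 2 and Eq. (1)."""
    pe = p_eff(p, q)
    d_avg = 1.0 / pe                                   # Theorem 1(ii)
    q_end = q / pe                                     # Theorem 1(iii)
    a = (n - 1) * (1.0 - pe) / (n - pe)                # Theorem 2(iii)
    c = q_end + (1.0 - q_end) * (1.0 - pe) ** d_max    # Eq. (1)
    return {"d_avg": d_avg, "q_end": q_end, "a": a, "c": c}


def send_message(n, p, q, rng):
    """Simulate one message.

    Returns (delay, first_sender, last_sender); delay is the number of
    sends until the receiver gets the message, or math.inf if it is lost.
    """
    first = rng.randrange(n)
    holder = first
    hops = 0
    while True:
        hops += 1                              # one (possibly lossy) send
        if rng.random() < q:                   # link loss: absorbing state
            return math.inf, first, None
        if rng.random() < p:                   # delivered directly to Rx
            return hops, first, holder
        # forwarded uniformly to one of the other n-1 users (no self-forwarding)
        nxt = rng.randrange(n - 1)
        holder = nxt if nxt < holder else nxt + 1


def simulate(n, p, q, d_max, messages, seed=1):
    """Estimate d_avg, q_end, a and c empirically, and compute the receiver's
    empirical MAP guess of the first sender F for each observed last sender L."""
    rng = random.Random(seed)
    received = 0
    hop_sum = 0
    late = 0                       # delay > d_max, lost messages included
    mismatch = 0                   # F != L among received messages
    joint = Counter()              # (last, first) counts: the receiver's view
    for _ in range(messages):
        delay, first, last = send_message(n, p, q, rng)
        if delay > d_max:
            late += 1
        if delay == math.inf:
            continue
        received += 1
        hop_sum += delay
        mismatch += first != last
        joint[(last, first)] += 1
    # MAP estimate per observed last sender: the most frequent first sender
    map_guess = {}
    for last in range(n):
        row = {f: joint[(last, f)] for f in range(n)}
        map_guess[last] = max(row, key=row.get)
    return {
        "d_avg": hop_sum / received,
        "q_end": 1.0 - received / messages,
        "a": mismatch / received,
        "c": late / messages,
        "map_is_last": all(map_guess[i] == i for i in range(n)),
    }


if __name__ == "__main__":
    N, P, Q, DMAX = 10, 0.5, 0.1, 3            # constructed sample parameters
    th = theory(N, P, Q, DMAX)
    sim = simulate(N, P, Q, DMAX, messages=200_000)
    for key in ("d_avg", "q_end", "a", "c"):
        print(f"{key:6s} theory={th[key]:.4f} simulated={sim[key]:.4f}")
    print("MAP estimate equals last sender for every L:", sim["map_is_last"])
```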

Figure 2. Trade-off between anonymity $a$ and QoS, the latter in terms of (a) average delay $\delta_{\mathrm{avg}}$ and (b) end-to-end loss probability $q_{\mathrm{end}}$.

4.3. Further trade-off analysis

To complete our characterization of the anonymity-QoS trade-off, we proceed to draw a series of consequences of the previous theorems. As they only require straightforward notions of algebra and calculus, proofs are omitted or merely hinted at. In short, these results shed some light on the usability in a lossy network, from the perspective of impact on QoS, of the Crowd-like protocol for anonymity just described. We succinctly and conceptually recapitulate the main conclusions in Section 7.

Our initial consequences are graphically summarized in Figure 2. For each $q \in [0, 1)$, $p_{\mathrm{eff}}$ is an increasing, affine function of $p \in (0, 1]$, with infimum $q$ and maximum 1. As $p$ vanishes, that is, in the high anonymity region, $p_{\mathrm{eff}}$ approaches $q$, and $a$ tends to its supremum $\frac{(n-1)\,\bar{q}}{n-q}$, upper bounded by $1 - \frac{1}{n}$, corresponding to a uniform posterior probability distribution on $F$ given $L$, ideal from the anonymity standpoint, but reachable only for $q = 0$ in the limit of small $p$. In this region, $\delta_{\mathrm{avg}}$ and $q_{\mathrm{end}}$ approach their suprema, $1/q$ and 1, respectively. For $p \approx 1$, corresponding to the high QoS region*,

$$a \approx \delta_{\mathrm{avg}} - 1 = \frac{q_{\mathrm{end}}}{q} - 1.$$

For $p = 1$, $\delta_{\mathrm{avg}} = 1$ and $q_{\mathrm{end}} = q$, their respective minimum values. The trade-off itself has the same shape, regardless of whether QoS is measured as $\delta_{\mathrm{avg}}$ or $q_{\mathrm{end}}$, and $a$ is an increasing, strictly concave function, which means that the protocol has diminishing returns, albeit always positive.

* This is a first-order Taylor approximation to $a$ as a function of $\delta_{\mathrm{avg}}$ for $p \approx 1$, equivalent to $p_{\mathrm{eff}} \approx 1$, where we compute

$$\frac{da}{d\delta_{\mathrm{avg}}} = \frac{da/dp_{\mathrm{eff}}}{d\delta_{\mathrm{avg}}/dp_{\mathrm{eff}}},$$

for $p_{\mathrm{eff}} = 1$ from the formulas in Theorems 1 and 2.

Figure 3. Trade-off between anonymity $a$ and QoS, the latter expressed by means of the metric $c = \mathrm{P}\{\delta > \delta_{\max}\}$, combining both the effects of delay and end-to-end loss.

Figure 3 provides a snapshot of the anonymity-QoS trade-off as a single curve, simply by merging the effects of both delay and end-to-end losses into the QoS metric $c$ defined in (1).

Because

$$c = \mathrm{P}\{\delta > \delta_{\max}\} \geq \mathrm{P}\{\delta = \infty\} = q_{\mathrm{end}},$$

the trade-off with respect to $c$ appears shifted toward the right of the one with respect to $q_{\mathrm{end}}$, plotted in Figure 2(b) and superimposed in Figure 3. It is clear from its definition that $c$ will approach the end-to-end loss metric $q_{\mathrm{end}}$ in the limit of increasing maximum delay tolerance $\delta_{\max}$, that is, $\lim_{\delta_{\max} \to \infty} c = q_{\mathrm{end}}$. Less obvious is the fact that for any fixed $\delta_{\max}$, $c$ becomes asymptotically equivalent to $q_{\mathrm{end}}$ in the high QoS region, that is, $\lim_{p \to 1} c/q_{\mathrm{end}} = 1$.

A striking observation is that* in the high QoS region, $a \approx c/q - 1$. This means that whenever the link loss probability $q$ is small, the rate of anonymity gain with respect to QoS degradation is highly favorable, as the slope of the curve in this region approaches $1/q$.

4.4. Absolute and relative equilibria

The characterization of the anonymity-QoS trade-off carried out thus far may very well suffice when making an informed decision regarding the specific point of operation within the curves analyzed. Typically, a user or system designer might simply specify a desired QoS, which immediately determines the best anonymity attainable, or vice versa. Still, there exist a couple of natural points of equilibrium within the trade-off we would like to consider here, even if merely as additional information to assist in said decision. Throughout this subsection, we content ourselves with the special case of the combined QoS metric (1).

The problem of maximizing the anonymity $a$ while minimizing the QoS degradation $c$ may be approached from the perspective of multiobjective optimization. In essence, when one wishes to minimize several competing costs, as is technically the case for $-a$ and $c$ here, it is customary to consider the minimization of their Lagrangian cost [34]. This is effectively a weighted sum of those individual costs, modeling their overall impact, where the nonnegative weights, called Lagrangian multipliers, represent the importance of one optimization objective with respect to the rest.

Accordingly, define the Lagrangian cost $-a + \lambda c$, which we wish to minimize, and in which the multiplier $\lambda$ quantifies the importance of QoS degradation in relation to anonymity, clearly application dependent. Because of the simple one-to-one correspondence between the sending probability $p$ and its effective version $p_{\mathrm{eff}}$, we may think of $a$ and $c$ as functions of either, the latter leading to somewhat simpler expressions; and of course, we may view $a$ directly as a function of $c$.

The Lagrangian optimal operation point within the trade-off is given by any of the following equivalent conditions:

$$\frac{da}{dp_{\mathrm{eff}}} = \lambda\, \frac{dc}{dp_{\mathrm{eff}}}, \qquad \frac{da}{dc} = \lambda. \qquad (2)$$

Graphically, this corresponds to the point of the $c$–$a$ curve in Figure 3 with slope $\lambda$. We shall refer to the solution, whether in $p$ or $p_{\mathrm{eff}}$, as the absolute equilibrium, in the sense that it represents the sending probability for which a small increment in cost would lead to an increment in anonymity with the same overall impact. Informally, $da = d(\lambda c)$.

* As before, a first-order Taylor approximation to $a$ is computed for $p \approx 1$, this time in terms of $c$, given in (1), after carefully calculating, for the equivalent condition $p_{\mathrm{eff}} = 1$,

$$\frac{da}{dc} = \frac{da/dp_{\mathrm{eff}}}{dc/dp_{\mathrm{eff}}}.$$

We already mentioned at the end of Section 4.3 that in the high QoS region the steep slope of the curve could be interpreted as an argument in favor of implementing our protocol, or at the very least against unprotected, direct delivery ($p = 1$). Indeed,

$$\left.\frac{da}{dc}\right|_{p=1} = \frac{1}{q}, \qquad (3)$$

a large gain under the mild assumption of a small link loss probability $q$. Mathematically, there exists an absolute equilibrium $p < 1$ for any weight $\lambda < 1/q$.

Alternatively, we might be interested in a point of operation within the trade-off such that relative increments in both objectives, rather than absolute increments, match. Informally, $da/a = dc/c$, where either member of the equation may be thought of as a small percentage. More formally, we define the relative equilibrium as the solution, whether in $p$ or $p_{\mathrm{eff}}$, to any of the following equivalent conditions:

$$\frac{1}{a}\frac{da}{dp_{\mathrm{eff}}} = \frac{1}{c}\frac{dc}{dp_{\mathrm{eff}}}, \qquad \frac{da}{dc} = \frac{a}{c}. \qquad (4)$$

Note that this equilibrium is invariant with respect to scaling of either of the objective functions. Under the perspective of relative gains and the assumption that losses exist, because at $p = 1$, $a = 0$ but $c = q > 0$, there is a strong incentive to avoid message delivery without any anonymity protection, mathematically reflected by the fact that for $q > 0$,

$$\left.\frac{1}{a}\frac{da}{dc}\right|_{p=1} = \infty. \qquad (5)$$

We would like to remark that the notion of logarithmic derivatives enables us to connect this type of equilibrium with the previous one. Precisely, define $\tilde{a} = -\ln a$ and $\tilde{c} = -\ln c$. Because in this case both $a$ and $c$ are probabilities, $\tilde{a}$ and $\tilde{c}$ are nonnegative. Because

$$\frac{d\tilde{a}}{dp_{\mathrm{eff}}} = -\frac{1}{a}\frac{da}{dp_{\mathrm{eff}}},$$

and similarly for the rest of variables, the condition for relative equilibrium becomes that for absolute equilibrium, with $\lambda = 1$, in terms of the transformed objectives. In a doubly logarithmic graphical representation, this equilibrium would correspond to the point in the curve with unit slope.

We would like to finish with explicit expressions (6) of the traditional and logarithmic derivatives involved in these equilibria, obtained after careful simplification but ultimately straightforward:

$$\frac{da}{dp_{\mathrm{eff}}} = -\left(\frac{n-1}{n-p_{\mathrm{eff}}}\right)^{2}$$

$$\frac{dc}{dp_{\mathrm{eff}}} = \frac{1}{p_{\mathrm{eff}}^{2}}\left(-q + \bigl(q\,\bar{p}_{\mathrm{eff}} - \delta_{\max}\,(p_{\mathrm{eff}} - q)\,p_{\mathrm{eff}}\bigr)\,\bar{p}_{\mathrm{eff}}^{\,\delta_{\max}-1}\right)$$

$$\frac{1}{a}\frac{da}{dp_{\mathrm{eff}}} = \frac{1-n}{(n-p_{\mathrm{eff}})\,\bar{p}_{\mathrm{eff}}} = \frac{1}{n-p_{\mathrm{eff}}} - \frac{1}{\bar{p}_{\mathrm{eff}}}$$

$$\frac{1}{c}\frac{dc}{dp_{\mathrm{eff}}} = \frac{-q + \bigl(q\,\bar{p}_{\mathrm{eff}} - \delta_{\max}\,(p_{\mathrm{eff}} - q)\,p_{\mathrm{eff}}\bigr)\,\bar{p}_{\mathrm{eff}}^{\,\delta_{\max}-1}}{p_{\mathrm{eff}}\left(q + (p_{\mathrm{eff}} - q)\,\bar{p}_{\mathrm{eff}}^{\,\delta_{\max}}\right)} \qquad (6)$$

Replacing the members of the first form of each of the equilibria equations (2) and (4) by their corresponding expression in (6), polynomial equations in $p_{\mathrm{eff}}$ are obtained. These polynomial equations may be solved numerically with mathematical and computational software such as MATLAB or MATHEMATICA. The former, for instance, provides the function roots, which exploits the fact that finding the roots of a polynomial is equivalent to finding the eigenvalues of its companion matrix [35].
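To make the equilibria of Eqs. (2) and (4) concrete, here is an added Python example (not the paper's MATLAB procedure) that evaluates a(p_eff), c(p_eff) and the derivatives of Eq. (6), locates the absolute equilibrium for a given λ and the relative equilibrium by bisection in p_eff over (q, 1), and checks the endpoint slope of Eq. (3). The values n = 10, q = 0.1, δ_max = 5 and the weights λ are constructed sample parameters.

```python
"""Absolute and relative equilibria of the anonymity-QoS trade-off.

Added example, not the paper's code.  Uses the closed forms of Section 4
for a(p_eff) and c(p_eff) together with the derivatives of Eq. (6), and
locates the equilibria of Eqs. (2) and (4) by bisection in p_eff over
(q, 1) rather than by the polynomial root finding the text mentions.
"""


def anonymity(pe, n):
    """a = (n-1)(1-p_eff)/(n-p_eff), Theorem 2(iii)."""
    return (n - 1) * (1.0 - pe) / (n - pe)


def cost(pe, q, d_max):
    """c = P{delta > delta_max} = q_end + (1-q_end)(1-p_eff)^delta_max, Eq. (1)."""
    q_end = q / pe
    return q_end + (1.0 - q_end) * (1.0 - pe) ** d_max


def da_dpe(pe, n):
    """da/dp_eff, first line of Eq. (6)."""
    return -((n - 1) / (n - pe)) ** 2


def dc_dpe(pe, q, d_max):
    """dc/dp_eff, second line of Eq. (6)."""
    pbar = 1.0 - pe
    inner = q * pbar - d_max * (pe - q) * pe
    return (-q + inner * pbar ** (d_max - 1)) / pe ** 2


def slope_da_dc(pe, n, q, d_max):
    """Slope da/dc of the trade-off curve; equals 1/q at p_eff = 1, Eq. (3)."""
    return da_dpe(pe, n) / dc_dpe(pe, q, d_max)


def bisect(f, lo, hi, tol=1e-12):
    """Root of f on [lo, hi]; f(lo) and f(hi) must differ in sign."""
    flo, fhi = f(lo), f(hi)
    if flo * fhi > 0:
        raise ValueError("no sign change on the bracket")
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        fmid = f(mid)
        if fmid == 0.0 or hi - lo < tol:
            return mid
        if (fmid > 0) == (flo > 0):
            lo, flo = mid, fmid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def absolute_equilibrium(n, q, d_max, lam):
    """p_eff solving da/dc = lambda, Eq. (2): a small increment in cost buys
    an increment in anonymity of equal Lagrangian weight."""
    eps = 1e-9
    return bisect(lambda pe: slope_da_dc(pe, n, q, d_max) - lam,
                  q + eps, 1.0 - eps)


def relative_equilibrium(n, q, d_max):
    """p_eff solving (1/a) da/dp_eff = (1/c) dc/dp_eff, Eq. (4): relative
    increments da/a and dc/c match (unit slope in a log-log plot)."""
    def g(pe):
        return (da_dpe(pe, n) / anonymity(pe, n)
                - dc_dpe(pe, q, d_max) / cost(pe, q, d_max))
    eps = 1e-9
    return bisect(g, q + eps, 1.0 - eps)


def sending_probability(pe, q):
    """Invert p_eff = 1 - (1-p)(1-q) to recover the protocol parameter p."""
    return 1.0 - (1.0 - pe) / (1.0 - q)


if __name__ == "__main__":
    N, Q, DMAX = 10, 0.1, 5                     # constructed sample parameters
    print("slope at p = 1:", slope_da_dc(1.0, N, Q, DMAX), "(1/q =", 1 / Q, ")")
    for lam in (1.0, 2.0, 5.0):
        pe = absolute_equilibrium(N, Q, DMAX, lam)
        print(f"lambda={lam}: p_eff={pe:.4f} p={sending_probability(pe, Q):.4f} "
              f"a={anonymity(pe, N):.4f} c={cost(pe, Q, DMAX):.4f}")
    pe = relative_equilibrium(N, Q, DMAX)
    print(f"relative equilibrium: p_eff={pe:.4f} p={sending_probability(pe, Q):.4f} "
          f"a={anonymity(pe, N):.4f} c={cost(pe, Q, DMAX):.4f}")
```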

5. THEORETICAL ANALYSIS OF THE FUNDAMENTAL THEOREMS

We first develop a couple of lemmas on a certain type of Markov chains with absorbing states we call exit states, which will serve as a stepping stone toward the theoretical resolution of the problem formulated in Section 4, conducted next.

5.1. Markov chains with exit states

Consider the binary Markov chain of Figure 4(a). In this chain, no arrow is depicted to represent that 0 is an absorbing state, meaning that, once entered, it cannot be left. Denote the transition probability from state 1 to state 0 by $e$, so that the return probability to 1 is $\bar{e}$. Assuming that the starting state is 1, and considering only the portion $1\,1 \ldots 1\,0$ of the sequence of states until 0 is reached, we may refer to 0 as an exit state, and define the exit time as the r.v. $T$ determined by the length of such finite subsequence, including 0. Clearly, $T$ is a geometric r.v. with parameter $e$, the exit probability, and recall that, consequently, $\mathrm{E}[T] = 1/e$.

We generalize this Markov chain by introducing the additional exit state $\infty$, as depicted in Figure 4(b), with exit probability $e_\infty$, for a total exit probability $e = e_0 + e_\infty$. Assuming again that the chain is started at state 1, the exit time $T$ is redefined analogously, considering now the length of subsequences of the form $1\,1 \ldots 1\,0$ or $1\,1 \ldots 1\,\infty$. From these definitions, the probabilities of each of such subsequences are $\bar{e}^{\,t-1} e_0$ and $\bar{e}^{\,t-1} e_\infty$, respectively, for any given exit time $t = 1, 2, \ldots$ Finally, define the exit outcome as a binary r.v. $E$ taking values on $\{0, \infty\}$, corresponding to the last state of the a
forementioned subsequences. The following lemma characterizes the geometric r.v. with an additional exit state represented in Figure 4(b).

Lemma 3. Consider a geometric r.v. with an additional exit state, under the previous assumptions, with exit time $T$ and exit outcome $E$.

(i) $T$ and $E$ are statistically independent.
(ii) The distribution of $T$, whether conditioned on the event $E = 0$ or not, is geometric with parameter $e$.
(iii) $P\{E = 0\} = e_0/e$ and $P\{E = \infty\} = e_\infty/e$.

Proof. The statistical independence between $T$ and $E$ is immediate from their definition, which also implies that $T$ conditioned on $E = 0$ is distributed exactly as its unconditioned version. To see that the latter $T$ is geometrically distributed with parameter $e = e_0 + e_\infty$, simply regard the two exit states as a macrostate. Lastly, due to the symmetry in the definition of the two exit states, it suffices to show the third statement for one of them:

$$P\{E = 0\} = \sum_{t=1}^{\infty} P\{E = 0, T = t\} = \sum_{t=1}^{\infty} \bar{e}^{\,t-1} e_0 = \frac{e_0}{e}.$$

Figure 4. Markov chain representing (a) a geometric random variable and (b) its generalization with an additional exit state.


Alternatively, apply independence to write $P\{E = 0\} = P\{E = 0 \mid T = 1\}$, proportional to $P\{E = 0, T = 1\}$, and conclude that $P\{E = 0\}/P\{E = \infty\} = e_0/e_\infty$.

We may now proceed to extend Lemma 3 to a Markov chain with two exit states, enabling us to address the theoretical analysis of the problem formulated in Section 4. Specifically, consider a Markov chain with finite state space $\{1, \ldots, n\}$ and transition matrix $P = (p_{ij})_{ij}$. Assume we enlarge this chain with two exit states 0 and $\infty$, that is, absorbing states, with equal transition probabilities $e_0$ and $e_\infty$ from each of the original $n$ states, adding up to a total exit probability $e = e_0 + e_\infty$. The new transition probabilities between the original states are obtained from the original $p_{ij}$ simply by multiplying by $\bar{e}$, representing that transitions occur with the original likelihood in the absence of exit. Suppose further that the chain is started at one of the original states $i_0 = 1, \ldots, n$ with probability $\pi_{i_0}$. As previously, we are only interested in the sequence of states until the exit event, which we denote by $I = I_0 I_1 \cdots I_{T-1}$, where $I_0$ is the initial state, $T$ the exit time, and the exit outcome $E$ would occur immediately after $I_{T-1}$. Thus,

$$P\{I = i, E = 0\} = \pi_{i_0}\, p_{i_1 i_0} \cdots p_{i_{t-1} i_{t-2}}\, \bar{e}^{\,t-1} e_0, \qquad (7)$$

and similarly for $E = \infty$. The following lemma characterizes this type of Markov chain.

Lemma 4. Consider a Markov chain with two exit states, under the previous assumptions, with initial state probabilities $\pi_{i_0}$, random sequence of states until the exit event $I$, exit time $T$, and exit outcome $E$. Viewing the set of $n$ original states as a single macrostate, it is clear that $T$ is geometrically distributed with parameter $e$, and that all properties of Lemma 3 hold for $T$ and $E$, in particular. More generally,

(i) $I$ and $E$ are statistically independent.
(ii) For any sequence $i$ until the exit event,

$$P\{I = i \mid E = 0\} = P\{I = i\} = \pi_{i_0}\, p_{i_1 i_0} \cdots p_{i_{t-1} i_{t-2}}\, \bar{e}^{\,t-1} e.$$

Proof. The statistical independence between $I$ and $E$ is immediate from their definition, which also implies that $P\{I = i \mid E = 0\} = P\{I = i\}$. The last equation in the lemma follows from rewriting (7) for $P\{I = i\}$, viewing the two exit states as a single macrostate with exit probability $e = e_0 + e_\infty$. Alternatively, the equation in question can be shown by writing

$$P\{I = i \mid E = 0\} = P\{I = i, E = 0\}/P\{E = 0\},$$

and then applying (7) and Lemma 3(iii).

The importance of the statistical independence results stated in (i) of both Lemma 3 and 4 is best understood under the well-known fact that for any two events, the latter with positive probability, independence is equivalent to requiring that the prior on the first be equal to its posterior given the second. Mathematically, $A$ and $B$ are statistically independent (i.e., $P(A \cap B) = P(A)P(B)$) if and only if $P(A \mid B) = P(A)$, under the mild assumption that $P(B) > 0$. We would also like to stress that statements (ii) in both Lemma 3 and 4 mean that conditioning on $E = 0$ preserves the behavior of the corresponding stochastic processes. That is, the role of the total exit probability $e$ is preserved in the distribution of both $T$ and $I$, running contrary to any intuition that might suggest replacing $e$ by the exit probability $e_0$ of the conditioning outcome.

5.2. Proofs of the main theorems

We proceed to prove our main results, stated in the theorems in Section 4. Both proofs resort to the lemmas in the previous part of this section, identifying the exit states 0 and $\infty$ depicted in Figure 4(b) with the events of sending and losing a message shown in Figure 1, respectively. Under this correspondence, the exit probabilities are $e_0 = \bar{q}\,p$, $e_\infty = q$ and

$$e = q + \bar{q}\,p = 1 - \bar{q} + \bar{q}\,p = 1 - \bar{p}\,\bar{q} = p_{\mathrm{eff}}.$$

Proof of Theorem 1. Recall the geometric r.v. with an additional exit state of Lemma 3, represented in Figure 4(b). The extended delay $\delta$ defined in Section 4 may be expressed as $T$ when $E = 0$, and $\infty$ otherwise. Bearing in mind the aforementioned exit state correspondence, observe that the distribution of $\delta$ conditioned on $\delta < \infty$ precisely coincides with that of $T$ conditioned on $E = 0$, which the lemma asserts to be geometric with parameter $e = p_{\mathrm{eff}}$, proving (i) in the theorem. Statement (ii) is an immediate consequence of the well-known fact that the expectation of a geometric r.v. is the inverse of its parameter. The last statement of the theorem follows from its counterpart in Lemma 3, by identifying $P\{E = \infty\} = q_{\mathrm{end}}$, $e_\infty = q$ and $e = p_{\mathrm{eff}}$.

Proof of Theorem 2 (Sketch). We proceed by considering decreasingly simplified variations of the model represented in Figure 1. Consider first the special case without losses, $q = 0$, and concordantly disregard any conditioning on $\delta < \infty$. Suppose further that users were allowed to forward messages to themselves, so that the transition probabilities in the corresponding Markov chain became $\bar{p}/n$ in lieu of $\bar{p}\,\bar{q}/(n-1)$. In this variation of the problem, regardless of $i$, we claim that

$$P\{L = i \mid F = i\} = p + \bar{p}/n > 1/n. \qquad (8)$$

Indeed, either $i$ sends the message directly to the receiver, with probability $p$, or else, with probability $\bar{p}$, the message is forwarded with equal probability $1/n$ to any user,


including the original sender, and any consecutive hops will maintain this uniform uncertainty. Thus,

$$P\{L = i \mid F = i\} = P\{F = L \mid F = i\}$$

is a constant quantity. To verify the bound, simply apply $p > p/n$.

We assumed equal prior sending rate among users. Hence, by symmetry, $P\{F = i\} = 1/n = P\{L = i\}$, and consequently (†),

$$P\{F = i \mid L = i\} = \frac{P\{F = i\}}{P\{L = i\}}\, P\{L = i \mid F = i\} = P\{L = i \mid F = i\} = P\{F = L \mid F = i\} = \frac{1}{n} \sum_i P\{F = L \mid F = i\} = P\{F = L\} = \bar{a}.$$

Again by symmetry, $P\{L = j \mid F = i\}$ will remain the same for any $j \neq i$. For that reason, the bound in (8) implies that $P\{L = j \mid F = i\}$ is maximized at $j = i$. Concordantly, the MAP estimator is $\hat{F} = L$.

Still in the special case $q = 0$, suppose now that self-forwarding is no longer allowed, so that transition probabilities between distinct nodes corresponding to users are $\bar{p}/(n-1)$. Although this may seem a problem fairly different from the completely symmetric simplification with self-forwarding previously, a clever application of Lemma 3 will enable us to transform it into the former simplification.

Before proceeding, we need the immediate generalization of statement (iii) in the lemma to $n$ exit states with transition probabilities $e_j$, $j = 0$ representing direct sending, and $j > 0$ forwarding to any of the other $n - 1$ users. For a total $e = \sum_j e_j$, the return probability modeling self-forwarding in the former simplification would be $r = \bar{e}$. Said generalization of (iii) would guarantee that the probability of each exit outcome $E = i$ would be $e_i/e = e_i/\bar{r}$.

Back to the argument relating the earlier, symmetric simplification allowing self-forwarding, and the variation without self-forwarding, it may help to think of the latter strategy as implemented exactly as the former, with the caveat that the self-forwarding event remains hidden from an external observer and yields no delay.

Define $p'$ as the sending probability in the earlier, symmetric simplification allowing self-forwarding. Then, from the point of view of the statistics involving $F$ and $L$, both strategies are utterly equivalent under the transformation given by $P\{E = 0\} = e_0/\bar{r}$ for the new forwarding probability $p = p'/(1 - \bar{p}'/n)$.

(†) For any events $A$ and $B$ with positive probability,

$$P(A \mid B) = \frac{P(A \cap B)}{P(B)} = \frac{P(A)}{P(B)} \cdot \frac{P(A \cap B)}{P(A)} = \frac{P(A)}{P(B)}\, P(B \mid A).$$

After routine algebraic manipulation, $p' = (n-1)p/(n-p)$, and on account of (8) and the hypothesis of uniform prior message generation, we conclude

$$P\{L = i \mid F = i\} = P\{F = L\} = \frac{1 + (n-2)p}{n - p}, \qquad (9)$$

and

$$P\{F \neq L\} = 1 - P\{F = L\} = \frac{(n-1)\,\bar{p}}{n - p}.$$

Finally, we move to the most general case, with $q > 0$ and without self-forwarding. To complete the proof, it will suffice to apply Lemma 4 to the previous variation for $q = 0$. Specifically, we identify the absence of loss represented by the event $\delta < \infty$ with the exit outcome $E = 0$, and apply assertion (ii) in the lemma, on the fact that after conditioning, the behavior of the underlying stochastic process remains the same, in terms of the total exit probability $e = p_{\mathrm{eff}}$ in lieu of the exit probability of the conditioning outcome, $e_0$. Accordingly, we replace $p$ by $p_{\mathrm{eff}}$ in (9). The two consecutive transformations of the problem prove all three statements in the theorem, in the most general version.

6. NUMERICAL EXAMPLE

To confirm and illustrate the theoretical results in Sections 4.2 through 4.4, we conduct a simulation of the Markov chain corresponding to the full-fledged version of the problem, with losses and without self-forwarding.

In our simulation, a total of $n = 10$ users follow our variation of the Crowds protocol on a network with link loss probability $q = 0.1$. The combined QoS metric (1) is used, for a maximum delay tolerance of $\delta_{\max} = 5$ hops. The protocol is repeated for each of the sending probabilities $p = 0.05, 0.25, 0.5, 0.75, 1$, and for $10^4$ messages uniformly generated by the users, for each of those probabilities. The anonymity $a$ and the QoS cost $c$ are estimated directly as the corresponding relative frequencies found empirically.

The results of the simulation are shown in Figure 5, in which the simulated points quite accurately lie along the theoretical trade-off curve, verifying the analysis in Figure 3. Further, we numerically compute the absolute and relative equilibria, the former for equal weight (unit weight), following the method explained at the end of Section 4.4. As expected, at the absolute equilibrium, corresponding to $p \simeq 0.373$, the linear curve has unit slope, and so does the logarithmic curve at the relative equilibrium, $p \simeq 0.536$.
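As an added example, and not the authors' own simulation code, the following Python script reproduces the Monte Carlo experiment of this section and checks it against Theorems 1 and 2 and the lemmas of Section 5: conditioned on delivery, the delay is geometric with parameter $p_{\mathrm{eff}}$ rather than $e_0 = \bar{q}\,p$, and the MAP estimator $\hat{F} = L$ errs with probability $(n-1)\,\bar{p}_{\mathrm{eff}}/(n - p_{\mathrm{eff}})$. The exact form of the combined QoS metric (1) is not reproduced on this page; the script assumes $c = P\{\delta > \delta_{\max}\}$ with lost messages ($\delta = \infty$) counted as exceeding the tolerance, which agrees with the limit $c \to q$ as $p \to 1$ stated later in this section.

```python
import math
import random

INF = math.inf  # extended delay delta of a lost message


def p_eff(p, q):
    """Effective sending probability, i.e. the total exit probability e = 1 - (1-p)(1-q)."""
    return 1.0 - (1.0 - p) * (1.0 - q)


def theoretical(n, p, q, delta_max):
    """Predictions of Theorems 1 and 2 for n users, sending probability p, loss probability q."""
    pe = p_eff(p, q)
    a = (n - 1) * (1.0 - pe) / (n - pe)   # P{F != L | delta < inf}: (9) with p replaced by p_eff
    q_end = q / pe                        # P{delta = inf}, Theorem 1
    mean_delay = 1.0 / pe                 # E[delta | delta < inf]: geometric with parameter p_eff
    # Assumed form of the combined QoS cost (1): P{delta > delta_max}, lost messages included.
    c = q_end + (1.0 - q_end) * (1.0 - pe) ** delta_max
    return {"a": a, "q_end": q_end, "mean_delay": mean_delay, "c": c}


def send_one(n, p, q, rng):
    """Route one message: returns (originator F, last forwarder L, extended delay delta).
    L is None and delta is INF when a link drops the message."""
    origin = rng.randrange(n)        # uniform prior message generation
    holder, hops = origin, 0
    while True:
        hops += 1                    # every transmission, direct or forwarded, is one hop
        if rng.random() < q:         # link loss: the exit state "infinity"
            return origin, None, INF
        if rng.random() < p:         # direct delivery: the exit state 0, attacker observes L
            return origin, holder, hops
        nxt = rng.randrange(n - 1)   # forward uniformly to one of the other n-1 users
        holder = nxt if nxt < holder else nxt + 1


def simulate(n, p, q, delta_max, messages, seed=1):
    """Empirical a, q_end, mean delivered delay and c as relative frequencies."""
    rng = random.Random(seed)        # constructed, seeded input so the run is reproducible
    lost = delivered = anonymous = exceeded = delay_sum = 0
    for _ in range(messages):
        f, l, delta = send_one(n, p, q, rng)
        if delta == INF:
            lost += 1
            exceeded += 1
            continue
        delivered += 1
        delay_sum += delta
        anonymous += f != l          # the MAP estimate F_hat = L is wrong
        exceeded += delta > delta_max
    return {"a": anonymous / delivered, "q_end": lost / messages,
            "mean_delay": delay_sum / delivered, "c": exceeded / messages}


def max_abs_gap(n, p, q, delta_max, messages=20000, seed=1):
    """Largest deviation between simulation and theory over the four metrics."""
    th = theoretical(n, p, q, delta_max)
    sim = simulate(n, p, q, delta_max, messages, seed)
    return max(abs(th[k] - sim[k]) for k in th)


if __name__ == "__main__":
    for p in (0.05, 0.25, 0.5, 0.75, 1.0):
        print(p, theoretical(10, p, 0.1, 5), simulate(10, p, 0.1, 5, 10_000))
```

Running the script with the parameters of this section ($n = 10$, $q = 0.1$, $\delta_{\max} = 5$) reproduces the points superimposed on the theoretical curve in Figure 5, including the supremum of $a$ near 0.818 for small $p$.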

The equilibrium condition (2), together with the steep slope in the high QoS region of Figure 5(a), given by (3), suggest that unless QoS cost is weighted 10 times more than anonymity, our protocol should be used ($p \neq 1$). Anonymity is bound by the supremum

$$\frac{(n-1)\,\bar{q}}{n - q} \simeq 0.818,$$


Figure 5. Trade-off between anonymity $a$ and combined quality of service (QoS) cost $c$, represented linearly (a) and after logarithmic transformation (b), with $n = 10$, $q = 0.1$ and $\delta_{\max} = 5$. We conduct simulations for $10^4$ messages and $p = 0.05, 0.25, 0.5, 0.75, 1$, whose results are superimposed onto the theoretical curve. At the absolute equilibrium $p \simeq 0.373$ with unit weight, the linear curve has unit slope, and so does the logarithmic curve at the relative equilibrium $p \simeq 0.536$.

below the ideal value of $1 - 1/n = 0.9$, attainable in the limit of $p \to 0$ only when $q = 0$. Loosely speaking, losses degrade anonymity, as $p_{\mathrm{eff}} > q$ means that the effective sending probability cannot be made arbitrarily small.

If we are concerned with relative gains in lieu of absolute increments, $q > 0$ suffices to argue strongly in favor of using the protocol, as (5) mathematically reflects. In this regard, the vertical asymptote at $-\ln q \simeq 2.30$ in Figure 5(b) responds to the fact that as $p \to 1$, $c \to q$ but $a \to 0$.

7. CONCLUSION

We propose a theoretical model of the trade-off between anonymity and QoS of a Crowd-like protocol, suitable for lossy networks. The anonymity metric chosen adheres to and illustrates the recently established principle of pragmatically measuring privacy as an attacker's estimation error.

The necessarily limited scope of this preliminary contribution on the subject of Crowds in networks with losses contemplates only the special case of single-hop wireless networks, thus excluding the multihop case, largely because the former already requires a sufficiently intricate analysis.

Still, by introducing the presence of message losses, we extend the applicability of the protocol beyond the types of networks considered in the original Crowds proposal. We quantify the intuition that anonymity now comes at the expense of, not only delay, but additional end-to-end losses. Focusing on stringent QoS requirements, we concordantly eliminate the initial forwarding step of the original version of the protocol.

Our analysis shows that packet losses lead to a higher effective sending probability, as longer forwarding paths lead to end-to-end loss. Decreasing the sending probability yields significant albeit diminishing returns in terms of anonymity.

When measuring QoS in terms of the probability that message delay exceeds a maximum tolerance threshold, we find that the gain in anonymity per QoS cost in the high QoS region is inversely proportional to the link loss probability, and thus potentially very favorable under small values of such loss likelihood. In addition, absolutely no anonymity is provided if direct delivery is enforced, although losses will impose imperfect QoS even in this case. This strongly argues in favor of anonymity mechanisms, even if we are only willing to accept minimal QoS degradation.

Notwithstanding the limitation of our work to single-hop networks, we expect that our first steps toward introducing losses in the modified Crowds protocol, while analyzing the contrasting aspects of anonymity and QoS jointly, may very well lay part of the fundamental principles to approach the theoretical study of the more intricate case of multihop networks in future endeavors. Additional future research avenues include more extensive simulations with precise wireless network models, both single-hop and multihop, comparing different anonymous-communication protocols or variations thereof, along with alternative measures of anonymity and QoS reflecting diverse application requirements.

Last but not least, and beyond the mathematical details specific to the problem at hand, this work may be construed as an illustration of a systematic approach to privacy-enhancing strategies. In this approach, we contemplate


both privacy and utility in a quantifiable manner that enables us to address the important issue of their inherent trade-off.

ACKNOWLEDGEMENTS

We would like to thank J. Moreira for a number of helpful comments. This work was partly supported by the Spanish Government through projects Consolider Ingenio 2010 CSD2007-00004 "ARES" and TEC2010-20572-C02-02 "Consequence", by the Government of Catalonia under grants 2009 SGR 1362 and FI-AGAUR, and by the UAS in Mexico. D. Rebollo-Monedero is the recipient of a Juan de la Cierva postdoctoral fellowship, JCI-2009-05259, from the Spanish Ministry of Science and Innovation.

REFERENCES

1. Reiter M K, Rubin A D. Crowds: Anonymity for Web transactions. ACM Transactions on Information and System Security 1998; 1(1): 66–92.

2. Huang L, Matsuura K, Yamane H, Sezaki K. Silent cascade: Enhancing location privacy without communication QoS degradation. In Proceedings of the International Conference on Security in Pervasive Computing (SPC), vol. 3934, Lecture Notes in Computer Science (LNCS). Springer-Verlag: York, UK, 2006; 165–180.

3. Xu H, Fu X, Zhu Y, Bettati R, Chen J, Zhao W. A scalar anonymous communication system. In Proceedings of the International Conference on Networking and Mobile Computing (ICCNMC), vol. 3619, Lecture Notes in Computer Science (LNCS). Springer-Verlag: Zhangjiajie, China, 2005; 452–461.

4. Pries R, Yu W, Graham S, Fu X. On performance bottleneck of anonymous communication networks. Proceedings of the IEEE International Symposium on Parallel and Distributed Processing (IPDPS), Miami, FL, April 2008; 1–11.

5. Miede A, Lampe U, Schuller D, Eckert J, Steinmetz R. Evaluating the QoS impact of Web service anonymity. Proceedings of the IEEE European Conference on Web Services (ECOWS), Ayia Napa, Cyprus, Dec. 2010; 75–82.

6. Srivatsa M, Liu L, Iyengar A. Preserving caller anonymity in voice-over-IP networks. Proceedings of the IEEE Symposium on Security and Privacy (SP), Oakland, CA, May 2008; 50–63.

7. Dingledine R. Free Haven's anonymity bibliography, 2009. Available at: www.freehaven.net/anonbib/ [Accessed date: 19 April 2013].

8. Chaum D. Security without identification: transaction systems to make big brother obsolete. Communications of the ACM 1985; 28(10): 1030–1044.

9. Bianchi G, Bonola M, Falletta V, Proto F S, Teofili S. The SPARTA pseudonym and authorization system. Science of Computer Programming 2008; 74(1–2): 23–33.

10. Levine B N, Reiter M K, Wang C, Wright M. Timing attacks in low-latency mix systems. In Proceedings of the International Conference on Financial Cryptography. Springer-Verlag: London, UK, 2004; 251–265.

11. Murdoch S J, Danezis G. Low-cost traffic analysis of Tor. Proceedings of the IEEE Symposium on Security and Privacy (SP), Oakland, CA, 2005; 183–195.

12. Bauer K, McCoy D, Grunwald D, Kohno T, Sicker D. Low-resource routing attacks against anonymous systems. Technical Report, University of Colorado, 2007.

13. Chaum D. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 1981; 24(2): 84–88.

14. Pfitzmann A, Hansen M. A terminology for talking about privacy by data minimization: Anonymity, unlinkability, undetectability, unobservability, pseudonymity, and identity management, 2010. v0.34. Available at: http://dud.inf.tu-dresden.de/literatur/Anon_Terminology_v0.34.pdf [Accessed date: 19 April 2013].

15. Serjantov A, Dingledine R, Syverson P. From a trickle to a flood: active attacks on several mix types. In Proceedings of the International Workshop on Information Hiding (IH). Springer-Verlag: Berlin, Germany, 2002; 36–52.

16. Dingledine R, Mathewson N, Syverson P. Tor: The second-generation onion router. Proceedings of the USENIX Security Symposium, Berkeley, CA, 2004; 21–21.

17. Kesdogan D, Agrawal D, Penz S. Limits of anonymity in open environments. In Proceedings of the International Workshop on Information Hiding (IH), Lecture Notes in Computer Science (LNCS). Springer-Verlag: Noordwijkerhout, The Netherlands, 2002.

18. Danezis G. Statistical disclosure attacks: traffic confirmation in open environments. Proceedings of Security and Privacy in the Age of Uncertainty (SEC), Athens, Greece, May 2003; 421–426.

19. Wright M K, Adler M, Levine B, Shields C. The predecessor attack: an analysis of a threat to anonymous communications systems. ACM Transactions on Information and System Security 2004; 7(4): 489–522.

20. Panchenko A, Pimenidis L. Crowds revisited: practically effective predecessor attack. Proceedings of the Nordic Workshop on Secure IT-Systems, Reykjavik, Iceland, 2007; 1–6.


21. Sui H, Wang J, Chen J, Chen S. An analysis of forwarding mechanism in Crowds. Proceedings of the International Conference on Communication (ICC), Anchorage, AK, May 2003; 261–265.

22. Vaha-Sipila A, Virtanen T. BT-Crowds: Crowds-style anonymity with Bluetooth and Java. Proceedings of the IEEE Annual Hawaii International Conference on System Sciences (HICSS), Washington, DC, 2005; 1–11.

23. Xu G. Wireless Crowds based on NTRU. Technical Report, Iowa State University, 2001.

24. Cencioni P, Di Pietro R. VIPER: a vehicle-to-infrastructure communication privacy enforcement protocol. Proceedings of the IEEE International Conference on Mobile Adhoc and Sensor Systems (MASS), Pisa, Italy, 2007; 1–6.

25. Rebollo-Monedero D, Forné J, Solanas A, Martínez-Ballesté T. Private location-based information retrieval through user collaboration. Computer Communications 2010; 33(6): 762–774. Available at: http://dx.doi.org/10.1016/j.comcom.2009.11.024 [Accessed date: 19 April 2013].

26. Chaum D. The dining cryptographers problem: unconditional sender and recipient untraceability. Journal of Cryptology 1988; 1(1): 65–75.

27. Cover T M, Thomas J A. Elements of Information Theory, 2nd ed. Wiley: New York, 2006.

28. Serjantov A, Danezis G. Towards an information theoretic metric for anonymity. In Proceedings of the International Conference on Privacy Enhancing Technologies (PET), vol. 2482. Springer-Verlag: Berlin, Germany, 2002; 41–53.

29. Díaz C, Seys S, Claessens J, Preneel B. Towards measuring anonymity. In Proceedings of the International Conference on Privacy Enhancing Technologies (PET), vol. 2482, Lecture Notes in Computer Science (LNCS). Springer-Verlag: Berlin, Germany, April 2002; 54–68.

30. Rebollo-Monedero D, Parra-Arnau J, Diaz C, Forné J. On the measurement of privacy as an attacker's estimation error. International Journal of Information Security 2013; 12(2): 129–149.

31. Bagai R, Jiang N. Measuring anonymity by profiling probability distributions. Proceedings of the IEEE International Conference on Trust, Security and Privacy in Computing and Communication (TRUSTCOM), Liverpool, UK, Jun. 2012; 366–374.

32. Chen S, Nahrstedt K. On finding multi-constrained paths. Proceedings of the International Conference on Communication (ICC), Atlanta, GA, Jun. 1998; 874–879.

33. Boban M, Misek G, Tonguz O K. What is the best achievable QoS for unicast routing in VANETs? Proceedings of the IEEE Global Telecommunication Conference (GLOBECOM), New Orleans, LA, Dec. 2008; 1–10.

34. Boyd S, Vandenberghe L. Convex Optimization. Cambridge University Press: Cambridge, UK, 2004.

35. Horn R A, Johnson C R. Matrix Analysis. Cambridge University Press: Cambridge, UK, 1985.
