Probabilistic Analysis of Onion Routing in a Black-box Model

TL;DR

This paper provides a probabilistic analysis of onion routing's anonymity properties in a black-box model, quantifying how an active adversary's knowledge impacts user anonymity as network size grows.

Contribution

It introduces a formal probabilistic framework for analyzing onion routing's anonymity in the presence of an active adversary controlling part of the network.

Findings

Anonymity is worst when other users' choices are either all u's least likely or most likely destinations.

As network size increases, worst-case anonymity approaches the best-case scenario under certain adversary controls.

The analysis compares the impact of adversaries controlling different fractions of the network on user anonymity.

Abstract

We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication in the Universally Composable framework that abstracts the essential properties of onion routing in the presence of an active adversary that controls a portion of the network and knows all a priori distributions on user choices of destination. Our results quantify how much the adversary can gain in identifying users by exploiting knowledge of their probabilistic behavior. In particular, we show that, in the limit as the network gets large, a user u's anonymity is worst either when the other users always choose the destination u is least likely to visit or when the other users always choose the destination u chooses. This worst-case anonymity with an adversary that controls a fraction b of the routers is shown to be comparable to the best-case anonymity against an adversary that controls a fraction \surdb.