Delay Anonymity Tradeoff in Mix Networks: Optimal Routing

Anonymous systems on the Internet aim to protect users from revealing to an external unauthorized entity their identities and their network activities. Despite using layered encryption, these systems are still vulnerable to timing analysis, wherein an eavesdropper can use traffic correlation mechanisms to identify the source of packets arriving at a destination. Mixes are intelligent routers or proxy servers that aim to provide packet source anonymity from timing analysis by delaying and shuffling the order of received packets prior to transmission. Such shuffling strategies naturally increase latency and result in a tradeoff between anonymity and latency. This paper investigates this tradeoff in a network of mixes, by deriving the optimal routing for sources which maximizes weighted sum of anonymity and delay. The achievable anonymity is characterized analytically for a general multipath model, and it is shown that under light traffic conditions, there exists a unique single route strategy, which achieves the optimal delay anonymity tradeoff. A low complexity algorithm is presented that derives the optimal routes to achieve a desired tradeoff. The light traffic results are specialized for a graphical model of existing practical anonymous systems, and optimal scaling behavior with the size of such networks is characterized. In the heavy traffic regime, it is shown that optimal anonymity is achieved for any allocation of rates across the different routes. Simulations on example networks are presented where it is shown that the optimal routes derived under light traffic performs quite well in general traffic regime.