Privacy and Performance Trade-offs in Anonymous Communication Networks

Abstract

Anonymous communication systems attempt to prevent adversarial eavesdroppers from learning the identities of any two parties communicating with each other. In order to protect from global adversaries, such as nation states and large internet service providers, systems need to induce large amounts of latency in order to sufficiently protect users identities. Other systems sacrifice protection against global adversaries in order to provide low latency service to their clients. This makes the system usable for latency sensitive applications like web browsing. In turn, more users participate in the low latency system, increasing the anonymity set for everybody. These trade-offs on performance and anonymity provided are inherent in anonymous communication systems. In this dissertation we examine these types of trade-offs in Tor, the most popular low latency anonymous communication system in use today. First we look at how user anonymity is affected by mechanisms built into Tor for the purpose of increasing client performance. To this end we introduce an induced throttling attack against flow control and traffic admission control algorithms which allow an adversarial relay to reduce the anonymity set of a client using the adversary as an exit. Second we examine how connections are managed for inter-relay communication and look at some recent proposals for more efficient relay communication. We show how some of these can be abused to anonymously launch a low resource denial of service attack against target relays. With this we then explore two potential solutions which provide more efficient relay communication along with preventing certain denial of service attacks. Finally, we introduce a circuit selection algorithm that can be used by a centralized authority to dramatically increase network utilization. This algorithm is then adapted to work in a decentralized manner allowing clients to make smarter decisions locally, increasing performance while having a small impact on client anonymity.