Nonesuch: a Mix Network with Sender Unobservability Thomas S. Andrei Serjantov Benessa Defend Heydt-Benjamin The Freehaven Project University of Massachusetts at University of Massachusetts at [email protected] Amherst Amherst [email protected] [email protected] ABSTRACT common among such anonymity systems that certain kinds Oblivious submission to anonymity systems is a process by of adversaries can easily determine the identity of all enti- which a message may be submitted in such a way that nei- ties submitting messages to the network. In Mixminion [5] ther the anonymity network nor a global passive adversary and other mix-based designs, for example, a sender can be may determine that a valid message has been sent. We identified with certainty by a global passive adversary or present Nonesuch: a mix network with steganographic sub- even a single corrupt entry node [17]. In other words, many mission and probabilistic identification and attenuation of systems (with the notable exception of DC-nets) provide un- cover traffic. In our system messages are submitted as ste- linkability rather than sender unobservability and hence the gotext hidden inside Usenet postings. The steganographic identities of all the senders are easily known. extraction mechanism is such that the the vast majority of There are many situations, however, in which mere knowl- the Usenet postings which do not contain keyed stegotext edge of submission is too much knowledge to permit the will produce meaningless output which serves as cover traf- adversary to achieve. Even if the contents and the recipi- fic, thus increasing the anonymity of the real messages. This ent of a message are occluded by the anonymity network, a cover traffic is subject to probabilistic attenuation in which sender may wish to keep secret the very fact of participa- nodes have only a small probability of distinguishing cover tion in an anonymity protocol. Users who need this level messages from “real” messages. This attenuation prevents of privacy protection include, for example, citizens of op- cover traffic from travelling through the network in an infi- pressive governments with widespread surveillance, and cor- nite loop, while making it infeasible for an entrance node to porate whistle blowers. In addition to possible threats of distinguish senders. negative consequences for participating in anonymous com- munication, these users may be prevented from participation by an adversarial service provider. Categories and Subject Descriptors We propose Nonesuch: a high latency mix network which D.2.11 [Software]: Software Architectures, Information Hid- supports oblivious submission. Nonesuch provides the same ing; C.2.1 [Computer Systems Organization]: ,Computer- sender-receiver unlinkability provided by other mix networks, Communication Networks, Network Architecture and De- while providing better sender anonymity and strong pro- sign; E.3 [Data Encryption]: ,Public Key Cryptosystems tection against tagging attacks. Nonesuch offers improved sender anonymity against both compromised nodes and against General Terms passive adversaries. In Nonesuch, users steganographically embed messages in Algorithms, Security images which they then post to the most popular Usenet newsgroups. Note that by the nature of popularity, neither Keywords subscribing to nor posting to these newsgroups is a suspi- cious activity. The majority of images in Usenet will not Mix Networks, Sender Unobservability, Public Key, Steganog- contain stegotext and will serve as cover traffic. Nonesuch raphy, Oblivious Channels, Minx Packet Format nodes operate by performing a steganographic extraction on each new posting to the protocol-specified range of Usenet 1. INTRODUCTION newsgroups. These messages are then routed based on a Many different kinds of anonymity networks exist in which tunably sparse routing table. This routing mechanism per- it is difficult to link senders of messages to recipients. It is mits correct routing of messages while only slightly reducing the anonymity set of a valid message from the set of all valid messages and cover traffic combined. Cover traffic is prob- abilistically revealed as such and is attenuated out of the Permission to make digital or hard copies of all or part of this work for network as soon as it is detected. personal or classroom use is granted without fee provided that copies are Anonymity of messages and quantity of cover traffic are not made or distributed for profit or commercial advantage and that copies inversely proportional. As a message travels deeper in the bear this notice and the full citation on the first page. To copy otherwise, to anonymity network it becomes more difficult to link it to its republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. entrance and thus its sender. In Nonesuch, cover traffic is WPES’06, October 30, 2006, Alexandria, Virginia, USA. attenuated as it travels deeper. Therefore we concentrate Copyright 2006 ACM 1-59593-556-8/06/0010 ...$5.00. Figure 1: In the Nonesuch protocol submission is accomplished over a subliminal channel, and anonymity nodes can only distinguish real messages from cover traffic with small probability. cover traffic where it is most needed; to occlude submission. difficult for an adversary to distinguish senders from non- Cover traffic then becomes sparse where it is not needed; at sending participants. An important difference between Bauer’s the end of a real message’s path. system and ours is that his system requires the participa- In this paper we: tion of the servers belonging to popular websites, whereas our protocol uses only existing features of Usenet. We ob- 1. Present a novel design for oblivious submission serve that it is much easier for a user to submit a posting to Usenet than to submit software to a major website and ask 2. Utilize the Minx packet format in what we believe is a them to run it on their servers. novel way The Minx packet format uses probabilistic attenuation in order to gain resistance to active tagging attacks [6]. While 3. Present a Baysean inference based attack against un- this goal is quite different from our central one of oblivious certainty about the number of real and dummy mes- submission we find the Minx packet format compatible with sages in the mix our system as discussed in section 3.3. 4. Demonstrate that this attack does not alter the advan- All mixes are vulnerable to timing attacks [13]. However, tage of Nonesuch over more traditional Mix networks Since all non-Nonesuch postings to the most popular Usenet image newsgroups serve as cover traffic in our system, the volume of cover traffic in Nonesuch is both high and difficult 2. RELATED WORK for an adversary to control. Our system should therefore be Chaum [4] introduced the concept of anonymizing mix more resilient than mix-based systems which have less cover networks. ore modern systems, such as Mixminion [5] al- traffic, or which rely on artificial (and therefore more easily low features such secure anonymous replies, resistance to manipulated) dummy traffic for cover. tagging, and more security against active attacks. More ad- DC-nets [3] provide strong sender anonymity, in which vanced analysis techniques allow us to prove [2] or at least a passive adversary is not aware of when an originator is to some extent analyze mix networks [15, 7]. sending a message. However, the adversary can still deter- Nevertheless, mix net protocols offer strong sender-receiver mine that the sender is a member of an anonymity network. unlinkability, especially when few messages are exchanged. Disclosure of this knowledge is unacceptable in situations However, none of these systems conceal the fact that an where entities such as governments or companies may pro- originator has submitted a message to the mix net when the hibit involvement in anonymity networks. Nonesuch pro- originator’s outgoing traffic is monitored by a passive adver- vides strong sender anonymity without requiring the sender sary. Nonesuch offers secret submission to a mix net using to join an anonymity network. Our system does not, how- a steganographic covert channel. ever, provide recipient anonymity which is a property of Our work is inspired in part by Matthias Bauer’s work on DC-nets. limited unobservability in the context of a mix network [1]. This system uses covert channels in HTTP to make it more first b bits of file difficult problem, and is not the focus of this work. We note 0101001010011101010010 that the global parameter distribution problem for Nonesuch 101001011011101001010} 1 Message 1001010100101011011101010011 Routing Table is almost exactly the same as that for Tor and Mixminion. A 0110100110110111101010110101 satisfactory solution for either of these systems will also suf- 1101101001010011110101010110 Node J 0101001101001001001001001011 fice for Nonesuch. At the moment both Tor and Mixminion 0110101001001010101100101010 Node A 0010100101010101101001001001 rely on trusted directory servers [8, 5]. For simplicity of dis- 1001110110100101010001001011 1101100001011010110110101010 Node Q cussion, let us assume the existence of a trusted certificate 0101001010011101010010 Node T authority, which we will call CA. In implementation, CA 1010010110111010010101 h( ) Node Y can be replaced with any suitable directory server scheme. Nodes wishing to participate in the protocol contact CA Node E before the beginning of a new time epoch. The nodes must 1101001010010110101001 1111101010010100101001 <Discard> participate throughout the epoch or else some messages