Balancing anonymity and resilience in anonymous communication networks

Anonymous communication networks (ACNs) are intended to protect the metadata privacy during the communication. As typical ACNs, onion mix-nets adopt source routing where the source defines a static path and wraps the message with the public keys of on-path nodes so that the message could be delivered to the destination. However, onion mix-nets lack resilience when the static on-path mixes fail, which could result in message loss, communication failure and even de-anonymization attacks. Therefore, it is desirable to achieve routing resilience in onion mix-nets for persistent routing capability even against node failure. The state-of-the-art solutions mainly adopt mix groups and thus need to share secrets among all the group members, which may cause single point of failure and render massive loss of anonymity. To address the above problem, in this work we design a hybrid routing approach, which essentially embeds the onion mix-net with hop-by-hop routing to achieve desirable routing resilience. Furthermore, we extend our scheme with a threshold setting, and propose T-hybrid routing to mitigate the anonymity loss when group mixes are compromised. Besides, we propose the active defense mechanism to defend replay attacks in the scenario of mix groups. As for experimental evaluations, we conduct a quantitative analysis of the resilience and anonymity for various schemes, and demonstrate that T-hybrid routing can achieve a good balance between resilience and anonymity. In addition, we manage to realize the full T-hybrid routing prototype and test its performance in the cloud hosting environment. The experimental results show that compared with typical onion mix-nets, our T-hybrid routing mechanism only increases about 20%-25% regarding the end-to-end delay, and thus is still practical while with better resilience. © 2020 Elsevier Ltd