PHI: Path-Hidden Lightweight Anonymity Protocol at Network Layer

  • 1 Carnegie Mellon University, United States of America
  • 2 ETH Zurich, Switzerland


We identify two vulnerabilities in existing high-speed network-layer anonymity protocols, such as LAP and Dovetail. First, the header formats of LAP and Dovetail leak path information, reducing the anonymity-set size when an adversary launches topological attacks. Second, ASes can launch session hijacking attacks to deanonymize destinations. HORNET addresses these problems but incurs additional bandwidth overhead and latency.

In this paper, we propose PHI, a Path-HIdden lightweight anonymity protocol that solves both challenges while maintaining the same level of efficiency as LAP and Dovetail. We present an efficient packet header format that hides path information and a new back-off setup method that is compatible with current and future network architectures. Our experiments demonstrate that PHI expands anonymity sets of LAP and Dovetail by over 30x and reaches 120 Gbps forwarding speed on a commodity software router.
