A Combinatorial Approach to Measuring Anonymity

Abstract: In this paper we define a new metric for quantifying formally define our proposed anonymity metric. We then show the degree of anonymity collectively afforded to users of an how our model can be generalized to include probabilistic anonymous communication system. We show how our metric, information in Section III. We demonstrate how to apply our based on the permanent of a matrix, can be useful in evaluating the amount of information needed by an observer to reveal the metio some common type o me istin iV. In … Show more

“…Much of the work on anonymity metrics, such as that of Serjantov and Danezis [1] or of Diaz, Seys, Claessens and Preneel [2], has focused on measuring anonymity from the point of view of a single message or user. In contrast, Edman, Sivrikaya and Yener [3] proposed a system-wide metric for measuring an attacker's uncertainty in linking each input message of a system with the corresponding output message it exited the system as. They employ the framework of a complete bipartite graph between the system's input and output messages.…”

“…Edman et al [3] gave metrics for measuring anonymity after two kinds of attacks, which we name as infeasibility and probabilistic attacks. Infeasibility attacks determine infeasibility of some edges in the system's complete bipartite graph and arrive at a reduced graph by removing such edges.…”

“…Probabilistic attacks, on the other hand, arrive at probabilities for each edge in the complete bipartite graph of being the actual communication pattern. Both metrics of [3] are based upon permanent values of certain underlying matrices.…”

“…We first demonstrate that while the metric given in [3] for infeasibility attacks is sound, the one for probabilistic attacks has two major shortcomings. We then propose a new, unified anonymity metric for both classes of attacks that overcomes these shortcomings.…”

“…By presenting an intuitive understanding of the permanent of a matrix for probabilistic attacks, we show that the first shortcoming of the metric in [3] for such attacks is that the permanent, which is a composite value, is at best a rough indicator of the system's anonymity level. We highlight situations in which the permanent is especially inadequate, and show that a better anonymity indicator is the breakdown of the permanent as a probability distribution on the graph's perfect matchings.…”

An Accurate System-Wide Anonymity Metric for Probabilistic Attacks

“…Much of the work on anonymity metrics, such as that of Serjantov and Danezis [1] or of Diaz, Seys, Claessens and Preneel [2], has focused on measuring anonymity from the point of view of a single message or user. In contrast, Edman, Sivrikaya and Yener [3] proposed a system-wide metric for measuring an attacker's uncertainty in linking each input message of a system with the corresponding output message it exited the system as. They employ the framework of a complete bipartite graph between the system's input and output messages.…”

“…Edman et al [3] gave metrics for measuring anonymity after two kinds of attacks, which we name as infeasibility and probabilistic attacks. Infeasibility attacks determine infeasibility of some edges in the system's complete bipartite graph and arrive at a reduced graph by removing such edges.…”

“…Probabilistic attacks, on the other hand, arrive at probabilities for each edge in the complete bipartite graph of being the actual communication pattern. Both metrics of [3] are based upon permanent values of certain underlying matrices.…”

“…We first demonstrate that while the metric given in [3] for infeasibility attacks is sound, the one for probabilistic attacks has two major shortcomings. We then propose a new, unified anonymity metric for both classes of attacks that overcomes these shortcomings.…”

“…By presenting an intuitive understanding of the permanent of a matrix for probabilistic attacks, we show that the first shortcoming of the metric in [3] for such attacks is that the permanent, which is a composite value, is at best a rough indicator of the system's anonymity level. We highlight situations in which the permanent is especially inadequate, and show that a better anonymity indicator is the breakdown of the permanent as a probability distribution on the graph's perfect matchings.…”

An Accurate System-Wide Anonymity Metric for Probabilistic Attacks

Practical Metrics for Evaluating Anonymous Networks

A Theory of Gray Security Policies