Design of Pool Mixes Against Profiling Attacks in Real Conditions

Bibliographic details
Published in: IEEE/ACM transactions on networking 2016-12, Vol.24 (6), p.3662-3675
Main authors: Oya, Simon; Perez-Gonzalez, Fernando; Troncoso, Carmela
Format: Article
Language: eng
Description
Summary: Current implementations of high-latency anonymous communication systems are based on pool mixes. These tools act as routers that apply a random delay to the messages traversing them, making it hard for an eavesdropper to guess the correspondences between incoming and outgoing messages. This hides the identities of communicating partners in the network, but it does not prevent an adversary continuously monitoring the network from unveiling the communication profiles of the users. In this paper, we tackle the problem of designing the delay characteristic of pool mixes so as to maximize the protection of the users against profiling attacks. First, we propose a theoretical model for users' sending behavior which we validate using three real data sets of a different nature. Then, we use this model to perform a privacy analysis of the system and obtain the delay function of the mix, which is optimal in the sense of protecting the users. Since computing the delay characteristic of this optimal pool mix requires information about the users' behavior, we also propose a user-independent but less effective mix design. We evaluate these pool mixes, comparing them with one of the most studied existing designs, the binomial pool mix. Our experiments show that an adversary against our optimal design may need up to 30 times as long to achieve the same level of disclosure as for a binomial pool mix.
ISSN: 1063-6692, 1558-2566
DOI: 10.1109/TNET.2016.2547391