Cashmere: Resilient Anonymous Routing
Abstract
Anonymous routing protects user communication from identification by third-party observers. Existing anonymous routing layers utilize Chaum-Mixes for anonymity by relaying traffic through relay nodes called mixes. The source defines a static forwarding path through which traffic is relayed to the destination. The resulting path is fragile and shortlived: failure of one mix in the path breaks the forwarding path and results in data loss and jitter before a new path is constructed. In this paper, we propose Cashmere, a resilient anonymous routing layer built on a structured peer-to-peer overlay. Instead of single-node mixes, Cashmere selects regions in the overlay namespace as mixes. Any node in a region can act as the MIX, drastically reducing the probability of a mix failure. We analyze Cashmere's anonymity and measure its performance through simulation and measurements, and show that it maintains high anonymity while providing orders of magnitude improvement in resilience to network dynamics and node failures.
Li Zhuang, Feng Zhou (U. C. Berkeley, {zl,zf}@cs.berkeley.edu)
Ben Y. Zhao (U. C. Santa Barbara, ravenben@cs.ucsb.edu)
Antony Rowstron (Microsoft Research UK, antr@microsoft.com)
1 Introduction
In many applications it is desirable to hide the identity of the communicating parties from each other and third-party observers. The ability to anonymously route packets is used in many applications, such as anonymous web browsing [1], anonymous voting and in peer-to-peer applications wanting to ensure fair resource sharing [19].
The first generation of applications that used anonymous routing, including the Anonymizer [1], were centralized, with central points of failure. More recent anonymous routing proposals [22, 30, 11] extend Chaum-Mixes [3] by forwarding traffic through a sequence of relays. Each relay is a single network endpoint. They attempt to ensure that the identity of the message source is never revealed to the destination, and the source and destination identities are hidden from relays and third-party observers. They achieve this by wrapping the payload and the sequence of relays through which a message is to be forwarded in layers of public key encryption, with one layer for each relay to be used. This requires that a set of relays be statically chosen at the beginning of a communication session. In general, if $A$ sends a message $M$ to $B$, then $A$ defines a forwarding path that is a sequence of $L$ relays $R_1, R_2, \ldots, R_L$. Each relay has a public/private key pair, where the public key of relay $R_i$ is $K_i$. The message $M$ is then sent encrypted in the form of $R_1 \langle R_2, \langle R_3, \ldots \langle R_L, \langle B, M \rangle_{K_L} \rangle_{K_{L-1}} \ldots \rangle_{K_2} \rangle_{K_1}$.
Successful end-to-end message delivery requires that every relay $R_i$ in the forwarding path successfully decrypts its designated layer and forwards the message to the next relay. If the next relay has failed or is unreachable, then the message cannot be forwarded any further. When this occurs the source must discover the failure and then select a new set of live relays and resend the payload. Detecting failures in the routing path is made difficult because relays cannot send error messages to the anonymous source. This means that while these systems work in static and reliable networks, their performance degrades on less reliable wide-area links. They are also unlikely to function well on peer-to-peer and ad-hoc networks, where both end-point and link failure are observed regularly.
We propose a failure resilient anonymous routing system called Cashmere. Cashmere achieves resilience by using a set of distributed endpoints as a single virtual relay rather than a single endpoint. We refer to these endpoints as relay groups, and the forwarding path used in Cashmere is a sequence of relay groups. All members of a relay group share a public/private key pair. Layered encryption is still used on the forwarding path, using the public key of the relay group. Every member of the relay group has the ability to independently decrypt the next layer in the forwarding path. A forwarding path is valid as long as each relay group used in the forward-
While Chaum-Mixes route to the destination as the last hop, the destination in Cashmere is a member of any one of the relay groups on the forwarding path. The source randomly orders the relay groups to hide the destination relay group. When a message arrives at a member of a relay group, the receiver both anycasts the message to the next relay group and broadcasts the decrypted contents to all other members of the relay group. This ensures that if the destination is a member of the current group, it will receive the message.
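As an added, runnable illustration of the two mechanisms described above (the layered construction $R_1 \langle R_2, \ldots \langle B, M \rangle_{K_L} \ldots \rangle_{K_1}$ and relay groups whose members share one key, so that any live member can strip the next layer), here is example Python that is not part of the paper or its implementation. It assumes the following: each per-relay public-key layer is replaced by a symmetric encrypt-then-MAC layer built from HMAC-SHA256 so the code runs with the standard library alone (a stand-in, not a public-key scheme); the group names, member names and keys are constructed for the example; anycast is modelled as delivery to any one live member of the next group; the random ordering of groups and placing the destination inside a group are not modelled, so the destination $B$ is the final hop exactly as in the Chaum-Mix form. `path_survival` computes, under independent member failures with probability $p$, the probability that every one of $L$ hops has at least one live member among its $g$ members; $g = 1$ is the single-node relay case.

```python
import hashlib
import hmac
import os
import random

LABEL, NONCE, TAG = 8, 16, 32   # next-hop label width, nonce and MAC sizes (bytes)


def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; a stand-in for per-relay public-key encryption.
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:n])


def seal(key, plaintext):
    """Encrypt-then-MAC one layer: nonce || body || tag."""
    nonce = os.urandom(NONCE)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_layer(key, blob):
    """Verify the tag, then strip one layer; raises if the layer was altered."""
    nonce, body, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("layer authentication failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))


def _label(name):
    return name.encode().ljust(LABEL, b"\0")


def wrap(path, dest, payload, keys):
    """Build R1 < R2, < ... < RL, < B, M >KL ... >K2 >K1 from the innermost layer out.
    path = [R1, ..., RL] (here: relay group names); keys[name] = that hop's key.
    Returns (first hop, onion)."""
    inner, next_hop = payload, dest
    for hop in reversed(path):
        inner = seal(keys[hop], _label(next_hop) + inner)
        next_hop = hop
    return next_hop, inner


def peel(key, onion):
    """One relay's work: decrypt its layer, learning only the next hop and the rest."""
    plain = open_layer(key, onion)
    return plain[:LABEL].rstrip(b"\0").decode(), plain[LABEL:]


def forward(first_hop, onion, groups, live, dest, rng=random):
    """Relay an onion through relay groups. groups[name] = (shared key, [members]).
    A hop succeeds if any live member receives the message (anycast); that member
    peels the layer and broadcasts the plaintext to its group-mates, so the path
    breaks only when a whole region is down. Returns (delivered, payload, trace)."""
    trace, hop, blob = [], first_hop, onion
    while hop != dest:
        key, members = groups[hop]
        alive = [m for m in members if m in live]
        if not alive:
            return False, None, trace
        handler = rng.choice(alive)
        trace.append((handler, [m for m in members if m != handler]))
        hop, blob = peel(key, blob)
    return True, blob, trace


def path_survival(L, g, p):
    """P(every hop has a live member) for L hops of g members, each failing
    independently with probability p; g = 1 is the single-node Chaum-Mix case."""
    return (1 - p ** g) ** L


def demo(kill=()):
    # Constructed network: three relay groups of three members, one shared key per group.
    groups = {f"G{i}": (hashlib.sha256(f"demo-group-key-{i}".encode()).digest(),
                        [f"G{i}-n{j}" for j in range(3)]) for i in (1, 2, 3)}
    keys = {name: key for name, (key, _) in groups.items()}
    first, onion = wrap(["G1", "G2", "G3"], "B", b"hello", keys)
    live = {m for _, members in groups.values() for m in members} - set(kill)
    return forward(first, onion, groups, live, "B", random.Random(7))


if __name__ == "__main__":
    ok, msg, trace = demo()
    print(ok, msg, [h for h, _ in trace])               # delivered, payload, handler per hop
    print(demo(kill=("G2-n0", "G2-n1"))[0])             # one member of G2 left: True
    print(demo(kill=("G2-n0", "G2-n1", "G2-n2"))[0])    # whole region G2 down: False
    print(path_survival(5, 1, 0.1), path_survival(5, 3, 0.1))
```

Each entry of the returned trace records the member that handled the message at that hop and the group-mates it broadcast the decrypted contents to; killing two of the three members of a group still leaves the path valid, while the single-node case ($g = 1$) breaks on the first failed relay.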
Design Goals There are different types of anonymity [23]. Cashmere is designed to provide both source anonymity and unlinkability of source and destination. Unlinkability means that even if the source and destination can each be identified as participating in some communication, they cannot be identified as communicating with each other. Source anonymity means that the identity of the source is hidden from all other nodes including the receiver. An attacker may be able to associate a set of messages with the same session but cannot determine the source, destination or the message payload. Provided the source does not divulge its identity in the message payload or collude with attackers, Cashmere provides both source anonymity and unlinkability even if the destination is controlled by an attacker. Cashmere can easily be extended to provide destination anonymity, where the destination's identity is hidden from all other nodes including the source, using an additional level of indirection.
Attack model We assume the attacker controls a fraction $f$ of the nodes in the Cashmere network and these compromised nodes collude, sharing all information such as private keys. We assume a Byzantine failure model where compromised nodes can behave arbitrarily. The attacker can observe all messages sent over the network, regardless of whether the source or destination is controlled by the attacker, and there is zero latency for messages sent between compromised nodes.
The rest of this paper is structured as follows. We give an overview of related work and their limitations in Section 2. Next, we present the design of Cashmere in Section 3. We then discuss details of our current Cashmere implementation in Section 4. In Section 5, we analyze the level of anonymity in Cashmere and evaluate its security and performance using both simulation and measurements from an actual implementation. Finally, we outline future work and conclude in Section 6.
2 Related Works and Limitations
The original anonymous system redirected traffic through a centralized proxy [1]. Chaum [3] improved on this by using mix networks to create anonymous email, and inspired a number of subsequent systems [11, 24, 10, 7], including the Onion Routing system [22, 31]. Onion Routing relies on traffic redirection between a static set of dedicated onion routers that maintain pair-wise symmetric keys. To send a message, the source selects a set of currently active routers through which a message is forwarded. These requirements limit the scalability of Onion Routing, especially in environments with node churn. Tor [9] proposes using a directory server to maintain router information but this approach is also limited in scalability. It has also been shown that if the first or last router is compromised in an Onion Routing network, the source or destination is revealed [30].
Tarzan [11] also uses layered encryption and multi-hop routing. The source chooses a set of relays to act as a path and iteratively establishes a tunnel through these relays with symmetric keys between them. Hence, the creation of a tunnel incurs both significant computation overhead and delay. The tunnels are static and any relay failure requires formation of a new tunnel.
Crowds [23] and more recently AP3 [16] make use of probabilistic random forwarding. Crowds is limited in scalability because of its centralized admission control server, and has been shown to provide lower anonymity than Chaum-Mixes based systems [8].
Wright et al. [32, 33] have shown that relying on static forwarding paths impacts the anonymity properties of anonymous routing layers. They proposed a degradation attack applicable to Crowds, Onion Routing and other anonymizing systems that exploits the requirement to reconstruct the paths when they break due to node or link failure. During a long communication session, the path between source and destination is reconstructed many times, and each instance of the path must include the sender. After a large number of resets, the sender has much higher probability of being a path member than other nodes. Assume that the first attacker on each path (of the same session) logs its predecessor. After a number of path resets, the identity of the sender can be guessed with increasing probability.
Cashmere addresses these limitations by removing the reliance on static paths. By using flexible relay groups to maintain resilient long-lived paths, we improve performance by reducing path reconstruction time, and also reduce our vulnerability to the degradation attacks [32, 33] mentioned above. We gain these benefits with minimal loss to the level of anonymity attained compared to other Chaum-Mixes approaches.
3 Cashmere Architecture
Cashmere uses layered-encryption and multi-hop routing through relays. Instead of using a single node as a relay,