Breaking anonymity by learning a unique minimum hitting set

Abstract

Anonymity protocols are not secure unless the communication structure is not learnable even in the case that the entire network traffic can be monitored by an adversary. When the true communication structure is cloaked under anonymity sets, the adversary may disclose the peers of a certain user by waiting for the observations to contain a unique minimum hitting set. This approach has been called the hitting set attack in the literature. We give the first mathematical analysis on the number of observations required to learn a unique minimum hitting set. Because this attack involves solving an NP-hard problem in each round, we propose two new learning algorithms, both of which are very efficient computationally. The first one breaks anonymity by combining the most suspicious elements into a hitting set. Because this algorithm is not capable of verifying its hypothesis, it is imperative to estimate the required number of observations. On the other hand, the second one is able to prove its hypothesis correct, but needs more observations. © 2009 Springer.