On the Analysis of the Predecessor Attack on Anonymity Systems

Systems that allow users to communicate anonymously with a destination have received increasingly more attention since users of network applications became more concerned with their privacy. Unfortunately, anonymity systems are vulnerable to attacks that attempt to reveal the identity of nodes that communicate anonymously. Moreover, the distributed nature of such systems facilitates certain types of attacks. In this paper we focus on the predecessor attack, a robust traffic analysis attack that targets nodes that communicate with the same destination repeatedly over time. In particular, we perform a qualitative analysis of the attack using a generalized model for anonymous communication. We establish the necessary and sufficient conditions for the attack to succeed and also determine the effort required by the attacker. We consider different situations and investigate the scenario where multiple nodes communicate with the same destination. Our results show that for a common class of protocols, where paths are constructed uniformly at random, the attack always succeeds and the effort required is proportional to the number of initiators and the number of nodes in the system. Moreover, knowing the number of initiators present in the system does not reduce the effort required by the attacker. Understanding the capabilities and limitations of this attack is an important step toward designing more secure anonymity systems.