Paper 2016/943

Stadium: A Distributed Metadata-Private Messaging System

Nirvan Tyagi, Yossi Gilad, Derek Leung, Matei Zaharia, and Nickolai Zeldovich


Private communication over the Internet remains a challenging problem. Even if messages are encrypted, it is hard to deliver them without revealing metadata about which pairs of users are communicating. Scalable anonymity systems, such as Tor, are susceptible to traffic analysis attacks that leak metadata. In contrast, the largest-scale systems with metadata privacy require passing all messages through a small number of providers, requiring a high operational cost for each provider and limiting their deployability in practice. This paper presents Stadium, a point-to-point messaging system that provides metadata and data privacy while scaling its work efficiently across hundreds of low-cost providers operated by different organizations. Much like Vuvuzela, the current largest-scale metadata-private system, Stadium achieves its provable guarantees through differential privacy and the addition of noisy cover traffic. The key challenge in Stadium is limiting the information revealed from the many observable traffic links of a highly distributed system, without requiring an overwhelming amount of noise. To solve this challenge, Stadium introduces techniques for distributed noise generation and differentially private routing as well as a verifiable parallel mixnet design where the servers collaboratively check that others follow the protocol. We show that Stadium can scale to support 4X more users than Vuvuzela using servers that cost an order of magnitude less to operate than Vuvuzela nodes.

Available format(s)
Publication info
Published elsewhere. MAJOR revision.SOSP 2017
anonymous communicationdifferential privacymixnetverifiable shuffle
Contact author(s)
tyagi @ cs cornell edu
2017-09-25: revised
2016-10-01: received
See all versions
Short URL
Creative Commons Attribution


      author = {Nirvan Tyagi and Yossi Gilad and Derek Leung and Matei Zaharia and Nickolai Zeldovich},
      title = {Stadium: A Distributed Metadata-Private Messaging System},
      howpublished = {Cryptology ePrint Archive, Paper 2016/943},
      year = {2016},
      doi = {10.1145/3132747.3132783},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.