Paper 2017/1000

No right to remain silent: Isolating Malicious Mixes

Hemi Leibowitz and Ania Piotrowska and George Danezis and Amir Herzberg

Abstract

Mix networks are a key technology to achieve network anonymity, private messaging, voting and database lookups. However, simple mix networks are vulnerable to malicious mixes, which may drop or delay packets to facilitate traffic analysis attacks. Mix networks with provable robustness address this drawback through complex and expensive proofs of correct shuffling, but come at a great cost and make limiting or unrealistic systems assumptions. We present {\em Miranda}, a synchronous mix network mechanism, which is {\em provably secure} against malicious mixes attempting active attacks to de-anonymize users, while retaining the simplicity, efficiency and practicality of mix networks designs. Miranda derives a robust mix reputation through the first-hand experience of mix node unreliability, reported by clients or other mixes. As a result, each active attack -- including dropping packets -- leads to reduced connectivity for malicious mixes and reduces their ability to attack. We show, through experiments, the effectiveness and practicality of Miranda by demonstrating that attacks are neutralized early, and that performance does not suffer.