The Loopix Anonymity System

Ania M. Piotrowska1 Jamie Hayes1 Tariq Elahi2 Sebastian Meiser1

George Danezis1

1 2
University College London, UK KU Leuven

1 / 19
Mixnets Background
A set of cryptographic relays hiding input and output correspondence, by using
layered encryption and secret permutation.

Alice Other users

Bob

Other users

2 / 19
Motivation

Mixnet design shortcomings:

In order to guarantee anonymity, mixnet requires long delays (high
latency) and cover traffic (scalability).
Not resistant against active attacks.
No support for offline delivery.

Onion-routing design shortcomings:

Not resistant against global passive adversary.

3 / 19
Loopix Overview

A new mixnet-based anonymous communication system, allowing for a tunable

trade-off between latency and genuine and cover traffic volume.

Sender Service Provider Service Provider Recipient

Mixnet

4 / 19
Loopix Overview

A new mixnet-based anonymous communication system, allowing for a tunable

trade-off between latency and genuine and cover traffic volume.

Sender Service Provider Service Provider Recipient

Mixnet

5 / 19
End-to-end messages

6 / 19
Drop cover traffic

7 / 19
Client’s loop cover traffic

8 / 19
Mix’s loop cover traffic

9 / 19
Client - Provider Link
Sending - each stream of traffic follows a Poisson process

ΛP
Λ P + ΛD + Λ L
ΛL
ΛD

Retrieving - a fixed number of packets from the Provider

10 / 19
Mixing strategy - Poisson mix

Each packet is delayed according to a sender determined exponential

delay.

Properties:
Poisson mix can be modeled as a pool mix.
Event i − 1 Event i + 1

Pool i − 1 Pool i Pool i + 1

Event i Event i + 2

Messages in the mix pool are indistinguishable due to the memoryless

property.
No synchronized rounds required.

11 / 19
Security Properties - Summary

Corrupt Corrupt
GPA
mixes provider
Sender-Recipient Third-Party Unobservability X X X
Sender online unobservability X X X
Sender anonymity X X X
Receiver unobservability X X
Receiver anonymity X X

12 / 19
Anonymity vs Latency vs Rate of traffic

Figure: Entropy versus the changing rate of the incoming traffic for different delays
(seconds). Lower µ is a higher delay.

13 / 19
Performance - Throughput

300
All traffic Starting conditions:
Messages processed per sec

250 Payload traffic

ΛP = 3 msg/min
200 ΛL = 1 msg/min
150 ΛD = 1 msg/min
100 ΛM = 1 loop/min
50 Avg. delay / hop
00 20 40 60 80 100 120 140 160 = 1 ms
Rate of sending per client ( ) per minute
Periodic increase
Figure: Overall bandwidth and goodput per second for a single by 2 msg/min
mix node.

14 / 19
Performance - Latency Overhead

4.0
3.5 Λ = 30 msg/min
Latency Overhead (ms)

3.0
2.5 ΛM = 10 loops/min
2.0
1.5
1.0
0.5
0.0
0 50 100 150 200 250 300 350 400 450 500
Number of clients

15 / 19
Performance - End-to-end Message Latency

Gamma distribution fit Λ = 180 msg/min

0.6
0.5 ΛM = 60 loops/min

0.4 Avg. delay / hop

Frequency

0.3 = 0.5 sec

0.2
0.1
0.00 1 2 3 4 5 6 7
Latency (s)

Figure: End-to-end latency histogram.

16 / 19
Loopix Key takeaways
Unlinkability of senders and recipients
Detection of active attacks
Unobservability of clients actions
Balanced trade-off between latency and cover traffic
Supporting off-line storage

17 / 19
Loopix Key takeaways
Unlinkability of senders and recipients
Detection of active attacks
Unobservability of clients actions
Balanced trade-off between latency and cover traffic
Supporting off-line storage

Loopix Implementation: https://github.com/UCL-InfoSec/loopix

My Website: http://www0.cs.ucl.ac.uk/staff/A.Piotrowska/
My E-mail: a.piotrowska@cs.ucl.ac.uk

Thank you!

18 / 19
 Low Low Communication Scalable Asynchronous Active Offline Resistance
Latency Overhead Deployment Messaging† Attack Resistant Storage* to GPA
Loopix X X X X X X X
Dissent X X
Vuvuzela X X X
Stadium X X X X
Riposte X X X
Atom X X X X
Riffle X X X X
AnonPoP X X X X
Tor X X X X

Table: Comparison of popular anonymous communication systems. By *, we mean if the design intentionally
incorporates provisions for delivery of messages when a user is offline, perhaps for a long period of time. By †, we
mean that the system operates continuously and does not depend on synchronized rounds for its security
properties and users do not need to coordinate to communicate together.

19 / 19