On the Complexity of Anonymous Communication Through Public Networks

The problem of anonymous communications is to hide the fact that Alice is communicating with Bob at all, rather than the contents of her communications. More formally, the scenario in which Alice sends a message to Bob should be indistinguishable from the one in which Alice sends a message to Carol instead. While many cryptographic constructions (e.g., blind signatures, anonymous credentials and blockchains) assume anonymous channels as a starting point, there are significant drawbacks to all known protocols that aim to achieve them in the standard active adversary setting where the adversary can observe the network traffic on all links and, additionally, control a constant fraction of the parties. Onion routing is the most promising approach to anonymous channels. In onion routing, messages are sent via intermediaries and wrapped in layers of encryption, resulting in so-called "onions"; each intermediary's task is to "peel off" a layer of encryption and send the resulting onion to the next intermediary or to its final destination. In this paper, we initiate a rigorous theoretical study of onion routing. We consider the "simple input-output setting" where each participant desires to send a fixed-length message to a unique interlocutor and show that in this setting: - For an onion routing protocol to be anonymous and fault-tolerant, each party must transmit, on average, a polylogarithmic (in the security parameter) number of onions during an execution of the protocol. - There exists an onion routing protocol that is anonymous and fault-tolerant such that each party transmits only a polylogarithmic (in the security parameter) number of onions during an execution of the protocol.