51
A Survey on Routing in Anonymous
Communication Protocols
FATEMEH SHIRAZI, KU Leuven, ESAT/COSIC and imec
MILIVOJ SIMEONOVSKI, CISPA, Saarland University, Saarland Informatics Campus
MUHAMMAD RIZWAN ASGHAR, Cyber Security Foundry, The University of Auckland
MICHAEL BACKES, CISPA Helmholtz Center i.G., Saarland Informatics Campus
CLAUDIA DIAZ, KU Leuven, ESAT/COSIC and imec
The Internet has undergone dramatic changes in the past 2 decades and now forms a global communication
platform that billions of users rely on for their daily activities. While this transformation has brought tremen-
dous benets to society, it has also created new threats to online privacy, such as omnipotent governmental
surveillance. As a result, public interest in systems for anonymous communication has drastically increased.
In this work, we survey previous research on designing, developing, and deploying systems for anonymous
communication. Our taxonomy and comparative assessment provide important insights about the dierences
between the existing classes of anonymous communication protocols.
CCS Concepts: • Security and privacy → Pseudonymity, anonymity and untraceability;
Additional Key Words and Phrases: Anonymous communication, routing protocols, communication networks
ACM Reference format:
Fatemeh Shirazi, Milivoj Simeonovski, Muhammad Rizwan Asghar, Michael Backes, and Claudia Diaz. 2018.
A Survey on Routing in Anonymous Communication Protocols. ACM Comput. Surv. 51, 3, Article 51 (June
2018), 39 pages.
https://doi.org/10.1145/3182658
1 INTRODUCTION
The Internet has evolved from a mere communication network used by millions of users to a
global platform for social networking, communication, education, entertainment, trade, and po-
litical activism used by billions of users. In addition to the indisputable societal benets of this
transformation, the mass reach of the Internet has created new powerful threats to online privacy.
This work was supported by the Research Council KU Leuven C16/15/058 and through KU Leuven BOF OT/13/070. In
addition, it was supported by the European Commission project H2020-DS-2014-653497 PANORAMIX and by Microsoft
Research through its Ph.D. Scholarship Programme. Moreover, this work was supported by the German Federal Ministry
of Education and Research (BMBF) through funding for the Center for IT-Security, Privacy and Accountability (CISPA)
(FKZ: 16KIS0345) and by the European Research Council Synergy Grant imPACT (n. 610150).
Authors’ addresses: F. Shirazi and C. Diaz, KU Leuven ESAT/COSIC, Kasteelpark Arenberg 10 - Bus 2452, B-3001 Leuven-
Heverlee, Belgium; emails: {fatemeh.shirazi, claudia.diaz}@esat.kuleuven.be; M. Simeonovski and M. Backes, CISPA, Cam-
pus E 9-1, 66123 Saarbruecken, Germany; emails: {milivoj.simeonovski, backes}@cispa.saarland; M. R. Asghar, Building
303S - Room 585, Department of Computer Science, The University of Auckland, Private Bag 92019, Auckland 1142, New
Zealand; email: r.asghar@auckland.ac.nz.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee
provided that copies are not made or distributed for prot or commercial advantage and that copies bear this notice and
the full citation on the rst page. Copyrights for components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires
prior specic permission and/or a fee. Request permissions from permissions@acm.org.
© 2018 ACM 0360-0300/2018/06-ART51 $15.00
https://doi.org/10.1145/3182658
ACM Computing Surveys, Vol. 51, No. 3, Article 51. Publication date: June 2018.
51:2 F. Shirazi et al.
The widespread dissemination of personal information that we witness today in social media
platforms and applications is certainly a source of concern. The disclosure of potentially sensitive
data, however, not only happens when people deliberately post content online but also becomes
possible inadvertently by merely engaging in any sort of online activities. This inadvertent data
disclosure is particularly worrisome because non-expert end-users cannot be expected to under-
stand the dimensions of the collection taking place and its corresponding privacy implications.
Widely deployed communication protocols only protect, if at all, the content of conversations,
but do not conceal from network observers who is communicating with whom, when, from where,
and for how long. Network eavesdroppers can silently monitor users’ online behavior and build up
comprehensive proles based on the aggregation of user communications’ metadata. Today, users
are constantly tracked, monitored, and proled, both with the intent of monetizing their personal
information through targeted advertisements and by nearly omnipotent governmental agencies
that rely on the mass collection of metadata for conducting dragnet surveillance at a planetary
scale.
Anonymous Communication (AC) systems have been proposed as a technical countermeasure
to conceal from network observers who is communicating with whom, when, from where, and
for how long, mitigating the threats of communications surveillance. The concept of AC systems
was introduced by Chaum (1981) in 1981, with his proposal for implementing an anonymous email
service that aimed at concealing who sent emails to whom. The further development of this concept
in the past 2 decades has seen it applied to a variety of problems and scenarios, such as anonymous
voting (Sako and Kilian 1995; Jakobsson et al. 2002), Private Information Retrieval (PIR) (Dingledine
et al. 2000), censorship-resistance (Waldman et al. 2000; Waldman and Mazières 2001), anonymous
web browsing (Goldschlag et al. 1996), hidden web services (Dingledine et al. 2004), and many
others.
Public interest in AC systems has strikingly increased in the past few years. This could be ex-
plained as a response to recently revealed dragnet surveillance programs, the fact that deployed
AC networks seem to become (according to leaked documents
1
) a major hurdle for communica-
tions surveillance, and to somewhat increased public awareness on the threats to privacy posed
by modern information and communication technologies.
The literature oers a broad variety of proposals for anonymity network designs. Several of
these designs have been implemented, and some are successfully deployed in the wild. Of the
deployed systems, the most successful example to date is the Tor network, which is used daily by
about two million users (The Tor Project 2017).
Existing designs take a variety of approaches to anonymous routing for implementing the AC
network. Routing determines how data is sent through the network, and it as such is the core
element of the AC design, determining to a large extent both security and performance of the
system. State-of-the-art approaches rely on dierent threat models and sets of assumptions, and
they provide dierent guarantees to their users. Even though survey articles on AC systems ex-
ist (Erdin et al. 2015; Sampigethaya and Poovendran 2006; Conrad and Shirazi 2014; AlSabah and
Goldberg 2015; Ren and Wu 2010; Edman and Yener 2009; Danezis and Díaz 2008; Serjantov 2004;
Raymond 2000), we still lack a systematic understanding, classication, and comparison of the
routing characteristics of the plurality of existing AC approaches.
The purpose of this survey is to provide a detailed overview of the routing characteristics of
current AC systems and to discuss how their routing features impact anonymity against dierent
types of adversaries, as well as overall performance. To this end, we rst identify the routing char-
acteristics that are relevant for AC protocols and provide a taxonomy for clustering the systems
1
https://wikileaks.org/.
ACM Computing Surveys, Vol. 51, No. 3, Article 51. Publication date: June 2018.
A Survey on Routing in Anonymous Communication Protocols 51:3
with respect to their routing characteristics, deployability, and performance. Then, we apply the
taxonomy to the extensive literature on AC systems, in particular including Mixnets, DCnets, Tor-
related systems, and Random Walk/Distributed Hash Table (DHT)-based protocols. To select AC
protocols for our examination we chose systems that have presentation value in terms of routing.
Most of the reviewed protocols are systems designed as overlay networks. We excluded next-
generation Internet AC solutions such as Sankey and Wright (2014) and Hsiao et al. (2012). Finally,
we discuss the relationship between dierent routing decisions, and how they aect performance
and scalability.
Outline. Section 2 provides our taxonomy for anonymous routing and describes the various
routing features and dimensions that we are considering for our evaluation and discusses the rela-
tionship between these routing features. Section 3 gives a compact tabular overview describing the
classication of existing systems in our taxonomy and reviews existing AC systems with respect
to their routing characteristics. Section 4 compares the four main categories of AC protocols in
terms of anonymity goals against dierent types of adversaries, scalability, and their applications.
Section 5 concludes the paper.
2 ANONYMOUS ROUTING PROTOCOL CHARACTERISTICS
In this section, we introduce the routing characteristics, deployability, and performance metrics
considered in our taxonomy, and we discuss the relationship between these characteristics.
2.1 Routing Characteristics
Generally, routing in a communication network refers to the selection of nodes for relaying com-
munication through the network. Routing schemes, however, require some essential design com-
ponents. For anonymous communication, we consider four building blocks that are relevant to
routing in AC networks. These building blocks are node management, transfer/retrieval of node
information to/by the routing decision maker, path selection, and forwarding or relaying; where
path selection is the main design component of routing schemes for AC protocols.
Several taxonomies and classications for routing protocols have been proposed in the litera-
ture (Bell and Jabbour 1986; Feeney 1999; Zou et al. 2002). However, AC networks aim to conceal
the metadata of communications and thus have security requirements that make them fundamen-
tally dierent from other networks.
In this section, we present a classication for anonymous routing protocols (see Table 1). Our
classication (see Tables 2 and 5) is an adaptation of Feeney’s taxonomy (Feeney 1999), which
classies the routing characteristics of mobile ad hoc networks into four categories:
(1) Communication model describes whether the communication is based on a single- or multi-
channel.
(2) Structure describes whether or not nodes are treated equally.
(3) State information describes where the topology information is maintained.
(4) Scheduling describes whether the information about routes is maintained at the source or
is instead computed on-demand.
This taxonomy does not address several relevant design features of AC networks, such as prob-
abilistic node selection for constructing circuits and security considerations for protecting routing
information from dierent network adversaries. In addition, not all the characteristics identied by
Feeney are relevant to AC routing. For example, the distinction between single- and multi-channel
features is not relevant to overlay networks, which constitutes a standard design choice for many
AC networks.
ACM Computing Surveys, Vol. 51, No. 3, Article 51. Publication date: June 2018.
51:4 F. Shirazi et al.
Table 1. Overview of the Protocol Routing Characteristics
We redene Feeney’s criteria to account for design choices that are relevant to anonymous
routing protocols. Nevertheless, we distinguish three groups of features inspired by Feeney’s cat-
egories: network structure, routing information,andcommunication model:
(1) Network structure describes the characteristics of the anonymous relays, the connections
between them, and the underlying network topology.
(2) Routing information describes the network information available to entities deciding on
the route of an anonymous connection.
(3) Communication model denes the entities that make the routing decisions and describes
how these decisions are made.
In what follows, we describe these features in more detail, including their various sub-features
and corresponding notation symbols used to denote individual feature instantiations. We refer to
Table 1 for a general overview of the resulting taxonomy.
2.1.1 Network Structure. We consider rst the network features that are relevant to anony-
mous routing. These are, specically, features related to: (a) the topology of the network, which
describes how nodes are connected; (b) the connection type, describing the characteristics of the
connections between nodes; and (c) symmetry, describing whether the entities participating in
the network are all similar, or if they can take on dierent roles and responsibilities for routing
data through the network.
(a) Topology. The topology describes the arrangement of various elements of the network,
such as routers and communication links between those routers. We only take the logical
topology of the network into account, which determines how data ows within it. We
note that physical topology characteristics, such as the geographical location of comput-
ers, sometimes matters in anonymous routing decisions, for example, when considering
ACM Computing Surveys, Vol. 51, No. 3, Article 51. Publication date: June 2018.
A Survey on Routing in Anonymous Communication Protocols 51:5
adversaries who control an Autonomous System (AS) (Feamster and Dingledine 2004;
Edman and Syverson 2009).
We consider the network as a graph in which the routers are represented by graph
nodes. An edge between two nodes exists if the routing strategy allows both nodes to be
directly connected as part of the same anonymous circuit.
The connectivity of nodes varies widely across AC network designs, and the advantages
and disadvantages of high and low levels of connectivity have been the subject of debate
for over a decade (Böhme et al. 2005).
Restricted routing proposals (Danezis 2003a) have shown that for applications that
are latency-tolerant, partially connected networks with certain topological characteris-
tics (e.g., based on expander graphs) provide optimal anonymity and latency trade-os
and mitigate certain attacks. These results further emphasize the impact of network con-
nectivity features for anonymous routing.
We classify anonymity networks into three categories according to their connectivity:
fully connected, mostly connected,andpartially connected networks.
• We consider a network to be fully connected ()
2
when nodes can potentially connect to
most(orall)othernodes.Notethatourruleofthumbisthatanodeonaverageshould
be able to connect to at least 95% of the other nodes.
• We call a network mostly connected () if its nodes can potentially connect to at least
half of the nodes.
• Finally, in partially connected () networks, nodes only connect to a relatively small
subset of the whole network.
Higher connectivity in the network topology leads to better resilience (availability) against
node failure, such as Denial of Service (DoS) attacks; such resilience might have, in turn,
a positive inuence on anonymity (Böhme et al. 2005). While having a fully connected
topology is better than having a very restricted network topology, such as a xed sequence
of relays, called cascade, Diaz et al. have shown a partially connected network structure—
in particular, a stratied topology—can provide better anonymity than a fully connected
network structure (Diaz et al. 2010). However, eliminating connections that might induce
security problems, such as the connection between two nodes from the same IP family
that may be easier to control by an adversary, can be benecial to anonymity. The same
holds for eliminating connections that would induce higher latency, which would, in turn,
improve the performance of the system.
(b) Connection Type. Here, we consider the direction and synchronization of connections.
As far as the direction is concerned, we consider the following options:
• A connection is unidirectional (→) if the data ow between two entities can only be in
one direction.
• A connection between two entities is bidirectional (↔) if data can ow in both directions
and the same connection is used for sending back the response to a received message.
Typically, interactive applications, such as web browsing, require bidirectional channels,
while non-interactive applications, such as email, can just close the connection as soon as
the message has been forwarded.
Bidirectional circuits have the advantage that they induce less overhead in terms of cir-
cuit construction. Unidirectional connections have the advantage that they are less vulner-
able to timing attacks, as a malicious node can only observe data owing in one direction,
which is less informative than bidirectional connections in which patterns of requests
2
In parenthesis, we dene the symbol or the keyword that is used in the comparative Tables 2, 3, 4,and5 to indicate the
corresponding characteristic.
ACM Computing Surveys, Vol. 51, No. 3, Article 51. Publication date: June 2018.
