We present a design for a system of anonymous storage which resists the attempts of powerful adversaries to find or destroy any stored data. We enumerate distinct notions of anonymity for each party in the system, and suggest a way to classify anonymous systems based on the kinds of anonymity provided. Our design ensures the availability of each document for a publisher-specified lifetime. A reputation system provides server accountability by limiting the damage caused from misbehaving servers. We identify attacks and defenses against anonymous storage services, and close with a list of problems which are currently unsolved.

Abstract. We present Mixminion, a message-based anonymous remailer protocol that supports secure single-use reply blocks. MIX nodes cannot distinguish Mixminion forward messages from reply messages, so forward and reply messages share the same anonymity set. We add directory servers that allow users to learn public keys and performance statistics of participating remailers, and we describe nymservers that allow users to maintain long-term pseudonyms using single-use reply blocks as a primitive. Our design integrates link encryption between remailers to provide forward anonymity. Mixminion brings together the best solutions from previous work to create a conservative design that protects against most known attacks. Keywords: anonymity, MIX-net, peer-to-peer, remailer, nymserver, reply block 1

Attacks on servers that provide anonymity generally fall into two categories: attempts to expose anonymous users and attempts to silence them. Much existing work concentrates on withstanding the former, but the threat of the latter is equally real. One particularly e#ective attack against anonymous servers is to abuse them and stir up enough trouble that they must shut down. This paper describes the design, implementation, and operation of nym.alias.net, a server providing untraceable email aliases. We enumerate many kinds of abuse the system has weathered during two years of operation, and explain the measures we enacted in response. From our experiences, we distill several principles by which one can protect anonymous servers from similar attacks. 1 Introduction Anonymous on-line speech serves many purposes ranging from fighting oppressive government censorship to giving university professors feedback on teaching. Of course, the availability of anonymous speech also leads to many fo...

This work develops a novel approach to hide the senders and the receivers of messages. The intuition is taken from an everyday activity that hides the "communication pattern" -- the public transportation system. To describe our protocols, busses are used as a metaphor: Busses, i.e., messages, are traveling on the network, each piece of information is allocated a seat within the bus. Routes are chosen and buses are scheduled to traverse these routes.

Chaum ([Cha79, Cha81]) suggested a simple and e#cient protocol aimed at providing anonymity in the presence of an adversary watching all communication links. Chaum's protocol is known to be insecure. We show Chaum's protocol becomes secure when the attack model is relaxed and the adversary can control at most 99% of communication links.