Cryptographic defense against traffic analysis

We present a model which allows us formally to define “untraceability” of messages in a network of synchronously communicating processors. We consider several different definitions, based on different assumptions about the strength of the “adversary” attempting to identify the senders and receivers of messages; for example, the adversary may be able to control some of the processors to obtain information, or even disrupt the traffic in the network. We present efficient protocols which are provably secure against each such adversary, using such cryptographic techniques as secure multiparty computation ([ GMWl) and non-interactive zero-knowledge proof ([BFM]). One proof of security also relies on an interesting general lemma about the “mixing” achieved by certain kinds of random processes, or “shuffles”, performed on a set of items. *This work was supported in part by NSERC operating grants and ITRC, an Ontario Centre of Excellence. t Department of Computer Science, University of Toronto, Toronto, Ontario, Canada M5S 1A4; rackoff@cs.toronto. edu : D6partement IRO, Universit6 de Montr6al, C.P. 6128, Succursale “A”, Montr&d, Qu6bec, H3C 3J7; simon@iro.umontreal .ca Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for direct commercial advantage, the ACM copyright notice and the title of the publication and its date appaar, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. 25th ACM STOC ‘93-51931CA, K.A o 1993 ACM 0-89791 -591 -7/93 /0005 /0672 . ..$1 .50