Accountable Anonymous Group Messaging

Users often wish to participate in online groups anonymously, but misbehaving users may abuse this anonymity to spam or disrupt the group. Messaging protocols such as Mix-nets and DC-nets leave online groups vulnerable to denial-of-service and Sybil attacks, while accountable voting protocols are unusable or inefficient for general anonymous messaging. We present the first general messaging protocol that offers provable anonymity with accountability for moderate-size groups, and efficiently handles unbalanced loads where few members have much data to transmit in a given round. The N group members first cooperatively shuffle an NxN matrix of pseudorandom seeds, then use these seeds in N “pre-planned” DC-nets protocol runs. Each DC-nets run transmits the variable-length bulk data comprising one member’s message, using the minimum number of bits required for anonymity under our attack model. The protocol preserves message integrity and one-to-one correspondence between members and messages, makes denial-of-service attacks by members traceable to the culprit, and efficiently handles large and unbalanced message loads. A working prototype demonstrates the protocol’s practicality for anonymous messaging in groups of 40+ member nodes.

💡 Research Summary

The paper introduces Dissent, a novel anonymous group messaging protocol that simultaneously provides strong anonymity, integrity, and accountability for closed, moderate‑size groups. Existing anonymity mechanisms such as mix‑nets and DC‑nets protect sender privacy but are vulnerable to denial‑of‑service (DoS) attacks, Sybil attacks, and inefficient handling of unbalanced traffic loads. Dissent addresses these shortcomings by combining a shuffle phase with a bulk‑transfer phase, both built on well‑studied cryptographic primitives.

In the shuffle phase, each of the N participants creates a fixed‑length secret message and encrypts it under a cascade of public‑key encryptions (2N layers). Participants then iteratively strip one layer of encryption, randomly permute the list, and forward it to the next participant. The final participant broadcasts the shuffled list, and all members verify that their own intermediate ciphertext appears. A new “go/no‑go” and “blame” mechanism is added: if any participant detects a problem, they withhold their private decryption key and reveal the secrets used to construct the intermediate ciphertexts, thereby exposing the misbehaving party without compromising the anonymity of honest users. This extension preserves the original shuffle’s anonymity guarantees (no coalition of up to N‑2 colluding members can do better than random guessing) while providing provable accountability for protocol failures.

The bulk phase leverages the shuffled output of the first phase not to transmit the messages themselves, but to distribute an N×N matrix of pseudorandom seeds. Each participant receives a unique seed vector that determines a set of bulk ciphertexts they must transmit. By XOR‑ing all assigned ciphertexts, the target recovers the concatenated, permuted messages. Because each participant’s seed vector includes a “junk” seed for themselves and hashes that validate each bulk ciphertext, any deviation can be detected. If a participant sends an incorrect bulk ciphertext, the blame phase re‑runs the shuffle to pinpoint the offender. This design guarantees that every honest member obtains exactly one message per round, regardless of message length, and that the total number of bits transmitted is close to the information‑theoretic minimum for the given load.

The security model assumes a polynomial‑time adversary who can monitor all network traffic and compromise any subset of group members. The protocol’s security properties are formally defined: integrity (honest members either receive all honest messages or detect failure), anonymity (no coalition of size ≤ N‑2 can link a message to its sender with probability better than random guessing), and accountability (misbehaving members can be exposed with third‑party verifiable evidence, while honest members are never falsely accused).

Experimental evaluation on Emulab with up to 44 nodes shows that Dissent can handle large, unbalanced payloads (e.g., a 16 MB document from a single sender among 16 nodes) with an initial shuffle latency of about 1.4 minutes and a total transmission time roughly 3.5× that of non‑anonymous TCP multicast. Scaling results indicate that a 1 MB message can be delivered in under a minute for 4 nodes, about 4 minutes for 20 nodes, and roughly 14 minutes for 40 nodes. These figures demonstrate practicality for delay‑tolerant applications such as whistleblowing, confidential document distribution, or small‑scale voting where strong anonymity and accountability are paramount.

The authors acknowledge limitations: the protocol is unsuitable for large, open‑access anonymous communication or real‑time messaging due to the serial nature of the shuffle phase and the per‑round startup delay. It also provides only a limited form of coercion resistance and relies on external mechanisms (e.g., PeerReview) to guarantee liveness when participants drop out. Future work may explore parallelizing the shuffle, reducing per‑round overhead, and strengthening coercion resistance.

In summary, Dissent offers the first general‑purpose anonymous messaging protocol that enforces a one‑message‑per‑round constraint, replaces vulnerable slot‑reservation mechanisms with a provably secure shuffle, and integrates a blame system that makes DoS attacks traceable. By achieving anonymity, integrity, and accountability together, Dissent fills a critical gap for secure, accountable communication in closed groups of moderate size.