Are continuous stop-and-go mixnets provably secure?

This work formally analyzes the anonymity guarantees of continuous stop-and-go mixnets and attempts to answer the above question. Existing mixnet-based anonymous communication protocols that aim to provide provable anonymity guarantees rely on round-based communication models, which require synchronization among all the nodes and clients and are difficult to achieve in practice. Continuous stop-and-go mixnets (e.g., Loopix and Nym) provide a nice alternative by adding a random delay for each message on every hop, independent of all other hops and all other messages. The core anonymization technique of continuous mixnets, combined with the fact that the messages are sent by the clients to the mixnet at different times, makes it a difficult problem to formally prove security for such mixnet protocols; all existing analyses for such designs provide only experimental evaluations for anonymity. We are the first to close that gap and provide a formal analysis. We provide two indistinguishability-based definitions (of sender anonymity), namely pairwise unlinkability and user unlinkability, tuned specifically for continuous stop-and-go mixnets. We derive the adversarial advantage as a function of the protocol parameters for the two definitions. We show that there is a fundamental lower bound on the adversarial advantage δ for pairwise unlinkability; however, strong user unlinkability (negligible adversarial advantage) can be achieved if the users' message rate (λ_u) is proportional to the message processing rate (λ) on the nodes.


Introduction
Anonymous communication (AC) protocols based on mixnets [1], [2], [3], [4], [5], [6], [7] aim to provide anonymity by rerouting packets over several hops and adding delays on every hop of messages that allow the messages to mix with each other. All mixnets that attempt to provide provable anonymity guarantees do so by relying on some kind of round-based communication model; it is difficult to implement such rounds in practice when there are thousands of nodes and millions of clients in the system. Continuous stop-and-go mixnets (or simply, continuous mixnets) like Loopix [8] and Nym [9] avoid such round-based communication by adding a random delay (chosen from a predefined distribution) on every hop of each message, independent of all other hops of the message as well as independent of all other messages.
Although attractive as a system-design choice, it was not yet known if continuous mixnets can actually provide provable anonymity guarantees: all existing analyses [8], [10] rely on experimental evaluations of entropy of messages [11] for specific settings and parameter choices in terms of number of users, topology, choice of delays etc. Such evaluations cannot provide a comprehensive understanding of how the anonymity guarantees will vary with the variation of those parameters/settings. This work attempts to solve that open problem by providing a formal analysis of the anonymity guarantees provided by such continuous mixnets.
One major challenge towards formally proving anonymity for continuous mixnets is that the users do not send their messages in batches; rather, different messages arrive at the mixnet from the clients at different times. Any anonymous communication protocol (even a trusted third party) with bounded delay guarantees will inherently have some leakage in such a setting. We precisely quantify the above leakage, which we coin the 'FIFO attack' (first-in-first-out), with continuous mixing strategy in the presence of a global passive adversary even when all the nodes in the mixnet are honest (§4).
Based on the above insight, we consider two indistinguishability-based definitions of sender anonymity. The first one, called user unlinkability, corresponds to an adversary that observes all messages going through the network, but does not control the messages of the honest users, and attempts to track specific target messages. The second one, called pairwise unlinkability, allows a strong adversary that controls all the client messages except the challenge messages, and also controls when the challenge users initiate the challenge messages. Our definitions are improvements over existing indistinguishability-based definitions [12], [13], to more suitably capture the FIFO effect.
As the main highlight of this work, we derive the upper bound on adversarial advantage δ as a function of protocol parameters of the mixnet in the presence of global passive adversaries that can additionally passively compromise some parties in the protocol based on the two definitions mentioned above (§6.2, §5.2). For our proofs, we consider generic and representative versions of continuous mixnets (§3) adopted from Loopix [8], but without its active attack resistance or other additional features. As corollaries, we derive the range of parameters for which provable strong anonymity (negligible adversarial advantage) is achieved. Our proofs and results provide useful insights:
1) We identify a sufficient condition for two messages mixing with each other; this could be useful to prove anonymity guarantees for other variations of similar designs.
2) We show that a single cascade mixnet design without compromised nodes achieves exactly the same level of anonymity as a trusted third party for the same delay parameters.
3) When we consider pairwise unlinkability, increasing the number of hops provides diminishing returns for anonymity.
4) The presence of compromised nodes and choice of multiple paths drastically degrades pairwise unlinkability.
5) With user unlinkability, the protocol does not face the above problems and can provide strong anonymity (negligible adversarial advantage) if the client sends messages at a rate proportional to the rate parameter of the (exponential) delay distribution.

Existing analyses for continuous mixnets
There are earlier analyses [14], [15] on continuous mixnets that focus on analyzing the mixing on a single honest node. They provide some very useful insights: 1) they analyze the correlation between the incoming and outgoing messages of the single mixnode; 2) if the input messages are generated using Poisson distribution and the delays are sampled from exponential distribution, the mixnode acts as an M/M/∞ queue.
The first end-to-end analysis for continuous mixnets came in the form of Loopix [8]. They provide an empirical analysis based on experimental evaluations with a setup of 100 clients and a stratified topology of 3 layers and 3 nodes per layer. However, such an analysis only provides some evidence for the anonymity properties, and cannot answer questions like how that guarantee would scale for different numbers of users, different topology, different number of nodes per layer etc. Additionally, the specific probabilities also depend on the specific nodes that are compromised for the experimental instance. Our work provides a thorough formal treatment of continuous mixnets.

System model
In a mixnet-based AC protocol, we consider a set of clients U who act as senders of messages, and are denoted by u_1, ..., u_N. They make use of a set of mixnodes I that are responsible for routing the messages to finally deliver them to the intended recipients. Since our analysis focuses on the study of sender anonymity, we consider a single recipient party R. In the following paragraphs, we explain how this setting is instantiated in the continuous mixing paradigm.
Clients. In our system, each honest client acts independently of all other clients. Each client u_i generates traffic at a rate of λ_u following Poisson distribution.
Routing. We consider a source-routed mixnet-based architecture [8] allowing clients to send messages anonymously using an overlay network of mixnodes; each sender of a message selects the route through the network until it reaches the receiver. Preparing a message for sending requires encrypting it with public key material of the mixnodes selected by the sender as intermediaries in the route. Upon receiving a message, mixnodes use their private keys to strip a layer of encryption and discover the next hop in the route. In source-routing, the client picks all the mixnodes for the path of a message, for a given path length k (where k is specified as a protocol parameter), independent of all other messages by the same client or other clients.
Continuous Mixing. Each message is delayed on every hop using exponential delays [8], [16]. The delay for every hop of a message is typically sampled by the sender, independent of all other hops and all other messages, and encoded in the Sphinx headers. Upon receiving and decrypting a message, a mixnode extracts the delay from the header, holds the message for that amount of time, and then forwards it to its next destination. Intuitively, such delays lead to a pool of messages within a mixnode, and the messages within the pool can be considered 'mixed' with each other. We do not consider any cover traffic from the users or the mixnodes for our proofs.
Adversary. We consider a probabilistic polynomial time (PPT) adversary that can observe (but not alter) all network traffic. The adversary can also perform passive and static corruptions of senders, the recipient R, and a subset of mixnodes. Passive and static corruption means that the adversary chooses the subset of corrupted parties before the protocol starts; the adversary then has access to the internal states of these c mixnodes, including all of their keys and random choices; however, the compromised parties still follow the protocol specifications.
We focus on provable anonymity guarantees against global passive adversaries and do not consider active attacks. How to model all possible active attacks (not only for continuous mixnets, but in general for anonymous communication) still remains an open problem. Additionally, we consider that cryptography is perfect, and we do not consider any fingerprinting attacks in our model.

Security Goals
In this work, we consider sender anonymity properties in the anonymous broadcast setting. Achieving sender anonymity also implies relationship anonymity for bidirectional communications [12]. We expect to see similar guarantees for recipient anonymity; however, the exact details are left for future work. We consider two versions of security definition for sender anonymity:
User Unlinkability. In our first definition, the adversary does not control the time when the challenge messages are released, and the content of any other messages from the honest users. This more closely captures the surveillance scenario where the adversary observes an interesting/disturbing message received by the recipient and then tries to figure out who among Alice and Bob could have sent that message. Informally, the protocol achieves anonymity according to this definition as long as a target message from Alice is 'mixed' with at least one message from Bob.
Pairwise Unlinkability. Our second definition is stronger; here, we consider that the adversary controls the time when the challenge messages are released to the challenge users, the content of all other messages from the honest users, and then tries to distinguish who among them has sent which of the challenge messages after they are received by the recipient. Such a definition is useful to capture a strong adversarial scenario in the context of whistleblowing where the adversary might release fake/tagged documents and observe the time of their release to identify the whistleblower.
In one of our main results, we prove that in continuous mixnets, by controlling the time of release, the adversary can exploit the fact that whichever message goes into the AC network first comes out first with good probability, which we formally denote as the FIFO attack (§4).

Challenges Towards Provable Anonymity for Continuous Mixnets
Existing mixnet designs that attempt to provide provable anonymity guarantees mainly rely on (1) batch processing, and (2) a round-based communication model. Because of the round-based communication model, all the messages that arrive at an honest mixnode in a given round are shuffled by the mixnode and forwarded to the next mixnodes/destination. Therefore, two messages are shuffled with each other if they have met in an honest mixnode at least once. With batch processing, the protocol waits for all (or a threshold number of) users to send their messages, and then all those messages stay in the protocol for the same number of rounds, thus avoiding any leakage from end-to-end time correlations.
However, continuous mixnets introduce interesting challenges towards formally proving the anonymity guarantees since they do not implement any rounds or batches. Each user generates their own messages independent of all other users, and each message is delayed on a mixnode independent of all other messages. Therefore, there are no explicit shuffles (of the kind that happen in round-based models) among messages in continuous mixnet designs. Additionally, different messages arriving at the mixnet at different times could leak significant information to the adversary, which we formalize as the First In First Out or FIFO attack in Section 4.2. As part of our proof technique, we identify the explicit conditions for mixing and quantify the leakage from the FIFO attack to derive the provable guarantees for continuous mixnets. Additionally, dealing with continuous random variables for delays has its own mathematical challenges: 1) the probability of two messages mixing/meeting on a hop is dependent on all previous hops; 2) traditional combinatorial techniques are not applicable anymore, and computing the conditional probabilities becomes significantly more difficult; 3) the convolutions of the random variables do not always have closed form expressions. We overcome those hurdles in our proofs to derive our bounds.

Proof Technique And Interesting Results
Our proof technique in general consists of the following steps:
1) We identify a set of sufficient conditions (good event) which 'mixes' two messages on a mixnode, so that the adversary cannot tell, except with negligible probability, which of them was sent by which user even if the rest of the mixnodes on the paths for both messages are compromised.
2) Then we compute the probability of such a good event for a specific hop of a given message.
3) That allows us to compute the probability that no such good event occurred over the whole path of a given message, which directly translates to the maximum success probability of a global passive adversary.
Sufficient Conditions for Mixing. When delays are sampled from exponential distribution, based on the memoryless property of the distribution, it can be shown that two honest messages are 'mixed' in the view of an adversary if they meet at an honest mixnode (the second message enters the mixnode before the first message departs), and they have the same number of hops remaining when they meet. If this happens, the two messages are mixed with each other even if the rest of the paths of both of the messages are completely compromised. We call this the sufficient condition for mixing. If the delays are sampled from a distribution which is not memoryless, these conditions are not sufficient for mixing anymore.
Quantifying FIFO Attack. We show that there is an inherent leakage from the different arrival (to the mixnet) times of the messages: with significant probability they preserve the same order as they entered. We show that, even against a trusted third party anonymizer, a global passive adversary has an inherent advantage when the delays are sampled from Erlang distribution Erl(k, λ) (equivalent delay of a k-hop mixnet). The result about our FIFO attack can be considered as an improvement over the generic impossibility results [17], [18] for AC protocols.
Results about user unlinkability. We show that continuous mixnets can provide user unlinkability with δ < For this proof we model the mixnet as a Jackson network [19] with each mixnode acting as an M/M/∞ queue, and derive the bounds assuming a steady state of the network.
Results about pairwise unlinkability. With pairwise unlinkability, we start with a single cascade mixnet with no compromised mixnodes, and show that it achieves the exact same level of pairwise unlinkability as a trusted third party anonymizer for the same end-to-end delay distribution.
When the adversary can compromise some mixnodes in the mixnet, the quality of mixing degrades. However, because of the diminishing returns with the increased number of hops, there can be a significant (non-negligible) leakage to the adversary.
When there are many mixnodes to choose from for every hop of a message, we show that the chances for two messages meeting each other degrade drastically (even compared to single cascade mixnets).

Preliminaries
The exponential distribution. The exponential distribution Exp(λ) with parameter λ ∈ R^+ has probability density function f_λ(x) := λe^{−λx}, where x ≥ 0, and cumulative distribution function The mean of a random variable X following Exp_λ(x) is 1/λ. In addition, X satisfies the memoryless property:
The Erlang distribution. The Erlang distribution Erl(k, λ) with parameters k ∈ Z^+ and λ ∈ R^+ can be seen as the sum of k independent random variables following Exp(λ). We recall that Erl(k, λ) has probability density function and cumulative distribution function We observe that Exp(λ) matches the Erlang Erl(1, λ).
For the security analysis of our protocols, we will apply the following useful equalities.
The above equality follows directly from the definition of the Erlang distribution Erl(k, λ). For the following equalities, the proofs are in Appendices A. 1  2 k+n = 1 .

Model of continuous mixing protocols
To explain our proofs easily, we consider two representative versions of continuous mixing protocols. Both protocols use exponential delay sampling and mainly differ in the mixnode path selection process. The first protocol represents a simple study case, called cascade continuous mixing protocol, where the path is fixed according to a cascade of k mixnodes. This construction is mostly of theoretical interest and allows us to explore the essence and strength of continuous mixing as an anonymization technique. The second protocol, called multi-path continuous mixing protocol, captures a full-fledged protocol in the realistic setting where multiple paths in the mixnet are used by different users depending on their own trusts and the overall scalability requirement of the protocol.

The cascade continuous mixing protocol. Let CCM_{k,λ,λ_u} denote the cascade continuous mixing protocol, where k is a positive integer and λ, λ_u are positive real values. The execution of CCM_{k,λ,λ_u} is carried out as follows:
1) Each message travels through a fixed cascade of k hops, denoted by MX_1 → ··· → MX_k, before getting delivered to the recipient.
2) The sender then onion encrypts the message (using the Sphinx [20] packet structure) for the cascade (including the recipient), and sends it to the first mixnode in the cascade, MX_1, after some delay sampled from the exponential distribution Exp(λ_u).
3) Each mixnode delays the messages also following an exponential distribution Exp(λ).
Remark 1. Generating messages with intervals sampled from the exponential distribution Exp(λ_u) yields a message rate following Poisson distribution with average rate λ_u.
Remark 2. The aggregate delay imposed by the k mixnodes follows the Erlang distribution Erl(k, λ).

The multi-path continuous mixing protocol. Let MCM_{k,λ,λ_u} denote the multi-path continuous mixing protocol, where k is a positive integer and λ, λ_u are positive real values. The execution of MCM_{k,λ,λ_u} is carried out as follows:
1) Following the designs of Loopix [8] and Nym [9], we consider a stratified topology where mixnodes are arranged in a number of layers, such that mixnodes in layer i receive messages from mixnodes in layer i − 1 and send messages to mixnodes in layer i + 1. The path length of message routes is determined by the number of layers, and is denoted by k. Further, we consider that each layer has exactly K mixnodes.
2) The sender of the message picks a path of length k by picking one mixnode uniformly at random from each layer, independent of the choices of other users or other messages.
3) The sender samples k independent values x_1, ..., x_k from Exp(λ). They then onion encrypt the message for the path (including the recipient), and embed the values in the onion's header such that only the i-th mixnode can see the x_i value. Then they send it to the first of the mixnodes in the path after a delay sampled from Exp(λ_u).
4) Each mixnode delays a message for the amount of time specified by x_i.
We want to highlight that, even though we consider such a stratified topology for our analysis, our results are also valid for free-routing where the users can choose a hop for a message from all the available mixnodes in the whole mixnet. That case can be considered as a special case of stratified topology where each layer contains the same set of nodes. We elaborate on this further in Section 6.2.4.
Remark 3. In MCM_{k,λ,λ_u}, given that the packets are onion encrypted, a compromised mixnode only learns the previous and the next party on the path of a message.

Conditions for mixing
Based on the description of CCM_{k,λ,λ_u} and MCM_{k,λ,λ_u} in Subsections 3.2.1 and 3.2.2, respectively, we provide sufficient conditions for the mixing of two messages in our protocols. In particular, we show that if the following conditions are true (and they all have to be true) on a mixnode for two messages, then the adversary cannot distinguish if the messages went out in the same order as they came in or they are swapped:
1) the two messages are honest messages,
2) they meet at an honest mixnode (which means the second message enters the mixnode before the first message leaves),
3) the two messages have the same number of hops remaining when they meet.
The justification behind the above set of conditions comes from two facts: (i) the exponential distribution is memoryless, (ii) an honest mixnode does not reveal the mapping between the input and output messages unless the adversary deduces it from external information. Suppose the first message enters the mixnode at time t_1 and the second message at time t_2. The first message leaves at time t′_1 and the second at time t′_2. There are three possible cases:
t′_1 ≤ t_2: the first message leaves before the second message can arrive, and hence, they do not meet.
the second message arrives before the first message leaves, and hence they meet. However, the first message leaves before the second message: they preserve order.
the first message leaves after the second message leaves, which means they are swapped.
In the first case, they do not meet and our conditions for mixing are not satisfied. Also, it is trivial in this case for the adversary to identify the mapping between the input and output messages. In the second and third case, our conditions for mixing are satisfied. The only thing that remains to argue is that those two cases are equally likely. That follows from the memorylessness of the exponential distribution. Given t_2 < t′_1, the probability that t′_1 < t′_2 is 0.5, since both the delays follow the same exponential distribution. Formally, we prove the following lemma (proof in A.3).
Then, the following hold:
1) , the probability that the two messages do not meet in the mixnode is 1 − e^{−λτ}).
2) , the probability that the first message leaves the mixnode first is 0.5, given the two messages meet).
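The two claims of the lemma can be checked numerically on a single honest mixnode. The following simulation is an added example, not code from the paper; it assumes τ denotes the gap t_2 − t_1 between the two arrivals (the lemma's preamble is missing from this page), and the function names are hypothetical. It also runs the same experiment with a non-memoryless Erl(2, λ) per-node delay to show why meeting alone stops being sufficient for mixing in that case.

```python
import math
import random


def mixnode_pair_stats(tau, sample_delay, trials=200_000, seed=7):
    """Simulate two honest messages at one honest mixnode.

    Message 1 enters at t_1 = 0 and message 2 at t_2 = tau (assumed meaning
    of tau). Each is held for an independent delay from sample_delay(rng).
    Returns (P[they do not meet], P[message 1 leaves first | they meet]).
    """
    rng = random.Random(seed)
    no_meet = met = order_kept = 0
    for _ in range(trials):
        leave_1 = sample_delay(rng)        # t'_1
        leave_2 = tau + sample_delay(rng)  # t'_2
        if leave_1 <= tau:                 # case t'_1 <= t_2: they never meet
            no_meet += 1
            continue
        met += 1
        if leave_1 < leave_2:              # they met and kept their order
            order_kept += 1
    return no_meet / trials, order_kept / met


def exponential(lam):
    """Memoryless per-node delay Exp(lam), as used by the protocols."""
    return lambda rng: rng.expovariate(lam)


def erlang(stages, lam):
    """Non-memoryless delay: Erl(stages, lam) = Gamma(shape=stages, scale=1/lam)."""
    return lambda rng: rng.gammavariate(stages, 1.0 / lam)


def compare(lam=1.0, tau=1.0):
    """Run both delay distributions with the same arrival gap."""
    return {
        "predicted_no_meet": 1.0 - math.exp(-lam * tau),  # lemma, item 1
        "exp": mixnode_pair_stats(tau, exponential(lam)),
        "erlang2": mixnode_pair_stats(tau, erlang(2, lam)),
    }


if __name__ == "__main__":
    result = compare()
    print("predicted P[no meet] (Exp):", round(result["predicted_no_meet"], 4))
    for name in ("exp", "erlang2"):
        p_no_meet, p_fifo = result[name]
        print(f"{name:8s} P[no meet]={p_no_meet:.4f}  "
              f"P[first out first | meet]={p_fifo:.4f}")
```

With exponential delays the conditional order probability sits at 0.5; with Erl(2, λ) delays it is clearly above 0.5, so an observer of a meeting pair still gains from guessing "first in, first out".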

A golden standard for mixing: Trusted Third Party Anonymizer
A trusted third party (TTP) anonymizer receives messages and shuffles them. Since we are analyzing continuous mixnets, our TTP will shuffle messages by adding random delays: whenever a message comes, it adds a random delay to that message, and releases the message after that chosen delay. If a sufficient number of messages is received by the TTP regularly, then each message will mix with enough other messages. However, different messages arriving at different times tend to somewhat preserve their order when they leave, and that inherently provides linkability to any adversary who is observing the incoming and outgoing messages. However, if a set of messages is received by the TTP at exactly the same moment, their output order will not reveal anything to the adversary, and we could say that those messages are "shuffled" with each other. We want to show that our protocol closely (only with negligible difference) mimics such a TTP.
In our case, we want to prove the mixing property for a continuous mixnet that delays messages on every node following an exponential distribution. So, the overall delay of a message follows a gamma distribution for a certain number of hops k (same for every message). Our goal is to show the range of values of k for which our protocol mimics a TTP that follows a similar gamma distribution for delay for every message, without leaking any additional information. This means that two honest messages entering the TTP at the same time will come out of the TTP in a random order.

A trusted third party for continuous mixing
The trusted third party TTP_{k,λ} interacts with the senders in U and the recipient R, and is parameterized by latency k and delay λ. The senders provide TTP_{k,λ} with their messages over a secure channel, so that no information about the message content is leaked to the adversary. TTP_{k,λ} acts as a central mixing node that delivers the messages to R after adding a delay sampled from the Erlang distribution Erl(k, λ), as described in Figure 1.
The trusted third party TTP_{k,λ}.
Event: Receive(message m, sender u ∈ U)
Read the internal time as Cl.
Add the pair (m, Cl + d) in the priority queue Υ in an increasing order of Cl + d.
Send m to R.
Figure 1: The trusted third party TTP_{k,λ} interacting with the senders in U and the recipient R, parameterized by k, λ.
Assuming that the central mixing node is honest, the power of the adversary is limited to an observer that monitors incoming and outgoing traffic. As this sets the minimum power for a global passive adversary, the security of TTP_{k,λ} serves as an optimistic bound of the security expected by a typical continuous mixing construction, such as CCM_{k,λ,λ_u} and MCM_{k,λ,λ_u} described in Subsections 3.2.1 and 3.2.2. Therefore, it is meaningful to explore the level of security that TTP_{k,λ} offers.
We define the protocol TTP_{k,λ,λ_u} as the one that naturally derives from the description of TTP_{k,λ} in Figure 1, when the delay from the sender to TTP_{k,λ} follows the exponential Exp(λ_u) distribution.
In the following subsection, we present an attack on TTP_{k,λ,λ_u}. Intuitively, this sets a threshold on the pairwise unlinkability that CCM_{k,λ,λ_u} and MCM_{k,λ,λ_u} can promise, as will be formally presented in Section 6.2.

The FIFO attack
4.2.1. The setting. We consider a simplified setting with (i) two senders u_0, u_1, (ii) a single recipient R, and (iii) TTP_{k,λ} as described in Figure 1. The system state is as follows: each sender has a single message in her buffer and the queue is empty, i.e. there are no prior pending messages. The senders u_0, u_1 send their messages to the recipient R, which receives messages m_0, m_1. The goal of the mix is to provide sender anonymity against an adversary that controls R and is a global observer, i.e. to hide whether communication occurs in
1) a "direct" manner: i.e., u_0, u_1 sent m_0, m_1 to R, respectively, or
2) a "cross" manner: i.e., u_0, u_1 sent m_1, m_0 to R, respectively.
In the above setting, the messages m_0, m_1 are delivered to R with the following delays added: (i) the delay from the sender to TTP_{k,λ} follows the exponential Exp(λ_u) distribution, and (ii) the delay from TTP_{k,λ} till the recipient destination follows the Erlang Erl(k, λ) distribution.

Description of the FIFO attack. The adversary A begins observation at some given time when the messages m_0, m_1 are in the senders' queues and are about to be delivered. By the memoryless property of Exp(λ_u) and the description of the system state, we may assume that observation begins at time 0. Then, A executes the following steps:
1) It waits until it records the following time values:
a) t_{s,0}: when u_0 sends her (encrypted) message to TTP_{k,λ};
b) t_{s,1}: when u_1 sends her (encrypted) message to
2) Then, it decides as follows:
• If t_{s,0} < t_{s,1} and t_{r,0} < t_{r,1}, then it outputs 'direct'.
• , then it outputs 'direct'.
In a nutshell, A guesses based on the prediction that messages input earlier to the mixing node are more likely to be delivered earlier to the intended recipient. This adversarial strategy relies on the following interesting observation: the overall end-to-end network traffic observed by a global observer is NOT memoryless, as delays added by TTP_{k,λ} follow the Erl(k, λ) distribution. This distribution has a significant "FIFO" bias, as is fully analyzed in the following subsection.

Analysis of the FIFO attack.
Without loss of generality, assume that u_0, u_1 provide the messages m_0, m_1, respectively, in a "direct" manner to R (due to symmetry and independence, the "cross" case can be analysed similarly). We denote the following random variables:
1) The delay x_0 until m_0 is sent to TTP_{k,λ} by u_0.
2) The delay x_1 until m_1 is sent to TTP_{k,λ} by u_1.
3) The delay y_0 of TTP_{k,λ} until m_0 is forwarded to R, i.e., the time m_0 stays in the continuous mix.
4) The delay y_1 of the Poisson mix until m_1 is forwarded to R, i.e., the time m_1 stays in the continuous mix.
Clearly, x_0, x_1 ∼ Exp(λ_u) while y_0, y_1 ∼ Erl(k, λ). By the description in Section 4.2.2, we have that t_{s,0}, t_{s,1}, t_{r,0}, t_{r,1} are the time values of x_0, x_1, x_0 + y_0, x_1 + y_1 that A observes in the direct case. Thus, A wins when either one of the following events happens: The following theorem provides a concrete evaluation of the success probability of the FIFO attack.
Theorem 1. Let λ_u ≥ λ. The FIFO attack on TTP_{k,λ} described in Section 4.2.2 has success probability When λ_u = ρλ for a constant ρ > 1 we have the alternative expression We refer to Appendix A.4 for the detailed proof of Theorem 1. For notation simplicity, we will use ϕ(k) when λ, λ_u are implicit.
Analysis of the sequence ϕ(k). In order to analyze ϕ(k) we plot the function in Fig. 2 for different values of ρ for a range of k ∈ [1, 100]. We observe in those plots that ϕ(k) decreases as k increases, for a given value of ρ. In our plots, ϕ(k) approaches close to 0.5 for large k and ρ ≥ 4. With smaller ρ values (e.g., 1 and 2), ϕ(k) values are still > 0.51 for the range of the plotted k values. However, they also show a trend to decline with k, and we can expect them to approach 0.5 as k becomes very large.
For each of the plots, ϕ(k) rapidly drops for the smaller values of k; then, with increased values of k, ϕ(k) does not drop that rapidly. This shows that increasing the number of hops provides diminishing returns in terms of the probability of two messages being swapped in TTP_{k,λ}, and in continuous mixnets in general.
We can observe that even when ρ = 64, the success probability ϕ(k) for the adversary remains 0.500442 for k = 100. This means that the adversary still has over ≈ 2^{−11} advantage over a random guess. For ρ = 64 and k = 20, the success probability ϕ(k) is still more than 0.501. For ρ = 1, the success probability ϕ(k) remains above 0.525 even for k = 100. Thus, the question remains whether protocols with such continuous mixing strategy can still achieve meaningful anonymity guarantees; we formally investigate this in the later sections.
Case λ_u < λ. We observe in Fig. 2 that the success probability ϕ_{λ,λ_u}(k) for the adversary increases as ρ decreases. This indicates that ϕ_{λ,λ_u}(k) is strictly greater than Intuitively, if λ_u is smaller, t_{s,0} and t_{s,1} have high variances; and therefore, there is a high chance of them being far apart, which makes it more difficult for them to swap. Since the advantage of the adversary is already significant for λ_u = λ, we skip a formal derivation for the case λ_u < λ and mainly focus on the case λ_u ≥ λ for the rest of the paper. However, as part of our proof in Appendix A.4 we also add a mathematical explanation about why this inequality holds (cf. A.4.1).
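The behaviour of ϕ(k) described above can be reproduced by simulating the FIFO game against TTP_{k,λ,λ_u}. This Monte Carlo sketch is an added example, not the paper's code or its closed-form expression; the function names are hypothetical, and it assumes the adversary outputs 'direct' whenever the send order and the receive order agree and 'cross' otherwise (the second decision rule is incomplete on this page).

```python
import random


def fifo_game_win_rate(k, lam, rho, trials=100_000, seed=11):
    """Estimate the FIFO adversary's success probability against TTP_{k,lam}
    with sender rate lam_u = rho * lam.

    Per trial, a hidden bit b selects 'direct' (b = 0) or 'cross' (b = 1).
    The adversary sees when each user sends (t_s0, t_s1) and when each
    message reaches R (t_r0, t_r1), and guesses b from the two orderings.
    """
    rng = random.Random(seed)
    lam_u = rho * lam
    wins = 0
    for _ in range(trials):
        b = rng.getrandbits(1)
        t_s0 = rng.expovariate(lam_u)                    # x_0 ~ Exp(lam_u)
        t_s1 = rng.expovariate(lam_u)                    # x_1 ~ Exp(lam_u)
        out_u0 = t_s0 + rng.gammavariate(k, 1.0 / lam)   # + y_0 ~ Erl(k, lam)
        out_u1 = t_s1 + rng.gammavariate(k, 1.0 / lam)   # + y_1 ~ Erl(k, lam)
        # In the direct world u_0 carried m_0; in the cross world u_0 carried m_1.
        t_r0, t_r1 = (out_u0, out_u1) if b == 0 else (out_u1, out_u0)
        # Assumed decision rule: same order in and out -> 'direct' (guess 0).
        guess = 0 if (t_s0 < t_s1) == (t_r0 < t_r1) else 1
        wins += guess == b
    return wins / trials


def sweep(ks=(1, 2, 5, 10, 20), rhos=(1.0, 4.0), lam=1.0):
    """Estimated success rate for each (rho, k), mirroring the plot of phi(k)."""
    return {rho: [(k, fifo_game_win_rate(k, lam, rho)) for k in ks]
            for rho in rhos}


if __name__ == "__main__":
    for rho, row in sweep().items():
        line = "  ".join(f"k={k}: {p:.3f}" for k, p in row)
        print(f"rho={rho:g}  {line}")
```

The estimates fall as k grows and as ρ grows but stay above 0.5. Resolving advantages as small as the 2^{−11} quoted for ρ = 64, k = 100 would need far more trials than the default, since the sampling error here is on the order of 10^{−3}.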

User unlinkability of continuous mixnets
We study the anonymity of continuous mixnets, in the context of our first security notion that we name User Unlinkability. Our formal treatment includes a game-based definition of the said notion and a rigorous assessment of the guarantees that multi-path continuous mixing provides.

User unlinkability definition
We assume an honest-but-curious global network level attacker that can eavesdrop on a fraction of the nodes (statically chosen), and has strong background knowledge about the behavior of the clients; formally, the attacker controls all but two users.
In user unlinkability, we formalize the question of whether a target message could have been swapped with a message from another user along the way. The adversary is not allowed to control the inception time for the target messages, and allows the honest users to choose the content of all other messages. We present our indistinguishability-based definition of user unlinkability via the corresponding game described in Fig. 3. In the user unlinkability game, the adversary does not control when the challenge message is generated, and only tries to backtrack the message after it is received by R. A message from Alice can be mixed with any of the messages sent by Bob. This property aims to capture the essence of real-world surveillance scenarios.
• The challenger Ch provides the adversary A with the description of Π (that includes the description of the user set U, the recipient R, and the mixing node set I).
• A statically corrupts the recipient R, all users in U except for a pair of users $u_0, u_1$, and a subset of I denoted by $I_{\mathrm{corr}}$. It provides Ch with (i) the description of $I_{\mathrm{corr}}$; (ii) the identities of $u_0, u_1$.
• Ch generates the queues of messages for $u_0$ and $u_1$; those messages will be used for the protocol run.
• Challenge: before the start of the protocol run, A sends a challenge message $m^*$ to Ch. In turn, Ch chooses a random bit b ∈ {0, 1} and makes the following adjustments:
  - Pick a random spot x in the queue of $u_b$.
  - Add $m^*$ to the queue of $u_b$ at position x.
  In any case, the recipient of all transmissions is R.
• Ch and A engage in an execution of Π where Ch first specifies the mixnet topology for the execution and acts on behalf of $u_0, u_1$ and the mixing nodes in $I \setminus I_{\mathrm{corr}}$, while A controls the corrupted parties and monitors the network traffic as a global passive adversary.

Definition 1 (User Unlinkability). Let Π be a mixnet-based AC protocol with N > 2 users and a set of mixing nodes I. Let c be a non-negative number in [0, 1). We say that Π provides user unlinkability w.r.t. c with error δ(•), if it holds that

Analysis for User Unlinkability
In order to analyze the user unlinkability guarantees, we first analyze some properties of the network flows in the mixnet. Based on those properties, we derive our bounds.

5.2.1. Estimates About Network Flows. In our case, the message generation is a Poisson process, and the processing on the mixnodes follows an exponential delay distribution. We prove our bounds by showing that the overall mixnet can be modeled as a Jackson network [19] with each node acting as an independent M/M/C queue.

Jackson Networks [19]. A network of H interconnected nodes is a Jackson network if it has the following properties:
• External arrival to each node i in the network follows a Poisson process with rate $\mu_i$.
• All service times are exponentially distributed with rate parameter $e_i$ and the service discipline is first-come, first-served (FCFS).
• A job leaving node i will either move to some new node j with probability $P_{i,j}$ or leave the network with probability $q_i$, where $q_i + \sum_{j=1}^{H} P_{i,j} = 1$.

If the above conditions are satisfied, in the steady state of the network, it is known that each node i can be considered as an independent M/M/C queue with arrival rate $\nu_i = \mu_i + \sum_{j=1}^{H} \nu_j P_{j,i}$ and the average number of jobs in the queue of node i follows Poisson distribution with parameter $\nu_i / e_i$.

Lemma 2. For k ≥ 1 and $\lambda_u, \lambda \in \mathbb{R}^+$, assuming constant delays on the network links, for the stream of messages sent by each client the cascade continuous mixnet $\mathrm{CCM}_{k,\lambda,\lambda_u}$ in the steady state has the following properties:
1) each mixnode acts as an independent M/M/C queue with arrival rate $\lambda_u$;
2) at any time the number of messages held by a mixnode follows Poisson distribution with average rate $\lambda_u / \lambda$.

Proof by construction. First we show that the cascade continuous mixnet $\mathrm{CCM}_{k,\lambda,\lambda_u}$ can be modeled as a Jackson network with k nodes. We consider the stream of messages from a single client $u_{1-b}$. We map the i-th mixnode on the cascade to the i-th node in the Jackson network. Each node i has the following properties:
1) If i = 1, we have $\mu_i = \lambda_u$. Otherwise, $\mu_i = 0$.
2) If each mixnode has a capacity to buffer up to C messages, the node i in the Jackson network can serve a maximum of C jobs in parallel, and each job takes time following an exponential distribution with parameter $e_i = \lambda$.
3) When a message leaves a node i, it goes to node i + 1 with probability $P_{i,i+1} = 1$ for i < k; and $P_{i,j} = 0$ for $j \neq i + 1$. The job exits the network with probability $q_k = 1$ for i = k, otherwise (when i < k) $q_i = 0$.

From the above observation, and the additional assumption that mixnodes process messages in FCFS manner, we can say that each mixnode in $\mathrm{CCM}_{k,\lambda,\lambda_u}$ acts as an M/M/C queue with arrival rate $\nu_i = \mu_i + \sum_{j=1}^{H} \nu_j P_{j,i} = \lambda_u$. From the properties of the Jackson network, we can also say that the number of messages in the queue of a node follows Poisson distribution with parameter

Remark 4. In the above proof we assume that the network-link delays are constant. If the network-link delays are not constant, the mixnodes behave as •/M/C queues instead of M/M/C queues. In that case, based on the Kleinrock independence approximation [21], Lemma 2 is still a good approximation. We leave the detailed derivation for variable network-link delays, and the exact accuracy of that approximation, for future work.
Special Case. If we consider that each mixnode has an infinite memory buffer, i.e., it can accept up to an infinite number of messages, we have a special case of Jackson network where each node acts as an M/M/∞ queue. In practice, a mixnode can have a system/memory limitation, and beyond that limit messages will be dropped. However, the number is generally high enough to avoid such message drops, and the approximation remains valid. In the following proofs in this section, we consider that approximation and assume that each mixnode acts as an independent M/M/∞ queue in the steady state.
Lemma 3. Let K, k be non-negative integers and $\lambda_u, \lambda \in \mathbb{R}^+$. Assuming constant delays on the network links, and that each mixnode has an infinite memory buffer, the multipath continuous mixnet $\mathrm{MCM}_{k,\lambda,\lambda_u}$ in the steady state has the following properties:
1) each mixnode acts as an independent M/M/∞ queue with arrival rate $\lambda_u / K$;
2) at any point of time the number of messages held by a mixnode follows Poisson distribution with rate parameter $\lambda_u / (\lambda K)$.

Proof Sketch. The proof of this lemma is very similar to Lemma 2, except now each layer of the Jackson network has K nodes. Therefore, for a node i in layer h and another node j in layer h + 1, $P_{i,j} = 1/K$ (assuming the node on each layer is chosen uniformly at random). The rest of the proof follows Lemma 2.

Anonymity Proof.
With Lemma 3 at our disposal, we derive the user unlinkability guarantee provided by $\mathrm{MCM}_{k,\lambda,\lambda_u}$. To prove user unlinkability, we first estimate the probability of at least one message from $u_{1-b}$ being present in a mixnode when the challenge message $m^*$ arrives there. Then we compute the overall probability of $m^*$ to meet at least one message from $u_{1-b}$ on a path of length k.

Lemma 4. For k ≥ 1 and $\lambda_u, \lambda \in \mathbb{R}^+$, in a steady state of $\mathrm{MCM}_{k,\lambda,\lambda_u}$, if a message $m^*$ sent by $u_b$ reaches the i-th hop, the probability that there exists at least one message from user $u_{1-b}$ also on the i-th hop and on the same mixnode as $m^*$ is given by,

Proof. From Lemma 3 we know that the number of messages in a mixnode on hop i from each user follows Poisson distribution with parameter $\lambda_u / (K\lambda)$. Therefore, when the message $m^*$ reaches a mixnode on the i-th hop, the probability that the mixnode holds at least one message from $u_{1-b}$ on the same i-th hop is given by,

In the above lemma, if $\lambda_u / (\lambda K)$ is a constant, the quantity f is also a constant. This means that the challenge message from Alice will encounter at least one message from Bob with significant probability, independent of the layer/hop i.
Theorem 2. For k ≥ 1 and $\lambda_u, \lambda \in \mathbb{R}^+$, assuming a steady state of the network, $\mathrm{MCM}_{k,\lambda,\lambda_u}$ provides user unlinkability as defined in Definition 1 with error

Proof. According to Lemma 4, the challenge message $m^*$ on its i-th hop meets at least one message (also on i-th hop) from $u_{1-b}$ with probability $f = 1 - e^{-\lambda_u / (\lambda \cdot K)}$. Since a c fraction of mixnodes are compromised, and the mixnode on each hop is chosen uniformly at random, the probability that the i-th hop of $m^*$ is honest is given by (1 − c). Suppose $M'_i$ denotes the event that $m^*$ does not mix with any message from Bob on its i-th hop. The probability that $m^*$ does not mix with any message from $u_{1-b}$ on any hops is given by,

The above implies that

Therefore, $\mathrm{MCM}_{k,\lambda,\lambda_u}$ achieves user unlinkability with error

Insights. We draw the following insights from Theorem 2:
1) If f and c are constants, (1 − f (1 − c)) is also constant. So, the adversarial advantage δ declines rapidly with higher values of k.
3) If $\lambda_u / \lambda$ is constant, f will go closer to 0 as K increases. To maintain the same level of δ, the number of hops k needs to grow with K. Typically, K increases with the number of users to support the increased number of users.
4) k needs to grow approximately proportional to c to maintain the same level of δ, i.e., the increased fraction of compromised mixnodes can be compensated with increased end-to-end latency.
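The following added Python sketch (not code from the paper) checks Lemma 4's per-hop quantity f against a direct simulation of one mixnode as an M/M/∞ queue, and then tabulates how many hops are needed to push the no-mix probability below a target as K and c change. It assumes hops are independent, so that the no-mix probability over k hops is $(1 - f(1 - c))^k$, built from the per-hop term in Insight 1; all function names and parameter values are illustrative.

```python
import bisect
import math
import random


def meet_probability(rho, K):
    """Per-hop quantity f = 1 - exp(-lambda_u / (lambda * K)), rho = lambda_u / lambda."""
    return 1.0 - math.exp(-rho / K)


def simulate_meet_probability(lam, lam_u, K, horizon=40000.0, probes=20000, seed=1):
    """Simulate one mixnode as an M/M/infinity queue fed by one user's stream
    (Poisson arrivals at rate lam_u / K, Exp(lam) holding times) and estimate how
    often a probe message arriving at a random time finds at least one message."""
    rng = random.Random(seed)
    arrivals, departures = [], []
    t = 0.0
    while True:
        t += rng.expovariate(lam_u / K)
        if t > horizon:
            break
        arrivals.append(t)                      # already in increasing order
        departures.append(t + rng.expovariate(lam))
    departures.sort()
    warmup = 10.0 / lam                         # skip the initial transient
    hits = 0
    for _ in range(probes):
        s = rng.uniform(warmup, horizon)
        # messages present at time s = arrived by s minus departed by s
        present = bisect.bisect_right(arrivals, s) - bisect.bisect_right(departures, s)
        hits += present >= 1
    return hits / probes


def no_mix_probability(k, rho, K, c):
    """Probability that the challenge message mixes on none of its k hops.
    Assumption of this example: hops are independent, so the per-hop term
    1 - f * (1 - c) from Insight 1 is raised to the k-th power."""
    return (1.0 - meet_probability(rho, K) * (1.0 - c)) ** k


def hops_needed(target, rho, K, c, k_max=10_000):
    """Smallest k with no_mix_probability <= target, or None if k_max is too small."""
    for k in range(1, k_max + 1):
        if no_mix_probability(k, rho, K, c) <= target:
            return k
    return None


if __name__ == "__main__":
    lam, lam_u = 1.0, 2.0                       # constructed sample parameters
    for K in (2, 10, 50):
        f = meet_probability(lam_u / lam, K)
        f_sim = simulate_meet_probability(lam, lam_u, K)
        print(f"K={K:3d}  f={f:.4f}  simulated={f_sim:.4f}")
        for c in (0.0, 0.2, 0.5):
            k = hops_needed(1e-6, lam_u / lam, K, c)
            print(f"        c={c:.1f}  hops for no-mix probability <= 1e-6: {k}")
```

The table makes Insights 3 and 4 concrete: with $\lambda_u / \lambda$ fixed, the required k grows quickly with K, and more slowly with c.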

Pairwise unlinkability of continuous mixing
In this section, we provide a formal study of the anonymity of continuous mixing, as captured by the description of $\mathrm{CCM}_{k,\lambda,\lambda_u}$ and $\mathrm{MCM}_{k,\lambda,\lambda_u}$ (cf. Subsections 3.2.1 and 3.2.2, respectively), under a stronger security notion that we name Pairwise Unlinkability. As in the case of user unlinkability, we begin by introducing a game-based definition of pairwise unlinkability. Subsequently, we investigate the level of anonymity that $\mathrm{CCM}_{k,\lambda,\lambda_u}$ and $\mathrm{MCM}_{k,\lambda,\lambda_u}$ can (or fail to) support.

Pairwise Unlinkability definition
As in Subsection 5.1, we assume an honest-but-curious global network level attacker that can eavesdrop on a fraction of the nodes (statically chosen), and has strong background knowledge about the behavior of the clients; formally, the attacker controls all but two users.
In pairwise unlinkability, we formalize the question of whether the adversary could distinguish whether or not two messages, that travelled the same number of hops in the protocol, could have been swapped along the way. This property is close to message indistinguishability properties from the literature, such as tail indistinguishability by Kuhn et al. [13]. We present our definition via the corresponding game described in Figure 4. In the pairwise unlinkability game, the adversary controls when the messages are initiated and observes when they are received by R. This reflects the background knowledge of the adversary about when a message of interest could have been generated, and the adversary can observe whose message (among Alice and Bob) enters first after that message has been generated. That helps us capture the essence of the FIFO attack that we detail in Section 4.2.
Definition 2 (Pairwise unlinkability). Let Π be a mixnet-based AC protocol with N > 2 users and a set of mixing nodes, I. Let c be a non-negative number in [0, 1). We say that Π provides pairwise unlinkability w.r.t. c with error δ(•), if it holds that

We say that a protocol achieves strong pairwise unlinkability if δ is negligible in the security parameter η.

Analysis for Pairwise Unlinkability
The definition of pairwise unlinkability is closely related to the FIFO attack presented in Section 4.2, except the adversary can now observe the (encrypted) messages after each intermediate hop, and some mixnodes might be corrupted. As we show in the next subsection, the success probability $\phi_{\lambda,\lambda_u}(k)$ in the FIFO attack against $\mathrm{TTP}_{k,\lambda}$ directly translates to the success probability max against a k-hop cascade continuous mixnet $\mathrm{CCM}_{k,\lambda,\lambda_u}$ when there are no corrupted mixnodes (i.e., c = 0). We extend our analysis for $\mathrm{CCM}_{k,\lambda,\lambda_u}$ with c > 0 and $\mathrm{MCM}_{k,\lambda,\lambda_u}$ in the subsequent subsections.

6.2.1. The advantage of a global observer in $\mathrm{CCM}_{k,\lambda,\lambda_u}$ without any corrupted nodes. We prove that an adversary that acts as a global observer (but corrupts no mixing nodes) has no further advantage than a FIFO attacker, i.e., the FIFO attack is the best possible attack (in terms of pairwise unlinkability as defined in Definition 2) that can be launched in $\mathrm{CCM}_{k,\lambda,\lambda_u}$ when monitoring the network traffic. We prove that based on the following lemma.
• The challenger Ch provides the adversary A with the description of Π (that includes the description of the user set U, the recipient R, and the mixing node set I).
• A statically corrupts the recipient R, all users in U except for a pair of users $u_0, u_1$, and a subset of I denoted by $I_{\mathrm{corr}}$. It provides Ch with (i) the description of $I_{\mathrm{corr}}$; (ii) the identities of $u_0, u_1$.
• Ch and A engage in an execution of Π where Ch first specifies the mixnet topology for the execution and acts on behalf of u 0 , u 1 and the mixing nodes in I \ I corr , while A controls the corrupted parties and monitors the network traffic as a global passive adversary.
• Challenge phase: at any time, A sends a pair of challenge messages $m_0, m_1$ to Ch. In turn, Ch chooses a random bit b ∈ {0, 1} and initiates two concurrent challenge transmissions according to the following cases:
  - If b = 0, then $u_0$ (resp. $u_1$) will begin the transmission of $m_0$ (resp. $m_1$).
  - If b = 1, then $u_0$ (resp. $u_1$) will begin the transmission of $m_1$ (resp. $m_0$).
  In any case, the recipient of both challenge transmissions is R.

Lemma 5. Let $m_x, m_y$ be a pair of messages concurrently leaving from their senders to enter the same path in a k-hop continuous mix-net. Let $x_0, \ldots, x_k$ (resp. $y_0, \ldots, y_k$) be the delays added to $m_x$ (resp. $m_y$) by the sender and the k hops. Let M denote the event that $m_x$ and $m_y$ meet with each other at least in one of the hops. Then, M and $\phi_{\lambda,\lambda_u}(k)$ (as defined in Thm. 1) are related as follows:

We present the detailed proof in Appendix A.5. Based on the above lemma, we can prove the following theorem about the anonymity guarantees of $\mathrm{CCM}_{k,\lambda,\lambda_u}$ when c = 0.

Theorem 3. For every
Therefore, the cascade continuous mix-net $\mathrm{CCM}_{k,\lambda,\lambda_u}$ and the trusted third party anonymizer protocol $\mathrm{TTP}_{k,\lambda,\lambda_u}$ provide pairwise unlinkability w.r.t. c = 0 with error $\phi_{\lambda,\lambda_u}(k) - \frac{1}{2}$.

Proof. Every attack against $\mathrm{TTP}_{k,\lambda,\lambda_u}$ can be directly translated to an attack against $\mathrm{CCM}_{k,\lambda,\lambda_u}$ with no mix-node corruptions (the attacker monitors the traffic at the end points of the communication) by using the FIFO adversary $A_{\mathrm{fifo}}$ in the pairwise unlinkability game. $A_{\mathrm{fifo}}$ engages in the game $G^{\mathrm{TTP}_{k,\lambda,\lambda_u},A_{\mathrm{fifo}},0}_{\mathrm{PU}}(1^{\eta})$ as follows: when provided the user set U, it sets (i) $I_{\mathrm{corr}} = \emptyset$; (ii) a fixed pair $(u_0, u_1)$ as the uncorrupted challenge senders (e.g., the first two identities in lexicographic order); (iii) the recipient R. At any time of its choice, it chooses a pair of distinct challenge messages $m_0, m_1$ and engages in the execution as described in Section 4.2.2. Instead of outputting 'direct' or 'cross', $A_{\mathrm{fifo}}$ outputs 0 or 1 respectively. Therefore, we get the following inequality:

Since there are no corrupted mixnodes in our current consideration and the adversary against $\mathrm{CCM}_{k,\lambda,\lambda_u}$ only observes the encrypted messages entering and exiting the mixnodes for the intermediate hops, the probability of not satisfying the conditions for mixing (as specified in Section 3.3) is exactly the same as $\Pr[\neg M]$, where M denotes the event that the two messages meet with each other at least once. Therefore, for $\mathrm{CCM}_{k,\lambda,\lambda_u}$ with c = 0 we can say,

From Lemma 5 we know that the probability $\Pr[\neg M]$ is related to the probability of those two messages swapping with each other. That directly translates to the success probability of $A_{\mathrm{fifo}}$ in the pairwise unlinkability game:

By Eq. (3) and (4), the proof is complete.
The following corollary of Lemma 5 simplifies the results for specific values of k = 1, 2, 3 which could be relevant to designs like Loopix [8] and Nym [9] where they consider k = 3.
Corollary 1. Let $m_x, m_y$ be a pair of messages concurrently leaving from their senders to enter the same path in a k-hop continuous mix-net with delay parameter λ. Let $x_0, \ldots, x_k$ (resp. $y_0, \ldots, y_k$) be the delays added to $m_x$ (resp. $m_y$) by the sender and the k hops. Let $M_j$, j = 1, . . ., k be the event that $m_x$ and $m_y$ meet at the j-th hop. Then, if we assume $\lambda_u = \rho \cdot \lambda$, where ρ ≥ 1, for the first three layers, it holds that

Proof. Let us define the following two quantities:
• T is a random variable that denotes the total number of times the two challenge messages would meet in the protocol $\mathrm{CCM}_{k,\lambda,\lambda_u}$ based on the chosen delays. If T = 0, the two messages would not meet in $\mathrm{CCM}_{k,\lambda,\lambda_u}$, and the adversary definitely wins.
• F(t) denotes the probability that t randomly chosen nodes are all compromised. Even if the two challenge messages meet a total of t times, if those nodes are all compromised, the messages do not mix.

Since,

The actual value of F(t) depends on how the k nodes in the cascade are chosen; however, we can say that F(t + 1) ≤ F(t) since 0 ≤ F(t) ≤ 1, and F(1) = c.

Let us denote δ* as the error for pairwise unlinkability provided by $\mathrm{CCM}_{k,\lambda,\lambda_u}$ when the adversary does not compromise any nodes. We know from Theorem 3 that , where M denotes the event that the two challenge messages meet on at least one node.

For our current scenario, we can say the following about the event M′ that the messages mix with each other:

From the above equation we can say,

The inequality step in Eq. (5) is not tight and the error increases with large k values. However, for small values of c and small integers k our bound provides a reasonable upper bound on the adversarial advantage against the protocol.

Remark 5. The maximum imprecision introduced in the inequality step cannot be more than $k \cdot \Pr[\neg M]$ since exactly k terms are replaced with a larger quantity

Therefore, the total imprecision introduced cannot be more than $k \cdot \Pr[\neg M']$. Therefore, we can say that our derived upper bound on the adversarial advantage δ is at most (k + 1) • δ.
6.2.3. Pairwise unlinkability of $\mathrm{MCM}_{k,\lambda,\lambda_u}$. Now we consider our multi-path continuous mixing protocol $\mathrm{MCM}_{k,\lambda,\lambda_u}$: the formation of the message path is done via sampling one mixnode uniformly from each of the k layers. In the following theorem, we formally show the level of pairwise unlinkability expected in $\mathrm{MCM}_{k,\lambda,\lambda_u}$.

Theorem 5. Let K, k be non-negative integers, $\lambda, \lambda_u \in \mathbb{R}^+$, $\lambda_u \ge \lambda$, and c ∈ [0, 1). The multipath continuous mixnet $\mathrm{MCM}_{k,\lambda,\lambda_u}$ provides pairwise unlinkability w.r.t. c with error δ where

The proof of this theorem is very similar to that in Section 6.2.2; however, the quantity F(t) would be slightly different. With a single cascade, as long as the two messages have overlapping delays on a hop, they will meet. However, with many possible paths, meeting requires that the two messages also choose the same node on a given hop. This new factor in the proof captures this additional requirement, besides the necessity for the node being honest, for the two messages to meet. We include the detailed proof in Appendix A.6.
Note that, for large values of K and c, $C = 1 - \frac{1-c}{K}$ has a large value (close to 1). With K = 100, we have C ≥ 0.99, which makes the bound far from tight. However, the theorem still provides an upper bound on the adversarial advantage over tossing a random coin; and for small K values it is still a good estimate. Additionally, the bound specified in Remark 5 is also valid for $\mathrm{MCM}_{k,\lambda,\lambda_u}$.
6.2.4. Free routing. When the user picks the paths from all the available mixnodes in the mixnet, instead of following a stratified topology, the bounds remain the same if they choose the mixnodes on the path uniformly at random with replacement. The free routing topology with a total of K mixnodes can be considered as a special case of stratified topology where all the nodes are part of each layer. Since the user picks the nodes on the message path with replacement, all the probabilities in our bounds still hold. If the user picks a strategy to pick the mixnodes that is strictly better than selecting with replacement, the upper bound on adversarial advantage still holds. Note that the same argument also holds for the bounds with user unlinkability in Section 5.2.

6.2.5. Analysis and comparison with user unlinkability. In Theorem 5, the upper bound on the error δ does not become negligible for constant values of c and K, when c > 0 or K > 1. In Fig. 5, we plot the adversarial success probability for $\mathrm{CCM}_{k,\lambda,\lambda_u}$ and $\mathrm{MCM}_{k,\lambda,\lambda_u}$ with respect to the pairwise unlinkability game based on our proofs. Those plots indicate that the messages will not mix with high probability (close to 1) for large values of K. For practical values of c and K the upper bound of the adversarial success probability remains significantly high. Note that an overall adversarial success probability of 0.9 in the plot indicates 0.4 as an upper bound on δ. We know that our bound on δ is at most (k + 1) times the actual value. Therefore, for k = 20, the plots indicate a high actual adversarial advantage of at least 0.02.
We also plot in Fig. 5d the adversarial success probability with respect to the user unlinkability game, and the probability drops rapidly even for small values of ρ. This provides strong confidence in the protocol when the user unlinkability notion is used as the anonymity metric.

Comments About Round-based protocols
Round-based protocols [4], [5], [6], [7] assume some kind of batching or threshold model (where all the users send messages before the protocol starts a batch, or the protocol waits for a threshold number of messages) to achieve their provable security guarantees. There are no formal analyses of anonymity guarantees when the clients are allowed to send their messages in different rounds in a continuous manner, except the generic impossibility bounds [17], [18]. Although we have not derived the formal bounds, we conjecture that a protocol will have a leakage similar to our analysis in Section 6.2 for pairwise unlinkability when the clients send their messages following a Poisson distribution and the delays (in number of rounds) are sampled from a geometric distribution. In such a setting, if messages stay on a node for only one round for each hop, the anonymity guarantees will be worse. A thorough analysis of such a setting for round-based mixnets is out of scope of this work and left for future work. Therefore, a verdict about which type of protocols (protocols with rounds or continuous mixnets) can provide better anonymity properties is not out yet.

Limitations and Future Work
Our results provide a formal treatment for continuous mixnets for the first time and confirm strong guarantees for user unlinkability (Thm. 2). For pairwise unlinkability, we have a pessimistic upper bound (Thm. 5), and a tight lower bound (Thm. 3) on the success probability of the adversary. However, the treatment has room for improvement; below we describe those gaps and possible directions towards solving them:
• Our results assume constant delay on the network links, which is not true in reality. However, we argue that network delays are clearly visible to global passive adversaries, and variable network delays do not change the insights significantly. A detailed mathematical derivation with variable network delays is left for future work.
• Our main positive result (in 5.2) requires the steady state assumption for the network.The assumption is valid for most practical purposes.However, a really persistent adversary might decide to observe the network before it reaches the steady state.In that case, the adversary might gain some additional insight.This problem can be easily avoided if the users do not start sending real messages until the network reaches the steady state.
• If multiple challenge messages are considered for our pairwise unlinkability game, δ will grow linearly with the number of challenges. However, with the user unlinkability game, the relation is not so straightforward, since multiple challenge messages from Alice might mix with the same message from Bob. Nonetheless, it still directly translates to deniability for the user. Additionally, increasing the value of $\lambda_u$ would alleviate the problem. The exact relationship between the single challenge and multi-challenge game for user unlinkability is left for future work.
The objective of this work is to investigate the anonymity that continuous mixing provides, i.e., when relying on the exponential delay technique.Nonetheless, it would also be an interesting future work to consider cover traffic and formally analyze the effect on the anonymity guarantees.
Thus, the equality follows from the above equality.
By Eq. (9), (18) and the fact that $\Pr[E_{0<1}] = \Pr[E_{0\ge 1}]$, we conclude that

A.4.1. The case $\lambda_u < \lambda$. Note that, when $\lambda_u < \lambda$, the quantity $A_2$ is strictly less than the r.h.s. of Eq. 16 (we can say that based on the properties of the CDF of exponential distribution). Similarly and consequently, $A_3$ is also strictly less than the r.h.s. of Eq. 17. From there we can deduce that $\phi_{\lambda_u,\lambda}(k) < \phi_{\lambda,\lambda}(k)$ when $\lambda_u < \lambda$.

A.5. Proof of Lemma 5
Proof. Let $M_j$, j = 1, . . ., k denote the event that $m_x$ and $m_y$ meet at the j-th hop. Further, let $Y_n = \sum_{i=0}^{n} y_i$ and $X_n = \sum_{i=0}^{n} x_i$ for n ≤ k. We want to prove that $\Pr[\neg M] + \frac{1}{2}\Pr[M] = \phi(k)$, since:

Observe that, if the two messages do not meet they cannot swap, since,

On the other hand, if two messages meet with each other n times, we prove by induction that they swap with probability 0.5 for every 1 ≤ n ≤ k.

We can model this with coin-toss experiments with n fair trials. Let us denote with H the case that the two messages exit the node in the opposite order (swap) to that in which they enter the node, given that they meet in that node. Similarly, let us denote with T the case that the two messages exit the node in the same order as they enter the node, given they meet in that node. For a general n, this random experiment will generate an n-bit string $X_n$. If $X_n$ has an even number of H, the messages exit the mixnode in the same order as they enter. If $X_n$ has an odd number of H, the messages will be swapped. Let $S_n$ denote the set of all possible such strings. Further, let $O_n$ denote the set of strings in $S_n$ with an odd number of H, and $E_n$ denote the set of strings with an even number of H.

Proof of Claim. For the base case of n = 1, this directly follows from Lemma 1, since the two messages swap with probability 0.5. We have S(1) = {H, T}.

By inductive hypothesis, after h trials we have $|O_h| = |E_h|$. For the (h + 1)-th trial, the two messages switch their order with probability 0.5 (by Lemma 1), which corresponds to two possible outcomes H and T. Therefore $O_{h+1}$ will contain all the strings from $O_h$ concatenated with T at the tail, plus all the strings from $E_h$ concatenated with H at the tail. Similarly, $E_{h+1}$ will contain all the strings from $O_h$ concatenated with H at the tail, plus all the strings from $E_h$ concatenated with T at the tail. In other words,

where || denotes the concatenation operation. And that concludes our inductive proof. ⋄

Finally, ϕ(k) denotes the probability that the two messages are not swapped. Therefore, according to Theorem 1, (24)

And that completes the proof of our lemma.
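The relation in Lemma 5 can be checked numerically. The added Monte Carlo sketch below (not code from the paper) assumes sender delays $x_0, y_0$ drawn from Exp($\lambda_u$), per-hop delays drawn from Exp(λ), zero link delay, and that two messages meet on a hop when their residence intervals on that hop overlap; function names and parameter values are illustrative.

```python
import random


def run_pair(k, lam, lam_u, rng):
    """One run of two messages on the same k-hop path. Returns (met, swapped)."""
    # Sender-side delays x_0, y_0: the times at which each message enters hop 1.
    x_in = rng.expovariate(lam_u)
    y_in = rng.expovariate(lam_u)
    x_entered_first = x_in < y_in
    met = False
    for _ in range(k):
        x_out = x_in + rng.expovariate(lam)   # independent exponential delay per hop
        y_out = y_in + rng.expovariate(lam)
        # The messages meet on this hop if both are held by the node at some instant.
        if x_in < y_out and y_in < x_out:
            met = True
        x_in, y_in = x_out, y_out             # constant (here zero) link delay
    swapped = (x_in < y_in) != x_entered_first
    return met, swapped


def estimate(k, lam, lam_u, trials=200_000, seed=7):
    """Estimate phi(k) (probability that the order is preserved, i.e. the FIFO
    guess is right), Pr[M], and the right-hand side Pr[not M] + Pr[M] / 2."""
    rng = random.Random(seed)
    meets = swaps = swaps_without_meeting = 0
    for _ in range(trials):
        met, swapped = run_pair(k, lam, lam_u, rng)
        meets += met
        swaps += swapped
        swaps_without_meeting += swapped and not met
    p_meet = meets / trials
    return {
        "phi": 1.0 - swaps / trials,
        "p_meet": p_meet,
        "lemma5_rhs": (1.0 - p_meet) + 0.5 * p_meet,
        "p_swap_given_meet": swaps / meets if meets else 0.0,
        "swaps_without_meeting": swaps_without_meeting,
    }


if __name__ == "__main__":
    lam = 1.0                                  # constructed sample parameters
    for rho in (1.0, 4.0):
        for k in (1, 3, 20):
            r = estimate(k, lam, rho * lam, trials=100_000)
            print(f"rho={rho:.0f} k={k:2d}  phi={r['phi']:.4f}  "
                  f"Pr[not M] + Pr[M]/2={r['lemma5_rhs']:.4f}  "
                  f"Pr[swap | M]={r['p_swap_given_meet']:.4f}")
```

In every run the count of swaps without a meeting is zero, matching the first observation of the proof, and the estimated swap probability conditioned on M stays near 0.5 for every k.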
A.6. Proof of Theorem 5

Proof. Analogous to the proof of Theorem 4, let us define the following two quantities:
• T is a random variable that denotes the total number of times the two challenge messages have overlapping delays on a hop. In $\mathrm{CCM}_{k,\lambda}$, the two messages would meet in such a condition; however, in $\mathrm{MCM}_{k,\lambda}$ the two messages might still end up choosing different nodes for the hop and not meet each other. If T = 0, the two messages definitely do not meet, and the adversary definitely wins.
• F(t) denotes the probability that, for t randomly chosen hops from the path of one challenge message, the other challenge message does not choose the same nodes for those hops or the node is compromised whenever they choose the same node.

Since each layer is independent of other layers in the mixnet, $F(t) = F(1)^t$. If V denotes the event that the two messages choose the same node for a given hop, and W denotes the event that the chosen node is honest,

Let us denote δ* as the error for pairwise unlinkability provided by $\mathrm{CCM}_{k,\lambda}$ when the adversary does not compromise any nodes. We know from Theorem 3 that $\delta^* = \frac{1}{2} \times \Pr[\neg M]$. For our current scenario, we can say the following about the event M′ that the messages 'mix' with each other: (25)

From the above equation we can say,

Therefore, the protocol $\mathrm{CCM}_{k,\lambda}$ with at most c compromised nodes provides pairwise unlinkability with an error bounded by δ ≤ 1
• A can terminate the game any time by outputting a bit $b^*$. The game returns a bit which is 1 if and only if the following conditions hold true:
  C.1 $|I_{\mathrm{corr}}| \le c \cdot |I|$ (i.e., no more than a c fraction of mixing nodes are corrupted).
  C.2 $b^* = b$ (i.e., A guesses correctly).

Figure 3: The User Unlinkability game for protocol Π with N users against adversary A that corrupts up to a fraction of c mixing nodes.
• A can terminate the game any time by outputting a bit $b^*$. The game returns a bit which is 1 if and only if the following conditions hold true:
  C.1 $|I_{\mathrm{corr}}| \le c \cdot |I|$ (i.e., no more than a c fraction of mixing nodes are corrupted).
  C.2 $b^* = b$ (i.e., A guesses correctly).

Figure 4: The Pairwise Unlinkability game for protocol Π with N users against adversary A that corrupts up to a fraction of c mixing nodes.

Figure 5: Analysis of the adversarial success probability of CCM k,λ,λu and MCM k,λ,λu in different settings.
and A.2. For every n ∈ N and k ∈ $\mathbb{Z}^+$, it holds that 3.

6.2.2. Pairwise Unlinkability of $\mathrm{CCM}_{k,\lambda,\lambda_u}$ against static corruptions. We analyze the level of anonymity that the cascade continuous mix-net provides against adversaries that (statically) corrupt a certain number of mixing nodes. Formally, we prove the following theorem.

Theorem 4. Let k be a non-negative integer, c ∈ [0, 1), $\lambda, \lambda_u \in \mathbb{R}^+$ and $\lambda_u \ge \lambda$. The cascade continuous mixnet $\mathrm{CCM}_{k,\lambda,\lambda_u}$ provides pairwise unlinkability w.r.t. c with error δ where