Anycast messaging (i.e., sending a message to an unspecified receiver) has long been neglected by the anonymous communication community. An anonymous anycast prevents senders from learning who the receiver of their message is, allowing for greater privacy in areas such as political activism and whistleblowing. While there have been some protocol ideas proposed, formal treatment of the problem is absent. Formal definitions of what constitutes anonymous anycast and privacy in this context are however a requirement for constructing protocols with provable guarantees. In this work, we define the anycast functionality and use a game-based approach to formalize its privacy and security goals. We further propose Panini, the first anonymous anycast protocol that only requires readily available infrastructure. We show that Panini allows the actual receiver of the anycast message to remain anonymous, even in the presence of an honest but curious sender. In an empirical evaluation, we find that Panini adds only minimal overhead over regular unicast: Sending a message anonymously to one of eight possible receivers results in an end-to-end latency of 0.76s.

翻译：任播通信（即向未指定接收者发送消息）长期以来被匿名通信领域所忽视。匿名任播可防止发送者获悉其消息的接收者身份，从而在政治活动、举报等场景中实现更高程度的隐私保护。尽管已有若干协议方案被提出，但该问题缺乏形式化处理。然而，要构建具备可证明保障的协议，必须首先对匿名任播及其隐私概念进行形式化定义。本文定义了任播功能，并采用基于博弈的方法形式化其隐私与安全目标。我们进一步提出Panini——首个仅需现有基础设施即可运行的匿名任播协议。实验表明，即使面对诚实但好奇的发送者，Panini仍可确保任播消息的真实接收者保持匿名。实证评估显示，Panini相较于常规单播仅引入极小的额外开销：在8个潜在接收者中匿名发送一条消息的端到端延迟为0.76秒。