2026-ratliff-mirage

Mirage: Private, Mobility-based Routing for Censorship Evasion

Zachary Ratliff, Ruoxing (David) Yang, Avery Bai, Harel Berger, Micah Sherr, James Mickens · Network and Distributed System Security · 2026

canonical link →

Tags

censors: generic
techniques: dpi flow-correlation
defenses: domain-fronting decoy-routing

findings extracted from this paper

MIRAGE's differentially private routing function provably bounds adversary inference: for a routing protocol satisfying ε-DP with ε = ln(4), any hypothesis test achieving a true positive rate of 80% necessarily incurs a false positive rate of at least 20%. The TPR-to-FPR ratio is bounded by e^ε for any ε-DP routing function, providing a formal privacy guarantee against routing-level statistical disclosure attacks.

§V–VI defense generic
Embedding explicit TTL values in mesh-routed messages leaks proximity information — a recipient can infer that a high-TTL message originator was recently nearby. MIRAGE mitigates this with memoryless TTLs: carriers independently discard messages with probability q per epoch, implementing a branching process with replication factor R ≤ nmax·(1−q). Setting q > 1 − 1/nmax ensures sub-critical message extinction with expected lifetime ≈ −ln(nmax)/ln(R) epochs.

§VI-C defense traffic-shape generic
MIRAGE delivers 15× more messages than random-walk protocols and significantly outperforms probabilistic flooding in delivery rate. On the pedestrian YJMob100K dataset at p=0.6, MIRAGE achieved a delivery rate of 36.9%, compared to 9.1% for probabilistic flooding (4.1×) and 3.2% for handoff (11.5×). MIRAGE incurs substantially lower network load than maximal flooding (86.9% delivery) while maintaining better delivery rates than all non-flooding baselines.

§VII-B evaluation generic
The PPBR (probabilistic profile-based routing) protocol leaks user community membership through observable routing decisions: in a controlled experiment with 800 majority and 200 minority users, a statistical disclosure attack achieved a true positive rate of 100% and false positive rate of 0% when identifying minority users. Even under a conservative PPBR configuration (top 1/3 fraction acceptance), the attack achieved 100% TPR and only 0.4% FPR.

§V detection ml-classifiertraffic-shape generic
MIRAGE constructs a global mobility graph using locally differentially private per-user submissions, requiring only O(ln(|M|/β) / (α²ε²)) users to achieve per-edge accuracy α with probability 1−β. For a 100-district map with ε=0.05 and α=0.5, fewer than 1 million users suffice for top-2 district reporting; for top-3 districts the requirement drops to under 200K users.

§VI-B defense generic