Reliable and Private Anonymous Routing for Satellite Constellations
Nilesh Vyas, Fabien Geyer, Svetoslav Duhovnikov
TL;DR
The paper tackles metadata privacy in dynamic, shared LEO satellite networks by extending the Loopix mixnet with three core techniques: multi-path transmission using $(n,k)$ erasure codes to tolerate link volatility, a private route discovery protocol built on BFV-based Private Information Retrieval, and adaptive, centrality-aware delays to counter topology-driven traffic centralization. The approach yields near-zero message loss in simulation, feasible PIR latency (sub-2 seconds in optimized configurations for large route databases), and a practical path toward deployable high-anonymity communication on large commercial infrastructures. Theoretical models quantify entropy under mix-node and path compromise, while extensive simulations in a 631-satellite OneWeb-like constellation demonstrate the trade-offs between anonymity, reliability, and overhead. Collectively, the work provides a validated blueprint for securely multiplexing sensitive operations within time-variant, multi-tenant satellite networks, with explicit guidance on system parameters, scalability, and potential future enhancements such as predictive routing and advanced cryptographic PIR variants.
Abstract
Shared, dynamic network infrastructures, such as dual-use LEO satellite constellations, pose critical threats to metadata privacy, particularly for state actors operating in mixed-trust environments. This work proposes an enhanced anonymity architecture, evolving the Loopix mix-network, to provide robust security and reliability in these volatile topologies. We introduce three primary contributions: (1) A multi-path transport protocol utilizing $(n, k)$ erasure codes, which is demonstrated to counteract the high link volatility and intermittent connectivity that render standard mix-networks unreliable. (2) The integration of a computationally efficient Private Information Retrieval (PIR) protocol during route discovery. (3) The introduction of adaptive, centrality-based delay strategies that efficiently mitigate the inherent topological bias of LEO networks, providing a superior anonymity-to-latency trade-off. This mechanism provably prevents metadata leakage at the user-provider directory, mitigating profiling and correlation attacks. We validate this architecture via high-fidelity, packet-level simulations of a LEO constellation. Empirical results show our multi-path transport achieves near-zero message loss, establishing a quantifiable trade-off between reliability and bandwidth overhead. Furthermore, microbenchmarks of the PIR protocol quantify its computational and latency overheads, confirming its feasibility for practical deployment. This work provides a validated blueprint for deployable high-anonymity communication systems, demonstrating the viability of securely multiplexing sensitive operations within large-scale commercial network infrastructures.
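The $(n, k)$ erasure-coded multi-path idea from the abstract, as an added example that is not code from the paper: a message is split into $n$ fragments, one per path, and any $k$ that arrive rebuild it, at a bandwidth overhead of $n/k$. The page does not name the code the authors use, so the Reed-Solomon-style construction over GF(257), the function names, and the choice $n=5$, $k=3$ are assumptions made for illustration.

```python
P = 257  # assumption: smallest prime above 255, so every byte is a field element

def _interp(points, x):
    """Evaluate at x the unique degree < k polynomial through points (mod P)."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def encode(message: bytes, n: int, k: int):
    """Return ({path index: symbols}, original length); any k fragments decode."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    padded = message + bytes(-len(message) % k)  # zero-pad to a multiple of k
    frags = {x: [] for x in range(1, n + 1)}
    for off in range(0, len(padded), k):
        # Systematic layout: data bytes are the polynomial's values at x = 1..k,
        # fragments k+1..n carry extra evaluations (parity, may equal 256).
        block = list(enumerate(padded[off:off + k], start=1))
        for x in frags:
            frags[x].append(_interp(block, x))
    return frags, len(message)

def decode(received: dict, k: int, length: int) -> bytes:
    """Rebuild the message from at least k surviving fragments."""
    if len(received) < k:
        raise ValueError(f"only {len(received)} fragments arrived, need {k}")
    xs = sorted(received)[:k]
    out = bytearray()
    for col in range(len(received[xs[0]])):
        pts = [(x, received[x][col]) for x in xs]
        out.extend(_interp(pts, x) for x in range(1, k + 1))
    return bytes(out[:length])

def demo():
    msg = b"constructed sample payload"  # constructed input
    frags, length = encode(msg, n=5, k=3)
    # Paths 2 and 4 drop their fragment (e.g. a link outage); three survive.
    survivors = {x: frags[x] for x in (1, 3, 5)}
    return decode(survivors, 3, length)
```

Raising $n$ for a fixed $k$ tolerates more lost paths but sends $n/k$ times the payload, which is the reliability versus bandwidth trade-off the abstract refers to.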
