ADAT: Adaptive Dynamic Anonymity and Traceability via Privacy-Aware Random Forest and Truncated Local Differential Privacy in a Trusted Execution Environment (TEE)

Abstract

In current mobile networks, users’ identity privacy is threatened by long-term observation attacks. To resist such attacks, identity-anonymity technology has been proposed. However, existing anonymity schemes cannot adapt to diverse, dynamic business scenarios because of their rigid anonymity strategies. This leads to wasted computing and communication resources in low-risk scenarios or privacy leaks in high-risk scenarios. To address this problem, we propose an Adaptive Dynamic Anonymity and Traceability scheme based on privacy-aware random forest and local differential privacy in a Trusted Execution Environment. We first construct a convex optimization model to seek the optimal balance between privacy risk and performance cost. Subsequently, we train a privacy-aware random forest model to intelligently predict the optimal Time-To-Live of the anonymous identifier based on the real-time context. Lastly, to resist long-term observation attacks, our scheme uses a lightweight symmetric encryption algorithm to generate pseudo-random, anonymous identifiers and applies truncated local differential privacy to ensure the indistinguishability of the timing patterns of anonymous identifier updates. We formally prove that our scheme can resist long-term observation attacks. Experimental results show that, compared with fixed Time-To-Live schemes, our scheme significantly reduces the comprehensive cost while maintaining the same level of security. Furthermore, compared with traditional public-key schemes, it greatly improves the generation speed of anonymous identifiers and reduces communication costs.

1. Introduction

With the deep integration of 5G mobile internet and intelligent terminals, users are increasingly relying on mobile devices to handle sensitive transactions, such as mobile financial payments, location-based services (LBS), and remote medical consultations. However, these interactions inevitably involve a large amount of users’ identity data. By eavesdropping on communication channels or hijacking network nodes, attackers can obtain users’ private identity data, which poses a serious threat to users’ privacy [1,2]. To address this issue, identity anonymity technology has been proposed. Identity anonymity aims to sever the links between data streams and users’ real identities, ensuring that even if attackers obtain users’ transmitted data streams, they cannot identify the users’ real identities. However, malicious users may employ anonymous identities to launch cyberattacks or spread false information. Therefore, while ensuring anonymity, it is necessary to empower law enforcement agencies [3] to trace anonymous users with malicious behaviors.

To achieve a balance between anonymity and traceability, many approaches have been proposed. Early research primarily focused on k-anonymity [4,5], which hides a user in a group with k users. However, this approach is often difficult to trace user identities and is vulnerable to background knowledge attacks [6]. Consequently, cryptographic solutions have gained increasing attention. Group signature schemes [7,8,9] allow users to sign on behalf of the group while allowing designated administrators to reveal users’ true identities when necessary. To eliminate reliance on centralized trusted authorities, ring signcryption [10,11] has also been widely adopted, enabling decentralized, traceable anonymity [12,13].

Despite these advancements, existing traceable anonymity schemes still face two significant challenges. One is the “privacy–performance trade-off”. Current schemes generally rely on public-key cryptography, such as group or ring signatures. Due to high computational costs, the public-key-based schemes are unsuitable for resource-constrained edge devices. The other one is the “one-size-fits-all” anonymity strategies, failing to adapt to changes in different business scenarios or privacy risks. These inflexible schemes waste significant computational resources in low-risk scenarios and incur privacy leakages in high-risk scenarios. Moreover, the fixed update patterns of their anonymous IDs also make them highly vulnerable to long-term observation (LO) attacks. Attackers can easily associate and deanonymize target users by statistically analyzing the update patterns of anonymous IDs over time.

To address the above challenges of “excessive computational cost” and “static, rigid anonymity strategies”, this paper proposes an Adaptive Dynamic Anonymity and Traceability (ADAT) scheme. This scheme deeply integrates context awareness, machine-learning-driven decision making, local differential privacy, and TEE to achieve secure, efficient, and adaptive dynamic anonymity. The main contributions of this paper are summarized as follows:

• Establishing a theoretical framework of the privacy–performance joint optimization: We first construct an objective function that quantifies the trade-off between privacy risk and performance cost. Then, we derive the theoretically optimal TTL using convex optimization. Subsequently, we use the theoretically optimal TTL as the label to train an offline privacy-aware random forest (PARF) model. This lightweight learning model can capture the nonlinear relationship between contextual features and the optimal anonymity strategy, providing intelligent guidance for online decision making.
• Achieving real-time adaptive anonymity decision making based on PARF: For dynamically varying network environments, we propose an online anonymity strategy prediction mechanism. This mechanism can dynamically predict the optimal TTL based on the user’s current contextual features by using a pretrained PARF model. This achieves a shift from a “fixed anonymity strategy” to a “high-precision adaptive anonymity strategy”, effectively breaking the attacker’s dependence on specific time patterns of anonymity IDs.
• Constructing an efficient execution architecture resistant to LO attacks: We design an anonymous ID execution architecture based on a TEE that integrates a truncated local differential privacy (LDP) mechanism and a high-efficiency AES-GCM encryption engine. The truncated LDP mechanism injects noise into the predicted TTL to mathematically guarantee the indistinguishability of anonymous ID update time patterns and fundamentally resist LO attacks. Experimental results show that, compared to fixed TTL schemes, ADAT reduces the comprehensive cost by 33.6% while maintaining the same security level. Compared to the state-of-the-art ring-signature-based cryptography scheme, ADAT improves the speed of anonymous ID generation by approximately three orders of magnitude and reduces communication cost by 81.6%.

The remainder of this paper is organized as follows. Section 2 reviews some related works. Section 3 introduces the necessary preliminaries. Section 4 outlines the system, threat, and security models. Section 5 gives the overview, construction, and security analysis of our proposed scheme, and Section 6 presents the experimental results and evaluation. Finally, Section 7 provides the discussion, and Section 8 concludes the paper.

2. Related Works

Current identity privacy protection mainly includes two categories: one is based on k-anonymity and the other is based on cryptography. For k-anonymity [4,5], it is essential to ensure that the anonymity set contains k users, and that each user’s data is indistinguishable from that of the other k − 1 users. To achieve a higher level of anonymity protection, more users’ data must be added to the anonymity set, potentially increasing communication costs. Furthermore, kt-anonymity typically does not support traceability and is vulnerable to background knowledge attacks [6]. For example, an attacker knows that the target possesses a rare attribute based on acquired background knowledge and can identify the target using this attribute. Therefore, to improve anonymity and achieve traceability for anonymous users, numerous cryptographic anonymity protection schemes have been proposed.

Cryptographic traceable anonymity schemes are generally divided into group signature and ring signature schemes. Group signature schemes [7,8] can determine whether a signer is a member of a group, but cannot determine their real identities. Simultaneously, it can make the authorized administrator reveal the signer’s identity when traceability is needed. Therefore, the group signature technology is widely used in traceable anonymity schemes. Cai et al. [9] presented a bilinear pairing-based group signature scheme. It achieves both anonymity and traceability without frequent certificate or public-key updates, making it particularly suitable for heterogeneous networks. To prevent a single group administrator from being compromised as a malicious node, Devidas et al. [14] used a decentralized group signature method based on the discrete logarithm problem to achieve anonymity and traceability. Xu et al. [15] combined the group signature algorithm with the certificate cryptographic system [16] to implement a “one-time registration, dynamic tracking” regulatory framework, ensuring that key leakage did not compromise the security of historical signatures.

In order to eliminate the reliance on trusted authorities, increasingly more researchers have started to use ring signcryption [10,11] for anonymization and traceability. Wei et al. [11] designed a traceable and anonymous scheme based on a ring signature. In this scheme, the Key Generation Center (KGC) can identify the real sender within the ring by pre-embedded traceability clues. Guo et al. [17] proposed a certificateless anonymity verification scheme that improves traceability efficiency via batch verification. Liu et al. [12] proposed a linkable ring signature scheme. This scheme achieves information–theoretic anonymity while ensuring traceability by verifying whether multiple signatures are from the same signer. The anonymous scheme proposed by Cai et al. [18] caused malicious users to destroy traceability by manipulating traceable parameters. Therefore, Zhan et al. [13] designed a secure traceability scheme, EMMCRS, based on ring signcryption, which rejects any attempts to manipulate the tracking parameters. The scheme implements three different levels of message anonymity: full anonymity, linkable anonymity, and revocable anonymity. The sender can flexibly choose the appropriate mode according to the message category or the receiver’s specific requirements.

However, the above schemes mostly use public-key encryption for anonymity and traceability, which results in high computational cost and low efficiency. Furthermore, they typically employ fixed anonymity protection strategies that cannot be adjusted to different scenarios. This leads to overprotection in low-risk contexts—which wastes considerable computational resources—and inadequate protection in high-risk scenarios—which risks information leakage. Therefore, it is an urgent issue to adaptively adjust anonymity protection strategies based on different scenarios to balance anonymity and performance.

3. Preliminaries

3.1. Trusted Execution Environment (TEE)

A Trusted Execution Environment (TEE) [19,20] is a technology that provides a hardware-isolated execution zone within a computing device. The purpose of this zone is to ensure that computing operations within it can be protected, enabling the secure execution of data and code. TEE creates a trusted isolation zone based on a combination of hardware security modules and software controls. This zone is typically not directly accessible to external software, operating systems, or attackers, thereby ensuring the confidentiality and integrity of data and computing processes.

TEE can provide trusted code execution and data protection. Even if the device’s operating system or hardware is attacked, the data and applications in the TEE can still remain secure. At present, TEE technology has been widely adopted by multiple hardware platforms and processor manufacturers, such as ARM’s TrustZone and Intel’s SGX.

In practical applications, TEE not only provides higher security but also improves performance through a dedicated hardware acceleration module. It is widely used in high-security environments, such as online payments and identity authentication, and plays a vital role in ensuring data security.

3.2. Random Forest

Random forest [21,22] is a machine learning method commonly used for classification or regression, which is widely used in recommendation systems and anomaly detection [23]. Random forest adopts an ensemble learning approach. It consists of multiple randomized decision trees; each is a classifier, and across N trees there will be N classification results. Random forest selects its result with the most votes in these N classification results as its final output, which is the bagging idea of random forest.

During the training phase, random forest samples from the original dataset are used to train each decision tree of the random forest independently. During the prediction phase, the data samples to be classified are fed into each decision tree of the random forest in parallel. Next, the random forest integrates the prediction results of all decision trees and takes the classification result with the most votes as its final output. Random forest can effectively capture the influence of single variables or multivariate interactions, and is particularly suitable for processing high-dimensional data.

4. System, Threat, and Security Model

4.1. System Model

The system architecture of ADAT involves three distinct entities, as illustrated in Figure 1.

• User Equipment (UE): The UE is the terminal device used by the data owner and holds the user’s real identity $RID$. The UE can capture the current context vector $\mathbf{x}$ (e.g., sensitivity, frequency, time period) and initiate anonymous service requests.

  -

  AMS-TEE: To ensure security, the UE hosts the Anonymity Management System (AMS-TEE) within a hardware-isolated Trusted Execution Environment (TEE). The AMS-TEE is inaccessible to the UE’s OS or external attackers. The AMS-TEE is responsible for: (1) maintaining a globally symmetric system Key $K_{sys}$ and using $K_{sys}$ to generate the dynamic anonymous identity $AID$; (2) keeping PARF model parameters ${\mathcal{M}}_{RF}$ and using these parameters to execute the PARF inference.

• Service Provider (SP): The SP is an untrusted or semi-trusted server. It receives anonymous request data packets (containing $AID$ and data) from the UE and provides corresponding services.
• Trusted Authority (TA): The TA generates the system symmetric key $K_{sys}$ and is a strictly regulated entity. It possesses the privilege to audit or trace users by decrypting $AID$ using $K_{sys}$ only under authorized conditions.

4.2. Threat Model

The adversary $\mathcal{A}$ is modeled as a global, polynomial-time passive attacker. The adversary’s capabilities and goals are defined as follows:

• Capabilities: $\mathcal{A}$ has global eavesdropping capabilities, and can monitor all encrypted traffic transmitted over the public channels between the UE and SP. Specifically, $\mathcal{A}$ can observe the anonymous IDs and their update time patterns. However, we assume the TEE is secure, and $\mathcal{A}$ cannot access the TEE.
• Goals: The primary objective of $\mathcal{A}$ is to break the unlinkability of the anonymous sessions. By performing long-term observation (LO) attacks, $\mathcal{A}$ attempts to correlate distinct anonymous IDs ($AI{D}_i,AI{D}_j$) to the same underlying user ($RID$) by exploiting the specific frequency fingerprints (i.e., the regularity of TTL expiration) exposed during AID updates.

4.3. Security Model

To formally evaluate the security of ADAT, we define the $ϵ$-local differential privacy as follows.

Definition 1

($ϵ$-local differential privacy [24]). Suppose a randomized scheme $\mathcal{M}$, it satisfies ϵ-local differential privacy if for any two inputs $x,x^{\prime }\in \mathcal{X}$ and any output $y\in \mathcal{Y}$, the following double-sided inequality holds:

$$e^{-ϵ}Pr[\mathcal{M}\left(x^{\prime }\right)=y]\le Pr[\mathcal{M}\left(x\right)=y]\le e^{ϵ}Pr[\mathcal{M}\left(x^{\prime }\right)=y],$$

(1)

where $ϵ\in [0,+\infty )$ is the privacy budget parameter indicating the strength of privacy protection.

5. Proposed Scheme

In this section, we propose an Adaptive Dynamic Anonymity and Traceability (ADAT) scheme based on privacy-aware random forest (PARF) [21,22,23] and local differential privacy (LDP), which is executed in a Trusted Execution Environment (TEE). First, we provide an overview of ADAT. Next, we offer a detailed description of the ADAT construction. Lastly, we conduct a security analysis for our ADAT.

5.1. Overview

To address the privacy–performance trade-off of anonymous IDs, we propose an Adaptive Dynamic Anonymity and Traceability scheme, ADAT, as shown in Figure 2. The core design idea of ADAT lies in the deep integration of dynamic context awareness, machine-learning-driven intelligent decision making, local differential privacy protection, and hardware-enforced secure execution. First, ADAT constructs a privacy–performance joint optimization objective function and derives the theoretically optimal Time-To-Live (TTL) using convex optimization. Using the optimal TTL as the training label and collecting historical context information, an offline privacy-aware random forest model is trained to provide the optimal TTL for the PARF model. Then, based on the extracted current context feature vector $\mathbf{x}$ and the pretrained privacy-aware random forest (PARF) model, the optimal TTL is accurately predicted in real-time online within the TEE. Finally, AES-GCM encryption is used to protect the user’s real identity, and a truncated local differential privacy mechanism is used to add noise to the online-predicted optimal TTL to prevent attackers from identifying the user’s real identity by observing the time-update patterns of anonymous IDs.

5.2. Our Construction

The ADAT primarily consists of three tightly coupled parts: offline optimization and training, online adaptive intelligent decision making, and dynamic anonymous ID (AID) generation and traceability.

5.2.1. Offline Optimization and Training

This phase is executed within the TEE, which aims to construct an intelligent decision engine capable of dynamically adjusting anonymity strategies. First, based on the feature vector $\mathbf{x}=(s,m,t)$ (business scenario sensitivity s, access frequency m, and time period t) of historical contextual data, a privacy risk function R and a performance cost function C have been established. By minimizing the comprehensive cost $J\left(\tau \right)=\alpha R+(1-\alpha )C$ with $\alpha \in [0,1]$, an analytical solution for the optimal TTL ${\tau }^{*}$ is derived based on convex optimization theory. Subsequently, the optimal TTL $\tau$ is used as the training label to train a privacy-aware random forest (PARF) model. The PARF employs a cost-decreasing gain criterion during node splitting, ensuring the decision tree structure directly serves to minimize the comprehensive cost.

Step 1: Cost Modeling and Optimal TTL Derivation.

• Input: Extract input features $\mathbf{x}=(s,m,t)$ from historical context data. The vector $\mathbf{x}$ is a 3-dimensional vector, including business scenario sensitivity s, access frequency m, and time period t.
• Modeling: Construct a privacy leakage risk function $R(\mathbf{x},\tau )$ and a performance cost function $C\left(\tau \right)$.

  $$R(\mathbf{x},\tau )={\omega }_{s}S\left(s\right)+{\omega }_{m}log(1+m)+{\omega }_{\tau }\tau ,$$

  (2)

  $$C\left(\tau \right)=\beta {\displaystyle \frac{1}{\tau }}+\gamma ,$$

  (3)
  For the risk function $R(\mathbf{x},\tau )$, $S\left(s\right)$ denotes the normalized sensitivity, and the context vector $\mathbf{x}=(s,m,t)$ is a three-dimensional vector, where s is the business scenario sensitivity, m is the access frequency, and t represents the time period. In the risk function $R(\mathbf{x},\tau )$, the component ${\omega }_{s}S\left(s\right)$ measures the inherent privacy leakage risk determined by the data’s sensitivity; ${\omega }_{m}log(1+m)$ measures the exposure risk brought by high-frequency interactions; and ${\omega }_{\tau }\tau$ measures the exposure risk to long-term observation (LO) attacks caused by a long valid duration ($\tau$) of the anonymous ID. The parameters ${\omega }_s,{\omega }_m, \mathrm{and}{\omega }_{\tau }$ are the weighted coefficients of S, m, and $\tau$ to the privacy leakage risk, respectively, and ${\omega }_s+{\omega }_m+{\omega }_{\tau }=1$ with ${\omega }_i\in [0,1]$. Additionally, the function $C\left(\tau \right)$ measures the performance cost. A shorter TTL ($\tau$) means generating and updating anonymous IDs more frequently. Thus, the term $\beta {\displaystyle \frac{1}{\tau }}$ quantifies the cost incurred by high-frequency anonymous ID updates. The constant $\gamma$ accounts for fixed costs such as the length of the anonymous ID and basic processing. $\beta$ represents the unit cost coefficient associated with each ID update operation, and $\gamma$ represents the constant cost associated with the anonymous ID length.
• Optimization and solution: Establish the comprehensive cost objective function $J\left(\tau \right)=\alpha R+(1-\alpha )C$. Then, substitute Equations (2) and (3) into $J\left(\tau \right)$ and take the first-order partial derivative with respect to $\tau$. As a result, we can get: ${\displaystyle \frac{\partial J\left(\tau \right)}{\partial \tau }}=\alpha {\omega }_{\tau }-(1-\alpha )\beta {\displaystyle \frac{1}{{\tau }^2}}$. Finally, by setting the derivative to zero based on the convex optimization theory [25,26], we obtain the analytical solution for the theoretically optimal TTL: ${\tau }^{*}=\sqrt{{\displaystyle \frac{(1-\alpha )\beta }{\alpha {\omega }_{\tau }}}}$.

Step 2: Privacy-Aware Random Forest (PARF) Training. Train a PARF model based on the labeled dataset $\mathcal{D}=\left\{({\mathbf{x}}_i,{\tau }_i^{*})\right\}$.

• Cost-Reduction Splitting: To enable decision trees to optimize the comprehensive cost directly, we propose a Cost Reduction Gain ($\Delta J$). For any node, $\Delta J$ is defined as the average comprehensive cost difference of before and after the node split:

  $$\Delta J=J_{parent}-\left({\displaystyle \frac{N_L}{N}}{J}_L+{\displaystyle \frac{N_R}{N}}{J}_R\right),$$

  (4)

  where $J_{parent}$, $J_L$, and $J_R$ are the average comprehensive costs. Specifically, $J_{parent}$ is the baseline cost, and it is calculated over all N samples in the node before splitting. Conversely, $J_L$ and $J_R$ are the costs after applying a candidate split, and they are calculated over the specific subsets of samples routed to the left child node and the right child node. Here, N, $N_L$, and $N_R$ are not predefined constants but their corresponding sample sizes. They are dynamically calculated by counting the actual number of samples during the tree construction, strictly satisfying $N=N_L+N_R$. The larger $\Delta J$ is, the more the split reduces the comprehensive cost. During training, the algorithm iterates over all possible splitting cases and selects the feature with the largest $\Delta J$ for splitting, thereby guiding the model to minimize the comprehensive cost. For example, during training, if a historical data sample indicates a highly sensitive scenario (e.g., $s=5$ for medical data), the PARF algorithm will calculate the Cost-Reduction Gain ($\Delta J$) for different split thresholds. It will learn to split the node such that high-sensitivity samples are routed to a leaf node with a very short TTL, thereby minimizing the privacy risk component of the comprehensive cost.
• Ensemble Strategy: Train $N_{tree}$ trees and output the TTL weighted average prediction of these $N_{tree}$ trees.

  $${\widehat{\tau }}^{*}={\displaystyle \frac{1}{N_{tree}}}\sum _{j=1}^{N_{tree}}{\mathrm{Tree}}_j\left(\mathbf{x}\right).$$

  (5)
• TEE’s PARF model parameters: After training, the lightweight PARF model parameters ${\mathcal{M}}_{\mathrm{RF}}$ are encrypted and securely deployed to the device’s TEE for online decision making. Notably, ${\mathcal{M}}_{\mathrm{RF}}$ includes tree structure, splitting features, thresholds, leaf node predictions, etc.

5.2.2. Online Adaptive Decision

When a user terminal initiates an anonymous service request, the current context feature vector $\mathbf{x}$ (including business scenario sensitivity s, access frequency m, time period t, etc.) is first extracted. Under the hardware-isolation protection of the TEE, a predeployed PARF model performs a real-time inference on $\mathbf{x}$ to predict the optimal TTL ${\tau }_{curr}^{*}$ that minimizes the expected comprehensive cost J. The specific implementation process is as follows:

Step 1: Feature capture. The user device’s operating system captures the current context feature vector ${\mathbf{x}}_{curr}$, for example, “medical data, sensitivity $s=3$, and access frequency $m=high$”.

Step 2: PARF online decision. ${\mathbf{x}}_{curr}$ is transmitted to the TEE and input to the built-in PARF model. The PARF model uses it to calculate the comprehensive cost and predict the optimal TTL ${\tau }_{curr}^{*}=\mathrm{PARF}({\mathbf{x}}_{curr},{\mathcal{M}}_{RF})$.

5.2.3. Dynamic Anonymous ID Generation and Traceability

This phase is the implementation stage of the scheme. Firstly, for the user’s real identity identifier (RID), AES-GCM is used to encrypt it to generate a semantically secure anonymous ID ciphertext. Subsequently, for the optimal Time-To-Live (TTL) of the anonymous ID ciphertext, a truncated Laplace mechanism is leveraged to process it for $ϵ$-locally differential privacy ($ϵ$-LDP) and resistant to long-term observation attacks. The specific implementation process is as follows:

Step 1: System initialization. The Trusted Authority (TA) generates a global system symmetric key $K_{sys}$. When a user $U_i$ registers, the TA verifies the integrity of the user’s AMS-TEE through remote authentication and then sends $K_{sys}$ to the $U_i$’s AMS-TEE via a secure channel.

Step 2: Optimal TTL generation with $ϵ$-local differential privacy. To defend against long-term observation (LO) attacks, AMS-TEE adds noise to the deterministic optimal TTL ${\tau }_{\mathrm{curr}}^{*}$ by employing a local Laplace mechanism with global clamping. Specifically,

• Noise Parameter Settings: The noise scale b is proportional to the optimal TTL value ${\tau }_{curr}^{*}$:

  $$b={\displaystyle \frac{\delta ·{\tau }_{curr}^{*}}{ϵ}},$$

  (6)

  where $ϵ$ is the privacy budget and $\delta$ is the sensitivity factor. Here, $ϵ$ is the exact same privacy budget parameter defined in Equation (1).
• Noise Injection: We sample noise $\eta$ from the Laplace distribution $Lap(0,b)$, whose probability density function is $f\left(\eta \right)={\displaystyle \frac{1}{2b}}\exp \left(-{\displaystyle \frac{\left|\eta \right|}{b}}\right)$ and add it to ${\tau }_{curr}^{*}$, obtaining the initial noisy TTL value ${\tau }_{raw}$:

  $${\tau }_{raw}={\tau }_{curr}^{*}+\eta .$$

  (7)
• Global Clamping: To prevent ${\tau }_{raw}^{*}$ from boundary leakage and being negative or infinitely large, we clamp ${\tau }_{raw}^{*}$ to a system-wide effective range $[T_{min},T_{max}]$ (e.g., $[0.5s,60s]$). Then, we obtain the final execution TTL ${\tau }_{exe}$.

  $${\tau }_{exe}=\min (\max ({\tau }_{raw},T_{min}),T_{max}).$$

  (8)

Note that since the system boundaries always satisfy $T_{min}\le T_{max}$, the composition of the min and max clamping functions in Equation (8) satisfies the commutative property (i.e., changing the order of bounding does not affect the final output ${\tau }_{exe}$).

Step 3: Anonymous ID generation and hopping. The AMS-TEE uses AES-GCM to generate an anonymous identity $AI{D}_i={\mathrm{AES}-\mathrm{GCM}}_{Enc}(K_{sys},RID\left|\right|r_i\left|\right|T{S}_i)$, where $r_i$ is a random number and $T{S}_i$ is a timestamp. Due to the introduction of $r_i$ and $T{S}_i$, it ensures that each generated $AI{D}_i$ is completely random and unlinkable. Meanwhile, $AI{D}_i$ is only valid during the ${\tau }_{exe}$ period. After expiration of $AI{D}_i$, repeat steps 2 and 3 to regenerate a new $AI{D}_{i+1}$, obtaining the next anonymous ID.

Step 4: Traceability. When it comes to traceability, since the TA possesses the key $K_{sys}$, it can directly execute the decryption operation and obtain the real identity $RI{D}_i$:

$$RI{D}_i\left|\right|r_i\left|\right|T{S}_i={\mathrm{AES}-\mathrm{GCM}}_{Dec}(K_{sys},AI{D}_i)$$

(9)

In this phase, the AES-GCM encryption serves two critical roles. Firstly, by encrypting the user’s real identity ($RI{D}_i$) into a randomized and indistinguishable anonymous ID ($AI{D}_i$), AES-GCM ensures confidentiality. Secondly, the Galois/Counter Mode (GCM) prevents malicious users from forging or tampering with the anonymous IDs. Moreover, AES’s high-speed cryptographic operations make it essential for resource-constrained edge devices.

5.3. Security Analysis

This paper considers a global passive attacker who correlates disjoint anonymous sessions by observing and analyzing the update time patterns of anonymous IDs (i.e., TTLs). To defend against such attackers’ long-term observation (LO) attacks, our ADAT applies a truncated Laplace mechanism that satisfies $ϵ$-differential privacy to the optimal TTL value. This prevents attackers from correlating anonymous IDs based on time patterns, thereby protecting the users’ identity privacy.

Privacy Guarantee: Let $\mathcal{M}$ denote the truncated Laplace mechanism of ADAT, which consists of the following two steps:

• Noise Injection: Given the optimal TTL ${\tau }^{*}$, we generate an intermediate noisy value:

  $${\tau }_{\mathrm{raw}}={\tau }^{*}+\eta ,\mathrm{where}\eta \sim \mathrm{Lap}(0,b)\mathrm{and}b={\displaystyle \frac{\Delta }{ϵ}}$$

  (10)
  Here, the noise $\eta$ is sampled from the Laplace distribution $Lap(0,b)$, whose probability density function is $f\left(\eta \right)={\displaystyle \frac{1}{2b}}\exp \left(-{\displaystyle \frac{\left|\eta \right|}{b}}\right)$. $\Delta$ represents the sensitivity of the optimal TTL, which is the maximum absolute difference between any two possible optimal TTL values. Since the standard local Laplace mechanism satisfies $ϵ$-local differential privacy, for any two optimal TTL values ${\tau }_1^{*},{\tau }_2^{*}\in \mathbb{R}$ and any output $t\in \mathbb{R}$:

  $${\displaystyle \frac{f_{\mathrm{Lap}({\tau }_1^{*},b)}\left(t\right)}{f_{\mathrm{Lap}({\tau }_2^{*},b)}\left(t\right)}}\le e^{ϵ}$$

  (11)
• Range Truncation: To avoid TTL boundary leakage issues and ensure that the TTL value is within a reasonable range, ${\tau }_{\mathrm{raw}}$ is truncated to $[T_{\min },T_{\max }]$:

  $${\tau }_{\mathrm{exe}}=\min (\max ({\tau }_{\mathrm{raw}},T_{\min }),T_{\max })$$

  (12)
  Since the truncation operation is a deterministic function independent of the input ${\tau }^{*}$, $\mathcal{M}$ maintains $ϵ$-LDP according to the post-processing invariance of differential privacy.

Defense against LO attacks: The core assumption of long-term observation attacks is that user behavior patterns (for example, the anonymous ID update time) are unique. Through the $ϵ$-LDP guarantee, ADAT disrupts the LO attacks’ assumption as follows:

• Statistical Indistinguishability: For any two users with similar anonymous ID update time patterns, $ϵ$-LDP makes their perturbed TTL sequences statistically indistinguishable.
• Session independence: Even for the same user who has the identical anonymous ID update time pattern across different sessions, the Laplace noise injection ensures that TTL values are randomized independently for each session. This prevents an adversary from establishing correlations across sessions based on the AID update time (TTL).

Consequently, attackers cannot establish reliable correlations by observing anonymous ID update time patterns, thereby defending against long-term observation attacks.

6. Experiment and Evaluation

In this section, we have demonstrated the effectiveness of our ADAT scheme through a series of extensive experiments.

6.1. Experimental Setup

We implemented a complete ADAT system prototype in Python 3.8. This prototype integrates an offline training module (based on Scikit-learn) for strategy optimization and an online execution module for real-time decision making. To simulate a secure deployment environment for ADAT, the system’s trust root is designed as an Intel SGX 2-based TEE. For cryptographic implementation, all underlying primitives, especially AES-GCM used to generate anonymous IDs, are built using standard cryptographic libraries and uniformly configured with a 256-bit security level to ensure the high-strength security of the anonymous ID ciphertexts.

Dataset. For the experimental dataset, we use a Monte Carlo simulation to generate a large-scale synthetic dataset for the robustness evaluation. This dataset comprises 800 users and 15,000 interaction requests, strictly adhering to real-world statistical distributions, such as the Poisson distribution. The experimental data scenarios cover business types of varying sensitivity levels, such as financial transactions, health monitoring, and entertainment.

Evaluation Metrics. In experiments, we used the following metrics to evaluate the security and global trade-off efficiency of our ADAT scheme, and their specific definitions are as follows:

Definition 2

(Attack Success Rate, ASR). The ratio of the number of session pairs successfully linked by the attacker to the total number of attempted linking session pairs, calculated as:

$$\mathit{ASR}={\displaystyle \frac{N_{\mathit{success}}}{N_{\mathit{total}}}},$$

(13)

where $N_{\mathit{success}}$ denotes the number of session pairs successfully linked by the attacker and $N_{\mathit{total}}$ is the total number of session pairs attempted for linking.

Definition 3

(Comprehensive Cost). The weighted sum of normalized privacy risks and performance costs, averaged over the entire dataset. It serves as the primary metric to evaluate the global trade-off efficiency:

$${\mathit{Cost}}_{\mathit{total}}={\displaystyle \frac{1}{\left|\mathcal{D}\right|}}\sum _{i\in \mathcal{D}}\left[\alpha ·\tilde{R}({\mathbf{x}}_i,{\tau }_i^{exe})+(1-\alpha )·\tilde{C}\left({\tau }_i^{exe}\right)\right],$$

(14)

where $\mathcal{D}$ denotes the test dataset, ${\tau }_i^{exe}$ is the actual executed TTL (after DP perturbation), and $\tilde{R}$ and $\tilde{C}$ are the normalized privacy risk and performance cost, respectively.

6.2. PARF Model Performance

6.2.1. Dataset Analysis and Ablation Study

Dataset Analysis. The synthetic dataset used for modeling contains 15,000 interaction requests. Contextual features follow real-world statistical distributions. For example, access frequency (m) is modeled using a Poisson distribution. Moreover, to reflect dynamic fluctuations in user behavior, sensitivity (s) is biased with Gaussian noise.

Model Evaluation and Ablation Study. To evaluate the PARF model’s accuracy and necessity, we conducted an ablation study. In this study, we use the coefficient of determination ($R^2$) as an evaluation metric.

The PARF model achieved high prediction accuracy with $R^2$ of 0.942 on the test set. As a comparison, we removed the ensemble mechanism and retained only a single decision tree. The results presented in Figure 3a show that $R^2$ decreased significantly to 0.875. This proves that the ensemble learning approach of PARF is crucial for ensuring stable, accurate predictions of anonymity strategies.

6.2.2. Feature Importance and Correlation Analysis

To verify the logical correctness of the PARF model, we tested 10 features that play an important role in PARF decision making, as well as their correlations.

Feature importance. We listed the 10 features that contributed most to the model’s decision-making process and obtained their importance scores, as shown in Figure 3b. The results indicate that dominant performance metrics, such as the reciprocal of TTL ($1/\tau$), the optimal TTL, and the TTL category, have the highest importance scores. This perfectly matches that performance cost is inversely proportional to TTL, as shown in Equation (3). Meanwhile, it also confirms that the PARF model successfully captures the main drivers of system performance cost. Similarly, privacy risk-related features, such as the Sens TTL ratio and weighted sensitivity, also rank highly. These results demonstrate that ADAT’s PARF model not only focuses on performance metrics but also considers privacy risk factors.

Correlation analysis. To validate the correctness of the privacy-aware random forest (PARF) model, we analyzed the Pearson correlation coefficients between key feature variables, as illustrated in Figure 3c. The results show that the optimal TTL has a significantly negative correlation ($r=-0.85$) with the privacy risk, confirming that the PARF model correctly drives the system to reduce TTL as privacy risk increases. Similarly, the optimal TTL also has a strong negative correlation ($r=-0.58$) with the scene sensitivity, indicating that the PARF model correctly enlarges TTL to decrease performance cost. These statistical results effectively ascertain the correctness of the Random Forest (PARF) model. Moreover, from the results that comprehensive cost exhibits strong positive correlations with privacy risk ($r=0.99$) and performance cost ($r=0.94$), the correctness of the PARF model is further verified.

6.3. Comprehensive Cost and Adaptability Analysis

We compared ADAT with a baseline fixed-TTL strategy to evaluate the trade-off between privacy and performance in the PARF model. Furthermore, to validate the PARF model’s adaptability, we tested its TTL distribution across different scenarios.

Comprehensive cost comparison. To verify ADAT’s advantages in terms of balancing privacy and performance, we compare its comprehensive cost with that of the benchmark strategy (fixed TTL = 1 s), providing the same level of security across all scenarios. As shown in Figure 4a, ADAT’s comprehensive cost is 0.197, representing a significant reduction of 33.6% compared to the benchmark strategy (0.297). This result demonstrates that ADAT can achieve a better balance between privacy and performance than the fixed TTL strategy. The reason is that ADAT can intelligently identify scenarios with different risk levels and can allocate more suitable TTLs adaptively. Thus, ADAT avoids the severe waste of computation and communication caused by the fixed TTL “one-size-fits-all” strategy.

Scenario adaptability. Figure 4b illustrates the TTL’s adaptive distribution of the PARF model under different business scenarios. In high-risk scenarios such as financial and health, the TTL distributions are very compact and maintain a mean of less than two seconds, indicating the stringent privacy security requirements of users in high-risk business scenarios. In low-risk business scenarios such as entertainment, the TTL distribution range is wider, and the mean is larger (>8 s), reflecting the emphasis on and high requirements for performance cost in low-risk scenarios. Through the TTL distributions of business scenarios, it is demonstrated that ADAT can adaptively adjust the TTL value according to the privacy and performance requirements of the business scenarios, achieving “on-demand anonymity”.

6.4. Empirical Security Analysis Against LO Attacks

While Section 5 theoretically proves the IND-LO security of ADAT, this section empirically evaluates LO attacks through extensive simulations. To empirically validate the mathematical threat model defined in Section 4.2, we simulated a persistent adversary who attempts to link consecutive anonymous IDs to the same user by analyzing the time patterns of ID updates. By measuring the attack success rate (ASR), we quantitatively validate the system’s defensive capabilities.

Sensitivity analysis of local differential privacy. To effectively defend against LO attacks, we use local differential privacy to protect the time update pattern (TTL) of anonymous IDs. To obtain the optimal differential privacy parameter, we assessed the performance cost and attack success rate (ASR) under different privacy budgets $ϵ$, as shown in Figure 5a. As the blue dashed line shows, the attack success rate (ASR) generally grows as $ϵ$ increases. Due to less noise on the TTL of anonymous IDs as $ϵ$ becomes larger, it makes attackers identify the real identity of anonymous IDs with higher probability based on the time patterns. Conversely, the performance cost tends to be stable as $ϵ$ increases, as shown by the red solid line in Figure 5a. To balance security and performance, we identify an equilibrium point at $ϵ=1.0$. Therefore, it is rational to choose $ϵ=1.0$ as the default parameter.

Attack success rate by strategy. As illustrated in Figure 5b, we compared the attack success rate (ASR) of ADAT against three baseline strategies: Fixed-Low ($TTL=20$ s), Fixed-medium ($TTL=10$ s), Fixed-High ($TTL=3$ s), and a Random strategy. The results show that our ADAT maintains a low ASR, outperforming the Fixed-Low, Fixed-Medium, and random strategies. This is because our ADAT introduces truncated Laplace noise, breaking the determinism of TTL. This design makes it impossible for attackers to predict the next ID update time accurately and prevents attackers from linking the same user’s anonymous ID by observing time-series information. Meanwhile, the ADAT’s ASR is only 0.1% lower than the most aggressive “Fixed-High” strategy, but without the high-frequency update cost that the “Fixed-High” strategy always introduces. These experimental results confirm the effectiveness of ADAT in preventing LO attacks and are consistent with our theoretical IND-LO proof.

6.5. Cryptographic Cost Analysis

We have conducted a comparative analysis between our ADAT and the state-of-the-art certificate-free ring signature scheme EMMCRS [13]. Considering that EMMCRS can form an effective anonymity set when $n\ge 6$ (n denotes the number of ring members), and its computational complexity increases linearly with n, we selected EMMCRS with $n=6$ as a reference. To provide a comprehensive evaluation, we analyzed encryption costs across multiple dimensions and summarized the results in

Table 1. Cryptographic costs of our ADAT VS. EMMCRS [13].

Metric	EMMCRS	Our ADAT	Improvement
Computational Time	≈104 ms	<0.1 ms	≈1000× Faster
Communication Size	348 Bytes	64 Bytes	$81.6\%$ Reduction
Resource Utilization	High (Pairings)	Low (AES-NI)	Highly Efficient
Key, Ciphertext & Sig. Size	Large Ring Sig.	256-bit Key, 64B Ciphertext, 0 Sig.	Eliminated Sig. cost
Scalability	Linear $\mathcal{O}\left(n\right)$	Constant $\mathcal{O}\left(1\right)$	Density-Independent

.

Computational Time. The generation time for a single anonymous ID is drastically reduced from 104.17 ms for EMMCRS to <0.1 ms for ADAT. These results indicate that ADAT provides a speedup of approximately three orders of magnitude. This improvement is attributed to ADAT’s use of the efficient AES-GCM algorithm and its full utilization of modern processor hardware instruction set optimizations (such as AES-NI). In contrast, EMMCRS uses computationally expensive bilinear pairing operations.

Communication Size. The ADAT’s anonymous ID ciphertext is approximately 64 bytes long, which consists of a 32-byte AES-GCM ciphertext, a 16-byte tag, a 12-byte IV, and a 4-byte timestamp. Even compared with EMMCRS in fully anonymous mode, with a minimum communication cost of 348 bytes, ADAT still achieves an 81.6% reduction in communication cost. This is mainly because ADAT abandons the complex ring signature structure and instead adopts a highly efficient symmetric encryption mechanism based on TEE.

Resource Utilization (CPU and Energy Consumption). ADAT employs the AES-GCM encryption algorithm, which is hardware-friendly and supports AES-NI instruction sets. This results in an extremely low CPU/memory footprint and energy consumption. In contrast, EMMCRS relies on computationally intensive pairing operations, leading to high CPU load and high energy consumption, which is detrimental to resource-constrained edge devices.

Key, Ciphertext, and Signature Size. ADAT uses a 256-bit symmetric key and limits ciphertext to 64 bytes. Since ADAT utilizes symmetric authentication rather than traditional public-key signatures, it eliminates the high transmission and storage costs of the large ring signatures used in EMMCRS.

Scalability. The computational complexity of EMMCRS increases linearly with the required anonymity set size (n) ($\mathcal{O}\left(n\right)$). However, the ADAT is unrelated to the anonymity set size, and maintains a constant $\mathcal{O}\left(1\right)$ complexity. This demonstrates ADAT has excellent scalability.

Therefore, ADAT minimizes the system resources consumed by encryption operations, thereby achieving extremely high scalability and making it particularly suitable for high-concurrency, resource-constrained edge network scenarios.

7. Discussions

Applicable Scenarios. ADAT is well-suited for highly mobile and resource-constrained edge networks, such as vehicular ad hoc networks (VANET) and Internet of Things (IoT) systems. In these scenarios, devices require extremely low-latency authentication and dynamically adjust privacy protection levels based on varying context risks.

Implementation and Challenges. ADAT’s implementations rely on modern hardware supporting TEEs, such as Intel SGX or ARM TrustZone. However, deploying this architecture faces numerous challenges, for example, secure key configuration and a secure isolation zone to avoid potential hardware-side channel attacks.

Future Directions. In the future, we plan to address privacy issues when collecting historical context data for PARF training. Furthermore, we will integrate Federated Learning (FL) with ADAT to collaboratively train PARF models locally without uploading raw context data to a centralized server.

8. Conclusions

In this paper, we propose ADAT to address the trade-off between privacy protection and performance cost in the anonymity field. Firstly, the theoretically optimal TTL is obtained by the privacy–performance joint optimization, and an offline privacy-aware random forest (PARF) model is trained based on the theoretically optimal TTL and contextual features. Secondly, ADAT intelligently and dynamically adjusts the Time-To-Live (TTL) strategies for anonymous IDs based on the pretrained PARF model. Finally, the scheme uses lightweight AES-GCM and truncated local differential privacy to ensure the security of anonymous IDs and defend against long-term observation (LO) attacks. Security analysis shows our ADAT resistance to LO attacks. Furthermore, experimental results show that our scheme reduces the comprehensive cost by 33.6% compared with fixed Time-To-Live schemes under the same security level. Compared with traditional public-key schemes, it improves the speed of anonymous identifier generation by approximately three orders of magnitude and reduces communication costs by 81.6%.