Cryptographic Shallots: A Formal Treatment of Repliable Onion Encryption

Abstract

Onion routing is a popular, efficient, and scalable method for enabling anonymous communications. To send a message m to Bob via onion routing, Alice picks several intermediaries, wraps m in multiple layers of encryption—a layer per intermediary—and sends the resulting onion to the first intermediary. Each intermediary peels off a layer of encryption and learns the identity of the next entity on the path and what to send along; finally Bob learns that he is the recipient and recovers the message m.

   Despite its wide use in the real world, the foundations of onion routing have not been thoroughly studied. In particular, although two-way communication is needed in most instances, such as anonymous Web browsing or anonymous access to a resource, until now no definitions or provably secure constructions have been given for two-way onion routing. Moreover, the security definitions that existed even for one-way onion routing were found to have significant flaws.

   In this paper, we (1) propose an ideal functionality for a repliable onion encryption scheme; (2) give a game-based definition for repliable onion encryption and show that it is sufficient to realize our ideal functionality; and finally (3), our main result is a construction of repliable onion encryption that satisfies our definitions.

A Security Game for Variants (b) and (c)

Variant (b). Below, we provide a description of steps 4 and 5 of the repliable-onion security game, \(\mathsf {ROSecurityGame}\), in Sect. 4 for case (b).

1. 4.

   \(\mathcal {A}\) chooses a label \(\ell \in \mathcal {L}(1^\lambda )\) and a message \(m \in \mathcal {M}(1^\lambda )\). \(\mathcal {A}\) also chooses a forward path \(P^{\rightarrow }= (P_1, \dots , P_d)\) and a return path \(P^{\leftarrow }= (P_{d+1}, \dots , P_s)\) such that (i) if \(P^{\leftarrow }\) is non-empty, then it ends with \(S\), (ii) \(I\) appears in the routing path, and (iii) the first time it appears in the path is at the recipient \(P_d\). \(\mathcal {A}\) sends to \(\mathcal {C}\) the parameters for the challenge onion: \(\ell \), m, \(P^{\rightarrow }\), the public keys \(\mathsf {pk}(P^{\rightarrow })\) of the parties in \(P^{\rightarrow }\), \(P^{\leftarrow }\), and the public keys \(\mathsf {pk}(P^{\leftarrow })\) of the parties in \(P^{\leftarrow }\).

2. 5.

   \(\mathcal {C}\) samples a bit .    If \(b = 0\), \(\mathcal {C}\) runs \(\mathsf {FormOnion}\) on the parameters specified by \(\mathcal {A}\), i.e., \( ((O_1^0, \dots , O_d^0), H^\leftarrow , \kappa ) \leftarrow \mathsf {FormOnion}(\ell , m, P^{\rightarrow }, \mathsf {pk}(P^{\rightarrow }), P^{\leftarrow }, \mathsf {pk}(P^{\leftarrow })) . \) In this case, the oracles—\(\mathcal {O}.\mathsf {PO}_{\mathsf {I}}(\cdot )\), \(\mathcal {O}.\mathsf {FR}_{\mathsf {I}}(\cdot , \cdot )\), \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}(\cdot )\), and \(\mathcal {O}.\mathsf {FR}_{\mathsf {S}}(\cdot , \cdot )\)—remain unmodified.     Otherwise, if \(b = 1\), \(\mathcal {C}\) performs the “switch” at honest recipient \(P_d\). \(\mathcal {C}\) runs \(\mathsf {FormOnion}\) on input a random label , a random message , the forward path \(P^{\rightarrow }\), and the empty return path “()”, i.e., \( ((O_1^1, \dots , O_d^1), (), \kappa ) \leftarrow \mathsf {FormOnion}(x, y, P^{\rightarrow }, \mathsf {pk}(P^{\rightarrow }), (), ()) . \)     We modify the oracles as follows. \(\mathcal {O}.\mathsf {FR}_{\mathsf {I}}\) does the following to “form a reply” using message \(m'\) and onion \(O=O_d^1\): \(\mathcal {O}.\mathsf {FR}_{\mathsf {I}}\) runs \(\mathsf {FormOnion}\) on a random label \(x'\), a random message \(y'\), the return path \(P^{\leftarrow }\) as the forward path, and the empty return path “()”, i.e., \( ((O_{j+1}^{m'}, \dots , O_s^{m'}), (), \kappa ^{m'}) \leftarrow \mathsf {FormOnion}(x', y', P^{\leftarrow }, \mathsf {pk}(P^{\leftarrow }), (), ()), \) stores the pair \((O_s^{m'}, m')\) (such that the pair is accessible by \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}\)), and returns \((O_{j+1}^{m'}, P_{j+1})\). \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}\) does the following to “process” an onion O:

   1. i.

      If \(O = O'\) for some stored pair \((O', m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) = (\mathsf {R}, m')\), then return \((\mathsf {S}, (\ell , m'))\).

   2. ii.

      If \(O = O'\) for some stored pair \((O', m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) \not = (\mathsf {R}, m')\), then fail.

   3. iii.

      If \(O \not = O'\) for any stored pair \((O', m')\) but \(O = (H', C)\) for some stored pair \(((H', C'), m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) = (\mathsf {R}, \bot )\), then return \((\mathsf {S}, \bot )\).

   4. iv.

      If \(O \not = O'\) for any stored pair \((O', m')\) but \(O = (H', C)\) for some stored pair \(((H', C'), m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) \not = (\mathsf {R}, \bot )\), then fail.

   All other queries are processed as before.

Variant (c). Below, we provide a description of steps 4 and 5 of the repliable-onion security game, \(\mathsf {ROSecurityGame}\), in Sect. 4 for case (c).

1. 4.

   \(\mathcal {A}\) chooses a label \(\ell \in \mathcal {L}(1^\lambda )\) and a message \(m \in \mathcal {M}(1^\lambda )\). \(\mathcal {A}\) also chooses a forward path \(P^{\rightarrow }= (P_1, \dots , P_d)\) and a return path \(P^{\leftarrow }= (P_{d+1}, \dots , P_s)\) such that (i) if \(P^{\leftarrow }\) is non-empty, then it ends with \(S\), (ii) \(I\) doesn’t appear on the \(P^{\rightarrow }\), and (iii) \(I\) appears somewhere on \(P^{\leftarrow }\). \(\mathcal {A}\) sends to \(\mathcal {C}\) the parameters for the challenge onion: \(\ell \), m, \(P^{\rightarrow }\), the public keys \(\mathsf {pk}(P^{\rightarrow })\) of the parties in \(P^{\rightarrow }\), \(P^{\leftarrow }\), and the public keys \(\mathsf {pk}(P^{\leftarrow })\) of the parties in \(P^{\leftarrow }\).

2. 5.

   \(\mathcal {C}\) samples a bit .    If \(b = 0\), \(\mathcal {C}\) runs \(\mathsf {FormOnion}\) on the parameters specified by \(\mathcal {A}\), i.e., \( ((O_1^0, \dots , O_d^0), H^\leftarrow , \kappa ) \leftarrow \mathsf {FormOnion}(\ell , m, P^{\rightarrow }, \mathsf {pk}(P^{\rightarrow }), P^{\leftarrow }, \mathsf {pk}(P^{\leftarrow })) . \) In this case, the oracles—\(\mathcal {O}.\mathsf {PO}_{\mathsf {I}}(\cdot )\), \(\mathcal {O}.\mathsf {FR}_{\mathsf {I}}(\cdot , \cdot )\), \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}(\cdot )\), and \(\mathcal {O}.\mathsf {FR}_{\mathsf {S}}(\cdot , \cdot )\)—remain unmodified.     Otherwise, if \(b = 1\), \(\mathcal {C}\) performs the “switch” at honest party \(P_j\) on the return path \(P^{\leftarrow }\), where \(P_j\) is the first appearance of \(I\) on the routing path. \(\mathcal {C}\) runs \(\mathsf {FormOnion}\) on input a random label , the message m (that had been chosen by \(\mathcal {A}\) in step 4), the forward path \(P^{\rightarrow }\), and the “truncated” return path \(p^\leftarrow = (P_{d+1}, \dots , P_j)\), i.e., \( (O^\rightarrow , (H_{d+1}^1, \dots , H_j^1), \kappa ) \leftarrow \mathsf {FormOnion}(x, m, P^{\rightarrow }, \mathsf {pk}(P^{\rightarrow }), p^\leftarrow , \mathsf {pk}(p^\leftarrow )) . \)     We modify the oracles as follows. \(\mathcal {O}.\mathsf {PO}_{\mathsf {I}}\) does the following to “process” an onion O:

   1. i.

      If \(O = (H_j^1, C)\) for some content C and \(\mathsf {ProcOnion}(O, P_j, \mathsf {sk}(P_j)) = (\mathsf {R}, m')\) for some message \(m'\) (possibly equal to “\(\bot \)”), then runs \(\mathsf {FormOnion}\) on a random label \(x'\), a random message \(y'\), the remainder the return path \(q^\leftarrow = (P_{j+1}, \dots , P_s)\) as the forward path, and the empty return path “()”, i.e., \( ((O_{j+1}^{m'}, \dots , O_s^{m'}), (), \kappa ^{m'}) \leftarrow \mathsf {FormOnion}(x', y', q^\leftarrow , \mathsf {pk}(q^\leftarrow ), (), ()), \) stores the pair \((O_s^{m'}, m')\) (such that the pair is accessible by \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}\)), and returns \((O_{j+1}^{m'}, P_{j+1})\).

   2. ii.

      If \(O = (H_j^1, C)\) for some content C and \(\mathsf {ProcOnion}(O, P_j, \mathsf {sk}(P_j)) \not = (\mathsf {R}, m')\) for some message \(m'\), then fails.

   \(\mathcal {O}.\mathsf {PO}_{\mathsf {S}}\) does the following to “process” an onion O:

   1. iii.

      If \(O = O'\) for some stored pair \((O', m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) = (\mathsf {R}, m')\), then return \((\mathsf {S}, (\ell , m'))\).

   2. iv.

      If \(O = O'\) for some stored pair \((O', m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) \not = (\mathsf {R}, m')\), then fail.

   3. v.

      If \(O \not = O'\) for any stored pair \((O', m')\) but \(O = (H', C)\) for some stored pair \(((H', C'), m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) = (\mathsf {R}, \bot )\), then return \((\mathsf {S}, \bot )\).

   4. vi.

      If \(O \not = O'\) for any stored pair \((O', m')\) but \(O = (H', C)\) for some stored pair \(((H', C'), m')\) and \(\mathsf {ProcOnion}(O, P_s, \mathsf {sk}(P_s)) \not = (\mathsf {R}, \bot )\), then fail.

   All other queries are processed as before.