Onion Routing with Replies

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13091)

Abstract

Onion routing (OR) protocols are a crucial tool for providing anonymous internet communication. An OR protocol enables a user to anonymously send requests to a server. A fundamental problem of OR protocols is how to deal with replies: ideally, we would want the server to be able to send a reply back to the anonymous user without knowing or disclosing the user’s identity.

Existing OR protocols do allow for such replies, but do not provably protect the payload (i.e., message) of replies against manipulation. Kuhn et al. (IEEE S&P 2020) show that such manipulations can in fact be leveraged to break anonymity of the whole protocol.

In this work, we close this gap and provide the first framework and protocols for OR with protected replies. We define security in the sense of an ideal functionality in the universal composability model, and provide corresponding (less complex) game-based security notions for the individual properties.

We also provide two secure instantiations of our framework: one based on updatable encryption, and one based on succinct non-interactive arguments (SNARGs) to authenticate payloads both in requests and replies. In both cases, our central technical handle is an implicit authentication of the transmitted payload data, as opposed to an explicit, but insufficient authentication (with MACs) in previous solutions. Our results exhibit a new and surprising application of updatable encryption outside of long-term data storage.

Notes

  1. This name stems from the fact that in order to get to the message, several layers of encryption have to be “peeled”.

  2. There are also OR protocols that allow the receiver to be unaware of the protocol and provide anonymization as a service. In such a protocol, the last relay recovers both the plaintext and the receiver address. We however focus our work on the model with a protocol-aware receiver.

  3. The one exception is a work by Ando and Lysyanskaya [1]. We discuss their work, and why we believe that their solution is not sufficient, below.

  4. For example, we accept a packet format solution that transforms a modification attack into a dropping attack, e.g. by recognizing the modification and dropping the corresponding onion. As dropping attacks can be solved with additional measures, this does not weaken the protocol.

  5. Although being a variant of symmetric encryption, UE schemes typically make use of public-key techniques to achieve updatability through malleability.

  6. Note that our scope is a secure message format. Traffic analysis protection, e.g. recognizing duplicated onions, has to happen in addition to our message format, but assuming that such a protection is in place allows for simplified proofs even for the message format.

  7. Practically, this assumption is often ensured by storing the seen headers in an efficient way, e.g. Bloom filters, until a router’s key pair is changed or the current epoch expires if the protocol works in time epochs. The change of key pairs can be expressed in our framework by replacing a router identity by a fresh one (“Bob2020” becomes “Bob2025”).

  8. Note that our adversary model trusts the sender; hence this assumption is merely a restriction on how the protocol works, and the sender does not need to prove a correct choice to anyone.

  9. During normal operation only \(i=1\) is used. The possibility to form onion layers for \(i>1\) (without using \(\text {ProcOnion}\)) is needed for our security definitions and proofs.

  10. We define \(\mathrm {RecognizeOnion}\) and the duplicate detection on the header as this is common practice.

  11. We assume that a token \(\varDelta _e\) also enables downgrades of ciphertexts from epoch \(e+1\) to epoch \(e\).

  12. We use the parameter \(m\) of \(\text {FormOnion}\) for the reply message if \(i>n+1\), as the forward message is not needed to construct the reply.

  13. Those public parameters can be either chosen by a trusted party, agreed upon with an initial multi-party computation, or, if the SNARG and the re-randomizable encryption scheme have dense keys, be derived from a public source of trusted randomness (like, e.g., sunspots).

  14. We describe \(\text {ProcOnion}\) only below, but it will be clear that the header, payload, and partial ring buffer part of the processing can be reversed with the secret key \(SK_{i-1}\) of the processing party. We additionally run \(\text {ProcOnion}_{\text {partial}}\) to re-check MAC values.
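Notes 7 and 10 describe duplicate detection on the onion header with a per-epoch Bloom filter that is discarded when a router's key pair changes. The following is an added illustration of that mechanism, not code from the paper or its authors; the class and method names (EpochBloomFilter, Router, recognize_onion, rotate), the filter parameters, and the sample headers are all constructed assumptions.

```python
import hashlib


class EpochBloomFilter:
    """Seen-header set for one (router identity, epoch) pair (constructed example)."""

    def __init__(self, router_id: str, epoch: int, m_bits: int = 1 << 16, k: int = 4):
        self.router_id, self.epoch, self.m_bits, self.k = router_id, epoch, m_bits, k
        self.bits = bytearray(m_bits // 8)

    def _positions(self, header: bytes):
        # k positions from SHA-256 over a domain separator, the router identity,
        # the epoch and the header, so filters of different routers/epochs never
        # share positions and an attacker cannot aim at a known hash layout.
        for i in range(self.k):
            tag = f"bloom|{self.router_id}|{self.epoch}|{i}|".encode()
            digest = hashlib.sha256(tag + header).digest()
            yield int.from_bytes(digest[:8], "big") % self.m_bits

    def recognize_and_record(self, header: bytes) -> bool:
        """True if header was (probably) seen in this epoch; otherwise record it.

        Bloom filters have no false negatives, so a replayed header is never
        missed; the small false-positive rate only drops a fresh onion, which
        the paper treats as a tolerable dropping attack (note 4).
        """
        positions = list(self._positions(header))
        seen = all(self.bits[p >> 3] & (1 << (p & 7)) for p in positions)
        if not seen:
            for p in positions:
                self.bits[p >> 3] |= 1 << (p & 7)
        return seen


class Router:
    """Relay keeping one seen-header filter per epoch (constructed example)."""

    def __init__(self, router_id: str, epoch: int):
        self.router_id = router_id
        self.filter = EpochBloomFilter(router_id, epoch)

    def recognize_onion(self, header: bytes) -> bool:
        # Duplicate check on the header only, as note 10 states is common practice.
        return self.filter.recognize_and_record(header)

    def rotate(self, new_epoch: int, new_router_id: str = ""):
        # Key change / epoch expiry: note 7 models this as a fresh router identity
        # ("Bob2020" becomes "Bob2025"); the old seen-set is safely discarded
        # because onions built for the old key no longer process under the new one.
        self.router_id = new_router_id or self.router_id
        self.filter = EpochBloomFilter(self.router_id, new_epoch)
```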

References

  1. Ando, M., Lysyanskaya, A.: Cryptographic shallots: a formal treatment of repliable onion encryption. Cryptology ePrint Archive, Report 2020/215 (2020). https://eprint.iacr.org/2020/215.pdf

  2. Backes, M., et al.: Provably secure and practical onion routing. In: Computer Security Foundations Symposium, pp. 369–385 (2012)

  3. Bitansky, N., et al.: From extractable collision resistance to succinct non-interactive arguments of knowledge, and back again. In: ITCS (2012)

  4. Camenisch, J., Lysyanskaya, A.: A formal treatment of onion routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005). https://doi.org/10.1007/11535218_11

  5. Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_33

  6. Catalano, D., et al.: Fully non-interactive onion routing with forward secrecy. Int. J. Inf. Secur. 12(1), 33–47 (2013)

  7. Catalano, D., Fiore, D., Gennaro, R.: A certificateless approach to onion routing. Int. J. Inf. Secur. 16(3), 327–343 (2016). https://doi.org/10.1007/s10207-016-0337-x

  8. Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM (1981)

  9. Chen, C., Asoni, D.E., Barrera, D., Danezis, G., Perrig, A.: HORNET: high-speed onion routing at the network layer. In: ACM CCS (2015)

  10. Chen, C., et al.: TARANET: traffic-analysis resistant anonymity at the NETwork layer. In: IEEE EuroS&P (2018)

  11. Danezis, G., Goldberg, I.: Sphinx: a compact and provably secure mix format. In: IEEE S&P (2009)

  12. Danezis, G., Laurie, B.: Minx: a simple and efficient anonymous packet format. In: WPES (2004)

  13. Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. Technical report, Naval Research Lab Washington DC (2004)

  14. Feigenbaum, J., Johnson, A., Syverson, P.: Probabilistic analysis of onion routing in a black-box model. ACM TISSEC (2012)

  15. Fuchsbauer, G.: Subversion-zero-knowledge SNARKs. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 315–347. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-76578-5_11

  16. Goldschlag, D.M., Reed, M.G., Syverson, P.F.: Hiding routing information. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 137–150. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-61996-8_37

  17. Groth, J., Maller, M.: Snarky signatures: minimal signatures of knowledge from simulation-extractable SNARKs. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10402, pp. 581–612. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_20

  18. Hayden, M.: The price of privacy: re-evaluating the NSA. In: Johns Hopkins Foreign Affairs Symposium, April 2014

  19. Kate, A., Zaverucha, G.M., Goldberg, I.: Pairing-based onion routing with improved forward secrecy. ACM TISSEC 13 (2010)

  20. Klooß, M., Lehmann, A., Rupp, A.: (R)CCA secure updatable encryption with integrity protection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11476, pp. 68–99. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17653-2_3

  21. Kuhn, C., Beck, M., Strufe, T.: Breaking and (partially) fixing provably secure onion routing. In: IEEE S&P (2020)

  22. Kuhn, C., Hofheinz, D., Rupp, A., Strufe, T.: Onion routing with replies. Cryptology ePrint Archive, Report 2021/1178 (2021). https://ia.cr/2021/1178

  23. Mauw, S., Verschuren, J.H.S., de Vink, E.P.: A formalization of anonymity and onion routing. In: Samarati, P., Ryan, P., Gollmann, D., Molva, R. (eds.) ESORICS 2004. LNCS, vol. 3193, pp. 109–124. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30108-0_7

  24. Micali, S.: CS proofs (extended abstracts). In: 35th FOCS, pp. 436–453 (1994)

  25. Piotrowska, A.M., Hayes, J., Elahi, T., Meiser, S., Danezis, G.: The Loopix anonymity system. In: USENIX (2017)

  26. Shimshock, E., Staats, M., Hopper, N.: Breaking and provably fixing minx. In: PETS (2008)

Acknowledgements

This work was supported by funding from the topic Engineering Secure Systems (Subtopic 46.23.01) of the Helmholtz Association (HGF), by the KASTEL Security Research Labs, by the Cluster of Excellence ’Centre for Tactile Internet with Human-in-the-Loop’ (EXC 2050/1, Project ID 390696704), and by the ERC grant 724307.

Author information

Correspondence to Christiane Kuhn, Dennis Hofheinz, Andy Rupp or Thorsten Strufe.

Copyright information

© 2021 International Association for Cryptologic Research

About this paper

Cite this paper

Kuhn, C., Hofheinz, D., Rupp, A., Strufe, T. (2021). Onion Routing with Replies. In: Tibouchi, M., Wang, H. (eds) Advances in Cryptology – ASIACRYPT 2021. Lecture Notes in Computer Science, vol 13091. Springer, Cham. https://doi.org/10.1007/978-3-030-92075-3_20

  • DOI: https://doi.org/10.1007/978-3-030-92075-3_20

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92074-6

  • Online ISBN: 978-3-030-92075-3
