Untagging Tor: A Formal Treatment of Onion Encryption

Jean Paul Degabriele; Martijn Stam

doi:10.1007/978-3-319-78372-7_9

Untagging Tor: A Formal Treatment of Onion Encryption

Jean Paul Degabriele, Martijn Stam

Cryptography and Information Security

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

6 Citations (Scopus)

Abstract

Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher.

We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261's relay protocol is circuit hiding and thus resistant against tagging attacks.

Original language	English
Title of host publication	Advances in Cryptology - EUROCRYPT 2018
Subtitle of host publication	37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I
Editors	Jesper Buus Nielsen , Vincent Rijmen
Publisher	Springer
Pages	259-293
Number of pages	35
ISBN (Electronic)	9783319783819
ISBN (Print)	9783319783802
DOIs	https://doi.org/10.1007/978-3-319-78372-7_9
Publication status	Published - 2 Jun 2018

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer International Publishing AG Switzerland
Volume	10820
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3394

Keywords

Anonymity
Onion Routing
Secure Channels
Tor
Tagging Attacks

Access to Document

10.1007/978-3-319-78372-7_9

https://eprint.iacr.org/2018/162Licence: CC BY

Handle.net

Persistent link

Embargoed Document

Full-text PDF (accepted author manuscript)
Accepted author manuscript, 516 KB
Licence: Unspecified

Cite this

Degabriele, J. P., & Stam, M. (2018). Untagging Tor: A Formal Treatment of Onion Encryption. In J. Buus Nielsen , & V. Rijmen (Eds.), Advances in Cryptology - EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I (pp. 259-293). (Lecture Notes in Computer Science; Vol. 10820). Springer. https://doi.org/10.1007/978-3-319-78372-7_9

Degabriele, Jean Paul ; Stam, Martijn. / Untagging Tor : A Formal Treatment of Onion Encryption. Advances in Cryptology - EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I. editor / Jesper Buus Nielsen ; Vincent Rijmen . Springer, 2018. pp. 259-293 (Lecture Notes in Computer Science).

@inproceedings{28a635e6754449988ee4cabc2c0730c2,

title = "Untagging Tor: A Formal Treatment of Onion Encryption",

abstract = "Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261's relay protocol is circuit hiding and thus resistant against tagging attacks. ",

keywords = "Anonymity, Onion Routing, Secure Channels, Tor, Tagging Attacks",

author = "Degabriele, \{Jean Paul\} and Martijn Stam",

year = "2018",

month = jun,

day = "2",

doi = "10.1007/978-3-319-78372-7\_9",

language = "English",

isbn = "9783319783802",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "259--293",

editor = "\{Buus Nielsen \}, Jesper and \{Rijmen \}, \{Vincent \}",

booktitle = "Advances in Cryptology - EUROCRYPT 2018",

address = "United States",

}

Degabriele, JP & Stam, M 2018, Untagging Tor: A Formal Treatment of Onion Encryption. in J Buus Nielsen & V Rijmen (eds), Advances in Cryptology - EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I. Lecture Notes in Computer Science, vol. 10820, Springer, pp. 259-293. https://doi.org/10.1007/978-3-319-78372-7_9

Untagging Tor: A Formal Treatment of Onion Encryption. / Degabriele, Jean Paul; Stam, Martijn.
Advances in Cryptology - EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I. ed. / Jesper Buus Nielsen ; Vincent Rijmen . Springer, 2018. p. 259-293 (Lecture Notes in Computer Science; Vol. 10820).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Untagging Tor

T2 - A Formal Treatment of Onion Encryption

AU - Degabriele, Jean Paul

AU - Stam, Martijn

PY - 2018/6/2

Y1 - 2018/6/2

N2 - Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261's relay protocol is circuit hiding and thus resistant against tagging attacks.

AB - Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling, 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher. We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261's relay protocol is circuit hiding and thus resistant against tagging attacks.

KW - Anonymity

KW - Onion Routing

KW - Secure Channels

KW - Tor

KW - Tagging Attacks

U2 - 10.1007/978-3-319-78372-7_9

DO - 10.1007/978-3-319-78372-7_9

M3 - Conference Contribution (Conference Proceeding)

SN - 9783319783802

T3 - Lecture Notes in Computer Science

SP - 259

EP - 293

BT - Advances in Cryptology - EUROCRYPT 2018

A2 - Buus Nielsen , Jesper

A2 - Rijmen , Vincent

PB - Springer

ER -

Degabriele JP, Stam M. Untagging Tor: A Formal Treatment of Onion Encryption. In Buus Nielsen J, Rijmen V, editors, Advances in Cryptology - EUROCRYPT 2018: 37th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tel Aviv, Israel, April 29 - May 3, 2018 Proceedings, Part I. Springer. 2018. p. 259-293. (Lecture Notes in Computer Science). doi: 10.1007/978-3-319-78372-7_9

Untagging Tor: A Formal Treatment of Onion Encryption

Abstract

Publication series

Keywords

Access to Document

Handle.net

Embargoed Document

Fingerprint

Cite this