A Model of Onion Routing with Provable Anonymity

A Model of Onion Routing with Provable Anonymity
Financial Cryptography ’07, 2/12/07
Aaron Johnson, with Joan Feigenbaum and Paul Syverson
Overview
• Formally model onion routing using input/output automata
• Characterize the situations that provide anonymity
Anonymous Communication
• Mix Networks (1981)
• Dining cryptographers (1988)
• Onion routing (1999)
• Anonymous buses (2002)
Onion Routing
• Practical design with low latency and overhead
• Open source implementation (http://tor.eff.org)
• Over 800 volunteer routers
• Estimated 200,000 users
Anonymous Communication
(Figure: Mix Networks, Dining cryptographers, Onion routing and Anonymous buses, each classified as Deployed and/or Analyzed.)
Related work
• A Formal Treatment of Onion Routing. Jan Camenisch and Anna Lysyanskaya. CRYPTO 2005
• A formalization of anonymity and onion routing. S. Mauw, J. Verschuren, and E.P. de Vink. ESORICS 2004
• I/O Automaton Models and Proofs for Shared-Key Communication Systems. Nancy Lynch. CSFW 1999
Overview
• Formally model onion routing using input/output automata
  – Simplified onion-routing protocol
  – Non-cryptographic analysis
• Characterize the situations that provide anonymity
  – Send a message, receive a message, communicate with a destination
  – Possibilistic anonymity
How Onion Routing Works
(Figure: user u running a client, routers 1–5 running servers, and Internet destination d. The animation follows u’s circuit through routers 1, 4 and 3: u sends {{{m}3}4}1 to router 1, which forwards {{m}3}4 to router 4, which forwards {m}3 to router 3, which delivers m to d; the reply m’ travels back as {m’}3, then {{m’}3}4, then {{{m’}3}4}1 to u.)
1. u creates 3-hop circuit through routers
2. u opens a stream in the circuit to d
3. Data is exchanged.
4. Stream is closed.
5. Circuit is changed every few minutes.
How Onion Routing Works
(Figure: the same network of user u, routers 1–5 and destination d, with the portion u, 1, 2 highlighted.)
Main theorem: Adversary can only determine parts of a circuit it controls or is next to.
Anonymous Communication
• Sender anonymity: Adversary can’t determine the sender of a given message
• Receiver anonymity: Adversary can’t determine the receiver of a given message
• Unlinkability: Adversary can’t determine who talks to whom
Adversaries
• Passive & Global
• Active & Local
Model
• Constructed with I/O automata
  – Models asynchrony
  – Relies on abstract properties of cryptosystem
• Simplified onion-routing protocol
  – No key distribution
  – No circuit teardowns
  – No separate destinations
  – No streams
  – No stream cipher
  – Each user constructs a circuit to one destination
  – Circuit identifiers
Automata Protocol
(Figure: animated message exchange among the automata u, v and w.)
Creating a Circuit
(Figure: user u and routers 1, 2, 3. Messages are written [circuit id, payload], where {x}r is x encrypted under router r’s key; 0 is the circuit id on the link u–1, l1 on the link 1–2 and l2 on the link 2–3.)
1. CREATE/CREATED
   u → 1: [0,{CREATE}1]
   1 → u: [0,CREATED]
2. EXTEND/EXTENDED
   u → 1: [0,{[EXTEND,2,{CREATE}2]}1]
   1 → 2: [l1,{CREATE}2]
   2 → 1: [l1,CREATED]
   1 → u: [0,{EXTENDED}1]
3. [Repeat with layer of encryption]
   u → 1: [0,{{[EXTEND,3,{CREATE}3]}2}1]
   1 → 2: [l1,{[EXTEND,3,{CREATE}3]}2]
   2 → 3: [l2,{CREATE}3]
   3 → 2: [l2,CREATED]
   2 → 1: [l1,{EXTENDED}2]
   1 → u: [0,{{EXTENDED}2}1]
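The CREATE/EXTEND handshake above, as an added example that is not code from the talk or the paper: encryption is modelled symbolically (a tag carrying the key owner, matching the non-cryptographic analysis), each router allocates its own per-link circuit identifiers, and the user checks every reply before extending. The Router/network structure and the user-side check are my own assumptions about how the slides’ message sequence is produced.

```python
from collections import deque

CREATE, CREATED, EXTEND, EXTENDED = "CREATE", "CREATED", "EXTEND", "EXTENDED"

def enc(k, m):
    """{m}k in the slides' notation, modelled symbolically as a tag with the key owner k."""
    return ("enc", k, m)

def dec(k, c):
    """Strip one layer if it is ours; None when the outer layer belongs to someone else."""
    return c[2] if isinstance(c, tuple) and c[:2] == ("enc", k) else None

def onion(keys, m):
    """Wrap m for the routers in `keys`, outermost first: onion([1, 2], m) = {{m}2}1."""
    for k in reversed(keys):
        m = enc(k, m)
    return m

class Router:
    def __init__(self, name):
        self.name, self.fwd, self.back, self.next_id = name, {}, {}, 0
    def recv(self, net, frm, cid, payload):
        inner = dec(self.name, payload)
        if (frm, cid) in self.back:                 # reply travelling back towards the user
            prev, pcid = self.back[(frm, cid)]      # CREATED from the new hop becomes EXTENDED
            reply = EXTENDED if payload == CREATED else payload
            net.append((self.name, prev, pcid, enc(self.name, reply)))
        elif inner == CREATE:                       # [cid,{CREATE}me] is answered with [cid,CREATED]
            net.append((self.name, frm, cid, CREATED))
        elif isinstance(inner, tuple) and inner[0] == EXTEND:
            _, nxt, create = inner                  # allocate a fresh id l_i for the new link
            self.next_id += 1
            self.fwd[(frm, cid)] = (nxt, self.next_id)
            self.back[(nxt, self.next_id)] = (frm, cid)
            net.append((self.name, nxt, self.next_id, create))
        else:                                       # a deeper layer: peel ours, relay one hop onward
            nxt, ncid = self.fwd[(frm, cid)]
            net.append((self.name, nxt, ncid, inner))

def build_circuit(user, route):
    """Run the handshake over a FIFO network; return the (from, to, circuit id, payload) trace."""
    routers = {r: Router(r) for r in route}
    net, trace, hop = deque([(user, route[0], 0, enc(route[0], CREATE))]), [], 0
    while net:
        frm, to, cid, payload = msg = net.popleft()
        trace.append(msg)
        if to != user:
            routers[to].recv(net, frm, cid, payload)
        else:                                       # user checks the reply, then extends by one hop
            assert (cid, payload) == (0, onion(route[:hop], CREATED if hop == 0 else EXTENDED))
            hop += 1
            if hop < len(route):
                req = (EXTEND, route[hop], enc(route[hop], CREATE))
                net.append((user, route[0], 0, onion(route[:hop], req)))
    return trace
```

The trace returned by `build_circuit("u", [1, 2, 3])` is exactly the twelve messages on the slides, and it is what a passive observer of all links sees: every message to or from u carries circuit id 0, and only router 1 ever sees u as a peer.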
Input/Output Automata
• States
• Actions
  – Input, output, internal
  – Actions transition between states
• Every state has enabled actions
• Input actions are always enabled
• Alternating state/action sequence is an execution
• In fair executions actions enabled infinitely often occur infinitely often
• In cryptographic executions no encrypted control messages are sent before they are received unless the sender possesses the key
I/O Automata Model
• Automata
  – User
  – Server
  – Fully-connected network of FIFO Channels
  – Adversary replaces some servers with arbitrary automata
• Notation
  – U is the set of users
  – R is the set of routers
  – N = U ∪ R is the set of all agents
  – A ⊆ N is the adversary
  – K is the keyspace
  – l is the (fixed) circuit length
  – k(u,c,i) denotes the ith key used by user u on circuit c
User automaton
Server automaton
Anonymity
Definition (configuration):
A configuration is a function U → R^l mapping each user to his circuit.
Definition (indistinguishability):
Two executions are indistinguishable to adversary A when his actions in one are the same as in the other after possibly applying the following:
– a permutation on the keys not held by A;
– a permutation on the messages encrypted by a key not held by A.
Anonymity
Definition (anonymity):
User u performs an action anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs the action, there exists an execution that is indistinguishable to A in which u does not perform it.
Definition (unlinkability):
User u is unlinkable to d in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.
Theorem: Let C and D be configurations for which there exists a permutation π: U → U such that C_i(u) = D_i(π(u)) if C_i(u) or D_i(π(u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable, fair, cryptographic execution of D. The converse also holds.
(Figure: configurations C and D over users u, v and routers 1–5, built up step by step to show the circuits of u and v in C and their images under the permutation in D.)
Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution of C there exists a fair, cryptographic execution of D that is indistinguishable to A.
Proof: To construct the execution of D:
1. Replace any message sent or received between u (v) and C_1(u) (C_1(v)) in the execution of C with a message sent or received between v (u) and C_1(u) (C_1(v)).
2. Let the permutation π send u to v and v to u and other users to themselves. Apply π to the encryption keys.
It is an execution of D: Only actions by u, v, C_1(u), and C_1(v) have been added. These actions are modified so that they remain valid.
It is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router.
It is cryptographic: Key permutations are applied to the entire
It is indistinguishable:
Unlinkability
Corollary: A user is unlinkable to its destination when:
• The last router is unknown.
  (Figure: u → 3 → 2 → 4? or 5?)
OR
• The user is unknown and another unknown user has an unknown destination.
OR
• The user is unknown and another unknown user has a different destination.
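The theorem’s condition and the corollary above, as an added example (my code, not the authors’ model or proofs), in Python. Three modelling assumptions are labelled here and in the comments: position 0 of a circuit is the user itself, so that the user and its first router behave as in the lemma; the destination is the last router, since the model has no separate destinations; and a position is “known” to A when it, or a neighbouring hop, lies in A. The sample users, routers and circuits are constructed.

```python
from itertools import permutations

# Constructed sample universe (not from the slides): routers R = {1, ..., 5}
ROUTERS = frozenset(range(1, 6))

def circuit(conf, user):
    """Circuit of `user` as a tuple with the user itself at position 0 (assumption)."""
    return (user,) + tuple(conf[user])

def known(path, adv, i):
    """Position i is visible to A when it, or a neighbour on the circuit, is
    compromised: the theorem's 'controls or is next to'."""
    lo, hi = max(0, i - 1), min(len(path) - 1, i + 1)
    return any(path[j] in adv for j in range(lo, hi + 1))

def indistinguishable(C, D, adv):
    """Theorem condition: find pi: U -> U with C_i(u) = D_i(pi(u)) at every position
    visible to A in either configuration. Returns pi, or None if no such pi exists."""
    users = tuple(C)
    for image in permutations(users):
        pi = dict(zip(users, image))
        if all(pc[i] == pd[i] or not (known(pc, adv, i) or known(pd, adv, i))
               for u in users
               for pc, pd in [(circuit(C, u), circuit(D, pi[u]))]
               for i in range(len(pc))):
            return pi
    return None

def unlinkable(C, adv, u, routers=ROUTERS):
    """Corollary search: a configuration indistinguishable from C in which u's last
    router (its destination: the model has no separate destinations) is not
    d = C_l(u). Returns that witness configuration, or None if A can link u to d."""
    d = C[u][-1]
    spare = next((r for r in sorted(routers - adv) if r != d), None)
    for v in C:                                  # v == u corresponds to pi = identity
        D = dict(C)
        D[u], D[v] = C[v], C[u]                  # swap the two users' circuits (lemma)
        witnesses = [D]
        if spare is not None:                    # relabel a last hop A cannot see
            E = dict(D)
            E[u] = D[u][:-1] + (spare,)
            witnesses.append(E)
        for X in witnesses:
            if X[u][-1] != d and indistinguishable(C, X, adv) is not None:
                return X
    return None
```

With circuits u: 3→2→4, v: 1→5→4, w: 2→1→4, compromising router 3 leaves u’s last hop unknown (first case of the corollary), compromising router 2 lets u trade places with the wholly unobserved v (second case), and compromising routers 2 and 5 pins u to destination 4, so `unlinkable` returns None.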
Model Robustness
• Only single encryption still works
• Can remove circuit identifiers
• Can include stream ciphers
• May allow users to create multiple circuits
Future Work
• Construct better models of time
• Exhibit a cryptosystem with the desired properties
• Incorporate probabilistic behavior by users