Breaking and (Partially) Fixing Provably Secure Onion Routing

Abstract: After several years of research on onion routing, Camenisch and Lysyanskaya, in an attempt at rigorous analysis, defined an ideal functionality in the universal composability model, together with properties that protocols have to meet to achieve provable security. A whole family of systems based their security proofs on this work. However, analyzing HORNET and Sphinx, two instances from this family, we show that this proof strategy is broken. We discover a previously unknown vulnerability that breaks anonymity… Show more

“…Further, the adversary in the Trilemma is not strictly weaker than the one for the Dropping-Bound. They indeed are incompatible, as the latter is stronger with 19 Even though the Dropping-Bound argues that dropping is the most important attack vector as a timeout causes delayed messages to be dropped and modified onions cannot be peeled by the next relay, we suspect that timings cannot be handled that easily with timeouts. Even smaller delays that do not cause a timeout might be recognizable by the adversary or otherwise we need to timeout so early that we expect it to threaten availability.…”

“…The cost for unlinking sender and message in the Trilemma is higher than unlinking sender and receiver in the Dropping-Bound although the latter assumes an active adversary. The reasons are that the Trilemma is tailored to this special case and that timing observations are exploited 19 in the Trilemma. Further, the adversary in the Trilemma is not strictly weaker than the one for the Dropping-Bound.…”

“…either this order or this order batch 0 batch 1 Figure 4: Batches in M SM illustrated as in [19] Single Setting For reasons of compatibility with the analyzed papers, we extend [18] by introducing an X 1 for each notion X. It expresses that every sender sends exactly once in each batch for a sender notion (SŌ, (SM )L), each receiver receives exactly once for a receiver notion (RŌ), and each sender and receiver send/receive exactly once in each batch for an impartial notion (CŌ, (SR)L).…”

SoK on Performance Bounds in Anonymous Communication

“…Further, the adversary in the Trilemma is not strictly weaker than the one for the Dropping-Bound. They indeed are incompatible, as the latter is stronger with 19 Even though the Dropping-Bound argues that dropping is the most important attack vector as a timeout causes delayed messages to be dropped and modified onions cannot be peeled by the next relay, we suspect that timings cannot be handled that easily with timeouts. Even smaller delays that do not cause a timeout might be recognizable by the adversary or otherwise we need to timeout so early that we expect it to threaten availability.…”

“…The cost for unlinking sender and message in the Trilemma is higher than unlinking sender and receiver in the Dropping-Bound although the latter assumes an active adversary. The reasons are that the Trilemma is tailored to this special case and that timing observations are exploited 19 in the Trilemma. Further, the adversary in the Trilemma is not strictly weaker than the one for the Dropping-Bound.…”

“…either this order or this order batch 0 batch 1 Figure 4: Batches in M SM illustrated as in [19] Single Setting For reasons of compatibility with the analyzed papers, we extend [18] by introducing an X 1 for each notion X. It expresses that every sender sends exactly once in each batch for a sender notion (SŌ, (SM )L), each receiver receives exactly once for a receiver notion (RŌ), and each sender and receiver send/receive exactly once in each batch for an impartial notion (CŌ, (SR)L).…”

SoK on Performance Bounds in Anonymous Communication

“…It is common in the field to treat the packet format used for OR and mix protocols separately from the protocols' mechanisms: Since the basic operating principles of OR and mixing stay the same between protocols, one packet format can be reused between protocols [3,12]. There is a significant body of work in the field that strives to define and create these packet formats in a provably secure context [1,5,19,20,26]. Many of these works formalize security using both an ideal functionality for the protocols as well as gamebased security properties.…”

“…Authors of OR and mix network schemes use these formalizations to design new packet formats and prove their security [1,9,10,12,19,20], but there are significant hurdles here: The existing formalizations are spread over many works that target different variants of OR, with differing network and adversary models, functionalities, and protections. Identifying the right formalization to base one's work upon is difficult, especially since some of these papers build upon each other and correct mistakes in earlier works even when targeting a new variant [20,26].…”

A Framework for Provably Secure Onion Routing against a Global Adversary

Machine Learning and Deep Learning Models for Privacy Management and Data Analysis in Smart Cites