a model of onion routing with provable anonymity financial cryptography 07 2/12/07 aaron johnson...

A Model of Onion Routing with Provable Anonymity

Financial Cryptography ’072/12/07

Aaron Johnson

with

Joan Feigenbaum

Paul Syverson

0

Overview

• Formally model onion routing using input/output automata

• Characterize the situations that provide anonymity

1

Anonymous Communication

• Mix Networks (1981)

• Dining cryptographers (1988)

• Onion routing (1999)

• Anonymous buses (2002)

2

Onion Routing

• Practical design with low latency and overhead

•

• Open source implementation (http://tor.eff.org)

• Over 800 volunteer routers

• Estimated 200,000 users

3


Mix Networks

Dining cryptographers

Onion routing

Anonymous buses

Deployed Analyzed

4

Related work• A Formal Treatment of Onion Routing

Jan Camenisch and Anna LysyanskayaCRYPTO 2005

• A formalization of anonymity and onion routingS. Mauw, J. Verschuren, and E.P. de VinkESORICS 2004

• I/O Automaton Models and Proofs for Shared-Key Communication SystemsNancy LynchCSFW 1999

5

Overview

• Formally model onion routing using input/output automata


6

Overview

• Formally model onion routing using input/output automata– Simplified onion-routing protocol– Non-cryptographic analysis


6

Overview

• Formally model onion routing using input/output automata– Simplified onion-routing protocol– Non-cryptographic analysis

• Characterize the situations that provide anonymity– Send a message, receive a message,

communicate with a destination– Possibilistic anonymity

6

How Onion Routing Works

User u running client Internet destination d

Routers running servers

u d

1 2

3

45

7


u d

1. u creates 3-hop circuit through routers

1 2

3

45

7


u d


2. u opens a stream in the circuit to d

1 2

3

45

7


u d



3. Data is exchanged

{{{m}3}4}1 1 2

3

45

7


u d




{{m}3}4

1 2

3

45

7


u d




{m}3

1 2

3

45

7


u d




m

1 2

3

45

7


u d




m’

1 2

3

45

7


u d




{m’}3

1 2

3

45

7


u d




{{m’}3}4

1 2

3

45

7


u d




{{{m’}3}4}11 2

3

45

7


u d



3. Data is exchanged.

4. Stream is closed.

1 2

3

45

7


u



3. Data is exchanged.

4. Stream is closed.

5. Circuit is changed every few minutes.

1 2

3

45

d

7


u

1 2

3

45

d

8


u

1 2

3

45

d

Main theorem: Adversary can only determine parts of a circuit it controls or is next to.

8


u

1 2

3

45

d

Main theorem: Adversary can only determine parts of a circuit it controls or is next to.

u 1 2

8


• Sender anonymity: Adversary can’t determine the sender of a given message

• Receiver anonymity: Adversary can’t determine the receiver of a given message

• Unlinkability: Adversary can’t determine who talks to whom

9

Adversaries

• Passive & Global

• Active & Local

10

Model• Constructed with I/O automata

– Models asynchrony– Relies on abstract properties of cryptosystem

• Simplified onion-routing protocol– No key distribution– No circuit teardowns– No separate destinations– No streams– No stream cipher– Each user constructs a circuit to one destination– Circuit identifiers

11

Automata Protocol

u

v

w

12

Creating a Circuit

u 1 2 3

13

Creating a Circuit

[0,{CREATE}1]

1. CREATE/CREATED

u 1 2 3

13

Creating a Circuit

[0,CREATED]

1. CREATE/CREATED

u 1 2 3

13

Creating a Circuit

1. CREATE/CREATED

u 1 2 3

13

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[0,{[EXTEND,2,{CREATE}2]}1]

u 1 2 3

14

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[l1,{CREATE}2]

u 1 2 3

14

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[l1,CREATED]u 1 2 3

14

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

[0,{EXTENDED}1]u 1 2 3

14

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED

3. [Repeat with layer of encryption]

[0,{{[EXTEND,3,{CREATE}3]}2}1]

u 1 2 3

15

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


u 1 2 3[l1,{[EXTEND,3,{CREATE}3]}2]

15

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l2,{CREATE}3]

u 1 2 3

15

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l2,CREATED]u 1 2 3

15

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[l1,{EXTENDED}2]u 1 2 3

15

Creating a Circuit

1. CREATE/CREATED

2. EXTEND/EXTENDED


[0,{{EXTENDED}2}1]u 1 2 3

15

Input/Ouput Automata• States• Actions

– Input, ouput, internal

– Actions transition between states

• Every state has enabled actions• Input actions are always enabled• Alternating state/action sequence is an execution• In fair executions actions enabled infinitely often

occur infinitely often• In cryptographic executions no encrypted control

messages are sent before they are received unless the sender possesses the key

16

I/O Automata Model

• Automata– User

– Server

– Fully-connected network of FIFO Channels

– Adversary replaces some servers with arbitrary automata

• Notation– U is the set of users

– R is the set of routers

– N = U R is the set of all agents

– A N is the adversary

– K is the keyspace

– l is the (fixed) circuit length

– k(u,c,i) denotes the ith key used by user u on circuit c

17

User automaton

18

Server automaton

19

AnonymityDefinition (configuration):

A configuration is a function URl mapping each user to his circuit.

20

Anonymity

Definition (indistinguishability):Executions and are indistinguishable to adversary A when his actions in are the same as in after possibly applying the following:

: A permutation on the keys not held by A. : A permutation on the messages encrypted by

a key not held by A.

Definition (configuration):A configuration is a function URl mapping each user to his circuit.

20

AnonymityDefinition (anonymity):

User u performs action anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs , there exists an execution that is indistinguishable to A in which u does not perform .

21

Anonymity

Definition (unlinkability):User u is unlinkable to d in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talk to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.

Definition (anonymity):User u performs action anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs , there exists an execution that is indistinguishable to A in which u does not perform .

21

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable, fair, cryptographic execution of D. The converse also holds.

22

Cu

v

1 2

3

45


22

u

v

1 2

3

45

32

C D


22

u

v

1 2

3

45

32

C Dv

u

2 25

4

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable fair, cryptographic execution of D. The converse also holds.

22

u

v

1 2

3

45

C D

Theorem: Let C and D be configurations for which there exists a permutation : UU such that Ci(u) = Di((u)) if Ci(u) or Di((u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution of C there exists an indistinguishable fair, cryptographic execution of D. The converse also holds.

u

v

1 2

3

45

22

Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except the circuits of users u and v are switched. For any fair, cryptographic execution of C there exists a fair, cryptographic execution of D that is indistinguishable to A.

23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)).


23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys.


23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys. is an execution of D:

is fair:

is cryptographic:

is indistinguishable:


23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys. is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid. is fair:

is cryptographic:



23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys. is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid. is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router. is cryptographic:



23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys. is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid. is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router. is cryptographic: Key permutations are applied to the entire sequence, and the original sequence was cryptographic. is indistinguishable:


23

Proof: To construct : 1. Replace any message sent or received between u (v) and C1(u) (C1(v)) in with a message sent or received between v (u) and C1(u) (C1(v)). 2. Let the permutation send u to v and v to u and other users to themselves. Apply to the encryption keys. is an execution of D: Only actions by u, v, C1(u), and C1(v) have been added. These actions are modified so that they remain valid. is fair: No new actions have been added. Router enabling is invariant under user permutations. Users only communicate with first router. is cryptographic: Key permutations are applied to the entire sequence, and the original sequence was cryptographic. is indistinguishable:The permutation needed to make look like to A is just the reverse of the key permutation used to create .


23

UnlinkabilityCorollary: A user is unlinkable to its destination when:

24

Unlinkability

23u 4?5?

The last router is unknown.

Corollary: A user is unlinkable to its destination when:

24

OR

Unlinkability

23u 4?5?


12 4The user is unknown and another unknown user has an unknown destination.

5 2?5?

4?


24

OR

OR

12 4The user is unknown and another unknown user has a different destination.

5 1 2

Unlinkability

23u 4?5?


12 4The user is unknown and another unknown user has an unknown destination.

5 2?5?

4?


24

Model Robustness

• Only single encryption still works

• Can remove circuit identifiers

• Can include stream ciphers

• May allow users to create multiple circuits

25

Future Work

• Construct better models of time

• Exhibit a cryptosystem with the desired properties

• Incorporate probabilistic behavior by users

26

a model of onion routing with provable anonymity financial cryptography 07 2/12/07 aaron johnson...

Documents

onion routing works

onion routing works

model of onion routing

model onion routing

onion routing practical

circuit teardowns

automata protocol u

volunteer routers