1 A Model of Onion Routing with Provable Anonymity
Aaron Johnson, with Joan Feigenbaum and Paul Syverson. Financial Cryptography ’07, 2/12/07

2 Overview
Formally model onion routing using input/output automata. Characterize the situations that provide anonymity.

3 Anonymous Communication
Mix networks (1981), dining cryptographers (1988), onion routing (1999), anonymous buses (2002).

5 Onion Routing
Practical design with low latency and overhead. Open-source implementation: over 800 volunteer routers and an estimated 200,000 users.

6 Anonymous Communication
Deployed vs. analyzed: mix networks, dining cryptographers, onion routing, anonymous buses.

7 Related work
A Formal Treatment of Onion Routing. Jan Camenisch and Anna Lysyanskaya. CRYPTO 2005.
A formalization of anonymity and onion routing. S. Mauw, J. Verschuren, and E.P. de Vink. ESORICS 2004.
I/O Automaton Models and Proofs for Shared-Key Communication Systems. Nancy Lynch. CSFW 1999.

8 Overview
Formally model onion routing using input/output automata: a simplified onion-routing protocol, analyzed non-cryptographically.
Characterize the situations that provide anonymity: sending a message, receiving a message, communicating with a destination. The notion used is possibilistic anonymity.

11 How Onion Routing Works
User u runs a client; routers 1–5 run servers; d is an Internet destination.
u creates a 3-hop circuit through routers 1, 4 and 3.
u opens a stream in the circuit to d.
Data is exchanged. u sends {{{m}3}4}1 to router 1; each router removes its own layer and forwards the rest: router 1 sends {{m}3}4 to router 4, router 4 sends {m}3 to router 3, and router 3 delivers m to d. The reply m’ travels back the same way, gaining a layer at each hop: {m’}3 from router 3, {{m’}3}4 from router 4, {{{m’}3}4}1 from router 1, which u unwraps.
The stream is closed. The circuit is changed every few minutes.

26 How Onion Routing Works
Main theorem: the adversary can only determine the parts of a circuit it controls or is next to.

30 Anonymous Communication
Sender anonymity: the adversary can’t determine the sender of a given message.
Receiver anonymity: the adversary can’t determine the receiver of a given message.
Unlinkability: the adversary can’t determine who talks to whom.

31 Adversaries
Passive & global vs. active & local.

35 Model
Constructed with I/O automata: models asynchrony; relies on abstract properties of the cryptosystem.
Simplified onion-routing protocol: no key distribution, no circuit teardowns, no separate destinations, no streams, no stream cipher. Each user constructs a circuit to one destination. Circuit identifiers are used.

36 Automata Protocol
Automata u, v, w and the messages exchanged between them (figure).

46 Creating a Circuit
Messages have the form [circuit identifier, payload]; {x}i is x encrypted under the key u shares with router i.
CREATE/CREATED:
u → 1: [0, {CREATE}1]
1 → u: [0, CREATED]
EXTEND/EXTENDED:
u → 1: [0, {[EXTEND, 2, {CREATE}2]}1]
1 → 2: [l1, {CREATE}2]   (router 1 chooses a fresh circuit identifier l1 for its link to router 2)
2 → 1: [l1, CREATED]
1 → u: [0, {EXTENDED}1]
Repeat with one more layer of encryption:
u → 1: [0, {{[EXTEND, 3, {CREATE}3]}2}1]
1 → 2: [l1, {[EXTEND, 3, {CREATE}3]}2]
2 → 3: [l2, {CREATE}3]
3 → 2: [l2, CREATED]
2 → 1: [l1, {EXTENDED}2]
1 → u: [0, {{EXTENDED}2}1]
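The circuit construction and the data exchange described above, run as a symbolic simulation. This is an added example and not code from the slides or the paper. It models encryption abstractly, as the talk's non-cryptographic analysis does (a ciphertext opens only for a holder of its key), and assumes that keys k1..k3 are pre-shared between u and routers r1..r3 (no key distribution), that the last router is the destination (no separate destinations), and that each router allocates a fresh circuit identifier per link. All names (Network, Router, User, peel, seen_by, demo) are this example's own.

```python
# Added example, not from the slides or the paper: symbolic (Dolev-Yao style)
# simulation of the simplified protocol. Assumed: keys pre-shared (no key
# distribution), the exit router is the destination, fresh circuit ids per link.
from dataclasses import dataclass


@dataclass(frozen=True)
class Enc:
    """{body}_key: symbolic ciphertext that opens only with the matching key."""
    key: str
    body: object


def peel(msg, key):
    """Strip one layer if it is under `key`; None if it cannot be opened."""
    return msg.body if isinstance(msg, Enc) and msg.key == key else None


class Network:
    """Reliable links with synchronous delivery: send() returns once every
    message sent in response has been handled. trace: (src, dst, cid, payload)."""
    def __init__(self, *nodes):
        self.nodes, self.trace = {n.name: n for n in nodes}, []
    def send(self, src, dst, cid, payload):
        self.trace.append((src, dst, cid, payload))
        self.nodes[dst].receive(self, src, cid, payload)


class Router:
    def __init__(self, name, key):
        self.name, self.key, self.counter, self.delivered = name, key, 0, []
        self.back = {}   # (prev hop, cid) -> (next hop, next cid); None at the exit
        self.fwd = {}    # (next hop, next cid) -> (prev hop, cid)
    def receive(self, net, src, cid, payload):
        if (src, cid) in self.fwd:                    # backward: add our layer
            prev, pcid = self.fwd[(src, cid)]
            body = "EXTENDED" if payload == "CREATED" else payload
            net.send(self.name, prev, pcid, Enc(self.key, body))
            return
        inner = peel(payload, self.key)               # forward: strip our layer
        if inner is None:
            return                                    # not under our key: drop
        if inner == "CREATE":
            self.back[(src, cid)] = None
            net.send(self.name, src, cid, "CREATED")
        elif isinstance(inner, tuple) and inner[0] == "EXTEND":
            _, nxt, create = inner
            self.counter += 1
            ncid = f"{self.name}#{self.counter}"      # fresh id for the next link
            self.back[(src, cid)], self.fwd[(nxt, ncid)] = (nxt, ncid), (src, cid)
            net.send(self.name, nxt, ncid, create)
        elif (src, cid) not in self.back:
            return                                    # unknown circuit: drop
        elif self.back[(src, cid)] is not None:       # middle hop: relay onward
            net.send(self.name, *self.back[(src, cid)], inner)
        else:                                         # exit = destination: answer m'
            self.delivered.append(inner)
            net.send(self.name, src, cid, Enc(self.key, "m'"))


class User:
    def __init__(self, name, keys):
        self.name, self.keys = name, keys             # keys[r]: key shared with r
        self.circuit, self.inbox, self.cid = [], [], 0
    def receive(self, net, src, cid, payload):
        for r in self.circuit:                        # one layer per established hop
            payload = peel(payload, self.keys[r])
            if payload is None:
                raise ValueError("reply is not layered as expected")
        self.inbox.append(payload)
    def wrap(self, body):
        """Onion-wrap for the current circuit, first router's layer outermost."""
        for r in reversed(self.circuit):
            body = Enc(self.keys[r], body)
        return body
    def build_circuit(self, net, routers):
        first = routers[0]
        net.send(self.name, first, self.cid, Enc(self.keys[first], "CREATE"))
        assert self.inbox.pop() == "CREATED"
        self.circuit.append(first)
        for r in routers[1:]:
            extend = ("EXTEND", r, Enc(self.keys[r], "CREATE"))
            net.send(self.name, first, self.cid, self.wrap(extend))
            assert self.inbox.pop() == "EXTENDED"
            self.circuit.append(r)
    def exchange(self, net, m):
        net.send(self.name, self.circuit[0], self.cid, self.wrap(m))
        return self.inbox.pop()


def seen_by(net, compromised):
    """Nodes on links touching a compromised node: all it can place on a circuit."""
    return {n for s, d, _, _ in net.trace if s in compromised or d in compromised
            for n in (s, d)}


def demo():
    u = User("u", {"r1": "k1", "r2": "k2", "r3": "k3"})   # constructed sample keys
    net = Network(u, Router("r1", "k1"), Router("r2", "k2"), Router("r3", "k3"))
    u.build_circuit(net, ["r1", "r2", "r3"])
    return net, u, u.exchange(net, "m")
```

demo() returns the full message trace, the user and the reply m’; printing net.trace reproduces the CREATE/EXTEND sequence of the slides followed by the layered data exchange. seen_by(net, {"r2"}) shows what a compromised middle router alone can place on the circuit: its two neighbours r1 and r3, never u, which is the main theorem in miniature.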

60 Input/Output Automata
States and actions (input, output, internal); actions transition between states.
Every state has enabled actions; input actions are always enabled.
An alternating state/action sequence is an execution.
In fair executions, actions that are enabled infinitely often occur infinitely often.
In cryptographic executions, no encrypted control messages are sent before they are received unless the sender possesses the key.

61 I/O Automata Model
Automata: users and servers in a fully-connected network of FIFO channels. The adversary replaces some servers with arbitrary automata.
Notation: U is the set of users; R is the set of routers; N = U ∪ R is the set of all agents; A ⊆ N is the adversary; K is the keyspace; l is the (fixed) circuit length; k(u,c,i) denotes the ith key used by user u on circuit c.

62 User automaton
(automaton definition shown as a figure)

69 Server automaton
(automaton definition shown as a figure)

77 Anonymity
Definition (configuration): A configuration is a function U → R^l mapping each user to his circuit.
Definition (indistinguishability): Executions α and β are indistinguishable to adversary A when his actions in α are the same as in β after possibly applying the following: a permutation on the keys not held by A; a permutation on the messages encrypted by a key not held by A.

79 Anonymity
Definition (anonymity): User u performs action a anonymously in configuration C with respect to adversary A if, for every execution of C in which u performs a, there exists an execution that is indistinguishable to A in which u does not perform a.
Definition (unlinkability): User u is unlinkable to d in configuration C with respect to adversary A if, for every fair, cryptographic execution of C in which u talks to d, there exists a fair, cryptographic execution that is indistinguishable to A in which u does not talk to d.

81 Theorem
Theorem: Let C and D be configurations for which there exists a permutation π: U → U such that C_i(u) = D_i(π(u)) if C_i(u) or D_i(π(u)) is compromised or is adjacent to a compromised router. Then for every fair, cryptographic execution α of C there exists an indistinguishable fair, cryptographic execution β of D. The converse also holds.
Illustration (figure): configurations C and D over users u, v and routers 1–5.

86 Lemma
Lemma: Let u, v be two distinct users such that neither they nor the first routers in their circuits are compromised in configuration C. Let D be identical to C except that the circuits of users u and v are switched. For any fair, cryptographic execution α of C there exists a fair, cryptographic execution β of D that is indistinguishable to A.
Proof: To construct β:
1. Replace any message sent or received between u (v) and C_1(u) (C_1(v)) in α with a message sent or received between v (u) and C_1(u) (C_1(v)).
2. Let the permutation π send u to v and v to u and every other user to itself. Apply π to the encryption keys.
β is an execution of D: only actions by u, v, C_1(u) and C_1(v) have been altered, and they are modified so that they remain valid.
β is fair: no new actions have been added; router enabling is invariant under user permutations; users only communicate with their first router.
β is cryptographic: the key permutation is applied to the entire sequence, and the original sequence was cryptographic.
β is indistinguishable: the permutation needed to make β look like α to A is just the inverse of the key permutation used to create β.

94 Unlinkability
Corollary: A user is unlinkable to its destination when:
the last router is unknown (e.g. u → 3 → 2 → ?, where the adversary cannot tell whether the last router is 4 or 5); OR
the user is unknown and another unknown user has an unknown destination; OR
the user is unknown and another unknown user has a different destination.
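The theorem's condition and the unlinkability corollary above, checked by exhaustive search over small configurations. This is an added example, not from the slides or the paper. It assumes that the user occupies position 0 of its own path (so a compromised first router exposes the user, which is how the adjacency condition is read here), that only routers are compromised, and that a user's destination is its last router, as in the simplified model with no separate destinations. ROUTERS, L and the five configurations in cases() are constructed instances; all names are this example's own.

```python
# Added example, not from the slides or the paper: brute-force check of the
# theorem's condition and of possibilistic unlinkability in the simplified model.
# Assumed: the user is position 0 of its own path, only routers are compromised,
# the destination is the last router. Names and instances are this example's.
from itertools import permutations, product


def path(config, u):
    """Position 0 is the user itself, positions 1..l the routers of its circuit."""
    return (u,) + tuple(config[u])


def seen(config, u, i, adv):
    """Position i of u's path is visible to the adversary if the node there, or a
    neighbour of it on the path, is compromised."""
    p = path(config, u)
    return (p[i] in adv or (i > 0 and p[i - 1] in adv)
            or (i + 1 < len(p) and p[i + 1] in adv))


def matches(c, d, pi, adv):
    """Theorem condition: C_i(u) = D_i(pi(u)) wherever either side is visible."""
    for u in c:
        pc, pd = path(c, u), path(d, pi[u])
        for i in range(len(pc)):
            if (seen(c, u, i, adv) or seen(d, pi[u], i, adv)) and pc[i] != pd[i]:
                return False
    return True


def indistinguishable(c, d, adv):
    """Some relabelling pi of the users makes C and D look alike to the adversary."""
    users = list(c)
    return any(matches(c, d, dict(zip(users, perm)), adv)
               for perm in permutations(users))


def unlinkable(c, u, adv, routers, length):
    """Return a configuration D indistinguishable from C in which u's last router
    (its destination) differs, or None if no such D exists (u is linkable)."""
    users, dest = list(c), c[u][-1]
    circuits = list(product(routers, repeat=length))
    for choice in product(circuits, repeat=len(users)):
        d = dict(zip(users, choice))
        if d[u][-1] != dest and indistinguishable(c, d, adv):
            return d
    return None


ROUTERS, L = (1, 2, 3, 4, 5), 3      # constructed instance: five routers, 3-hop circuits


def cases():
    """The corollary's three unlinkable cases and two linkable counterparts."""
    run = lambda c, adv: unlinkable(c, "u", adv, ROUTERS, L)
    return {
        # last router unknown: entry 3 is compromised, so 2 is seen but 4 is not
        "last_unknown": run({"u": (3, 2, 4), "v": (5, 1, 5)}, {3}),
        # user unknown (entry 2 honest); v never touches router 1, so its
        # destination is unknown and the two circuits can be swapped
        "other_dest_unknown": run({"u": (2, 1, 4), "v": (5, 3, 5)}, {1}),
        # user unknown; v is fully observed but ends at 3, so u might be v
        "other_dest_differs": run({"u": (2, 1, 4), "v": (5, 1, 3)}, {1}),
        # entry and exit compromised: the whole path, and the user, are pinned
        "entry_and_exit": run({"u": (2, 1, 4), "v": (5, 3, 5)}, {2, 4}),
        # both observed users end at 4, so every indistinguishable D keeps u at 4
        "same_dest": run({"u": (2, 1, 4), "v": (5, 1, 4)}, {1}),
    }
```

Each returned D is a witness in the sense of the definition: an indistinguishable configuration in which u talks to a different last router. The two None results show the other direction: when the adversary holds both ends of u's circuit, or when the only other unobserved user has the same destination, no relabelling of users satisfies the theorem's condition, so the corollary's "OR" list is exhausted and u is linkable.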

98 Model Robustness
The result still holds with only a single layer of encryption. Circuit identifiers can be removed. Stream ciphers can be included. Users may be allowed to create multiple circuits.

99 Future Work
Construct better models of time. Exhibit a cryptosystem with the desired properties. Incorporate probabilistic behavior by users.

