Post-Quantum Forward-Secure Onion Routing [chapter]

Satrajit Ghosh, Aniket Kate
2015 Lecture Notes in Computer Science  
The onion routing (OR) network Tor provides anonymity to its users by routing their encrypted traffic through three proxies (or nodes). The key cryptographic challenge here is to establish symmetric session keys using a secure key exchange between the anonymous user and the selected nodes. The Tor network currently employs a one-way authenticated key exchange (1W-AKE) protocol, ntor, for this purpose. Nevertheless, ntor as well as other known 1W-AKE protocols rely solely on some classical Diffie-Hellman (DH) type assumptions for their (forward) security, and the privacy of today's anonymous communication cannot be ensured once quantum computers arrive. In this paper, we demonstrate the utility of lattice-based cryptography towards solving this problem for onion routing. In particular, we present a novel hybrid 1W-AKE protocol (HybridOR) that is secure under the lattice-based ring learning with errors (ring-LWE) assumption or the gap DH assumption. Due to its hybrid design, HybridOR is not only resilient against quantum attacks but also allows the OR nodes to use their current DH public keys and subsequently requires no modification to the current Tor public key infrastructure. Moreover, thanks to the recent progress in lattice-based cryptography in the form of efficient ring-based constructions, our protocol is also computationally more efficient than the currently employed 1W-AKE protocol ntor, and it only introduces manageable communication overhead to the Tor protocol.

Lattice-based cryptographic constructions have drawn an overwhelming amount of research attention in the last decade [7, 34, 36, 39, 43]. Their strong provable worst-case security guarantee, apparent resistance to quantum attacks, high asymptotic efficiency and flexibility towards realizing powerful primitives (e.g., fully homomorphic encryption [21]) have been the vital reasons behind their popularity. Although powerful primitives such as fully homomorphic encryption are still very far from being ideal for practical use, several recent efforts have demonstrated that the performance of lattice-based constructions for basic encryption and authentication primitives is comparable with (and sometimes even better than) the performance of corresponding primitives in the classical RSA or DLog settings [25, 32, 34]. As a result, some work has started to appear towards developing lattice-based versions of real-world cryptographic protocols [6, 40, 48].
In this work, we explore the utility of plausibly quantum-secure yet highly efficient lattice-based cryptography for anonymous communication networks (ACNs). Over the last three decades, several ACNs have been proposed and a few implemented [11, 12, 16, 23, 41, 44]. Among these, with its more than two million users and six thousand onion routing (OR) proxies spread all across the world, the OR network Tor [16, 47] has turned out to be a huge success. Today, along with anonymous web browsing and service hosting, Tor is also extensively used for censorship-resistant communication [14]. A typical realization of an OR network (such as Tor) consists of an overlay network of proxies (or nodes) that routes its users' traffic to their Internet-based destinations. A user chooses an ordered sequence of OR nodes (i.e., a path) through the OR network using a path selection strategy, and constructs a cryptographic circuit using a public-key infrastructure (PKI) such that every node in the path shares a symmetric session key with the anonymous user. While employing the circuit to send a message anonymously to a destination, the user forms an onion by wrapping the message in multiple layers of symmetric encryption such that, upon receiving the onion, every node can decrypt (or remove) one of the layers and then forward it to the next node in the circuit. From the cryptographic point of view, the key challenge with an OR protocol is to securely agree upon the required session keys so that a user can individually authenticate the nodes in her circuits while maintaining her anonymity (except from the first node). Since its inception, Tor has employed an interactive forward-secret key-exchange protocol called the Tor authentication protocol (TAP) to agree upon those session keys in a telescoping (or multi-pass) construction [16]. Due to its atypical use of CPA-secure RSA encryption, TAP was considered weaker in terms of performance as well as security [22].
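The layered onion construction described above, as an added example that is not code from the paper or from Tor. It assumes a three-hop circuit (guard, middle, exit) whose per-node session keys are constructed stand-ins for the output of a 1W-AKE such as ntor or HybridOR, and it uses a toy HMAC-SHA256 counter-mode cipher with encrypt-then-MAC in place of Tor's real relay-cell encryption. Each node can verify and strip exactly one layer and learns only the next hop, never the inner layers or the final payload.

```python
import hashlib, hmac, os

NONCE_LEN, TAG_LEN, HOP_LEN = 16, 16, 16

# Constructed sample circuit: (node, next hop) from guard to exit; the exit's
# "next hop" is the destination. Keys are placeholders for 1W-AKE session keys.
SAMPLE_ROUTE = [("guard", "middle"), ("middle", "exit"), ("exit", "example.org:443")]
SAMPLE_KEYS = {node: hashlib.sha256(b"demo-key-" + node.encode()).digest()
               for node, _ in SAMPLE_ROUTE}

def keystream(key, nonce, n):
    # Toy counter-mode keystream from HMAC-SHA256; stands in for a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # One encryption layer: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag

def open_layer(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("layer does not verify under this key")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def build_onion(session_keys, route, message):
    # The user wraps the innermost (exit) layer first, then works outward to the guard.
    onion = message
    for node, next_hop in reversed(route):
        onion = seal(session_keys[node], next_hop.encode().ljust(HOP_LEN, b"\0") + onion)
    return onion

def peel(key, onion):
    # A node removes its own layer: it learns the next hop and an opaque inner onion.
    pt = open_layer(key, onion)
    return pt[:HOP_LEN].rstrip(b"\0").decode(), pt[HOP_LEN:]

def can_peel(key, onion):
    # True only if this key authenticates the outermost layer.
    try:
        peel(key, onion)
        return True
    except ValueError:
        return False

def relay(session_keys, route, onion):
    # Simulate the circuit: each node peels one layer in order; return what each saw.
    views, current = [], onion
    for node, _ in route:
        next_hop, current = peel(session_keys[node], current)
        views.append((node, next_hop))
    return views, current
```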
Recently, Goldberg, Stebila and Ustaoglu [24] formalized OR key agreement security by introducing the concept of one-way authenticated key exchange (1W-AKE), and designed a provably secure 1W-AKE protocol called ntor. With its significantly better computation and communication efficiency, ntor has since replaced TAP in the real-world Tor implementation [15]. The security of ntor and other 1W-AKE protocols [3, 10, 27, 28, 29] requires some variant of the Diffie-Hellman (DH) assumption in the classical discrete logarithm (DLog) setting. As the DLog problem and all of its weaker DH variants can be solved in polynomial time (in the security parameter) using quantum computers, the security of these 1W-AKE constructions, and subsequently the confidentiality and anonymity of OR communications, will be broken in the post-quantum world. Importantly, the current 1W-AKE protocols are also not forward-secure against quantum attacks: the confidentiality and anonymity of even today's OR communications can be violated once quantum computers arrive. Although this raises concern regarding the future privacy of today's anonymous communication, making drastic modifications to the current OR infrastructure by replacing the current 1W-AKE construction with a lattice-based construction may be injudicious; e.g., in Tor, this would require completely changing the public key infrastructure (PKI). As a result, it presents an interesting challenge to define a lattice-based 1W-AKE protocol that offers forward security in the post-quantum world without significantly affecting the current cryptographic infrastructure and performance.
DOI: 10.1007/978-3-319-28166-7_13