On the Complexity of Anonymous Communication Through Public Networks
Megumi Ando, Anna Lysyanskaya, Eli Upfal

TL;DR
This paper introduces the first onion routing protocol that guarantees fault-tolerance, efficiency, and anonymity even against active adversaries controlling a fraction of the network, with polylogarithmic complexity.
Contribution
The paper presents a novel onion routing protocol that achieves fault-tolerance, efficiency, and anonymity simultaneously under active adversarial conditions.
Findings
Protocol tolerates polylogarithmic onion drops while maintaining delivery.
Requires polylogarithmic rounds and onions per participant for security.
Introduces new security properties: mixing and equalizing, which imply anonymity.
Megumi Ando (MITRE), Anna Lysyanskaya (Computer Science Department, Brown University), and Eli Upfal (Computer Science Department, Brown University)
Abstract
Onion routing is the most widely used approach to anonymous communication online. The idea is that Alice wraps her message to Bob in layers of encryption to form an “onion,” and routes it through a series of intermediaries. Each intermediary’s job is to decrypt (“peel”) the onion it receives to obtain instructions for where to send it next, and what to send. The intuition is that, by the time it gets to Bob, the onion will have mixed with so many other onions, that its origin will be hard to trace even for an adversary that observes the entire network and controls a fraction of the participants, possibly including Bob.
In spite of its widespread use in practice, until now no onion routing protocol was known that simultaneously achieved, in the presence of an active adversary that observes all network traffic and controls a constant fraction of the participants, (a) fault-tolerance, where even if a few of the onions are dropped, the protocol still delivers the rest; (b) reasonable communication and computational complexity as a function of the security parameter and the number of participants; and (c) anonymity.
In this paper, we give the first onion routing protocol that meets these goals: our protocol (a) tolerates a polylogarithmic (in the security parameter) number of dropped onions and still delivers the rest; (b) requires a polylogarithmic number of rounds and a polylogarithmic number of onions sent per participant per round; and (c) achieves anonymity. We also show that to achieve anonymity in a fault-tolerant fashion via onion routing, this number of onions and rounds is necessary.
Of independent interest, our analysis introduces two new security properties of onion routing — mixing and equalizing — and we show that together they imply anonymity.
Keywords: Anonymity, privacy, onion routing.
1 Introduction
Suppose that Alice wishes to send a message anonymously to Bob. Informally, by anonymously, we mean that no one (not even Bob) can distinguish the scenario in which Alice sends a message to Bob from an alternative scenario in which it is Allison who sends a message to Bob. To begin with, Alice can encrypt the message and send the encrypted message to Bob so that only Bob can read the message. However, an eavesdropper observing the sequence of bits coming out of Alice’s computer and the sequence of bits going into Bob’s computer can still determine that Alice and Bob are communicating with each other if the sequences of bits match. Thus, encryption is not enough.
Onion routing [Cha81] is the most promising approach to anonymous channels to date. In onion routing, messages are sent via intermediaries and wrapped in layers of encryption, resulting in so-called onions; each intermediary’s task is to “peel off” a layer of encryption and send the resulting onion to the next intermediary or its final destination. The onion’s layers are unlinkable to each other, and so its route through the network cannot be traced from merely observing the sequences of bits that Alice transmits and Bob receives. However, even with Alice sending her message to Bob encoded as an onion, her communication can still be tracked by a resourceful eavesdropper with an extensive view of the network traffic (e.g., an ISP-level or an AS-level adversary) who can observe all Internet traffic.
An adversary who can observe all network traffic is called a network adversary. An adversary who, in addition to observing all network traffic, controls a subset of the participants, is called the passive adversary if it follows the prescribed protocol, or active if it does not. The three adversary models — the network adversary, the passive adversary, and the active adversary — are standard for analyzing cryptographic protocols such as multi-party computation (MPC) [GMW87]. The most desirable goal is to achieve security in the presence of the most powerful of these three adversaries, i.e., the active adversary, corrupting as large a fraction of the participants as possible.
It was known how to construct an onion routing protocol that is both efficient and anonymous from the passive adversary who corrupts a constant fraction of the parties; an example of this is the protocol [ALU18]. In , each user forms an onion bearing his message to its recipient; the users’ onions are routed independently and uniformly at random through a network of servers. is anonymous from the passive adversary provided that the onions travel for a superlogarithmic (in the security parameter) number of rounds, and the average number of onions per server per round is also superlogarithmic [ALU18]. However, isn’t anonymous from the active adversary who causes the parties under his control to deviate from the protocol. To see why this is the case, consider the following attack: Suppose that the adversary suspects that Alice is communicating with Bob. Because is active, he can disrupt Alice’s communication by dropping Alice’s outgoing onion in the event that Alice’s first intermediary is corrupt (the probability of this event is identical to the fraction of parties that are under the adversary’s control). If Bob doesn’t receive an onion at the end of the protocol, then can infer that his suspicion was correct: Alice’s interlocutor is Bob!
So what can we do instead? Of course, we could use general-purpose multi-party computation (MPC) [GMW87]. Every party will receive as input a message and its destination, and every party will receive as output the messages that were meant for him/her. In addition to perfect anonymity, this approach provides fault tolerance: in MPC that is secure against the active adversary, the honest parties are guaranteed to receive their output no matter how much the adversary deviates from the protocol. The problem with this approach that relies on general-purpose MPC is that it is too inefficient: the most efficient general MPC protocol still requires that at least some of the participants send and receive bits, where is the number of participants. (See Cramer, Damgård, and Nielsen [CDN15].)
Recently proposed protocols, Stadium [TGL+17] and Atom [KCDF17], are more efficient. However, they are not fault-tolerant: honest parties will abort the protocol run whenever even a single message packet is dropped. Thus, while this approach provides anonymity from the active adversary, it is also extremely fragile: if just one message is dropped (which could be the result of an innocuous fault), the entire network suffers a catastrophic failure. In contrast, we would like to design onion routing protocols that can tolerate faults. Thus, compared to MPC and Stadium-Atom-type protocols, onion routing appears attractive from the efficiency and fault tolerance points of view.
In this paper, we answer these fundamental questions: (1) Can an onion routing protocol be simultaneously anonymous, fault-tolerant, and efficient? (2) What is the communication complexity sufficient for anonymous and fault-tolerant onion routing? (3) What is the communication complexity required for this? We provide a lower bound and match it with a nearly optimal protocol.
1.1 Problem setting
Before describing our results in detail, let us first define our problem setting. Let denote the set of parties participating in an onion routing protocol. We assume that the protocol progresses in global rounds and that an onion sent at round arrives at its destination prior to round . Moreover, the adversary is modelled with rushing, i.e., the adversary receives onions sent in round instantaneously in round . [fn 1] We assume that the number of participants and every other quantity in the protocol is polynomially bounded in the security parameter .
Footnote 1: We do not consider the asynchronous communication model [CR93] in which Alice’s outgoing onions (including her onion to her recipient Bob) can be delayed indefinitely. In such a case, we cannot even guarantee correctness (i.e., message delivery when no party deviates from the protocol).
Setup.
We define an onion routing protocol to be a protocol in which the honest parties form and process only message packets that are cryptographic onions. To do this, the honest parties use a secure onion encryption scheme, which is a triple of algorithms: . See Section 2.1 for more details and Camenisch and Lysyanskaya’s paper [CL05] and follow-up papers [KBS19, AL20] for formal definitions, including security definitions.
During setup of an onion routing protocol, each honest party generates a public-key pair using the onion encryption scheme’s key generation algorithm . Each party publishes his/her public key to a public directory so that everyone knows everyone else’s public keys.
Inputs: the simple input/output setting.
Let be the space of fixed-length messages.
An input to the protocol is a vector of inputs, where is a set of message-recipient pairs for party . For and , the inclusion of a message-recipient pair in input means that party is instructed to send message to recipient .
In this paper, we consider the following “benchmark” input space, dubbed the simple input/output setting (I/O). An input is in the simple I/O setting if there exists a permutation function such that each party is instructed to send a message to party and no other message, i.e., , s.t. . [fn 2]
Footnote 2: Why do we need a benchmark? As the following shows, without appropriately constraining the input space, the onion cost can be arbitrarily high: Suppose that the adversary observes the traffic (i.e., the onions) on all links but does not corrupt any of the parties. The adversary knows that each party will send a fixed-length message to the “central hub” (and no one else) but doesn’t know which party is . A protocol that is anonymous in this setting necessarily incurs a large communication overhead. This is because a party who receives fewer than onions cannot be , and so, all but one party must receive at least dummy onions.
The simple I/O setting is a superset of the spaces considered in prior works [vdHLZZ15, TGL+17, KCDF17, ALU18].
Adversary model.
Unless stated otherwise, the adversary is active and can observe the traffic on all communication channels and, additionally, can non-adaptively corrupt and control a constant fraction of the parties. By non-adaptively, we mean that the corruptions are made independently of any protocol run. [fn 3]
Footnote 3: If we were to allow the adversary to adaptively corrupt parties, then the adversary could easily block all of Alice’s onions. For every onion sent by Alice, the adversary can corrupt the party who receives in time to direct to drop the onion obtained from processing before the next round.
Without loss of generality, this type of corruption is captured by allowing the adversary to select the set of corrupted parties prior to the beginning of the protocol. Once the adversary corrupts a party, the adversary can observe the internal state and computations of the corrupted party and arbitrarily alter the behavior of the party.
Views and outputs.
By , we denote the adversary ’s view from interacting with protocol on input the security parameter and the instructions . The view consists of all the observations that makes during the run: the values and positions of every onion at every round, the states and computations of every corrupted party between every pair of consecutive rounds, the randomness used by , and the numbers of messages received by the honest parties. The view does not include the honest parties’ randomness. denotes ’s view given its choice for the corrupted parties. At the end of the protocol run, each honest party outputs the set of (non-empty) messages from the message space that receives from interacting with adversary in a run of protocol on input . We define the output of protocol in an interaction with adversary on input as the parties’ outputs: [fn 4]
Footnote 4: Technically, the view and the output may depend on other parameters, such as the public parameters (denoted, ) and the parties’ states (denoted, ). Thus, we could be more precise by denoting the view and the output as and , but we will use the simpler notation for better readability.
1.2 Our results
We now describe our results in more detail. Our construction pertains to the problem setting described in Section 1.1. Our lower bound applies more generally to any arbitrary input set (not necessarily constrained to the simple I/O setting).
Anonymity, mixing, and equalizing.
Following prior work [vdHLZZ15, TGL+17, KCDF17, ALU18], we use a natural game-based definition of anonymity: A protocol is anonymous if the adversary cannot distinguish the scenario in which Alice sends a message to Bob while Carol sends one to David, from one in which Alice’s message goes to David while Carol’s goes to Bob. (See Definition 3.) More precisely, for any pair of inputs that agree on the inputs and outputs for the adversarial participants, , where “” denotes computational indistinguishability.
We relate anonymity of an onion routing protocol to two new concepts: An onion routing protocol mixes if it sufficiently shuffles the honest users’ onions, making it infeasible for the adversary to trace a received message back to its sender. A protocol equalizes if the adversary cannot determine the input from the numbers of messages received by the parties; in other words, the number of messages output by each participant — or the fact that a participant did not receive an output at all — are random variables that are computationally unrelated to the input vector . (See Definitions 4 and 5.)
We show that in many cases, mixing and equalizing implies anonymity, i.e., an onion routing protocol that mixes and equalizes is anonymous. (See Theorem 1 for the formal theorem statement.) We use this to prove that our protocol is anonymous. Anonymity also implies equalizing; this observation is useful for proving a lower bound that (almost) matches our protocol.
Efficient, robust, and anonymous onion routing.
As we just explained, our strategy is to construct a protocol that mixes and equalizes.
Intuitively, mixing is the easier one to achieve: the onions need to sufficiently shuffle with other onions traveling over the network to ensure that each of them is hard to trace. This intuition is essentially correct, with the caveat that an active adversary can strategically interfere with this process by dropping onions. To ensure that each onion shuffles with a sufficiently large number of onions (formed by an honest party) a sufficiently large number of times, our protocol uses checkpoint onions [ALU18] that each intermediary expects to receive, and if a constant fraction (e.g., one-third) of them don’t arrive because the adversary dropped them, the protocol aborts.
An active adversary who controls a fraction of the participants can try to “isolate” an honest party Alice from the rest of the network by dropping all of the messages/onions received directly from Alice. In a fault-tolerant network protocol, the remaining participants may still be able to get their messages through to their destinations. Thus, based on who received an output, an adversary can infer who Alice’s intended recipient was. This attack explains why equalizing is difficult to achieve.
To overcome this attack, we introduce a new type of onions, called merging onions. When two merging onions belonging to the same pair arrive at some intermediary , recognizes that they are from the same pair (although, other than their next layer and destination, does not learn anything else about them). The protocol directs to discard one of them (chosen at random) while sending its mate along. If only one onion of the pair arrived at while its mate is missing (i.e. the adversary dropped it some time earlier in the protocol run), then simply sends along the mate that survived, and there is nothing to discard.
Why does this help? Suppose that both Alice and Allison created merging onions; at rounds , , , each of these onions (if it hasn’t been deleted yet) will meet a mate. Say, exactly one of Alice’s onions is dropped by the adversary at some point prior to round , so its mate (the onion it was supposed to pair with at round ) was not dropped. Also, suppose that none of Allison’s onions were dropped. Then at round all but one of Alice’s remaining merging onions will meet a mate, and half of them will be dropped, so exactly of Alice’s onions will remain in the system — which is exactly how many of Allison’s onions remain. Additional opportunities to merge account for the possibility that the adversary has dropped a larger number of Alice’s onions. Merging onions ensure that the number of Alice’s onions that remain in the system at the end of the protocol is the same as the number of Allison’s onions, i.e., that the protocol equalizes. The fact that Alice was targeted and many of her onions had been dropped doesn’t matter, because the protocol discards all but one of them anyway! (See Section 4 for a more in-depth description of merging onions and how to construct them.)
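The counting argument behind merging onions, as an added toy simulation that is not code from the paper: one honest sender's batch of 2^k merging onions is tracked through k merge rounds under an assumed binary-tree pairing schedule (the paper's actual construction routes them through a butterfly network, see Section 4, which is not reproduced here). It shows that an adversary who drops some of Alice's onions but none of Allison's ends up seeing the same count for both.

```python
import random


def surviving_onions(k, dropped):
    """Onions 0 .. 2**k - 1 of one sender, minus those the adversary dropped
    before the first merge round (constructed input; indices are arbitrary)."""
    return {i for i in range(2 ** k) if i not in dropped}


def merge_round(alive, j, rng):
    """Merge round j under the assumed schedule: two alive onions are mates
    when they agree on i >> (j + 1), i.e. lie in the same block of 2**(j+1).
    Both arrive -> the intermediary keeps one at random and discards the
    other; only one arrives -> it is sent along and nothing is discarded."""
    groups = {}
    for i in alive:
        groups.setdefault(i >> (j + 1), []).append(i)
    survivors = set()
    for members in groups.values():
        assert len(members) <= 2  # each half-block has at most one survivor
        survivors.add(rng.choice(members))
    return survivors


def run_merging(k, dropped, seed=0):
    """Per-round counts [before merging, after round 0, ..., after round k-1]
    of one sender's merging onions. The counts never depend on the coin flips,
    only on which onions were dropped."""
    rng = random.Random(seed)
    alive = surviving_onions(k, dropped)
    counts = [len(alive)]
    for j in range(k):
        alive = merge_round(alive, j, rng)
        counts.append(len(alive))
    return counts


def compare_senders(k, alice_dropped, allison_dropped):
    """What the adversary can read off the output counts with and without
    merging: ((alice_raw, allison_raw), (alice_final, allison_final))."""
    alice = run_merging(k, alice_dropped)
    allison = run_merging(k, allison_dropped)
    return (alice[0], allison[0]), (alice[-1], allison[-1])


if __name__ == "__main__":
    # Constructed scenario: the adversary targets Alice and drops three of her
    # eight onions; Allison is untouched. Without merging the counts (5 vs 8)
    # single Alice out; with merging both end the run with exactly one onion.
    raw, final = compare_senders(3, {0, 1, 5}, set())
    print("counts without merging:", raw)
    print("counts after merging:  ", final)
    # Exactly one onion dropped before the first merge round: 7 -> 4 -> 2 -> 1,
    # the same trajectory as Allison's 8 -> 4 -> 2 -> 1 from the first round on.
    print("one onion dropped, round by round:", run_merging(3, {5}))
```

Any non-empty set of survivors collapses to a single onion after k rounds, so the final count only reveals whether the adversary dropped everything, not how many onions were dropped.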
Positive result.
We construct an onion routing protocol , pronounced “Pi-butterfly,” because it uses a butterfly network. takes advantage of the merging onions technique described above. It is (1) anonymous from the active adversary who can corrupt up to a constant fraction of the parties and (2) robust, i.e. whenever the adversary drops at most logarithmic (in the security parameter) number of message packets (i.e. onions), delivers the messages from honest senders with overwhelming probability. Moreover, (3) during the execution of the protocol, every honest party transmits up to a polylog (in the security parameter) number of onions: specifically onions, where is the number of participants, and is the security parameter. and are parameters that can be set as desired: increasing them increases the rate at which the maximum distance in the adversarial views for any two inputs shrinks. (See Theorem 3 for the precise relationship.)
Matching negative result.
Our protocol is essentially optimal as far as both the round complexity and the number of onions each participant sends out are concerned. For why anonymity requires superlogarithmic round complexity, we refer the reader to prior work [DMMK20, Chr20]. In Section 7, we explain why a protocol that is robust and anonymous in the presence of an active adversary that corrupts a constant fraction of participants requires a polylogarithmic number of onions sent out per participant.
1.3 Related work
Our work is inspired by the fact that Tor [DMS04], the most widely adopted anonymous communication system, is also known to have numerous security flaws [ØS06, JWJ+13, SEV+15, WSJ+18]: Tor is based on a highly efficient design that favors practicality over security and is not secure even from the passive adversary [DMMK18]. Moreover, it has been shown to be vulnerable to network traffic correlation attacks [ØS06, JWJ+13, SEV+15, WSJ+18]. Thus, our goal was to design a protocol that was as close to Tor’s efficiency and fault tolerance as possible, while also being provably anonymous.
We consider a very specific and narrow problem in the much larger field of anonymous messaging systems. Although our definition of anonymity and adversary models are standard in cryptography, other definitions have been considered [BKM+13, BFT04, CPP08, DRS04, AAC+11] and positive results for alternative models are known [BFT04, BGKM12, BKM+13].
Atom [KCDF17] is a current state-of-the-art anonymous protocol in the active adversary setting. It is similar to an onion-routing protocol [fn 5] and comes in two variants. Atom uses a known random permutation network (e.g., a square network) to mix the message packets. Each node of the random permutation network is really a sufficiently large random sample of the parties, such that the probability that all parties in the sample are corrupt is very small. In Atom #1, to shuffle message packets at a node, every member of the node verifiably shuffles [FS01] the packets and broadcasts a proof to every other member of the node. If an honest party detects a discrepancy, the party aborts the protocol. This guarantees anonymity. The downside is that Atom #1 is highly fragile; the honest parties abort the protocol even if only a single packet is dropped. The second variant, Atom #2, uses threshold cryptography and so can tolerate some dropped messages at a cost in privacy; it only guarantees -anonymity.
Footnote 5: Like a cryptographic onion, each message packet in Atom is a layered encryption object, but without a sender-defined routing path.
A slightly older system, called Vuvuzela [vdHLZZ15], assumes that all messages travel through the same set of dedicated servers and is therefore impractical compared to Tor. Their solution is also highly fragile and cannot tolerate a single dropped onion. Stadium [TGL+17] is a distributed solution that uses verifiable shuffling as its underpinning. Unlike Vuvuzela, Stadium is a properly load-balanced solution but, like Vuvuzela, also suffers from fragility.
Vuvuzela, Stadium, and Atom #2 were not shown to be anonymous. In fact, since these protocols are unable to efficiently equalize, from Theorem 1, they cannot be anonymous: In Vuvuzela and in Stadium, the number of onions received at a dead-drop (an address at one of the servers) is a function of the number of conversing parties. Thus, adding a random (but polynomially-bounded) number of dummy onions can provide differential privacy but not anonymity. In Atom #2, the adversary can drop an honest message packet upfront (at its first hop) and know that any message received in the end was not sent by a particular sender. See Table 1.
Other provably anonymous systems exist [Cha88, RS93, CB95, CBM15], but they are not nearly as efficient. Achieving anonymous channels using heavier cryptographic machinery has been considered also. One of the earliest examples is Chaum’s dining cryptographer’s protocol [Cha88]. Rackoff and Simon [RS93] use secure multiparty computation for providing security from active adversaries. Other cryptographic tools used in constructing anonymity protocols include oblivious RAM (ORAM) and private information retrieval (PIR) [CB95, CBM15]. Corrigan-Gibbs et al.’s Riposte solution makes use of a global bulletin board with a latency of days [CBM15].
We are not the first to look into lower bounds on the complexity of anonymous messaging protocols (e.g., [DMMK18]). However, all other lower bounds are for the setting where every participant is guaranteed to receive an output, and don’t apply to protocols that allow aborts or that allow some participants to receive an output while others’ output doesn’t make it through.
2 Preliminaries: Onion routing protocols
For a set , we denote the cardinality of by , and denotes that is chosen from uniformly at random. For an algorithm , is the (possibly probabilistic) output from running on the input . In this paper, is the logarithm of base .
We say that a function is negligible in the parameter , written , if for a sufficiently large , decays faster than any inverse polynomial in . When is the security parameter, an event is said to occur with (non-)negligible probability if the probability of can(not) be bounded above by a function negligible in . An event occurs with overwhelming probability (abbreviated, w.o.p.) if its complement occurs with negligible probability. We use the standard notion of a pseudorandom function [Gol01, Chapter 3.6].
2.1 Onion encryption schemes
Our work on onion routing builds upon a secure onion encryption scheme [CL05, KBS19, AL20]. Recall that an onion encryption scheme is a triple: . The algorithm generates a participant key pair, i.e., a public key and a secret key. The algorithm forms onions, and the algorithm processes onions.
Let be a set of participants, and let be the set of corrupt parties. For every honest , let be the key pair generated for party , where is the security parameter, and , the public parameters. For every corrupt party , let denote ’s public key.
Let be the message space consisting of messages of the same fixed length, and let the nonce space consist of nonces of the same fixed length. These lengths may be a function of the security parameter . Here, a nonce is really any metadata associated with an onion layer.
The algorithm takes as input a message , an ordered list of parties from , the public keys associated with these parties, and a list of (possibly empty) nonces from associated with the layers of the onion. [fn 6] The party is interpreted as the recipient of the message, and the list is the routing path. The output of is a sequence of onions. Such a sequence is referred to as an evolution, but every in the sequence is an onion. Because it is convenient to think of an onion as a layered encryption object where processing an onion produces the next onion , we sometimes refer to the process of revealing the next onion as “decrypting the onion” or “peeling the onion.”
Footnote 6: Technically, the input/output syntax and constructions of [CL05, AL20] do not include the sequence of nonces but can easily be extended to do so; if we use layered CCA2-secure encryption instead of onion encryption — which is fine for this application — then incorporating the nonces is trivial.
For every , only intermediary party can peel onion to reveal the next layer, which contains the peeled onion , the next destination of the onion, and the nonce . Only the recipient can peel the innermost onion to reveal the message.
In our constructions, a sender of a message to a recipient “forms an onion” by generating nonces and running the algorithm on the message , a routing path , the keys associated with the parties on the routing path, and the generated nonces; the formed onion is the first onion from the list of outputted onions. The sender (i.e., the party who formed the onion) can send to the first party on the routing path, who can process and send the peeled onion to the next destination , and so on. When the last onion is received by the recipient , can process it to obtain the message .
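A toy instance of the (Gen, FormOnion, ProcOnion) interface just described, added here as an example and not the construction of the paper or of [CL05, KBS19, AL20]: it assumes party names are strings and substitutes a symmetric encrypt-then-MAC layer built from the standard library (HMAC-SHA256 keystream plus HMAC tag) for public-key onion encryption, so it shows the evolution, the per-layer (next onion, destination, nonce) output and the hop-by-hop peeling, but its layers are not size-hiding and it offers none of the mixing guarantees of Section 2.1.

```python
import hmac
import hashlib
import secrets

LAYER, MESSAGE = b"\x01", b"\x02"  # type tags so ProcOnion knows what it peeled


def gen(bits=256):
    """Key generation. Toy: one symmetric key per party stands in for (pk, sk)."""
    return secrets.token_bytes(bits // 8)


def _subkeys(sk):
    return (hashlib.sha256(b"enc" + sk).digest(),
            hashlib.sha256(b"mac" + sk).digest())


def _keystream(key, iv, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def _seal(sk, plaintext):
    """Encrypt-then-MAC one layer: iv || ciphertext || tag."""
    enc_key, mac_key = _subkeys(sk)
    iv = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def _open(sk, blob):
    """Verify the tag, then decrypt. None means wrong key or tampered layer."""
    enc_key, mac_key = _subkeys(sk)
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))


def _lp(b):  # one-byte length prefix for short fields
    return bytes([len(b)]) + b


def form_onion(message, path, keys, nonces):
    """FormOnion: path = [P_1, ..., P_l, P_{l+1}] with P_{l+1} the recipient,
    keys[P] is P's key, nonces[i] belongs to layer i+1 (l of them).
    Returns the evolution [O_1, ..., O_{l+1}]; O_1 is what the sender transmits."""
    onion = _seal(keys[path[-1]], MESSAGE + message)  # innermost layer
    evolution = [onion]
    for i in range(len(path) - 2, -1, -1):  # wrap outward: layer l down to 1
        body = LAYER + _lp(path[i + 1].encode()) + _lp(nonces[i]) + onion
        onion = _seal(keys[path[i]], body)
        evolution.append(onion)
    return evolution[::-1]


def proc_onion(sk, onion):
    """ProcOnion: ('layer', O_next, next_dest, nonce), ('message', m),
    or None when this key cannot peel the onion."""
    body = _open(sk, onion)
    if body is None:
        return None
    if body[:1] == MESSAGE:
        return ("message", body[1:])
    rest = body[1:]
    dlen, rest = rest[0], rest[1:]
    dest, rest = rest[:dlen].decode(), rest[dlen:]
    nlen, rest = rest[0], rest[1:]
    return ("layer", rest[nlen:], dest, rest[:nlen])


def route(message, path, keys, nonces):
    """Honest run: every party peels and forwards to the destination it learned.
    Returns (parties that held the onion in order, delivered message or None)."""
    onion = form_onion(message, path, keys, nonces)[0]
    holder, hops = path[0], [path[0]]
    while True:
        result = proc_onion(keys[holder], onion)
        if result is None:
            return hops, None  # undeliverable: the onion does not peel here
        if result[0] == "message":
            return hops, result[1]
        _, onion, holder, _nonce = result
        hops.append(holder)


if __name__ == "__main__":
    # Constructed sample: three intermediaries, recipient Bob, three nonces.
    parties = ["P1", "P2", "P3", "Bob"]
    keys = {p: gen() for p in parties}
    print(route(b"hello bob", parties, keys, [b"n1", b"n2", b"n3"]))
```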
Secure onion encryption.
Suppose that (honest) Alice generates an onion carrying a message for Bob. That is, she generates a string of nonces and runs the algorithm on the inputs: the message , the routing path , the public keys associated with the routing path, and the nonces. Let denote the onion for intermediary party , i.e., is the onion in the outputted evolution.
Suppose that (honest) Carol runs the algorithm on the inputs: the message , the routing path , the public keys associated with the routing path, and some nonces. Let denote the onion for intermediary party .
Provided that the onion encryption scheme is secure, if party receives onions and in the same round and consequently processes the two onions in the same batch, then the adversary cannot tell which processed onion resulted from processing , and which resulted from processing . In other words, onions formed by honest parties “mix” at honest parties. For a precise, cryptographic definition of secure onion encryption, see the recent paper by Ando and Lysyanskaya [AL20].
Remark.
Note that, in our protocol, the adversary already knows how many layers each onion has to begin with and how many remain at each round. Thus, the secure onion routing definitions [CL05, KBS19, AL20] give us even more security than we need. Onion encryption that satisfies them is good for our purposes, but a simpler and potentially more efficient construction will work too. Forming by encrypting under the public key of using a CCA2-secure cryptosystem will also work for our purposes.
2.2 Formal definition of an onion routing protocol
In an onion routing protocol, all the packets sent between protocol participants are treated as onions; i.e., upon receipt, they are fed to . Moreover, internally, there are type checks that ensure that these onions are processed properly.
There are two cases for processing an honestly formed onion properly: the case where peeling the onion reveals its next layer and destination, and the case where it reveals the message of which the processing party is the destination.
In an onion routing protocol, if runs and outputs the next layer of the onion (together with its destination and nonce ), then the only two options for what an onion routing protocol permits to do with is either send it to , or drop it (if then this send step is internal to ). Which of these actions is taken depends on the specifics of the algorithm, and also on the values , but those are the only options. In other words, the protocol for an onion routing scheme cannot have an onion sent to incorrect destinations or fed as input to another algorithm.
Further, if runs and outputs a message , then this message becomes (ultimately, at the end of the protocol) part of its output, i.e., it will be on the list of messages that have been sent to . In other words, the message that is the output of cannot be internal to the protocol, it must be the message that someone sent to via the protocol. Conversely, in an onion routing protocol, the only way that a message can be on the list of messages received by is if obtained it by peeling one of the onions it received.
These restrictions on protocol design are natural. Indeed, any implementation of onion routing would ensure that they are adhered to by using type checking of the objects created, sent, and processed by the algorithm. Without such a restriction, any protocol can be thought of as an instance of an onion routing protocol, so limiting our attention in this way is meaningful.
Note that this places restrictions just on the protocol that the honest parties are executing; the adversary is still free to do anything he wishes: to mismatch types, to route onions incorrectly, to try to rewrap onions, to form and process onions adversarially, etc.
Correct and indifferent onion routing.
Onion routing serves a purpose: to route messages from senders to recipients. Therefore, it needs to satisfy correctness:
**Definition 1.**
A messaging protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ is correct if in an interaction with a passive adversary (i.e., when the adversary doesn’t deviate from the protocol), it delivers all the messages with overwhelming probability.
In this paper, we will consider only correct onion routing protocols, but we will analyze their interactions with active adversaries. Further, the protocols we design in this paper have an additional attractive property of being indifferent:
**Definition 2 (Indifference).**
An onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ “$\bot$” when it is peeled all the way.)
The intuition behind this notion is that the contents of the messages sent and received between parties have no bearing on how the messages are routed and transmitted. For protocol design, indifference is an attractive property that allows components of an onion to be in place (and possibly the bulk of the cryptographic computation finished) before the message contents even becomes known. Another attractive feature of indifferent protocols is that their security properties are easier to analyze, as we will explore in the next section.
Our negative results apply to all onion routing schemes, indifferent or not.
3 Security definitions: anonymity, equalizing, and mixing
A motivating example.
Consider Ando, Lysyanskaya, and Upfal’s very simple protocol (, for passive) in the passive adversary setting [ALU18]. Recall that corrupted parties also follow the protocol in this setting.
Let be the set of servers which is a subset of .
During the onion-forming phase, every party generates an onion from the message-recipient pair in ’s input by first choosing servers , each chosen independently and uniformly at random from . Next, forms an onion by running on the message , the routing path , the public keys associated with , and the sequence of empty nonces. At the first round of the execution phase, each party sends its formed onion to the first server on the routing path. For every round , each server does the following:
- Between the and rounds, processes all the onions it received at the round.
- At the round, sends the processed onions to their respective next destinations.
At the round, each party receives an onion that, once processed, reveals a message for the party.
is anonymous if the protocol sufficiently shuffles the onions during the execution phase. In prior work [ALU18], Ando, Lysyanskaya, and Upfal showed that sufficient shuffling occurs when the server load (i.e., the average number of onions received by a server at a round: ) and the number of rounds (i.e., ) are both superlogarithmic in the security parameter.
However, there is no parameter setting for which can be anonymous from the active adversary. If out of participants are corrupted, then with probability , the adversary can determine the recipient of any honest party, say Alice: Suppose that during the onion-forming phase, Alice picks a routing path that begins with an adversarial party . During the execution phase, the adversary can direct to drop Alice’s onion before the second round. In this case, the adversary can figure out who Alice’s recipient is (say, it’s Bob) by observing who does not receive an onion at the end of the protocol run.
The motivating example illustrates that while mixing (i.e., sufficiently shuffling onions) is helpful for achieving anonymity, it is not enough. To be anonymous, the protocol must also guarantee that the numbers of messages received by the parties don’t reveal the input. We call this property equalizing.
Relating equalizing and mixing to anonymity.
Here, we provide formal game-based definitions of anonymity (Section 3.1), equalizing (Section 3.2), and mixing (Section 3.3). Given these definitions, it can be shown that for indifferent onion routing protocols, equalizing and mixing imply anonymity:
**Theorem 1.**
For any adversary class , an indifferent (Definition 2) onion routing protocol that mixes and equalizes for in the simple I/O setting is anonymous for in the simple I/O setting, provided that the underlying onion encryption is secure (i.e., UC-realizes the ideal functionality for onion encryption [AL20]).
The proof is by a reduction and can be found in Appendix A. We will use Theorem 1 to prove our upper bound in Section 6.3.
3.1 Anonymity
Anonymity is a property of a messaging protocol (i.e., it does not have to be an onion routing protocol).
The definition of anonymity is standard indistinguishability. Recall that indistinguishability is defined using a security game in which the adversary chooses any two inputs to the system: and . The system is secure if no adversary can distinguish between the two scenarios: running the system on input (scenario 0) and running the system on input (scenario 1).
In the anonymity game (for defining anonymity), the adversary necessarily learns the corrupt parties’ inputs and received messages. For example, let , and let be a corrupt party.
- Suppose that the adversary chooses as inputs and such that . Then, the adversary can determine the input from ’s input.
- Suppose that the adversary chooses as inputs and such that contains an instruction to send message to , whereas contains an instruction to send message to . Then, the adversary can determine the input from ’s received message.
Thus, the adversary’s choice for is constrained to pairs of inputs that differ only in the honest parties’ inputs and “outputs.” We define this formally by first defining equivalence classes for inputs as follows:
Input equivalence classes.
Let be a set of input vectors. Let be the adversary, and let be the set of parties controlled by . Fixing imposes an equivalence class on . Each equivalence class is defined by a vector . For each corrupted party , “fixes” the input for and also, the set of messages instructed to be sent from honest parties to . For each honest party , “fixes” the number of messages instructed to be sent from honest parties to . An input vector belongs to the equivalence class if for every , the input for is , the set of messages from honest parties to is , and ; and if for every , the number of messages from honest parties to is , and . Two input vectors and are equivalent w.r.t. the adversary’s choice for the corrupted parties, denoted , if they belong to the same equivalence class imposed by .
We define anonymity using the anonymity game (below) in which the adversary picks two inputs from the same equivalence class; the protocol is anonymous if this induces indistinguishable adversarial views.
The anonymity game.
The anonymity game is parametrized by the security parameter , a protocol , an adversary , and a set of input vectors.
First, the adversary and the challenger set up the parties’ keys: chooses a subset of the parties to corrupt and sends to the challenger . For each honest party in , generates a key pair for the party; the public keys of the honest parties are sent to . picks the keys for the corrupted parties and sends the corrupted parties’ public keys to .
Next, the input is selected: picks two input vectors such that and sends them to . chooses a random bit and interacts with in an execution of protocol on input with acting as the honest parties adhering to the protocol and controlling the corrupted parties.
At the end of the execution, computes a guess for from its view and wins the anonymity game if . See Figure 1.
The standard notion of anonymity is defined as follows:
**Definition 3 (Anonymity).**
A messaging protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ is anonymous for the adversary class $\mathbb{A}$ w.r.t. the input set $\Sigma$ if for every adversary $\adv\in\mathbb{A}$ in $\mathsf{AnonymityGame}(1^{\lambda},\Pi,\adv,\Sigma)$, $\left|\prob{\adv\text{ wins }}-\frac{1}{2}\right|=\negl$.
The protocol is computationally (resp. statistically) anonymous if the adversaries in are computationally bounded (resp. unbounded).
3.2 Equalizing
Here, we introduce a new concept called equalizing, which is closely related to anonymity. Like anonymity, equalizing is a property of a messaging protocol .
Informally, equalizes if observing how many messages each party received during the protocol run does not reveal whether the protocol ran on or . In (in our motivating example), whether Bob receives a message or not exposes who was sending Bob the message: Alice or another party, Allison; so does not equalize. Instead, in an equalizing protocol, the probability that Bob receives a message doesn’t depend on the sender’s identity. Put another way, Bob is expected to receive the same number of messages in the scenario where Alice is the sender as the one where it is Allison. Formally, equalizing is defined with respect to the equalizing game (below).
The equalizing game.
The equalizing game is parametrized by the security parameter , a protocol , an adversary , a distinguisher , and a set of input vectors.
The challenger for the equalizing game first interacts with the adversary exactly the same way as the challenger for the anonymity game. (See the previous section, Section 3.1, for the description of the anonymity game.)
Recall that at the end of the anonymity game, each honest party outputs the set of (non-empty) messages from the message space that it obtained during the execution from processing onions. Let be the number of messages that received during the run, i.e., . (These statistics are part of the adversary’s view in the anonymity game.)
We define the statistics for the corrupt parties differently since does not get to observe how many messages the corrupt parties output; indeed it is not even clear what it means for a corrupt party to produce an output. For each recipient , let correspond to the number of onions that has routed to an adversarial participant such that (1) they had been formed by an honest participant with as the recipient; and (2) all the participants after on the remainder of this onion’s route are controlled by the adversary. In other words, is the number of onions from honest participants that would receive if, internal to the adversary, all the onions are processed and delivered to their next destinations. We define this formally below.
Let denote the set of message-sender pairs for . That is, for every , the input for includes the message-recipient pair , i.e., . Let be the following set of onions: An onion is in if there exists a message-sender pair such that
i. was formed by (on behalf of ) by running on input the message , a routing path ending in , the public keys of the parties on the path, and a sequence of nonces, i.e., where
ii. letting denote the position of in the output of the call, either , or the intermediary on the routing path is honest; and
iii. is “peelable all the way” by ; i.e., are all adversarial.
For each adversarial recipient , we define the statistic to be the number of onions in that the challenger sent out during the execution.
Let . provides these statistics alone (and not the rest of the view) to the distinguisher , who outputs a guess for the challenge bit and wins the game if , i.e. if it correctly determines whether the challenger ran the protocol on input or . See Figure 2.
The definition for equalizing is as follows.
**Definition 4 (Equalizing).**
A messaging protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ equalizes for the adversary class $\mathbb{A}$ w.r.t. the input set $\Sigma$ if for every adversary $\adv\in\mathbb{A}$ and every distinguisher $\ddv$ in $\mathsf{EqualizingGame}(1^{\lambda},\Pi,\adv,\ddv,\Sigma)$, $\left|\prob{\ddv\text{ wins }}-\frac{1}{2}\right|=\negl$.
The protocol computationally (resp. statistically) equalizes if the adversaries and the distinguishers are computationally bounded (resp. unbounded).
Clearly, a protocol that satisfies anonymity must equalize:
**Theorem 2.**
For any adversary class , a protocol that is anonymous for w.r.t. the input set equalizes for w.r.t. .
Proof: If can guess based on the statistics alone, then the adversary who has access to the entire view of its interaction with can guess also. It is also easy to see that a protocol need not satisfy anonymity in order to satisfy equalizing. Thus, equalizing is necessary but not sufficient to achieve anonymity.
3.3 Mixing in the simple I/O setting
Mixing is a property of onion routing protocols. Informally, an onion routing protocol mixes if the protocol sufficiently shuffles the honest parties’ “message-bearing” onions. That is, once an honestly generated onion has traveled far enough, getting peeled at every intermediary, the adversary cannot trace it to the original sender. If the adversary is the recipient of the message contained in the onion, it should not be able to trace it to the sender provided the message itself does not reveal the sender.
Formally, mixing is defined with respect to the mixing game. To keep things simple, we present the definition in the simple I/O setting. This can be extended to any arbitrary input set.
The mixing game.
Let be a secure onion encryption scheme. The mixing game is parametrized by the security parameter , an onion routing protocol , and an adversary .
First, the adversary and the challenger set up the parties’ keys (exactly as we described above for the anonymity game): chooses a subset of the parties to corrupt and sends to . For each honest party in , generates a key pair for the party by running the onion encryption scheme’s key generation algorithm and sends the public keys of the honest parties to the adversary . picks the keys for the corrupted parties and sends the public-key portions to .
Next, the input is selected: identifies a set of honest target senders and a set , of target receivers. In addition to and , also decides part of the input; for every non-target sender , chooses a message and a unique non-target recipient such that ’s input becomes ; and for every target recipient , chooses a message to be sent to . We call the portion of the input that decides “the partial input vector,” and denote it . sends to the challenger . supplies the rest of the input vector by choosing a random bijection from to ; each is instructed to send the message to , i.e., where the message was supplied by as part of the partial input vector.
Next, interacts with in an execution of protocol on input with acting as the honest parties adhering to the protocol and controlling the corrupted parties. Whenever the protocol specifies for an onion to be formed or processed, runs the onion encryption scheme’s onion-forming algorithm or onion-processing algorithm .
Let be the set of onions received by the parties in .
At the end of the execution, chooses two onions and a target sender and outputs .
Let an onion be a “valid challenge onion” if (i) there exists a message and a target recipient such that is ’s choice for the message to be sent to , and (ii) is the last onion to be received by the recipient over the network in the onion evolution generated by on behalf of one of the target senders running on the message and a routing path ending in .
Let be the sender of , and let be the sender of . To maximize his chances of winning the game, the adversary wants both and to be valid challenge onions such that was sent by , while was not. Formally, if chose two valid challenge onions, and , then wins iff . Otherwise, if did not choose two valid challenge onions, or if or , then wins with probability one-half. See Figure 3 for a quick reference to the mixing game.
We now define mixing as follows.
**Definition 5 (Mixing).**
An onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ mixes for the adversary class $\mathbb{A}$ if, letting $E$ denote the event that the adversary output two valid challenge onions of which exactly one was sent by the target sender it named, for every adversary $\adv\in\mathbb{A}$ in $\mathsf{MixingGame}(1^{\lambda},\Pi,\adv)$, $\left|\prob{\adv\text{ wins }\mid E}-\frac{1}{2}\right|=\negl$.
The protocol computationally (resp. statistically) mixes if the adversaries in are computationally bounded (resp. unbounded).
Now that we have defined mixing formally, let us walk the reader through our definitional choices. The starting intuition is that this definition needs to capture that it should be hard for the adversary to pinpoint the origin of an onion received by one of the target recipients. This goal comes with a caveat that of course an adversary can determine the sender of an onion that one of the target senders has just created, or, more generally, that hasn’t traveled very far and hasn’t had a chance to mix with any onions from other target senders. Hence, we need to restrict the set of onions on which the adversary can win to a set of onions that have traveled far and have already had a chance to mix with other onions. This is why we have the requirement that the onion be a valid challenge onion. Intuitively, a valid challenge onion is one that was formed by a target sender and has already arrived at its destination, a target recipient, and now the adversary’s job is to figure out where it came from.
Next, let us explain why, to win the game, the adversary must produce two valid challenge onions, and correctly attribute one of them to a sender , while the other must have originated with another target sender. What does it mean that the adversary cannot trace an onion? One intuitive approach would be to say: the adversary’s chances of winning the game where he picks just one onion and guesses its origin are close to a simulator’s chances of winning a game where he just guesses a sender, and the challenger picks the onion uniformly at random and independently of the simulator’s guess. The problem with this approach is that we don’t know the best strategy for such a simulator and with what probability it would succeed.
So our approach is to have the adversary pick a sender and two onions. “Mixing” means that, if it so happens that exactly one of them comes from and the other comes from another target sender, then try as he may, the adversary cannot tell which is which any better than by guessing randomly. And if it doesn’t happen that way, then the adversary wins with probability one-half.
4 Main tools: checkpoint onions and merging onions
We describe the main ingredients for our constructions: checkpoint onions (a tool that was introduced in prior work [ALU18]) and a new tool: merging onions.
4.1 Checkpoint onions
Our goal is to achieve anonymity by ensuring that our protocol mixes and equalizes in the presence of an active adversary that drops onions. The challenge is: if the adversary drops too many onions, then the remaining ones don’t have enough onions to mix with, and so the resulting protocol will not mix. Checkpoint onions give the honest participants a way of checking that there are still enough onions in the system for mixing to be possible.
A checkpoint onion is a dummy onion formed by a party that travels through the network until, at a pre-determined checkpoint round , it arrives at the intermediary , who is expecting it. If it fails to arrive, then is alerted to the activity of an active adversary.
More precisely, let be a pseudo-random function over two inputs, keyed by which is a secret key shared between and . Let be a binary predicate. Let be the diagnostic rounds; the honest parties test whether enough onions remain in the system after these rounds. For each intermediary and each round , determines whether or not to create a checkpoint onion that will arrive at at round by computing , and then checking if ; if so, creates this checkpoint onion. Similarly, the intermediary will know to expect a checkpoint onion from at round by computing , and then checking if .
forms by running on input the empty message “,” a randomly chosen routing path , the public keys associated with parties on , and a sequence of nonces. The nonce which will be received by , is the value that will know to expect: ; the rest are random nonces. The reason that will know to expect is that can compute it too, since is shared between and .
Of course, the shared key need not be set up in advance: it can be generated from an existing PKI, e.g., using Diffie-Hellman (see prior work for details on checkpoint onions [ALU18]).
If the adversary drops an onion belonging to the same evolution as before it reaches , will detect it: it will detect that no onion with nonce was received in round . (Since is pseudorandom, it is highly unlikely that another onion peels to the same nonce value.)
Note: The number of checkpoint onions that generates is a pseudorandom variable that depends on the pseudo-random function and the binary predicate . For our mixing mechanism to work, we should choose and such that the frequency of forming a checkpoint onion for a random party and a random round is , where by “,” we mean polylogarithmic in the security parameter , so that the expected number of checkpoints that generates is . This ensures a strong correlation between the number of missing checkpoints observed by a party and the total number of checkpoint onions that have been dropped before the observation was made.
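The sender/intermediary bookkeeping described above, as an added Python simulation that is not the paper's code: the two-input PRF is instantiated with HMAC-SHA256, the predicate fires for roughly a 1/rate fraction of PRF outputs, the nonce is taken from the same PRF output, pairwise shared keys are constructed in place, and an onion layer is modelled as a bare (intermediary, round, nonce) record rather than an encrypted onion (all assumptions).

```python
import hashlib
import hmac
import secrets
from collections import defaultdict


def prf(key: bytes, round_no: int, party: str) -> bytes:
    """Two-input PRF F_k(round, party); HMAC-SHA256 stands in for it here (assumption)."""
    return hmac.new(key, f"{round_no}|{party}".encode(), hashlib.sha256).digest()


def should_checkpoint(prf_out: bytes, rate: int) -> bool:
    """Binary predicate b: true for about a 1/rate fraction of PRF outputs, so a sender
    forms a checkpoint for a random (intermediary, diagnostic round) pair w.p. ~1/rate."""
    return int.from_bytes(prf_out[:4], "big") % rate == 0


def checkpoint_nonce(prf_out: bytes) -> bytes:
    """Nonce both sides derive from the same PRF output (assumption: its second 16 bytes)."""
    return prf_out[16:]


def plan_checkpoints(sender, keys, parties, diag_rounds, rate):
    """Sender side: the (intermediary, round, nonce) triples for which the sender forms a
    checkpoint onion; the nonce goes into the layer that the intermediary will peel."""
    plan = []
    for q in parties:
        if q == sender:
            continue
        for r in diag_rounds:
            out = prf(keys[frozenset((sender, q))], r, q)
            if should_checkpoint(out, rate):
                plan.append((q, r, checkpoint_nonce(out)))
    return plan


def expected_checkpoints(me, keys, parties, diag_rounds, rate):
    """Intermediary side: round -> set of nonces it expects, from the same keys and PRF."""
    expected = defaultdict(set)
    for p in parties:
        if p == me:
            continue
        for r in diag_rounds:
            out = prf(keys[frozenset((p, me))], r, me)
            if should_checkpoint(out, rate):
                expected[r].add(checkpoint_nonce(out))
    return expected


def missing_checkpoints(expected_nonces, received_nonces):
    """Diagnostic test at one round: expected nonces that no peeled onion carried."""
    return len(set(expected_nonces) - set(received_nonces))


def fresh_keys(parties):
    """Constructed pairwise shared keys (the paper derives them from the PKI, e.g. via DH)."""
    return {frozenset((a, b)): secrets.token_bytes(32)
            for a in parties for b in parties if a < b}


def simulate(parties, diag_rounds, rate, dropped, keys=None):
    """Every party plans and sends its checkpoint onions; `dropped` holds the
    (sender, intermediary, round) triples an active adversary removes in transit.
    Returns {intermediary: {round: number of missing checkpoints}}."""
    keys = keys or fresh_keys(parties)
    arrivals = defaultdict(list)   # (intermediary, round) -> nonces that actually arrive
    for s in parties:
        for q, r, nonce in plan_checkpoints(s, keys, parties, diag_rounds, rate):
            if (s, q, r) not in dropped:
                arrivals[(q, r)].append(nonce)
    report = {}
    for q in parties:
        expected = expected_checkpoints(q, keys, parties, diag_rounds, rate)
        report[q] = {r: missing_checkpoints(expected[r], arrivals[(q, r)])
                     for r in diag_rounds}
    return report


if __name__ == "__main__":
    ps = [f"P{i}" for i in range(8)]
    # rate=1: every pair checkpoints at every diagnostic round; two onions bound for P3 are dropped.
    print(simulate(ps, [4, 8], 1, {("P1", "P3", 4), ("P2", "P3", 4)})["P3"])  # {4: 2, 8: 0}
```

Comparing the missing count against the protocol's threshold at each diagnostic round is what turns this detection into the abort decision described in Sections 5 and 6.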
4.2 Merging onions
Checkpoint onions help with mixing, but not with equalizing. If our routing protocol just has every sender form one “message-bearing” onion to its recipient and send it along in addition to a set of checkpoint onions (as in the protocol of Ando, Lysyanskaya and Upfal [ALU18]), then an adversary who targets the sender Alice can cause Alice’s recipient Bob to receive the message with a smaller probability than her alternative recipient, Bill; so this protocol will not equalize, and from Theorem 2 has no hope of achieving anonymity.
So how can we design a protocol that equalizes? One approach is to detect when the adversary drops any onions at all (e.g., using verifiable shuffling) [TGL+17, KCDF17], and abort when that happens. While this approach equalizes, it is not at all fault-tolerant. To achieve fault tolerance and equalizing, the protocol must be able to react to the adversary dropping onions in a way that is less dramatic than total abort. This can be accomplished by using a new tool: merging onions.
The idea here is that a sender can create two onions, and that bear the same message to the same recipient . Further, they will be routed through the same intermediary , arriving at at the same round . Let (resp. ) denote the layer of (resp. ) that arrives at at round . When peels both and , discovers that they are (essentially) the same onion, and only forwards one of them to the next destination. If receives just one of them (because the other one had been dropped by the adversary), then it forwards it to the next destination, too.
Why does this approach help with equalizing? Suppose we have a protocol in which every participant creates two message-bearing onions that merge at round . Suppose that the adversary targets the sender Alice and succeeds in dropping one of her two outgoing merging onions. Since these onions were supposed to merge at round , after round , there are just as many onions for which Alice was the sender (namely, just one onion) as for any other participant.
In general, of course, the adversary may drop more than one onion belonging to Alice. In fact, in order to guarantee that any of Alice’s onions survive with overwhelming probability when the adversary controls a constant fraction of the network’s nodes, Alice needs to send out a superlogarithmic (in the security parameter ) number of onions. In order to equalize the number of onions that make it to each destination, our protocol will have to create not a pair, but merging onions, organized in a binary tree of height .
We now illustrate how to form merging onions through a toy example for . We first construct a binary tree graph of height . We label the root vertex of the tree , and the left-child and right-child of , and . More generally, the left-child of a vertex is , and the right-child of is , so that the leaf vertices are: , , , , , , , and . Each of these leaf vertices corresponds to a separate onion.
Let denote a fixed number of rounds; this will later correspond to the length of an “epoch.” Next, for each vertex of the graph, we choose a random sequence of parties and a random sequence of nonces, i.e., , and .
Let the “direct path from a leaf vertex to the root” be the path that begins with and recursively moves to its parent vertex until the root vertex is reached. For example, the direct path from to the root is .
Let the “sequence of intermediaries corresponding to leaf vertex ” be the sequence of parties corresponding to the parties on the direct path from to the root, e.g., for , it is where is the sequence of parties assigned to the root. See Figure 4.
Let the “sequence of nonces corresponding to leaf vertex ” be the sequence of nonces corresponding to the parties on the direct path from to the root, e.g., for , it is where is the sequence of nonces assigned to the root.
For each leaf vertex , we form an onion using the message from the input, the routing path where is the recipient from the input, the public key associated with the routing path, and the sequence of nonces. We can generalize this idea to generate an arbitrarily large set of merging onions by using an appropriately large binary tree.
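The toy construction above (eight merging onions, epoch length y), as an added Python example that is not the paper's code. It assumes tree vertices labelled by binary strings with the root as the empty string, y random parties and y random nonces per vertex, a relay's merge step modelled as counting distinct nonces at a round, and a recipient layer that carries no nonce.

```python
import random


def build_merging_onions(x, y, parties, recipient, seed):
    """Routing paths and nonce sequences for x merging onions (x a power of two).
    Returns {leaf_label: (path, nonces)}; siblings share everything from their parent up."""
    rng = random.Random(seed)
    depth = x.bit_length() - 1
    if 1 << depth != x:
        raise ValueError("x must be a power of two")
    # root "", then all binary strings of length 1..depth; leaves have length depth
    vertices = [""] + [format(i, f"0{d}b") for d in range(1, depth + 1) for i in range(1 << d)]
    seq = {v: [rng.choice(parties) for _ in range(y)] for v in vertices}      # y parties per vertex
    nonces = {v: [rng.getrandbits(64) for _ in range(y)] for v in vertices}  # y nonces per vertex
    onions = {}
    for leaf in (v for v in vertices if len(v) == depth):
        path, ns, v = [], [], leaf
        while True:                      # direct path: leaf -> parent -> ... -> root
            path += seq[v]
            ns += nonces[v]
            if v == "":
                break
            v = v[:-1]
        onions[leaf] = (path + [recipient], ns + [None])   # assumption: no nonce at the recipient
    return onions


def first_merge_round(onions, a, b):
    """Index of the first round at which onions a and b reach the same party with the same nonce,
    i.e. the round at which an honest relay would forward only one of them."""
    pa, na = onions[a]
    pb, nb = onions[b]
    for j, (p, n) in enumerate(zip(pa, na)):
        if n is not None and p == pb[j] and n == nb[j]:
            return j
    return None


def distinct_onions_at(onions, alive, j):
    """Onions still in flight after round j's merges: layers that peel to the same nonce are
    forwarded as one, so count distinct nonces among the leaves the adversary has not dropped."""
    return len({onions[leaf][1][j] for leaf in alive})


def equalizing_demo(x, y, parties, dropped_alice, seed):
    """Alice loses the leaves in `dropped_alice`, Bob loses none. Returns the (alice, bob) onion
    counts at round 0 and after the first merge level (round y): unequal before, equal after."""
    alice = build_merging_onions(x, y, parties, "R_alice", seed)
    bob = build_merging_onions(x, y, parties, "R_bob", seed + 1)
    alive_a = set(alice) - set(dropped_alice)
    return ((distinct_onions_at(alice, alive_a, 0), distinct_onions_at(bob, set(bob), 0)),
            (distinct_onions_at(alice, alive_a, y), distinct_onions_at(bob, set(bob), y)))
```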
5 A stepping stone construction,
Let us extend the toy example construction we just saw to a protocol, , which is a stepping stone for our main construction. is pronounced “Pi-tree” from the fact that the onions’ routing paths are structured like a binary tree graph and is parametrized by the number of merging onions per sender (this is also the expected number of checkpoint onions per sender), the number of rounds per epoch, and the threshold for missing checkpoint nonces per diagnostic round. (We will generally omit the superscript for better readability.)
The setup phase.
We use a secure onion encryption scheme as a building block (see Section 2 for a description of onion encryption schemes). During the setup phase, the participants set up their keys. Every honest party sets up his/her keys by running the onion encryption scheme’s key generation algorithm .
The onion-forming phase.
During the onion-forming phase, each honest party creates two types of onions: merging onions and checkpoint onions.
- On input , forms a set of merging onions using the number of rounds in an epoch, the message , and the recipient .
- In addition to merging onions, generates (on average) checkpoint onions using the set as the diagnostic rounds. (Appropriate functions are chosen for and such that generates checkpoint onions in expectation. See Checkpoint onions in Section 4 to recall how these functions are used for generating checkpoint onions.)
For both merging onions and checkpoint onions, the length of the routing path is fixed; it is . See Figure 5 for a summary of the setup and onion-forming phases.
Remark: The onion layers are tagged with their respective round number to prevent replay attacks. If by peeling an onion received at round , an honest relaying party observes a round number , the party “drops” the onion (doesn’t relay it to its next destination).
The execution phase.
All onions are created during the onion-forming phase and released simultaneously in the first round of the execution phase. After each round of the execution phase, peels all onions it received at the round and merges mergeable onions (i.e., if two onions peel to the same nonce value, drop one of them at random).
If is a diagnostic round (i.e., ), runs the following diagnostic test: Let denote the set of checkpoints that expects to see from peeling the onions between rounds and . counts how many checkpoints from are missing. If the number exceeds a fixed threshold value (i.e., the onions fail the test), then aborts. Otherwise (if the number of missing checkpoints is below ), continues for another round by sending the processed onions to their respective next destinations in random order.
At the end of the execution phase, peels the onions it received at the last round and outputs the set of (non-empty) messages it received.
Performance of .
As shown in Appendix C, is anonymous from the adversary who corrupts up to fraction of the parties when (a) the onion encryption scheme is secure, (b) the number of onions formed by each (honest) party is where , (c) the number of rounds per epoch is , and (d) the threshold is .
The reason that needs so many onions is that the adversary can target Alice and drop a lot of her onions before the honest participants realize (via checkpoint onions) the presence of an attack and abort. The protocol presented in the next section improves on this by giving the routing paths enough structure that missing onions can be detected sooner.
6 Our main construction,
In this section, we present our main construction (pronounced “Pi-butterfly”). uses a variant of a butterfly graph described below.
6.1 The butterfly network and variants
Recall [MU05, Chapter 4.5.2] that the butterfly network is a directed graph on vertices. The vertices are organized into rows and columns, so each vertex has an address where and . Vertices in column represent potential locations of a data packet (here, an onion) at epoch ; each participant has a dedicated row. An edge from to means that an onion can travel from participant to participant in epoch . The edges of the specific butterfly network that will be useful for us are
[TABLE]
Let and be two participants whose binary representation differs in bit only. In , epoch is dedicated to having an onion bounce times between and . This way, by the end of the epoch, the onions that and held at the beginning of the epoch will be mixed together if one of them is honest. More formally, the onions travel along the edges of a stretched butterfly network, defined as follows: its vertices are organized into rows and columns; and its edges are: $E(\beta)=\{((P,j),(Q,j+1))\mid ((P,i),(Q,i+1))\in E(B)\ \text{for } i=\lfloor j/y\rfloor\}$.
However, what if both and are adversarial? Then sending the onions through the stretched butterfly network just once will result in the adversary knowing the bit of an onion’s destination! So to prevent this, we will send the onions through the iterated stretched butterfly network. For an integer , let denote the stretched butterfly network iterated times. More precisely, is a directed graph in which the vertices are organized into rows and columns, i.e., a vertex has an address where and . The edges are as follows: $E(\beta^{z})=\{((P,j),(Q,j+1))\mid ((P,i),(Q,i+1))\in E(\beta)\ \text{for } i=j\bmod ny\}$.
To summarize, we begin with a butterfly network , then we stretch it by to get , then we iterate it times to get ; see Figure 6. By a “walk through ” we mean a sequence such that, for each , . A random walk from a node is a sequence that begins with such that for , each is a walk selected uniformly at random conditioned on the first elements being . A random walk starting at any address can be sampled efficiently. Moreover, we can also efficiently sample a random walk backwards from a given address . And we can sample a random walk that hits a given address at round efficiently as well, by walking backwards on the butterfly network from to and forward from to .
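The stretched, iterated butterfly and the three walk-sampling routines described above, as an added Python example that is not the paper's code. It assumes N = 2^n participants addressed by n-bit integers and takes E(B) to be the standard butterfly edges (from (P, i) an onion either stays at P or moves to the participant whose address differs from P in bit i only); the page's own edge table is not reproduced.

```python
import random


def butterfly_bit(j, n, y):
    """Bit that beta^z flips at column j: column j of beta^z maps to column j mod (n*y)
    of the stretched beta, which maps to column floor((j mod n*y) / y) of B."""
    return (j % (n * y)) // y


def out_neighbors(p, j, n, y):
    """Successors of (p, j): stay at p or flip bit i (assumed standard butterfly edges)."""
    i = butterfly_bit(j, n, y)
    return [(p, j + 1), (p ^ (1 << i), j + 1)]


def in_neighbors(q, j, n, y):
    """Predecessors of (q, j) in column j-1; the bit-flip relation is symmetric."""
    i = butterfly_bit(j - 1, n, y)
    return [(q, j - 1), (q ^ (1 << i), j - 1)]


def num_columns(n, y, z):
    """beta^z has z*n*y + 1 columns, one per round boundary of the mixing sub-phase."""
    return z * n * y + 1


def random_walk_forward(p, j, n, y, z, rng):
    """Uniform random walk from (p, j) to the last column (every vertex has 2 successors)."""
    walk = [(p, j)]
    while walk[-1][1] < num_columns(n, y, z) - 1:
        walk.append(rng.choice(out_neighbors(*walk[-1], n, y)))
    return walk


def random_walk_backward(p, j, n, y, rng):
    """Uniform random walk from column 0 that ends at (p, j), sampled backwards."""
    walk = [(p, j)]
    while walk[-1][1] > 0:
        walk.append(rng.choice(in_neighbors(*walk[-1], n, y)))
    return walk[::-1]


def sample_walk(p, j, n, y, z, seed=None):
    """Random walk through all of beta^z conditioned on visiting address (p, j):
    walk backwards from (p, j) to column 0, then forwards from (p, j) to the end.
    With j == 0 this is simply a random walk starting at (p, 0)."""
    rng = random.Random(seed)
    return random_walk_backward(p, j, n, y, rng) + random_walk_forward(p, j, n, y, z, rng)[1:]


def is_walk(seq, n, y, z):
    """Check that seq spans all columns and every consecutive pair is an edge of beta^z."""
    if len(seq) != num_columns(n, y, z) or seq[0][1] != 0:
        return False
    return all(b in out_neighbors(*a, n, y) for a, b in zip(seq, seq[1:]))


def reachable(p, n, y, cols):
    """Parties reachable from (p, 0) after `cols` steps. After one stretched pass (n*y steps)
    every party is reachable, which is the mixing the bounces are meant to provide."""
    frontier = {p}
    for j in range(cols):
        frontier = {q for r in frontier for q, _ in out_neighbors(r, j, n, y)}
    return frontier


if __name__ == "__main__":
    n, y, z = 3, 2, 2                         # 8 parties, 2 bounces per epoch, 2 iterations
    print(sample_walk(5, 7, n, y, z, seed=11))  # a walk of 13 addresses passing through (5, 7)
```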
6.2 Description of the construction
Like , consists of the setup phase, the onion-forming phase, and the execution phase. It is parameterized by the number of merging onions per sender, the number of rounds per epoch, the number of iterations of a variant of a butterfly graph, and the threshold for missing checkpoint nonces. (We will generally omit the superscript for better readability.) The execution phase is divided into the mixing sub-phase and the equalizing sub-phase. The iterated stretched butterfly graph determines routing options for the mixing sub-phase.
The setup phase.
Let be a secure onion encryption scheme. During setup, each honest participant generates its public key pair using ’s key generation algorithm . (This is the same as the setup phase in . )
The onion-forming phase.
On input , each honest party generates exactly merging onions and (on average) checkpoint onions. To form an onion, first needs to pick a path for it. Each onion will (potentially) travel to parties to reach its destination: the first steps involve a random walk through the iterated stretched butterfly network (the mixing sub-phase), and the next steps will take the onion through the equalizing sub-phase and to the recipient.
To begin with, generates the merging onions as follows: Let be the binary tree of height . Let be an address of a node in (i.e., is a binary string of length at most ); let denote this node. I.e., V(T)=\{v_{k}\mid\mbox{k is a binary string, }|k|\leq\log x\}. To each non-leaf vertex in , assigns a sequence of random parties and random nonces; let denote the sequence of vertices and denote the sequence of nonces corresponding to vertex . (Up until this step, this is exactly how merging onions are formed in .) For each leaf vertex , picks a random walk through the iterated stretched butterfly and random nonces; let , denote the random walk, and let be the sequence of nonces.
Let be a leaf of . Let where is the -bit prefix of . I.e. and , and is the path from to the root of the tree, where .
will create an onion for each leaf . Its routing path is where is as defined above, where is the -bit prefix of , and is the recipient, and such that . Similarly, let denote the sequence of nonces corresponding to this path.
To form the onion corresponding to , runs the algorithm on the message , the routing path , the public keys associated with the routing path, and the nonce sequence .
After forming the merging onions, generates the checkpoint onions. Just as in , the execution phase consists of epochs, and the last round of every epoch is a diagnostic round. Here, each epoch lasts rounds, thus round is a diagnostic round if is a multiple of . For each diagnostic round and for each intermediary , uses the pseudorandom function to determine whether to form a checkpoint onion to send to at round , and if so, calculates the nonce .
When , generates a checkpoint onion to be verified by party in round . Recall that ; so round is the last round of the execution phase. Since the checkpoint onion should not be distinguishable from a merging one during the mixing sub-phase, it needs to travel over the edges of the iterated stretched butterfly network for the first rounds, and follow a random path through the network during the equalizing sub-phase, all the way until the last round .
As a result, for , generates the routing path by first picking a random walk through the iterated stretched butterfly network starting at a random node , and then choosing each participant on the next part of the path uniformly at random from . Next, , and each router on the remaining stretch of the path is, again, chosen uniformly at random from . So the resulting routing path is . chooses the corresponding nonces uniformly at random, sets , and gives the resulting routing path, sequence of nonces and the empty message to to obtain checkpoint onion .
If , then round occurs during the mixing sub-phase, as the onion is making its way through the butterfly network. So its path has to be formed in such a way that it arrives at at round ; but it needs to be a randomly chosen path conditioned on this event (so that a checkpoint onion’s path is distributed the same way as one of a merging onion). Let be a random walk through that is at address at round (see Section 6.1 for how to sample this walk efficiently). Let each intermediary in the sequence be chosen uniformly at random from . Again, for , , the nonce is chosen at random, while . Let . Run on input the routing path , sequence of nonces and the empty message to obtain checkpoint onion . See Figure 7.
Remark: As in , the onion layers are tagged with their respective round number to prevent replay attacks. If by peeling an onion received at round , an honest relaying party observes a round number , the party drops the onion. (We can, therefore, assume that replay attacks do not happen. We can safely do so since the security of the onion encryption scheme prevents the adversary from modifying the onions formed by honest participants in any meaningful way. See, for example, Ando and Lysyanskaya’s work on onion encryption [AL20] for a sufficiently strong construction.)
The execution phase.
At the beginning of the execution phase, each party is live. ’s status will change from live to aborted if it ever receives a special abort message from another party. An aborted party sends the special abort message to a random sample of parties. (A slight technicality is that, since all messages must be onions, the special abort message is a specially formed onion.)
For each , each live honest party first peels all the onions it received at the round. It merges onions that are mergeable: if it received two onions that have the same nonce, then it drops one of them, selected at random, and sends the other one to its next destination.
If is a diagnostic round (i.e., a multiple of ), then runs the diagnostic test: compares the number of checkpoint onions it expects to receive with the number it received. For every participant , if , then expects to receive a checkpoint onion with nonce in this round. In the mixing sub-phase, if fewer than checkpoint onions are missing so far in the protocol run (cumulatively, not just in this round), then continues the run by processing all the other onions. Otherwise, ’s status changes: it is no longer live but becomes an aborted party. In the equalizing sub-phase, changes its status to aborted if or more checkpoint onions are missing in this round, and continues otherwise.
At the last round (round ) of the execution phase, peels the onions it received and outputs the set of (non-empty) messages it received.
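To make the checkpoint mechanism concrete, here is an added Python model (not the paper’s code) of the sender-side decision from the onion-forming phase and the verifier-side diagnostic test from the execution phase. It assumes the pseudorandom function is instantiated with HMAC-SHA256 over a key shared by the two parties, that "form a checkpoint onion" means the first PRF byte falls below a threshold, that onions are (nonce, message) pairs rather than ciphertexts, and constructed values for the epoch length, the mixing-phase length and the abort threshold; the class and function names are my own.

```python
"""Checkpoint onions and the diagnostic test at a relay.

Added example, not the paper's code. The PRF is instantiated with
HMAC-SHA256 keyed by a pair's shared key; parameter values are constructed.
"""
import hashlib
import hmac
import random

ROUNDS_PER_EPOCH = 4    # constructed epoch length
MIXING_ROUNDS = 8       # constructed: rounds 1..8 form the mixing sub-phase
THRESHOLD = 2           # constructed threshold for missing checkpoint nonces


def prf(key: bytes, rnd: int) -> bytes:
    """Stand-in for the paper's PRF: HMAC-SHA256 over the round number."""
    return hmac.new(key, f"checkpoint|{rnd}".encode(), hashlib.sha256).digest()


def checkpoint_decision(shared_key: bytes, rnd: int, prob: float):
    """Both parties of a pair evaluate this identically: returns the nonce of
    the checkpoint onion due at round rnd, or None if none is due."""
    out = prf(shared_key, rnd)
    if out[0] >= int(256 * prob):       # prob=1.0 means one is always due
        return None
    return out[1:17].hex()


def is_diagnostic(rnd: int) -> bool:
    """The last round of every epoch is a diagnostic round."""
    return rnd > 0 and rnd % ROUNDS_PER_EPOCH == 0


class Party:
    def __init__(self, name, shared_keys, prob=0.5, rng=random):
        self.name = name
        self.keys = dict(shared_keys)   # peer name -> key shared with that peer
        self.prob = prob
        self.rng = rng
        self.live = True
        self.missing_total = 0          # cumulative count, mixing sub-phase only

    def checkpoints_to_form(self, rnd):
        """Sender side: (verifier, nonce) for every checkpoint due at round rnd."""
        due = []
        for peer, key in self.keys.items():
            nonce = checkpoint_decision(key, rnd, self.prob)
            if nonce is not None:
                due.append((peer, nonce))
        return due

    def expected_nonces(self, rnd):
        """Verifier side: the same PRF computation from the same shared keys."""
        return {nonce for _, nonce in self.checkpoints_to_form(rnd)}

    def process_round(self, rnd, received):
        """received: list of (nonce, message) pairs peeled at this round.
        Returns the onions to forward, or None once the party has aborted."""
        if not self.live:
            return None
        # merging: onions carrying the same nonce collapse into one, chosen at random
        groups = {}
        for nonce, msg in received:
            groups.setdefault(nonce, []).append(msg)
        merged = {n: self.rng.choice(msgs) for n, msgs in groups.items()}
        if is_diagnostic(rnd):
            missing = len(self.expected_nonces(rnd) - set(merged))
            if rnd <= MIXING_ROUNDS:
                self.missing_total += missing          # cumulative rule
                if self.missing_total >= THRESHOLD:
                    self.live = False
            elif missing >= THRESHOLD:                  # per-round rule
                self.live = False
            if not self.live:
                return None
        return list(merged.items())
```

The verifier never learns in advance which of its peers will send a checkpoint in a given round beyond what the shared-key PRF tells it, which is the whole point: a dropping adversary cannot tell checkpoint onions from merging onions, so dropping a constant fraction of all onions removes a proportional number of expected nonces and trips the threshold.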
6.3 Proof that is efficient, robust, and anonymous
In this section, we will prove that there exists a parameter setting (for , , , and ) such that is simultaneously efficient, fault-tolerant, and anonymous.
Our measure of efficiency is onion cost per user, which measures how many onions are transmitted by each user in the protocol. This is an appropriate measure when the parties pass primarily onions to each other. It is also an attractive measure of complexity because it is algorithm-independent: If we measured complexity in bits, it would change depending on which underlying encryption scheme was used. Since an onion contains as many layers as there are intermediaries, its bit complexity scales linearly with the number of intermediaries. (We assume that every message can be contained in a single onion.) To translate our lower bound from onion complexity to bits, we will consider onions to be at least as long (in bits) as the message being transmitted and the routing information. More formally,
**Definition 6** (Onion cost).
Let denote the number of onions formed by an honest party that party transmits directly to another party in a protocol run of with adversary , security parameter and .
The onion cost of is \mathsf{OC}^{\Pi,\mathcal{A}}(1^{\lambda},\Sigma)\stackrel{\text{def}}{=}\mathbb{E}_{\sigma\leftarrow\Sigma,\,P_{i}\leftarrow\mathcal{P}}\left[\mathsf{out}^{\Pi,\mathcal{A}}_{i}(1^{\lambda},\sigma)\right], where the expectation is over an input sampled from and a party sampled from the set of participants of the protocol.
For an adversary class , the onion cost of interacting with w.r.t. is the maximum onion cost over the adversaries in , i.e., .
Our formal notion of fault tolerance is robustness, defined below:
**Definition 7** (Robustness).
A messaging protocol \Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)\Pi$ delivers all messages sent out by honest participants with overwhelming probability.
Let denote the class of active adversaries who can corrupt up to a constant fraction of the participants. In this section, we will prove the following upper bound on onion cost:
**Theorem 3.**
For any constants and , there is a setting of , , , and such that is robust and anonymous from the adversary class with onion cost at most (in the presence of ), where is the security parameter and is the number of participants.
Proof.
Recall that the number of corruptions is . Set such that and such that . Let ; and let , where is the expected number of (commutable) checkpoint nonces at a party at a diagnostic round.
Having set the parameters, we wish to show that the protocol (a) is robust; (b) has onion cost ; and (c) is anonymous, provided that the underlying onion encryption scheme is secure.
Part (a) is true by inspection.
To see why (b) follows, recall that each participant forms merging onions, and, on average checkpoint onions; let be the maximum number of onions formed by an honest party. Each of these onions will need to be processed in each round, so , where is the number of rounds. Using Chernoff bounds, with overwhelming probability. The number of rounds is ; for our setting of parameters, therefore, .
We show part (c) via a series of lemmas that follow. First, we invoke the UC composition theorem of Canetti [Can01] in order to replace cryptographic algorithms for onion encryption with ideal encryption; this allows our further analysis to assume that onions reveal nothing to an intermediary other than the information that is intended for (Lemma 1). Let be the resulting protocol. Next, we argue that is an indifferent onion routing protocol (Lemma 2). This is helpful because then we will be able to invoke Theorem 1. Third, we discard, for the purposes of analysis, all the checkpoint onions that are checked by the adversary; we show that if a protocol mixes (resp. equalizes) in this setting, then it mixes (resp. equalizes) (Lemmas 6 and 7 in Appendices B.1 and B.2). Finally, we show that in this setting, mixes (Lemma 3) and equalizes (Lemma 4). Then, putting it all together, we get our desired result. ∎
**Lemma 1.**
Let be onion routing protocol that makes use of an onion encryption scheme that is UC-secure [Can01] under a computational assumption . Let be the same protocol, but the onion encryption scheme is replaced by the ideal onion encryption functionality of Camenisch and Lysyanskaya [CL05]. If is anonymous, then is anonymous under assumption .
Proof.
The Lemma follows by the UC composition theorem of Canetti [Can01]. ∎
Remark.
Since CCA2-secure public-key encryption UC-realizes the ideal public-key encryption functionality of Canetti, and in the adversary already knows how many layers of a given onion have already been peeled, forming onions by using CCA2-secure encryption to encrypt each layer will also result in an anonymous .
**Lemma 2.**
* is indifferent.*
Proof.
In , the length of each routing path is fixed, and the intermediaries and nonces of honestly formed onion layers do not depend on the input to the protocol. The procedure for generating intermediaries and nonces (boxed in Figure 5) takes as input only the values , , and . Thus, by definition, is indifferent. ∎
For the subsequent lemmas (Lemmas 3-5), we analyze only commutable onions, where an onion (layer) is commutable if (i) an honest party formed it, and (ii) it is not a checkpoint onion for verification by an adversarial party (more precisely, it does not belong to the same evolution as a checkpoint onion for verification by an adversarial party).
**Lemma 3.**
With parameters , , , and defined as above, mixes for the adversary who corrupts up to half of the parties.
Proof sketch. If delivers messages in the final round , then w.o.p., the adversary dropped (at most) a constant fraction of the commutable checkpoint onions before the last epoch: The adversary cannot drop more than a constant fraction of all commutable onions without also dropping a proportional number of checkpoint onions. This is because if the adversary were to drop more than a constant fraction of all commutable onions, then, from known probability concentration bounds [HS05], w.o.p., the adversary would drop close to a proportional number of checkpoint onions, which, in turn, would cause all honest parties to abort the run. Combining this with Chernoff bounds we get: during each round of the penultimate epoch , each honest party processed a polylogarithmic (in the security parameter) number of commutable onions. From Chernoff bounds, we also get: during epoch , each commutable onion went to an honest party a polylogarithmic number of times. Thus, either the aborts, or it sufficiently shuffles the commutable onions during the penultimate epoch since shuffling for a polylogarithmic number of rounds with a polylogarithmic number of other onions is sufficient for mixing. Either way, mixes. See Appendix B.1 for the proof of Lemma 3. ∎
**Lemma 4.**
With parameters , , , and defined as above, equalizes for the adversary who corrupts up to half of the parties, who also receives everything about non-commutable onions as an auxiliary input.
Before proving Lemma 4, let us prove the following:
**Lemma 5.**
Let run with parameters , , , and as defined above on input , with corrupting up to half of the participants and receiving everything about non-commutable onions as an auxiliary input. If there is an unaborted honest party at the beginning of the equalizing phase, then with overwhelming probability for each honest party , at least of ’s merging onions remained undropped by the adversary at the end of the mixing phase. (Recall that is the corruption rate.)
Proof sketch. In the first round, the adversary knows the sender of each commutable onion. As the protocol progresses, loses track of this information. Thus, ’s optimal tactic is to target Alice upfront by dropping every onion that might have come from Alice that is routed to an adversarial party during the first three rounds of the first epoch (as well as the last round of the epoch).
In the first round, some of Alice’s onions route to a corrupt party; drops all of these. However, from Chernoff bounds, w.o.p., at least a constant fraction of Alice’s onions go to an honest party first. Let be such an onion, and let be the honest party that receives in the first round. Recall that during each epoch of the mixing phase, shuffles onions back and forth with another party . can attempt to drop if is corrupt. However, even if is corrupt, cannot drop if it arrives at first and remains at during rounds and (and returns to at round ) – so, using probability concentration bounds, of the time. Thus, even if employs the optimal tactic for dropping Alice’s onions, (at least) of Alice’s onions will make it to the equalizing phase. Since cannot do better than this, this proves Lemma 5. (See Appendix B.3 for the full proof.) ∎
Proof sketch of Lemma 4.
From Lemma 5, if continues into the equalizing phase, then a constant fraction of each honest party’s merging onions are still in play at the start of the equalizing phase. However, Lemma 5 does not guarantee that there will be an epoch such that the number of Alice’s merging onions at epoch , , will be close to that of Allison’s, . To prove that equalizes, we need to show that there exists an epoch such that (for any two parties Alice and Allison), . If doesn’t drop any commutable onions during the equalizing phase, then this condition is satisfied by the merging of onions.
So what can do? The only information that has for guessing where any commutable onion came from is which onions are part of a mergeable pair and which are not; this is because the onions are shuffled during the mixing phase and each epoch of the equalizing phase. Let a singleton be a commutable onion that is not part of a mergeable pair; note that it can be either a checkpoint onion or a merging onion. W.l.o.g., suppose that dropped more of Alice’s onions upfront (during the mixing phase) than Allison’s. Then, at the start of the equalizing phase, it is likely that more singletons are Alice’s merging onions than Allison’s merging onions. So, can attempt to prevent the numbers of merging onions from evening out by dropping singletons. We can show that the best that can do is to drop as many singletons as possible (without causing the protocol to be aborted) at the beginning of the equalizing phase. (Of course, could also drop onions that belong in a mergeable pair, but this would only help to even out the numbers of merging pairs.) Even if does this, there exists an epoch such that . (See Appendix B.4 for the full proof.)
Armed with Lemma 5 and the above analysis, we can prove that equalizes. If the adversary drops too many onions during the mixing phase, then equalizes since every honest party stops participating (Lemma 5), and so no one receives their message. Otherwise, equalizes since enough of each sender’s merging onions make it to the equalizing phase (Lemma 5), and the numbers of merging onions are eventually evened out by the merging of onions (above). ∎
7 Our lower bound: polylog onion cost is required
In this section, we present our lower bound: an onion routing protocol can be anonymous from the active adversary only if the onion cost is superlogarithmic in the security parameter. Our lower bound holds for protocols that are minimally functional for the active adversary. We call this notion weak robustness, defined below. The reason this definition is weaker than robustness (Definition 7) is that here we only insist that the protocol guarantee delivery for senders whose onions are never dropped.
**Definition 8** (Weakly robust).
Let \Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)\adv\Pi\bigO{\log(\lambda)}\Pi\advPP$’s message will be delivered to its recipient with overwhelming probability.
**Theorem 4.**
If the onion routing protocol \Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)\advf(\lambda)=\bigO{\log(\lambda)}\Pi\adv\smallOmega{f(\lambda)}$.
Let us give the intuition for the proof of this theorem. If an honest sends out only onions, then an adversary that chooses which participants to corrupt uniformly at random has a chance of controlling each and every participant that ever receives an onion directly from . (This is because , since and are polynomially related.) Thus with non-negligible probability it can cut off entirely by dropping all of the onions it sends out, guaranteeing that the intended recipient of ’s message never receives the message; yet, by weak robustness (Definition 8), we can show that there will be some recipient whose probability of receiving his message is high. Therefore, will not equalize (Definition 4): based on who failed to receive the message, it is possible to determine whether ’s intended recipient was Bob or Bill. Since it does not equalize, by Theorem 2, it is not anonymous. The full proof is in Section D.
8 Conclusion and future work
Here, we mention a few extensions of our results: We proved that the required onion cost for an onion routing protocol to provide robustness and (computational) anonymity from the active adversary is polylogarithmic in the security parameter. Our proof for the lower bound can be used to prove the stronger result that polylogarithmic onion cost is required even when (1) the adversary observes the traffic on only a fraction of the links, or when (2) the security definition is weakened to (computational) differential privacy. (3) Also, while we explicitly showed this to be the case for the simple I/O setting, the result holds more generally whenever any party can send a message to any other party.
We also proved the existence of a robust and anonymous onion routing protocol with polylogarithmic (in the security parameter) onion cost. (4) This result also extends beyond the simple I/O setting; our onion routing protocol is anonymous w.r.t. any input set where the size of each party’s input is fixed.
There is a small gap between our lower and upper bounds. A natural direction for future work is to close this gap.
Appendix A Proof that equalizing and mixing imply anonymity
Proof.
[Proof of Theorem 1] Suppose that equalizes. We wish to show that in this case, mixing implies anonymity. To show this, we will provide a reduction that wins the mixing game with non-negligible advantage using an adversary that wins the anonymity game with non-negligible advantage.
Without loss of generality we will only consider that always chooses swap-neighboring input vectors for the challenge input vectors and , where swap-neighboring means that there exist parties such that (i) for every party , (ii) , and (iii) .
By a straightforward hybrid argument, it follows that the onion routing protocol anonymizes from the adversary class in the simple I/O setting if no adversary that sets , to be swap-neighboring can win the anonymity game with non-negligible advantage.
So our goal is to construct a reduction that wins the mixing game with nonnegligible advantage from an adversary that wins the anonymity game with swap-neighboring with nonnegligible advantage.
1. Key setup:
   - The adversary picks the set of corrupt parties. This information is relayed to the reduction who forwards it to the challenger of the mixing game.
   - replies to with the public keys of the honest parties. forwards these public keys to .
   - then picks the keys for the adversarial parties and sends the public-key portions to , who relays them to .
2. Input selection:
   - picks swap-neighboring input vectors and such that . Let and be the (necessarily) honest parties whose inputs are swapped in and . sends the input vectors to .
   - Let be the recipient of in , and let be the recipient of in . converts the information to the corresponding partial input vector , i.e., in , for . sends the partial input vector to .
   - picks a random bijection from the set to the set to complete the input vector .
3. , , and interact in an execution of protocol on input (kept secret by ) with acting as the honest parties adhering to the protocol and (via ) controlling the corrupted parties.
4. Let be the set of honest onions received by , and let be the set of honest onions received by . Upon receiving a guess from , picks onions and and a sender as follows:
[TABLE]
guesses that onion was sent by and was not.
We now explain why the reduction works.
Let denote ’s advantage in winning the anonymity game, and let denote conditioned on event . Let be the event that each target recipient receives at least one challenge onion.
Claim: occurs with non-negligible probability, and is non-negligible, i.e., .
wins the mixing game if (i) picks two valid onions (one for and the other for ), and (ii) wins the anonymity game. Thus, if the claim holds, wins with non-negligible advantage since (i) occurs with non-negligible probability, and (ii) occurs with non-negligible advantage.
Thus, to prove that the reduction works, it suffices to show that the above claim holds. We do this below.
Let an onion be a cured onion if it can be processed into a challenge onion, i.e., letting denote the party who receives in the execution, produces a challenge onion .
Let be the event that there are cured onions for one of the target receivers. Given , the adversary has no advantage in winning the anonymity game:
If there are no cured onions for either or during the execution, then doesn’t observe any challenge onion or its destination. Since is indifferent (and the underlying onion encryption scheme is secure), this implies that everything observable by is statistically the same on input as it is on , and so cannot fare better than a random guess in winning the anonymity game.
The adversary’s advantage is also negligible in the case where there are cured onions for only one of the receivers. This is because a difference in the numbers of cured onions observed during the execution cannot relay any information regarding the input when is indifferent and equalizes (and the underlying onion encryption scheme is secure).
Let be the complement of . can be expanded as:
[TABLE]
and so is non-negligible in the security parameter.
Given , can reliably drop all challenge onions for one target receiver (w.l.o.g., ) but leave at least one challenge onion for the other target receiver () only if could directly win the mixing game with non-negligible advantage. This implies our claim above. ∎
Appendix B Proofs of Lemmas 3, 4, 5, and 7
This section contains the full proofs of the lemmas used to prove that is anonymous (Theorem 3).
We prove that mixes in Appendix B.1 by proving that the protocol mixes commutable onions during the last epoch of the execution phase. In Appendix B.2, we define what it means for an onion routing protocol to equalize from commutable onions (Definition 10) and show that equalizing from commutable onions implies equalizing (Lemma 7). Appendices B.3 and B.4 contain the full proofs for Lemmas 5 and 4: these are used to support our claim that equalizes from commutable onions.
B.1 Proof that mixes
In this section, we prove Lemma 3: mixes.
To do this, we will prove that “sufficiently shuffles” the commutable onions, where a commutable onion is an onion that is formed by an honest party, which is not a checkpoint onion to be verified by an adversarial party. Formally, we define what this means using the following game.
The game.
Let be a secure onion encryption scheme. The mixing game is parametrized by the security parameter , an onion routing protocol , an adversary , and two round numbers and .
First, the adversary and the challenger set up the parties’ keys and select the input (exactly as we described for the original mixing game in Section 3.3).
Next, interacts with in an execution of protocol on input with acting as the honest parties adhering to the protocol and controlling the corrupted parties. Whenever the protocol specifies for an onion to be formed or processed, runs the onion encryption scheme’s onion-forming algorithm or onion-processing algorithm . Whenever forms a non-commutable onion (i.e., a checkpoint onion to be verified by an adversarial party), provides with the input and output of the algorithm : the message, the routing path, the keys associated with the parties on the path, the sequence of nonces, and the evolution of onion layers.
Let be the set of commutable onions received by the parties in round . Let be the set of (commutable) onions in round that “evolve” into an onion in ; that is, an onion is in iff a peeled version of is in .
At the end of the execution, provides with the following information: for each onion in , the onion’s evolution from the first round to round ; and for each onion in , the onion’s evolution from round to the final round. Based on this auxiliary information and its view, chooses two onions . picks a random bit and provides with the onion that evolves into , and outputs a guess for .
If and were formed by different senders and evolve into valid challenge onions (see the description of the original mixing game in Section 3.3 for a reminder of what a valid challenge onion is), and if , then wins with probability one. Otherwise, wins with probability one-half.
We now define what it means for an onion routing protocol to mix commutable onions from round to round .
**Definition 9** (Mixing commutable onions from round to round ).
Let \Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)\advr_{1}r_{2}\geq r_{1}E\mathsf{CommutableMixingGame}(1^{\lambda},\Pi,\adv,r_{1},r_{2})\Pir_{1}r_{2}E\advE\adv\mathsf{CommutableMixingGame}(1^{\lambda},\Pi,\adv,r_{1},r_{2})\left|\prob{\text{ wins },|,E}-\frac{1}{2}\right|=\negl.$
The protocol computationally (resp. statistically) mixes commutable onions from round to round if is computationally bounded (resp. unbounded).
We can relate Definition 9 to mixing (Definition 5) as follows:
**Lemma 6.**
Let \Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)\advr_{1}r_{2}\geq r_{1}E\mathsf{CommutableMixingGame}(1^{\lambda},\Pi,\adv,r_{1},r_{2})\Pir_{1}r_{2}E\adv\PiE\adv$.
Proof.
Suppose that can “break” mixing, i.e., can win the mixing game with non-negligible advantage. Then, for any rounds , we can construct a reduction that can win with non-negligible advantage as follows:
chooses the set of parties to corrupt. generates the keys for the honest parties, and picks the keys for the corrupt parties. Then, the adversary chooses the target senders , the target receivers , and the partial input vector , and samples a random input vector that “completes” . After interacting in a protocol run with (via ), outputs two onions and received by parties in and a party . determines the onions that “evolve” into and . ( can do this since is indifferent and, therefore, round cannot occur after the final round in which and are received.) relays to , and responds with the onion . If was formed by , then guesses ; otherwise, outputs a random bit for .
The reduction works since, conditioned on and ’s challenge being valid, wins half of the time that wins (when ). ∎
We now prove Lemma 3 via Lemma 6.
Proof.
[Proof of Lemma 3] Here, we prove that mixes. From Lemma 6, to prove that mixes, it suffices to show that the protocol mixes commutable onions from the first round of the penultimate epoch, round , to the last round of the penultimate epoch, round .
Case 1. Let be the event that every honest party aborts by the first round of the final epoch, round . Given , mixes since w.o.p., no honestly formed onion will be delivered. (With overwhelming probability, the latter half of each honestly formed onion contains an honest party who has already aborted the run.)
Case 2. Let be the complement of . That is, is the event that there is an unaborted honest party at the first round of the final epoch, round . Let us condition on . The adversary cannot drop more than a constant fraction of all commutable onions without also dropping a proportional number of checkpoint onions: if the adversary were to drop more than a constant fraction of all commutable onions, then, from known probability concentration bounds [HS05], w.o.p., the adversary would drop close to a proportional number of checkpoint onions, which, in turn, would cause all honest parties to abort the run. Therefore, the average number of commutable onions routed to any party at a round is superlogarithmic in the security parameter.
Let be the set of commutable onions at round . Suppose that is given and allowed to choose any two onions and in . Let and be onions at round that “evolve” into and . Below, we prove the claim: even if were provided the set (in addition to her view and ), the sequence of onion layers that preceded , and the sequence of onion layers that preceded , still wouldn’t be able to guess which onion in is the peeled version of with better than negligible advantage.
Proof of claim: For , let be the set of onions defined as follows: an onion iff there exists an onion such that we get by “peeling off” layers from .
For a round and a party , let denote the volume (i.e., number) of onions in located at .
Let be any commutable onion at round , and let denote the location of (i.e., the party who receives ). Let denote the (unbounded) adversary’s “best estimate” that the onion at round from which evolved is at party , and define . That is, is the “gap” in probabilities at round ; it is the difference between the highest (normalized) probability at round and the lowest. Assume for a moment that there are no corrupt parties. Then, using Chernoff bounds, we can show that the gap at least halves with every round, i.e., ; the proof is essentially the same argument made for proving an earlier result [ALU18, Theorem 10]. Since is superlogarithmic in , this implies that is negligible in . In other words, cannot be traced back to . This is still true when at most a constant fraction of the parties are corrupt; this is because w.o.p., any pair of commutable onions (formed by honest parties) both route to (possibly different) honest parties for at least a constant fraction of the rounds between and .
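The gap argument above can be checked exactly in a simplified model. The Python below is an added example (not the paper’s code): it assumes a single onion, no corrupt parties, a plain butterfly on n = 2^d nodes in which round j keeps the onion at its node or flips bit (j mod d), and a uniform prior over the starting node. It computes the exact posterior over the origin given the onion’s location after a number of rounds and reports the gap between the most and least likely origin; the function names are my own.

```python
"""Exact origin distribution of an onion walking through a butterfly network.

Added example, not the paper's code. Simplified model: one onion, no corrupt
parties, plain butterfly on n = 2**d nodes, uniform prior over the origin.
"""
from fractions import Fraction


def origin_distribution(location, rounds, d):
    """P[origin = P | onion is at `location` after `rounds` steps], for all P.
    Each step j moves from P to P or P with bit (j mod d) flipped with equal
    probability; with a uniform prior and in-degree two everywhere, tracing
    backwards is the same uniform two-way choice, undone latest step first."""
    n = 1 << d
    dist = {location: Fraction(1)}
    for j in range(rounds - 1, -1, -1):
        nxt = {}
        for P, p in dist.items():
            for Q in (P, P ^ (1 << (j % d))):
                nxt[Q] = nxt.get(Q, Fraction(0)) + p / 2
        dist = nxt
    return [dist.get(P, Fraction(0)) for P in range(n)]


def gap(dist):
    """Difference between the highest and lowest origin probability; the
    adversary's best estimate is no better than chance once this reaches 0."""
    return max(dist) - min(dist)


def gaps_by_round(location, d, max_rounds):
    """The gap after 0, 1, ..., max_rounds rounds, to watch it halve."""
    return [gap(origin_distribution(location, r, d)) for r in range(max_rounds + 1)]
```

In this model the gap is exactly 2^-k after k < d rounds and 0 once a full pass of the butterfly is complete, so it halves every round as the proof sketch states; the paper’s Chernoff-bound argument handles the realistic setting with many onions and a constant fraction of corrupt parties.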
In conclusion, mixes either because it was aborted by all honest parties midway through the last epoch of the execution, or because the protocol sufficiently shuffles the commutable onions during the last epoch of the execution. The latter implies that the protocol mixes conditioned on from Lemma 6. ∎
B.2 Proof that equalizing from commutable onions implies equalizing
First, we formally define what it means for the distinguisher to win the equalizing game when the adversary knows everything about non-commutable onions.
The game.
The game is parametrized by the security parameter , an onion routing protocol , an adversary , a distinguisher , and a set of input vectors.
The game starts exactly like the anonymity game (described in Section 3.1): First, the adversary and the challenger set up the parties’ keys. Then, selects two inputs and from (that are equivalent w.r.t. the set of corrupted parties), and picks a random bit .
The parties interact in an execution of protocol on input with acting as the honest parties adhering to the protocol and controlling the corrupted parties. Whenever the protocol specifies for an onion to be formed or processed, runs the onion encryption scheme’s onion-forming algorithm or onion-processing algorithm . Whenever forms a non-commutable onion (i.e., a checkpoint onion to be verified by an adversarial party), provides with the input and output of the algorithm : the message, the routing path, the keys associated with the parties on the path, the sequence of nonces, and the evolution of onion layers.
At the end of the execution, computes the statistics , where each represents the number of messages that party received during the execution. (See the description of the original equalizing game in Section 3.2 to recall how the statistics are computed for adversarial parties).
sends these statistics to the distinguisher , who outputs a guess for and wins the game if . We define equalizing from commutable onions as follows.
**Definition 10** (Equalizing from commutable onions).
An onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ equalizes from commutable onions with respect to the adversary class $\mathbb{A}$ and the input set $\Sigma$ if for every adversary $\adv\in\mathbb{A}$ and every distinguisher $\ddv$, $\ddv$ wins $\mathsf{CommutableEqualizingGame}(1^{\lambda},\Pi,\adv,\ddv,\Sigma)$ with at most negligible advantage, i.e., $\left|\prob{\ddv\text{ wins}}-\frac{1}{2}\right|=\negl.$ The protocol computationally (resp. statistically) equalizes from commutable onions if the adversaries and the distinguishers are computationally bounded (resp. unbounded).
If the distinguisher can win the equalizing game with non-negligible advantage, then she can also win the equalizing game from commutable onions (i.e., when the adversary is given auxiliary information). It follows that,
**Lemma 7.**
If the onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ equalizes from commutable onions with respect to the adversary class $\mathbb{A}$, then $\Pi$ equalizes with respect to $\mathbb{A}$.
B.3 Proof of Lemma 5
The adversary’s goal is to prevent the protocol from equalizing. The adversary can win if for any honest parties and , there is a strategy for dropping ’s message with probability noticeably higher than that of dropping ’s message. At the first round, the adversary still knows the sender of every onion. As the protocol progresses, the onions get shuffled, and the adversary loses track of who sent which onion. Thus, a conceivable attack by the adversary is to drop onions likely to have originated at upfront.
Lemma 5 states that if the adversary drops at most a logarithmic number of onions during the mixing phase, then a constant fraction of ’s onions will remain at the start of the equalizing phase. If the adversary drops many more onions than this, then every honest party will detect the attack and abort the protocol.
We now formally state and prove Lemma 5.
Let be the number of epochs in the mixing phase, and let “the start of the equalizing phase” be diagnostic round . (It is more precisely the end of the mixing phase.)
Formal statement of Lemma 5.
In , let the onion encryption scheme be perfectly secure; let ; and let , where is the number of participants, is the security parameter, and .
Let be a fixed constant, representing the “corruption rate.” Let be any set of participants in such that , and let be any active adversary who corrupts the set of parties.
Let be any input in the simple I/O setting.
For a party , let denote the number of ’s merging onions that remain at the start of the equalizing phase in an interaction between and on input . If there exists an honest party such that is unaborted after the start of the equalizing phase, then w.o.p., for all .
Proof.
[Proof of Lemma 5] Fix any target honest party .
We will first consider what happens when the adversary employs the following tactic . (Later on, we will analyze what happens when tries a different tactic.) In between the first and second rounds, drops every onion that sends to an adversarial party. In between the second and third rounds and between the third and fourth rounds, drops every onion that might have come from . For example, suppose that in the first round, sends an onion to an honest party. Then, drops every onion that the honest party sends to an adversarial party in the second round.
Let be any onion that first routes to an honest party, which we will denote . W.l.o.g., assume that is designed to shuffle between and an adversarial intermediary during the first epoch of the mixing phase. More precisely, the position of the peeled version of shuffles between and . (We can assume that is adversarial since otherwise is also honest.) By design, all honestly formed onions that first go to or shuffle randomly between and for the first epoch of the mixing phase.
By using tactic , the adversary drops too many onions for the protocol to continue. If drops every onion that sends to in the second and third rounds, then w.o.p., will detect this and abort the protocol run before the second epoch. (This follows from a known probability concentration bound for the hypergeometric distribution [HS05].) aborting the protocol run, in turn, will cause the network to be flooded with abort messages, and the remaining honest parties to eventually abort. (While at least half of the honest parties are unaborted, the number of aborted honest parties grows super-exponentially w.r.t. the number of rounds. This follows from recasting the problem as a martingale problem and applying the Azuma-Hoeffding inequality; see Lemma 8 below.)
At the end of the first epoch, the adversary can drop almost all of the onions he has. So the ’s onions that are “safe” are those that are routed to an honest party in the first round, and again to the same honest party in the second, third, and final rounds of the first epoch.
What fraction of ’s onions are “safe?” For an arbitrarily small positive constant , at least of ’s merging onions go to an honest party at the first round (Chernoff bounds), and at least fraction of these go to an honest party in the second, third, and final rounds (Chernoff bounds). In particular, these bounds hold for any . Thus, the answer is: w.o.p., at least .
We now consider what happens when behaves arbitrarily.
For every honest party , let denote the party that shuffles onions with during the first epoch. Let be the number of onions that drops during the first epoch that would have shuffled between and , and let .
Case 1: If , then w.o.p., the honest parties will abort the protocol for the same reason that they would in an interaction with an adversary employing tactic : drops too many onions.
Case 2: If , then either makes fewer targeted drops or delays targeted drops. Either way, cannot eliminate more of ’s onions than it would by employing tactic . Thus, in this case, . ∎
**Lemma 8.**
Let be the security parameter, and let be the number of honest parties (or locations). Let be the set of commutable onions at any round of the protocol execution. If and , then, with overwhelming probability in , at least parties receive at least one onion from .
Proof.
Let be the size of .
We recast this problem as a balls-and-bins problem, where the onions in are the balls, and the parties (or locations) are the bins. To prove the lemma, we show that when balls are thrown independently and uniformly at random into the bins, with overwhelming probability in , the number of non-empty bins is at least .
Let be the bins. For each , let be the indicator random variable that is one if the -th bin is empty (and zero, otherwise). The probability that remains empty is given as The total number of empty bins is the summation of all the ’s. By the linearity of expectation,
Let be the total number of non-empty bins; i.e., . Again by linearity of expectation,
[TABLE]
where (2) holds since is strictly less than the first three terms of its Laurent series, and (3) holds since by the hypothesis.
For every , let be the location of the -th ball, and let
[TABLE]
The sequence is a Doob martingale by construction, satisfying the Lipschitz condition with constant bound one, i.e., . Thus, we may apply the Azuma-Hoeffding inequality as follows: For ,
[TABLE]
where (4) follows directly from (3), and (5) holds since and from the hypothesis.
In other words, with overwhelming probability in ,
[TABLE]
Thus, it follows that, with overwhelming probability in ,
[TABLE]
where (6) follows directly from (3). ∎
B.4 Proof of Lemma 4.
Let be any small constant such that .
Recall that “” is the start of the equalizing phase. Let the “partway point” be the diagnostic round in epoch , where .
In this section, we prove the following: provided that there are enough of each honest sender’s merging onions at epoch , there exists an epoch such that w.o.p., for any honest parties and , the number of ’s merging onions will be statistically-close to ’s by the epoch:
Formal statement of Lemma 4.
In , let the onion encryption scheme be secure; let ; and let , where is the number of participants, is the security parameter, and .
Let be a fixed constant. Let be any set of participants in such that , and let be any active adversary who corrupts the set of parties.
Let be any input in the simple I/O setting.
For any party and epoch , let be the number of ’s merging onions that remain at the diagnostic round in an interaction between and on input . If for all , , then w.o.p., for all , where denotes the total variation (a.k.a. statistical) distance.
Proof.
[Proof of Lemma 4] A pair of commutable onions is mergeable if the onions arrive at the same place and time and produce the same nonce when processed (once). Let a commutable onion be a singleton if it does not belong in any mergeable pair.
At every round, observes some statistics on singletons and pairs of mergeable onions. With overwhelming probability, these are the only categories of commutable onions in the system; e.g., w.o.p., there cannot be three onions that produce the same nonce when peeled (once). This is because a pair of mergeable onions at the start of an epoch cannot remain unmerged for too long. Either drops one or both of the onions, or w.o.p., within the epoch (lasting rounds), an honest party merges the pair. This last fact follows from Chernoff bounds.
During the mixing phase and during each epoch of the equalizing phase, sufficiently shuffles the commutable onions. This produces the effect that the only useful information that has for determining the sender of an onion is whether it is a singleton or a merging onion. may know that fewer merging onions from one honest party, say , remain in the system compared with those from another honest party, ; in which case, might bet that more singletons are ’s merging onions than ’s. In an attempt to prevent the protocol from equalizing, might try dropping singletons during the equalizing phase. (See Appendix B.4.2 for a precise definition of what we mean by sufficiently shuffling and for the proof that sufficiently shuffles commutable onions.)
To prove Lemma 4, we will prove,
Claim. The adversary cannot prevent from equalizing by attacking singletons. No matter how many singletons the adversary drops and when, w.o.p., the probability that ’s recipient receives ’s message can be only negligibly different from that of ’s recipient receiving ’s message.
Proof of claim. Let be the set of commutable singletons in the first round of the epoch, and let be the (total) number of commutable checkpoint onions that are formed.
Suppose that for every epoch , the adversary drops fraction of the onions in . We expect that the adversary drops of the commutable checkpoint onions during epoch , and another of the remaining commutable checkpoint onions during epoch , and so on. Following this logic, by the epoch, we expect that fraction of the commutable checkpoint onions have been dropped, where is defined recursively as follows: , and for all .
Case 1: if . In this case, the adversary drops “many” onions. From repeated applications of probability concentration bounds, we can show that (1) the adversary essentially drops a random sample from the remaining singletons, (2) w.o.p., the actual fraction of dropped commutable checkpoint onions is close to , and (3) w.o.p., the number of missing checkpoint onions at a party and round is strongly correlated with . Thus, when , w.o.p., every honest party aborts the protocol run by the partway point, i.e., for every honest . (See Lemma 10 in Appendix B.4.2 for the formal proofs of these claims.)
Case 2: if . In this case, the adversary drops relatively few onions.
Fix any honest party .
Let be any epoch between the start of the equalizing phase and the partway point, and let be the ratio between the actual number of ’s onions at the diagnostic round and its upper bound, , which is necessarily superlogarithmic in the security parameter.
Fix , and let be any fraction between zero and . We will first analyze what happens when the adversary drops fraction of the remaining singletons during the epoch (between the diagnostic and the diagnostic) and another fraction of the remaining singletons during the epoch.
At the diagnostic round, there are an expected (approx.) paired onions and an expected (approx.) singletons. Since the actual quantities of mergeable pairs are close to the expected values (see Lemma 9 in Appendix B.4.1), if the adversary drops fraction of the singletons, then for any small constant , w.o.p.,
[TABLE]
At the diagnostic round, there are an expected (approx.) paired onions and an expected (approx.) singletons. So if the adversary drops fraction of the singletons, then (from Lemma 9 in Appendix B.4.1) w.o.p.,
[TABLE]
Taking the derivative of with respect to , we get
[TABLE]
since from (7). This last inequality follows because , since , and since .
From (8), the best that the adversary can do is to drop at most half of all the singletons upfront, in the epoch, in which case for every honest . This last fact follows from a known concentration bound for the hypergeometric distribution [HS05]. This concludes our proof of the claim.
From the analysis above, to complete our proof of Lemma 4, it suffices to show that it doesn’t help to also drop mergeable pairs.
Fix an epoch between the start of the equalizing phase (i.e., ) and the partway point (i.e., ).
Let be any two honest parties. Let . Let be the number of ’s merging onions at the first round of the epoch so that is the ratio between the number of ’s merging onions (i.e., ) and the maximum it could be (i.e., ). Likewise, let be the number of ’s merging onions at the first round of the epoch.
The adversary can identify an onion to be part of a mergeable pair only if she observes it to be so. The only mergeable onions that can drop are those that first arrive at adversarial parties (at the first round of the epoch). (Those that first arrive at honest parties are merged into singletons before the adversary can drop them.) Thus, can drop up to a random half of all mergeable onions since w.o.p., at least half of all mergeable pairs go to honest parties in the first round of the epoch (Chernoff bounds).
If drops fraction of the mergeable pairs, then the expected number of ’s mergeable onions at the second round is given by , and the expected number of ’s mergeable onions at the second round is given by . W.l.o.g., let . (That is, we expect there to be fewer mergeable pairs among ’s merging onions than among ’s merging onions.) It can easily be checked that .
Since the actual quantities of mergeable pairs are close to the expected values (Lemma 9 in Supplementary materials), this implies that the protocol equalizes faster when also drops mergeable pairs compared to the scenario in which the adversary drops only singletons. ∎
This completes our proof of our upper bound, Theorem 3.
B.4.1 Lemma 9
To prove Lemma 4, we make use of Lemma 9, below. A consequence of Lemma 9 is that w.o.p., the number of an honest party’s mergeable pairs at the start of any epoch is close to what is expected given the number of the party’s merging onions at the start of the epoch.
**Lemma 9.**
Let be a set of balls paired into distinct pairs of balls, and let be a random subset of , such that is a constant factor. For any constant , w.o.p. in , the number of paired balls in is at least and at most .
Proof.
Let . For every , let be one if both onions that comprise the pair in are in , and zero otherwise.
[TABLE]
since there are ways to choose balls from balls; and likewise, there are ways of choosing balls from balls.
Let denote the number of pairs in From the linearity of expectation,
[TABLE]
Recall that . It follows that
[TABLE]
For each , let be the chosen ball in , and let
[TABLE]
Then, is a Doob martingale by construction satisfying the Lipschitz condition with bound . Thus, from the Azuma-Hoeffding inequality, for any ,
[TABLE]
This completes our proof. ∎
B.4.2 Lemma 10
For all of the lemmas in this section: let be a round between the start of the equalizing phase, “,” and partway through the equalizing phase, “,” and let be the upper bound on the corruption rate.
Recall that a commutable onion is either an honest merging onion or an honest checkpoint onion with a checkpoint for verification by an honest party, and that a singleton is an onion that does not belong in any mergeable pair; it is either a checkpoint onion, or a merging onion without a “mate.”
Let be the set of commutable singletons (onion evolutions) at epoch , and let be the number of commutable checkpoint onions (onion evolutions) that are formed.
Suppose that, for every epoch , the adversary drops fraction of the onions in . Then, we expect that the adversary drops of the commutable checkpoint onions during epoch , and another of the remaining commutable checkpoint onions during epoch , and so on. Following this logic, by epoch , we expect that fraction of the commutable checkpoint onions have been dropped, where is defined recursively as follows:
[TABLE]
From repeated applications of probability concentration bounds, we can show that if the adversary drops singletons during the equalizing phase, then (1) the adversary essentially drops a random sample from the remaining singletons (Lemma 11), (2) w.o.p., the actual fraction of dropped commutable checkpoint onions is close to (Lemma 12), and (3) w.o.p., the number of missing checkpoint onions at a party and round is strongly correlated with (Lemma 13). From these, it follows that,
**Lemma 10.**
In : Let be the fraction of remaining commutable singletons that the adversary drops during the epoch, and let be as defined by (9) and (10).
(i) If , then w.o.p., every honest party aborts by the diagnostic.
(ii) Conversely, if there is an unaborted honest party after the diagnostic, then w.o.p., at least half of the commutable checkpoint onions remain in the system at the diagnostic round.
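The cumulative-drop recursion behind Lemmas 10 to 13 and the diagnostic check it feeds, as an added simulation that is not the paper's code. Every size, tolerance threshold and the simplification that each commutable singleton stays in one pool for the whole equalizing phase (with the adversary's drops being a uniform random sample of that pool, as Lemma 11 gives) are constructed assumptions.

```python
import random
from dataclasses import dataclass
from typing import List, Tuple

# Added illustration, not the paper's code. Constructed simplification: every
# commutable singleton (checkpoint onion or mateless merging onion) stays in
# one pool for the whole equalizing phase, and the adversary's drops in epoch k
# are a uniformly random sample of the remaining pool.


@dataclass(frozen=True)
class Onion:
    kind: str       # "checkpoint" or "merging"
    verifier: int   # honest party that checks this checkpoint (-1 for merging)
    epoch: int      # index of the diagnostic that checks it (-1 for merging)


def expected_dropped_fraction(eps: List[float]) -> List[float]:
    """delta_k for each epoch k: the cumulative expected fraction of all
    commutable checkpoint onions dropped when the adversary drops fraction
    eps[k] of the onions remaining at the start of epoch k, i.e.
    delta_1 = eps_1 and delta_k = delta_{k-1} + (1 - delta_{k-1}) * eps_k."""
    deltas, delta = [], 0.0
    for e in eps:
        delta = delta + (1.0 - delta) * e
        deltas.append(delta)
    return deltas


def diagnostic_abort(expected: int, received: int, threshold: float) -> bool:
    """A verifier aborts when the fraction of its expected checkpoints that
    are missing exceeds the (constructed) tolerance threshold."""
    return (expected - received) / expected > threshold


def simulate(n_parties: int, per_party: int, n_merging: int,
             eps: List[float], threshold: float, seed: int = 0
             ) -> Tuple[List[float], List[List[bool]]]:
    """Run the equalizing phase for len(eps) epochs.

    Returns, per epoch, (a) the actual cumulative fraction of checkpoint
    onions dropped and (b) for every party whether its diagnostic aborts."""
    rng = random.Random(seed)
    pool: List[Onion] = []
    n_epochs = len(eps)
    for k in range(n_epochs):
        for p in range(n_parties):
            pool.extend(Onion("checkpoint", p, k) for _ in range(per_party))
    pool.extend(Onion("merging", -1, -1) for _ in range(n_merging))
    total_checkpoints = n_parties * per_party * n_epochs

    dropped_checkpoints = 0
    actual, aborts = [], []
    for k, e in enumerate(eps):
        # The adversary drops a random e-fraction of the singletons that remain.
        rng.shuffle(pool)
        n_drop = int(e * len(pool))
        dropped, pool = pool[:n_drop], pool[n_drop:]
        dropped_checkpoints += sum(1 for o in dropped if o.kind == "checkpoint")
        actual.append(dropped_checkpoints / total_checkpoints)

        # Diagnostic k: each party counts its epoch-k checkpoints still present.
        received = [0] * n_parties
        for o in pool:
            if o.kind == "checkpoint" and o.epoch == k:
                received[o.verifier] += 1
        aborts.append([diagnostic_abort(per_party, received[p], threshold)
                       for p in range(n_parties)])
    return actual, aborts


if __name__ == "__main__":
    eps = [0.3, 0.3]
    print("expected delta_k:", expected_dropped_fraction(eps))
    frac, ab = simulate(20, 400, 8000, eps, threshold=0.25, seed=1)
    print("actual dropped fraction of checkpoint onions:", frac)
    print("parties aborting at each diagnostic:", [sum(a) for a in ab])
```

With a per-epoch drop rate that is large, the measured fraction tracks the recursion and every verifier's diagnostic trips; with a small rate no diagnostic trips, which is the two-sided behaviour Lemma 10 states.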
Below, we formally state and prove Lemmas 11-13, starting with Lemma 11.
**Lemma 11.**
In : No matter how many and which singletons the adversary drops, essentially drops a random sample of the remaining singletons at the start of the epoch.
We will prove Lemma 11 by showing that sufficiently shuffles the commutable onions during the prior epoch. Before proceeding with the proof, below, we formally define what we mean by “sufficiently shuffles” using the following game.
The game
Let be a secure onion encryption scheme. The mixing game is parametrized by the security parameter , an onion routing protocol , an adversary , and two round numbers and .
First, the adversary chooses a subset of the parties to corrupt and sends to the challenger . For each honest party in , generates a key pair for the party by running the onion encryption scheme’s key generating algorithm and sends the public keys of the honest parties to the adversary . picks the keys for the corrupted parties and sends the public keys portions to .
Next, picks the input vector and sends its choice to . interacts with in an execution of protocol on input with acting as the honest parties adhering to the protocol and controlling the corrupted parties. Whenever the protocol specifies for an onion to be formed or processed, runs the onion encryption scheme’s onion-forming algorithm or onion-processing algorithm . Whenever forms a non-commutable onion (i.e., a checkpoint onion to be verified by an adversarial party), provides with the input and output of the algorithm : the message, the routing path, the keys associated with the parties on the path, the sequence of nonces, and the evolution of onion layers.
Let be the set of commutable singletons received by the parties in round . Let be the set of (commutable) onions in round that “evolve” into an onion in ; that is, an onion is in iff a peeled version of is in .
At the end of the execution, provides with the following information: for each onion in , the onion’s evolution from the first round to round ; and for each onion in , the onion’s evolution from round to the final round. Based on this auxiliary information and its view, chooses two onions . picks a random bit and provides with the onion that evolves into , and outputs a guess for and wins if .
We now define what it means for an onion routing protocol to shuffle commutable singletons from round to round .
**Definition 11** (Shuffling commutable singletons from round to round ).
An onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ shuffles commutable singletons from round $r_{1}$ to round $r_{2}$ with respect to the adversary class $\mathbb{A}$ if for every adversary $\adv\in\mathbb{A}$, $\adv$ wins $\mathsf{CommutableShufflingGame}(1^{\lambda},\Pi,\adv,r_{1},r_{2})$ with at most negligible advantage, i.e., $\left|\prob{\adv\text{ wins}}-\frac{1}{2}\right|=\negl.$
The protocol computationally (resp. statistically) shuffles commutable singletons from round to round if the adversaries in are computationally bounded (resp. unbounded).
We now prove Lemma 11.
Proof of Lemma 11.
To prove the lemma, it suffices to show that shuffles singletons from prior to the epoch. We do this by cases.
Case 1. In the first case, epoch is the first epoch of the equalizing phase. We show that sufficiently shuffles the commutable singletons during the mixing phase; that is, w.o.p., the adversary cannot trace any commutable singleton at the end of the mixing phase back to its sender:
Let denote the layer of the evolution to which belongs.
Let be the location of , and let be the bit of the binary representation of . Let the rounds that “affect ” be those that correspond to the stage of ; these are the rounds in epochs , , , …, . From the hypothesis, the number of iterations of the butterfly network is polylogarithmic in the security parameter; thus, from Chernoff bounds, w.o.p., every honestly formed onion goes to at least one honest party during a round that affects each . Moreover, mixes the onion with other onions (from honest parties) unless the adversary drops most onions that were meant to shuffle between and ’s shuffling partner during the epoch, in which case will detect this from the diagnostic test at the end of the epoch and abort. (This follows from a known probability concentration bound for the hypergeometric distribution [HS05].) aborting the protocol run, in turn, will cause the network to be flooded with abort messages, and the remaining honest parties to eventually abort. (While at least half of the honest parties are unaborted, the number of aborted honest parties grows super-exponentially w.r.t. the number of rounds. This follows from recasting the problem as a martingale problem and applying the Azuma-Hoeffding inequality; see Lemma 8 in Supplementary materials.)
Thus, from the adversary’s perspective, every bit of is equally likely to be zero as it is one.
Case 2. When epoch is after the first epoch of the equalizing phase, shuffles commutable singletons from the start of epoch to the end of epoch using an identical argument as our proof of Lemma 3. ∎
This next lemma states that the actual fraction is close to the expected, .
**Lemma 12.**
In : Let be the fraction of remaining commutable singletons that the adversary drops during the epoch, and let be as defined by (9) and (10). The fraction of all commutable checkpoint onions that the adversary drops by the epoch is close to , i.e., for all , with overwhelming probability,
[TABLE]
Proof.
The proof is by induction.
Base case (). This follows from a known concentration bound [HS05] for the hypergeometric distribution.
Inductive step (). Assume that .
Let be the fraction of the (remaining) commutable checkpoint onions that the adversary drops during the epoch.
[TABLE]
where (11) follows from the inductive hypothesis, (12) follows from a known concentration bound [HS05] for the hypergeometric distribution, and (13) follows because .
We obtain the upper bound in a similar fashion. ∎
If the adversary drops fraction of the commutable checkpoint onions by the diagnostic round, then every party would observe, on average, missing checkpoints at the diagnostic, where denotes the number of epochs in the equalizing phase. We now prove that, with overwhelming probability, the actual number of missing checkpoint onions is close to this expected quantity.
**Lemma 13.**
In : Suppose that the adversary drops at least a constant fraction of all commutable checkpoint onions before the diagnostic round (i.e., the round). If is a truly random function, then for all , with overwhelming probability, each party will notice at least between and missing checkpoints at the diagnostic round.
Proof.
We recast this problem as a two-colored-balls problem. The different categories of balls correspond to different categories of onions (explained below).
Fix a party and a diagnostic round .
The green balls/onions, , are all the commutable checkpoint onions for verification by party at the diagnostic; let .
Let be all the commutable checkpoint onions, including those in ; and let . The white onions/balls are the onions in ; these are the commutable checkpoint onions not for verification by at the diagnostic.
Since the onions in are commutable, if the adversary drops fraction of them, the adversary eliminates (or drops) a random sample of size .
Using a known concentration bound [HS05] for the hypergeometric distribution, when the expected number of green balls in is at least polylogarithmic in the security parameter, with overwhelming probability, the actual number of green balls in is close to , i.e., .
Let be the number of non-commutable checkpoint onions.
**Claim 1.**
If , , and are close to their respective expected values, i.e., for any , with overwhelming probability, , , and ; then with overwhelming probability, at least checkpoint onions will be missing for party at the diagnostic.
To complete the proof, we now prove the claim above:
Let be the set of all (for all ’s) commutable checkpoint onions formed by party for verification by party , excluding the (possible) onion formed by party for verification by party at the diagnostic. Let .
Let be the set of all (for all ’s and all ’s) commutable checkpoint onions formed by party for verification by party , , excluding any onion for verification by party at the diagnostic as well as any onion formed by party for verification at the diagnostic. Let .
For every triple consisting of the index of a diagnostic round and honest parties and , let be one if party forms a checkpoint onion to be verified by party at the diagnostic (and zero, otherwise).
Since (i.e., party creates an onion to be verified by party at the epoch iff party creates a symmetric onion to be verified by party at the epoch), it follows that the total (over all ’s, all ’s, and all ’s) number of checkpoint onions formed by party for party is .
Let , and let . The total number of commutable checkpoint onions is given by
[TABLE]
If is a truly random function, the onions in , are i.i.d. Bernoulli random variables, each having probability of success. It follows that
[TABLE]
Using the Chernoff bound for Poisson trials, for any :
[TABLE]
Thus, with overwhelming probability, (i) , (ii) , and (iii) .
Facts (ii) and (iii) imply
[TABLE]
where (18) follows (14) and (15)-(17), and (19) holds because
[TABLE]
and
[TABLE]
Following a similar argument as above, we have . This concludes our proof. ∎
Combining Lemmas 11 and 13 proves Lemma 10(ii). We now prove Lemma 10(i).
Proof of Lemma 10(i).
If , then with overwhelming probability, every honest party aborts the protocol before the epoch:
From Lemma 11, the adversary essentially drops a random sample of the remaining singletons. From Lemma 12, the actual fraction of commutable checkpoint onions that have been dropped by the epoch is close to the expected fraction, . From Lemma 13, each party will notice close to the expected number of missing checkpoints: (for an arbitrarily small ). ∎
Appendix C Proof that is anonymous
The proof that is anonymous mirrors the proof of Theorem 3. is indifferent; see the boxed areas in Figure 5. So from Theorem 1, is anonymous if it mixes and equalizes.
For the analysis, we assume that replay attacks are not possible, and that the onion encryption is ideal (Simplifications 1 and 2 in the proof of Theorem 3). Given these simplifications, we show that for any two inputs and (from the same equivalence class), the adversarial view consisting of just the commutable onions on is statistically-close to that on . (Recall that an onion is commutable if it was generated by an honest party and is not a checkpoint onion to be verified by an adversarial party.)
mixes for the same reason that mixes; mixes because either a polylogarithmic number of commutable checkpoint onions shuffle with the remaining commutable merging onions for a polylogarithmic number of rounds during the penultimate epoch, or because not enough commutable onions remain by the last epoch, and so the protocol is aborted. (For the full proof, see Lemma 3 in Appendix B.1.)
From Theorem 1, it remains to prove that equalizes from commutable onions.
**Lemma 14.**
If the adversary drops at most a logarithmic (in the security parameter) number of onions during the first epoch, then w.o.p., a constant fraction of each honest sender’s merging onions remain undropped by the start of the second epoch. Otherwise, if the adversary drops too many onions, then w.o.p., each honest participant detects that the adversary dropped too many onions and aborts the run. (See Appendix C.1 for the proof.)
**Lemma 15.**
If a constant fraction of each honest sender’s merging onions remain at the start of the second epoch, then w.o.p., the numbers of merging onions will “even out” by the end of the execution phase. That is, for any two honest parties and , the quantity of ’s merging onions will become statistically-close to that of ’s merging onions. (The proof is essentially the same as that of Lemma 4.)
If the adversary drops too many onions during the first epoch, then equalizes since every honest party stops participating (Lemma 5), and so no one receives their message. Otherwise, equalizes since enough of each sender’s merging onions make it to the second epoch (Lemma 5), and the numbers of merging onions are eventually evened out by the merging of onions (Lemma 4).
C.1 Proof of Lemma 14
Our proof of Lemma 14 essentially boils down to proving that the following undesirable events rarely happen: (1) For any honest party, the onions formed by the party do not travel together. (2) The first diagnostic fails to detect that the adversary dropped too many honest onions. Below, we show that events (1) and (2) can occur with only negligible probability.
Recall that a “commutable” onion is either an honest merging onion or an honest checkpoint onion with a checkpoint for verification by an honest party.
Recall that is the number of merging onions formed by each honest party, and let denote the number of diagnostic rounds (or the number of epochs) in a full unaborted execution of . (For example, when , there are two epochs, one corresponding to the leaf node and another to the root node of .)
**Lemma 16.**
In interacting with , suppose that the adversary drops fraction of all commutable onions before the first diagnostic such that . Then, for all , w.o.p., each honest party will notice at least missing checkpoints at the first diagnostic.
Proof.
We recast this problem as a three-colored-balls problem with green balls, white balls and red balls. The different categories of balls correspond to different categories of onions (explained below).
Fix an honest party .
Let be the set of all commutable checkpoint onions for verification by party at the first diagnostic. (These correspond to the green onions/balls. All other commutable checkpoint onions belong to the set and are the white onions/balls.) Let .
If is a truly random function,
[TABLE]
Using Chernoff bound for Poisson trials, for any :
[TABLE]
Thus, with overwhelming probability, falls between and .
Let be the set of all honest merging onions. (These correspond to the red onions/balls.)
Let be the set of all commutable onions, i.e., the set of all green, white and red onions/balls.
Since the adversary cannot distinguish between any two onions in , the cumulative set of commutable onions that are eliminated (or dropped) by the adversary by the first diagnostic is a random subset of the set of all honest onions.
Let be the fraction of onions in dropped by the adversary by the first diagnostic.
Using a known concentration bound for the hypergeometric distribution [HS05], when the expected number of green balls in is at least polylogarithmic in , i.e., , the actual number of green balls in is close to the expected value , i.e., for any , . Combining this with (20) above, with overwhelming probability, the number of green balls in the random sample falls between and .
By choosing an appropriate such that and , we obtain our desired bound. ∎
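The three-colored-balls argument above can be checked numerically. The following simulation is an added example, not code from the paper: each honest party forms a number of checkpoint onions whose verifying party is chosen by a random function (modelled here by a seeded PRNG) plus a number of merging onions; the adversary, who cannot tell commutable onions apart, drops a uniformly random fraction of them; at the first diagnostic every party compares the checkpoints it expected against the ones that arrived. The party count, onions per party, drop fraction and the local abort threshold are assumed parameters chosen for illustration, not values from the paper.

```python
import random
from typing import List, Optional, Tuple

# Constructed model of Lemma 16's three-colored-balls argument (assumed
# parameters; not the paper's code).  An onion is represented only by the
# index of the party that verifies its checkpoint: an int for a checkpoint
# onion (green for that verifier, white for everyone else), None for a
# merging onion (red).
Onion = Optional[int]


def build_commutable_onions(n_parties: int, checkpoints_per_party: int,
                            merging_per_party: int,
                            rng: random.Random) -> List[Onion]:
    """Return the set S of commutable onions formed by the honest parties."""
    onions: List[Onion] = []
    for _sender in range(n_parties):
        # verifier of each checkpoint onion drawn by a (modelled) random function
        onions.extend(rng.randrange(n_parties)
                      for _ in range(checkpoints_per_party))
        # merging onions carry no checkpoint
        onions.extend([None] * merging_per_party)
    return onions


def adversary_drops(onions: List[Onion], drop_fraction: float,
                    rng: random.Random) -> List[int]:
    """Drop a uniformly random delta-fraction of S.

    This is the lemma's premise: the adversary cannot distinguish two
    commutable onions, so whatever it drops is a random subset of S.
    """
    k = round(drop_fraction * len(onions))
    return rng.sample(range(len(onions)), k)


def diagnostic_counts(onions: List[Onion], dropped: List[int],
                      n_parties: int) -> Tuple[List[int], List[int]]:
    """Per party j: (|G_j| = checkpoints j expects, how many went missing)."""
    expected = [0] * n_parties
    missing = [0] * n_parties
    for verifier in onions:
        if verifier is not None:
            expected[verifier] += 1
    for idx in dropped:
        verifier = onions[idx]
        if verifier is not None:
            missing[verifier] += 1
    return expected, missing


def party_aborts(expected: int, missing: int, tolerance: float) -> bool:
    """Assumed local abort rule: abort when more than a tolerance-fraction of
    the checkpoints this party expected to verify never arrived."""
    return missing > tolerance * expected


def run_first_diagnostic(n_parties: int, checkpoints_per_party: int,
                         merging_per_party: int, drop_fraction: float,
                         tolerance: float, seed: int
                         ) -> Tuple[List[int], List[int], List[bool]]:
    """One run up to the first diagnostic; returns (|G_j|, missing_j, abort_j)."""
    rng = random.Random(seed)
    onions = build_commutable_onions(n_parties, checkpoints_per_party,
                                     merging_per_party, rng)
    dropped = adversary_drops(onions, drop_fraction, rng)
    expected, missing = diagnostic_counts(onions, dropped, n_parties)
    aborts = [party_aborts(e, m, tolerance)
              for e, m in zip(expected, missing)]
    return expected, missing, aborts


if __name__ == "__main__":
    # Sweep the drop fraction: with no drops nobody aborts; with a constant
    # fraction dropped, every party's missing/|G_j| concentrates near delta.
    for delta in (0.0, 0.05, 0.3):
        expected, missing, aborts = run_first_diagnostic(
            200, 100, 50, delta, tolerance=0.05, seed=7)
        ratios = [m / e for e, m in zip(expected, missing) if e]
        print(f"delta={delta:.2f}: |G_j| in [{min(expected)}, {max(expected)}], "
              f"missing/|G_j| in [{min(ratios):.2f}, {max(ratios):.2f}], "
              f"aborting parties: {sum(aborts)}/{len(aborts)}")
```

With 200 parties and 100 checkpoint onions each, every party expects about 100 checkpoints, and after a 30% random drop each party sees roughly 30 missing, so a local rule that aborts on more than 5% missing fires at every honest party, which is the behaviour Lemma 16 asserts w.o.p.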
We now prove Lemma 14.
Proof of Lemma 14.
Fix an input and an honest party .
Let be the number of parties, and let be the adversary who corrupts a random parties and, at rounds and , drops every droppable (delivered to a corrupted node) onion that could have been formed by party (from the adversary’s perspective).
Let be the number of commutable onions at round that could have been formed by party . In the first round, transmits onions. For any arbitrarily small , with overwhelming probability, because, with overwhelming probability, forms at least checkpoint onions with a checkpoint for an honest party (Chernoff bound) and merging onions.
Let the span at round , denoted , be the number of honest parties that receive a commutable onion that could have been formed by party at round . From the Chernoff bound, at least of these onions go to honest parties. So, from Lemma 8 in Appendix B.3,
[TABLE]
Each of these parties receives at least commutable onions at round (Chernoff bound). Combining this with (21), there are at least commutable onions that could have originated from party at round 2; that is,
[TABLE]
At least of these onions are routed to corrupted parties at round (Chernoff bound); that is, the number of commutable onions from that go to corrupted parties is at least
[TABLE]
where , and . If all of them are dropped, the fraction of the commutable onions that drops is at least
[TABLE]
because there are fewer than commutable onions in total (Chernoff bound).
Let . From Lemma 16, each honest party will notice at least
[TABLE]
missing checkpoints and will, therefore, abort the protocol.
Any adversary that drops at least as many onions as will cause the honest parties to abort the protocol.
For the adversary , let denote the number of party ’s merging onions that remain at the end of the first epoch in a run of on input , interacting with adversary . An adversary that drops at most as many onions as can only do worse than ; if deviates from either by dropping fewer onions or waiting to drop onions, then
[TABLE]
For any , at least of party ’s merging onions are randomly routed through only honest parties in rounds and (Chernoff bound); it follows that
[TABLE]
Combining (22) and (23), we obtain our desired result. ∎
Appendix D Proof that polylogarithmic onion cost is required
To prove Theorem 4, we make use of the following observation (Lemma 17, below): if an onion routing protocol is too efficient, then there exist many settings in which there exist parties and such that is neither a sender nor an intermediary node for the recipient of .
In a run of onion routing protocol interacting with adversary on input and security parameter :
- For an honest party , let denote the number of onions created by party and received by party that will reach party (if allowed to continue to ).
- For honest parties and , “ cannot affect ’s recipient” if
[TABLE]
where is the index of the recipient for .
Lemma 17.
Let denote the set of input vectors in the simple I/O setting.
If the onion cost of the onion routing protocol $\Pi(1^{\lambda},\mathsf{pp},\mathsf{states},\,\sigma)$ interacting with $\adv$ is sublinear in $N$, then there exists a set $\mathsf{Inputs}\subseteq\mathsf{SimpleIO}$ with $|\mathsf{Inputs}|=\bigsmallO{|\mathsf{SimpleIO}|}$ such that for every $\sigma\in\mathsf{Inputs}$, there exists a set $\mathsf{Senders}_{\sigma}\subseteq\mathcal{P}$ with $|\mathsf{Senders}_{\sigma}|=\bigsmallO{N}$ such that for every $P_{i}\in\mathsf{Senders}_{\sigma}$,
- i. $\mathbb{E}\left[\mathsf{out}^{\Pi,\adv}_{i}(1^{\lambda},\sigma)\right]=\bigsmallO{1}\cdot\mathsf{OC}^{\Pi,\adv}(1^{\lambda})$, and
- ii. there exists a party such that cannot affect ’s recipient (as defined in (24)).
Proof.
We can prove Lemma 17 by applying Markov’s inequality several times.
Let denote the onion cost of interacting with .
From Markov’s inequality,
[TABLE]
Thus, there exists a set , s.t. for every , $\mathbb{E}_{i}\left[\mathsf{out}^{\Pi,\adv}_{i}(1^{\lambda},\sigma)\right]<2\,\mathsf{OC}^{\Pi,\adv}$; for $\sigma\in\mathsf{Inputs}$,
[TABLE]
That is, there exists a set , s.t. for sufficiently large ,
[TABLE]
This shows that (i) is satisfied.
For every , there are at most distinct parties such that
[TABLE]
where is the recipient of in . If this weren’t the case, then the expected number of onions that party transmits would be at least , contradicting (25). Hence, we also satisfy (ii). ∎
For the proof of Theorem 4, below, we show that if the protocol is too efficient, then the adversary can “isolate” an honest party by blocking all network traffic originating from or passing through the party.
Proof of Theorem 4.
Fix the corruption rate . For a party , let be the adversary who corrupts a uniformly random set of parties and, additionally, drops every onion that party transmits directly to a corrupted party. Otherwise, follows the protocol.
Let be the adversary that chooses a random party to target and then follows ’s code.
Assume that is an onion routing protocol that is weakly robust and anonymous , and the onion cost of interacting with is .
W.l.o.g., assume . We assume this to be the case, since otherwise, there are known solutions with communication complexity, e.g., using general purpose MPC.
From Lemma 17, there exists an input , such that there exists a set , s.t. for every party ,
- i. $\mathbb{E}\left[\mathsf{out}^{\Pi,\adv}_{i}(1^{\lambda},\sigma^{0})\right]=\bigO{f(\lambda)}$, and
- ii. there exists a party such that cannot affect the recipient of .
We will now prove the following: In the event (with nonnegligible probability) that picks a party to target, can distinguish the setting on input from the setting on input which is the same as except that the inputs for parties and are swapped.
Let be the recipient of in (and also the recipient of in ), and let denote the number of messages that receives in a protocol run of interacting with adversary on input .
Let denote the event that manages to drop every onion that transmits.
On input : Conditioned on , never receives his message, i.e.,
[TABLE]
On input : Let denote the event that . From (ii), ; combined with weak robustness, it follows that receives his message with nonnegligible probability, i.e.,
[TABLE]
If occurs with nonnegligible probability on input : Then, from combining (26) and (27), doesn’t equalize; and from Theorem 2, is not anonymous.
To complete our proof, it suffices to prove that the probability of is nonnegligible: From (i), $\mathbb{E}\left[\mathsf{out}_{i}^{\Pi,\adv}(1^{\lambda},\sigma^{0})\right]=\bigO{f(\lambda)}$, so by Markov’s inequality there is a constant $\alpha>0$ such that $\mathsf{out}_{i}^{\Pi,\adv}(1^{\lambda},\sigma^{0})\leq\alpha f(\lambda)$ with nonnegligible probability.
Let denote the event that , and let denote conditioned on .
The probability of is smallest when each of the (at most) onions that transmits goes to a different location. This probability is bounded by the probability that a random -size sample from a set of balls, of which are green, consists only of green balls. When for some positive constant ,
[TABLE]
which is nonnegligible in . Thus, is nonnegligible in . It follows that occurs with nonnegligible probability. ∎
We can also prove the weaker result that if an onion routing protocol is robust (Definition 7) and anonymous, then its onion cost is superlogarithmic (in the security parameter). The proof is a simpler contradiction showing that an onion routing protocol with logarithmic (in the security parameter) onion cost cannot be robust (rather than anonymous).
To prove the lower bound, we used the fact that the adversary knows the number of messages received by each honest party in the protocol run. However, the bound holds even when we exclude these statistics from the adversarial view. We can prove the stronger result by using in place of Theorem 2: If an onion routing protocol is anonymous from adversaries who corrupt up to parties, then it essentially equalizes for adversaries who corrupt up to parties.
References
- [AAC+11] Mário S. Alvim, Miguel E. Andrés, Konstantinos Chatzikokolakis, Pierpaolo Degano, and Catuscia Palamidessi. Differential privacy: on the trade-off between utility and information leakage. In FAST 2011, pages 39–54. Springer, 2011.
- [AL20] Megumi Ando and Anna Lysyanskaya. Cryptographic shallots: A formal treatment of repliable onion encryption. IACR Cryptol. ePrint Arch., 2020:215, 2020. URL https://eprint.iacr.org/2020/215.
- [ALU18] Megumi Ando, Anna Lysyanskaya, and Eli Upfal. Practical and provably secure onion routing. In Ioannis Chatzigiannakis, Christos Kaklamanis, Dániel Marx, and Donald Sannella, editors, ICALP 2018, volume 107 of LIPIcs, pages 144:1–144:14. Schloss Dagstuhl, July 2018.
- [BFT04] Ron Berman, Amos Fiat, and Amnon Ta-Shma. Provable unlinkability against traffic analysis. In Ari Juels, editor, FC 2004, volume 3110 of LNCS, pages 266–280. Springer, Heidelberg, February 2004.
- [BGKM12] Michael Backes, Ian Goldberg, Aniket Kate, and Esfandiar Mohammadi. Provably secure and practical onion routing. In Computer Security Foundations Symposium (CSF), 2012 IEEE 25th, pages 369–385. IEEE, 2012.
- [BKM+13] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and Esfandiar Mohammadi. AnoA: A framework for analyzing anonymous communication protocols. In Computer Security Foundations Symposium (CSF), 2013 IEEE 26th, pages 163–178. IEEE, 2013.
- [Can01] Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd FOCS, pages 136–145. IEEE Computer Society Press, October 2001.
- [CB95] David A. Cooper and Kenneth P. Birman. Preserving privacy in a network of mobile computers. In 1995 IEEE Symposium on Security and Privacy, pages 26–38. IEEE Computer Society Press, 1995.
