Provable Security for the Onion Routing and Mix Network Packet Format Sphinx

TL;DR

This paper establishes a rigorous security proof for the Sphinx packet format used in onion routing, identifying the necessary cryptographic assumptions and demonstrating the format's security under the GDH assumption.

Contribution

It provides the first detailed security proof for Sphinx, correcting previous assumptions and proposing necessary adaptations to ensure sender privacy.

Findings

GDH assumption is required for security proof

A secure version of Sphinx is proposed with proven security

An attack on sender privacy is demonstrated without adaptations

Abstract

Onion routing and mix networks are fundamental concepts to provide users with anonymous access to the Internet. Various corresponding solutions rely on the efficient Sphinx packet format. However, flaws in Sphinx's underlying proof strategy were found recently. It is thus currently unclear which guarantees Sphinx actually provides, and, even worse, there is no suitable proof strategy available. In this paper, we restore the security foundation for all these works by building a theoretical framework for Sphinx. We discover that the previously-used DDH assumption is insufficient for a security proof and show that the Gap Diffie-Hellman (GDH) assumption is required instead. We apply it to prove that a slightly adapted version of the Sphinx packet format is secure under the GDH assumption. Ours is the first work to provide a detailed, in-depth security proof for Sphinx in this manner. Our adaptations to Sphinx are necessary, as we demonstrate with an attack on sender privacy that would be possible otherwise.