Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world

Authors: John M. Schanck (University of Waterloo and Security Innovation), William Whyte (Security Innovation), Zhenfei Zhang (Security Innovation)

Volume: 2016
Issue: 4
Pages: 219–236
DOI: https://doi.org/10.1515/popets-2016-0037


Abstract: We propose a circuit extension handshake for Tor that is forward secure against adversaries who gain quantum computing capabilities after session negotiation. In doing so, we refine the notion of an authenticated and confidential channel establishment (ACCE) protocol and define pre-quantum, transitional, and post-quantum ACCE security. These new definitions reflect the types of adversaries that a protocol might be designed to resist. We prove that, with some small modifications, the currently deployed Tor circuit extension handshake, ntor, provides pre-quantum ACCE security. We then prove that our new protocol, when instantiated with a post-quantum key encapsulation mechanism, achieves the stronger notion of transitional ACCE security. Finally, we instantiate our protocol with NTRUEncrypt and provide a performance comparison between ntor, our proposal, and the recent design of Ghosh and Kate.

Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.