Onion-AE: Foundations of Nested Encryption

Authors: Phillip Rogaway (Department of Computer Science, University of California, Davis.), Yusi Zhang (Department of Computer Science, University of California, Davis.)

Volume: 2018
Issue: 2
Pages: 85–104
DOI: https://doi.org/10.1515/popets-2018-0014

Download PDF

Abstract: Nested symmetric encryption is a well-known technique for low-latency communication privacy. But just what problem does this technique aim to solve? In answer, we provide a provable-security treatment for onion authenticated-encryption (onion-AE). Extending the conventional notion for authenticated-encryption, we demand indistinguishability from random bits and time-of-exit authenticity verification. We show that the encryption technique presently used in Tor does not satisfy our definition of onion-AE security, but that a construction by Mathewson (2012), based on a strong, tweakable, wideblock PRP, does do the job. We go on to discuss three extensions of onion-AE, giving definitions to handle inbound flows, immediate detection of authenticity errors, and corrupt ORs.

Keywords: Anonymity, authenticated encryption, onion routing, privacy, oracle silencing, provable security, Tor

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.