The recently introduced Counter Galois Onion ( \(\textsf{CGO}\) ) is a new symmetric onion encryption scheme designed to replace the current one used by Tor, with integration in Tor’s Rust implementation Arti ongoing. Intuitively, \(\textsf{CGO}\) uses an updatable tweakable split-domain cipher as its building block, which provides it with the necessary non-malleability properties while attaining better performance than the alternative approach of realising it from a wide blockcipher (with full SPRP security). However, onion encryption as used in Tor with various functionality features and security trade-offs, is not that well-studied by the cryptographic community. As a result, the requirements of this important primitive which protects the privacy of millions of users on a daily basis, is not well understood and whether \(\textsf{CGO}\) fulfills all its security goals unclear. In this work, we initiate the study of real-world symmetric onion encryption by presenting a new security model capturing Tor’s leaky pipes functionality, associated data, and partial forward security, neither of which were covered previously. We then use this new security model to solidify the security claims of \(\textsf{CGO}\) in the forward direction by proving that if the underlying primitive is a suitably secure tweakable split-domain cipher, then \(\textsf{CGO}\) is a secure onion encryption scheme.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Secure Onion Encryption and the Case of Counter Galois Onion

  • Jean Paul Degabriele,
  • Alessandro Melloni,
  • Martijn Stam

摘要

The recently introduced Counter Galois Onion ( \(\textsf{CGO}\) ) is a new symmetric onion encryption scheme designed to replace the current one used by Tor, with integration in Tor’s Rust implementation Arti ongoing. Intuitively, \(\textsf{CGO}\) uses an updatable tweakable split-domain cipher as its building block, which provides it with the necessary non-malleability properties while attaining better performance than the alternative approach of realising it from a wide blockcipher (with full SPRP security). However, onion encryption as used in Tor with various functionality features and security trade-offs, is not that well-studied by the cryptographic community. As a result, the requirements of this important primitive which protects the privacy of millions of users on a daily basis, is not well understood and whether \(\textsf{CGO}\) fulfills all its security goals unclear. In this work, we initiate the study of real-world symmetric onion encryption by presenting a new security model capturing Tor’s leaky pipes functionality, associated data, and partial forward security, neither of which were covered previously. We then use this new security model to solidify the security claims of \(\textsf{CGO}\) in the forward direction by proving that if the underlying primitive is a suitably secure tweakable split-domain cipher, then \(\textsf{CGO}\) is a secure onion encryption scheme.