Secure Onion Encryption and the Case of Counter Galois Onion
摘要
The recently introduced Counter Galois Onion ( \(\textsf{CGO}\) ) is a new symmetric onion encryption scheme designed to replace the current one used by Tor, with integration in Tor’s Rust implementation Arti ongoing. Intuitively, \(\textsf{CGO}\) uses an updatable tweakable split-domain cipher as its building block, which provides it with the necessary non-malleability properties while attaining better performance than the alternative approach of realising it from a wide blockcipher (with full SPRP security). However, onion encryption as used in Tor with various functionality features and security trade-offs, is not that well-studied by the cryptographic community. As a result, the requirements of this important primitive which protects the privacy of millions of users on a daily basis, is not well understood and whether \(\textsf{CGO}\) fulfills all its security goals unclear. In this work, we initiate the study of real-world symmetric onion encryption by presenting a new security model capturing Tor’s leaky pipes functionality, associated data, and partial forward security, neither of which were covered previously. We then use this new security model to solidify the security claims of \(\textsf{CGO}\) in the forward direction by proving that if the underlying primitive is a suitably secure tweakable split-domain cipher, then \(\textsf{CGO}\) is a secure onion encryption scheme.