Attacking and Repairing the Improved ModOnions Protocol

  • Nikita Borisov
  • Marek Klonowski
  • Mirosław Kutyłowski
  • Anna Lauks-Dutka
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5984)


In this paper, we present a new class of attacks against an anonymous communication protocol, originally presented in ACNS 2008. The protocol itself was proposed as an improved version of ModOnions, which uses universal re-encryption in order to avoid replay attacks. However, ModOnions allowed the detour attack, introduced by Danezis to re-route ModOnions to attackers in such a way that the entire path is revealed. The ACNS 2008 proposal addressed this by using a more complicated key management scheme. The revised protocol is immune to detour attacks. We show, however, that the ModOnion construction is highly malleable and this property can be exploited in order to redirect ModOnions. Our attacks require detailed probing and are less efficient than the detour attack, but they can nevertheless recover the full onion path while avoiding detection and investigation. Motivated by this, we present a new modification to the ModOnion protocol that dramatically reduces the malleability of the encryption primitive. It addresses the class of attacks we present and it makes other attacks difficult to formulate.


Encryption Scheme Random Block Malicious Node Replay Attack Forwarding Path 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003)Google Scholar
  2. 2.
    Chaum, D.: Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  3. 3.
    Cramer, R., Shoup, V.: A Practical Public Key Cryptosystem Provably Secure Against Adaptive Chosen Ciphertext Attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)Google Scholar
  4. 4.
    Danezis, G.: Breaking Four Mix-Related Schemes Based on Universal Re-encryption. In: Katsikas, S.K., López, J., Backes, M., Gritzalis, S., Preneel, B. (eds.) ISC 2006. LNCS, vol. 4176, pp. 46–59. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: design of a type III anonymous remailer protocol. In: IEEE Symposium on Security and Privacy, pp. 2–15 (2003)Google Scholar
  6. 6.
    Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: The Second-Generation Onion Router. In: USENIX Security Symposium 2004, pp. 303–320 (2004)Google Scholar
  7. 7.
    Dolev, D., Naor, M.: Non-malleable cryptography. In: ACM Symposium on Theory of Computing, pp. 542–552 (1991)Google Scholar
  8. 8.
    Golle, P., Jakobsson, M., Juels, A., Syverson, P.F.: Universal Re-encryption for Mixnets. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 163–178. Springer, Heidelberg (2004)Google Scholar
  9. 9.
    Gomułkiewicz, M., Klonowski, M., Kutyłowski, M.: Onions Based on Universal Re-encryption — Anonymous Communication Immune Against Repetitive Attack. In: Lim, C.H., Yung, M. (eds.) WISA 2004. LNCS, vol. 3325, pp. 400–410. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Klonowski, M., Kutyłowski, M., Lauks, A., Zagórski, F.: Universal Re-encryption of Signatures and Controlling Anonymous Information Flow. In: WARTACRYPT 2004 Conference on Cryptology, vol. 33, pp. 179–188. Tatra Mountains Mathematical Publications (2006)Google Scholar
  11. 11.
    Klonowski, M., Kutyłowski, M., Lauks, A.: Repelling Detour Attack against Onions with Re-Encryption. In: Bellovin, S.M., Gennaro, R., Keromytis, A.D., Yung, M. (eds.) ACNS 2008. LNCS, vol. 5037, pp. 296–308. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  12. 12.
    Prabhakaran, M., Rosulek, M.: Rerandomizable RCCA encryption. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 517–534. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  13. 13.
    Pries, R., Yu, W., Fu, X., Wei Zhao, W.: A New Replay Attack Against Anonymous Communication Networks. In: Proceedings of IEEE International Conference on Communication, pp. 1578–1582 (2008)Google Scholar
  14. 14.
    Tsiounis, Y., Yung, M.: On the Security of ElGamal Based Encryption. In: Imai, H., Zheng, Y. (eds.) PKC 1998. LNCS, vol. 1431, pp. 117–134. Springer, Heidelberg (1998)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Nikita Borisov
    • 1
  • Marek Klonowski
    • 2
  • Mirosław Kutyłowski
    • 2
  • Anna Lauks-Dutka
    • 2
  1. 1.Department of Electrical and Computer EngineeringUniversity of Illinois at Urbana-Champaign 
  2. 2.Institute of Mathematics and Computer ScienceWrocław University of Technology 

Personalised recommendations