Fully Non-interactive Onion Routing with Forward-Secrecy

  • Dario Catalano
  • Mario Di Raimondo
  • Dario Fiore
  • Rosario Gennaro
  • Orazio Puglisi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6715)


In this paper we put forward a new onion routing protocol which achieves forward secrecy in a fully non-interactive fashion, without requiring any communication from the router and/or the users and the service provider to update time-related keys. We compare this to TOR which requires O(n 2) rounds of interaction to establish a circuit of size n. In terms of the computational effort required to the parties, our protocol is comparable to TOR, but the network latency associated with TOR’s high round complexity ends up dominating the running time. Compared to other recently proposed alternative to TOR (such as the PB-OR and CL-OR protocols) our scheme still has the advantage of being non-interactive (both PB-OR and CL-OR require some interaction to update time-sensitive information), and achieves similar computational performances. We performed extensive implementation and simulation tests that confirm our theoretical analysis. Additionally, while comparing our scheme to PB-OR, we discovered a flaw in the security of that scheme which we repair in this paper.

Our solution is based on the application of forward-secure encryption. We design a forward-secure encryption scheme (of independent interest) to be used as the main encryption scheme in an onion routing protocol.


Encryption Scheme Forward Secrecy Symmetric Encryption Scheme Circuit Construction Onion Router 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Al-Riyami, S., Paterson, K.: Certificateless public key cryptography. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 452–473. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  2. 2.
    Anderson, R.: Two remarks on public key cryptology. In: ACM-CCS 1997 (1997) (invited lecture),
  3. 3.
    Boneh, D., Boyen, X., Goh, E.: Hierarchical Identity Based Encryption with Constant Size Ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  4. 4.
    Boneh, D., Franklin, M.: Identity-Based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–615. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  5. 5.
    Camenisch, J., Lysyanskaya, A.: A Formal Treatment of Onion Routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  6. 6.
    Canetti, R., Halevi, S., Katz, J.: A Forward-Secure Public Key Encryption Scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  7. 7.
    Catalano, D., Fiore, D., Gennaro, R.: Certificateless Onion Routing. In: Proc. of the 16th ACM Conference on Computer and Comm. Security (CCS 2009), pp. 151–160. ACM Press, New York (2009)CrossRefGoogle Scholar
  8. 8.
    Chaum, D.: Untraceable Electronic Mail, return address and digital pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  9. 9.
    Dai, W.: PipeNet 1.1,
  10. 10.
    Dent, A.W.: A designer’s guide to kEMs. In: Paterson, K.G. (ed.) Cryptography and Coding 2003. LNCS, vol. 2898, pp. 133–151. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  11. 11.
    Danezis, G., Goldberg, I.: Sphinx: A Compact and Provably Secure Mix Format. In: IEEE Symposium on Security and Privacy 2009, pp. 269–282 (2009)Google Scholar
  12. 12.
    Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetCrossRefMATHGoogle Scholar
  13. 13.
    Dingledin, R., Mathewson, N.: Tor Protocol Specification (2008),
  14. 14.
    Dingledin, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: Proc. of the 13th USENIX Security Symposium, pp. 303–320 (2004)Google Scholar
  15. 15.
    Freedman, M., Morris, R.: Tarzan: A Peer-to-Peer Anonymizing Networ Layer. In: Proc. of 9th ACM Conference on Computer and Comm. Security (CCS 2002), pp. 193–206 (2002)Google Scholar
  16. 16.
    Goldberg, I.: On the Security of the Tor Authentication Protocol. In: Danezis, G., Golle, P. (eds.) PET 2006. LNCS, vol. 4258, pp. 316–331. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  17. 17.
    Goldschlag, D., Reed, M., Syverson, P.: Hiding Routing Informations. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 137–150. Springer, Heidelberg (1996)CrossRefGoogle Scholar
  18. 18.
    Goldschlag, D., Reed, M., Syverson, P.: Onion Routing for Anonymous and Private Internet Connections. Communications of the ACM 42(2), 84–88 (1999)CrossRefGoogle Scholar
  19. 19.
    Kate, A., Goldberg, I.: Using Sphinx to Improve Onion Routing Circuit Construction. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 359–366. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  20. 20.
    Kate, A., Zaverucha, G., Goldberg, I.: Pairing-Based Onion Routing. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 95–112. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  21. 21.
    Kate, A., Zaverucha, G., Goldberg, I.: Pairing-Based Onion Routing with Improved Forward Secrecy. ACM Transactions on Information and System Security (2009)Google Scholar
  22. 22.
    Lynn, B.: PBC: The Pairing-Based Crypto Library,
  23. 23.
    Möller, B.: Provably Secure Public-Key Encryptionfor Length-Preserving Chaumian Mixes. In: Joye, M. (ed.) CT-RSA 2003. LNCS, vol. 2612, pp. 244–262. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Øverlier, L., Syverson, P.F.: Improving Efficiency and Simplicity of Tor Circuit Establishment and Hidden Services. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 134–152. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  25. 25.
    Reed, M., Syverson, P., Goldschlag, D.: Anonymous Connections and Onion Routing. IEEE Journal on Selected Ares in Communications 16(4), 482–494Google Scholar
  26. 26.
    Renhard, M., Plattner, B.: Introducing MorphMix: Peer-toPeer based Anonymous Internet Usage with Collusion Detection. In: The Workshop on Privacy in the Electronic Society (WPES 2002), pp. 91–102. ACM, New York (2002)Google Scholar
  27. 27.
    Shamir, A.: Identity-Based Cryptosystems and Signature Schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  28. 28.
    Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 1–16. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  29. 29.
    Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing. In: Symposium on Cryptography and Information Security, Okinawa, Japan (2000)Google Scholar
  30. 30.
    Yao, D., Fazio, N., Dodis, Y., Lysyanskaya, A.: ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption. In: Proc. of the ACM Conference on Computer and Comm. Security, CCS 2004 (2004)Google Scholar
  31. 31.
    NIST Recommendations for Key Management Part 1: General NIST Special Publication 800-57 (August 2005),
  32. 32.
    ECRYPT Yearly Report on Algorithms and Key Sizes (2007-2008) (July 2008),

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Dario Catalano
    • 1
  • Mario Di Raimondo
    • 1
  • Dario Fiore
    • 2
  • Rosario Gennaro
    • 3
  • Orazio Puglisi
    • 1
  1. 1.Dipartimento di Matematica ed InformaticaUniversità di CataniaItaly
  2. 2.École Normale SupérieureCNRS - INRIAParisFrance
  3. 3.Watson Research CenterIBM T.J.HawthorneUSA

Personalised recommendations