On the Security of the Tor Authentication Protocol

  • Ian Goldberg
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4258)


Tor is a popular anonymous Internet communication system, used by an estimated 250,000 users to anonymously exchange over five terabytes of data per day. The security of Tor depends on properly authenticating nodes to clients, but Tor uses a custom protocol, rather than an established one, to perform this authentication. In this paper, we provide a formal proof of security of this protocol, in the random oracle model, under reasonable cryptographic assumptions.


Hash Function; Shared Secret; Random Oracle; Random Oracle Model; Knowledge Extractor
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ian Goldberg (1)
  1. David R. Cheriton School of Computer Science, University of Waterloo, Waterloo
