Keywords

1 Introduction

Lattice-based cryptographic constructions have drawn an overwhelming amount of research attention in the last decade [7, 35, 37, 40, 44]. Their strong provable worst case security guarantee, apparent resistance to quantum attacks, high asymptotic efficiency and flexibility towards realizing powerful primitives (e.g., fully homomorphic encryption [21]) have been the vital reasons behind their popularity. Although the powerful primitives such as fully homomorphic encryption are still very far from being ideal for practical use, several recent efforts have demonstrated that performance of lattice-based constructions for basic encryption and authentication primitives is comparable with (and sometimes even better than) performance of corresponding primitives in the classical RSA or \({\text {DLog}}\) settings [26, 33, 35]. As a result, some work has started to appear towards developing lattice-based version of real-world cryptographic protocols [6, 41, 49]. In this work, we explore the utility of plausibly quantum-secure yet highly efficient lattice-based cryptography to anonymous communication networks (ACNs).

Over the last three decades, several ACNs have been proposed and few implemented [11, 12, 16, 24, 42, 45]. Among these, with its more than two million users and six thousand onion routing (OR) proxies spread all across the world, the OR network Tor [16, 48] has turned out to be a huge success. Today, along with anonymous web browsing and service hosting, Tor is also extensively used for censorship-resistant communication [14].

A typical realization of an OR network (such as Tor) consists of an overlay network of proxies (or nodes) that routes their users’ traffic to their Internet-based destinations. A user chooses an ordered sequence of OR nodes (i.e., a path) through the OR network using a path selection strategy, and constructs a cryptographic circuit using a public-key infrastructure (PKI) such that every node in the path shares a symmetric session key with the anonymous user. While employing the circuit to send a message anonymously to a destination, the user forms an onion by wrapping the message in multiple layers of symmetric encryption such that upon receiving the onion every node can decrypt (or remove) one of the layers and then forward it to the next node in the circuit.

From the cryptographic point of view, the key challenge with an OR protocol is to securely agree upon the required session keys so that a user can individually authenticate the nodes in her circuits while maintaining her anonymity (except from the first node). Since its inception, Tor employed an interactive forward-secret key-exchange protocol called the Tor authentication protocol (TAP) to agree upon those session keys in a telescoping (or multi-pass) construction [16]. Due to its atypical use of CPA-secure RSA encryption, TAP was considered weaker in terms of performance as well as security [23]. Recently, Goldberg, Stebila and Ustaoglu [25] formalized the OR key agreement security by introducing the concept of one-way authenticated key exchange (1W-AKE), and designed a provably secure 1W-AKE protocol called \({\mathsf {ntor}}\). With its significantly better computation and communication efficiency, \({\mathsf {ntor}}\) has since replaced TAP in the real-world Tor implementation [15].

Security of \({\mathsf {ntor}}\) and other 1W-AKE protocols [3, 10, 2830] requires some variant of Diffie–Hellman (DH) assumption in the classical discrete logarithm (\({\text {DLog}}\)) setting. As the \({\text {DLog}}\) problem and all of its weaker DH variants can be solved in polynomial time (in the security parameter) using quantum computers, the security of these 1W-AKE constructions and subsequently the confidentially and anonymity of the OR communications will be broken in the post-quantum world. Importantly, the current 1W-AKE protocols are also not forward-secure against the quantum attacks; the confidentially and anonymity of even today’s OR communications can be violated once quantum computers arrive.

Although this raises concern regarding the privacy of today’s anonymous communication in the future, making drastic modifications to the current OR infrastructure by replacing the current 1W-AKE construction with a lattice-based construction may be injudicious; e.g., in Tor, this will require completely changing the public key infrastructure (PKI). As a result, it presents an interesting challenge to define a lattice-based 1W-AKE protocol that offers forward security in the post-quantum world without significantly affecting the current cryptographic infrastructure and performance.

Our Contribution. In this paper, we resolve this challenge by presenting a novel hybrid 1W-AKE protocol (\({\mathsf {HybridOR}}\)) that combines lattice-based key exchange with the standard DH key exchange. The channel security of \({\mathsf {HybridOR}}\) relies on the (standard) ring variant of learning with error (ring-LWE) assumption or the gap Diffie–Hellman (GDH) assumption, while its forward secrecy and the security against an man-in-the-middle impersonator rely respectively on the ring-LWE assumption and the GDH assumption. Moreover, while achieving this enhanced security properties, \({\mathsf {HybridOR}}\) does not require any modifications to the current Tor public keys or directory infrastructure.

We observe that \({\mathsf {HybridOR}}\) is computationally more efficient than the currently employed \({\mathsf {ntor}}\) protocol; in particular, the efficiency improvement on both the client and the node sides is nearly \(33\,\%\). Although this improved security and efficiency comes at the cost of increased communication, both the client and the node will have to communicate three Tor cells each, which we find to be manageable for the Tor network today. Finally, along with apparent resistance to quantum attacks and the worst case security guarantee, as our \({\mathsf {HybridOR}}\) protocol is a 1W-AKE, it can also be used to realize a universally composable OR protocol [2].

2 Background

In this section, we present a brief overview of the OR protocol, the GDH assumption in the \({\text {DLog}}\) setting, and describe the lattice-based learning with errors problem.

2.1 Onion Routing

In the original OR protocol [42] circuits were constructed in a non-interactive manner. In particular, a user created an onion where each layer contained a symmetric session key for an OR node and the IP address of the successor OR node in the circuit, all encrypted with the original node’s public key such that each node can decrypt a layer, determine the symmetric session key and forward the rest of the onion along to the next OR node. Unless public keys are rotated frequently, this approach cannot guarantee forward security for the anonymous communication; thus, in the second generation OR network [16] (i.e., Tor), circuits are constructed incrementally and interactively, where symmetric session keys are established using a forward-secure authenticated Diffie–Hellman (DH) key exchange involving the OR node’s public key. In the second generation Tor protocol, circuits are constructed using the Tor authentication protocol (TAP) involving a CPA-secure RSA encryption and a DH key exchange. Currently, the third generation Tor network employs the provably secure (against the GDH assumption [38]) and significantly more efficient \({\mathsf {ntor}}\) protocol [25].

In related efforts, Backes et al. [2] observe that, with minor modifications, universally composable (UC) security [8] is possible for the existing Tor protocol, if the employed key agreement protocol is a one-way authenticated key exchange [25].

One-Way Authenticated Key Exchange—1W-AKE. Goldberg et al. introduce a security definition of (one-way anonymous) one-way authenticated key exchanges (1W-AKE) to facilitate design of provably secure session key agreement protocols for onion routing [25]. (See Sect. 3 for a complete 1W-AKE definition.)

They also fixed a key agreement protocol proposed in [39] to obtain a provably secure construction called the \({\mathsf {ntor}}\) protocol, which has replaced the TAP protocol in the current Tor network. In \({\mathsf {ntor}}\), the client sends a fresh ephemeral key \(g^x\) to the node. The node computes and sends a fresh ephemeral key \(g^y\) to the client and calculates the session key as \({\mathsf {H}} ((g^x)^y,(g^x)^b)\), where b is the long term secret key of the node.

Recently, Backes, Kate, and Mohammadi [3] introduced a 1W-AKE protocol Ace that improves upon the computational efficiency of \({\mathsf {ntor}}\). In \({\mathsf {Ace}}\) the client sends two fresh ephemeral keys \(g^{x_1}\) and \(g^{x_2}\) to the node. The node sends one fresh ephemeral key \(g^y\) to the client. The client and node compute the shared secret as \(g^{x_1b+x_2y} = (g^b)^{x_1}(g^y)^{x_2} = (g^{x_1})^b(g^{x_2})^y\). The source of efficiency in \({\mathsf {Ace}}\) comes from the fact that one can do two exponentiations at the same time using a multi-exponentiation trick. (See Fig. 3 in Appendix A for a pictorial illustration of \({\mathsf {ntor}}\) and \({\mathsf {Ace}}\).)

In contrast to the above interactive 1W-AKE protocol, a single-pass construction using a non-interactive key exchange is possible as well. However, achieving forward secrecy without regularly rotating the PKI keys for all Tor nodes is not possible [30], and periodic public key rotation should be avoided for scalability reasons. There have been attempts to solve this problem in the identity-based cryptography setting [30] or the certificate-less cryptography setting [10]. Nevertheless, as discussed in [2], key authorities required in these constructions can be difficult to implement in practice.

2.2 Gap Diffie-Hellman—GDH

Let \(\mathbb {G}\) be a multiplicative group with large prime order p and \(g \in \mathbb {G}\) be the generator of the group. Given a triple \((g,g^a,g^b)\) for \(a,b \in _r \mathbb {Z}_p^*\), the gap version of Diffie-Hellman (GDH) problem is to find the element \(g^{ab}\) with the help of a Decision Diffie-Hellman (DDH) oracle [38]. The DDH oracle \(\mathcal {O}^{ddh}\) takes input as \((G,g,g^a,g^b,z)\) for some \(z \in \mathbb {G}\) and tells whether \(z = g^{ab}\) or not, that is whether the tuple is a DH tuple or not. For the security parameter \(\lambda \), solving GDH problem in \(\mathbb {G}\) is assumed to be a hard problem. More formally,

Definition 1

(GDH Assumption). For all algorithm A, the advantage of solving GDH in the group G is defined as,

$$\begin{aligned} Adv^\textit{gdh}_A = \Pr [A^{\mathcal {O}^{ddh}}(p,g,g^a,g^b) = g^{ab}, (a,b) \in _r {\mathbb {Z}_p^*}^2]. \end{aligned}$$

The GDH assumption states that \(Adv^\textit{gdh}_A\) is a negligible function of the security parameter \(\lambda \) for all PPT algorithms A.

2.3 Learning with Errors—LWE

Learning with errors (LWE) is a problem of distinguishing noisy random linear equations from truly random ones, for a small amount of noise. It has been shown to be as hard as some worst case lattice problems [44], and its different variants have been employed in designing lattice-based cryptosystems [34, 36, 43, 44]. The main drawback of schemes based on LWE [44] is that they are based on matrix operations, which are quite inefficient and result in large key sizes. To overcome these problems, in last few years, special lattices with additional algebraic structures are used to construct cryptographic protocols.

LWE for Polynomial Ring. To reduce computation, communication and storage complexity, Lyubashevsky [35] propose an algebraic variant of LWE, ring-LWE, the problem is defined over a polynomial ring.

Let \(\mathbb {Z}_q\) be the set of integers from \(\lfloor -q/2 \rfloor \) to \(\lfloor q/2 \rfloor \), and let \(\mathbb {Z}[x]\) be the set of polynomials with coefficients in \(\mathbb {Z}\). Consider \(f(x) = x^n + 1 \in \mathbb {Z}[x]\), where the degree of the polynomial \(n \ge 1\) is a power of 2, which makes f(x) irreducible over the \(\mathbb {Z}\). Let \({R}= \mathbb {Z}[x]/\langle f(x) \rangle \) be the ring of integer polynomials modulo f(x) such that elements of \({R}\) can be represented by integer polynomials of degree less than n. Let \(q \equiv 1 \mod 2n\) be a sufficiently large public prime modulus (bounded by a polynomial in n), and let \({R}_q = \mathbb {Z}_q[x] / \langle f(x) \rangle \) be the ring of integer polynomials modulo both f(x) and q. The ring \({R}_q\) contains all the polynomials of degree less than n with coefficient in \(\mathbb {Z}_q\), along with two operations, polynomial addition and multiplication modulo f(x).

Let \(\chi \) be the error distribution over \({R}\), which is concentrated on small elements of \({R}\). See [35] for details of the error distribution for the security and the correctness of the system. We denote \(\mathbb {D}_{s,\chi }\) as the ring-LWE distribution over \({R}_q^2\), obtained by choosing uniformly random \(a \leftarrow {R}_q\) and \(e \leftarrow \chi \), and outputs \((a, a \cdot r + e )\) for some \(r \leftarrow {R}_q\).

Decision ring-LWE Problem. The decision version of ring-LWE is to distinguish between two distributions, \(\mathbb {D}_{ s,\chi }\), for uniformly random \(s \leftarrow {R}_q\) and a uniformly random distribution in \({R}_q \times {R}_q\) (denoted by \(U_{{R}_q \times {R}_q}\)), given a poly(n) number of independent samples. More formally,

Definition 2

(Decision ring-LWE Assumption). The decision ring-LWE problem for \(n,q,\chi \) is to distinguish the output of \(\mathcal {O}^{\mathbb {D}_{ s,\chi }}\) oracle from the output of an oracle \(U_{{R}_q \times {R}_q}\) that returns uniform random samples from \({R}_q \times {R}_q\). If A is an algorithm, the advantage of A is defined as

$$\begin{aligned} Adv^{drlwe}_A = |\Pr [A^{\mathcal {O}^{\mathbb {D}_{ s,\chi }}}(\cdot )] - \Pr [A^{\mathcal {O}^{U_{{R}_q \times {R}_q}}}(\cdot )]|. \end{aligned}$$

The decision ring-LWE assumption states that for given values of n, q, and \(\chi \), for every PPT adversary A, \(Adv^{drlwe}_A\) is negligible in the security parameter \(\lambda \).

The hardness results for the LWE problem are described in [35, 40, 44]. Brakerski et al. [7] show the classical hardness of the LWE problem. Ding et al. [13] mention that for any \(t \in \mathbb {Z}^{+}\), such that \(gcd(t,q)=1\), the LWE assumption still holds if we choose \(b = \langle \mathbf {a}, \mathbf {r} \rangle + t e\). We use \(t=2\) for our construction.

It is important to note that ring-LWE samples are pseudorandom even when the secret r is chosen from the error distribution [1, 37]. Ducas et al. [17] show that the ring-LWE problem is hard in any ring \(\mathbb {Z}[x]/\langle \varPhi _m \rangle \), for any cyclotomic polynomial \(\varPhi _m(x)\).

Robust Extractors. One of the important problems with the lattice-based key exchange protocols is the error correction (or reconciliation) of the shared secret. In literature, there are different methods [13, 20] to agree on a shared secret from noisy shared secret values. For our construction we adopt the method due to Ding et al. [13] and recall the corresponding concept of robust extractors and the signal functions below.

Definition 3

(Robust Extractors). An algorithm \(f(\cdot )\) is a robust extractor on \(\mathbb {Z}_q\) with error tolerance \(\delta \) with respect to a hint function \(h(\cdot )\) if:

  • \(f(\cdot )\) takes an input \(x \in \mathbb {Z}_q\) and a signal \(\alpha \in \{0,1\}\), and outputs \(k = f(x, \alpha ) \in \{0,1\}\).

  • \(h(\cdot )\) takes an input \(y \in \mathbb {Z}_q\) and outputs a signal value \(\alpha = h(y) \in \{0,1\}\).

  • \(f(x,\alpha ) = f(y,\alpha )\), for any \(x,y \in \mathbb {Z}_q\), such that \((x-y)\) is even and \(|x-y| \le \delta \), where \(\alpha = h(y)\).

We use the robust extractor as described in  [13]. For \(q > 2\) define \(\alpha _0: \mathbb {Z}_q \rightarrow \{0,1\}\) and \(\alpha _1: \mathbb {Z}_q \rightarrow \{0,1\}\) as follows:

$$\begin{aligned} \alpha _0(x)&= {\left\{ \begin{array}{ll} 0,&{} \text {if } x \in [-\lfloor \frac{q}{4} \rfloor ,\lfloor \frac{q}{4}\rfloor ];\\ 1, &{} \text {otherwise}. \end{array}\right. } \ \alpha _1(x)&= {\left\{ \begin{array}{ll} 0,&{} \text {if } x \in [-\lfloor \frac{q}{4} \rfloor + 1,\lfloor \frac{q}{4}\rfloor + 1];\\ 1, &{} \text {otherwise}. \end{array}\right. } \end{aligned}$$

The hint algorithm \(h(\cdot )\) generates the signal \(\alpha \) for some \(y \in \mathbb {Z}_q\) by tossing a random coin \(b \leftarrow \{0,1\}\) and computing \(\alpha = h(y) = \alpha _b(y)\). Finally the robust extractor computes the common value as:

$$\begin{aligned} f(x,\alpha ) = (x + \alpha \cdot \frac{q-1}{2}\mod q)\mod 2, \end{aligned}$$

where \(x \in \mathbb {Z}_q, |x-y| \le \delta \) and \(x-y\) is even. In [13], the authors prove that \(f(\cdot )\) is a randomness extractor with respect to \(h(\cdot )\) for an odd integer \(q > 8\) with error tolerance \(\delta = \frac{q}{4}-2\). Also if x is uniformly random in \(\mathbb {Z}_q\), then \(f(x,\alpha )\) is uniform in \(\{0,1\}\), where \(\alpha = h(x)\).

It is easy to extend this notion for ring settings. Any element in \({R}_q\) can be represented by a degree \(n-1\) polynomial. For example any \(a \in R_q\) can be written in the form \(a_0 + a_1x + \cdots + a_{n-1}x^{n-1}\). In that case the extractor can extract n bits from an element of \({R}_q\). We extend \(\alpha _{0}^{{R}}(a),\alpha _{1}^{{R}}(a): {R}_q \rightarrow {R}_2\) as follows:

$$\begin{aligned} \alpha _0^{{R}}(a) = \sum _{i=0}^{n-1} \alpha _0(a_i)x^i;\ \alpha _1^{{R}}(a) = \sum _{i=0}^{n-1} \alpha _1(a_i)x^i. \end{aligned}$$

The algorithm \(h^{{R}}(\cdot )\) can be defined in the same manner as \(h^{{R}}(a) = \alpha _b^{{R}}(a)\), for \(b \leftarrow \{0,1\}\). Similarly define the extractor in the ring settings \(f^{{R}}(a,\alpha ): {R}_q \rightarrow {R}_2\) as:

$$\begin{aligned} f^{{R}}(a,\alpha ) = (a + \alpha \cdot \frac{q-1}{2}\mod q)\mod 2. \end{aligned}$$

Authenticated Key Exchange in the Lattice Setting. Fujioka et al. [19] provide the first \(CK^+\) secure [9, 19, 31] authenticated key exchange (AKE) protocol from a key-encapsulation mechanism (KEM) based on ring-LWE problem in the standard model. However due to the huge communication cost (\(\approx 139625\) bytes) their lattice-based AKE is not suitable for real-world applications. In [20], Fujioka et al. propose a generic construction for AKE from OW-CCA KEMs in random oracle model. When instantiated with ring-LWE settings, their AKE protocol gives a much more efficient solution to the problem. Still, communication cost for [20] reaches about 10075 bytes. Peikert [41] proposes a new low-bandwidth error correction technique for ring-LWE based key exchange, and provides practical lattice based protocols for key transport and AKE. Ding et al. [13] propose another method for error correction and design a passively secure DH-like key exchange scheme based on both the LWE and the ring-LWE problem. Zhang et al. [49] extend the above AKE protocol to ideal lattice settings, and their lattice-based AKE protocol gives weak perfect forward secrecy in the Bellare-Rogaway model [4]. Recently Bos et al. [6] demonstrate the practicality of using ring-LWE based key exchange protocols in real life systems. They employ lattice-based key exchange in TLS protocol. Their implementation reveals that the performance price for switching from pre-quantum-safe to post-quantum-safe key exchange is not too high and can already be considered practical, which further motivates our efforts towards defining a 1W-AKE protocol in the lattice setting.

3 1W-AKE Security Definition

Goldberg et al. [25] define the security requirements for a one-way authenticated key exchange (1W-AKE) protocol, which are refined in [3]. In this section we recall the security requirements for a 1W-AKE protocol between an anonymous client and an authenticated node.

A 1W-AKE protocol is a tuple of ppt algorithms \(({\mathsf {SetUp}},\) \( {\mathsf {Init}}, {\mathsf {Resp}}, {\mathsf {CompKey}})\), where \({\mathsf {SetUp}} \) generates the system parameters and the static long-term keys for the node. The client calls \({\mathsf {Init}} \) to initiate the 1W-AKE protocol and the node uses \({\mathsf {Resp}} \) to respond to an \({\mathsf {Init}} \). Finally, the client uses \({\mathsf {CompKey}} \) to verify the key-confirmation message and compute the key. We assume that a PKI is given, that means for a node N all parties \(\{P_1, \ldots , P_m \}\) can obtain a certified public key \(pk_{N}\).

Along with protocol correctness, a secure 1W-AKE protocol should respect the following properties:

  • 1W-AKE Security. An attacker should not learn anything about the session key of an uncompromised session, even if it completely compromises several other sessions, introduces fake identities or even learn some uncompromised session secret.

  • 1W-anonymity. A node should not be distinguish between communicating with two different clients.

Fig. 1.
figure 1

W-AKE Security Challenger: \({\mathsf {Ch}} ^{{ \textsc {ke}}} _b(1^\lambda )\), where \(\lambda \) is the security parameter. If any invocation outputs \(\bot \), the challenger erases all session-specific information for that session and aborts that session. [3]

Full size image

3.1 Correctness

In a 1W-AKE protocol an anonymous client (denoted by \(\circledast \)) tries to establish a shared secret key with a node N. The client calls \({\mathsf {Init}} (N,pk_N,cs)\), which returns an output message m, session id \(\varPsi \) and session state st. The client sends m to N. \({\mathsf {Init}} \) takes a queue cs as input, where cs stores already chosen keys. If cs is empty then \({\mathsf {Init}} \) generates a fresh output message m. In response, N runs \({\mathsf {Resp}} (sk_N, N, m,cs)\) and outputs \((m',(k,\circledast ,\overrightarrow{v}), \varPsi _N)\), where \(m'\) is the response message to the client, k is the session key computed by N, and \(\overrightarrow{v}\) contains ephemeral public keys for the session \(\varPsi _N\). On receiving \(m'\), the client computes \((k',N,\overrightarrow{v}')\) by calling \({\mathsf {CompKey}} (pk_N, \) \(m', \varPsi , st)\), where \(k'\) is the session key computed by the client and \(\overrightarrow{v}'\) is the list of ephemeral public keys. An 1W-AKE protocol is correct if for every party N:

$$\begin{aligned} \Pr [&(m,st,\varPsi ) \leftarrow {\mathsf {Init}} (N,pk_N,cs), (m',(k,\circledast ,\overrightarrow{v}),\varPsi _N) \leftarrow {\mathsf {Resp}} (sk_N, N, m,cs),\\&(k',N,\overrightarrow{v}') \leftarrow {\mathsf {CompKey}} (pk_N, m', \varPsi , st): k=k' \wedge \overrightarrow{v}=\overrightarrow{v}')] =1. \end{aligned}$$

3.2 1W-AKE Security

The goal of the adversary in the 1W-AKE security experiment is to distinguish the session key of an uncompromised session from a random key. It requires an active attacker to not learn anything about the key or be able to impersonate an honest node.

In the security game, a challenger \({\mathsf {Ch}} ^{{ \textsc {ke}}} \) represents honest parties \((P_1,\ldots ,P_m)\) and allows the attacker a fixed set of queries described in Fig. 1. The challenger internally runs the 1W-AKE algorithm, and simulates each party. For the challenge, the adversary asks \({\mathsf {Ch}} ^{{ \textsc {ke}}} \) for the session key of an uncompromised session \(\varPsi \) for a party P by querying \(test^P(\varPsi )\) (one time query). \({\mathsf {Ch}} ^{{ \textsc {ke}}} \) sends the correct session key or a randomly chosen session key to the attacker with equal probability. The attacker’s task is to determine whether the given key corresponds to the real session \(\varPsi \) or is random.

For triggering the initiation session, triggering the response to a key exchange, and for completing a key exchange, the challenger allows the adversary to query \({\mathsf {{send}}} ^P(\cdot ,m)\). For the compromising parties, the attacker can ask the following queries:

  • \({\mathsf {reveal\_next}} ^P\): ask the party P to reveal the next public key that will be chosen.

  • \({\mathsf {partner}} ^P(X)\): ask for the secret key for a public key X.

  • \({\mathsf {sk\_reveal}} ^P(\varPsi )\): ask for the session key of a session \(\varPsi \).

  • \({\mathsf {establish\_certificate}} (N, pk_N)\): register new long-term public keys \(pk_N\) for an unused identity N.

The challenger maintains several variables for each party P:

  • \({ params } \) stores public parameters for the AKE protocol.

  • \({ ake\_st } ^P(\varPsi )\) stores the key exchange state for the party P in the session \(\varPsi \). It contains ephemeral keys that will be deleted after the completion of the key exchange.

  • \({ result\_st } ^P(\varPsi )\) stores the resulting state for the party P for a completed session \(\varPsi \). This result state contains the established session key k, the identity of the peer party, which is \(\circledast \) if the peer is anonymous, otherwise the identity of the peer. A state st that typically contains two vectors \(\overrightarrow{v_0},\overrightarrow{v_1}\) that contain the ephemeral and the long-term public keys used for establishing the session key of \(\varPsi \).

The attacker is a \({\mathsf {partner}} \) of a public key X if one of the following conditions hold:

  • X has not been used yet.

  • X is the public key that the attacker registered using a establish_certificate (N,X) query.

  • X was the response of a \({\mathsf {{send}}} ^P\) or \({\mathsf {reveal\_next}} ^P\) query and there is a successive query \({\mathsf {partner}} ^P(X)\).

In order to prevent the attacker from trivially winning the game, Goldberg et al. [25] propose the freshness notion for the challenge session. A challenge session is 1W-AKE fresh if the following conditions hold:

  1. 1.

    Let \((k, N, st) = { result\_st } ^P(\varPsi )\). For every vector \(\overrightarrow{v_i}\) in st there is at least one element X in \(\overrightarrow{v_i}\) such that the attacker is not a \({\mathsf {partner}} \) of X.

  2. 2.

    If \({ ake\_st } ^P(\varPsi )=(\overrightarrow{v},N)\) for the challenge session \(\varPsi \), the adversary did not issue \({\mathsf {sk\_reveal}} ^N(\varPsi ')\), for any \(\varPsi '\) such that \({ ake\_st } ^N(\varPsi ')=(\overrightarrow{v},\circledast )\).

After a successful key exchange with a party N, an anonymous client outputs a tuple \((k,N,\overrightarrow{v_0},\overrightarrow{v_1})\), where k is the session key. \(\overrightarrow{v_0},\overrightarrow{v_1}\) is the transcript of the protocol. The node N outputs \((k,\circledast ,\overrightarrow{v_0},\overrightarrow{v_1})\) to denote that the peer party is anonymous.

Definition 4

(1W-AKE Security). Let \(\lambda \) be a security parameter and let the number of parties \(m \ge 1\). A protocol \(\pi \) is said to be 1W-AKE secure if, for all probabilistic polynomial time (ppt) adversaries A, the advantage \(Adv_{A}^\textit{1w-ake}(\pi ,\lambda ,m)\) that A distinguishes a session of a 1W-AKE fresh session from a randomly chosen session key is negligible in \(\lambda \), where \(Adv_{A}^\textit{1w-ake}(\pi ,\) \(\lambda ,m)\) is defined as:

$$\begin{aligned} Adv_{A}^\textit{1w-ake}(\pi ,\lambda ,m) = |Pr(A(trans(\pi ),k)=1) - Pr(A(trans(\pi ),k')=1|, \end{aligned}$$

where \(trans(\pi )\) is the transcript of the protocol, k is the real session key and \(k'\) is the random session key.

Forward Secrecy. In key exchange forward secrecy ensures that a session key derived from long-term keys remains secret even if the long-term keys are compromised in the future. A 1W-AKE secure protocol provides forward secrecy if the long-term public keys of the participating parties appear in the output vector of the protocol [25]. In that case the adversary can be \({\mathsf {partner}} \) with a long-term public key, ensuring forward secrecy in the security game.

3.3 One-Way Anonymity

The purpose of one-way anonymity is that an adversary (even a node) cannot guess which client is participating in the key exchange. The client always knows that it is participating in a key exchange protocol with the node, but from the node’s point of view (or from the point of view of other nodes), the participating client must be anonymous. The proof for the 1W-anonymity property of our protocol is exactly the same as the proof of the 1W-anonymity of \({\mathsf {ntor}}\)  [25], and we refer the reader to [25] for the security definition and 1W-anonymity proof.

4 Our Protocol

In this section we describe the \({\mathsf {HybridOR}}\) protocol, a hybrid lattice-based onion routing protocol. We call this protocol hybrid as the long-term part of the key comes from a DH key exchange, whereas the ephemeral part of the key comes from a lattice based key exchange. Hence the security of the protocol essentially depends on the hard problems in either setting, namely the hardness of the GDH problem from the \({\text {DLog}}\) setting or the hardness of the ring-LWE problem from the lattice-based setting.

Fig. 2.
figure 2

A detailed description of the \({\mathsf {HybridOR}}\) protocol

Full size image

In our \({\mathsf {HybridOR}}\) protocol, The client generates fresh ephemeral keys \(p_C \in {R}_q\) and \(g^x \in \mathbb {G}\) and sends them to the node. The node generates a fresh ephemeral key \(p_N \in {R}_q\) and computes \(k_{1N} = p_C r_N + t e_N' \approx a r_C r_N\), a signal value \(\alpha = h^{{R}}(k_{1N})\). The node sends \(p_N\) and \(\alpha \) to the client. The client computes \(k_{1C} = p_N r_C + t r_C' \approx a r_C r_N\). Recall that \(t=2\). The client and node approximately agree on the shared secret value \(k_{1C}\) and \(k_{1N}\). To achieve exact agreement on the shared secret from the approximate shared secret, the robust extractor \(f^{{R}}(\cdot )\) is used. The client and node compute the shared secret \(k_1\), \(k_2\), and sk as follows:

$$\begin{aligned}&k_1 = f^{{R}}(k_{1N},\alpha ),\ k_2 = (g^x)^s,\ sk = H_1(k_1)\oplus H_2(k_2)\ \text {(node-side)} \\&k_1 = f^{{R}}(k_{1C},\alpha ),\ k_2 = (g^s)^x,\ sk = H_1(k_1)\oplus H_2(k_2)\ \text {(client-side)} \end{aligned}$$

4.1 Construction

Figure 2 provides a detailed description of the \({\mathsf {HybridOR}} \) protocol. The node N runs the \({\mathsf {SetUp}} \) algorithm (see Sect. 2.1) to generate the system parameters. In \({\mathsf {HybridOR}} \) the \({\mathsf {SetUp}} \) algorithm can be seen as a combination of two separate \({\mathsf {SetUp}} \) algorithms. One part generates the system parameters for the DH-like key exchange (as in [3, 25]) and the other part generates the parameters for the lattice based settings (as in [13]).

The \({\mathsf {SetUp}} \) algorithm generates a group \(\mathbb {G}\) with large prime order p, where the GDH [38] problem is hard. Let \(g \in \mathbb {G}\) be the generator of the group. The Setup algorithm further generates the public parameters for the lattice based settings as described in Sect. 2.3. It publishes the dimension n, the prime modulus q, the description of the ring \({R}\) and the error distribution \(\chi \) in the public parameter.

The node samples \(a \leftarrow {R}_q\) and \(s \leftarrow \mathbb {Z}_p^*\), computes \(g^s\), and publishes \(({R},n,q,t,\chi ,\) \(a,G,g,g^s)\) as the public parameter of the protocol. where \(g^s\) is the long term public key of the node with s as the secret key. The node also publishes \(H_{st}(\cdot ), H_1(\cdot ), H_2(\cdot )\) and a \(PRF(\cdot )\) in the public parameter, where \(H_{st}(\cdot )\) is a collision-resistant hash function, \(H_1(\cdot )\) is a randomness extractor and \(H_2(\cdot )\) is a random oracle. The \(PRF(\cdot )\) is a pseudorandom function that is used to generate the key confirmation message. Note that according to [18], we instantiate a randomness extractor with HMAC. However, we can also use the key derivation function HKDF [32] to instantiate \(H_1\).

To initiate a new key exchange session the anonymous client C calls the \({\mathsf {Init}} \) algorithm. \({\mathsf {Init}} \) randomly samples \(r_C\) and \(e_C\) from the error distribution \(\chi \) and x from \(\mathbb {Z}_p^*\). It computes the ephemeral key pair as \(pk_C = (p_C, g^x)\) and \(sk_C = (r_C, x)\), where \(p_C = {a r_C + t e_C} \mod q\). \({\mathsf {Init}} \) sets the local session identifier as \(\psi _C = H_{st}(p_C,g^x)\), where \(H_{st}\) is a collision-resistant hash function. The session information of the client is stored in the variable \(st(\psi )\) as \(st(\psi _C) = ({\mathsf {HybOR}},\) \(N,r_C,\) \(p_C,x,g^x)\). \({\mathsf {Init}} \) generates the outgoing message \(m_C = ({\mathsf {HybOR}},\) \( N, p_C, g^x)\), and sends \((\psi _C, m_C)\) to the node N over the network.

In response to the message the node runs \({\mathsf {Resp}} \), which verifies whether \(p_C \in {R}_q\) and \(g^x \in \mathbb {G}\). On successful verification it randomly samples \(r_N\) and \(e_N\) from the error distribution \(\chi \) and computes \(p_N = {a r_N + t e_N} \mod q\). \({\mathsf {Resp}} \) outputs the ephemeral key pair \((p_N, r_N)\), where \(p_N\) is the public part and \(r_N\) remains secret to the node. \({\mathsf {Resp}} \) further samples \(e_N' \leftarrow \chi \) and computes \(k_{1N} = {p_C r_N + t e_N'} \mod q\) and \({\alpha } = h^{{R}}(k_{1N})\). \(h^{{R}}(\cdot )\) is a randomized algorithm used to generate the signal value \(\alpha \), as described in Sect. 2.3. To ensure the correctness of the shared secret computation, N sends \({\alpha }\) to the client [13]. The node computes the short-term shared secret (\(k_1\)) and the long-term shared secret (\(k_2\)) as:

$$\begin{aligned}&k_1 = f^{{R}}(k_{1N},\alpha ),\ k_2 = (g^x)^s = g^{xs}, \end{aligned}$$

where \(f^{{R}}(\cdot )\) is the robust extractor as defined in Sect. 2.3. By short-term shared secret we mean the shared secret computed using the client’s ephemeral key and node’s ephemeral key. By long-term shared secret we mean the shared secret computed by using the client’s ephemeral key and node’s long-term or static key.

The node computes the session key sk, the PRF key \(sk_m\) and the key confirmation message \(t_N\) as:

$$\begin{aligned} (sk_m, sk) =&H_1(k_1,p_C,p_N,N,{\mathsf {HybOR}}) \oplus H_2(k_2, g^x, g^s, N, {\mathsf {HybOR}})\\ t_N =&PRF(sk_m, N, p_N, {\alpha }, p_C, g^x, {\mathsf {HybOR}}, {\mathsf {node}}). \end{aligned}$$

The tag \(t_N\) provides only a means for the key confirmation. \({\mathsf {Resp}} \) returns the session identifier \(\psi _N = H_{st}(p_N,\alpha )\) and a message \(m_N = ({\mathsf {HybOR}}, p_N,\alpha ,t_N)\). The node sends \((\psi _N, m_N)\) to the client. The node completes the session by deleting \((r_N,e_N,e_N')\) and outputting \((sk, \circledast , (\overrightarrow{v_0},\overrightarrow{v_1}))\), where \(\overrightarrow{v_0} = \{p_C, g^x\}\) and \(\overrightarrow{v_1}=\{p_N, g^s\}\). \(\circledast \) denotes that the identity of the client is not known to the node.

On receiving the message \((\psi _N, m_N)\) for the session \(\psi _C\), the client C calls the algorithm \({\mathsf {CompKey}} \) to compute the session key. \({\mathsf {CompKey}} \) first checks whether the session \(\psi _C\) is active; if so, it retrieves the required session information, namely \(r_C\), \(p_C\), x, \(g^x\) from \(st(\psi _C)\). Then it checks whether \(p_N \in {R}_q\). After successful verification \({\mathsf {CompKey}} \) computes the shared secrets \(k_1\), \(k_2\) as follows:

$$\begin{aligned}&k_{1C} = {p_N r_C + t e_C} \mod q,\\&k_1 = f^{{R}}(k_{1C},\alpha ),\ k_2 = (g^s)^x = g^{xs}. \end{aligned}$$

The client computes \((sk_m, sk) = H_1(k_1,p_C,p_N,\) \(N,{\mathsf {HybOR}})\oplus H_2(k_2,\) \(g^x, g^s, N, \) \({\mathsf {HybOR}})\), where sk is the session key and \(sk_m\) is the PRF key. It verifies the key-confirmation message \(t_N\) using the key \(sk_m\). After that the client completes the session \(\psi _C\) by deleting \(st(\psi _C)\) and outputting \((sk, N, (\overrightarrow{v_0},\overrightarrow{v_1}))\), where \(\overrightarrow{v_0} = \{p_C,g^x\}\) and \(\overrightarrow{v_1}=\{p_N, g^s\}\). If any verification fails during the session execution, the party erases all session-specific information and aborts the session.

In Fig. 3 in Appendix A, we compare \({\mathsf {HybridOR}}\) with the \({\mathsf {ntor}}\) and Ace protocols in the literature.

Correctness. To analyze the correctness of \({\mathsf {HybridOR}} \), we can see \({\mathsf {HybridOR}} \) as a combination of two key exchange protocols, namely the Diffie-Hellman key exchange protocol and the lattice-based protocol by Ding et al. [13]. Hence the correctness of \({\mathsf {HybridOR}} \) directly follows from the correctness of DH key exchange and the correctness of the lattice-based protocol [13].

For the DH part, the node computes \((g^x)^s = g^{xs}\) and the client computes \((g^s)^x = g^{xs}\). Further, both client and node computes \(H_2(g^{xs}, g^x, g^s, N, {\mathsf {HybOR}})\). For the lattice part the node computes \(k_{1N} = p_C r_N + t e_N' \approx a r_C r_N\) and the client computes \(k_{1C} = p_N r_C + t e_C \approx a r_C r_N\). The node also computes \({\alpha } = h^{{R}}(k_{1N})\) and sends it to the client. The client and node use \(\alpha \) to make sure that the shared secret \(k_1\) computed from \(k_{1N}\) (for the node) and \(k_{1C}\) (for the client) do not produce different results in modulo operation. They use the robust extractor \(f^{{R}}(\cdot )\) (see Sect. 2.3) and compute \(k_1 = f^{{R}}(k_{1N},\alpha ) = f^{{R}}(k_{1C},\alpha )\). More details of the robust extractor can be found in [13]. After computing the shared secret \(k_1\) the client and node both computes \(H_1(k_1,p_C,p_N,N,{\mathsf {HybOR}})\). Further, from both parts of the shared secret they compute the session key and PRF key for the protocol as \((sk_m, sk) = H_1(k_1,p_C,\) \(p_N,N,{\mathsf {HybOR}}) \oplus H_2(g^{xs}, g^x, g^s, N, {\mathsf {HybOR}})\).

5 Security Analysis

5.1 Type of Adversary

To analyze the 1W-AKE security of our protocol, we consider three types of 1W-AKE adversaries. We classify the type of adversary depending on the power of the adversary in the test session. For all other sessions the adversary can be partner to any public values, after respecting the freshness condition of the 1W-AKE security game.

  • Type-I Adversary. The first type of adversary cannot be partner to any of the public values in the test session. By proving security against this kind of adversary we show that an active adversary without the knowledge of any secret values used in the test session cannot learn anything about the session key.

  • Type-II Adversary. The second type of adversary can be the partner with only the ephemeral public key from a node N in the test session. By proving the security against this kind of adversary we give the security guarantee of the protocol against a man-in-the-middle adversary trying to impersonate the node N to the client.

  • Type-III Adversary. The third type of adversary can be partner with only the long term public key in the test session. This gives the guarantee of forward security of the protocol; i.e., even if some information about the long-term private key is known to the adversary, the adversary cannot learn any information about the already created session key.

5.2 Security Against Type-I Adversary

We show that \({\mathsf {HybridOR}}\) is secure against Type-I adversary under either the GDH or the ring-LWE assumption. The motivation of this security theorem is to show that even if the ring-LWE assumption or the GDH assumption (but not both) is broken, \({\mathsf {HybridOR}}\) remains secure against Type-I adversary.

Theorem 1

The protocol \({\mathsf {HybridOR}}\) is 1W-AKE secure against a PPT Type-I adversary under the GDH or the ring-LWE assumption, considering \(H_1\) as randomness extractor and \(H_2\) as random oracle. More precisely, for any PPT Type-I adversary A,

$$\begin{aligned} Adv_A^\textit{1w-ake} \le \min (Adv_{A \circ B_{0,1}}^\textit{drlwe} + Adv_{A \circ B_{1,2}}^\textit{drlwe}, Adv_{A \circ B'}^\textit{GDH}), \end{aligned}$$

where \(B_{0,1}\), \(B_{1,2}\) and \(B'\) are the reduction algorithms as described in the proof.

Proof

To prove the security against a Type-I adversary, first we define a sequence of three games \(G_0\) to \(G_2\). Let \(E_i\) be the event that the adversary guesses bit \(b^*\) in game \(G_i\).

\(G_0\): This is the original 1W-AKE security game, where the reduction algorithm B generates all the public values honestly in all the sessions.

\(G_1\): This game is identical to \(G_0\), except here \(p_C\) is generated uniformly at random in the test session.

\(G_2\): This game is similar to \(G_1\), except here \(p_N\) is generated uniformly at random in the test session and also the test session secret \(k_1\) is generated uniformly at random.

As \(G_0\) is the real 1W-AKE game, we can bound \(\Pr (E_0)\) as

$$\begin{aligned} Adv_A^\textit{1w-ake} = |\Pr (E_0) - 1/2|. \end{aligned}$$
(1)

Lemma 1

No PPT Type-I adversary can distinguish between \(G_0\) and \(G_1\) under the decision ring-LWE assumption, if \(H_1\) is a randomness extractor and \(H_2\) is a random oracle.

Proof

If there exists a PPT Type-I adversary A that can distinguish between \(G_0\) and \(G_1\), then we can construct a PPT reduction algorithm \(B_{0,1}\) that can efficiently distinguish between tuples from a ring-LWE distribution and a uniform distribution.

In \(G_0\), \((a, p_C)\) are samples from a ring-LWE distribution, such that \(p_C = a r_C + t e_C\). In \(G_1\), \((a, p_C)\) are samples from a uniform distribution over \(R_q \times R_q\). Under the decisional ring-LWE assumption these two distributions are indistinguishable.

Solving Decision ring-LWE. To simulate the 1W-AKE challenger for A the reduction algorithm \(B_{0,1}\) guesses \(\psi _i\) to be the test session. In the test session it honestly generates \((\mathbb {G},g,g^x,g^s)\). \(B_{0,1}\) also takes a pair \((a_0,u_0)\) from the ring-LWE challenger and sets \(a = a_0\) and \(p_C = u_0\). Now if \((a_0, u_0)\) is a ring-LWE sample, then there exists an \(r_C, e_C \in \chi \) such that \(p_C = a r_C + t e_C\) and in that case the output of \(B_{0,1}\) is distributed exactly as in \(G_0\). Whereas if \((a_0,u_0)\) is sample from a uniform distribution over \(R_q^2\), \(B_{0,1}\) simulates \(G_1\) for A. Thus, if A can distinguish \(G_0\) from \(G_1\), then \(A \circ B_{0,1}\) can distinguish ring-LWE samples from samples from a uniform distribution over \(R_q^2\). Thus if A can distinguish \(G_0\) from \(G_1\), \(A \circ B_{0,1}\) can solve the decision ring-LWE problem. Hence,

$$\begin{aligned} |\Pr (E_0) - \Pr (E_1) | \le Adv_{A \circ B_{0,1}}^\textit{drlwe}. \end{aligned}$$
(2)

\(\square \)

Lemma 2

No PPT Type-I adversary can distinguish between \(G_1\) and \(G_2\) under the decision ring-LWE assumption, if \(H_1\) is a randomness extractor and \(H_2\) is a random oracle.

Proof

If there exists a PPT Type-I adversary A that can distinguish between \(G_1\) and \(G_2\), then we can construct an PPT reduction algorithm \(B_{1,2}\) that can efficiently distinguish between tuples from a ring-LWE distribution and a uniform distribution.

In \(G_1\), \((a, p_N)\) are samples from a ring-LWE distribution, such that \(p_N = a r_N + t e_N\). In \(G_2\), \((a, p_N)\) are samples from a uniform distribution over \({R}_q \times {R}_q\). Under the decisional ring-LWE assumption these two distributions are indistinguishable. In \(G_2\), \(k_1\) is also distributed as a random element from \({R}_q\). In both the cases \(p_C\) is uniformly distributed over \({R}_q\).

Solving Decision ring-LWE. To simulate the 1W-AKE challenger for A the reduction algorithm \(B_{1,2}\) guesses \(\psi _i\) to be the test session. In the test session it honestly generates \((\mathbb {G},g,g^u,g^v)\). \(B_{1,2}\) also takes \(\{(a_0,u_0),(a_1,u_1)\}\) from the ring-LWE challenger and sets \(a = a_0\), \(p_C = a_1\), \(p_N = u_0\) and \(k_1 = u_1\). Now if \(\{(a_0,u_0),(a_1,u_1)\}\) are ring-LWE samples, then there exist \(r_N, e_N, e_N' \in \chi \) such that \(p_N = a r_N + t e_N\) and \(k_1 = p_C r_N + t e_N'\). In that case the output of \(B_{1,2}\) is distributed exactly as in \(G_1\). Whereas if \(\{(a_0,u_0),(a_1,u_1)\}\) are samples from uniform distribution over \(R_q^2\), \(B_{1,2}\) simulates \(G_2\) for A. Thus, if A can distinguish \(G_1\) from \(G_2\), then \(A \circ B_{1,2}\) can distinguish ring-LWE samples from samples from uniform distribution over \(R_q^2\).

Thus if a PPT Type-I adversary A can distinguish between \(G_1\) and \(G_2\), then we can construct a reduction \(B_{1,2}\) which can efficiently solve the ring-LWE problem. As a result we can write,

$$\begin{aligned} |\Pr (E_1) - \Pr (E_2) | \le Adv_{A \circ B_{1,2}}^\textit{drlwe}. \end{aligned}$$
(3)

\(\square \)

Analysis of \(G_2\). In \(G_2\) the adversary has to guess a \(b^*\) in the 1W-AKE game to distinguish between the real session key sk and randomly chosen session key \(sk'\). As \(p_C\), \(p_N\) and \(k_1\) are chosen uniformly at random from \({R}_q\), and \(H_1(\cdot )\) is a randomness extractor, the resulting session key sk is uniformly distributed over the key space. On the other hand, \(sk'\) is also chosen uniformly from the key space. As a result, the adversary has no information about \(b^*\), and hence

$$\begin{aligned} \Pr (E_2) = 1/2. \end{aligned}$$
(4)

By combining Eqs. (1)–(4), we can write:

$$\begin{aligned} Adv_A^\textit{1w-ake} \le Adv_{A \circ B_{0,1}}^\textit{drlwe} + Adv_{A \circ B_{1,2}}^\textit{drlwe}. \end{aligned}$$
(5)

Lemma 3

The protocol \({\mathsf {HybridOR}}\) is 1W-AKE secure against a PPT Type-I adversary under the GDH assumption in the random oracle model.

Proof

If there exists a PPT Type-I adversary A that can break the 1W-AKE security of the protocol, then we can construct a PPT reduction algorithm \(B'\) against the GDH challenger. A is allowed to make a polynomial number (\(poly(\lambda )\)) of session queries. \(B'\) also simulates the random oracle \(H_2\). Let \(\{\mathbb {G},g,g^u,g^v\}\) be the GDH challenge. \(B'\) has to compute \(g^{uv}\) in order to win the game.

The algorithm \(B'\) guesses \(\psi _i\) to be a test session. To simulate the \(\psi _i\), C runs the \({\mathsf {SetUp}} \) and generates \(({R},n,q,t,\chi )\). It uses the group G and generator g from the GDH challenger in the public parameters. \(B'\) samples \(a \leftarrow {R}\) sets \((a,g^u)\) as the static key pair of the server and simulates \(\psi _i\) session by setting:

$$\begin{aligned}&g^x = g^v,\ (p_C)_i = a r_C + t e_C,\ (p_N)_i = a r_N + t e_N,\\&(K_1)_i = (p_C)_i r_N + t e_N', ({\alpha })_i = Signal((k_1)_i), \end{aligned}$$

where, \(r_C, r_N, e_C, e_N, e_N' \in _r \chi \). \(B'\) tosses a coin and chooses \(b\in _r \{0,1\}\). If \(b = 0\) then \(B'\) computes the session key by computing \(H_1((k_1)_i,(p_C)_i,(p_N)_i,N,\) \({\mathsf {HybOR}}) \oplus H_2(\cdot , g^x, g^u, N, {\mathsf {HybOR}})\), where \(H_1(\cdot )\) is a randomness extractor and B programs \(H_2(\cdot )\) as a random oracle. B sends the session key to A. If \(b = 1\) then B sends a random session key to A.

But in order to compute the correct test session key and to win the game, A has to query the random oracle \(H_2(\cdot )\) with the same input. Otherwise A cannot distinguish a real session key from a random one, as \(H_2(\cdot )\) is modeled as a random oracle. Whenever A makes a query \(H_2(Z , g^x, g^u, N, \) \({\mathsf {HybOR}})\) for some \(Z\in \mathbb {G}\), \(B'\) asks the DDH oracle whether \((g^x,g^v,Z)\) is a valid DDH tuple. If that is the case, then \(Z = g^{uv}\) and \(B'\) sends the answer to the GDH challenger. Clearly the reduction \(B'\) is efficient. \(B'\) has to guess the test session with probability \(1/poly(\lambda )\), so if A breaks the 1W-AKE protocol with non-negligible probability then \(B'\) will be able to solve the GDH problem with significant probability. Hence we can write,

$$\begin{aligned} Adv_A^\textit{1w-ake} \le Adv_{A \circ B'}^\textit{GDH}. \end{aligned}$$
(6)

Note that for all other sessions with the same server, the reduction \(B'\) has to simulate the protocol correctly without the knowledge of the private key u. If not managed properly, simulation may fail due to inconsistent \(H_2\) queries. \(B'\) uses the DDH oracle to respond consistently to the \(H_2\) queries and the \({\mathsf {sk\_reveal}} \) queries for the sessions that involve \(g^u\). In particular for \(H_2\) queries that involve \(g^s\), \(B'\) first verifies using the DDH oracle that the shared secret are computed honestly before responding with the session key.\(\square \)

Conclusion. By combining Eqs. (5) and (6), we prove the result.

Note that the Type-I adversary A cannot be partner to any of the public values in the test session only. For all other sessions it can be a partner to almost all values after respecting the freshness criterion. So in order to simulate a 1W-AKE challenger for the adversary A, the reduction perfectly simulates all other sessions. As a result the challenger can satisfy any kind of queries (see Sect. 3.2) from the A during the simulation.\(\square \)

5.3 Security Against Type-II Adversary

In this section we show that in the pre-quantum computing era (today) \({\mathsf {HybridOR}}\) is secure against PPT Type-II adversary. Here we consider an active adversary which can actually become a partner with the ephemeral key of the server. We show that even in that case the adversary will not be able to win the 1W-AKE game.

Theorem 2

The protocol \({\mathsf {HybridOR}}\) is 1W-AKE secure against a PPT Type-II adversary under the GDH assumption in the random oracle model.

The proof of Theorem 2 is shifted to the full version of the paper [22]. Notice that this theorem directly imply that a Type-II adversary can break the 1W-AKE security of \({\mathsf {HybridOR}}\) in a quantum world. As in the quantum world the Type-II adversary can compute the discrete log of the long term secret \(g^s\) and it is already partner to the ephemeral secret \(p_N\) in the test session. Hence the adversary can compute the session key and wins the 1W-AKE game.

In order to make this protocol secure against Type-II adversary in a quantum world we need replace the long term key with a quantum secure component. But in that case we cannot use our current DH public keys and subsequently requires modification to the current Tor public key infrastructure. So, in today’s scenario it is sufficient to follow the \({\mathsf {HybridOR}}\) design in the current form. As we can deploy this easily in the current Tor network.

5.4 Security Against Type-III Adversary

A more important question to ask now is whether \({\mathsf {HybridOR}}\) provides forward security in the post-quantum world. If not, then the privacy of today’s anonymous communication cannot be ensured once quantum computers arrive. We prove that \({\mathsf {HybridOR}}\) is forward secure if the ring-LWE problem is hard. The motive of this theorem is to show that by using \({\mathsf {HybridOR}}\) in Tor we can aim at the privacy of today’s anonymous communication even after quantum computers arrive.

Theorem 3

\({\mathsf {HybridOR}}\) is 1W-AKE secure against a PPT Type-III adversary under the ring-LWE assumption. More precisely, for any PPT Type-III adversary A,

$$\begin{aligned} Adv_A^\textit{1w-ake} \le Adv_{A \circ B_{0,1}}^\textit{drlwe} + Adv_{A \circ B_{1,2}}^\textit{drlwe}, \end{aligned}$$

where \(B_{0,1}\) and \(B_{1,2}\) are the reduction algorithms as described in the proof.

The proof intuition of Theorem 3 is discussed in the full version [22].

Quantum Safe Reduction. In [47] Song pointed out that a post-quantum secure scheme against a classical adversary does not immediately guarantee that the scheme is also secure against a quantum adversary. Song gives conditions under which a classical proof can be lifted to provide quantum security. One of the condition is that the classical reduction is a straight-line reduction. That means that the reduction runs the adversary from start to end without any rewinding or restarting. Our reductions against Type-III adversary are straight-line, hence they satisfy Song’s criterion for security against a quantum adversary.

6 Performance Analysis

We analyze the performance of \({\mathsf {HybridOR}}\), and compare it with the \({\mathsf {ntor}}\) protocol.

Parameters. To achieve computational efficiency and to reduce the size of the public parameters, in \({\mathsf {HybridOR}}\) we use an algebraic variant of LWE called ring-LWE [35]. Similar to other ring-LWE based protocols [6, 41, 49], the security and performance of \({\mathsf {HybridOR}}\) essentially depend on the three factors: n, q, and \(\beta \). Here, n is the degree of the irreducible polynomial f(x), q is the prime modulus and \(\beta = \sqrt{2 \pi } \sigma \) for the standard deviation \(\sigma \) of the error distribution \(\chi \).

Lindner and Peikert [33] show how the parameters \((n,q,\beta )\) affect the security and performance of lattice based systems. They choose parameter set (256, 4093, 8.35) for medium security level and claimed that to be comparable with 128-bit AES security. Nevertheless, several implementations of lattice-based cryptographic primitives [20, 46] use \(n=512\) to achieve high security. To be on the safer side, we also choose a high security level, and use parameter set (512, 1051649, 8.00) (as used in [46]) in our implementation for \({R}_q\).

For the \({\text {DLog}}\) group \(\mathbb {G}\), we use the elliptic curve cryptographic (ECC) setting with points (compressed form) of size \(p = 256\) bits, such as provided by Curve25519 [5].

Computation Cost. We assume that the elements \(r_C\), \(e_C\), \(p_C\) and \(g^x\) are precomputed on the client side, and the elements \(r_N\), \(e_N\), \(e'_N\), and \(p_N\) are precomputed on the node side, e.g. in idle cycles. In our analysis, they are received by the code as an input. In that case, to compute the session secret \(\{k_1,k_2\}\), the client and the node each have to perform 1 multiplication and 1 addition in \({R}_q\) and 1 exponentiation in \(\mathbb {G}\).

Multiplications over \({R}_q\) can be performed efficiently using an FFT-based algorithm [35], which takes \(O(n \log n)\) for a serial implementation and \(O(\log n)\) time for a parallel implementation [26]. It is important to observe that these multiplications are more efficient than exponentiation in \(\mathbb {G}\) (even in ECC settings). As a result the total computation cost of the node (with precomputation) is mainly dominated by exponentiation in \(\mathbb {G}\).

As a proof of concept, we implement our protocol in a machine with a 6-core Intel Xeon (W3690) processor, each core running at 3.47 GHz. We use the GMP [27] library and the Tor library to implement the protocol. The code is compiled with -O3 optimizations using gcc 4.6.3.

For our choice of parameter set (512, 1051649, 8.00) and ECC Curve25519, both the client and the node require \(\approx 150\mu s\) to compute the shared secret. The multiplication along with one addition in \({R}_q\) only requires \(\approx 50\mu s\), and the exponentiation in \(\mathbb {G}\) requires \(\approx 100\mu s\).

The \({\mathsf {ntor}}\) protocol in Tor requires two exponentiations in \(\mathbb {G}\) on both sides, and correspondingly requires \(\approx 200\mu s\) to compute the shared secret. As a result, our unoptimized proof-of-concept \({\mathsf {HybridOR}}\) implementation is nearly 1.5 times faster than the \({\mathsf {ntor}}\) protocol used in Tor. Note that, for \({\mathsf {ntor}}\), using some parallelization technique both the node and the client can reduce the computation cost to 1.33 exponentiations (for \(\lambda = 128\)) [3]; however, the current Tor implementation does not employ these.

Communication Cost. In the \({\mathsf {HybridOR}}\) protocol the client has to send an element \(g^x \in \mathbb {G}\) and an element \(p_C \in {R}_q\) to the node. We require 32 bytes to represent an element on Curve25519. On the other hand, for an element in \({R}_q\), we require at most \(1/8(n \lg q)\) bytes, which is around 1280 bytes for the chosen parameter set (512, 1051649, 8.0). Therefore, the client communicates 1312 bytes to the server.

On the other hand, the node has to send an element \(p_N \in {R}_q\), an n-bit signal \(\alpha \), and the key confirmation message of 32 bytes to the client. That requires a total of \(1/8(n \lg q + n) +32\) bytes. For the chosen parameter set (512, 1051649, 8.0), the node has to send about 1376 bytes to the client.

The current Tor implementation employs 512-byte cells; thus, for \({\mathsf {HybridOR}}\), the client and the node each will have to communicate three cells. In comparison, for the currently employed \({\mathsf {ntor}}\) protocol, a single cell from the client and the server suffices. However, it is possible to use smaller value for q without affecting the security, which can reduce the communication overhead of the protocol.

7 Conclusion

Lattice-based cryptographic protocols are supposed to offer resilience against attacks by quantum computers, and the recent efficient ring-based constructions also put them in the realm of the practical use. In this paper, we demonstrated their utility to onion routing. In particular, we have presented a novel lattice-based 1W-AKE protocol \({\mathsf {HybridOR}}\), which extracts its security from both the classically secure GDH assumption and the quantum-secure ring-LWE assumption. On one hand, we based its security against man-in-the-middle impersonation attacks only on the GDH assumption as we do not expect an adversary to have quantum capabilities today, and it allows us to leverage the current Tor PKI in its current form. On the other hand, we base its forward secrecy on the arguably quantum-secure ring-LWE assumption, which allows us to make \({\mathsf {HybridOR}}\) more efficient compared to the currently employed \({\mathsf {ntor}}\) protocol.

We also analyzed performance of our protocol in terms of its computation and communication cost for the 128-bit security setting. Our performance analysis demonstrates that post-quantum 1W-AKE can already be considered practical for use today.

Finally, we view our efficient \({\mathsf {HybridOR}}\) construction to be of independent interest to other authenticated key exchange protocols as well as anonymous communication scenarios over the Internet, and we plan to explore some those scenarios in the future.