Asynchronous Provably-Secure Hidden Services

  • Philippe Camacho
  • Fernando Krell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10808)


The client-server architecture is one of the most widely used in the Internet for its simplicity and flexibility. In practice the server is assigned a public address so that its services can be consumed. This makes the server vulnerable to a number of attacks such as Distributed Denial of Service (DDoS), censorship from authoritarian governments or exploitation of software vulnerabilities.

In this work we propose an asynchronous protocol for allowing a client to issue requests to a server without revealing any information about the location of the server. In addition, our solution reveals limited information about the network topology, leaking only the distance from the client to the corrupted participants.

We also provide a simulation-based security definition capturing the requirement described above. Our protocol is secure in the semi-honest model against any number of colluding participants, and has linear communication complexity.

Finally, we extend our solution to handle active adversaries. We show that malicious participants can only trigger a premature termination of the protocol, in which case they are identified. For this solution the communication complexity becomes quadratic.

To the best of our knowledge our solution is the first asynchronous protocol that provides strong security guarantees.



We appreciate the anonymous reviewers for their helpful comments. We would also like to thank Marijn Vriens (Dreamlab Technologies AG) and Stefano Debenedetti (Dreamlab Technologies AG) for thoughtful discussions regarding the deployment of the protocol in real world environments, and Cyel AG in Switzerland for the commercial partnership.


  1. 1.
    Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–90 (1981)CrossRefGoogle Scholar
  2. 2.
    Chaum, D.: The dining cryptographers problem: unconditional sender and recipient untraceability. J. Cryptol. 1(1), 65–75 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  3. 3.
    Pfitzmann, A., Pfitzmann, B., Waidner, M.: ISDN-mixes: untraceable communication with very small bandwidth overhead. In: Effelsberg, W., Meuer, H.W., Müller, G. (eds.) Kommunikation in Verteilten Systemen, pp. 451–463. Springer, Heidelberg (1991). CrossRefGoogle Scholar
  4. 4.
    Rackoff, C., Simon, D.R.: Cryptographic defense against traffic analysis. In: Proceedings of the Twenty-Fifth Annual ACM Symposium on Theory of Computing, pp. 672–681. ACM (1993)Google Scholar
  5. 5.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: the second-generation onion router. Technical report, Naval Research Lab, Washington DC (2004)Google Scholar
  6. 6.
    Murdoch, S.J., Danezis, G.: Low-cost traffic analysis of Tor. In: 2005 IEEE Symposium on Security and Privacy, pp. 183–195. IEEE (2005)Google Scholar
  7. 7.
    Levine, B.N., Reiter, M.K., Wang, C., Wright, M.: Timing attacks in low-latency mix systems. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 251–265. Springer, Heidelberg (2004). CrossRefGoogle Scholar
  8. 8.
    Serjantov, A., Sewell, P.: Passive attack analysis for connection-based anonymity systems. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 116–131. Springer, Heidelberg (2003). CrossRefGoogle Scholar
  9. 9.
    Zhu, Y., Fu, X., Graham, B., Bettati, R., Zhao, W.: On flow correlation attacks and countermeasures in mix networks. In: Martin, D., Serjantov, A. (eds.) PET 2004. LNCS, vol. 3424, pp. 207–225. Springer, Heidelberg (2005). CrossRefGoogle Scholar
  10. 10.
    Dolev, S., Ostrovsky, R.: Xor-trees for efficient anonymous multicast and reception. ACM Trans. Inf. Syst. Secur. 3(2), 63–84 (2000)CrossRefGoogle Scholar
  11. 11.
    Reiter, M.K., Rubin, A.D.: Crowds: anonymity for web transactions. ACM Trans. Inf. Syst. Secur. (TISSEC) 1(1), 66–92 (1998)CrossRefGoogle Scholar
  12. 12.
    Wright, M.K., Adler, M., Levine, B.N., Shields, C.: An analysis of the degradation of anonymous protocols. In: NDSS, vol. 2, pp. 39–50 (2002)Google Scholar
  13. 13.
    Shmatikov, V.: Probabilistic analysis of anonymity. In: 2002 15th IEEE Proceedings of the Computer Security Foundations Workshop, pp. 119–128. IEEE (2002)Google Scholar
  14. 14.
    Levine, B.N., Shields, C.: Hordes: a multicast based protocol for anonymity1. J. Comput. Secur. 10(3), 213–240 (2002)CrossRefGoogle Scholar
  15. 15.
    Goldschlag, D., Reed, M., Syverson, P.: Onion routing. Commun. ACM 42(2), 39–41 (1999)CrossRefGoogle Scholar
  16. 16.
    Overlier, L., Syverson, P.: Locating hidden servers. In: 2006 IEEE Symposium on Security and Privacy, p. 15. IEEE (2006)Google Scholar
  17. 17.
    Katti, S., Katabi, D., Puchala, K.: Slicing the onion: anonymous routing without PKI (2005)Google Scholar
  18. 18.
    Waidner, M.: Unconditional sender and recipient untraceability in spite of active attacks. In: Quisquater, J.-J., Vandewalle, J. (eds.) EUROCRYPT 1989. LNCS, vol. 434, pp. 302–319. Springer, Heidelberg (1990). Google Scholar
  19. 19.
    Akavia, A., LaVigne, R., Moran, T.: Topology-hiding computation on all graphs. Cryptology ePrint Archive, Report 2017/296 (2017).
  20. 20.
    Moran, T., Orlov, I., Richelson, S.: Topology-hiding computation. In: Dodis, Y., Nielsen, J.B. (eds.) TCC 2015. LNCS, vol. 9014, pp. 159–181. Springer, Heidelberg (2015). Google Scholar
  21. 21.
    Hirt, M., Maurer, U., Tschudi, D., Zikas, V.: Network-hiding communication and applications to multi-party protocols. Cryptology ePrint Archive, Report 2016/556 (2016).
  22. 22.
    Akavia, A., Moran, T.: Topology-hiding computation beyond logarithmic diameter. In: Coron, J.-S., Nielsen, J.B. (eds.) EUROCRYPT 2017. LNCS, vol. 10212, pp. 609–637. Springer, Cham (2017). Google Scholar
  23. 23.
    Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000). CrossRefGoogle Scholar
  24. 24.
    Camacho, P., Krell, F.: Asynchronous provably-secure hidden services (2017).
  25. 25.
    Singh, A., et al.: Eclipse attacks on overlay networks: threats and defenses. In: IEEE INFOCOM. Citeseer (2006)Google Scholar
  26. 26.
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols, p. 136, October 2001Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Dreamlab Technologies AGBernSwitzerland

Personalised recommendations