Untagging Tor: A Formal Treatment of Onion Encryption

  • Jean Paul Degabriele
  • Martijn Stam
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10822)


Tor is a primary tool for maintaining anonymity online. It provides a low-latency, circuit-based, bidirectional secure channel between two parties through a network of onion routers, with the aim of obscuring exactly who is talking to whom, even to adversaries controlling part of the network. Tor relies heavily on cryptographic techniques, yet its onion encryption scheme is susceptible to tagging attacks (Fu and Ling 2009), which allow an active adversary controlling the first and last node of a circuit to deanonymize with near-certainty. This contrasts with less active traffic correlation attacks, where the same adversary can at best deanonymize with high probability. The Tor project has been actively looking to defend against tagging attacks and its most concrete alternative is proposal 261, which specifies a new onion encryption scheme based on a variable-input-length tweakable cipher.

We provide a formal treatment of low-latency, circuit-based onion encryption, relaxed to the unidirectional setting, by expanding existing secure channel notions to the new setting and introducing circuit hiding to capture the anonymity aspect of Tor. We demonstrate that circuit hiding prevents tagging attacks and show proposal 261’s relay protocol is circuit hiding and thus resistant against tagging attacks.


Anonymity Onion routing Secure channels Tor Tagging attacks 



We would like to thank Matthew Green for suggesting this problem to us and Jonathan Katz for helpful initial discussions. We are indebted to Nick Matthewson for clarifying certain historical and practical aspects of Tor. We also thank the anonymous reviewers for their constructive feedback.

Degabriele was supported in part by EPSRC grant EP/M013472/1 (UK Quantum Technology Hub for Quantum Communications Technologies) and in part by the German Federal Ministry of Education and Research (BMBF) within CRISP.


  1. 1.
    Albrecht, M.R., Degabriele, J.P., Hansen, T.B., Paterson, K.G.: A surfeit of SSH cipher suites. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S., (eds.) ACM CCS 2016, pp. 1480–1491. ACM Press, October 2016Google Scholar
  2. 2.
    Dingledine (arma), R.: Tor security advisory: “relay early” traffic confirmation attack, July 2014.
  3. 3.
    Backes, M., Goldberg, I., Kate, A., Mohammadi, E.: Provably secure and practical onion routing. In: CSF, pp. 369–385. IEEE Computer Society (2012)Google Scholar
  4. 4.
    Bellare, M., Hofheinz, D., Yilek, S.: Possibility and impossibility results for encryption and commitment secure under selective opening. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 1–35. Springer, Heidelberg (2009). Scholar
  5. 5.
    Bellare, M., Kohno, T., Namprempre, C.: Authenticated encryption in SSH: provably fixing the SSH binary packet protocol. In: Atluri, V. (ed.) ACM CCS 2002, pp. 1–11. ACM Press, November 2002Google Scholar
  6. 6.
    Bellare, M., Namprempre, C.: Authenticated encryption: relations among notions and analysis of the generic composition paradigm. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 531–545. Springer, Heidelberg (2000). Scholar
  7. 7.
    Bellare, M., Ristenpart, T., Tessaro, S.: Multi-instance security and its application to password-based cryptography. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 312–329. Springer, Heidelberg (2012). Scholar
  8. 8.
    Daniel, J.: Bernstein, Mridul Nandi, and Palash Sarkar. HHFHFH, Dagstuhl (2016)Google Scholar
  9. 9.
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G., Van Keer, R.: Farfalle: parallel permutation-based cryptography. Cryptology ePrint Archive, Report 2016/1188 (2016).
  10. 10.
    Boldyreva, A., Degabriele, J.P., Paterson, K.G., Stam, M.: Security of symmetric encryption in the presence of ciphertext fragmentation. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 682–699. Springer, Heidelberg (2012). Scholar
  11. 11.
    Camenisch, J., Lysyanskaya, A.: A formal treatment of onion routing. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 169–187. Springer, Heidelberg (2005). Scholar
  12. 12.
    Canetti, R., Krawczyk, H., Nielsen, J.B.: Relaxing chosen-ciphertext security. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 565–582. Springer, Heidelberg (2003). Scholar
  13. 13.
    Chakravarty, S., Barbera, M.V., Portokalidis, G., Polychronakis, M., Keromytis, A.D.: On the effectiveness of traffic analysis against anonymity networks using flow records. In: Faloutsos, M., Kuzmanovic, A. (eds.) PAM 2014. LNCS, vol. 8362, pp. 247–257. Springer, Cham (2014). Scholar
  14. 14.
    Chaum, D.: Untraceable electronic mail, return addresses, and digital pseudonyms. Commun. ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  15. 15.
    Danezis, G., Diaz, C., Syverson, P.: Systems for anonymous communication. In: CRC Handbook of Financial Cryptography and Security, p. 61 (2009)Google Scholar
  16. 16.
    Danezis, G., Dingledine, R., Mathewson, N.: Mixminion: design of a type III anonymous remailer protocol. In: 2003 IEEE Symposium on Security and Privacy, pp. 2–15. IEEE Computer Society Press, May 2003Google Scholar
  17. 17.
    Danezis, G., Goldberg, I.: Sphinx: a compact and provably secure mix format. In: 2009 IEEE Symposium on Security and Privacy, pp. 269–282. IEEE Computer Society Press, May 2009Google Scholar
  18. 18.
    Degabriele, J.P., Stam, M.: Untagging Tor: a formal treatment of onion encryption. Cryptology ePrint Archive, Report 2018/162 (2018).
  19. 19.
    Dingledine, R., Mathewson, N.: Tor protocol specification.
  20. 20.
    Dingledine, R., Mathewson, N., Syverson, P.F.: Tor: the second-generation onion router. In: USENIX Security Symposium, pp. 303–320. USENIX (2004)Google Scholar
  21. 21.
    Feigenbaum, J., Johnson, A., Syverson, P.F.: Probabilistic analysis of onion routing in a black-box model. ACM Trans. Inf. Syst. Secur. 15(3), 14:1–14:28 (2012)CrossRefGoogle Scholar
  22. 22.
    Fischlin, M., Günther, F., Marson, G.A., Paterson, K.G.: Data is a stream: security of stream-based channels. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 545–564. Springer, Heidelberg (2015). Scholar
  23. 23.
    Freedman, M.J., Morris, R.: Tarzan: a peer-to-peer anonymizing network layer. In: Atluri, V. (ed.) ACM CCS 2002, pp. 193–206. ACM Press, November 2002Google Scholar
  24. 24.
    Fu, X., Ling, Z.: One cell is enough to break Tor’s anonymity. In: Proceedings of Black Hat DC 2009, p. 10 (2009)Google Scholar
  25. 25.
    Goldschlag, D.M., Reed, M.G., Syverson, P.F.: Hiding routing information. In: Anderson, R. (ed.) IH 1996. LNCS, vol. 1174, pp. 137–150. Springer, Heidelberg (1996). Scholar
  26. 26.
    Hoang, V.T., Krovetz, T., Rogaway, P.: Robust authenticated-encryption AEZ and the problem that it solves. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 15–44. Springer, Heidelberg (2015). Scholar
  27. 27.
    The invisible internet project (I2P).
  28. 28.
    Johnson, A., Wacek, C., Jansen, R., Sherr, M., Syverson, P.F.: Users get routed: traffic correlation on Tor by realistic adversaries. In: Sadeghi, A.-R., Gligor, V.D., Yung, M. (eds.) ACM CCS 2013, pp. 337–348. ACM Press, November 2013Google Scholar
  29. 29.
    Levine, B.N., Reiter, M.K., Wang, C., Wright, M.: Timing attacks in low-latency mix systems. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 251–265. Springer, Heidelberg (2004). Scholar
  30. 30.
    Marson, G.A., Poettering, B.: Security notions for bidirectional channels. IACR Trans. Symm. Cryptol. 2017(1), 405–426 (2017)Google Scholar
  31. 31.
    Mathewson, N.: Proposal 202: two improved relay encryption protocols for Tor cells, June 2012.
  32. 32.
    Mathewson, N.: Proposal 261: AEZ for relay cryptography, December 2015.
  33. 33.
    Murdoch, S.J., Zieliński, P.: Sampled traffic analysis by internet-exchange-level adversaries. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 167–183. Springer, Heidelberg (2007). Scholar
  34. 34.
    Nielsen, J.B.: Separating random Oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002). Scholar
  35. 35.
    The23rd Raccoon. How I learned to stop ph34ring NSA and love the base rate fallacy, September 2008.
  36. 36.
    The23rd Raccoon. Analysis of the relative severity of tagging attacks, March 2012.
  37. 37.
    Reed, M.G., Syverson, P.F., Goldschlag, D.M.: Proxies for anonymous routing. In: ACSAC 1996, pp. 95–104. IEEE Computer Society (1996)Google Scholar
  38. 38.
    Rennhard, M., Plattner, B.: Practical anonymity for the masses with MorphMix. In: Juels, A. (ed.) FC 2004. LNCS, vol. 3110, pp. 233–250. Springer, Heidelberg (2004). Scholar
  39. 39.
    Rogaway, P., Zhang, Y.: Onion-AE: foundations of nested encryption. Cryptology ePrint Archive, Report 2018/126 (2018).
  40. 40.
    Serjantov, A., Sewell, P.: Passive attack analysis for connection-based anonymity systems. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 116–131. Springer, Heidelberg (2003). Scholar
  41. 41.
    Shrimpton, T., Terashima, R.S.: A modular framework for building variable-input-length Tweakable ciphers. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013. LNCS, vol. 8269, pp. 405–423. Springer, Heidelberg (2013). Scholar
  42. 42.
    Syverson, P.F., Goldschlag, D.M., Reed, M.G.: Anonymous connections and onion routing. In: 1997 IEEE Symposium on Security and Privacy, pp. 44–54. IEEE Computer Society Press (1997)Google Scholar
  43. 43.
    Syverson, P., Tsudik, G., Reed, M., Landwehr, C.: Towards an analysis of onion routing security. In: Federrath, H. (ed.) Designing Privacy Enhancing Technologies. LNCS, vol. 2009, pp. 96–114. Springer, Heidelberg (2001). Scholar

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  1. 1.Department of Computer ScienceTU DarmstadtDarmstadtGermany
  2. 2.Department of Computer ScienceUniversity of BristolBristolUK

Personalised recommendations