Anonymous return route information for onion based mix-nets

Transcription

1 Anonymous etun oute infomation fo onion based mix-nets ABSTRACT Yoshifumi Manabe NTT Communication Science Laboatoies NTT Copoation Atsugi Kanagawa Japan This pape poposes a etun oute infomation encyption scheme fo onion-based systems and mix-nets Ou scheme has the following two popeties (1) It allows any node on the message oute to send eply messages to the sende of the message This popety is necessay fo sending eo eplies (2) It allows the eplying node to send multiple eply messages fom one piece of etun oute infomation This popety is necessay when esponding with lage amounts of data using multiple messages In ode to constuct a etun oute infomation scheme we must conside a new type of attack namely the eplace attack A malicious node obtains infomation about the oute by eplacing secet infomation that only the node can ead This pape descibes the new type of attack and shows that pevious schemes ae vulneable to it Ou scheme pevents eplace attacks In addition we show that by slightly modifying ou scheme malicious nodes cannot distinguish whethe a message is a fowad message o a eply message thus impoving the secuity of the outing scheme Categoies and Subject Desciptos E3 [Data]: Data EncyptionPublic key cyptosystems; C22 [Compute-Communication Netwoks]: Netwok PotocolsRouting Potocols Geneal Tems Secuity Theoy Keywods anonymous communication oute infomation etun addess mix-nets 1 INTRODUCTION systems ae widely used in business and daily life The names of the sende and eceive of each ae Pemission to make digital o had copies of all o pat of this wok fo pesonal o classoom use is ganted without fee povided that copies ae not made o distibuted fo pofit o commecial advantage and that copies bea this notice and the full citation on the fist page To copy othewise to epublish to post on seves o to edistibute to lists equies pio specific pemission and/o a fee AlPACa 2008 Septembe Istanbul Tukey Copyight 2008 ACM ISBN $500 Tatsuaki Okamoto NTT Infomation Shaing Platfom Laboatoies NTT Copoation Musashino Tokyo Japan okamototatsuaki@labnttcojp povided in plain text in the heade Thus evey node in the netwok can obtain the names of the sende and the eceive when an is elayed (This pape does not discuss spam s that foge the name of the sende) We sometimes want to send anonymously fo example when whistle-blowing If we ae to achieve anonymity no node in the netwok should be able to obtain infomation about the sende o eceive of an although the nodes must be able to obtain the oute infomation needed to elay the Onion-based mix-nets[1][3][8][10][11][12][13][15][19] is a mechanism fo sending s anonymously which is one of the techniques of anonymous communication [6] In onion-based mix-net schemes oute infomation is appended to each message thus multiple messages with the same pai of the sende and the eceive might be sent by dieent outes Note that as an altenative mechanism many woks fo example Onion-outing[9] and To [7] have been caied out to ceate a vitual cicuit that can be used fo bidiectional anonymous communication[6] The poblem of sending eply messages using onion-based mix-net has not been caefully discussed Most of pevious woks consideed sending one eply message fom the destination node Two impotant popeties multiple eply sendes and multiple eply messages must be consideed Let us conside the st poblem the sende of the eply messages Thee ae two cases whee a eply is sent The st is whee the eply is sent by the eceive This type of eply is necessay fo example when esponding to whistleblowes The second case involves sending eo messages fom the nodes on the oute This type of eply message is necessay when the addess used by the sende is incoect o the node/link fo elaying the message is down Without an eo eply mechanism the sende cannot know that the message was not sent coectly This type of eo message is necessay even if the netwok is obust and eos aely occu Since it is not ealistic fo the entie system to suppot onion-based outing the easiest implementation fo the cuent Intenet may be a mix-net opeated by a numbe of voluntee seves Messages between seves ae sent via the Intenet using encyption between the seves A message sende andomly selects a sequence of seves and appends the sequence befoe the nal destination Since the seves ae povided voluntaily some seves might suddenly stop poviding the sevice Thus such mix-nets need a mechanism fo sending eo eplies to infom the sende that a seve is not opeating The second poblem is sending multiple eply messages fom one eplying node Evey onion-based mix-net scheme

2 assumes that the size of the message content is xed in ode to pevent malicious nodes obtaining the oute of a message fom its size Thus the eply needs to be sent by multiple messages if its size is lage (eg image data) Howeve many schemes such as those in [1][2] the eplying node cannot andomize the obtained etun oute infomation thus elaying nodes can detect that the same oute infomation is used multiple times (Note that in [1] the elaying nodes discad messages that have same oute infomation to pevent a eplay attack Thus it is impossible to send multiple eply messages with the same oute infomation) Some mechanisms that allows multiple eplies wee poposed [4][14] Ou scheme allows any elaying node to send multiple eply messages with the same oute infomation Fo the etun oute infomation a malicious node can execute a new type of attack the eplace attack A malicious node obtains infomation about the oute by eplacing secet infomation that only the node can ead Ou scheme pevents the eplace attack In addition with a slight modication the scheme descibed in this pape can become symmetic with espect to fowad and eply messages with the esult that malicious nodes cannot distinguish these messages 2 DEFINITION OF PROBLEM The denition in [1] does not conside the ability to send eply messages fom any node on the oute thus we need to edene the poblem The netwok topology is epesented by an undiected gaph G = (V E) whee V is the set of nodes and E is the set of edges Each node v V acts as a sende a eceive and a message elaye Edge e = (v i v j) is a bidiectional communication channel between v i and v j G is public infomation Note that G is a complete gaph when any node can diectly send messages to any othe node Each node v i encodes a special chaacte i (meaning v i is the destination of the message) and edges connected to v i to a message space M i In the est of the pape when an edge e appeas in encypted oute infomation e is not a pai of nodes but an encoded message A message M consists of message content m and oute heade h When a node S sends message content m to a node R S st obtains a path on G p = v 0 (= S) e 1 v 1 v n 1 e n v n(= R) fom S to R whee e i = (v i 1 v i) E(1 i n) Let p(s R) denote a path fom S to R Thoughout this pape we use this path fo explanation Thee ae two ways to obtain a oute heade fo a cetain path The st consists of S selecting a path p(s R) on G fom S to R and encypting it The second consists of obtaining a oute heade while elaying o eceiving a message We call the fome type of oute infomation fowad oute infomation and the latte type of oute infomation etun oute infomation A message sent using fowad (etun) oute infomation is called as a fowad (etun) message When node v eceives message M and elays it to the next edge it obtains new oute heade h fom v to M's oiginal sende that is h is an encyption of p(v S) In addition when R eceives a message M whose destination is R R obtains new oute heade h fom R to M's oiginal sende that is h is an encyption of p(r S) We denote h(m) as the heade of message M and pa(m) as the path epesented by h(m) Each node geneates a pai consisting of a public key and a pivate key Let A be an advesay A can coupt any node and modify the incoming messages at the coupted nodes Assume that A neve efuses to elay a message It neve discads messages o ewites the heades that pevent messages being sent to the coect eceive Note that this assumption does not exclude a message denial attack This pape discusses the advesay's action befoe the day of a message denial attack Befoe that day the advesay does not want to be detected as an advesay thus it is honest about elaying messages but it ties to collect oute infomation fom the elaying messages On the attack day using the collected oute infomation the advesay stops elaying messages whose destination is specied nodes (o executes some othe type of attack) Without collecting such infomation the advesay can only execute a tivial message denial attack fo example it can only stop sending all messages o andomly selected messages Advesay might study the timings of messages moving though the system to nd coelations To pevent timing analysis we assume that thee is a sucient volume of backgound message tac on evey edge by employing a method such as those descibed in [16][17][18] The anonymity of oute infomation demands that no message be linked to any othe message by anyone We descibe an unlinkability expeiment Exp A as follows Thee is a oute infomation oacle O When O eceives a oute heade fom A O decypts it and esponds to A Expeiment Exp A (1) A st selects any path p(s R) and foces S to send a message M to R by p(s R) By sending M evey node v i on p(s R) obtains a etun oute heade h i fo path p(v i S) A can foce any (non-coupted o coupted) node v i to send a message using h i In addition A can ask oute infomation oacle O to decypt the oute heade h of any message on any edge A can execute this pocedue as many times as A wants (2) A outputs eithe (2-1) a non-tivial elation Rel between two messages o (2-2) a non-tivial elation Rel between a message and a node (3) A then executes step (1) again except fo the limitation that A cannot use oacle O (4) A outputs two messages M 1 and M 2 o a pai consisting of message M 1 and a node v accoding to whethe Rel o Rel is output in (2) These messages ae those that A obseves duing step (3) The advantage of A Adv ul (A) is dened as P ob[rel(m 1 M 2)] (o P ob[rel (M 1 v)]) Advesay A (t ϵ)-beaks the unlinkability poblem if it uns in time at most t and Adv ul (A) is at least ϵ The oute infomation system is (t ϵ)-secue if no advesay A (t ϵ)-beaks the unlinkability poblem The tivial elation between two messages T Rel(M 1 M 2 ) is as follows M i (i = 1 2) ae obseved at dieent edges e i (i = 1 2) M 1 's oute pa(m 1 ) contains e 1 and e 2 and all nodes on pa(m 1 ) between e 1 and e 2 ae coupted by A It is easy to detect whethe M 1 and M 2 ae the same message fom the above coupt condition Similaly the tivial elation between a message and a node T Rel (M v) is as follows M is obseved at edge e M's oute pa(m) contains v and all nodes on pa(m) between e and v ae coupted by A We conside the following non-tivial elations when not

3 evey node on the path is coupted (1) M 1 obseved at e 1 and M 2 obseved at e 2 ae the same message (2) M 1 and M 2 use the same oute infomation (3) M 2 is a eply message to M 1 (4) pa(m 1 ) contains v i This pape povides some assumptions to solve the poblem Assumption 1 At step (4) of Exp A A must not output message M whose sende o eceive is coupted Assumption 2 A must not coupt a pai of adjacent nodes The eason of these assumptions ae shown late Finding a way to eliminate these assumptions equies futhe study 3 PREVIOUS RESULTS A simple implementation fo sending eply messages is as follows Each elaying node ecods a tuple (M 0 M 1 e 1) consisting of an incoming message M 0 an outgoing message M 1 and the edge e 1 fom which M 0 aived in its local log When a node wants to send eply message M to message M k the initiato of M sends the pai (M M k ) to the edge fom which M k aived The node that eceives eply message (M M k ) seaches the log and nds a tuple (M k 1 M k e k ) then it elays (M M k 1 ) to e k By epeating this pocedue M will aive at the oiginal sende of M This mechanism is not secue because a malicious node can obtain the elationship between a message and its eply Thee solutions have aleady been epoted that enable the eceive node to send a eply message Chaum [2] poposed a etun addess as follows (we omit the message content pat): K n(e n K n 1(e n 1 K 1(e 1 K 0( 0)) ) whee K i is the public key of v i v i (i = n n 1 1) decypts the infomation encypted by K i and obtains e i Fo v i to obtain e i this oute infomation must be decypted by v n v n 1 v i+1 in advance When v i needs to send an eo message because v i+1 (o e i+1 ) is down v i cannot obtain e i because the oute infomation is encypted by the key of v i+1 In ode to use this type of etun oute infomation v 0 needs to pepae one piece of etun oute infomation oiginating at each intemediate node K n(e n K n 1(e n 1 K 1(e 1 K 0( 0)) ) K n 1(e n 1 K n 2(e n 2 K 1(e 1 K 0( 0)) ) K n 2(e n 2 K n 3(e n 3 K 1(e 1 K 0( 0)) ) and so on Thus the total size of the etun oute infomation is O(n 2 ) We need a mechanism that does not incease the size of the oute infomation Camenisch et al [1] poposed an onion-based message outing scheme and its eply mechanism Howeve in thei etun oute infomation scheme the pocedue at each node is deteministic that is when a message aived at v the output fom v is uniquely dened Replay attack is avoided by destoying messages that use the same heade twice This means that the eceive node cannot send multiple eply messages to a given message In addition thei scheme needs a non-standad assumption on the pseudoandom pemutations they use Toiyama et al [19] poposed a mechanism fo obtaining etun oute infomation while messages ae fowaded by onion-based message outing v j adds etun edge infomation e j to message M while sending M The following eplace attack can be pefomed on thei scheme A malicious node v j adds e j instead of e j v j can detect that message M is a eply to M by obtaining edge e j instead of e j (and continues sending messages coectly by elaying this eply message to e j) v j can thus obtain the elationship between a message and its eply To pevent the eplay attack the etun oute infomation must be set by the oiginal sende S 4 FORWARD ROUTE INFORMATION Fist we outline the ElGamal type oute infomation andomization mechanism descibed in [19] which is modied fom that in [10] which is poved to be insecue in [5] Ou scheme uses the following mechanism fo the fowad oute infomation The main idea is exactly the same as standad onion outing namely that the oute infomation that v j must use e j+1 is encypted as Enc(pk 1 Enc(pk 2 Enc(pk j e j+1 ) )) Evey node decypts it by using its secet key and v j obtains e j+1 Let g be a geneato of cyclic goup G whose ode is a lage pime Node v j selects x R j Zp and sets y j g x j The public key of v j is y j and the pivate key of v j is x j The basic ElGamal encyption scheme is as follows Fo a given plaintext (encoded edge infomation) e j+1 andomly selects R Zp and the ciphetext (X Y ) is (g e j+1 yj ) Fo a ciphetext (X Y ) obtain the plaintext by Y/X x j The scheme in [19] modies the scheme such that encyption is pefomed by (X Y ) (g y e j+1 j ) and decyption is pefomed by seaching fo the value e j+1 that satises Y = X x j e j+1 Since in the oute infomation scheme the set of edges (the message space) v j is connected to is a elatively small xed set this type of encyption/decyption is possible The main idea of [19] is as follows The oute infomation that v j must obtain e j+1 is encypted at the sende node as (g y1 y2 yj 1 y e j+1 j ) When v 1 eceives this infomation v 1 patially decypts it and obtains (g y2 yj 1 y e j+1 j ) Then v 2 v 3 decypts it and when this message comes to v j the oute infomation becomes (g y e j+1 j ) and v j can obtain e j+1 To hide the elationship between incoming messages and outgoing messages this oute infomation is andomized at each node The details ae povided below (Initialization) Let us conside a case whee a node S sends a message m to a node R by the oute p(s R) de- ned above Fom the public keys S geneates message (β α 1 α 2 α N γ 1 γ 2 γ 3 γ 4 ) as follows S chooses R Zp and sets β g α i (y 1 y 2 y i 1 ) y e i+1 i (1 i n 1) and α n (y 1 y 2 y n 1 ) y n+1 n n+1 indicates that v n is the destination of the message that is n+1 is a special value that dies fom all the values fo edges connected to v n α n+1 α n+2 α N ae dummy values to hide the length of the actual oute γ i(i = ) caies the message content m S selects 1 R 2 Zp and sets γ 1 m (y 1 y 2 y n 1 y n ) 1 γ 2 g 1 γ 3 (y 1 y 2 y n 1 y n ) 2 and γ 4 g 2 S pemutes α i (1 i N) and sends the message to e 1

4 (Decyption) When a message (β α 1 α N γ 1 γ 2 γ 3 γ 4 ) aives at node v j it decypts the oute heade and obtains the next edge to elay this message v j then e-encypts all the values and sends them to the next edge The pocedue is shown below v j seaches fo α i (1 i N) that satises α i = β e j+1 x j fo some e j+1 o α i = β j+1 x j Let α k be the element that satises the above condition If the latte condition is satised v j is the destination of this message v j obtains the message content m by calculating γ 1/γ j 2 x If the fome condition is satised e j+1 is the edge to which v j must elay this message v j decypts evey element of the heade α i (1 i N i k) by calculating ᾱ i α i /β x j α k is no longe necessay thus v j sets ᾱ k as a andom dummy value Fo the elements γ i (i = ) that cay the message content v j calculates γ 1 γ 1/γ x j 2 and γ 3 γ 3/γ x j 4 (Re-andomization) To pevent a eplay attack evey block must be andomized at v j Let (β ᾱ 1 ᾱ 2 α N γ 1 γ 2 γ 3 γ 4) be the message afte the above decyption is pefomed v j selects 0 1 R 2 Zp and calculates eα i ᾱ 0 i (1 i N) eβ β 0 eγ 1 γ 1 γ 1 3 eγ 2 γ 2 γ 1 4 eγ 3 γ 2 3 and eγ 4 γ 2 4 ( β e fα 1 fα 2 fα N eγ 1 eγ 2 eγ 3 eγ 4) is the new message (Pemutation) Afte the above e-andomization v j pemutes fα 1 fα 2 fα N at andom In the scheme in [10] each edge value e i is stoed in an independent block that is e i is stoed in (α 0 β 0 α 1 β 1) whee β 0 g 0 α 0 e i+1 (y 1 y 2 y i 1 y i ) 0 β 1 g 1 and α 1 (y 1 y 2 y i 1 y i ) 1 The decyption at v j is ᾱ 0 α 0 /β x j 0 An attack on this scheme is descibed in [5] Since (α 1 β 1 ) is an encyption of plaintext `1' the elaying node can add a false oute to the malicious node e x by executing β 0 β 1 α 0 e xα 1 β 1 β1 and α 1 α 1 The above attack cannot be applied to the scheme descibed by Toiyama et al because thee is no encyption of `1' in the oute infomation In thei scheme evey block uses the common value β v j cannot eplace α k with valid oute infomation because v j does not know Zp that satises β = g On the othe hand the message block is just the same as that in [10] thus the following eplay attack [5] is possible if some node on the oute and the eceive R ae malicious Message m is stoed in (γ 1 γ 2) whee γ 1 = m y 0 i y 0 i+1 y 0 n and γ 2 = g 0 fo some 0 The malicious node v i sends a new message with (γ1 t γ2) t which is a ciphetext of m t When eceive R obtains m and m t it detects that the oute contains v i Thus this pape assumes that the eceive of the message is not coupted in Assumption 1 Note that this scheme is not secue if A coupts the sende S and some node v j on the oute S uses a special value e j+1 instead of e j+1 in α j When v j decypts the data and obtains the special value e j+1 v j can detect that this message was sent by S v j can continue elaying this message to e j+1 by heaing the next edge fom S using some method Using the infomation A can discad all messages whose sende is not A This type of attack cannot be pevented in schemes those descibed in [1][2][19] One way to pevent this type of attack is fo S to ask a tusted thid paty to obtain the oute infomation Howeve this might not be pactical fo all uses to ask fo the oute infomation fom a tusted thid paty Thus Assumption 1 excludes the case whee the sende of a message helps to detect the oute infomation Finding a way to eliminate this assumption will equie futhe study 5 PROPOSED RETURN ROUTE INFORMATION SCHEME A natual implementation of the etun oute infomation may be exactly the same as fo the fowad oute infomation in the pevious section Let us conside a case whee the etun oute infomation (θ δ j ) is encypted so that v j can obtain e j that is (θ δ j ) = (g y1 y2 yj 1 y e j j ) To decypt this oute infomation each node executes δ j δ j/θ x i Thus δ j becomes y e j j at v j and v j can obtain etun oute infomation e j When this message goes beyond v j without eplacing with a dummy value δ j is decypted using the secet keys x j+1 x j+2 that wee not encypted at all as δ j δ j /θ x i Thus δ j becomes y e j j /(yj+1 yj+2 y j ) at v j When v j sends a eply message this unnecessay decyption can be cancelled out by executing δ j δ j θ x i while elaying the eply at v i Thus when the eply message aives at v j δ j becomes y e j j again and v j can obtain e j Although this mechanism seems to wok we must conside the eplace attack descibed below In the above pocedue v j sees the same edge infomation e j twice: once while elaying a fowad message and once while elaying its eply message Thus the following eplace attack is possible When v j A decypts e j fom δ j while elaying a fowad message M it eplaces e j with a special value e j by calculating δ j e δ j j /e j When v j eceives a eply message M it can detect that M is a eply message fo M if it obtains e j Theefoe the elationship between these two messages can be detected The idea fo peventing the eplace attack is as follows When v j wants to send a eply message M to the eceived message M it is unnecessay fo v j to calculate the next edge to send M It should simply etun M to the edge M aived fom This mechanism does not equie a log that must be kept fo a long time by intemediate nodes because each intemediate node can detect instantly whethe o not the next node o edge is down At the destination node R the edge infomation needed to send a eply to message M can be kept by R togethe with M On the othe hand when a eply message is elayed to v j fom some othe node it is necessay fo v j to obtain the next edge Thus etun oute infomation e j is unnecessay until M is fowaded to v j+1 which is the next node on the fowad oute e j is encypted using x 1 x 2 x j and x j+1 so that v j cannot decypt e j when v j eceives M fom v j 1 e j is encypted as follows (θ δ j) = (g y1 y2 yj 1 y (e j +1) j y j+1) whee y j+1 is the exta tem At v j this

5 oute infomation becomes (θ δ j ) = (g y (e j +1) j yj+1) as a esult of the decyption at v 1 v 2 v j 1 v j cannot obtain e j fom this oute infomation because of the exta tem yj+1 Since v j cannot know that this is the etun oute infomation fo v j v j executes δ j /θ x j which is the pocedue fo the othe etun oute infomation Then this oute infomation becomes (g y e j j yj+1) When this oute infomation is sent to v j+1 v j+1 convets it by a special exta decyption ule descibed late to (g y e j j /yj+1) which is the nomal fom of the etun oute infomation at v j+1 When this oute infomation is sent to v j+2 and then etuned to v j+1 the etun oute infomation becomes (g y e j j /yj+1) again Then v j+1 executes δ j θ x j+1 and the oute infomation becomes (g y e j j ) and v j can obtain e j By employing this mechanism v j sees e j just once and a eplace attack becomes impossible The above mechanism needs v j+1 to execute an exta decyption fo the block δ j that encypts e j To infom v j+1 of the necessity of an exta decyption pais of (α i+1 δ i)(0 i n 1) ae made whee α i+1 is the encyption of e i+2 in the fowad oute infomation Since edge infomation e j+2 is obtained fom α j+1 only at v j+1 it can be used to infom v j+1 that it needs to execute an exta decyption to δ j The following descibes the poposed system in detail Conside the case when a node S sends a message m to node R via p(s R) (Initialization) Note that the fowad oute infomation β α 1 α 2 α N γ 1 γ 2 γ 3 and γ 4 ae calculated in the same way as in the pevious section Fom the public keys S geneates the combined oute infomation (β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) whee B i = (α i+1 δ i)(0 i N 1) as follows S chooses R Zp (note that the andom numbes must be dieent fom those fo fowad oute infomation) and sets θ g δ 0 y 0 0 y1 and δ i (y 1 y 2 y i 1 ) y (e i+1) i yi+1(1 i n 1) B n B n+1 B N 1 ae dummy values λ 1 λ 2 ae used to cay the message content of the eply S geneates R Zp and sets λ 1 y0 and λ 2 g S pemutes B i (0 i N 1) andomly The message M is (β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2 ) v 0 sends M to e 1 (Decyption) When a message aives at node v j v j seaches fo a block B i = (α i+1 δ i )(0 i N 1) that satises α i+1 = β e j+1 x j fo some e j+1 o α i+1 = β j+1 x j Let α k = (α k+1 δ k ) be the block that satises the above condition If the latte condition is satised v j is the destination of this message Then v j obtains the message content m by x calculating γ 1/γ j 2 If the fome condition is satised e j+1 is the edge to which v j must elay this message If v j wants to send a eply message to S the pocedue fo initialization on etun should be employed Othewise v j decypts evey block B i = (α i+1 δ i )(i k) by calculating α i+1 α i+1 /β x j and δ i δ i /θ x j v j calculates δ k δ k /θ 2 x j which is the exta decyption α k+1 is no longe necessay thus v j sets α k+1 as a andom dummy value Fo the elements γ i (i = ) and λ i (i = 1 2) that cay the message content v j calculates γ 1 γ 1 /γ x j 2 γ 3 γ 3/γ x j 4 and λ 1 λ 1 λ x j 2 (Re-andomization) Let (β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) whee B i = ( α i+1 δ i) is the message afte the above decyption has been pefomed v i e-andomizes the message with the following pocedue v j selects R 4 Zp and calculates eα i ᾱ 0 i (1 i N) eβ β 0 eδ i δ 1 i (0 i N 1) eθ θ 1 eγ 1 γ 1 γ 2 3 eγ 2 γ 2 γ 2 4 eγ 3 γ 3 3 eγ 4 γ 3 4 fλ 1 λ 4 1 and fλ 2 λ 4 2 The message afte e-andomization is ( β e θ e B f 0 B f 1 ^B N 1 eγ 1 eγ 2 eγ 3 eγ 4 λ f 1 λ f 2) whee fb i = ( gα i+1 δ e i)(0 i N 1) (Pemutation) Afte the e-andomization v j pemutes the blocks B i(0 i N 1) at andom Afte the pemutation v j sends the message to e j+1 (Initialization on etun) When v j decides to send a eply message the fowad oute infomation is no longe used thus it is discaded The following pocedue is executed to send a eply message to S δ k δ k /θ x j to decypt the exta encyption Re-andomize the etun oute infomation by choosing R Zp and setting eδ i δi (0 i N 1) and eθ θ In ode to append the eply message content m v j executes the following v j chooses 0 R 1 Zp and calculates fλ 1 m λ 0 1 fλ 2 λ 0 2 fλ 3 λ 1 1 and fλ 4 λ 1 2 Now the eply message is ( θ e δ e 0 δ e 1 ]δ N 1 λ f 1 λ f 2 λ f 3 λ f 4 ) v j pemutes δ e i (0 i N 1) at andom v j sends the eply message to e j fom which the elaying message aived When v j eceives a eply message (θ δ 0 δ 1 δ N 1 λ 1 λ 2 λ 3 λ 4) it executes the following pocedue (Decyption on etun) v j seaches fo an element δ i(0 i N 1) such that δ i = θ x j e j fo some e j o δ i = θ x j j Let δ k be the element that satises the above condition If the latte condition is satised v j is the destination of the eply message v j then decypts the message m by λ 1 /λ x j 2 If the fome condition is satised e j is the edge to which v j must elay this eply message Then v j decypts evey element by calculating δ i δ i θ x j Fo the message content v j decypts the elements by cal-

6 culating λ 1 λ 1 /λ x j 2 and λ 3 λ 3 /λ x j 4 (Re-andomization on etun) Fo the message (θ δ 0 δ 1 δ N 1 λ 1 λ 2 λ 3 λ 4 ) afte the above decyption v j executes the following e-andomization v j selects R Zp and calculates eδ i δ i (1 i N 1) and eθ θ v j then selects 0 R 1 Zp and e-andomize them by fλ 1 λ 1 λ 0 3 fλ 2 λ 2 λ 0 4 fλ 3 λ 1 3 and fλ 4 λ 1 4 ( θ e δ e 0 δ e 1 ]δ N 1 λ f 1 λ f 2 λ f 3 λ f 4 ) is the andomized message (Pemutation on etun) Afte the e-andomization v j pemutes δ e i at andom 6 PROOF OF SECURITY This section povides poof of the secuity of the poposed scheme We ecall the decisional Die-Hellman assumption on which the secuity of ou outing scheme is based Denition 1 Let q be a lage pime Let G be a cyclic goup of ode q and g be a geneato of G The decisional Die-Hellman (DDH) poblem is dened as follows Dene D and R as follows: D = {(g g x g y g xy ) G 4 x y Z q } R = {(g g x g y g z ) G 4 x y z Z q } Advesay A outputs 0 o 1 on input (g A B R) G 4 A's advantage Adv DDH (A) is dened as Adv DDH (A) = P ob[a(g A B R) = 1 (g A B R) D] P ob[a(g A B R) = 1 (g A B R) R] Advesay A (t ϵ)-beaks the DDH poblem if A uns in time at most t and Adv DDH(A) is at least ϵ The (t ϵ)-ddh assumption holds if no advesay A (t ϵ)-beaks the DDH poblem Theoem 1 The poposed oute infomation scheme is secue unde the DDH assumption if no node is coupted (Sketch of poof) Since A coupts no node it cannot ewite messages using pivate keys fo some nodes Assume that thee is an advesay A that can beak unlinkability Using A we can obtain an advesay B that solves the DDH poblem Fo a given instance (g A B R) G 4 of the DDH poblem B andomly selects a node v k and sets B as the public key of v k B geneates pivate key x j fo v j (j k) and sets y j g x j Now conside elation (1): M 1 at e 1 and M 2 at e 2 ae the same message The poof fo the othe cases can also be shown similaly If v k is not between e 1 and e 2 B teminates Othewise B geneates message M seen at the incoming edge of v k as follows B andomly selects R 0 R 1 R 2 R 3 R R 4 Zp and M (β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) whee B i = (α i+1 δ i) β A R 0 α i d(andom value) (1 i k 1) α k R R 0 e k+1 α i R R0 A x k+1 R0 A x i 1 R0 A x i e i+1 R 0 (k + 1 i n 1)) α n R R0 A x k+1 R0 A x n 1 R0 A x n n+1 R 0 θ A R 1 δ 0 A R 1 x 0 0 /(A x 1 R1 A x 2 R1 A x k 1 R 1 ) δ i A R 1 x i e i /(A x i+1 R1 A x i+2 R1 A x k 1 R 1 )(1 i k 2) δ k 1 A R 1 x k 1 e k 1 R R 1 δ k R R 1 (e k +1) A R 1 x k+1 δ i R R1 A R 1 x k+1 A R 1 x i 1 A R 1 x i (e i +1) A R 1 x i+1 (k+ 1 i n 1) γ 1 m R R2 A x k+1 R2 A x n R 2 γ 2 A R 2 γ 3 R R3 A x k+1 R3 A x n R 3 γ 4 A R 3 λ 1 A x 0 R4 A x 1 R4 A x k 1 R 4 and λ 2 A R 4 Note that B knows the values R 0 R 1 R 2 R 3 R 4 and is able to geneate a message obseved at any node befoe v k on the oute that is consistent with this message B geneates the message afte decyption at v k (β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) whee B i = ( α i+1 δ i ) as follows ᾱ k d(andom value) ᾱ i A x k+1 R0 A x i 1 R0 A x i e i+1 R 0 (k +1 i n 1) α n A x k+1 R0 A x n 1 R0 A x n n+1 R 0 δ 0 A R 1 x 0 0 /(A x 1 R1 A x 2 R1 A x k 1 R1 R R 1 ) δ i A R 1 x i e i /(A x i+1 R1 A x i+2 R1 A x k 1 R1 R R 1 )(1 i k 2) δ k 1 A R 1 x k 1 e k 1 /R R 1 δ k R R 1 ek A R 1 x k+1 δ i A R 1 x k+1 A R 1 x i 1 A R 1 x i (e i +1) A R 1 x i+1 (k + 1 i n 1) γ 1 m A x k+1 R2 A x n R 2 γ 3 A x k+1 R3 A x n R 3 and λ 1 A x 0 R4 A x 1 R4 A x k 1 R4 R R 4 B then e-andomizes and continues elaying this message The pocedue fo elaying the etun message can be pefomed similaly If (g A B R) D then the simulation is pefect that is the oute infomation is the eal infomation Thus A can detect whethe M 1 = M 2 with non-negligible advantage ϵ If (g A B R) R then these blocks ae andom blocks and A's advantage is 0 Thus if the poposed etun oute infomation scheme is not secue the DDH poblem can be solved with nonnegligible pobability If two neighboing nodes v j and v j+1 ae coupted the following attack is possible When v j+1 eceives message M fom v j and detects α i+1 = β e j+2 x j+1 fom B i = (α i+1 δ i ) it knows that δ i = θ x j+1 θ x j e j Thus x j+1 eplaces δ i with δ i = θ x j+1 θ x j e j and continues the decyption pocedue When v j decypts e j it can detect that this message is a eply to M Thus Assumption 2 is intoduced fo couption 7 SYMMETRIC SCHEME FOR FORWARD AND REPLY MESSAGES The above scheme is asymmetic that is the pocedues fo fowad messages and eply messages die Thus any node can detect whethe a message is a fowad message

7 o a eply message This section discusses a modication to pevent this type of detection We need the additional assumption that the eplying node is not coupted The main idea is as follows The ElGamal encyption is symmetic that is encyption and decyption can be exchanged as follows: (Public-key and pivate-key) x R i Zp y i g x i x i is the pivate key and y i is the public key (Scheme 1) Encyption: R Zp (g m yi ) is the ciphetext Decyption: Given (X Y ) execute Y/X x i and obtain m (Scheme 2) Encyption: R Zp (g m/yi ) is the ciphetext Decyption: Given (X Y ) execute Y X x i and obtain m When encyption is executed by the decyption can be pefomed by / and vice vesa The pocedue in the pevious section pefoms δ/θ x i fo fowad messages and δ θ x i fo eply messages We can make anothe scheme that uses δ θ x i fo fowad messages and δ/θ x i fo eply messages The sende andomly chooses these two schemes then it becomes impossible fo a node to detect whethe a given message is a fowad message o a eply message The details ae as follows (Initialization) Fist sende node S chooses a andom bit b R {0 1} R Zp and geneates the message S chooses M = (b β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2 ) whee B i = (α i+1 δ i ) as follows (Case 1) when b = 0: β g α i (y 1 y 2 y i 1 ) y e i+1 α n (y 1 y 2 y n 1) y n+1 i (1 i n 1) n θ g δ 0 y 0 0 y1 δ i (y 1 y 2 y i 1 ) y (e i+1) i yi+1(1 i n 1) γ 1 m (y 1 y 2 y n 1 y n ) 1 γ 2 g 1 γ 3 (y 1 y 2 y n 1 y n ) 2 γ 4 g 2 λ 1 y 1 0 and λ 2 g 1 (case 2) when b = 1: β g α i (y 1 y 2 y i 1 ) y e i+1 i (1 i n 1) α n (y 1 y 2 y n 1 ) y n+1 n θ g δ 0 y 0 0 y 1 δ i (y 1 y 2 y i 1) y (e i 1) i y i+1 (1 i n 1) γ 1 m (y 1 y 2 y n 1 y n) 1 γ 2 g 1 γ 3 (y 1 y 2 y n 1 y n) 2 γ 4 g 2 λ 1 y 1 0 and λ 2 g 1 B n B n+1 B N 1 ae dummy values S pemutes B i(0 i N 1) andomly v 0 sends M to e 1 (Decyption) When a message (b β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) aives at node v j v j seaches fo a block B i = (α i+1 δ i)(0 i N 1) that satises α i+1 = β e j+1 x j fo some e j+1 o α i+1 = β j+1 x j Let B k = (α k+1 δ k ) be the block that satises the above condition If the latte condition is satised v j is the destination of this message Then v j obtains the message content m by x calculating γ 1 /γ j 2 If the fome condition is satised e j+1 is the edge to which v j must elay this message If v j wants to send a eply message to S the pocedue fo the initialization on etun should be employed Othewise execute the following pocedue Fo the elements γ i (i = ) and λ i (i = 1 2) v j calculates γ 1 γ 1 /γ x j 2 γ 3 γ 3 /γ x j 4 and λ 1 λ 1 λ x j 2 Fo B i v j executes the following pocedue accoding to the value of b (Case 1) when b = 0: v j decypts evey block B i = (α i+1 δ i)(i k) by calculating α i+1 α i+1/β x j and δ i δ i/θ x j v j calculates δ k δ k /θ 2 x j which is the exta decyption (Case 2) when b = 1: v j decypts evey block B i = (α i+1 δ i )(i k) by calculating α i+1 α i+1 β x j and δ i δ i θ x j v j calculates δ k δ k θ 2 x j which is the exta decyption (Re-andomization) (the same fo b = 0 and b = 1) Let (b β θ B 0 B 1 B N 1 γ 1 γ 2 γ 3 γ 4 λ 1 λ 2) whee B i = ( α i+1 δ i) is the message afte the above decyption is pefomed v i e-andomizes the message with the following pocedue v j selects R 4 Zp and calculates eα i ᾱ 0 i (1 i N) eβ β 0 eδ i δ 1 i (0 i N 1) eθ θ 1 eγ 1 γ 1 γ 2 3 eγ 2 γ 2 γ 2 4 eγ 3 γ 3 3 eγ 4 γ 3 4 fλ 1 λ 4 1 and fλ 2 λ 4 2 The message afte e-andomization is (b β e θ e B f 0 B f 1 ^B N 1 eγ 1 eγ 2 eγ 3 eγ 4 λ f 1 λ f 2) whee B f i = ( gα i+1 δ e i) (Pemutation) Afte the e-andomization v j pemutes the blocks B i (0 i N 1) at andom Afte the pemutation v j sends the message to e j+1 (Initialization on etun) When v j decides to send a eply message m to S the following pocedue is executed (Case 1) when b = 0: v j sets α k+1 δ k /θ x j (Case 2) when b = 1: v j sets α k+1 δ k θ x j The following is the common pocedue fo b = 0 and b = 1 Fo each B i = (α i+1 δ i)(i k) v j sets α i+1 δ i

8 v j e-andomizes them by choosing R Zp and setting eβ θ and eα i ᾱ i (0 i N 1) The fowad oute infomation is eplaced with dummy values as follows: v j sets δ e i g i (0 i N 1) and θ g N whee g R i G(0 i N) ae andomly selected elements In ode to append the eply message content m v j executes the following v j chooses 0 R 1 Zp and calculates eγ 1 m λ 0 1 eγ 2 λ 0 2 eγ 3 λ 1 1 and eγ 4 λ 1 2 The oiginal message is also eplaced with a dummy value λ 1 g N+1 λ 1 g N+2 whee g N+1 g R N+2 G Now the etun message is (1 b β e θ e B f 0 B f 1 ^B N 1 eγ 1 eγ 2 eγ 3 eγ 4 λ f 1 λ f 2) whee B f i = ( gα i+1 δ e i)(0 i N 1) v j pemutes B f i(0 i N 1) at andom v j sends the eply message to e j fom which the elaying message aived Note that the value of b is also eplaced with 1 b to indicate whethe o / is applied The pocedue fo eceiving eply messages is the same as that fo fowad messages When etuning a message the fowad oute infomation is not emoved but eplaced with a dummy value If a malicious node v i eplaces α i = g x ie i with α i = g x ie i and v j does not eplace it with a dummy value v i can decypt e i when this message is etuned to v i fom δ i 1 (which was oiginally α i) Thus it is necessay fo the etun node v j to honestly eplace fowad oute infomation with a dummy value 8 CONCLUSION This pape pesented a etun oute infomation encyption scheme fo onion-based mix-nets The poposed scheme is the st one that (1) allows any node to send a eply message to the oiginal sende and (2) allows multiple eply messages The emaining poblem includes nding a way to eliminate the couption assumptions 9 REFERENCES [1] J Camenisch and A Lysyanskaya: A Fomal Teatment of Onion Routing Poc of Cypto 2005 LNCS Vol 3621 pp (Aug 2005) [2] DL Chaum: Untaceable Electonic Mail Retun Addesses and Digital Pseudonyms Communications of the ACM Vol 24 No 2 pp (1981) [3] R Clayton: Impoving Onion Notation 3d Wokshop on Pivacy Enhancing Technologies LNCS Vol 2760 pp (Ma 2003) [4] G Danezis R Dingledine and N Mathewson: Mixminion: Design of a Type III Anonymous R e Potocol Poc of IEEE Symposium on Secuity and Pivacy pp2-15 (May 2003) [5] G Danezis: Beaking Fou Mix-elated Schemes Based on Univesal Re-encyption Poc of 9th Infomation Secuity Confeence LNCS Vol 4176 pp (Aug 2006) [6] G Danezis and C Diaz: A Suvey of Anonymous Communication Channels Micosoft Reseach Technical Repot MSR-TR (Feb 2008) [7] R Dingledine N Mathewson and P Syveson: To: The Second-Geneation Onion Route Poc of 13th USENIX Secuity Symp p21 (Aug 2004) [8] P Golle M Jakobson A Juels and P Syveson: Univesal Re-encyption fo Mixnets CT-RSA 2004 LNCS Vol 2964 pp (2004) [9] D M Goldschlag M G Reed and P F Syveson: Onion Routing fo Anonymous and Pivate Intenet Connections Communications of the ACM Vol 42 No 2 pp39-41 (Feb 1999) [10] M Gomuªkiewicz M Klonowski and M Kutyªowski; Onions Based on Univesal Re-encyption - Anonymous Communication Immune Against Repetitive Attack WISA 2004 LNCS Vol 3325 pp (2004) [11] C Gülcü and G Tsudik: Mixing with BABEL Poc of IEEE Symp on Netwok and Distibuted System Secuity pp 2-16 (Feb 1996) [12] M Klonowski M Kutylowski and F Zagoski: Anonymous Communication with On-line and O-line Onion Encoding Poc of Cuent Tends in Theoy and Pactice of Infomatics (SOFSEM 2005) LNCS Vol 3381 pp (Jan 2005) [13] T Lu B Fang Y Sun and L Guo: Some Remaks on Univesal Re-encyption and A Novel Pactical Anonymous Tunnel Poc of ICCNMC LNCS Vol 3619 pp (2005) [14] C A Melcho and Y Deswate: Fom DC-Nets to pmixes: Multiple Vaiants fo Anonymous Communications Poc of 5th Symp on Netwok Computing and Applications(NCA) pp (July 2006) [15] K Peng J M Nieto Y Desmedt and E Dawson: Klein Bottle Routing: An Altenative to Onion Routing and Mix Netwok ICISC 2006 LNCS Vol 4296 pp (2006) [16] V Shmatikov and M-H Wang: Timing Analysis in Low-Latency Mix Netwoks: Attacks and Defenses ESORICS 2006 LNCS Vol 4189 pp (Sep 2006) [17] B Timmeman: A Secuity Model fo Dynamic Adaptive Tac Masking Poc of 1997 wokshop on New secuity paadigms pp (1997) [18] B Timmeman: Secue Dynamic Adaptive Tac Masking Poc of 1999 wokshop on New secuity paadigms pp (1999) [19] H Toiyama N Kunihio and K Ohta: Retun Message-Receivable Anonymous Routing Scheme without Reveal of Sende ID SCIS2007 3B4-6 (Jan 2007)