Walking Onions: Scaling Anonymity Networks while Protecting Users
Chelsea H. Komlo1, Nick Mathewson2, Ian Goldberg1
1 University of Waterloo 2 The Tor Project
USENIX Security Symposium, 13 August 2020 Tor is a privacy-enhancing tool to use the Internet privately and circumvent censorship.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 2 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 Create 1 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 1 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 Extend R5 5 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
5
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
5
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 5 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 Extend R6 6 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
Extend R6 6
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
6
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
6
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
6
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6 6 R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Current Tor Path Selection and Circuit Extension
Current R2 R5 Consensus
R1 R6
R4
R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 3 / 17 Tor’s Protection: All clients to maintain an up-to-date consensus copy.
I Route-Capture Attacks: When an adversary can influence users’ relay selection.
Tor’s Protection: Clients verify relay responses using signing keys in the consensus.
Tor Security Model: Security over Scalability
I Epistemic Attacks: Users with different views of the network can be distinguished by their relay selection.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 4 / 17 I Route-Capture Attacks: When an adversary can influence users’ relay selection.
Tor’s Protection: Clients verify relay responses using signing keys in the consensus.
Tor Security Model: Security over Scalability
I Epistemic Attacks: Users with different views of the network can be distinguished by their relay selection.
Tor’s Protection: All clients to maintain an up-to-date consensus copy.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 4 / 17 Tor’s Protection: Clients verify relay responses using signing keys in the consensus.
Tor Security Model: Security over Scalability
I Epistemic Attacks: Users with different views of the network can be distinguished by their relay selection.
Tor’s Protection: All clients to maintain an up-to-date consensus copy.
I Route-Capture Attacks: When an adversary can influence users’ relay selection.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 4 / 17 Tor Security Model: Security over Scalability
I Epistemic Attacks: Users with different views of the network can be distinguished by their relay selection.
Tor’s Protection: All clients to maintain an up-to-date consensus copy.
I Route-Capture Attacks: When an adversary can influence users’ relay selection.
Tor’s Protection: Clients verify relay responses using signing keys in the consensus.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 4 / 17 I Maintains Tor’s Existing Security Model. One variant has no change, the other a slight loosening of forward secrecy (for path selection, not content).
I Immediate Performance Improvements. Demonstrates improvements at networks the size of Tor today.
I Generally Applicable. Aspects of Walking Onions apply to network designs beyond Tor.
What Contributions Does Walking Onions Make? I Constant-Size Client Overhead. Client bandwidth overhead remains constant even as new relays join (or at worst logarithmic).
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 5 / 17 I Immediate Performance Improvements. Demonstrates improvements at networks the size of Tor today.
I Generally Applicable. Aspects of Walking Onions apply to network designs beyond Tor.
What Contributions Does Walking Onions Make? I Constant-Size Client Overhead. Client bandwidth overhead remains constant even as new relays join (or at worst logarithmic).
I Maintains Tor’s Existing Security Model. One variant has no change, the other a slight loosening of forward secrecy (for path selection, not content).
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 5 / 17 I Generally Applicable. Aspects of Walking Onions apply to network designs beyond Tor.
What Contributions Does Walking Onions Make? I Constant-Size Client Overhead. Client bandwidth overhead remains constant even as new relays join (or at worst logarithmic).
I Maintains Tor’s Existing Security Model. One variant has no change, the other a slight loosening of forward secrecy (for path selection, not content).
I Immediate Performance Improvements. Demonstrates improvements at networks the size of Tor today.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 5 / 17 What Contributions Does Walking Onions Make? I Constant-Size Client Overhead. Client bandwidth overhead remains constant even as new relays join (or at worst logarithmic).
I Maintains Tor’s Existing Security Model. One variant has no change, the other a slight loosening of forward secrecy (for path selection, not content).
I Immediate Performance Improvements. Demonstrates improvements at networks the size of Tor today.
I Generally Applicable. Aspects of Walking Onions apply to network designs beyond Tor. Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 5 / 17 I How to build paths using oblivious relay selection?
I How to perform more efficient circuit construction?
What Improvements Does Walking Onions Make?
I How to represent relay information to enable oblivious selection and individual verification?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 6 / 17 I How to perform more efficient circuit construction?
What Improvements Does Walking Onions Make?
I How to represent relay information to enable oblivious selection and individual verification?
I How to build paths using oblivious relay selection?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 6 / 17 What Improvements Does Walking Onions Make?
I How to represent relay information to enable oblivious selection and individual verification?
I How to build paths using oblivious relay selection?
I How to perform more efficient circuit construction?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 6 / 17 What improvements does Walking Onions make?
I How to represent relay information to enable oblivious selection and individual verification?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 7 / 17 New Data Structure: Seperable Network Index Proof (SNIP)
Current Consensus Network Parameters
Relay Entries . .
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 8 / 17 New Data Structure: Seperable Network Index Proof (SNIP)
Current Consensus
[5284,5716) . .
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 8 / 17 New Data Structure: Seperable Network Index Proof (SNIP)
Current Consensus SNIPs
. . . .
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 8 / 17 ENDIVE: Efficient Network Directory with Independently Verifiable Entries
Current Consensus SNIPs ENDIVE
. . . .
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 9 / 17 ENDIVE: Efficient Network Directory with Independently Verifiable Entries
Current New Consensus Consensus SNIPs ENDIVE
. . . .
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 9 / 17 What improvements does Walking Onions make?
I How to represent relay information to enable oblivious selection and individual verification?
I How to build paths using oblivious relay selection?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 10 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5 1
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5 1
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5 2 2
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
2
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
2
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5
2, R2
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5 3 3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
3 3
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
3 R3
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
3 R3
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
3, R3
R1 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 Telescoping Walking Onions
R4 R6
R2
R3
R1 R5
3, R3
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 11 / 17 What improvements does Walking Onions make?
I How to represent relay information to enable oblivious selection and individual verification?
I How to build paths using oblivious relay selection?
I How to perform more efficient circuit construction?
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 12 / 17 Single-Pass Walking Onions
R4 R6
R2
R3
R5 1, 1
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Single-Pass Walking Onions
R4 R6 k ← DH( , 5) ← R2 r VRF 5(DH( , 5)) R3
10 , 10 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Single-Pass Walking Onions
R R 40 0 6 k ← DH( , 3) 0 ← 0 R2 r VRF 3(DH( , 3)) 100 , 100 R3
R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Single-Pass Walking Onions
R4 R6
R2 6 R3
R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Single-Pass Walking Onions
R4 R6
R2
R3
3, 6, R6 R5
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Single-Pass Walking Onions
R4 R6
R2
R3
R 5, 3, 6, R3 , R65
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 13 / 17 Performance Evaluation
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 14 / 17 I Walking Onions requires 4–6 times less bandwidth than Vanilla Onion Routing at a network the size of Tor today. I Improvement of 25–40 times less bandwidth at a network 10 times the size of Tor.
Bandwidth Results for Tor Relays Relay total bytes each Relay total bytes each 5x107 1x1010 4.5x107 Vanilla Vanilla 4x107 Sing(M) Sing(M) 7 Tele(M) Tele(M) 3.5x10 1x109 3x107 Sing(T) Sing(T) 2.5x107 Tele(T) Tele(T) 7 2x10 Analytical 8 Analytical 1.5x107 1x10 1x107 5x106 0 1x107 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 15 / 17 I Improvement of 25–40 times less bandwidth at a network 10 times the size of Tor.
Bandwidth Results for Tor Relays Relay total bytes each Relay total bytes each 5x107 1x1010 4.5x107 Vanilla Vanilla 4x107 Sing(M) Sing(M) 7 Tele(M) Tele(M) 3.5x10 1x109 3x107 Sing(T) Sing(T) 2.5x107 Tele(T) Tele(T) 7 2x10 Analytical 8 Analytical 1.5x107 1x10 1x107 5x106 0 1x107 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
I Walking Onions requires 4–6 times less bandwidth than Vanilla Onion Routing at a network the size of Tor today.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 15 / 17 Bandwidth Results for Tor Relays Relay total bytes each Relay total bytes each 5x107 1x1010 4.5x107 Vanilla Vanilla 4x107 Sing(M) Sing(M) 7 Tele(M) Tele(M) 3.5x10 1x109 3x107 Sing(T) Sing(T) 2.5x107 Tele(T) Tele(T) 7 2x10 Analytical 8 Analytical 1.5x107 1x10 1x107 5x106 0 1x107 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
I Walking Onions requires 4–6 times less bandwidth than Vanilla Onion Routing at a network the size of Tor today. I Improvement of 25–40 times less bandwidth at a network 10 times the size of Tor.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 15 / 17 I Clients in Walking Onions save 10–15 times the bandwidth over Vanilla Onion Routing in a network the size of Tor today. I In a network 10 times the size of Tor, Walking Onions saves clients 90–150 times the bandwidth over Vanilla.
Bandwidth Results for Tor Clients Client total bytes each Client total bytes each 100000 1x108 90000 Vanilla Vanilla 80000 Sing(M) Sing(M) 1x107 70000 Tele(M) Tele(M) 60000 Sing(T) Sing(T) 50000 Tele(T) 1x106 Tele(T) 40000 Analytical Analytical 30000 100000 20000 10000 0 10000 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 16 / 17 I In a network 10 times the size of Tor, Walking Onions saves clients 90–150 times the bandwidth over Vanilla.
Bandwidth Results for Tor Clients Client total bytes each Client total bytes each 100000 1x108 90000 Vanilla Vanilla 80000 Sing(M) Sing(M) 1x107 70000 Tele(M) Tele(M) 60000 Sing(T) Sing(T) 50000 Tele(T) 1x106 Tele(T) 40000 Analytical Analytical 30000 100000 20000 10000 0 10000 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
I Clients in Walking Onions save 10–15 times the bandwidth over Vanilla Onion Routing in a network the size of Tor today.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 16 / 17 Bandwidth Results for Tor Clients Client total bytes each Client total bytes each 100000 1x108 90000 Vanilla Vanilla 80000 Sing(M) Sing(M) 1x107 70000 Tele(M) Tele(M) 60000 Sing(T) Sing(T) 50000 Tele(T) 1x106 Tele(T) 40000 Analytical Analytical 30000 100000 20000 10000 0 10000 0 500 1000 1500 2000 1000 10000 100000 Number of relays Number of relays
I Clients in Walking Onions save 10–15 times the bandwidth over Vanilla Onion Routing in a network the size of Tor today. I In a network 10 times the size of Tor, Walking Onions saves clients 90–150 times the bandwidth over Vanilla.
Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 16 / 17 I Removes the per-relay bandwidth and storage cost to clients I Offers the same security protections against epistemic and route capture attacks as prior designs that required a globally consistent view.
I Walking Onions:
I Tor has already begun the specification work to integrate Walking Onions into the Tor protocol.
Takeaways
I The design of Tor today imposes impractical overheads to clients as the network scales.
Find our paper and artifact at https://crysp.uwaterloo.ca/software/walkingonions Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 17 / 17 I Removes the per-relay bandwidth and storage cost to clients I Offers the same security protections against epistemic and route capture attacks as prior designs that required a globally consistent view.
I Tor has already begun the specification work to integrate Walking Onions into the Tor protocol.
Takeaways
I The design of Tor today imposes impractical overheads to clients as the network scales.
I Walking Onions:
Find our paper and artifact at https://crysp.uwaterloo.ca/software/walkingonions Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 17 / 17 I Offers the same security protections against epistemic and route capture attacks as prior designs that required a globally consistent view.
I Tor has already begun the specification work to integrate Walking Onions into the Tor protocol.
Takeaways
I The design of Tor today imposes impractical overheads to clients as the network scales.
I Walking Onions: I Removes the per-relay bandwidth and storage cost to clients
Find our paper and artifact at https://crysp.uwaterloo.ca/software/walkingonions Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 17 / 17 I Tor has already begun the specification work to integrate Walking Onions into the Tor protocol.
Takeaways
I The design of Tor today imposes impractical overheads to clients as the network scales.
I Walking Onions: I Removes the per-relay bandwidth and storage cost to clients I Offers the same security protections against epistemic and route capture attacks as prior designs that required a globally consistent view.
Find our paper and artifact at https://crysp.uwaterloo.ca/software/walkingonions Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 17 / 17 Takeaways
I The design of Tor today imposes impractical overheads to clients as the network scales.
I Walking Onions: I Removes the per-relay bandwidth and storage cost to clients I Offers the same security protections against epistemic and route capture attacks as prior designs that required a globally consistent view.
I Tor has already begun the specification work to integrate Walking Onions into the Tor protocol.
Find our paper and artifact at https://crysp.uwaterloo.ca/software/walkingonions Chelsea Komlo, Nick Mathewson, Ian Goldberg Walking Onions 13 August 2020 17 / 17