
Walking Onions: Scaling Anonymity Networks while Protecting Users

Chelsea H. Komlo (1), Nick Mathewson (2), Ian Goldberg (1)
(1) University of Waterloo, (2) The Tor Project
USENIX Security Symposium, 13 August 2020

Tor is a privacy-enhancing tool to use the Internet privately and circumvent censorship.

Current Tor Path Selection and Circuit Extension

[Diagram: a client holding the consensus and relays R1 to R6. Labels shown in sequence: Create (1), Extend R5 (5), Extend R6 (6).]

Tor Security Model: Security over Scalability

- Epistemic Attacks: Users with different views of the network can be distinguished by their relay selection.
  Tor's Protection: All clients maintain an up-to-date consensus copy.
- Route-Capture Attacks: When an adversary can influence users' relay selection.
  Tor's Protection: Clients verify relay responses using signing keys in the consensus.

What Contributions Does Walking Onions Make?

- Constant-Size Client Overhead. Client bandwidth overhead remains constant even as new relays join (or at worst logarithmic).
- Maintains Tor's Existing Security Model. One variant has no change, the other a slight loosening of forward secrecy (for path selection, not content).
- Immediate Performance Improvements. Demonstrates improvements at networks the size of Tor today.
- Generally Applicable. Aspects of Walking Onions apply to network designs beyond Tor.

What Improvements Does Walking Onions Make?

- How to represent relay information to enable oblivious selection and individual verification?
- How to build paths using oblivious relay selection?
- How to perform more efficient circuit construction?

How to represent relay information to enable oblivious selection and individual verification?

New Data Structure: Separable Network Index Proof (SNIP)

[Diagram: the current consensus (network parameters and relay entries) is split into SNIPs; an example index range [5284,5716) is shown.]

ENDIVE: Efficient Network Directory with Independently Verifiable Entries

[Diagram: current consensus, SNIPs, ENDIVE, new consensus.]

How to build paths using oblivious relay selection?

Telescoping Walking Onions

[Diagram: relays R1 to R6 with numbered steps 1 and 2.]
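
An added example, not taken from the talk or from Tor's code, of the per-entry verification the SNIP slides describe: a client holding only a constant-size root checks that a returned SNIP is authentic and covers the index the client itself chose. Assumptions: a Merkle root stands in for the directory authorities' signature, the weights are constructed, giving the slide's [5284, 5716) range to R5 is arbitrary, and all function names are hypothetical.

```python
import hashlib, hmac, json

def _leaf(s):  # domain-separated leaf hash over the SNIP's relay and index range
    return hashlib.sha256(b"\x00" + json.dumps([s["relay"], s["lo"], s["hi"]]).encode()).digest()

def _node(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_snips(weights):
    """Authority side: give each relay a half-open index range sized by its
    weight, then attach a Merkle path so every SNIP verifies on its own."""
    snips, lo = [], 0
    for relay, w in weights:
        snips.append({"relay": relay, "lo": lo, "hi": lo + w, "path": []})
        lo += w
    level = [(_leaf(s), [s]) for s in snips]       # (hash, SNIPs beneath it)
    while len(level) > 1:
        nxt = []
        for (lh, ls), (rh, rs) in zip(level[0::2], level[1::2]):
            for s in ls: s["path"].append(("R", rh))   # sibling sits on the right
            for s in rs: s["path"].append(("L", lh))   # sibling sits on the left
            nxt.append((_node(lh, rh), ls + rs))
        if len(level) % 2:
            nxt.append(level[-1])                  # odd node is promoted unchanged
        level = nxt
    return snips, level[0][0], lo                  # SNIPs, root, size of index space

def relay_lookup(snips, index):
    """Relay side: return the SNIP whose range covers the client's index."""
    return next(s for s in snips if s["lo"] <= index < s["hi"])

def verify_snip(snip, index, root):
    """Client side: needs only the root, never the full relay list."""
    node = _leaf(snip)
    for side, sibling in snip["path"]:
        node = _node(node, sibling) if side == "R" else _node(sibling, node)
    if not hmac.compare_digest(node, root):
        return "bad-proof"      # not issued by the authorities (assumed Merkle root)
    if not snip["lo"] <= index < snip["hi"]:
        return "wrong-index"    # genuine SNIP, but not for the index the client chose
    return "ok"

# Constructed weights; R5 lands on the [5284, 5716) range used on the slide.
WEIGHTS = [("R1", 1500), ("R2", 1200), ("R3", 1384), ("R4", 1200), ("R5", 432), ("R6", 1000)]

if __name__ == "__main__":
    import secrets
    snips, root, total = build_snips(WEIGHTS)
    i = secrets.randbelow(total)                   # the client picks the index, not the relay
    print(i, verify_snip(relay_lookup(snips, i), i, root))
```

The "wrong-index" result is the route-capture check: a relay that answers with some other relay's genuine SNIP is rejected even though the proof itself is valid.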