T0RTT: Non-Interactive Immediate Forward-Secure Single-Pass Circuit Construction

Sebastian Lauer, Kai Gellert, Robert Merget, Tobias Handirk, Jörg Schwenk


Abstract

Maintaining privacy on the Internet in the presence of powerful adversaries such as nation-state attackers is a challenging topic, and the Tor project is currently the most important tool to protect against this threat. The circuit construction protocol (CCP) negotiates cryptographic keys for Tor circuits, which overlay TCP/IP by routing Tor cells over n onion routers. The current circuit construction protocol provides strong security guarantees such as forward secrecy by exchanging O(n^2) messages. For several years it has been an open question whether the same strong security guarantees could be achieved with less message overhead, which is desirable because of the inherent latency in overlay networks. Several publications described CCPs which require only O(n) message exchanges, but significantly reduce the security of the resulting Tor circuit. It was even conjectured that it is impossible to achieve both message complexity O(n) and forward secrecy immediately after circuit construction (so-called immediate forward secrecy). Inspired by the latest advancements in zero round-trip time key exchange (0-RTT), we present a new CCP protocol, Tor 0-RTT (T0RTT). Modern cryptographic primitives such as puncturable encryption allow us to achieve immediate forward secrecy using only O(n) messages. We implemented these new primitives to give a first indication of possible problems and how to overcome them in order to build practical CCPs with O(n) messages and immediate forward secrecy in the future.
