Cryptographic Shallots: A Formal Treatment of Repliable Onion Encryption. My name is Megumi Ando and this is joint work with Anna Lysyanskaya. Suppose that Alice wants to send a message to David anonymously. Then encrypting the message can prevent an eavesdropper from learning the content of the message. But it won't prevent an adversary who can observe the network traffic from discerning that Alice is communicating with David. The adversary can simply trace the sequence of bits coming out of Alice's computer and going into David's. So what can Alice do to prevent the adversary from learning who she is communicating with? One practical approach is to use onion routing, which was originally proposed by Chaum. To send a message to David, Alice first picks a routing path ending with David. In this example, the routing path is the sequence of parties Bob, Charlie, David. Then she forms a layered encryption object called an onion and sends it to the first party on the routing path, Bob. Bob decrypts just the outermost layer of the onion, or peels the outermost layer of the onion. This reveals an inner onion, also known as the processed onion (in blue), and the destination of the processed onion, Charlie. Charlie repeats this process. He peels the outermost layer of the onion, revealing the processed onion (in pink) and the next destination for the onion, David. When David peels the processed onion, he obtains the message from Alice. Now if Alice sends her message via onion routing, the network adversary may not know who her recipient is. For example, if Charlie receives Alice's onion to David (in purple) along with another onion (in yellow), then the adversary cannot determine which outgoing onion corresponds to which incoming onion. Is the green onion the result of processing the purple onion and the white onion the result of processing the yellow onion? Or is it the other way around? In other words, onions that are batch-processed at an honest party mix.
Anonymity can be achieved so long as the onions sufficiently mix as they travel through the network. However, using public-key encryption to form the onion encryption layers, as Chaum envisioned it, is not exactly what we want. This is because the encryption of a message is necessarily strictly longer than the message. What this means is that onions with different numbers of hops to go don't mix: the adversary can trivially determine which outgoing onion corresponds to which incoming onion from the sizes of the onions. Camenisch and Lysyanskaya formalized the notion of onion encryption by defining an onion encryption scheme as a triple of algorithms: a key generation algorithm G, an onion forming algorithm FormOnion, and an onion processing algorithm ProcOnion. They also provided the first formal security definitions for onion encryption. Onions generated using a secure onion encryption scheme mix properly, regardless of how far they are from their destinations. However, the paper of Camenisch and Lysyanskaya and subsequent follow-up work did not tackle two-way channels. When Alice's recipient David received the message from Alice, there was no method for replying to her anonymously. Two-way communication is necessary for most internet applications, for example for web browsing or for filling out a form online. So to conduct these applications anonymously, it is clear that we need anonymous two-way channels. The challenge with constructing a CCA-secure repliable onion encryption scheme is that it is unclear how to do so when the return onions cannot be constructed by any one party: the return path must be supplied by the sender, Alice, whereas the reply message must be supplied by the recipient, David. In this paper, we formalize the notion of repliable onion encryption. In this work, an onion is a pair consisting of a header and a content.
A repliable onion encryption scheme consists of four algorithms. The first is the key generation algorithm G. The second is the onion forming algorithm FormOnion, which takes as input a label, the message, the forward path from the sender to the recipient, the return path from the recipient to the sender, and the public keys of the parties on the routing path consisting of the forward and the return path. Its output is a list of onions corresponding to the forward path and a list of headers corresponding to the return path. The third is the onion processing algorithm ProcOnion, which takes as input the onion to be processed, the processing party and its secret key, and outputs a role and an output. If the role is intermediary, the output is the processed onion and the next destination. If the role is recipient, the output is the message. If the role is sender, then the output is a label and a reply message. The purpose of having labels is that the sender can use them to determine which message the reply message is a response to. Finally, there is a new type of algorithm, FormReply, for forming a reply onion. It takes as input the reply message, the onion it is replying to, the recipient and its secret key, and outputs a return onion and the first destination for the return onion. Our contributions are as follows. First, we define the ideal functionality for repliable onion encryption in Canetti's UC model, or more precisely in Canetti, Cohen and Lindell's simplified UC model. We call this F_ROES, for repliable onion encryption scheme. Next, we present a game-based definition, repliable onion security, and prove that it is both sufficient and almost necessary for realizing F_ROES. And finally, we present the first provably secure repliable onion encryption scheme, the shallot encryption scheme. Security in Canetti's Universal Composability model is described with respect to an ideal functionality.
The scheme is secure if the environment Z cannot tell whether it is operating in the real world, which uses the scheme, or in the ideal world, which uses the ideal functionality instead. For onion encryption, the environment can instruct the honest parties to form an onion, to process an onion, or to form a reply. In the real world, the honest parties run the appropriate algorithm from the onion encryption scheme. In the ideal world, the honest parties relay the instruction to the ideal functionality F_ROES. It is the job of the ideal functionality to form onions, process onions, and form replies. We chose to work specifically in the simplified UC model. First, because this choice simplifies the way we model communication: in the SUC model, the environment may communicate with the honest parties by writing to their input tapes and reading their output tapes, and the honest parties can communicate with the ideal functionality via a central router. Second, realizability of F_ROES in the SUC model implies realizability in the full UC model, so we don't really lose any generality by working in the simplified model. First, let us provide an intuition for our ideal functionality F_ROES. In order to ensure that the onions mix at honest intermediaries, we want it to be impossible to match an incoming onion to its outgoing onion. Moreover, it should be impossible to tell whether these onions are forward onions or return onions. In the ideal world, this is guaranteed by generating the incoming onions and outgoing onions in an information-theoretically independent way. To form an onion on behalf of an honest party P_i, the ideal functionality first partitions the forward path into segments, where each segment is a list that ends in the next honest party. Here, following the notational conventions of the paper, the honest parties are capitalized, whereas the adversarial ones are in lowercase.
So in this example, the segments are the list consisting of P1; the list consisting of p2, p3 and P4; the list consisting of P5; and finally the list consisting of p6 and P7. Let O_i denote the onion for party P_i. The onions O1, O2, O5, and O6 are formed independently of each other. For example, O1 is formed without M or the rest of the routing path in its input. The first onion O1 is returned to the sender P_i. Let O4 be what P4 gets if O2 is processed correctly. If the ideal functionality is asked by P4 to process O4, it returns O5. Likewise, let O7 be what the recipient P7 gets if O6 is processed correctly. Then O7 gets processed to M. This is the message that was in the sender P_i's input to FormOnion. In order to respond to the onion O7 with the reply message M' on behalf of the recipient P7, the ideal functionality first retrieves the return path, which it maintained internally, and then forms onions using M' and the return path. This is done using the same approach that was used for forming the forward onions. Of course, the full description of the ideal functionality is much more involved. Please refer to the paper for more details. Since it can be cumbersome to directly prove that an onion encryption scheme realizes F_ROES, we also present a game-based security definition that proves to be both sufficient and almost necessary for realizing F_ROES. We now describe the salient points of the security game. First, the adversary picks two honest parties, I and S. Next, the adversary gets oracle access to process onions and reply to onions on behalf of I and S. Then the adversary picks the parameters for the challenge onion, which include the forward path and the return path. The honest party S must be the sender of the challenge onion, and so the return path must end in S. And the honest party I must be somewhere else on the routing path: either an intermediary on the forward path, the recipient, or an intermediary on the return path.
The challenger samples a random bit b. If the bit comes up zero, then the challenger forms the onion O as specified by the adversary. Otherwise, the challenger forms two onions. For example, if I is an intermediary on the forward path, then the first onion is formed using the forward path up to I, and the second onion is formed using the rest of the routing path. The adversary again gets oracle access to process onions and reply to onions on behalf of I and S. However, this time the oracles are patched in the event that b is equal to one: in this case, the challenge onion layer for I processes to O' rather than to a message. Finally, the adversary outputs a guess b' for b and wins if b' is equal to b. An onion encryption scheme is repliable-onion secure if every efficient adversary wins this game with only negligible advantage. In the paper, we prove that if the onion encryption scheme Sigma is repliable-onion secure, then it SUC-realizes the ideal functionality F_ROES. This shows that the game-based definition is sufficient. We also prove that if Sigma SUC-realizes F_ROES, then it is non-adaptively repliable-onion secure. This shows that the game-based definition is almost necessary as well. Our construction is called the shallot encryption scheme because the onions it generates are pairs of layered encryption objects, and so in that respect these onions are more akin to shallots than onions. For the construction, we make use of the following cryptographic primitives: a CCA2-secure encryption scheme with tags, a message authentication code, a pseudorandom permutation (or block cipher), and a collision-resistant hash function. Each party generates his or her key pair by running the encryption scheme's key generation algorithm. Recall that each onion is a pair consisting of a header and a content. We now describe the steps for processing an onion O_i, which consists of the header (E_i, B_i1, B_i2) and the content C_i, when the processing party is an intermediary.
First, decrypt the first block of the header, E_i, to get the role and the block cipher key K_i. Then use K_i to decrypt the other blocks of the header and the content. Finally, to make the last block of the processed header, decrypt the all-zero string. Next, we describe how to form an onion using an example. Let the forward path be the list P1, P2, P3, and let the return path be the list P4, P5, P6. First, the sender Alice, who is also P6, picks block cipher keys K1 through K6 and MAC keys K3 and K6. We will use curly brackets to denote encryption and reversed curly brackets to denote decryption. To form the header H1 for the onion, we first form the header for the recipient. To obtain B31, we encrypt the all-zero string under the key K1 and then encrypt the result under the key K2. B32 is the result of encrypting the all-zero string under the key K2. The block E3 is the encryption of the role "recipient" along with the decryption keys for the recipient. Next, we form the header H2 for the second intermediary P2. The block B21 is the encryption of P3, the next destination after P2, and E3 under the key K2. And the block B22 is the encryption of B31 under the key K2. The block E2 is the encryption of the role "intermediary" along with P2's key K2. We repeat this one last time to get the header H1 for the first intermediary P1. To form the content C1, we first form the header for the return onion in similar fashion. Then the meta-message for the recipient, capital M, consists of Alice's message to David (who is also P3), the keys for replying, the first destination on the return path, and the return header. The meta-message along with the MAC tag for the message is encrypted first under the key K3, then the key K2, and finally the key K1. The onion for the first intermediary is O1, which is H1 and C1. To process the onion O3 as a recipient, David, who is also P3, decrypts E3 to get the role "recipient" and the key K3. Then K3 is used to obtain the meta-message M.
To reply to the message with the reply message M', David computes the content for the return onion by encrypting M' together with its MAC tag. Finally, we show that the shallot encryption scheme is repliable-onion secure. That is, we show that experiment zero, when b is equal to zero in the security game, is indistinguishable from experiment one, when b is equal to one. We do this via a sequence of hybrids. The high-level idea is the following. In hybrid one, we form the onion for the honest intermediary I and then wrap that onion with layers of shallot encryption to get the onion for the first intermediary P1. This produces an onion that is identically distributed to that in experiment zero. Hybrid two is the same as hybrid one except that I's key K_j is swapped out for the all-zero key. Hybrids one and two are indistinguishable because of the CCA2 security of the encryption scheme. Hybrid three is the same as hybrid two except that the blocks in the onion O_j are swapped out for truly random blocks. Hybrids two and three are indistinguishable because of the pseudorandomness of the pseudorandom permutation. Hybrid four is the same as hybrid three except that a second key K_j' is sampled independently of K_j and the truly random blocks in O_j are swapped out for pseudorandom ones generated under K_j'. Hybrids three and four are indistinguishable because of the pseudorandomness of PRPs. Hybrid five is the same as hybrid four except that the all-zero key is replaced with K_j'. Hybrids four and five are indistinguishable because of the CCA2 security of the encryption scheme. Finally, hybrid five and experiment one are indistinguishable because their outputs are identically distributed. The full proof with all the details can be found in the paper. To summarize, in this paper we formalize the notion of repliable onion encryption.
We define security for repliable onion encryption in the simplified UC model by providing a description of the ideal functionality F_ROES, and we present a game-based definition that is sufficient and almost necessary for realizing F_ROES. Finally, we give the first construction of a provably secure repliable onion encryption scheme. This concludes the presentation of our paper. Thank you for your attention.
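Added example (editor's, not part of the talk and not the paper's code): a stdlib-only Python toy of the shallot layout the talk walks through, for the forward path P1, P2, P3 and the return path P4, P5, Alice. It keeps the structure the talk describes: a header made of a tagged E block plus a fixed number of B blocks; an intermediary that opens E to get its role and key, peels the first B block to learn the next hop and the next E, shifts the remaining blocks and appends a fresh key-derived block in place of "decrypting the all-zero string"; one content layer per party; a MAC-tagged meta-message carrying the reply keys, the first return hop and the return header; and a sender who gets the label and the reply back. Everything the talk does not specify is my assumption: an HMAC-SHA256 keystream XOR stands in for the block cipher/PRP (with a dedicated label for the appended pad, so a pad never reuses a block position's keystream), a keyed seal under each party's long-term key stands in for the tagged CCA2 public-key encryption (binding E to a hash of the B blocks is my guess at the collision-resistant hash's role), all per-onion keys derive from one seed that Alice carries inside her own E block instead of in local state, and the party names, label, sizes and messages are constructed. demo() returns the roles and hop lists of the forward and return trips, the header size the network sees at every hop (always 848 bytes, regardless of hops to go, which is the mixing property the talk contrasts with plain layered public-key encryption), and whether P1 rejects an onion whose header has one bit flipped.

```python
"""Toy shallot onion (header H = (E, B_1..B_L), content C).  Editor's example, not the paper's code; stand-ins (my
choice, stdlib only): HMAC keystream XOR for the PRP, a keyed seal per party for tagged CCA2 PKE, keys from one seed."""
import hashlib, hmac, json, os

L, PAY, DEST = 3, 160, 16          # header blocks; padded E payload; padded next-hop field
E_LEN = 8 + PAY + 32               # nonce || ciphertext || tag
S = DEST + E_LEN                   # one B block: next hop || next party's E

def ks(key, label, n):             # n-byte keystream, the PRF stand-in for the block cipher
    return b"".join(hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(-(-n // 32)))[:n]
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def bind(blocks): return hashlib.sha256(b"".join(blocks)).digest()    # CR hash tying the B blocks to E
def mac(key, msg): return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()
def seal(sk, obj, assoc):          # stand-in for tagged CCA2 Enc_pk(obj); sk doubles as pk here
    p, nonce = json.dumps(obj).encode(), os.urandom(8)
    assert len(p) <= PAY
    ct = xor(p.ljust(PAY, b"\0"), ks(sk, b"E" + nonce, PAY))
    return nonce + ct + hmac.new(sk, nonce + ct + assoc, hashlib.sha256).digest()
def unseal(sk, e, assoc):          # None when E was not formed for this header (tag mismatch)
    nonce, ct, tag = e[:8], e[8:8 + PAY], e[8 + PAY:]
    if not hmac.compare_digest(tag, hmac.new(sk, nonce + ct + assoc, hashlib.sha256).digest()):
        return None
    return json.loads(xor(ct, ks(sk, b"E" + nonce, PAY)).rstrip(b"\0"))

def form_header(path, keys, sks, last_payload):   # backward pass; every header has exactly L blocks
    n = len(path)
    assert 2 <= n <= L + 1
    blocks = [os.urandom(S) for _ in range(L)]          # slots of H_n that no pad reaches: random
    for k in range(n - 1):                              # pad made by path[k] lands in H_n at L-(n-1-k)
        b = ks(keys[k], b"pad", S)
        for i in range(k + 1, n - 1):                   # peeled in transit by path[k+1..n-2]
            b = xor(b, ks(keys[i], b"B%d" % (L - (i - k)), S))
        blocks[L - (n - 1 - k)] = b
    e = seal(sks[path[-1]], last_payload, bind(blocks))
    for i in range(n - 2, -1, -1):                      # wrap for path[n-2], ..., path[0]
        nxt = path[i + 1].encode().ljust(DEST, b"\0") + e
        blocks = [xor(nxt, ks(keys[i], b"B0", S))] + [
            xor(blocks[j - 1], ks(keys[i], b"B%d" % j, S)) for j in range(1, L)]
        e = seal(sks[path[i]], {"role": "I", "k": keys[i].hex()}, bind(blocks))
    return e, blocks
def form_onion(label, msg, fwd, ret, sks):   # sender is ret[-1]; the return header rides in the content
    seed, nf = os.urandom(16), len(fwd)
    keys = [ks(seed, b"K%d" % i, 16) for i in range(nf + len(ret))]
    rk, rmac, fmac = (ks(seed, t, 16) for t in (b"reply", b"rmac", b"fmac"))
    e_ret, b_ret = form_header(ret, keys[nf:], sks, {"role": "S", "label": label,
                               "seed": seed.hex(), "ret": list(range(nf, nf + len(ret) - 1))})
    meta = {"msg": msg, "tag": mac(fmac, msg), "reply_k": rk.hex(), "reply_mac": rmac.hex(),
            "ret_dest": ret[0], "ret_E": e_ret.hex(), "ret_B": [b.hex() for b in b_ret]}
    e, blocks = form_header(fwd, keys[:nf], sks, {"role": "R", "k": keys[nf - 1].hex(), "mac": fmac.hex()})
    content = json.dumps(meta).encode()
    for i in range(nf):                                 # one content layer per forward party
        content = xor(content, ks(keys[i], b"C", len(content)))
    return fwd[0], (e, blocks, content)

def proc_onion(sk, onion):
    e, blocks, content = onion
    info = unseal(sk, e, bind(blocks))
    if info is None:
        return "reject", None
    if info["role"] == "I":                             # peel one layer, shift blocks left, append a pad
        k = bytes.fromhex(info["k"])
        nxt = xor(blocks[0], ks(k, b"B0", S))
        nb = [xor(blocks[j], ks(k, b"B%d" % j, S)) for j in range(1, L)] + [ks(k, b"pad", S)]
        return "I", (nxt[:DEST].rstrip(b"\0").decode(), (nxt[DEST:], nb, xor(content, ks(k, b"C", len(content)))))
    if info["role"] == "R":                             # recipient: open and MAC-check the meta message
        meta = json.loads(xor(content, ks(bytes.fromhex(info["k"]), b"C", len(content))))
        if not hmac.compare_digest(meta["tag"], mac(bytes.fromhex(info["mac"]), meta["msg"])):
            return "reject", None
        return "R", meta
    seed = bytes.fromhex(info["seed"])                  # sender: strip return-hop layers, then the reply layer
    for t in [b"K%d" % i for i in info["ret"]] + [b"reply"]:
        content = xor(content, ks(ks(seed, t, 16), b"C", len(content)))
    rep = json.loads(content)
    if not hmac.compare_digest(rep["tag"], mac(ks(seed, b"rmac", 16), rep["msg"])):
        return "reject", None
    return "S", (info["label"], rep["msg"])
def form_reply(meta, reply_msg):   # recipient: MAC the reply, encrypt under the reply key, attach return header
    body = json.dumps({"msg": reply_msg, "tag": mac(bytes.fromhex(meta["reply_mac"]), reply_msg)}).encode()
    content = xor(body, ks(bytes.fromhex(meta["reply_k"]), b"C", len(body)))
    return meta["ret_dest"], (bytes.fromhex(meta["ret_E"]), [bytes.fromhex(b) for b in meta["ret_B"]], content)
def deliver(sks, dest, onion):     # drive an onion hop by hop; record the hops and header size on the wire
    hops, sizes = [], []
    while True:
        hops.append(dest)
        sizes.append(len(onion[0]) + sum(map(len, onion[1])))
        role, out = proc_onion(sks[dest], onion)
        if role != "I":
            return role, out, hops, sizes
        dest, onion = out

def demo():
    sks = {p: os.urandom(16) for p in ["P1", "P2", "P3", "P4", "P5", "Alice"]}   # constructed parties
    dest, onion = form_onion("req-7", "hello David", ["P1", "P2", "P3"], ["P4", "P5", "Alice"], sks)
    e, blocks, c = onion                                # a flipped header bit must be rejected, not routed
    bad = (e, [bytes([blocks[0][0] ^ 1]) + blocks[0][1:]] + blocks[1:], c)
    rejected = proc_onion(sks[dest], bad)[0] == "reject"
    role, meta, hops, sizes = deliver(sks, dest, onion)
    role2, (label, reply), hops2, sizes2 = deliver(sks, *form_reply(meta, "hi Alice"))
    return {"fwd": (role, meta["msg"], hops, sizes), "ret": (role2, label, reply, hops2, sizes2),
            "tampered_rejected": rejected}
```

form_header works for any path of up to L+1 parties: header slots that no in-transit pad reaches are filled with random blocks, so a short path and a long path produce headers of the same shape and size at every hop. The XOR-keystream stand-in is what makes this a toy: with a real PRP, "decrypting the all-zero string" costs nothing and reveals nothing about the other blocks, which is exactly why the talk's construction needs a PRP rather than a stream cipher.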