Maintaining privacy on the Internet in the presence of powerful adversaries such as nation-state attackers is a challenging problem, and the Tor project is currently the most important tool for protecting against this threat. The circuit construction protocol (CCP) negotiates cryptographic keys for Tor circuits, which overlay TCP/IP by routing Tor cells over n onion routers. The current circuit construction protocol provides strong security guarantees such as forward secrecy, but does so by exchanging 𝒪(n²) messages.
For several years it has been an open question whether the same strong security guarantees could be achieved with less message overhead, which is desirable because of the inherent latency of overlay networks. Several publications described CCPs that require only 𝒪(n) message exchanges but significantly weaken the security of the resulting Tor circuit. It was even conjectured that it is impossible to achieve both 𝒪(n) message complexity and forward secrecy immediately after circuit construction (so-called immediate forward secrecy). Inspired by the latest advances in zero round-trip time (0-RTT) key exchange, we present a new CCP, Tor 0-RTT (T0RTT). Modern cryptographic primitives such as puncturable encryption allow us to achieve immediate forward secrecy using only 𝒪(n) messages. We implemented these new primitives to give a first indication of possible problems and how to overcome them, in order to build practical CCPs with 𝒪(n) messages and immediate forward secrecy in the future.
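The following is an added toy model, written for this page and not code from the T0RTT paper or the Tor project, of the two claims in the abstract. The first part counts link-level cell transmissions under a simplified model: telescoping construction (extend one hop at a time, each extend cell and its reply relayed through all earlier hops) against a single-pass construction (one onion forward, one acknowledgement back). The second part uses the trivial puncturable key encapsulation (one independent key pair per tag, puncturing deletes that tag's secret) to show why puncturing gives forward secrecy immediately after the single 0-RTT message; the paper's pairing-based puncturable encryption is not reproduced here. The modulus P and generator G are toy parameters, not a secure group, and the names `Relay`, `client_encapsulate`, `adversary_recover` and `run_scenario` are this example's own.

```python
# Added example (not from the T0RTT paper): toy model of message complexity
# and of puncturing for immediate forward secrecy. Toy DH parameters only.
import hashlib
import secrets

# --- Part 1: message complexity (simplified link-traversal model) -------------

def telescoping_messages(n):
    """Link traversals to build an n-hop circuit hop by hop (Tor's current CCP).
    Extending to hop i relays the client's cell over i links and the reply back
    over i links: sum of 2i for i = 1..n = n(n+1), i.e. O(n^2)."""
    return sum(2 * i for i in range(1, n + 1))

def one_pass_messages(n):
    """Link traversals for a single-pass CCP: one onion travels n links forward
    and one acknowledgement travels n links back, i.e. 2n = O(n)."""
    return 2 * n

# --- Part 2: trivial puncturable KEM and immediate forward secrecy -------------

P = 2**255 - 19   # toy modulus (prime), NOT a secure DH group choice
G = 2             # toy generator

def kdf(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()

class Relay:
    """Onion router holding a puncturable secret key: one DH secret per tag.
    Decapsulating under a tag deletes that tag's secret (punctures the key)."""

    def __init__(self, slots, puncture=True):
        self.puncture = puncture
        self._secrets = {tag: secrets.randbelow(P - 2) + 2 for tag in range(slots)}
        self.public_key = {tag: pow(G, x, P) for tag, x in self._secrets.items()}

    def decapsulate(self, tag, client_pub):
        x = self._secrets.get(tag)
        if x is None:
            # A replayed or late message under a punctured tag can never be opened.
            raise KeyError(f"tag {tag} already punctured")
        key = kdf(pow(client_pub, x, P))
        if self.puncture:
            del self._secrets[tag]      # the puncture: forget x right after use
        return key

    def leak_secret_key(self):
        """Models an adversary compromising the relay after circuit construction."""
        return dict(self._secrets)

def client_encapsulate(relay_public_key, tag):
    """Client's 0-RTT step: derive the key from the relay's public key alone,
    with no reply needed before the first payload can be sent."""
    y = secrets.randbelow(P - 2) + 2
    key = kdf(pow(relay_public_key[tag], y, P))
    return key, (tag, pow(G, y, P))      # (session key, message seen on the wire)

def adversary_recover(leaked_secrets, wire_message):
    """Attacker holding the recorded message and the relay's later-stolen secrets."""
    tag, client_pub = wire_message
    x = leaked_secrets.get(tag)
    return None if x is None else kdf(pow(client_pub, x, P))

def run_scenario(puncture):
    """Build one hop, then compromise the relay.
    Returns (keys_match, attacker_recovered_session_key)."""
    relay = Relay(slots=8, puncture=puncture)
    tag = 3                              # a fresh, never-used tag
    client_key, wire_msg = client_encapsulate(relay.public_key, tag)
    relay_key = relay.decapsulate(tag, wire_msg[1])
    leaked = relay.leak_secret_key()     # compromise happens after construction
    recovered = adversary_recover(leaked, wire_msg)
    return client_key == relay_key, recovered == client_key

if __name__ == "__main__":
    for n in (3, 5, 10):
        print(f"n={n}: telescoping={telescoping_messages(n)} one-pass={one_pass_messages(n)}")
    print("punctured relay   (keys match, attacker wins):", run_scenario(puncture=True))
    print("unpunctured relay (keys match, attacker wins):", run_scenario(puncture=False))
```

The unpunctured relay is the situation the abstract warns about: a relay whose long-term secret still opens an already-recorded 0-RTT message, so a later compromise breaks every circuit built with it. Puncturing removes exactly the secret that the recorded message needs, which is what makes the forward secrecy immediate rather than dependent on a later key rotation. The per-tag table is the trivial construction; it scales linearly in the number of tags, which is why the paper turns to compact puncturable encryption instead.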