After several years of research on onion routing, Camenisch and Lysyanskaya, in an attempt at rigorous analysis, defined an ideal functionality in the universal composability model, together with properties that protocols have to meet to achieve provable security. A whole family of systems based their security proofs on this work. However, by analyzing HORNET and Sphinx, two instances from this family, we show that this proof strategy is broken. We discover a previously unknown vulnerability that breaks anonymity completely, and explain a known one. Neither should exist if privacy had been proven correctly. In this work, we analyze and fix the proof strategy used for this family of systems. After proving the efficacy of the ideal functionality, we show how the original properties are flawed and suggest improved, effective properties in their place. Finally, we discover another common mistake in the proofs. We demonstrate how to avoid it by showing our improved properties for one protocol, thus partially fixing the family of provably secure onion routing protocols.