the onion router (tor): onion encryption served three ways€¦ · tor seeks to frustrate attackers...
TRANSCRIPT
The Onion Router (Tor):Onion Encryption Served Three Ways
Martijn Stam
COINS Winterschool in Finse, May 2019
2
Tor: The Second-Generation Onion RouterDingledine, Mathewson, Syverson (Usenix’04)
What is TorTor is a tool to advance anonymity on the Internet.
Designers’ Aim of Tor
Tor seeks to frustrate attackers from linking communication part-ners, or from linking multiple communications to or from a singleuser.
Tor has since grown into a project incl. a browser etc.
OutlineFirst half
1 Aspects of Anonymity
2 How Tor worksHigh LevelLow Level
3 Threats to TorTra�ic AnalysisTagging Attacks
OutlineSecond half
4 Why Model Tor
5 PETS ModelRogaway and Zhang, 2018
6 Eurocrypt ModelDegabriele and Stam, 2018
7 ConclusionComparison and Future Challenges
Aspects of Anonymity 5
Aims of AnonymityUser-Centric
A
B
C
X
Y
Z
User’s Perspective
Prevent websites from tracking meAccess web services that are otherwise blockedHide which websites I’m visitingPublish a websites without revealing my location etc.
Aspects of Anonymity 6
Tracking UsersPrevent websites from tracking me
Fingerprinting Websites
Adversary is the website being visitedGoals could be identifying or linking usersThis talk: Out of scopeTOR-browser can help protect you
Aspects of Anonymity 7
CensoringAccess web services that are otherwise blocked
Fingerprinting Websites
Adversary might be your ISPGoals is to filter out “bad” tra�icThis talk: Out of scopeFormat Transforming Encryption can help
Aspects of Anonymity 8
DeanonymizationHide which websites I’m visiting
Different GoalsDeanonymize as much tra�ic as possibleDetermine users of a specific websiteDetermine which websites a specific user visitsLink users across time and space
Aspects of Anonymity 8
DeanonymizationHide which websites I’m visiting
Adversarial Capabilities
Seeing incoming and outgoing tra�icObserving part of the networkControlling part of the networkPlus possible some endpoints
Aspects of Anonymity 8
DeanonymizationHide which websites I’m visiting
User Expectations (Hypothetical)
Noone can see who I amNoone can see what I am doingNoone can profile me
How Tor works High Level 9
Tor: The Second-Generation Onion RouterDingledine, Mathewson, Syverson (Usenix’04)
What is TorTor is a tool to advance anonymity on the Internet.
Designers’ Aim of Tor
Tor seeks to frustrate attackers from linking communication part-ners, or from linking multiple communications to or from a singleuser.
Themain principle behind Tor is that of routing internet tra�ic throughmul-tiple hops
How Tor works High Level 10
Onion RoutingProxies, Routers, Circuits, and Streams
Involved PartiesYellow these are the onion routers comprising the Tor networkPurple the onion proxy, run by the client to connect to the networkGreen my favourite destination or website, which doesn’t run Tor
How Tor works High Level 10
Onion RoutingProxies, Routers, Circuits, and Streams
Circuits and Streams1 The purple proxy knows the yellow routers comprising the Tor network2 It selects some routers for its blue circuit3 It runs a TCP stream over the circuit to the destination
How Tor works High Level 10
Onion RoutingProxies, Routers, Circuits, and Streams
Principle Idea
Each hop, or onion router, mixes all the tra�ic that goes through itIdeally, you are hiding amongst the masses:if there are enough users and honest routers, you are “safe”
How Tor works High Level 11
Tor: The Second-Generation Onion RouterOriginal design decisions
Efficiency
1 Directory serversDescribing known routers and their current state
2 Congestion controlDetect and deal with tra�ic bottlenecks
3 Variable exit policiesRouters advertise which destinations and ports it supports
How Tor works High Level 11
Tor: The Second-Generation Onion RouterOriginal design decisions
Functional1 Separation of “protocol cleaning” from anonymityYou can use e.g. Privoxy for the “cleaning” instead
2 Rendezvous points and hidden servicesEnables anonymously hosted .onionwebsites
3 Many TCP streams can share one circuitImproves both e�iciency and security
How Tor works High Level 11
Tor: The Second-Generation Onion RouterOriginal design decisions
Security Related
1 Nomixing, padding, or tra�ic shaping (yet)Tra�ic shaping or low-latency mixing that work are hard to come by
2 Perfect forward secrecyCompromising a router does not reveal anything related to pastcommunication
3 Leaky-pipe circuit topologyThe exit node need not be the last one in a circuit
4 End-to-end integrity checkingPrevents “external” tagging attacks
How Tor works High Level 12
Tor: The Second-Generation Onion RouterProtocol Design
Cryptographic components
Tor has four core protocols1 Link protocol2 Circuit Extend protocol3 Relay protocol4 Stream protocol
Ignored non-cryptographic components
How information about the network is distributedHow onion proxies decide which circuits to build.
How Tor works Low Level 13
Core Tor SpecificationLink Protocol (TLS)
Link protocol
Agree on Tor version/configurationUse TLS to establish secure OR-to-OR channelsEstablish a link from proxy to entry router
How Tor works Low Level 13
Core Tor SpecificationLink Protocol (TLS)
Link protocol
Agree on Tor version/configurationUse TLS to establish secure OR-to-OR channelsEstablish a link from proxy to entry router
How Tor works Low Level 14
Core Tor SpecificationCircuit Extend Protocol
Circuit extend protocol
Used by the onion proxy to create a circuitUses a telescopic conceptResults in the proxy sharing a key with each of its routers
How Tor works Low Level 14
Core Tor SpecificationCircuit Extend Protocol
Circuit extend protocol
Used by the onion proxy to create a circuitUses a telescopic conceptResults in the proxy sharing a key with each of its routers
How Tor works Low Level 14
Core Tor SpecificationCircuit Extend Protocol
Circuit extend protocol
Used by the onion proxy to create a circuitUses a telescopic conceptResults in the proxy sharing a key with each of its routers
How Tor works Low Level 14
Core Tor SpecificationCircuit Extend Protocol
Circuit extend protocol
Used by the onion proxy to create a circuitUses a telescopic conceptResults in the proxy sharing a key with each of its routers
How Tor works Low Level 14
Core Tor SpecificationCircuit Extend Protocol
Circuit identifiersFor any given circuit, a router only knows:
1 the key it shares with the anonymous proxy2 the router preceding and following it on the circuit3 an incoming and an outgoing circuit identifier
How Tor works Low Level 15
Core Tor SpecificationRelay Protocol
Cells are 514 bytes (v4+)
Route
CircID Circuit IdentifierCMD Cell type (3 or 9)
RELAY (3) orRELAY_EARLY
How Tor works Low Level 15
Core Tor SpecificationRelay Protocol
Payloads are 509 bytes (v4+)
Encode
CircID Circuit IdentifierCMD Cell typeRec Recognised
field (0x0000)Digest seeded running
hash (truncatedSHA-1)
Used for e2e authentication
How Tor works Low Level 15
Core Tor SpecificationRelay Protocol
Encrypt
Repeated CTRmode in AES
Should provideconfidentialityunlinkability
How Tor works Low Level 15
Core Tor SpecificationRelay Protocol
Cell Decryption
Performed by Onion Routers1 Use CircID to identifycircuit
2 Undo one AES-CTR layer3 Check integrity:
forwardoutput messagereject
How Tor works Low Level 15
Core Tor SpecificationRelay Protocol
Summary
The core cryptographiccomponent is authenticatedencryption implemented by
1 encode (Rec and Digest)2 encrypt (AES-CTR,repeated)
Dodgy mode-of-operation forordinary AE, but maybe okhere?
How Tor works Low Level 16
Core Tor SpecificationStream Protocol
Stream ProtocolUsed to serve a TCP connection to host xyz.com
Ideally uses https-connection between proxy and host
Threats to Tor Tra�ic Analysis 17
Traffic AnalysisJust a flavour
Source: Chakravarty et al. / PAM 2014
Threats to Tor Tagging Attacks 18
Tagging AttacksHigh Level Concept
Aim of Tagging Attack
Assume the adversary controls some onion routers.Goal is for OR1 and OR3 to link their circuitsSimilar to tra�ic correlation attacks, where linking is achieved bymatching tra�ic patterns between input and output edges
Threats to Tor Tagging Attacks 18
Tagging AttacksHigh Level Concept
How to Tag
1 OR1 receives a legitimate cell from the proxy2 OR1 processes thenmodifies the cell before forwarding to OR23 OR2 behaves honestly4 OR3 detects and undoes OR1’s modification
Threats to Tor Tagging Attacks 19
Tagging AttacksLow Level Details
How to tag
1 OR1 receives a legitimatecell from the proxy
2 OR1 processes thenmodifies the cell beforeforwarding to OR2
3 OR2 behaves honestly4 OR3 detects and undoesOR1’s modification
The adversary can confirm whether two edges belong to the same circuit.
Threats to Tor Tagging Attacks 19
Tagging AttacksLow Level Details
How to tag
1 OR1 receives a legitimatecell from the proxy
2 OR1 flips a bit in a celland forwards it over.
3 OR2 behaves honestly4 OR3 flips that bit backand tests if decryptionsucceeds.
Attack works as CTRmode is malleable
Threats to Tor Tagging Attacks 20
Tagging AttacksPerceptions
2004 Tagging attacks were known to the Tor designers, but protectingagainst themwas deemed pointless since tra�ic correlation attackswould be possible anyway.
“our design is vulnerable to end-to-end timing attacks; so taggingattacks performed within the circuit provide no additional informa-tion to the attacker”
Threats to Tor Tagging Attacks 20
Tagging AttacksPerceptions
2004 Tagging attacks were known to the Tor designers, but protectingagainst themwas deemed pointless since tra�ic correlation attackswould be possible anyway.
2008 The23rd Raccoon: How I Learned to Stop Ph34ring NSA and Love theBase Rate Fallacy.
2009 Tagging attacks rediscovered by Fu and Ling and presented at BlackHat 2009 - Tor project’s response: Nothing new here!
2012 The23rd Raccoon: Analysis of the Relative Severity of Tagging Attacks.Tor project decides to protect the relay protocol against taggingattacks, leading to Tor proposal 261.
Threats to Tor Tagging Attacks 20
Tagging AttacksPerceptions
2004 Tagging attacks were known to the Tor designers, but protectingagainst themwas deemed pointless since tra�ic correlation attackswould be possible anyway.
2008 The23rd Raccoon: How I Learned to Stop Ph34ring NSA and Love theBase Rate Fallacy.
2009 Tagging attacks rediscovered by Fu and Ling and presented at BlackHat 2009 - Tor project’s response: Nothing new here!
2012 The23rd Raccoon: Analysis of the Relative Severity of Tagging Attacks.Tor project decides to protect the relay protocol against taggingattacks, leading to Tor proposal 261.
Threats to Tor Tagging Attacks 21
Tagging AttacksImplications
The23rd Raccoon’s ObservationsConsider a network with 10,000 concurrent circuits, and a TCadversary controlling 30% of the entry/exit nodes.Due to noise, correlation detectors inevitably exhibit false positives.Let us assume a false positive rate of 0.5%.The probability that a pair of edges truly belong to the same circuitwhen amatch is detected is∼2% (base rate fallacy).This e�ect becomes more pronounced as the number of circuitsincreases, but tagging attacks are immune to this.The 2012 post describes an amplification e�ect and argues thattagging attacks require less resources.
Threats to Tor Tagging Attacks 22
Tagging AttacksThwarting
Recap
Tagging attacks are enabled bythe malleability of counter mode encryptionthe integrity checking being end-to-end only
Threats to Tor Tagging Attacks 22
Tagging AttacksThwarting
Recap
Tagging attacks are enabled bythe malleability of counter mode encryptionthe integrity checking being end-to-end only
Intermediate Integrity Checking
A naive fix would be to append a MAC tag at each layer of encryption,but this leaks information!This leakage can be prevented with appropriate padding to ensure thecell size is constant throughout.
Threats to Tor Tagging Attacks 22
Tagging AttacksThwarting
Recap
Tagging attacks are enabled bythe malleability of counter mode encryptionthe integrity checking being end-to-end only
Improved Modes-of-Operation
An alternative approach, resulting in a higher throughput, is to depart fromcounter mode
Proposal 261 (Mathewson)Proposal 295 (Ashur, Dunkelman, Luykx)
Threats to Tor Tagging Attacks 23
Thwarting Tagging AttacksProposal 261 by Mathewson
1 Digest set to 0x000000002 AES-CTR replaced by TWBC
Separate tweak per layer,updated with each cell.Tweak includes CMD(RELAY or RELAY_EARLY).
3 Verification checks a total 55 bits4 End-to-end integrity viaencode-then-encipher.
Threats to Tor Tagging Attacks 23
Thwarting Tagging AttacksProposal 261 by Mathewson
1 Digest set to 0x000000002 AES-CTR replaced by TWBC
Separate tweak per layer,updated with each cell.Tweak includes CMD(RELAY or RELAY_EARLY).
3 Verification checks a total 55 bits4 End-to-end integrity viaencode-then-encipher.
Threats to Tor Tagging Attacks 23
Thwarting Tagging AttacksProposal 261 by Mathewson
1 Digest set to 0x000000002 AES-CTR replaced by TWBC
Separate tweak per layer,updated with each cell.Tweak includes CMD(RELAY or RELAY_EARLY).
3 Verification checks a total 55 bits4 End-to-end integrity viaencode-then-encipher.
Threats to Tor Tagging Attacks 23
Thwarting Tagging AttacksProposal 261 by Mathewson
1 Digest set to 0x000000002 AES-CTR replaced by TWBC
Separate tweak per layer,updated with each cell.Tweak includes CMD(RELAY or RELAY_EARLY).
3 Verification checks a total 55 bits4 End-to-end integrity viaencode-then-encipher.
Threats to Tor Tagging Attacks 24
Thwarting Tagging Attacks IIProposal 295 by Ashur, Dunkelman, Luykx
OP
+
‖
EK ,DK
DigestK
EncryptK
DecryptK
?= X
T ′i
M
Ci
Ni
Duplicate value
Bitwise XOR
Concatenation
Update value
Block cipher
Universal hash
Encryption algorithm
Decryption algorithm
Equality check with X
Running digest
Message
Ciphertext
Nonce
M
C4 (= M)
EncryptKf3
C3
EncryptKf2
C2
EncryptKf1
C1
T ′1 ‖ ·
T ′2 ‖ ·
T ′3 ‖ ·
T ′4 ‖ ·DigestKhf3
DigestKhf1
DigestKhf2
DigestKhf3
T ′1
T ′2
T ′3
T ′4
0128
N1
N2
N3
N4
EKtf3
EKtf1
EKtf2
EKtf3
+
+
+
+
+
+
+
+
C1N1
+
DKtf1
+
T ′1
DigestKhf1 T ′1 ‖ ·
DecryptKf1
C2N2
+
DKtf2
+
T ′2
DigestKhf2 T ′2 ‖ ·
DecryptKf2
C3N3
+
DKtf3
+
T ′3
DigestKhf3 T ′3 ‖ ·
DecryptKf3
OR1
OR2
M
T ′4 ‖ ·DigestKhf3
T ′4
DKtf3
+
+
?= 0128
OR3
Threats to Tor Tagging Attacks 25
Questions so Far?(Plus a microbreak)
?
26
Outline of Part II
4 Why Model Tor
5 PETS ModelRogaway and Zhang, 2018
6 Eurocrypt ModelDegabriele and Stam, 2018
7 ConclusionComparison and Future Challenges
Why Model Tor General Musings 27
Real World Crypto SandwichKeywords
Why Model Tor General Musings 27
Real World Crypto SandwichKeywords
Why Model Tor General Musings 27
Real World Crypto SandwichKeywords
Why Model Tor General Musings 27
Real World Crypto SandwichKeywords
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
State of play
Countermode TOR is susceptible to tagging attacks.TOR-261 and TOR-295 are designed to prevent tagging attacks.
But do they?
1 What security is breached by tagging attacks?2 Can we formally define the relevant security?3 Can we prove TOR-261 and TOR-295 are secure?
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
Ideal of provable security
Given a secure TWBC, TOR-261 is a secure onion encryption scheme
Reality of provable security
Why provably secure constructions may get broken in practiceProof The security claim is incorrect
Solutions: automated proof checking, modularity of proofsBound The security claim is quantitively too weak
Solution: derive concrete multi-user boundsModel The security claim is qualitatively too weak
Solution: carefully refine the model
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
Abstraction LevelsTor exists in di�erent levels of granularity:
1 Tor aims to implement an anonymous channel2 Using the principles of onion routing3 Based on the Tor standard4 As implemented in Tor so�ware
A security model needs to decide which details are pertinent
Choice 1: Abstraction levelDi�erent levels of abstractions lead to models with varying scope andrelevance to practice
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
Tor Use CasesTor aims to improve privacy and security on the Internet in a variety ofways. People use Tor to
Keep websites from tracking themAccess web services that are otherwise blockedHide which websites are visitedPublish websites without revealing their location
Choice 2: Security goal
Di�erent aimsmight call for di�erent orthogonal security models
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
Adversarial capabilities
Imagine an adversary:Controlling part of the networkCorrelating tra�icInjecting/modifying tra�ic
Choice 3: Adversarial powers
Di�erent threat models lead to more or less potent security models
Why Model Tor Specific to Tor 28
Modeling TorHow cryptology can help protect you!
Modeling Choices
Abstraction Which aspects of the protocol are modelledAim What is an adversary trying to achieve
Capability What powers does an adversary have
Two models capturing tagging attacks
PETS More abstract, less powerful adversaries, cleanerEurocrypt More detailed, more powerful adversaries, messier
How do results in your model relate to real world deployment?
PETS Model Rogaway and Zhang, 2018 29
PETS ModelRogaway and Zhang (2018)
Modeling authenticated onion encryption
Goal distinguish an onion encryption scheme from an idealizedprimitive
Powers querying the keyed component algorithms
Assumptions
keys are magically pre-distributed (extend protocol)cell routing is out of scope (relay protocol)ignore streams (stream protocol)
PETS Model Rogaway and Zhang, 2018 30
PETS modelSyntax
Source: Phil Rogaway, PETS 2018
PETS Model Rogaway and Zhang, 2018 31
PETS modelSecurity
Source: Phil Rogaway, PETS 2018
PETS Model Rogaway and Zhang, 2018 31
PETS modelSecurity
Source: Phil Rogaway, PETS 2018
PETS Model Rogaway and Zhang, 2018 31
PETS modelSecurity
Source: Phil Rogaway, PETS 2018
Eurocrypt Model Degabriele and Stam, 2018 32
Eurocrypt ModelDegabriele and Stam (2018)
Modeling the relay protocol
Goal learn information about the circuits’ topology beyond what isinevitably leaked through node corruptions
Powers choose the messages that get encrypted; reorder, inject, andmanipulate cells on the network; selectively corrupt routers
Assumptions
keys are magically pre-distributed (extend protocol)node-to-node links are secured (link protocol)ignore streams (stream protocol)
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
Setting
Consider a circuit withan onion proxy: n6(here) three onion routers: n3, n5 and n4
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
Party’s State
A party’s state is circuit-based:for each circuit it keeps some stateFor onion routers, this state is split in two: a routing component and aprocessing component
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
Four algorithms
1 G for key generation2 E for encryption3 D for routing4 D̄ for decryption
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
G for key generation
1 Initiated by proxy on input the path of the circuit2 The proxy and the router obtain state information for the new circuit3 The new information is added to their respective states so far
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
G for key generation
1 Initiated by proxy on input the path of the circuit2 The proxy and the router obtain state information for the new circuit3 The new information is added to their respective states so far
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
E for encryption
Run by the proxyAs input the state of the relevant circuitAnd somemessagemResults in a cell C for first router on circuit
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
D for routing
Run by router when receiving a cell CTo identify which circuit the cell belongs toUse the first part τ of all circuit statesLeave the states τ untouched
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
D̄ for decryption
Run by router when processing a cell CUsing the τ̄ part of the relevant circuit stateResults deterministically in⊥,M or C′
May update the circuit state τ̄
Eurocrypt Model Degabriele and Stam, 2018 33
Eurocrypt ModelSyntax
Why the vector of split states?
Wewant to include circuit routing in our modelWe want to model the problem, not Tor’s solutionWe do not want too much interference between circuits
Eurocrypt Model Degabriele and Stam, 2018 34
Secure ChannelConfidentiality and Integrity
Left-or-Right End-to-End Indistinguishability
An adversary with all-but-one decryption keys of a circuit cannotdistinguish whetherm0 orm1 was encrypted by an onion proxy
Plaintext Integrity
An adversary cannot trick a router into outputting anmessage out of order
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
Let’s consider a network of onion routers
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
The adversary gets to corrupt some of the routers
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
The adversary selects two sets of potential circuitsthe game implements either the le�-or-right configuration
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
Both configurations need to “coincide on” the corrupted routers
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
The adversary gets to interact with the honest nodes in a restricted fashionIs it in the le� or right configuration?
Eurocrypt Model Degabriele and Stam, 2018 35
Circuit HidingLeft-or-Right Topology Indistinguishability
IntricaciesMany controls to ensure interface is the sameSo length of circuit and node’s relative position remain hiddenProtects against reordering and replay of cellsCells need to be re-injected simultaneously, one for each circuitAdversary may corrupt at most two segments of a circuit
The adversary gets to interact with the honest nodes in a restricted fashionIs it in the le� or right configuration?
Eurocrypt Model Degabriele and Stam, 2018 36
Circuit HidingProposal 261
P261 is not circuit hiding
Use the cell header’s CMD field totag cells, by switching its value fromRELAY to RELAY_EARLYAuthentication of CMD in the tweakis ine�ectiveSimilarities to the 2014 CMU incidenton Tor’s Onion Services which tookdown Silk Road.
Eurocrypt Model Degabriele and Stam, 2018 36
Circuit HidingProposal 261
P261 almost circuit hiding
Practical exploitability and e�icacyof this attack is limitedRELAY_EARLY cell type limits thecircuit size and its use is restrictedFixing CMD to RELAY providesprovable circuit hiding
Conclusion Comparison and Future Challenges 37
ComparisonEurocrypt versus PETS models
CommonalitiesTarget the core relay protocolTo prevent tagging attacksConsider only unidirectional tra�icIgnore leaky pipesAbstract away key generetionUse game-based formalization
Conclusion Comparison and Future Challenges 37
ComparisonEurocrypt versus PETS models
DifferencesEurocrypt v. PETSProtocol-centric Primitive-centricIncludes routing Excludes routingMulti-user Single-userIncludes Corruptions No CorruptionsAspirational Best-possibleEnd-to-end security Cell securityExplicit suppression Silencing
Conclusion Comparison and Future Challenges 38
Challenges
Quantify the power of tagging attacks more rigourously
Find middle-ground between the PETS and the Eurocrypt models
Prove the security of Proposal 295
Improve upon existing proposals
Expand the provable security treatment to includethe other protocols and bidirectionalityother security objectives (e.g. forward security)
Conclusion Comparison and Future Challenges 39
Conclusion
Modeling Tor
Onion encryption can bemodelled in various waysThe Eurocrypt model identified circuit hiding as its anonymity goalThe PETSmodel gave an authenticated encryption treatment instead
The Eurocrypt model shows that the routing mechanism a�ects anonymity
Abstraction is a double-edged sword
the next step in an ongoing evolution of most appropriate and im-portant onion routing adversaries, away fromabstracting reality tillit matches models and towards better matchingmodels to reality
—Syverson