[tor-dev] Comparing handshake protocols for Tor: Ace vs ntor

2013-07-23 Thread Esfandiar Mohammadi 
Hi,

in WPES 2012 [2], Aniket Kate and me introduced Ace, an alternative for Tor's 
current handshake protocol ntor (which was also briefly discussed on this list 
[4]). Back then, no implementation for the double scalar multiplication 
operation (a * b + c * d) on Curve25519 was available. But recently, Robert 
Ransom implemented in his celator library [1] a highly efficient double scalar 
multiplication which is suitable for our handshake protocol Ace.

In an internship with us, Shivanker Goel implemented and run comparative 
benchmarks of the Ace protocol, using Robert's celator library [1], and the 
current ntor implementation. Here are the benchmarks:

64-bit architecture:
Ace: 401,129 cycles,
ntor: 472,772 cycles,

32-bit architecture:
Ace: 2,797,303 cycles,
ntor: 5,179,069 cycles,

About the benchmarks:

* For cleaning the cache, the benchmarks runs the handshake 1000 times prior 
to starting the benchmarks. Then, we used a tsc_read() function to count the 
cycles, repeated the handshake 5000 times and computed the average of the 
cycles.

* In order not to be forced to import too many functions from the Tor library, 
we do not use the function dimap_search, which looks up the secret key for a 
given public key, in the benchmarks.

* We assume that ephemeral keys are precomputed, e.g., in idle cycles. In the 
benchmarks these ephemeral keys are received as an input.

* For the benchmarks hyper-threading and overclocking were disabled and gcc-4.8 
with "-O2" optimizations was used.

The code is available online [2]. We also tried to formulate a tor-style 
proposal, which is also available online [3].

Any feedback, comments, or suggestions are welcome.

- Esfandiar

[1] http://www.infsec.cs.uni-saarland.de/~mohammadi/ace/celator.tar.gz
[2] http://www.infsec.cs.uni-saarland.de/~mohammadi/ace/ace-benchmarks.tar.gz
[3] http://www.infsec.cs.uni-saarland.de/~mohammadi/ace/ace-handshake.txt
[4] It was discussed in the thread "Another key exchange algorithm for 
extending circuits:  alternative to ntor?" from August 2012.
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] Proposal 223: Ace: Improved circuit-creation key exchange

2013-11-20 Thread Esfandiar Mohammadi 
Am 20.11.2013 um 18:19 schrieb Paul Syverson :

> These authors found a
> vulnerability in that protocol, improved on it, and proved their
> protocol secure.

Actually, Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu found the 
vulnerability in Lasse and Paul's protocol [1], improved it, and proved the 
resulting protocol ntor secure [2]. We improved the efficiency of ntor and 
proved the resulting protocol Ace secure [3].

- Esfandiar

[1] Lasse Overlier and Paul Syverson. Improving efficiency and simplicity of 
Tor circuit establishment and hidden services. In Proceedings of the 7th 
international conference on Privacy enhancing technologies, pages 134 - 152, 
ACM, 2007.

[2] Ian Goldberg, Douglas Stebila, and Berkant Ustaoglu. Anonymity and one-way 
authentication in key exchange protocols. In the journal on Designs, Codes and 
Cryptography, pages 245-269, Springer, 2012.

[3] Michael Backes, Aniket Kate, and Esfandiar Mohammadi. Ace: an efficient 
key-exchange protocol for onion routing. In Proceedings of the 2012 ACM 
workshop on Privacy in the electronic society, pages 55 - 64, ACM, 2012.

___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

[tor-dev] MATor: A live-monitor for anonymity guarantees

2014-10-28 Thread Esfandiar Mohammadi 
Hi,

tl;dr: we have a CCS paper coming up about a client-based live-monitor, called 
MATor [1], that assesses the influence of Tor's path selection to a user's 
anonymity. The paper is a first step towards a useful live-monitor that 
assesses a user's anonymity in a provable manner. We would appreciate your 
feedback on our approach and the direction in general.

In detail, we implemented a live-monitor that computes upper bounds of the 
de-anonymization probability for sender, receiver, and relationship anonymity, 
based on Tor consensus data and the ports that the client needs. We formalized 
the guarantees that the live-monitor outputs in (an extension of) the AnoA 
framework [2] for circuit creation against passive attackers that do not 
control infrastructure (ASNs or IXPs).

We use safe approximations in the live-monitor to be able to efficiently (a few 
seconds [3]) compute upper bounds for de-anonymization.

At the moment the MATor monitor is a separate tool, but we are working on 
integrating it into the Tor client code. We envision an integration into Tor 
Browser Bundle.

Since MATor is an ongoing project, we would appreciate your opinion about the 
approach in general.

Best wishes,
- Sebastian & Esfandiar

[1] Michael Backes, Aniket Kate, Sebastian Meiser, Esfandiar Mohammad.
(Nothing else) MATor(s): Monitoring the Anonymity of Tor's Path Selection.
to appear in Proceedings of 21st ACM CCS, ACM, 2014.

The MATor project page (containing the paper and the implementation):
http://www.infsec.cs.uni-saarland.de/projects/anonymity-guarantees/mator.html

[2] Michael Backes, Aniket Kate, Praveen Manoharan, Sebastian Meiser, and 
Esfandiar Mohammadi.
AnoA: A Framework For Analyzing Anonymous Communication Protocols
Unified Definitions and Analyses of Anonymity Properties.
Proceedings of 26th IEEE CSF, pages 163-178, IEEE, 2013.

The AnoA project page (containing the paper):
http://www.infsec.cs.uni-saarland.de/~meiser/paper/anoa.html

[3] The running time is as follows on a MacBook Air 2GHz Intel i7 with 4GB RAM:

Preparation time:   3.39 seconds
For sender anonymity:   0.73 seconds
For recipient anonymity:6.07 seconds
For relationship anonymity: 9.10 seconds



signature.asc
Description: Message signed with OpenPGP using GPGMail
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev