Ace: an efficient key-exchange protocol for onion routing

Abstract

The onion routing (OR) network Tor provides privacy to Internet users by facilitating anonymous web browsing. It achieves anonymity by routing encrypted traffic across a few routers, where the required encryption keys are established using a key exchange protocol. Goldberg, Stebila and Ustaoglu recently characterized the security and privacy properties required by the key exchange protocol used in the OR network. They defined the concept of one-way authenticated key exchange (1W-AKE) and presented a provably secure 1W-AKE protocol called ntor, which is under consideration for deployment in Tor. In this paper, we present a novel 1W-AKE protocol Ace that improves on the computation costs of ntor: in numbers, the client has an efficiency improvement of 46% and the server of nearly 19%. As far as communication costs are concerned, our protocol requires a client to send one additional group element to a server, compared to the ntor protocol. However, an additional group element easily fits into the 512 bytes fix-sized Tor packets (or cell) in the elliptic curve cryptography (ECC) setting. Consequently, our protocol does not produce a communication overhead in the Tor protocol. Moreover, we prove that our protocol Ace constitutes a 1W-AKE. Given that the ECC setting is under consideration for the Tor system, the improved computational efficiency, and the proven security properties make our 1W-AKE an ideal candidate for use in the Tor protocol.