Post-Quantum Migration of the Tor Application
Abstract
:1. Introduction
1.1. Background
1.2. Purpose
- First, based on the literature analysis, this paper intends to identify a set of appropriate schemes for Tor post-quantum cryptography migration.
- To set up a functioning Tor network comprising multiple physical nodes in order to measure it and evaluate its performance at scale.
- Thirdly, identifying and measuring the cryptographic processes within Tor software.
- Finally, the scope of this research is to estimate a theoretical overhead value by incorporating the results of the previously defined objectives with post-quantum benchmark performances made on the devices used.
2. Literature Review
2.1. Tor Design and Architecture
2.1.1. Circuits and Handshake
- “CreateFast” deprecated (unauthenticated, non-forward-secure) handshake, which was previously used for the first hop of each circuit.
- The ntor handshake [12].
- The onion service ntor handshake variant allows each party to encrypt data (without forward secrecy) after the first message. Clients have used it since version 3 of the OS protocol to encrypt data in the introduction and rendezvous cells [5] #224.
- The ntor v3 also permits each party to encrypt data at the cost of FS, enables the client to send an authenticated encrypted message within its onion skin and allows the relay to send an encrypted and authenticated reply as part of its response [5] #332.In 2019, Lauer et al. [14] proposed a 0-RTT handshake relying on puncturable KEMs to achieve a lower latency design than ntor; yet, the paper shows that it can result in higher computational overhead on certain low-power devices. The authors claim to achieve “immediate” FS, which appears to meet Tor’s need for perfect FS, as the immediate variant mandates the deletion of ephemeral keys instantaneously. This approach could facilitate key management and allow the integration of post-quantum KEMs within the Tor handshake.
2.1.2. Relay and Link Layer
2.2. Schemes
2.2.1. Key Exchange
- NTRUE KEM with the EESS443EP2-specific parameter set, estimated at 128-bit security for both traditional and quantum-resistant settings. The design declares the maximum message size as 49 bytes, the KEM public key length as = 615 bytes, and a KEM ciphertext size of = 610 bytes.
- NewHope KEM is declared with = 1824 and = 2048.
2.2.2. Signature
2.3. Reflection
- The circuit-extension handshake;
- Onion skin;
- Link layer TLS;
- OS Introduction, rendezvous points.
- Consensus document;
- Relay identity authentication;
- Link TLS handshake authentication;
- Encrypted descriptor.
3. Methodology and Design
3.1. Technical Requirements
3.2. Network Architecture
3.3. Local Benchmark
3.4. Code Performance
- The circuit_establish_circuit function in circuitbuild.c handles the process of selecting paths and managing the handshake protocols between nodes to establish circuits.
- onion.c is responsible for the creation, encoding, and parsing of cells (CREATE, CREATED, EXTEND, and EXTENDED). It invokes handshakes.
- channel.c implements the transmission, reception, and processing of cells across different connections.
- relay.c manages RELAY cells, including their encryption, decryption, forwarding, and processing for routing data.
- onion_ntor.c implements the ntor handshake.
- onion_ntor_v3.c, as specified in proposal 340 [5], requires the enhanced handshake, ntor v3, for cell fragmentation.
- relay_crypto.c handles relay cell payload encryption, decryption, integrity verification via cryptographic digests, and the initialisation of symmetric keys.
- hs_ntor.c is closer to ntor v3 than ntor; it is the implementation of the handshake for onion services.
- tortls.c is the main TLS implementation file in Tor.
- channeltls.c is the only instantiation of channel abstraction. It handles the v3+ link handshake, certificate verification, and cell processing over OR connections.
3.5. PQC
3.6. Reflection
4. Implementation
4.1. System Setup
4.2. Local Network Benchmark
4.2.1. Pcap Analysis
4.2.2. Simple Bandwidth Scanner
4.2.3. Curl Measurements
Listing 1. Curl GET request to duckduckgo. |
curl --socks5-hostname 127.0.0.1:9050 -w “%{time_total} ” -o /dev/null -s https://duckduckgo.com |
Listing 2. Curl GET request to onion service. |
curl --socks5-hostname 127.0.0.1:9050 -w “%{time_total} ” -o /dev/null http:// adg4jkv2xpciraegkj3rpcfrdnzlaeqnlt7a3wzylhzcvshzkerhacyd.onion |
4.2.4. Circuit Build Time
Listing 3. Python script using the stem controller library. |
import time import numpy as np from statistics import mean, median, stdev from stem import CircStatus from stem.control import Controller def benchmark_circuits(controller, numCircuits=1000): circuitBuildTimes = [] for i in range(numCircuits): startTime = time.time() # Creating a new circuit and waiting until circuit is fully built circId = controller.create_circuit(await_build=False) while True: circ = controller.get_circuit(circId) if circ.status == CircStatus.BUILT: break time.sleep(0.001) # Checking the status as frequently as possible endTime = time.time() buildTime = endTime - startTime circuitBuildTimes.append(buildTime) controller.close_circuit(circId) if circuitBuildTimes: avgTime = mean(circuitBuildTimes) mdTime = median(circuitBuildTimes) mnTime = min(circuitBuildTimes) mxTime = max(circuitBuildTimes) sdTime = stdev(circuitBuildTimes) if len(circuitBuildTimes) > 1 else 0 q1Time = np.percentile(circuitBuildTimes, 25) q3Time = np.percentile(circuitBuildTimes, 75) print(f“Metrics for {numCircuits} circuits:”) print(f“ Average build time: {avgTime:.4f} seconds”) print(f“ Median build time: {mdTime:.4f} seconds”) print(f“ Min build time: {mnTime:.4f} seconds”) print(f“ Max build time: {mxTime:.4f} seconds”) print(f“ Standard dev: {sdTime:.4f} seconds”) print(f“ First quartile (Q1): {q1Time:.4f} seconds”) print(f“ Third quartile (Q3): {q3Time:.4f} seconds”) else: print(“No circuits”) if __name__ == “__main__”: with Controller.from_port(port=9051) as controller: benchmark_circuits(controller, numCircuits=1000) |
4.3. Cryptography Benchmark
4.4. PQC Runtimes
4.5. Reflection
5. Evaluation
5.1. Results
5.1.1. Bandwidth and Circuit Performance
5.1.2. Cryptography Comparison
5.2. Effectiveness
Related Work
5.3. Reflection
6. Conclusions
- Four algorithms have been demonstrated to be more appropriate than others: ML-KEM, and NTRU (sntrup761) as KEMs, followed by ML-DSA and Falcon as signature schemes.
- A local Tor network has been successfully deployed with multiple physical devices; it reached a Tor circuit-round latency of 83 ms for a non-encapsulated bandwidth mean value of 93.8 Mbits/s.
- The C code related to Tor cryptographic operations was timed. However, the relevance of the timings should be interpreted with caution within the context of this experiment.
- Using the obtained results alongside PQC performances, an accurate estimate of the overhead percentage cannot be determined. Numerous unclear variables are likely to influence the final latency evolution. This work has highlighted that the hardware characteristics of Tor nodes will be one of these factors.
6.1. Limitations
- While trying to satisfy the low-bandwidth requirement, the selected schemes only cover the two first NIST security categories. Furthermore, they lack diversity in their mathematical assumptions, relying solely on lattice problems.
- The benchmarking is heavily subjective.Firstly, it is influenced by the technology used, such as the optimisation of cryptosystems based on a CPU architecture. In this context, this theoretical bare-metal Tor network simulation could be improved by using hardware generally used in the real Tor network. This would require more intrusive relay metrics and may go against security and privacy principles. Secondly, the timings are greatly influenced by the configuration. The torrc files were adapted to obtain a functional local network with the given number of nodes. Yet, another blend of settings could result in a more realistic implementation. Adding more nodes should improve the stability of the setup. Going further, the nodes could be distanced geographically. Planet Lab [58] may be an appropriate test bed. Additionally, the methods and tools employed in the measurement process can significantly alter the results; for instance, time is consistently taken as a reference point, and other measuring units, such as CPU cycles, are neglected.
- The estimation of the PQC overhead is only theoretical and misses a multitude of parameters, such as different traffic types or volumes. In a virtual environment, further testing with Shadow could provide valuable insights based on the real Tor traffic, while on physical machines, adapting or creating tools like OnionPerf to target local instantiations could also produce more relevant measures. In the future, Tor’s software optimisations and restructuring of the underlying protocols will also impact network performance.
6.2. Future Work
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
Glossary
Acronym | Meaning |
ACCE | Authenticated and Confidential Channel Establishment |
ACME | Automated Certificate Management Environment |
AEAD | Authenticated Encryption with Associated Data |
AES | Advanced Encryption Standard |
AKE | Authenticated Key Exchange |
ARTI | A pure-Rust Tor Implementation |
CA | Certificate Authorities |
CCA | Chosen-Ciphertext Attack |
SVP | Shortest Vector Problem |
CRYSTALS | Cryptographic Suite for Algebraic Lattices |
DH | Diffie–Hellman |
DHCP | Dynamic Host Configuration Protocol |
DNS | Domain Name System |
DSA | Digital Signature Algorithm |
ECC | Elliptic Curve Cryptography |
ECDH | Elliptic Curve Diffie–Hellman |
EES | Efficient Embedded Security |
FALCON | Fast Fourier Lattice-based Compact signatures over NTRU |
FO | Fujisaki–Okamoto transform |
FS | Forward Secrecy |
HHK | Hofheinz–Hövelmanns–Kiltz transform |
HQC | Hamming Quasi-Cyclic |
IETF | Internet Engineering Task Force |
IND-CCA | INDistinguishability under Chosen-Ciphertext Attack |
IND-CCA2 | INDistinguishability under Adaptive-Ciphertext Attack |
IND-CPA | INDistinguishability under Chosen-Plaintext Attack |
IP | Internet Protocol |
KEM | Key Encapsulation Mechanism |
LMS | Leighton–Micali Signature |
MLWE | Module Learning With Error |
ML-KEM | Module-Lattice-based Key Encapsulation Mechanism |
ML-DSA | Module-Lattice-based Digital Signature Algorithm |
MTU | Maximum Transmission Unit |
NAT | Network Address Translation |
NIST | National Institute of Standards and Technology |
NSA | National Security Agency |
NTRU | Nth degree TRUncated polynomial ring |
OSs | Onion Services |
PDK | Pre-Distributed (public) Key |
PFS | Perfect Forward Secrecy |
PKE | Public Key Encryption |
PQC | Post-Quantum Cryptography |
PRNG | Pseudo-Random Number Generator |
QC | Quantum Computer |
QKD | Quantum Key Distribution |
RAM | Random-Access Memory |
RSA | Rivest–Shamir–Adleman |
RTT | Round-Trip Time |
SHA | Secure Hash Algorithm |
SSL | Secure Sockets Layer |
TAP | Tor Authentication Protocol |
TCP | Transmission Control Protocol |
TLS | Transport Layer Security |
TOR | The Onion Routing |
XMSS | eXtended Merkle Signature Scheme |
1W-AKE | One-Way Authenticated Key Exchange |
Appendix A
Key | Type | Description | Expected Lifetime |
---|---|---|---|
relayid_rsa | 1024-bit RSA | identity key | long-term, never rotated |
onion_tap | 1024-bit RSA | TAP onion key | medium-term, at least 1 week |
conn_tls | 1024-bit RSA | connection key for negotiating TLS connections | short-term, at most 1 day |
ntor | x25519 (256 bits) | onion key for handling onion key handshakes | medium-term, at least 1 week |
relayid_ed | ed25519 (256 bits) | identity key | long-term, never rotated |
relaysign_ed | ed25519 (256 bits) | signing key | medium-term, rotated periodically |
relaysign_ed_cert | ed25519 (256 bits) | relaysign_ed signed by relayid_ed | same lifetime as relaysign_ed |
link_ed | ed25519 (256 bits) | link auth key, used to authenticate the link handshake | regenerated “frequently” |
link_ed_cert | ed25519 (256 bits) | link_ed signed by relaysign_ed | same lifetime as link_ed |
Key | Type | Description | Expected Lifetime |
---|---|---|---|
hs_id | ed25519 (256 bits) | identity key | long-term, never rotated |
hs_blind_id | ed25519 (256 bits) | blinded signing key (derived from hs_id) | 1 time period |
hs_desc_sign | ed25519 (256 bits) | descriptor signing key | 1 time period |
hs_desc_sign_cert | ed25519 (256 bits) | descriptor signing certificate (hs_desc_sign signed by hs_blind_id) | short-term (54h) |
hsc_desc_enc | x25519 (256 bits) | the client’s counterpart to hss_desc_enc | long-term until the client rotates it/service revokes access |
hsc_intro_auth | ed25519 (256 bits) | client auth key for use in the introduction protocol | long-term/until the client rotates it/service revokes access |
Key | Type | Description | Expected Lifetime |
---|---|---|---|
v3_ident | RSA (2048 bits) | identity key of the authority | long-term, never rotated |
dir_signing | RSA (1024 bits) | signing key used for directory information | medium-term, rotated periodically |
dir_signing_cert | RSA (1024 bits) | dir_signing signed by v3_ident | same lifetime as dir_signing |
Scheme | Public Key Size | Private Key Size | Signature Size |
---|---|---|---|
ML-DSA-44 | 1312 | 2528 | 4981 |
ML-DSA-65 | 1952 | 4000 | 3351 |
ML-DSA-87 | 2592 | 4864 | 4595 |
SLH-DSA-128f | 32 | 64 | 1700 |
SLH-DSA-192f | 48 | 96 | 3564 |
SLH-DSA-256f | 64 | 128 | 4988 |
Scheme | Public Key Size | Private Key Size | Signature Size |
---|---|---|---|
XMSS_SHA2_10_256 | 64 | 1373 | 2500 |
XMSS_SHAKE256_10_192 | 48 | 1053 | 1492 |
LMS_SHA256_H5_W1 | 60 | 64 | 8688 |
LMS_SHA256_H5_W8 | 60 | 64 | 1296 |
Scheme | Public Key Size | Private Key Size | Signature Size |
---|---|---|---|
Falcon-512 | 897 | 1281 | 752 |
Falcon-1024 | 1793 | 2305 | 1462 |
Listing A1. Cisco switch configuration. |
> enable configure terminal ip dhcp pool LAN_POOL network 192.168.1.0 255.255.255.0 interface vlan1 ip address 192.168.1.1 255.255.255.0 no shutdown service dhcp exit write memory |
Listing A2. Chutney configuration file. |
Authority1 = Node(tag=“a1”, authority=1, relay=1, torrc=“authority.tmpl”) Authority2 = Node(tag=“a2”, authority=1, relay=1, torrc=“authority.tmpl”) GuardRelay1 = Node(tag=“g1”, relay=1, guard=1, torrc=“relay.tmpl”) GuardRelay2 = Node(tag=“g2”, relay=1, guard=1, torrc=“relay.tmpl”) GuardRelay3 = Node(tag=“g3”, relay=1, guard=1, torrc=“relay.tmpl”) MiddleRelay1 = Node(tag=“m1”, relay=1, middle=1, onion_service=1, torrc=“relay.tmpl”) MiddleRelay2 = Node(tag=“m2”, relay=1, middle=1, rendezvous=1, torrc=“relay.tmpl”) ExitRelay1 = Node(tag=“e1”, relay=1, exit=1, torrc=“relay.tmpl”) ExitRelay2 = Node(tag=“e2”, relay=1, exit=1, torrc=“relay.tmpl”) NODES = [Authority1, Authority2, GuardRelay1, GuardRelay2, GuardRelay3, MiddleRelay1, MiddleRelay2, ExitRelay1, ExitRelay2] ConfigureNodes(NODES) |
Listing A3. Listing of files generated by node type (chutney). |
000a1 (Directory authority) fingerprint fingerprint-Ed25519 keys authority_certificate authority_identity_key authority_signing_key Ed25519_master_id_public_key Ed25519_master_id_secret_key Ed25519_signing_cert Ed25519_signing_secret_key secret_id_key secret_onion_key secret_onion_key_ntor lock torrc 004g3 (Guard relay) fingerprint fingerprint-Ed25519 keys Ed25519_master_id_public_key Ed25519_master_id_secret_key Ed25519_signing_cert Ed25519_signing_secret_key secret_id_key secret_onion_key secret_onion_key_ntor lock torrc 005m1 (Middle relay) fingerprint fingerprint-Ed25519 keys Ed25519_master_id_public_key Ed25519_master_id_secret_key Ed25519_signing_cert Ed25519_signing_secret_key secret_id_key secret_onion_key secret_onion_key_ntor lock torrc 007e1 (Exit relay) fingerprint fingerprint-Ed25519 keys Ed25519_master_id_public_key Ed25519_master_id_secret_key Ed25519_signing_cert Ed25519_signing_secret_key secret_id_key secret_onion_key secret_onion_key_ntor lock torrc |
Listing A4. Directory authority torrc file. |
TestingTorNetwork 1 PathsNeededToBuildCircuits 0.35 TestingDirAuthVoteExit $D36D51189EC2112507DDB293FC166C5E5ADA9B91,$3E5729E0BE77AAD422BE2D95D72200EF01D1F29F TestingDirAuthVoteExitIsStrict 1 TestingDirAuthVoteHSDir $BD452B626D1A453BB3E557B363CEC39F1E63D089,$CCE340CBBFFA07C8E434261FFCA5AB457DD06217,$D36D51189EC2112507DDB293FC166C5E5ADA9B91 #TestingDirAuthVoteHSDirIsStrict 1 TestingDirAuthVoteGuard $84C8BDC0ECB2A6F7B536A2C6696DE0ADE8AC09A9,$139726CAC0132D62C1D6E5E2F306315CCFE857A9,$A0595788A046B7B2DF48B04A02C262DC525A82E2,$691B61F16F6D48F65183AF7A39BC789645C14C49,$2EEB5B771A2A177EC0D184D410DDB4F153FF354F TestingDirAuthVoteGuardIsStrict 1 V3AuthNIntervalsValid 2 V3BandwidthsFile /home/ubuntu/000a1/bwfile.v3bw MiddleNodes $691B61F16F6D48F65183AF7A39BC789645C14C49,$CCE340CBBFFA07C8E434261FFCA5AB457DD06217 DataDirectory /home/ubuntu/000a1 RunAsDaemon 1 ConnLimit 60 Nickname test000a1 ShutdownWaitLength 2 DisableDebuggerAttachment 0 AddressDisableIPv6 1 ControlPort 8000 ControlSocket /home/ubuntu/000a1/control CookieAuthentication 1 PidFile /home/ubuntu/000a1/pid Log notice file /home/ubuntu/000a1/notice.log Log info file /home/ubuntu/000a1/info.log Log debug file debug.log ProtocolWarnings 1 SafeLogging 0 LogTimeGranularity 1 AuthoritativeDirectory 1 V3AuthoritativeDirectory 1 ContactInfo auth0@test.test DirAuthority test000a1 orport=5100 no-v2 v3ident=4832D1130A4F32E4410E42D33C36B6B87EC37C27 192.168.1.15:7100 EA30E583EF155930ACE4144D0CFA800725C65D46 DirAuthority test001a2 orport=5101 no-v2 v3ident=43DE83E17AB616F71A36394D519732767B2CEF50 192.168.1.16:7101 BD452B626D1A453BB3E557B363CEC39F1E63D089 SocksPort 9050 OrPort 5100 Address 192.168.1.15 DirPort 7100 ExitRelay 0 DisableNetwork 0 ConfluxEnabled 0 TestingAuthKeyLifetime 3 months ServerDNSAllowNonRFC953Hostnames 1 ServerDNSDetectHijacking 0 |
Listing A5. Guard relay torrc file. |
TestingTorNetwork 1 PathsNeededToBuildCircuits 0.45 TestingDirAuthVoteExit * TestingDirAuthVoteHSDir * V3AuthNIntervalsValid 2 TestingDirAuthVoteGuard * TestingMinExitFlagThreshold 0 DataDirectory /home/ubuntu/002g1 RunAsDaemon 1 ConnLimit 60 Nickname test002g1 ShutdownWaitLength 2 DisableDebuggerAttachment 0 AddressDisableIPv6 1 ControlPort 8002 ControlSocket /home/ubuntu/002g1/control CookieAuthentication 1 PidFile /home/ubuntu/002g1/pid Log notice file /home/ubuntu/002g1/notice.log Log info file /home/ubuntu/002g1/info.log ProtocolWarnings 1 SafeLogging 0 LogTimeGranularity 1 DirAuthority test000a1 orport=5100 no-v2 v3ident=4832D1130A4F32E4410E42D33C36B6B87EC37C27 192.168.1.15:7100 EA30E583EF155930ACE4144D0CFA800725C65D46 DirAuthority test001a2 orport=5101 no-v2 v3ident=43DE83E17AB616F71A36394D519732767B2CEF50 192.168.1.16:7101 BD452B626D1A453BB3E557B363CEC39F1E63D089 OrPort 5102 Address 192.168.1.17 ExitRelay 0 DisableNetwork 0 ConfluxEnabled 0 |
Listing A6. Client torrc file. |
TestingTorNetwork 1 DirAuthority test000a1 orport=5100 no-v2 v3ident=4832D1130A4F32E4410E42D33C36B6B87EC37C27 192.168.1.15:7100 EA30E583EF155930ACE4144D0CFA800725C65D46 DirAuthority test001a2 orport=5101 no-v2 v3ident=43DE83E17AB616F71A36394D519732767B2CEF50 192.168.1.16:7101 BD452B626D1A453BB3E557B363CEC39F1E63D089 SocksPort 9050 DisableNetwork 0 CircuitBuildTimeout 60 LearnCircuitBuildTimeout 0 DataDirectory /var/lib/tor LogTimeGranularity 1 NumEntryGuards 1 UseEntryGuards 0 ClientOnly 1 SocksPolicy accept 192.168.0.0/16 RunAsDaemon 1 ConfluxEnabled 0 |
Listing A7. Tor browser command. |
$ TOR_SKIP_LAUNCH=1 TOR_SOCKS_PORT=9050 TOR_SKIP_CONTROLPORTTEST=1 /home/$USERNAME/.local/share/torbrowser/tbb/x86_64/tor-browser/Browser/start-tor-browser |
Listing A8. Tor Browser command. |
for i in {1..500}; do curl --socks5-hostname 127.0.0.1:9050 -w “%{time_total}, “ -o /dev/null -X POST \ -H “Content-Type: application/json” \ -H “User-Agent: BenchmarkingAgent/1.0” \ -H “Accept: application/json" \ -d ’{ “cookie": “value111111111111111111111111", “username": “testuser", “password": “76478736456728374637823764637382", “session_id": “abc123xyz4567890", “data": { “field1": “Some random text to increase payload size 1", “field2": “Some random text to increase payload size 2", “field3": “Some random text to increase payload size 3" } }’ \ -s https://local.tor/postpath done |
References
- Shor, P. Algorithms for quantum computation: Discrete logarithms and factoring. In Proceedings of the 35th Annual Symposium on Foundations of Computer Science, Santa Fe, NM, USA, 20–22 November 1994; pp. 124–134. [Google Scholar] [CrossRef]
- Grover, L.K. A fast quantum mechanical algorithm for database search. In Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing, Philadelphia, PA, USA, 22–24 May 1996. [Google Scholar]
- TOR Metrics. Available online: https://metrics.torproject.org/ (accessed on 20 September 2024).
- Dingledine, R.; Syverson, P. Tor: The Second-Generation Onion Router. In Proceedings of the USENIX Security Symposium, San Diego, CA, USA, 9–13 August 2004. [Google Scholar]
- Tor Proposals. Available online: https://spec.torproject.org/proposals/ (accessed on 18 September 2024).
- Gidney, C.; Ekerå, M. How to factor 2048 bit RSA integers in 8 hours using 20 million noisy qubits. Quantum 2021, 5, 433. [Google Scholar] [CrossRef]
- Raimondo, G.M.; Locascio, L.E. FIPS 204 Federal Information Processing Standards Publication Module-Lattice-Based Digital Signature Standard. Nist Natl. Inst. Stand. Technol. 2024, 55. [Google Scholar] [CrossRef]
- Moody, D.; Perlner, R.; Regenscheid, A.; Robinson, A.; Cooper, D. Transition to Post-Quantum Cryptography Standards; NIST Internal Report 8547; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar] [CrossRef]
- Goldberg, I.; Cheriton, D.R. On the Security of the Tor Authentication Protocol. In International Workshop on Privacy Enhancing Technologies; Springer: Berlin/Heidelberg, Germany, 2006. [Google Scholar]
- Tor Specifications. Available online: https://spec.torproject.org/tor-spec/index.html (accessed on 21 September 2024).
- Schanck, J.M.; Whyte, W.; Zhang, Z. Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world. Cryptol. Eprint Arch. 2015, 2016, 219–236. [Google Scholar] [CrossRef]
- Goldberg, I.; Stebila, D.; Ustaoglu, B. Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptogr. 2013, 67, 245–269. [Google Scholar] [CrossRef]
- Ghosh, S.; Kate, A. Post-Quantum Forward-Secure Onion Routing (Future Anonymity in Today’s Budget). Cryptol. Eprint Arch. 2015, 9092, 263–286. [Google Scholar]
- Lauer, S.; Gellert, K.; Merget, R.; Handirk, T.; Schwenk, J. T0RTT: Non-Interactive Immediate Forward-Secret Single-Pass Circuit Construction. Proc. Priv. Enhancing Technol. 2020, 2020, 336–357. [Google Scholar] [CrossRef]
- Degabriele, J.P.; Stam, M. Untagging tor: A formal treatment of onion encryption. In Proceedings of the Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); LNCS. Springer: Berlin/Heidelberg, Germany, 2018; Volume 10822, pp. 259–293. [Google Scholar] [CrossRef]
- Rogaway, P.; Zhang, Y. Onion-AE: Foundations of Nested Encryption. Proc. Priv. Enhancing Technol. 2018, 85–104. [Google Scholar] [CrossRef]
- Jaques, S.; Naehrig, M.; Roetteler, M.; Virdia, F. Implementing Grover Oracles for Quantum Key Search on AES and LowMC. In Proceedings of the EUROCRYPT 2020, Virtual Conference, 11–15 May 2020. [Google Scholar]
- Dowling, B.; Fischlin, M.; Günther, F.; Stebila, D. A Cryptographic Analysis of the TLS 1.3 Handshake Protocol. J. Cryptol. 2021, 34, 37. [Google Scholar] [CrossRef]
- Schwabe, P.; Stebila, D.; Wiggers, T. Post-Quantum TLS Without Handshake Signatures. In Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, 9 November 2020. Technical Report 2020/534, IACR Cryptology ePrint Archive. [Google Scholar]
- Perrin, T. The Noise Protocol Framework, 2018. Revision 34, Status: Official. Available online: https://noiseprotocol.org/ (accessed on 8 October 2024).
- Schwabe, P.; Stebila, D.; Wiggers, T. More efficient post-quantum KEMTLS with pre-distributed public keys. In Computer Security—ESORICS 2021, Proceedings of the European Symposium on Research in Computer Security, Darmstadt, Germany, 4–8 October 2021; Springer: Berlin/Heidelberg, Germany, 2021; pp. 3–22, Cryptology ePrint Archive, Paper 2021/779. [Google Scholar] [CrossRef]
- Stebila, D.; Fluhrer, S.; Gueron, S. Hybrid Key Exchange in TLS 1.3. Internet-Draft Draft-Ietf-Tls-Hybrid-Design-11, Internet Engineering Task Force. 2024. Available online: https://datatracker.ietf.org/doc/draft-ietf-tls-hybrid-design/ (accessed on 11 November 2024).
- Langley, A. CECPQ2: Post-Quantum Confidentiality in TLS. 2018. Available online: https://www.imperialviolet.org/2018/12/12/cecpq2.html (accessed on 14 September 2024).
- Baseri, Y.; Chouhan, V.; Ghorbani, A.; Chow, A. Evaluation Framework for Quantum Security Risk Assessment: A Comprehensive Study for Quantum-Safe Migration. Comput. Secur. 2025, 150, 104272. [Google Scholar] [CrossRef]
- Barker, E.; Dang, Q.; Hanon, N. NIST Special Publication 800-57 Part 1, Revision 5: Recommendation for Key Management, Part 1: General; Technical Report 800-57pt1r5; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2020; 57p. [Google Scholar] [CrossRef]
- Barton, J.; Buchanan, W.; Pitropakis, N.; Sayeed, S.; Abramson, W. Post Quantum Cryptography Analysis of TLS Tunneling on a Constrained Device. In Proceedings of the 8th International Conference on Information Systems Security and Privacy—ICISSP, Online, 9–11 February 2022; 2022; 1, pp. 551–561. [Google Scholar] [CrossRef]
- Alagic, G.; Apon, D.; Cooper, D.; Dang, Q.; Dang, T.; Kelsey, J.; Lichtinger, J.; Liu, Y.K.; Miller, C.; Moody, D.; et al. Status Report on the Third Round of NIST Post-Quantum Cryptography Standardization Process; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2022. [Google Scholar] [CrossRef]
- Kret, E.; Schmidt, R. The PQXDH Key Agreement Protocol. Revision 3. 2023. Available online: https://signal.org/docs/specifications/pqxdh/pqxdh.pdf (accessed on 23 January 2024).
- Cheng, H.; Großschädl, J.; Rønne, P.B.; Ryan, P.Y.A. AVRNTRU: Lightweight NTRU-based Post-Quantum Cryptography for 8-bit AVR Microcontrollers. In Proceedings of the DATE 2021: Design, Automation and Test in Europe, Virtual Conference, 1–5 February 2021. [Google Scholar]
- Bernstein, D.J.; Chuengsatiansup, C.; Lange, T.; van Vredendaal, C. NTRU Prime: Reducing attack surface at low cost. In Proceedings of the Selected Areas in Cryptography–SAC 2017: 24th International Conference, Ottawa, ON, Canada, 16–18 August 2017. [Google Scholar]
- Bos, J.W.; Bronchain, O.; Custers, F.; Renes, J.; Verbakel, D.; van Vredendaal, C. Enabling FrodoKEM on Embedded Devices. Cryptol. Eprint Arch. 2023. Paper 2023/158. Available online: https://eprint.iacr.org/2023/158 (accessed on 1 January 2025).
- Bos, J.W.; Ducas, L.; Kiltz, E.; Lepoint, T.; Lyubashevsky, V.; Schanck, J.M.; Schwabe, P.; Seiler, G.; Stehlé, D. CRYSTALS—Kyber: A CCA-Secure Module-Lattice-Based KEM. In Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK, 24–26 April 2018; pp. 353–367. [Google Scholar] [CrossRef]
- Raimondo, G.M.; Locascio, L.E. FIPS 203 Federal Information Processing Standards Publication Module-Lattice-Based Key-Encapsulation Mechanism Standard. Nist Natl. Inst. Stand. Technol. 2024, 47. [Google Scholar] [CrossRef]
- Kwala, A.K.; Kant, S.; Mishra, A. Comparative analysis of lattice-based cryptographic schemes for secure IoT communications. Discov. Internet Things 2024, 4, 13. [Google Scholar] [CrossRef]
- Open Quantum Safe, Liboqs. Available online: https://openquantumsafe.org (accessed on 8 October 2024).
- Melchor, C.A.; Aragon, N.; Bettaieb, S.; Bidoux, L.; Blazy, O.; Bos, J.; Deneuville, J.C.; Arnaud Dion, P.G.; Lacan, J.; Persichetti, E.; et al. Hamming Quasi-Cyclic (HQC) Fourth Round Specification. Technical report, SandboxAQ, Univ. of Limoges, TII, Ecole Polytechnique, Worldline, ENAC, ISAE Supaero, Florida Atlantic Univ., Univ. of Toulon, Univ. of Bordeaux. 2024. Available online: https://pqc-hqc.org/ (accessed on 4 November 2024).
- Rescorla, E. The Transport Layer Security (TLS) Protocol Version 1.3. Request for Comments 8446, 2018. Standards Track. Available online: https://datatracker.ietf.org/doc/rfc8446/ (accessed on 4 November 2024).
- Færøy, A.H. BoringSSL Tor Fork. Branch: Ahf/boringssl. Available online: https://gitlab.torpaper.org/ahf/tor/-/commits/ahf%2Fboringssl (accessed on 11 November 2024).
- Paquin, C.; Stebila, D.; Tamvada, G. Benchmarking Post-quantum Cryptography in TLS. In Post-Quantum Cryptography; Ding, J., Tillich, J.P., Eds.; Springer International Publishing: Cham, Switzerland, 2020; pp. 72–91. [Google Scholar]
- Alnahawi, N.; Müller, J.; Oupický, J.; Wiesmaier, A. A Comprehensive Survey on Post-Quantum TLS. Iacr Commun. Cryptol. 2024, 1, hal-04845617. [Google Scholar] [CrossRef]
- Pan, J.; Riepel, D.; Zeng, R. Key Exchange with Tight (Full) Forward Secrecy via Key Confirmation. Cryptol. Eprint Arch. 2024, 14657, 59–89. [Google Scholar]
- Pan, J.; Wagner, B.; Zeng, R. Tighter Security for Generic Authenticated Key Exchange in the QROM. Cryptol. Eprint Arch. 2023, 14441, 401–433. [Google Scholar]
- Eaton, E.; Stebila, D.; Stracovsky, R. Post-Quantum Key-Blinding for Authentication in Anonymity Networks. A Compressed Version Appears in the Proceedings of Latincrypt 2021. Available online: https://eprint.iacr.org/2021/963.pdf (accessed on 16 November 2024).
- Kampanakis, P.; Childs-Klein, W. The impact of data-heavy, post-quantum TLS 1.3 on the Time-To-Last-Byte of real-world connections. Cryptol. Eprint Arch. 2024. Paper 2024/176. [Google Scholar] [CrossRef]
- Group, L.W. Stateless Hash-Based Digital Signature Algorithms (SLH-DSA) in X.509 Public Key Infrastructure (PKI). Internet-Draft Draft-Ietf-Lamps-x509-slhdsa-02, Internet Engineering Task Force. 2024. Available online: https://datatracker.ietf.org/doc/draft-ietf-lamps-x509-slhdsa/ (accessed on 13 November 2024).
- Sikeridis, D.; Kampanakis, P.; Devetsikiotis, M. Post-Quantum Authentication in TLS 1.3: A Performance Study. Cryptol. Eprint Arch. 2020. Paper 2020/071. [Google Scholar] [CrossRef]
- Kampanakis, P.; Kallitsis, M. Faster Post-Quantum TLS Handshakes Without Intermediate CA Certificates. In Cyber Security, Cryptology, and Machine Learning; Dolev, S., Katz, J., Meisels, A., Eds.; Springer International Publishing: Cham, Switzerland, 2022; pp. 337–355. [Google Scholar]
- Misell, Q. Automated Certificate Management Environment (ACME) Extensions for “.onion” Special-Use Domain Names. Internet-Draft Draft-Ietf-Acme-Onion-04, Internet Engineering Task Force (IETF). Available online: https://acmeforonions.org/ (accessed on 12 November 2024).
- Preston, R. Applying Grover’s Algorithm to Hash Functions: A Software Perspective. IEEE Trans. Quantum Eng. 2023, 3, 1–10. [Google Scholar] [CrossRef]
- Alagic, G.; Bros, M.; Ciadoux, P.; Cooper, D.; Dang, Q.; Dang, T.; Kelsey, J.; Lichtinger, J.; Liu, Y.K.; Miller, C.; et al. Status Report on the First Round of the Additional Digital Signature Schemes for NIST Post-Quantum Cryptography Standardization Process; NIST Internal Report 8528; National Institute of Standards and Technology: Gaithersburg, MD, USA, 2024. [Google Scholar]
- Baum, C.; Braun, L.; de Saint Guilhem, C.D.; Klooß, M.; Orsini, E.; Roy, L.; Scholl, P. Publicly Verifiable Zero-Knowledge and Post-Quantum Signatures From VOLE-in-the-Head. Cryptol. Eprint Arch. 2023, 14085, 581–615. [Google Scholar]
- Castryck, W.; Decru, T. An efficient key recovery attack on SIDH. Cryptol. Eprint Arch. 2022, 14008, 423–447. [Google Scholar]
- Rahman, M.S.; DiAdamo, S.; Mehic, M.; Fleming, C. Quantum Secure Anonymous Communication Networks. In Proceedings of the 2024 International Conference on Quantum Communications, Networking, and Computing (QCNC), Kanazawa, Japan, 1–3 July 2024. [Google Scholar]
- Zhang, Y.; Zhang, Y.; Portokalidis, G.; Xu, J. Towards Understanding the Runtime Performance of Rust. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE ’22), New York, NY, USA, 10–14 October 2022; pp. 1–6. [Google Scholar] [CrossRef]
- DAST; Team, E.D. iPerf: The Network Bandwidth Measurement Tool. NLANR and ESnet. 2003. Available online: https://github.com/esnet/iperf (accessed on 19 November 2024).
- QSOR: Quantum-Safe Onion Routing. Available online: https://arxiv.org/pdf/2001.03418 (accessed on 21 November 2024).
- Evgnosia-Alexandra, K. A note on Post Quantum Onion Routing. Cryptol. Eprint Arch. 2021. Paper 2021/111. Available online: https://eprint.iacr.org/2021/111 (accessed on 1 January 2025).
- PlanetLab Europe. Available online: https://www.planet-lab.eu/ (accessed on 13 November 2024).
Layer | Protocol/Version | Scheme | Security Category | Role |
---|---|---|---|---|
Circuit-extend | ntor | HMAC-SHA256 | 2 | Message integrity in handshake, authenticity |
HKDF | 2 | Key derivation from shared secret | ||
ntor v3 and OS-ntor | Ed25519 | unsafe | Relay identity verification | |
SHA3-256 | 2 | Integrity, authenticity of messages | ||
SHAKE-256 | 4 | Keying material generation with randomness | ||
All handshakes | AES-128-CTR | 1 | Message content encryption during handshake | |
X25519 | unsafe | Key agreement | ||
Relay | Standard circuits | SHA-1 | unsafe | Cell header integrity check (being phased out) |
SHA-256 | 2 | Cell message integrity check | ||
AES-128-CTR | 1 | Relay cell encryption in layers | ||
Ed25519 | unsafe | Relay identity verification and key signing | ||
OS v3 | AES-256-CTR | 5 | Encryption for data integrity and identity validation | |
SHA-256 | 2 | Key derivation, message integrity, handshake validation | ||
Directory authorities | Ed25519 | unsafe | Signature for consensus data | |
SHA-256 | 2 | Integrity through hashes of consensus documents and descriptors | ||
RSA2048 or 3072 | unsafe | Authority identity key, Directory server public signing key | ||
Link | TLS 1.2 | RSA2048 | unsafe | Identity authentication |
DHE | unsafe | Ephemeral key exchange with forward secrecy | ||
TLS 1.3 | AEAD only | 1 | Channel encryption; e.g., AES-GCM, ChaCha20-Poly1305, having built-in integrity checks | |
All | SHA-256 and above | >2 | Message integrity, authentication, key derivation | |
ECDHE | unsafe | Ephemeral key exchange with forward secrecy | ||
Internal | X.509 | unsafe | Certificate-based identity and link verification |
Encapsulation Key | Decapsulation Key | Ciphertext | Shared Secret Key | |
---|---|---|---|---|
sntrup761 | 1158 | 1763 | 1039 | 32 |
FrodoKEM-640-AES | 9616 | 19,888 | 9720 | 16 |
FrodoKEM-640-SHAKE | 9616 | 19,888 | 9720 | 16 |
FrodoKEM-976-AES | 15,632 | 31,296 | 15,744 | 24 |
Encapsulation Key | Decapsulation Key | Ciphertext | Shared Secret Key | |
---|---|---|---|---|
ML-KEM-512 | 800 | 1632 | 768 | 32 |
ML-KEM-768 | 1184 | 2400 | 1088 | 32 |
ML-KEM-1024 | 1568 | 3168 | 1568 | 32 |
Keygen/s | Keygen (Cycles) | Encaps/s | Decaps/s | Security Category | |
---|---|---|---|---|---|
HQC-128 | 6719.33 | 371,892 | 3571.00 | 2349.00 | 1 |
HQC-192 | 2855.00 | 875,523 | 1465.00 | 1000.00 | 3 |
Kyber512 | 23,348.00 | 106,974 | 18,970.00 | 16,118.00 | 1 |
Kyber768 | 13,660.67 | 182,899 | 11,630.00 | 10,096.33 | 3 |
sntrup761 | 115.55 | 21,636,049 | 2308.00 | 818.00 | 2 |
FrodoKEM-640-SHAKE | 345.99 | 7,224,951 | 282.67 | 280.33 | 1 |
Encapsulation Key | Ciphertext | Secret Key | |
---|---|---|---|
HQC-128 | 2249 | 4487 | 56 |
HQC-192 | 4522 | 9042 | 64 |
HQC-256 | 7245 | 14,485 | 72 |
Keygen/s | Keypair (Cycles) | Sign/s | Verify/s | Security Category | |
---|---|---|---|---|---|
Falcon-512 | 53.26 | 46,938,518 | 176.55 | 17,246.00 | 1 |
Falcon-1024 | 17.91 | 139,565,458 | 80.56 | 8341.00 | 5 |
Dilithium2 | 9486.00 | 263,444 | 2099.33 | 8752.33 | 2 |
Dilithium3 | 5184.33 | 482,134 | 1320.00 | 5519.00 | 3 |
SPHINCS+-SHA2-128f-s | 558.81 | 4,473,508 | 23.86 | 404.73 | 1 |
SPHINCS+-SHA2-192f-s | 382.08 | 6,542,247 | 14.52 | 270.91 | 3 |
Sign/s | Verify/s | Model | |
---|---|---|---|
Ed25519 | 2939.1 | 1327.0 | 4b |
RSA2048 | 199.2 | 7492.9 | 4b |
RSA3072 | 21.3 | 1209.6 | 4b |
Ed25519 | 16,301.1 | 6846.1 | 5 |
RSA2048 | 281.0 | 10,289.0 | 5 |
RSA3072 | 90.1 | 4652.2 | 5 |
Key Exchange/s | Model | ||
X25519 | 1044.6 | 4b | |
X25519 | 5973.5 | 5 |
Keygen/s | Encaps/s | Decaps/s | Model | |
---|---|---|---|---|
ML-KEM-512 | 3807.3 | 3462.0 | 2783.0 | 4b |
ML-KEM-768 | 2539.0 | 3905.0 | 2571.5 | 4b |
sntrup761 | 25.2 | 841.7 | 410.6 | 4b |
ML-KEM-512 | 23,168.3 | 19,178.0 | 15,136.3 | 5 |
ML-KEM-768 | 13,976.6 | 11,900.6 | 9614.3 | 5 |
sntrup761 | 158.1 | 6067.0 | 3210.3 | 5 |
Keypair/s | Sign/s | Verify/s | ||
Falcon-512 | 23.6 | 615.3 | 7866.3 | 4b |
ML-DSA-44 | 2642.7 | 286.1 | 3213.9 | 4b |
Falcon-512 | 95.4 | 3360.6 | 19,831.3 | 5 |
ML-DSA-44 | 8986.3 | 1885.0 | 8139.0 | 5 |
Duckduckgo | Local Webserver | Onion Service | Request Type | |
---|---|---|---|---|
Mean | 262.9 | 136.7 | 174.6 | GET |
Median | 260.8 | 142.4 | 166.0 | GET |
Mean | _ | 141.8 | 172.6 | POST |
Median | _ | 148.0 | 171.5 | POST |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Berger, D.; Lemoudden, M.; Buchanan, W.J. Post-Quantum Migration of the Tor Application. J. Cybersecur. Priv. 2025, 5, 13. https://doi.org/10.3390/jcp5020013
Berger D, Lemoudden M, Buchanan WJ. Post-Quantum Migration of the Tor Application. Journal of Cybersecurity and Privacy. 2025; 5(2):13. https://doi.org/10.3390/jcp5020013
Chicago/Turabian StyleBerger, Denis, Mouad Lemoudden, and William J. Buchanan. 2025. "Post-Quantum Migration of the Tor Application" Journal of Cybersecurity and Privacy 5, no. 2: 13. https://doi.org/10.3390/jcp5020013
APA StyleBerger, D., Lemoudden, M., & Buchanan, W. J. (2025). Post-Quantum Migration of the Tor Application. Journal of Cybersecurity and Privacy, 5(2), 13. https://doi.org/10.3390/jcp5020013