Results 1 - 10 of 40
Anonymous connections and onion routing - IEEE Journal on Selected Areas in Communications, 1998
Cited by 220 (12 self)
Onion Routing is an infrastructure for private communication over a public network. It provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Onion routing's anonymous connections are bidirectional and near realtime, and can be used anywhere a socket connection can be used. Any identifying information must be in the data stream carried over an anonymous connection. An onion is a data structure that is treated as the destination address by onion routers; thus, it is used to establish an anonymous connection. Onions themselves appear differently to each onion router as well as to network observers. The same goes for data carried over the connections they establish. Proxy aware applications, such as web browsing and e-mail, require no modification to use onion routing, and do so through a series of proxies. A prototype onion routing network is running between our lab and other sites. This paper describes anonymous connections and their implementation using onion routing. This paper also describes several application proxies for onion routing, as well as configurations of onion routing networks.
The NRL Protocol Analyzer: An Overview, 1996
Cited by 216 (20 self)
In this paper we give an overview of how the Analyzer works and describe its achievements so far. We also show how our use of the Prolog language benefited us in the design and implementation of the Analyzer.
Anonymous connections and onion routing - In IEEE Symposium on Security and Privacy, 1997
Cited by 206 (5 self)
Onion Routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of proxies. The proxies may also make communication anonymous by removing identifying information from the data stream. Onion routing has been implemented on Sun Solaris 2.X with proxies for Web browsing, remote logins, and e-mail. This paper's contribution is a detailed specification of the implemented onion routing system, a vulnerability analysis based on this specification, and performance results.
Analysis of key-exchange protocols and their use for building secure channels, 2001
Cited by 204 (12 self)
We present a formalism for the analysis of key-exchange protocols that combines previous definitional approaches and results in a definition of security that enjoys some important analytical benefits: (i) any key-exchange protocol that satisfies the security definition can be composed with symmetric encryption and authentication functions to provide provably secure communication channels (as defined here); and (ii) the definition allows for simple modular proofs of security: one can design and prove security of key-exchange protocols in an idealized model where the communication links are perfectly authenticated, and then translate them using general tools to obtain security in the realistic setting of adversary-controlled links. We exemplify the usability of our results by applying them to obtain the proof of two classes of key-exchange protocols, Diffie-Hellman and key-transport, authenticated via symmetric or asymmetric techniques.
Key Agreement Protocols and their Security Analysis, 1997
Cited by 107 (6 self)
This paper proposes new protocols for two goals: authenticated key agreement and authenticated key agreement with key confirmation in the asymmetric (public-key) setting. A formal
Universally Composable Notions of Key Exchange and Secure Channels, 2002
Cited by 82 (5 self)
Recently, Canetti and Krawczyk (Eurocrypt’2001) formulated a notion of security for key-exchange (ke) protocols, called SK-security, and showed that this notion suffices for constructing secure channels. However, their model and proofs do not suffice for proving more general composability properties of SK-secure ke protocols. We show that while the notion of SK-security is strictly weaker than a fully-idealized notion of key exchange security, it is sufficiently robust for providing secure composition with arbitrary protocols. In particular, SK-security guarantees the security of the key for any application that desires to set-up secret keys between pairs of parties. We also provide new definitions of secure-channels protocols with similarly strong composability properties, and show that SK-security suffices for obtaining these definitions. To obtain these results we use the recently proposed framework of “universally composable (UC) security.” We also use a new tool, called “non-information oracles,” which will probably find applications beyond the present case. These tools allow us to bridge between seemingly limited indistinguishability-based definitions such as SK-security and more powerful, simulation-based definitions, such as UC security, where general composition theorems can be proven. Furthermore, based on such composition theorems we reduce the analysis of a full-fledged multi-session key-exchange protocol to the (simpler) analysis of individual, stand-alone, key-exchange sessions.
Scalable Protocols for Authenticated Group Key Exchange, 2003
Cited by 79 (2 self)
We consider the fundamental problem of authenticated group key exchange among n parties within a larger and insecure public network. A number of solutions to this problem have been proposed; however, all provably-secure solutions thus far are not scalable and, in particular, require O(n) rounds. Our main contribution is the first scalable protocol for this problem along with a rigorous proof of security in the standard model under the DDH assumption; our protocol uses a constant number of rounds and requires only O(1) "full" modular exponentiations per user. Toward this goal and of independent interest, we first present a scalable compiler that transforms any group key-exchange protocol secure against a passive eavesdropper to an authenticated protocol which is secure against an active adversary who controls all communication in the network. This compiler adds only one round and O(1) communication (per user) to the original scheme. We then prove secure --- against a passive adversary --- a variant of the two-round group key-exchange protocol of Burmester and Desmedt.
Environmental Key Generation towards Clueless Agents
Cited by 62 (1 self)
In this paper, we introduce a collection of cryptographic key constructions built from environmental data that are resistant to adversarial analysis and deceit. We expound upon their properties and discuss some possible applications; the primary envisioned use of these constructions is in the creation of mobile agents whose analysis does not reveal their exact purpose.
Proactive security: Long-term protection against break-ins - CryptoBytes, 1997
Cited by 53 (8 self)
Dalit Naor. Proactive security provides a method for maintaining the overall security of a system, even when individual components are repeatedly broken into and controlled by an attacker. In particular it provides for automated recovery of the security of individual components, avoiding the use of expensive and inconvenient manual processes (unless perhaps when an ongoing attack is detected). The technique calls for the distribution of trust among several components (servers), together with periodic refreshments of the sensitive data held by the servers. This way, the proactive approach guarantees uninterrupted security as long as not too many servers are broken into at the same time. We describe the proactive approach and review some algorithms, implementations, and applications. We elaborate on two of the most important results: proactive signatures and proactive secure communication. Proactive signatures provide a solution for long-lived secret keys, such as the key of a certification authority. Proactive secure communication ensures secrecy and authenticity of communication, with automated refresh of the secret keys.
Simple Forward-Secure Signatures From Any Signature Scheme - in Proc. 7th ACM Conference on Computer and Communication Security (CCS), 2000
Cited by 47 (0 self)
In Crypto'99, Bellare and Miner introduced forward-secure signatures as digital signature

