Chapter 1 WHAT PRICE PRIVACY? (and why identity theft is about neither identity nor theft) (2009)
It is commonplace to note that in surveys people claim to place a high value on privacy while they paradoxically throw away their privacy in exchange for a free hamburger or a two dollar discount on...
Bridging and Fingerprinting: Epistemic Attacks on Route Selection (2009)
Abstract. Users building routes through an anonymization network must discover the nodes comprising the network. Yet, it is potentially costly, or even infeasible, for everyone to know the entire...
Panel: What Is an Attack on a Cryptographic Protocol? (2008)
Attacks on cryptographic protocols are often subtle and hard to find. This is certainly true in the context of protocol design. It is also true in the context of protocol analysis: researchers...
Joan Feigenbaum, Aaron Johnson, Paul Syverson
We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication that abstracts the essential properties of onion routing in the...
Geoffrey Goodell, Paul Syverson
Examining the use of network location in authentication and abuse prevention. The use of network location to draw conclusions about users has become quite commonplace on today’s Internet. Numerous...
Improving efficiency and simplicity of Tor circuit establishment and hidden services (2008)
Abstract. In this paper we demonstrate how to reduce the overhead and delay of circuit establishment in the Tor anonymizing network by using predistributed Diffie-Hellman values. We eliminate the use...
Blending different latency traffic with alpha-mixing (2008)
Roger Dingledine, Andrei Serjantov, Paul Syverson
Joan Feigenbaum, Aaron Johnson, Paul Syverson
We perform a probabilistic analysis of onion routing. The analysis is presented in a black-box model of anonymous communication that abstracts the essential properties of onion routing in the...
Paul Syverson, Gene Tsudik, Michael Reed
This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It also includes an overview of...
Markus Jakobsson, Ari Juels, Paul Syverson
Abstract. We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits re-encryption, such as ElGamal, does so only for a player with...
Andrei Serjantov, Roger Dingledine, Paul Syverson
Abstract. The literature contains a variety of different mixes, some of which have been used in deployed anonymity systems. We explore their anonymity and message delay properties, and show how to...
Paul Syverson, Iliano Cervesato
The rationale of authentication has been a topic of study for about a decade and a half. First attempts at formal analysis of authentication protocols were not using logics per se, but were certainly...
To the memory of my father, (2007)
Andrew S. Grimshaw, Jorg Liebeherr, Paul Syverson, Dean Richard, W. Miksad, ...
Secure communication is largely dependent on effective application of cryptography. While cryptographic methods have been investigated to ensure confidence in the security of the encryption...
Distance Bounding Protocols: Authentication Logic Analysis and Collusion Attacks (2007)
Meadows, Catherine, Poovendran, Radha, Pavlovic, Dusko, Chang, LiWu, Syverson, Paul
Distance estimation, that is the estimate of the distance between two nodes, plays a fundamental part in the setting up and maintenance of sensor networks. For example, a node trying to localize...
Distance bounding protocols: Authentication logic analysis and collusion attacks (2007)
Catherine Meadows, Radha Poovendran, Dusko Pavlovic, Liwu Chang, Paul Syverson
Summary. In this paper we consider the problem of securely measuring distance between two nodes in a wireless sensor network. The problem of measuring distance has fundamental applications in both...
A model of onion routing with provable anonymity (2007)
Joan Feigenbaum, Aaron Johnson, Paul Syverson
Abstract. Onion routing is a scheme for anonymous communication that is designed for practical use. Until now, however, it has had no formal model and therefore no rigorous analysis of its anonymity...
Valet services: Improving hidden servers with a personal touch (2006)
Abstract. Location hidden services have received increasing attention as a means to resist censorship and protect the identity of service operators. Research and vulnerability analysis to date has...
High-power proxies for enhancing RFID privacy and utility (2005)
Ari Juels, Paul Syverson, Dan Bailey
Abstract. A basic radio-frequency identification (RFID) tag is a small and inexpensive microchip that emits a static identifier in response to a query from a nearby reader. Basic tags of the...
Challenges in deploying low-latency anonymity (2005)
Roger Dingledine, Nick Mathewson, Paul Syverson
Abstract. There are many unexpected or unexpectedly difficult obstacles to deploying anonymous communications. Drawing on our experiences deploying Tor (the second-generation onion routing network),...
Universal re-encryption for mixnets (2004)
Markus Jakobsson, Ari Juels, Paul Syverson
Abstract. We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits reencryption, such as ElGamal, does so only for a player with...
Synchronous batching: From cascades to free routes (2004)
Roger Dingledine, Vitaly Shmatikov, Paul Syverson
Abstract. The variety of possible anonymity network topologies has spurred much debate in recent years. In a synchronous batching design, each batch of messages enters the mix network together, and...
Tor: The Second-Generation Onion Router (2004)
Roger Dingledine, Nick Mathewson, Paul Syverson
We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design by adding perfect forward...
Synchronous batching: From cascades to free routes (2004)
Roger Dingledine, Vitaly Shmatikov, Paul Syverson
Abstract. The variety of possible anonymity network topologies has spurred much debate in recent years. In a synchronous batching design, each batch of messages enters the mix network together, and...
Tor: The Second-Generation Onion Router (2004)
Roger Dingledine, Nick Mathewson, Paul Syverson
We present Tor, a circuit-based low-latency anonymous communication service. This second-generation Onion Routing system addresses limitations in the original design. Tor adds perfect forward...
On the Economics of Anonymity (2003)
Alessandro Acquisti, Roger Dingledine, Paul Syverson
Abstract. Decentralized anonymity infrastructures are still not in wide use today. While there are technical barriers to a secure robust design, our lack of understanding of the incentives to...
Catherine Meadows, Paul Syverson, Iliano Cervesato
Although research has been going on in the formal analysis of cryptographic protocols for a number of years, they are only slowly being integrated into the protocol design process. In this paper we...
Metrics for traffic analysis prevention (2003)
Richard E. Newman, Ira S. Moskowitz, Paul Syverson, Andrei Serjantov
Abstract. This paper considers systems for Traffic Analysis Prevention (TAP) in a theoretical model. It considers TAP based on padding and rerouting of messages and describes the effects each has on...
The Paradoxical Value of Privacy (2003)
Paul Syverson
We consider some common assumptions about the value placed on privacy in society. We observe that: 1. Contrary to popular accounts, individuals are not obviously irrational in how they value privacy.
On the Economics of Anonymity (2003)
Alessandro Acquisti, Roger Dingledine, Paul Syverson
Decentralized anonymity infrastructures are still not in wide use today. While there are technical barriers to a secure robust design, our lack of understanding of the incentives to participate in...
Metrics for Traffic Analysis Prevention (2003)
Richard E. Newman, Ira S. Moskowitz, Paul Syverson, Andrei Serjantov
This paper considers systems for Traffic Analysis Prevention (TAP) in a theoretical model. It considers TAP based on padding and rerouting of messages and describes the effects each has on the...
Formal Specification and Analysis of the Group Domain Of Interpretation (2003)
Catherine Meadows, Paul Syverson, Iliano Cervesato
Although research has been going on in the formal analysis of cryptographic protocols for a number of years, they are only slowly being integrated into the protocol design process. In this paper we describe how we furthered the integration of analysis and design by working...
Catherine Meadows, Paul Syverson, Iliano Cervesato
Although research has been going on in the formal analysis of cryptographic protocols for a number of years, they are only slowly being integrated into the protocol design process. In this paper we...
The paradoxical value of privacy (2003)
We consider some common assumptions about the value placed on privacy in society. We observe that: 1. Contrary to popular accounts, individuals are not obviously irrational in how they value privacy....
From a trickle to a flood: Active attacks on several mix types (2002)
Andrei Serjantov, Roger Dingledine, Paul Syverson
Abstract. The literature contains a variety of different mixes, some of which have been used in deployed anonymity systems. We explore their anonymity and message delay properties, and show how to...
Environmental requirements for authentication protocols (2002)
Ran Canetti, Catherine Meadows, Paul Syverson
Abstract. Most work on requirements in the area of authentication protocols has concentrated on identifying requirements for the protocol without much consideration of context. Little work has...
Open issues in the economics of anonymity (2002)
Roger Dingledine, Paul Syverson
Recent work tying together security and economics has indicated that the hard problems are not the technical issues, such as designing stronger cryptography and making policies easier to understand...
Reliable MIX cascade networks through reputation (2002)
Roger Dingledine, Paul Syverson
Abstract. We describe a MIX cascade protocol and a reputation system that together increase the reliability of a network of MIX cascades. In our protocol, MIX nodes periodically generate a communally...
From a trickle to a flood: Active attacks on several mix types (2002)
Andrei Serjantov, Roger Dingledine, Paul Syverson
Abstract. The literature contains a variety of different mixes, some of which have been used in deployed anonymity systems. We explore their anonymity and message delay properties, and show how to...
Universal Re-encryption for Mixnets (2002)
Philippe Golle, Markus Jakobsson, Ari Juels, Paul Syverson
We introduce a new cryptographic technique that we call universal re-encryption. A conventional cryptosystem that permits reencryption, such as ElGamal, does so only for a player with knowledge of...
Reliable MIX cascade networks through reputation (2002)
Roger Dingledine, Paul Syverson
Abstract. We describe a MIX cascade protocol and a reputation system that together increase the reliability of a network of MIX cascades. In our protocol, MIX nodes periodically generate a communally...
From a trickle to a flood: Active attacks on several mix types (2002)
Andrei Serjantov, Roger Dingledine, Paul Syverson
Abstract. The literature contains a variety of different mixes, some of which have been used in deployed anonymity systems. We explore their anonymity and message delay properties, and show how to...
From a Trickle to a Flood: Active Attacks on Several Mix Types (2002)
Andrei Serjantov, Roger Dingledine, Paul Syverson
The literature contains a variety of different mixes, some of which have been used in deployed anonymity systems. We explore their anonymity and message delay properties, and show how to mount active...
The logic of authentication protocols (2001)
Paul Syverson, Iliano Cervesato
The rationale of authentication has been a topic of study for about a decade and a half. First attempts at formal analysis of authentication protocols were not using logics per se, but were certainly...
Formalizing GDOI group key management requirements in NPATRL (2001)
Catherine Meadows, Paul Syverson, Iliano Cervesato
Although there is a substantial amount of work on formal requirements for two and three-party key distribution protocols, very little has been done on requirements for group protocols. However, since...
Formalizing GDOI group key management requirements in NPATRL (2001)
Catherine Meadows, Paul Syverson
Although there is a substantial amount of work on formal requirements for two and three-party key distribution protocols, very little has been done on requirements for group protocols. However, since...
Environmental requirements and authentication protocols (2001)
Ran Canetti, Catherine Meadows, Paul Syverson
Abstract. Most work on requirements in the area of authentication protocols has concentrated on identifying requirements for the protocol without much consideration of context. Little work has...
Towards an Analysis of Onion Routing Security (2000)
Paul Syverson, Gene Tsudik, Michael Reed, Carl Landwehr
This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It also includes an overview of...
Dolev-Yao is no better than Machiavelli (2000)
Paul Syverson, Catherine Meadows, Iliano Cervesato
We show that all attacks that can be mounted by a traditional Dolev-Yao intruder against common cryptographic protocols can be enacted by an apparently weaker `Machiavellian' adversary in which...
Towards an Analysis of Onion Routing Security (2000)
Paul Syverson, Gene Tsudik, Michael Reed, Carl Landwehr
This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It also includes an overview of...
Towards an Analysis of Onion Routing Security (2000)
Michael Reed, Carl Landwehr
This paper presents a security analysis of Onion Routing, an application independent infrastructure for traffic-analysis-resistant and anonymous Internet connections. It...
David Goldschlag, Michael Reed, Paul Syverson
Preserving privacy means not only hiding the content of messages, but also hiding who is talking to whom (traffic analysis). Much like a physical envelope, the simple application of cryptography...
Towards a strand semantics for authentication logic (1999)
The logic BAN was developed in the late eighties to reason about authenticated key establishment protocols. It uncovered many flaws and properties of protocols, thus generating lots of attention in...
Onion Routing for Anonymous and Private Internet Connections (1999)
David Goldschlag, Michael Reed, Paul Syverson
this article's publication, the prototype network is processing more than 1 million Web connections per month from more than six thousand IP addresses in twenty countries and in all six main top...
Towards a strand semantics for authentication logic (1999)
The logic BAN was developed in the late eighties to reason about authenticated key establishment protocols. It uncovered many flaws and properties of protocols, thus generating lots of attention in...
Resisting Traffic Analysis on Unclassified Networks (1998)
Dingledine, Roger, Mathewson, Nick, Meadows, Catherine, Syverson, Paul
While the need for data and message confidentiality is well known, the need to protect against traffic analysis on networks, including unclassified networks, is less widely recognized. Tor is a...
A Formal Specification of Requirements for Payment Transactions in the SET Protocol (1998)
Catherine Meadows, Paul Syverson
Payment transactions in the SET (Secure Electronic Transaction) protocol are described. Requirements for SET are discussed and formally represented in a version of NPATRL (the NRL Protocol Analyzer...
Weakly Secret Bit Commitment: Applications to Lotteries and Fair Exchange (1998)
This paper presents applications for the weak protection of secrets in which weakness is not just acceptable but desirable. For one application, two versions of a lottery scheme are presented in...
Fail-Stop Protocols: An Approach to Designing Secure Protocols (1998)
We present a methodology to facilitate the design and analysis of secure cryptographic protocols. We advocate the general approach, and a new avenue for research, of restricting protocol designs to...
Weakly secret bit commitment: Applications to lotteries and fair exchange (1998)
This paper presents applications for the weak protection of secrets in which weakness is not just acceptable but desirable. For one application, two versions of a lottery scheme are presented in...
Anonymous Connections and Onion Routing (1997)
Paul Syverson, David M. Goldschlag, Michael G. Reed
Onion Routing provides anonymous connections that are strongly resistant to both eavesdropping and traffic analysis. Unmodified Internet applications can use these anonymous connections by means of...
Limitations on Design Principles for Public Key Protocols (1996)
Recent papers have taken a new look at cryptographic protocols from the perspective of proposing design principles. For years the main approach to cryptographic protocols has been logical, and a...
Formal Requirements for Key Distribution Protocols (1995)
Paul Syverson, Catherine Meadows
We discuss generic formal requirements for reasoning about two party key distribution protocols, using a language developed for specifying security requirements for security protocols. Typically...
A Formal Language for Cryptographic Protocol Requirements (1995)
Paul Syverson, Catherine Meadows
In this paper we present a formal language for specifying and reasoning about cryptographic protocol requirements. We give sets of requirements for key distribution protocols and for key agreement...
Fail-Stop Protocols: An Approach to Designing Secure Protocols (1995)
We present a methodology to facilitate the design and analysis of secure cryptographic protocols. We advocate the general approach, and a new avenue for research, of restricting protocol designs to...
Fail-stop protocols: An approach to designing secure protocols (1995)
We present a methodology to facilitate the design and analysis of secure cryptographic protocols. We advocate the general approach, and a new avenue for research, of restricting protocol designs to...
A Taxonomy of Replay Attacks (1994)
This paper presents a taxonomy of replay attacks on cryptographic protocols in terms of message origin and destination. The taxonomy is independent of any method used to analyze or prevent such...
Formal requirements for key distribution protocols (1994)
Paul Syverson, Catherine Meadows
Abstract. We discuss generic formal requirements for reasoning about two party key distribution protocols, using a language developed for specifying security requirements for security protocols....
A Logical Language for Specifying Cryptographic Protocol Requirements (1993)
Paul Syverson, Catherine Meadows
In this paper we present a formal language for specifying and reasoning about cryptographic protocol requirements. We give examples of simple sets of requirements in that language. We look at two...
On Key Distribution Protocols for Repeated Authentication (1993)
In [KSL92], Kehne et al. present a protocol (KSL) for key distribution. Their protocol allows for repeated authentication by means of a ticket. They also give a proof in BAN logic [BAN89] that the...