Optical Onion Routing
Abstract
As more and more data is transmitted in the configurable optical layer, – whereby all optical switches forward packets without electronic layers involved, we envision privacy as the intrinsic property of future optical networks. In this paper, we propose Optical Onion Routing (OOR) routing and forwarding techniques, inspired by the onion routing in the Internet layer,  the best known realization of anonymous communication today, – but designed with specific features innate to optical networks. We propose to design the optical anonymization network system with a new optical anonymization node architecture, including the optical components and their electronic counterparts to realize layered encryption. We propose modification to the secret key generation using Linear Feedback Shift Register (LFSR), – able to utilize different primitive irreducible polynomials, and the usage optical XOR operation as encryption, an important optical technology coming of age. We prove formally that, for the proposed encryption techniques and distribution of secret information, the optical onion network is perfectly private and secure. The paper aims at providing practical foundations for privacyenhancing optical network technologies.
I Introduction
Communication privacy is important. In IP networks, based on the source and destination IP addresses, an adversary can track interactions and interaction patterns, revealing personal data about the users. Therefore, practical mechanisms have been developed to enhance user privacy via unlinkability and unobservability, in the socalled anonymity networks, or mix nets. One of the most popular anonymity networks today is The Onion Routing (Tor), built as an overlay network among volunteer systems on the Internet. Tor provides anonymous communication between source and destination as well as data integrity. Onion routing is a lowlatency application of mix nets, where each message is encrypted to each proxy using public key cryptography, with the resulting layered encryption. Each relay has a public and a private key. The public keys are known by all users and are used to establish communication path. Anonymous communication is possible through traffic tunneling over a chain of randomly selected Tor relays. After the tunnel between a pair of Tor routers is setup, symmetric key cryptography is used to transfer the data. These encryption layers ensure sender unlinkability, whereby the eavesdropper is unable to guess complete path from observed links [1, 2].
As more and more data is transmitted in the configurable photonic layer, whereby all optical switches and routers forward packets without electronic layers involved, we envision privacy as the intrinsic property of optical networks also. Just like optical and quantum cryptography has advanced the field of traditional cryptography [3, 4], optical network systems designed with secrecy and anonymity features should also be able to provide essential building blocks for privacy in future networks, built to serve free societies. However, in contrast to Tor networks, where privacy and anonymity directly depend on number and dependability of volunteer systems, the privacy features in optical network need to be approached differently: for instance, it is a telecom operator that should be able offer a private optical communication service as a value added feature. For instance, for some client networks an optical network can grant anonymous access to thirdparty servers in the cloud, whereby the traffic contents and the origin of requests can remain secret for both the attacker as well as the cloud provider. In designing an anonymous optical network akin to Tor, however, several obstacles need to be overcome, since the main features need to be primarily implemented in photonics, i.e., without intervention of electronics, such as encryption, traffic routing, and session key distribution. Also, just as Tor requires compute intensive processing of encryption layers in forwarding routers, high speed processing of optical data would also be required, or consideration of large optical buffers, which is a challenge, and requires practical foundations for privacyenhancing optical network technologies.
In this paper, we propose to treat the wellknown privacy constructs of Tor in the optical layers, which we refer to as the Optical Onion Routing (OOR). To this end, we address two practical issues: the design of alloptical anonymization nodes, and the secrecy and privacy degree achieved. To design an optical anonymizaiton node, we propose to generate a session key with Linear Feedback Shift Register (LFSR), – a component more commonly used for random number generation, able to utilize different primitive irreducible polynomials of random degree. In addition, we propose to use an optical XOR operation as encryption, an important alloptical technology coming of age. These two components allow to encrypt data in the optical layer at the line speed, thus eliminating the need for large buffers in the node. To enable optical routing and forwarding, we integrate the anonymization functions in the traditional optical cross connect architecture, with the goal of processing optical data alloptically as much as possible with the current technologies. Finally, we prove formally that for the encryption technique and distribution of secret information proposed, the system can be perfectly private and secrecypreserving, whereby entropy of the secret data is equal to or less than equivocation observed by the fiber eavesdropper.
The rest of the paper is organized as follows. Section II provides principles of the optical anonymity routing proposed. Section III presents the analysis. Section IV shows analytical and simulation results. Section V concludes the paper.
Ii System Model
Iia Anonymous forwarding
Onion routing in the Internet is based on a connectionoriented communication channel, a circuit. This is where we start drawing the analogy. We envision optical WDM network as the underlaying infrastructure to setup that circuit, and assume a network of optical nodes and fiber links, where switching, routing and forwarding is all done in the photonic domain. Just like in the Tor, the nodes can act as either regular optical nodes,  with alloptical switching and forwarding functions, or the anonymization nodes. Anonymization nodes are the optical nodes with enhanced functions responsible for processing and forwarding optical signals, such that no correlation can be established between the source and destination by tapping into any link along the way. As the optical network architecture usually encompass both the data plane, and from the data plane a separated control plane, we assume that the control plane is able to provide information about network topology, available network resources and is able to direct optical data and control the related processing such as encryption. Similar to Tor, only a subset of anonymization nodes in the network is enough to assure secrecy and anonymity. Control plane randomly selects anonymization nodes in the network and available wavelengths and, then, sends control message to establish optical circuit between source and destination on the select wavelengths. Here, control plane does not distribute the actual session keys, but only the routing information for optical circuit setup as well as randomly selected parameters for session key generation. To keep these sensitive control information private and confidential, the control plane encrypts it in layers by applying the public key cryptography, just like in Tor. Fig. 1 illustrates the idea of OOR network architecture.
The source is an initiator of private communication, whereby, based on control plane information, anonymization nodes and the corresponding available wavelengths are randomly selected, and made known to the source. After that, the control plane sends, on a select wavelength or separate control channel, the control messages to establish optical circuit between source and destination , as well as to distribute policies of session key generation to all nodes in that circuit. This is similar to Tor network, where the tunnel is established over randomly selected IP routers. In our example, the path between source and destination consists of two concatenated circuits, one between nodes and and the other one between the nodes and , whereby each circuit contains one forwarding node; the forwarding node is a traditional optical switching and forwarding function, without anonymization. The circuit, i.e., endtoend wavelength path, is established over arbitrary available links and forwarding nodes on the available wavelengths. Thus, the path available between and is randomly selected for setup, so that neither the destination nor anonymization nodes know the paths selected (which is the essence of Tor). The control message is encrypted with public keys of nodes and , as in Tor. In contrast to Tor, where data from exit node, i.e., the last anonymization node, to destination is sent without encryption, all nodes involved in anonymous communication in OOR, i.e, , and , perform anonymization of optical data via encryption.
The idea behind onion routing, and its Tor implementation, is to hide the communicating nodes from the eavesdropper of the individual links, as well as the identity of the source from the destination. This is how we envision to do it in the optical layer. After the optical path (tunnel) is established (via two circuits) the secret data is ready for transmission towards the anonymization node . The secret data is encrypted at the source with a session keys and of and , respectively. These session keys are generated with the previously mentioned Linear Feedback Shift Register (LFSR), which is its new application as it is a component more commonly used for random number generation. Here, LSFR generates the key based on randomly selected generator polynomials and seeds configured by the control plane. Thus, the source sends an optical stream to node . Lambda reader in node detects the input port and wavelength allocated, and based on that allocated wavelength the Key Generation Unit allocates a suitable session key which is then sent to optical Decryption Unit. Finally, the payload is decrypted with a key as . Next, the optical data stream sent by over subtunnel reaches node . After detecting of input signal on certain wavelength, at , the session key is applied to optical payload as . Due to data encryption in anonymization nodes, each outgoing optical stream differs from incoming optical stream. When an attacker has access to links of certain switch, it must deanonymize all outgoing data to identify a certain optical stream of interest and to guess its next hop.
IiB Discussion on implementation
IiB1 Public Key Cryptography
To distribute confidential control plane information during optical circuit (tunnel) setup process, the public key cryptography can be applied, similar to Tor. The public key cryptosystems require two keys, i.e., public and private . The public keys of all nodes in the network are known. Due to the fact, that the key information must be stored, the public key cryptosystem is implemented in the electronic control plane layer, similar to what is proposed in [5]. In our architecture, we do not define a specific public key cryptosystem and generally allow all existing public key designs, which can be based on discrete logarithm problem such as DiffieHellman, factorization problem such as RivestShamirAdelmann (RSA) or on square root problem, such as Rabin systems.
IiB2 Exclusive or (XOR) operation
The XOR operation utilized in cryptographic systems is usually implemented in software. We propose to implement encryption and decryption with session keys in the optical layer, i.e., data anonymization, with an alloptical XOR gate component [6, 7]. The XOR operation transforms the incoming data into new outgoing data and, thus, unlinks the communication between source and destination, whereby each incoming message is mixed, i.e., XOR concatenated, with a session key. Here, ultrafast nonlinear interferometers based on semiconductor optical amplifiers (SOAs) can be used to combine two optical streams, whereby transverse electric (TE) and transverse magnetic (TM) components of a probe pulse can be split and recombine by setting the relative optical delays between them. When the phases experienced by the TE and TM components in the SOA are the same, the resulting signal is ’1’, or ’0’ otherwise.
IiB3 Linear Feedback Shift Register
In each anonymization node, optical data is ananymized by encryption, before it is forwarded to output port. We propose to generate the session key for ananymization by LFSR, a component commonly used as random number generator. The session key generation with LFSR is discussed in [8, 9]. Since LFSR of length bits can generally be easily deducted by observing consecutive generated bits, we propose to utilize different generator polynomials of different degrees and randomly selected seeds. This can help us to increase the amount and randomness of possible session keys, with the goal to provide a onetime pad, which is random, and at least as long as the plaintext, and not reused and completely secret [10]. Generally, LFSR can be implemented in hardware or software. In our system, this function is implemented in the optical layer, which necessitates an electricaltooptical conversion before encryption (XOR). The session key can be precalculated during circuit setup process, or generated at line rate. The first variant is suitable for LFSR implementations as we propose, based on [11], whereby it must be assumed that additional electronic buffer is required to store the precalculated keys. In contrast, the second solution must be implemented at line speed, what is a challenge for current optical systems, due to high speed, though it would eliminate the need for buffer.
IiC OOR node architecture
A possible node architecture is illustrated in Fig. 2. As it can be seen, the typical WDM node architecture is enhanced to provide functions of anonymization. In that sense, the node can act as a simple forwarding (alloptical switching node), anonymization node, or OOR node for sending (source) or termination (destination). We next describe each of these functionalities and concepts in more detail.
IiC1 Source
The basic function of the source node is to modulate the electronic signals onto optical carriers, along with the flow encryption, the wavelength assignment and/or any other flow adaptation for further transmission over an OTN/WDM network. Here, the optical data generated () is encrypted with the dedicated keys from LFSR and by applying optical XOR. The source collects all anonymization keys of the anonymization nodes that are to be used on the wavelength path assigned, e.g., and these keys are to be utilized by each anonymization node traversed, e.g., by the node and by destination ; this is a way to anonymize the incoming optical data for the next hop or to decrypt it. The generation of the key is important and it is created in LFSR with polynomial from vector and seed from , both randomly selected in the control plane and distributed to each node during the circuit setup. The incoming optical signal is then encrypted with optical XOR by all elements from as , where . The encrypted optical data is finally sent to the predefined optical circuit (on Fiber 4).
IiC2 Anonymization
Each anonymization node performs data anonymization/decryption before forwarding. Here, the incoming optical flows from optical circuit on wavelength (Fiber 1) is detected, and the information about this wavelength is sent to Lambda Reader and Key Generation Unit for matching. As a result, the corresponding anonymization key is forwarded to optical XOR gate. The session key was also here generated by LFSR by utilizing generator polynomial and corresponding seed , just like in the source node. The session key is simply converted to optical signal, before it is XORconcatenated with data, as follows . For simplicity, if the data is to be further sent towards the next hop, we assume that the same wavelength is utilized, respecting the wavelength continuity constraint. Otherwise, the signal can also be retransmitted (converted) to another wavelength, which would make it more complex.
IiC3 Destination
When data reached its destination , it is processed just like if destination were an ananymization node. The received optical payload is decrypted with key into , converted into the electronic signal at the destination.
Iii Modeling and analysis
Iiia Routing and Treat Model in OOR
IiiA1 Routing model
We assume that optical circuits in form of wavelengthcontinuous optical paths are setup in the random fashion over a randomly selected wavelength, whereby a network provides at most optical paths between source and destination over all wavelengths and fibers, which for the sake of modeling we collect in set . Generally, only out of , , paths are available, while at least one wavelength paths among them is randomly selected for transmission. All existing optical paths are arranged in the sorted vector with related probabilities, that an individual path is available. We denote a fiber link as and a wavelength link on connecting two nodes, and , as a wavelength link as , respectively. The capacity of a fiber link is measured in number of wavelengths. Thus, each edge provides parallel wavelength links between nodes and . Each path between and consists of links , , and of intermediate nodes , , while out of nodes are randomly selected as anonymization nodes , .
Let us now assume that there is a collection , which contains path sets , , while can be a collection of all existing paths, i.e., , or of available paths, i.e., or , and can be a number of available paths or the number of required for transmission paths, i.e., or . In contrast, set from collection is the set of remaining elements, which are not in the combination . Thus, the probability , that paths are in set and not in set , is defined as
(1) 
, where and are probabilities of path , , collected in and and indexes and are the sequence numbers of paths in and , respectively.
As a result, the network provides wavelength paths out of paths with probability defined as
(2) 
, where the set from the collection contains one path combination out of combinations of , , available paths with related probabilities from vector .
In case of (no path is available), the transmission request will be blocked with probability , i.e.,
(3) 
Since we assume that all paths have the same probability to be selected for transmission, the probability, that any path collected in is available and utilized, is
(4) 
IiiA2 Threat model
The treat model assumes that an attacker can eavesdrop select links in the network, and guess the source and destination nodes, as well as the data transmitted. To model this, let us define a set , containing all possible wiretap edges, while at most edges can be attacked simultaneously. Since optical receivers are broadband, we assume that an attacker is always able to access all wavelengths on a fiber link .
Let us assume the worst type of attack in the network, where any link in the network can be eavesdropped with a probability . In other words, the set of fiber links attacked and its size are variable, while each link can belong to set with probability . Here, each wavelength path can be wiretapped with probability defined by Eq. (5) as a probability that at least one wiretap link utilized by path .
(5) 
, where has the same value for all links in the network. As a result, the probability, that a wiretap path is utilized for transmission, is defined by using of Eqs. (4) and (5) as
(6) 
IiiB Analysis of data anonymization
The secret data of length bits is sent over OOR network passing through , anonymization nodes, whereby is the maximal number of anonymization nodes can be utilized along optical tunnel. When an attacker gains access to encrypted optical data with probability as discussed previously, it has to decrypt along all its anonymization keys to reveal the secret data .
Lemma 1.
The OOR system is perfectly secure, whereby an attacker is not able to recover the secret data sent over randomly selected wavelength path.
Proof.
A secret data of length bits is generally an arbitrary bit sequence out of all possible, while the entropy of the plain text is . is encrypted by all secret keys of all anonymization node and of the destination. Thus, there are possible combinations of and secret keys, while each combination always contains different elements out of , whereby only can contain zero element. Thus, the entropy of encrypted data is defined as follow

(7) 
An attacker does not have any knowledge about the number of selected anonymization nodes or the number of already passed anonymization nodes on the wavelength path and, thus, has to check all possible variants of the same, where can be encrypted by one to secret keys. Thus, the equivocation observed by an attacker is

(8) 
However, , thus any can be transmitted perfectly secret. ∎
To provide data privacy and anonymity, the proposed OOR utilizes different functional components such as public key cryptography, encoding by XOR and key generation with LFSR on control and data plane. Next, we analyze informationtheoretically the resulting privacy and anonymity degree as a function of components utilized.
IiiB1 Public Key Cryptography
The public key cryptosystems require two keys, i.e., public and private . The message sent to node is encrypted by public key of as . The destination can decrypt received message by applying the private key as . For high level of data secrecy, we restrict the policies for selecting of key and plain text sizes as , where and are entropies of secret message of length bits and public key of length bits, respectively, i.e., . That ensures that an eavesdropper is not able to break the utilized cryptosystem by obtaining the encrypted data .
IiiB2 XOR operation
We assume that incoming date of length in node is mixed, i.e., XOR concatenated, with a secret key of length so that an attacker can not recognize and its next hop node . The outgoing data is defined as , where and are the bits, , and, , within and , respectively. Without loss of generality, any secret data is XOR encrypted into data of the same length .
IiiB3 Lfsr
Generally, keys generated with LFSR do not provide a strong cryptographic security, whereby an attacker is able to gain the generator polynomial of degree , if it receives at least consecutive plain text bits generated by LFSR. To this end, we propose to generate session key for data anonymization directly in each anonymization node , whereby a primitive irreducible polynomial of degree and seed as a start point are randomly selected by source for each utilized anonymization node and secretly distributed with public key cryptography. The source randomly selects one out of primitive polynomials of arbitrary degree , , where is Euler function, while are the prim numbers. The minimal degree is defined so that the maximal key length generated by LFSR is larger than data encrypted by this key, i.e., .
Due to public key cryptography used to distribute control messages during setup process of the optical circuit, all the data is assumed to be perfectly secret. In other words, each control message of length encrypted with a public key of node can not be recovered by an attacker, unless the control message out of all possible messages is guessed, i.e., . As a result, the routing information for circuit provisioining, the bit sequences , i.e., randomly selected primitive polynomials for session key generation, and random selected seeds are perfectly secret, which can not be recovered by an external attacker.
Since the data from source to destination is anonymized in each anonymization node along optical tunnel, an attacker can only discover and by accessing all wavelength segments between the anonymization nodes, as well as all incoming links of and outgoing links of to ensure that they are not the forwarding nodes of optical data attacked.
Lemma 2.
The proposed OOR ensures privacy and secrecy between any pair from an arbitrary extern attacker, if
(9) 
Proof.
Let us assume that attacker has access to all links along the path. In this case, the attacker needs to deanonymize the optical data sent by each node to the next anonymization node . Due to the fact that the polynomial of length bits, , and seed are chosen randomly and transmitted perfectly secure, the entropy of anonymization key can be defined as , while source randomly selects one out of existing primitive irreducible polynomials of degree and a seed out of (without zero) possible for each anonymization node. On the other hand, the secret key can be an arbitrary bit sequence out of possible, i.e., bits. An attacker can follow the algorithm for generation of and, thus, guesses any and or directly guesses of length . In the first case, the equivocation is defined as , while, in the second case, . For an attacker, it is simpler to guess polynomial and seed, if . Thus, must be equal to or larger than for a perfect secrecy. Since there are primitive polynomials of degree , the condition for perfect secrecy provided by anonymization key can be defined by Eq. (9), i.e., an attacker will be not able to deanonymize and to link (trace back) to nodes and . ∎
Iv Performance evaluation
We now show theoretical results for proposed private and anonymous OOR network and validate the same by simulations. The analytical results were calculated with Eq. (6) as well as with Eqs. (7) and (8). Since our model directly depends a steady state wavelength path availability and random path selection, we validate the analysis by using dynamic MonteCarlosimulations with of confidence.
We analyze modified optical network topology with 24 nodes and 35 fiber links, each fiber link carrying wavelengths ; each wavelength has the capacity of 10Gb/s. The link directions and available number of wavelengths on each fiber link are defined as and , respectively. Let us consider source node 1 and destination node 5. Here, there are in total different possible wavelength paths over all available wavelength links. All paths are sorted in the ascending order of length in number of hops, and collected in . The path availability for each decreases with increasing path length, i.e., . Before transmission, random wavelength paths between anonymization nodes are established by utilizing available wavelengths. Every node in the network can be used as an anonymization node, and the number of anonymization nodes per path is determined randomly.
Fig. 3 shows the normalized equivocation as a function of amount of number anonymization nodes used on a path and of maximal number of anonymization nodes . An increase in increases the system robustness against wiretapping (dashed line), while an attacker have to recover more redundant information, when anonymization nodes are utilized. For instance, an attacker must recover bits to guess secret data in case of and , while increase in increases entropy as per Eq. (7) and decreases redundant information in encrypted data up to for .
Next, we assume and evaluate the equivocation and the probabilities and for successful eavesdropping and correctly recovered data . Fig. 4 shows the normalized mean equivocation and probability for wiretapped transmission path , when any link in the network can be eavesdropped with probability . The equivocation redundancy and probability for eavesdropped transmission path increase with . As a result, an attacker can wiretap almost all paths when probability for wiretap link, , is , while equivocation redundancy amounts , when an attacker tries to decrypt. Next, we consider a special case whereby a maximum of fiber links in network can be wiretapped either simultaneously or indiviudally, . Fig. 5 shows the normalized mean equivocation and probability for wiretapped transmission path as a function of number of fiber links wiretapped at the same time, i.e., . An increase in increases the probability and, thus, the amount of redundant information required to be recovered by attacker, which follows the algorithm to guess from eavesdropped optical data . Here, the equivocation increases from around to bits with increasing number of wiretap links, i.e., for and , respectively, while the mean amount of wiretapped data, i.e., , also increases.
V Conclusion
We proposed an Optical Onion Routing (OOR) architecture, the mirror of Tor. We designed the network and a new optical anonymization node architecture, including the optical components (XOR) and their electronic counterparts (LFSR) to realize layered encryption. We proved formally and confirmed numerically that such an optical onion network can be perfectly private and secure. The paper aimed at providing practical foundations for privacyenhancing optical network technologies, and as such is work in progress.
References
 [1] E. Erdin, C. Zachor, and M. H. Gunes, “How to find hidden users: A survey of attacks on anonymity networks,” IEEE Communications Surveys Tutorials, vol. 17, no. 4, pp. 2296–2316, 2015.
 [2] S. Nepal, S. Dahal, and S. Shin, “Deanonymizing schemes of hidden services in tor network: A survey,” in Information Networking (ICOIN), 2015 International Conference on, Jan 2015, pp. 468–473.
 [3] N. I. Mowla, I. Doh, and K. Chae, “Securing information flow in content delivery networks with visual and quantum cryptography,” in 2016 International Conference on Information Networking (ICOIN), Jan 2016, pp. 463–468.
 [4] C. Y. Chen, G. J. Zeng, F. j. Lin, Y. H. Chou, and H. C. Chao, “Quantum cryptography and its applications over the internet,” IEEE Network, vol. 29, no. 5, pp. 64–69, September 2015.
 [5] T. GÃ¼neysu, F. Regazzoni, P. Sasdrich, and M. WÃ³jcik, “Thor  the hardware onion router,” in 2014 24th International Conference on Field Programmable Logic and Applications (FPL), Sept 2014, pp. 1–4.
 [6] E. Dimitriadou and K. E. Zoiros, “Alloptical xor gate using single quantumdot soa and optical filter,” Journal of Lightwave Technology, vol. 31, no. 23, pp. 3813–3821, Dec 2013.
 [7] X. Yang, R. J. Manning, and W. Hu, “Simple 40 gbit/s alloptical xor gate,” Electronics Letters, vol. 46, no. 3, pp. 229–230, Feb 2010.
 [8] K. Zeng, C. H. Yang, D. Y. Wei, and T. R. N. Rao, “Pseudorandom bit generators in streamcipher cryptography,” Computer, vol. 24, no. 2, pp. 8–17, Feb 1991.
 [9] F. M. A. Eljadi and I. F. T. A. Shaikhli, “Dynamic linear feedback shift registers: A review,” in Information and Communication Technology for The Muslim World (ICT4M), 2014 The 5th International Conference on, Nov 2014, pp. 1–5.
 [10] C. E. Shannon, “Communication theory of secrecy systems,” The Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, Oct 1949.
 [11] J. C. C. C. D. M. David H. K. Hoe, Jonathan M. Comer and M. V. Shirvaikar, “Cellular automatabased parallel random number generators using fpgas,” International Journal of Reconfigurable Computing, 2012.