Anonymous communication networks (ACNs) aim to thwart an adversary,
who controls or observes chunks of the communication network,
from determining the respective identities of two communicating parties.
We focus on low-latency ACNs such as Tor, which target a practical level
of anonymity without incurring an unacceptable transmission delay.

While several definitions have been proposed to quantify the level of anonymity
provided by high-latency, message-centric ACNs (such as mix-nets and DC-nets),
this approach is less relevant to Tor, where user--destination pairs communicate
over secure overlay circuits. Moreover, existing evaluation methods of
traffic analysis attacks on Tor appear somewhat ad hoc and fragmented.
We propose a fair evaluation framework for such attacks against onion
routing systems by identifying and discussing the crucial components
for evaluation, including how to consider various adversarial goals,
how to factor in the adversarial ability to collect information relevant
to the attack, and how these components combine to suitable metrics to
quantify the adversary's success.

The area of computational cryptography is dedicated to the development of effective methods in algorithmic number theory that improve implementation of cryptosystems or further their cryptanalysis. This book is a tribute to Arjen K. Lenstra, one of the key contributors to the field, on the occasion of his 65th birthday, covering his best-known scientific achievements in the field. Students and security engineers will appreciate this no-nonsense introduction to the hard mathematical problems used in cryptography and on which cybersecurity is built, as well as the overview of recent advances on how to solve these problems from both theoretical and practical applied perspectives. Beginning with polynomials, the book moves on to the celebrated Lenstra–Lenstra–Lovász lattice reduction algorithm, and then progresses to integer factorization and the impact of these methods to the selection of strong cryptographic keys for usage in widely used standards.

Public key encryption schemes are increasingly being studied concretely, with an emphasis on tight bounds even in a multi-user setting. Here, two types of formalization have emerged, one with a single challenge bit and one with multiple challenge bits. Another modelling choice is whether to allow key corruptions or not. How tightly the various notions relate to each other has hitherto not been studied in detail. We show that in the absence of corruptions, single-bit left-or-right indistinguishability is the preferred notion, as it tightly implies the other (corruption-less) notions. However, in the presence of corruptions, this implication no longer holds; we suggest the use of a more general notion that tightly implies both existing options. Furthermore, for completeness we study how the relationship between left-or-right versus real-or-random evolves in the multi-user PKE setting.