[tor-dev] Proposal 202: Two improved relay encryption protocols for Tor cells

Robert Ransom rransom.8774 at gmail.com
Thu Jun 21 22:28:33 UTC 2012


On 6/19/12, Nick Mathewson <nickm at freehaven.net> wrote:
> Filename: 202-improved-relay-crypto.txt


> 1.4. A note on algorithms
>
>    This document is deliberately agnostic concerning the choice of
>    cryptographic primitives -- not because I have no opinions about
>    good ciphers, MACs, and modes of operation -- but because
>    experience has taught me that mentioning any particular
>    cryptographic primitive will prevent discussion of anything else.

Not particularly agnostic, because you're specifying a different set
of primitives than the protocol actually requires.  See below.

>    Please DO NOT suggest algorithms to use in implementing these
>    protocols yet.  It will distract!  There will be time later!

OK, fine.  I won't prove that the cryptographic primitives which your
protocols really require can be implemented in terms of existing
low-level primitives and constructions.

>    If somebody _else_ suggests algorithms to use, for goodness' sake
>    DON'T ARGUE WITH THEM!  There will be time later!
>
>
> 2. Design 1: Large-block encryption
>
>    In this approach, we use a tweakable large-block cipher for
>    encryption and decryption, and a tweak-chaining function TC.
>
> 2.1. Chained large-block what now?
>
>    We assume the existence of a primitive that provides the desired
>    properties of a tweakable[Tweak] block cipher, taking blocks of any
>    desired size.  (In our case, the block size is 509 bytes[*].)
>
>    It also takes a Key, and a per-block "tweak" parameter that plays
>    the same role that an IV plays in CBC, or that the counter plays
>    in counter mode.
>
>    The Tweak-chaining function TC takes as input a previous tweak, a
>    tweak chaining key, and a cell; it outputs a new tweak.  Its
>    purpose is to make future cells undecryptable unless you have
>    received all previous cells.  It could probably be something like
>    a MAC of the old tweak and the cell using the tweak chaining key
>    as the MAC key.
>
>    (If the initial tweak is secret, I am not sure that TC needs to
>    be keyed.)
>
>    [*] Some large-block cipher constructions use blocks whose size is
>        the multiple of some underlying cipher's block size.  If we wind
>        up having to use one of those, we can use 496-byte blocks instead
>        at the cost of 2.5% wasted space.

You're talking about a particular cryptographic primitive here.  (Some
underlying ciphers (e.g. Skipjack) operate on 8-byte blocks, so you
would only reduce the large-block block cipher to 504-byte blocks at
the cost of about 1% wasted space.)

Since you've crossed the ‘mentioning specific primitives’ line by
suggesting a kludge to support AES-biIGE, I might as well point out
that large-block block cipher constructions can generally be modified
to extract entropy from the message and key during
encryption/decryption into an extra output (which may need to be kept
secret).  This extra output can be hashed with a longer-term ‘chaining
key’ and/or the previous large-block block cipher key to produce a new
large-block block cipher key (or to produce a new tweak for the
large-block block cipher, if you insist on using underlying primitives
(mumble *AES* mumble mumble) which are too inefficient to use without
per-key precomputation).


> 3. Design 2: short-MAC-and-pad
>
>    In this design, we behave more similarly to a mix-net design
>    (such as Mixmaster or Mixminion's headers).  Each node checks a
>    MAC, and then re-pads the cell to its chosen length before
>    decoding the cell.
>
>    This design uses as a primitive a MAC and a stream cipher.  It
>    might also be possible to use an authenticating cipher mode,
>    if we can find one that works like a stream cipher and allows us
>    to efficiently output authenticators for the stream so far.
>
>    NOTE TO AE/AEAD FANS: The encrypt-and-MAC model here could be
>    replaced with an authenticated encryption mode without too much
>    loss of generality.

Here you are assuming that MAC(a | b) can be efficiently computed from
PreMAC(a) and b for some function PreMAC, and that either the MAC does
not require a per-message nonce or PreMAC is independent of the nonce.
 (In particular, you are assuming HMAC or a Poly1305-AES-like MAC, and
forbidding some faster and/or safer polynomial-evaluation MACs.)

Many MACs (possibly not polynomial-evaluation MACs, though) can be
used to authenticate the stream of cells: let p be the full output of
the MAC for the preceding cell, and compute MAC(cell_index, p |
cell_data) as the MAC for the current cell (then stick a possibly
truncated copy of that on the cell for transmission).  (And now,
instead of specifying a particular authenticated encryption primitive
as Nick did, I'm specifying a particular AEAD primitive with a(n
extra) ‘chaining’ output.  AE and AEAD are primitives themselves, not
things that must be kludged up as cipher modes for a (small-block)
block cipher (unless you're NSA and you're trying to force-feed
everyone AES).)


Robert Ransom


More information about the tor-dev mailing list