[tor-dev] obfs4 questions

Yawning Angel yawning at schwanenlied.me
Sat Nov 29 00:35:50 UTC 2014


On Fri, 28 Nov 2014 17:57:26 +0000
Michael Rogers <michael at briarproject.org> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 28/11/14 15:50, Yawning Angel wrote:
> > A one time poly1305 key is calculated for each box, based on 32
> > bytes of zeroes encrypted with a one time Salsa20 key/counter
> > derived from the nonce and the box key.  You can view the use of
> > Salsa20 there as an arbitrary keyed hash function (in the case of
> > the original paper, AES was used).
> > 
> > Hope that clarifies things somewhat,
> 
> Thanks - this is similar to the argument I came up with. I called my
> argument hand-wavy because it relies on HSalsa20 and Salsa20 being
> PRFs, and I don't know how big an assumption that is.

For what it's worth "7 Nonce and stream" both support using a counter
here as the nonce, and refers to 'The standard ("PRF") security
conjecture for Salsa20".  IIRC the security proof for the extended
nonce variants also hinges on the underlying algorithms being PRFs as
well, so it's something I'm comfortable in assuming.

http://cr.yp.to/highspeed/naclcrypto-20090310.pdf

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20141129/0bf7f6fb/attachment.sig>


More information about the tor-dev mailing list