[tor-dev] obfs4 questions

Michael Rogers michael at briarproject.org
Sat Nov 29 09:04:45 UTC 2014


On 29/11/14 00:35, Yawning Angel wrote:
> On Fri, 28 Nov 2014 17:57:26 +0000 Michael Rogers
> <michael at briarproject.org> wrote:
> 
>> On 28/11/14 15:50, Yawning Angel wrote:
>>> A one time poly1305 key is calculated for each box, based on
>>> 32 bytes of zeroes encrypted with a one time Salsa20
>>> key/counter derived from the nonce and the box key.  You can
>>> view the use of Salsa20 there as an arbitrary keyed hash
>>> function (in the case of the original paper, AES was used).
>>> 
>>> Hope that clarifies things somewhat,
>> 
>> Thanks - this is similar to the argument I came up with. I called
>> my argument hand-wavy because it relies on HSalsa20 and Salsa20
>> being PRFs, and I don't know how big an assumption that is.
> 
> For what it's worth, "7 Nonce and stream" both supports using a
> counter here as the nonce, and refers to 'The standard ("PRF")
> security conjecture for Salsa20'.  IIRC the security proof for the
> extended nonce variants also hinges on the underlying algorithms
> being PRFs as well, so it's something I'm comfortable in assuming.
> 
> http://cr.yp.to/highspeed/naclcrypto-20090310.pdf

Awesome, thanks!

Cheers,
Michael
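
The key derivation discussed in the quoted text, as an added example that is not part of the original thread or of the obfs4 or NaCl code: a pure-Python XSalsa20 first block, whose first 32 bytes (32 zero bytes encrypted under the box key and nonce) become the one-time Poly1305 key. The function names are hypothetical, and the FIRSTKEY and NONCE inputs are assumed to be the test values from the NaCl paper linked above.

```python
import struct

SIGMA = struct.unpack("<4I", b"expand 32-byte k")
# Word indices for one double round: four column quarter-rounds, then four row ones.
QR = [(0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11),
      (0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14)]

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xffffffff

def _core(key, inp16, feedforward):
    """Salsa20/20 core. feedforward=True gives a Salsa20 keystream block,
    feedforward=False gives HSalsa20 (no final addition, 8 words out)."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", inp16)
    s = [SIGMA[0], *k[:4], SIGMA[1], *n, SIGMA[2], *k[4:], SIGMA[3]]
    x = list(s)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in QR:
            x[b] ^= _rotl((x[a] + x[d]) & 0xffffffff, 7)
            x[c] ^= _rotl((x[b] + x[a]) & 0xffffffff, 9)
            x[d] ^= _rotl((x[c] + x[b]) & 0xffffffff, 13)
            x[a] ^= _rotl((x[d] + x[c]) & 0xffffffff, 18)
    if feedforward:
        return struct.pack("<16I", *[(x[i] + s[i]) & 0xffffffff for i in range(16)])
    return struct.pack("<8I", *[x[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)])

def poly1305_onetime_key(box_key, nonce24):
    """Per-box Poly1305 key: 32 zero bytes encrypted with XSalsa20."""
    # HSalsa20 turns the box key and the first 16 nonce bytes into a subkey.
    subkey = _core(box_key, nonce24[:16], feedforward=False)
    # Salsa20 block 0 under that subkey, last 8 nonce bytes, block counter 0.
    block0 = _core(subkey, nonce24[16:] + bytes(8), feedforward=True)
    # XORing zeroes with the keystream leaves the keystream itself.
    return bytes(z ^ s for z, s in zip(bytes(32), block0))

# Assumed inputs: "firstkey" and nonce from the NaCl paper's worked example.
FIRSTKEY = bytes.fromhex(
    "1b27556473e985d462cd51197a9a46c76009549eac6474f206c4ee0844f68389")
NONCE = bytes.fromhex("69696ee955b62b73cd62bda875fc73d68219e0036b7a0b37")

if __name__ == "__main__":
    print(poly1305_onetime_key(FIRSTKEY, NONCE).hex())
```

The message keystream starts at byte 32 of the same stream, so the MAC key is never reused as pad, and a nonce that never repeats (a counter, for example) gives each box a fresh MAC key.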

