[tor-dev] RFC: AEZ for relay cryptography, v2

Nick Mathewson nickm at alum.mit.edu
Mon Nov 30 01:21:22 UTC 2015


On Sun, Nov 29, 2015 at 7:06 PM, Tim Wilson-Brown - teor
<teor2345 at gmail.com> wrote:
>
> On 30 Nov 2015, at 09:13, Nick Mathewson <nickm at torproject.org> wrote:
> ...
> 2.2. New relay cell payload
> ...
>   When encrypting a cell for a hop that was created using one of these
>   circuits, clients and relays encrypt them using the AEZ algorithm
>   with the following parameters:
>
>       Let Chain denote chain_val_forward if this is a forward cell
>          or chain_forward_backward otherwise.
>
>
> chain_val_backward?

Yes, whoops.

> ...
>
> 3.3. Why _not_ AEZ?
>
>   ...
>
>   THIRD, it's really horrible to try to do it in hardware.
>
>
> This may be considered an advantage against an adversary with the resources
> to employ custom hardware to attempt to break AEZ-based encryption.

Ooh.  Interesting.

> ...
>
> ...
> 4.3. A forward-secure variant.
>
>
> How is this different to what you've specified in the main body of the
> proposal?
>
>
>   We might want the property that after every cell, we can forget
>   some secret that would enable us to decrypt that cell if we saw
>   it again.

Whoops; it's leftover text from an earlier version of the proposal.

-- 
Nick

