<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On 23 Dec 2015, at 03:59, Nick Mathewson &lt;<a href="mailto:nickm@alum.mit.edu" class="">nickm@alum.mit.edu</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="">On Mon, Nov 30, 2015 at 2:12 AM, Tim Wilson-Brown - teor<br class="">&lt;<a href="mailto:teor2345@gmail.com" class="">teor2345@gmail.com</a>&gt; wrote:<br class=""><blockquote type="cite" class="">Hi Nick,<br class=""><br class="">The AEZ paper says:<br class=""><br class="">"We impose a limit that AEZ be used for at most 2^48 bytes of data (about<br class="">280 TB); by that time, the user should rekey. This usage limit stems from<br class="">the existence of birthday attacks on AEZ, as well as the use of AES4 to<br class="">create a universal hash function."<br class=""><br class=""><a href="http://web.cs.ucdavis.edu/~rogaway/aez/rae.pdf" class="">http://web.cs.ucdavis.edu/~rogaway/aez/rae.pdf</a><br class=""><br class="">Since we change the tweak for every cell, do we have to be worried about<br class="">this limit?<br class="">(Regardless of the tweak change, we are keeping the key constant, and using<br class="">the same key forwards and backwards.)<br class=""><br class="">It seems to me that the 280 TB limit is so large that we don't have to worry<br class="">about it being reached in any real-world circuit.<br class="">But I'm not sure of the maximum data volumes or lifetimes of current Tor<br class="">circuits.<br class=""><br class="">Should we include a method of rekeying in the Tor AEZ specification, in case<br class="">the recommended limit is reduced in future?<br class=""></blockquote><br class="">How's this:<br class=""></div></div></blockquote><div><br class=""></div><div>Looks good, I particularly like the way 
we test it on every (medium-term) connection.</div><br class=""><blockquote type="cite" class=""><div class=""><div class="">2.3. Key rotation<br class=""><br class=""> According to the AEZ paper, we should re-key after 280 TB. Let's<br class=""> conservatively say that we should re-key every ~4 billion cells (about<br class=""> 2 GB).<br class=""><br class=""> To rekey, the circuit initiator ("client") can send a new RELAY_REKEY cell<br class=""> type:<br class=""><br class=""> struct relay_rekey {<br class=""> u16 rekey_method IN [0];<br class=""> u8 rekey_data[];<br class=""> }<br class=""><br class=""> This cell means "I am changing the key." The new key material will be<br class=""> derived from SHAKE128 of the aez_key concatenated with the rekey_data<br class=""> field, to fill a new shake_output structure. The client should set<br class=""> rekey_data at random.<br class=""></div></div></blockquote><div><br class=""></div><div>What is the minimum / recommended / set length of rekey_data?</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""> After sending one of these RELAY_REKEY cells, the client uses the new<br class=""> aez_key to encrypt all of its data to this hop, but retains the old<br class=""> aez_key for decrypting the data coming back from the relay.<br class=""><br class=""> When the relay receives a RELAY_REKEY cell, it sends a RELAY_REKEY cell<br class=""> back towards the client, with empty rekey_data, and then updates its own<br class=""> key material for all additional data it sends and receives to the client.<br class=""><br class=""> When the client receives this reply, it can discard the old AEZ key, and<br class=""> begin decrypting subsequent inbound cells with the new key.<br class=""><br class=""> I recommend that, to make sure this code works, clients be set up to<br class=""> rekey after e.g. 
the first 128Kb, and then every 2**32 cells thereafter.<br class=""></div></div></blockquote><div><br class=""></div><div>Do we want to randomise the number of cells before a rekey?</div><div>(I can imagine that rekeying might have a detectable timing / traffic pattern, but I'm not sure if that matters.)</div><br class=""><blockquote type="cite" class=""><div class=""><div class=""> Note that the cell_number cell counter does not reset even when the key is<br class=""> rotated.<br class=""></div></div></blockquote><br class=""></div><div>Tim</div><br class=""><div class="">
<div class="">Tim Wilson-Brown (teor)</div><div class=""><br class=""></div><div class="">teor2345 at gmail dot com<br class="">PGP 968F094B<br class=""><br class="">teor at blah dot im<br class="">OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F</div>
</div>
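<div class="">Added example (not part of the original thread or of Tor's code): a sketch of the section 2.3 rekey handshake quoted above, covering the SHAKE128 derivation and the order in which each side switches keys. The 48-byte key size, the 32-byte rekey_data length, the class and function names, and the rejection of an empty client rekey_data are assumptions; the thread does not define the shake_output layout.</div>

```python
import hashlib
import os
import struct

AEZ_KEY_LEN = 48      # assumed key size; shake_output layout is not in the thread
REKEY_DATA_LEN = 32   # assumed; the thread leaves the length of rekey_data open

def encode_rekey(rekey_data: bytes) -> bytes:
    """relay_rekey body: u16 rekey_method (only 0 is defined) + rekey_data."""
    return struct.pack("!H", 0) + rekey_data

def parse_rekey(body: bytes) -> bytes:
    if len(body) < 2 or struct.unpack("!H", body[:2])[0] != 0:
        raise ValueError("unsupported rekey_method")
    return body[2:]

def derive_key(aez_key: bytes, rekey_data: bytes) -> bytes:
    """SHAKE128(aez_key || rekey_data), truncated to the assumed key size."""
    return hashlib.shake_128(aez_key + rekey_data).digest(AEZ_KEY_LEN)

class Client:
    def __init__(self, aez_key: bytes):
        self.send_key = self.recv_key = aez_key
        self.pending = None    # new key awaiting the relay's reply
        self.cell_number = 0   # per the proposal, never reset on rotation

    def start_rekey(self) -> bytes:
        if self.pending is not None:
            raise RuntimeError("rekey already in flight")
        rekey_data = os.urandom(REKEY_DATA_LEN)
        self.pending = derive_key(self.send_key, rekey_data)
        body = encode_rekey(rekey_data)   # this cell still goes out under the old key
        self.send_key = self.pending      # later outbound cells use the new key
        return body

    def on_reply(self, body: bytes) -> None:
        if self.pending is None or parse_rekey(body) != b"":
            raise ValueError("unexpected RELAY_REKEY reply")
        self.recv_key, self.pending = self.pending, None  # old key discarded

class Relay:
    def __init__(self, aez_key: bytes):
        self.key = aez_key

    def on_rekey(self, body: bytes) -> bytes:
        rekey_data = parse_rekey(body)
        if not rekey_data:                # assumption: empty client data is rejected
            raise ValueError("client rekey_data must not be empty")
        reply = encode_rekey(b"")         # reply is built before the relay switches
        self.key = derive_key(self.key, rekey_data)
        return reply
```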
<br class=""></body></html>