[torspec/master] update to latest version as of 11 July - tor-commits

6 Aug 2019

commit dc3683f929a747876cfb66fa1b91edff68dfc27d
Author: Nick Mathewson nickm@torproject.org
Date:   Tue Aug 6 13:58:28 2019 -0400
update to latest version as of 11 July
---
 proposals/295-relay-crypto-with-adl.txt | 103 ++++++++++++++------------------
 1 file changed, 44 insertions(+), 59 deletions(-)

diff --git a/proposals/295-relay-crypto-with-adl.txt b/proposals/295-relay-crypto-with-adl.txt
index f88f3cf..cfb58a2 100644
--- a/proposals/295-relay-crypto-with-adl.txt
+++ b/proposals/295-relay-crypto-with-adl.txt
@@ -2,7 +2,7 @@ Filename: 295-relay-crypto-with-adl.txt
 Title: Using ADL for relay cryptography (solving the crypto-tagging attack)
 Author: Tomer Ashur, Orr Dunkelman, Atul Luykx
 Created: 22 Feb 2018
-Last-Modified: 1 March 2019
+Last-Modified: 10 July 2019
 Status: Open
@@ -54,7 +54,8 @@ Status: Open
    CTR                  Counter Mode
    N_I                  A de/encryption nonce (to be used in CTR-mode)
    T_I                  A tweak (to be used to de/encrypt the nonce)
-   T'_I                 A running digest
+   Tf'_I                A running digest (forward direction)
+   Tb'_I                A running digest (backward direction)
    ^                    XOR
    ||                   Concatenation
           (This is more readable than a single | but must be adapted
@@ -71,7 +72,7 @@ Status: Open
    recommend DIG_KEY_LEN = 128.
ENC_KEY_LEN -- The key length used for encryption (e.g., AES). We
-   recommend ENC_KEY_LEN = 128.
+   recommend ENC_KEY_LEN = 256.
2.4. Key derivation (replaces Section 5.2.2)
@@ -94,8 +95,8 @@ Status: Open
Length       Purpose                         Notation
    ------        -------                        --------
-   HASH_LEN     forward digest IV               DF      *
-   HASH_LEN     backward digest IV              DB      *
+   HASH_LEN     forward digest IV               DF
+   HASH_LEN     backward digest IV              DB
    ENC_KEY_LEN  encryption key                  Kf
    ENC_KEY_LEN  decryption key                  Kb
    DIG_KEY_LEN  forward digest key              Khf
@@ -105,7 +106,7 @@ Status: Open
    DIGEST_LEN   nonce to use in the                      *
                   hidden service protocol
-      * I am not sure that we need these any longer.
+      * I am not sure that we need this any longer.
Excess bytes from K are discarded.
@@ -130,6 +131,10 @@ Status: Open
3. Routing relay cells
+   Let n denote the integer representing the destination node. For
+   I = 1...n, we set Tf'_{I} = DF_I and Tb'_{I} = DB_I
+   where DF_I and DB_I are generated according to Section 2.4.
+
 3.1. Forward Direction
The forward direction is the direction that CREATE/CREATE2 cells
@@ -137,25 +142,22 @@ Status: Open
3.1.1. Routing from the Origin
-   Let n denote the integer representing the destination node. For
-   I = 1...n+1, T'_{I} is initialized to the 128-bit string consisting
-   entirely of '0's. When an OP sends a relay cell, they prepare the
+   When an OP sends a relay cell, they prepare the
    cell as follows:
The OP prepares the authentication part of the message:
C_{n+1} = M
-                T_{n+1} = Digest(Khf_n,T'_{n+1}||C_{n+1})
+                T_{n+1} = Digest(Khf_n,C_{n+1})
                 N_{n+1} = T_{n+1} ^ E(Ktf_n,T_{n+1} ^ 0)
-                T'_{n+1} = T_{n+1}
Then, the OP prepares the multi-layered encryption:
For I=n...1:
                         C_I = Encrypt(Kf_I,N_{I+1},C_{I+1})
-                        T_I = Digest(Khf_I,T'_I||C_I)
+                        T_I = Digest(Khf_I,Tf'_I||C_I)
                         N_I = T_I ^ E(Ktf_I,T_I ^ N_{I+1})
-                        T'_I = T_I
+                        Tf'_I = T_I
The OP sends C_1 and N_1 to node 1.
@@ -166,10 +168,10 @@ Status: Open
'Forward' relay cell:
-                T_I = Digest(Khf_I,T'_I||C_I)
+                T_I = Digest(Khf_I,Tf'_I||C_I)
                 N_{I+1} = T_I ^ D(Ktf_I,T_I ^ N_I)
                 C_{I+1} = Decrypt(Kf_I,N_{I+1},C_I)
-                T'_I = T_I
+                Tf'_I = T_I
The OR then decides whether it recognizes the relay cell as
    described below. If the OR recognizes the cell, it processes the
@@ -190,10 +192,10 @@ Status: Open
'Backward' relay cell:
-                T_I = Digest(Khb_I,T'_I||C_{I+1})
+                T_I = Digest(Khb_I,Tb'_I||C_{I+1})
                 N_I = T_I ^ E(Ktb_I,T_I ^ N_{I+1})
                 C_I = Encrypt(Kb_I,N_I,C_{I+1})
-                T'_I = T_I
+                Tb'_I = T_I
with C_{n+1} = M and N_{n+1}=0. Once encrypted, the node passes
    C_I and N_I along the circuit towards the OP.
@@ -207,9 +209,9 @@ Status: Open
For I=1...n, where n is the end node on the circuit:
                         C_{I+1} = Decrypt(Kb_I,N_I,C_I)
-                        T_I = Digest(Khb_I,T'_I||C_{I+1})
+                        T_I = Digest(Khb_I,Tb'_I||C_{I+1})
                         N_{I+1} = T_I ^ D(Ktb_I,T_I ^ N_I)
-                        T'_I = T_I
+                        Tb'_I = T_I
If the payload is recognized (see Section 4.1),
                 then:
@@ -229,46 +231,30 @@ Status: Open
         The payload of each unencrypted RELAY cell consists of:
Relay command           [1 byte]
-                'Recognized'            [2 bytes]
                 StreamID                [2 bytes]
                 Length                  [2 bytes]
-                Data                    [PAYLOAD_LEN-23 bytes]
+                Data                    [PAYLOAD_LEN-21 bytes]
-   The 'recognized' field is used as a simple indication that the
-   cell is still encrypted. It is an optimization to avoid
-   calculating expensive digests for every cell. When sending cells,
-   the unencrypted 'recognized' MUST be set to zero.
-   When receiving and decrypting cells the 'recognized' will always
-   be zero if we're the endpoint that the cell is destined for. For
-   cells that we should relay, the 'recognized' field will usually
-   be nonzero, but will accidentally be zero with P=2^-16.
+   The old Digest field is removed since sufficient information for
+   authentication is now included in the nonce part of the payload.
-   If the cell is recognized, the node moves to verifying the
-   authenticity of the message as follows(*):
+   The old 'Recognized' field is removed and the node always tries to
+   authenticate the message as follows:
forward direction (executed by the end node):
-                T_{n+1} = Digest(Khf_n,T'_{n+1}||C_{n+1})
+                T_{n+1} = Digest(Khf_n,C_{n+1})
                 Tag = T_{n+1} ^ D(Ktf_n,T_{n+1} ^ N_{n+1})
-                T'_{n+1} = T_{n+1}
-                The message is authenticated (i.e., M = C_{n+1}) if
-                and only if Tag = 0
+                The message is recognized and authenticated
+				(i.e., M = C_{n+1}) if and only if Tag = 0.
backward direction (executed by the OP):
-                The message is authenticated (i.e., C_{n+1} = M) if
-                and only if N_{n+1} = 0
-
-
-   The old Digest field is removed since sufficient information for
-   authentication is now included in the nonce part of the payload.
+                The message is recognized and authenticated
+				(i.e., C_{n+1} = M) if and only if N_{n+1} = 0.
-       (*) we should consider dropping the 'recognized' field
-       altogether and always try to authenticate. Note that this is
-       an optimization question and the crypto works just as well
-       either way.
The 'Length' field of a relay cell contains the number of bytes
    in the relay payload which contain real payload data. The
@@ -319,31 +305,30 @@ Status: Open
    Suppose that node I tags the ciphertext part of the message
    (C'_{I+1} != C_{I+1}) then forwards it to the next node (I+1). As
    per Section 3.1.2. Node I+1 digests C'_{I+1} to generate T_{I+1}
-   and N_{I+2}. Since C'_{I+2} is different than it should be, so
-   are the resulting T_{I+1} and N_{I+2}. Hence, decrypting C'_{I+2}
+   and N_{I+2}. Since C'_{I+2} is different from what it should be, so
+   are the resulting T_{I+1} and N_{I+2}. Hence, decrypting C'_{I+1}
    using these values results in a random string for C_{I+2}. Since
    C_{I+2} is now just a random string, it is decrypted into a
-   random string and cannot be 'recognized' nor
-   authenticated. Furthermore, since C'_{I+1} is different than what
-   it should be, T'_{I+1} (i.e., the running digest of the middle
-   node) is now out of sync with that of the OP, which means that
-   all future cells sent through this node will decrypt into garbage
-   (random strings).
+   random string and cannot be authenticated. Furthermore, since
+   C'_{I+1} is different than what it should be, Tf'_{I+1}
+   (i.e., the running digest of the middle node) is now out of sync
+   with that of the OP, which means that all future cells sent through
+   this node will decrypt into garbage (random strings).
Likewise, suppose that instead of tagging the ciphertext, Node I
-   node tags the encrypted nonce N'_{I+1} != N_{I+1}. Now, when Node
-   I+1 digests the payload the tweak T_{I+1} is find, but using it
+   tags the encrypted nonce N'_{I+1} != N_{I+1}. Now, when Node
+   I+1 digests the payload the tweak T_{I+1} is fine, but using it
    to decrypt N'_{I+1} again results in a random nonce for
    N_{I+2}. This random nonce is used to decrypt C_{I+1} into a
-   random C'_{I+2} which is not recognized by the end node. Since
-   C_{I+2} is now a random string, the running digest of the end
-   node is now out of sync, which prevents the end node from
+   random C'_{I+2} which cannot be authenticated by the end node. Since
+   C_{I+2} is a random string, the running digest of the end node is
+   now out of sync with that of OP, which prevents the end node from
    decrypting further cells.
5.1.2. Backward direction
In the backward direction the tagging is done by Node I+2
-   untagging by the Node I. Suppose first that Node I+2 tags the
+   untagging by Node I. Suppose first that Node I+2 tags the
    ciphertext C_{I+2} and sends it to Node I+1. As per Section
    3.2.1, Node I+1 first digests C_{I+2} and uses the resulting
    T_{I+1} to generate a nonce N_{I+1}. From this it is clear that

    