On 2012-03-11, The23rd Raccoon <the.raccoon23@gmail.com> wrote:
> The crypto-tagger achieves amplification by being destructive to a circuit if the tagged cell is not untagged by them at the exit of the network, and also by being destructive when a non-tagged cell is "untagged" on a circuit coming from a non-tagging entry. It transforms all non-colluding entrances and exits into a "half-duplex global" adversary that works for the tagger to ensure that all traffic that he carries goes only through his colluding nodes.
>
> I wonder what the 'bandwidth authorities' would think of exits that close circuits which They don't control: https://gitweb.torproject.org/torflow.git/blob/HEAD:/NetworkScanners/BwAutho...
>
> Sounds like it's time to swap out AES-CTR in favor of a self-authenticating cipher[9] amirite?? OCB mode, anyone?
OCB is patented, and also crap. http://cr.yp.to/papers.html#pema is the right way to get a MAC (see also http://cr.yp.to/papers.html#poly1305 and http://cr.yp.to/papers.html#aecycles).
But http://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf and an end-to-end MAC is more likely as a solution to the end-to-end tagging attack, because (a) per-hop MACs would take up much more space in each cell and disclose the length of a circuit to the exit node, and (b) with per-hop MACs, if you can get a forgery accepted (which happens with probability 2^(-n), where n is the number of bits in the MAC, for any MAC that Tor could use), you know with probability 2^(-n) that the next hop is the last one.
(This sucks, because polynomial-evaluation MACs are faster and more fun than most hash functions that would be suitable for BEAR/LION/LIONESS.)
Robert Ransom
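The contrast Robert draws between a stream-cipher layer and a BEAR/LION-style wide-block layer, as an added example that is not from the thread or from Tor's code: the stream cipher and hash are constructed stand-ins (HMAC-SHA256 in counter mode and SHA-256), the LION structure follows the cited paper, and the 512-byte cell and keys are constructed values. With the stream layer a single flipped ciphertext bit comes out as the same single flipped plaintext bit, which is what makes a tag recognisable; through LION the same flip randomises the whole cell.

```python
import hashlib, hmac

HASH_LEN = 32  # LION's "left" half = one SHA-256 digest (constructed example)

def keystream(key, length):
    # Stream-cipher stand-in: HMAC-SHA256 over a counter (assumption; it has
    # AES-CTR's XOR structure, which is all that matters for malleability).
    out = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((length + 31) // 32))
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_layer(key, cell):
    # One onion layer with a stream cipher: encrypt and decrypt are the same op.
    return xor(cell, keystream(key, len(cell)))

def lion_encrypt(k1, k2, cell):
    # LION (Anderson/Biham): stream cipher S keyed from the left half, hash H of
    # the right half; any ciphertext change randomises the whole decrypted cell.
    left, right = cell[:HASH_LEN], cell[HASH_LEN:]
    right = xor(right, keystream(xor(left, k1), len(right)))
    left = xor(left, hashlib.sha256(right).digest())
    right = xor(right, keystream(xor(left, k2), len(right)))
    return left + right

def lion_decrypt(k1, k2, cell):
    left, right = cell[:HASH_LEN], cell[HASH_LEN:]
    right = xor(right, keystream(xor(left, k2), len(right)))
    left = xor(left, hashlib.sha256(right).digest())
    right = xor(right, keystream(xor(left, k1), len(right)))
    return left + right

def flip_bit(cell, index):
    # The tag as the thread describes it: one bit changed in transit.
    out = bytearray(cell)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)

def bits_changed(a, b):
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def ctr_damage(key, cell, bit):
    # Plaintext bits differing after one ciphertext bit flip: exactly 1.
    return bits_changed(cell, ctr_layer(key, flip_bit(ctr_layer(key, cell), bit)))

def lion_damage(k1, k2, cell, bit):
    # Same experiment through LION: about half of all bits change (garbage).
    return bits_changed(cell, lion_decrypt(k1, k2, flip_bit(lion_encrypt(k1, k2, cell), bit)))
```

Run `ctr_damage` and `lion_damage` on the same cell and bit position to see the difference: the first returns 1, the second returns a number near half the cell's bit count wherever the flip lands.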