[tor-dev] Proposal 202: Two improved relay encryption protocols for Tor cells

Robert Ransom rransom.8774 at gmail.com
Tue Jun 19 18:06:48 UTC 2012


On 6/19/12, Nick Mathewson <nickm at freehaven.net> wrote:
> Filename: 202-improved-relay-crypto.txt

>    Any new approach should be able to coexist on a circuit
>    with the old approach.  That is, if Alice wants to build a
>    circuit through Bob1, Bob2, and Bob3, and only Bob2 supports a
>    revised relay protocol, then Alice should be able to build a
>    circuit such that she can have Bob1 and Bob3 process each cell
>    with the current protocol, and Bob2 process it with a revised
>    protocol.  (Why?  Because if all nodes in a circuit needed to use
>    the same relay protocol, then each node could learn information
>    about the other nodes in the circuit from which relay protocol
>    was chosen.  For example, if Bob1 supports the new protocol, and
>    sees that the old relay protocol is in use, and knows that Bob2
>    supports the new one, then Bob1 has learned that Bob3 is some
>    node that does not support the new relay protocol.)

This feature is unsafe to use.  Each client must use the same
circuit-extension protocol for every relay on every circuit it builds.


> 2.1. Chained large-block what now?
>
>    We assume the existence of a primitive that provides the desired
>    properties of a tweakable[Tweak] block cipher, taking blocks of any
>    desired size.  (In our case, the block size is 509 bytes[*].)
>
>    It also takes a Key, and a per-block "tweak" parameter that plays
>    the same role that an IV plays in CBC, or that the counter plays
>    in counter mode.
>
>    The Tweak-chaining function TC takes as input a previous tweak, a
>    tweak chaining key, and a cell; it outputs a new tweak.  Its
>    purpose is to make future cells undecryptable unless you have
>    received all previous cells.  It could probably be something like
>    a MAC of the old tweak and the cell using the tweak chaining key
>    as the MAC key.

No.  In every tweakable block cipher construction which I have seen
proposed, an attacker who knows the key and has one plaintext and its
corresponding ciphertext can recover the tweak.

Varying the tweak would allow an honest recipient to fail to decrypt a
cell if any previous cell was altered, but cells are not undecryptable
if only the tweak is unknown.


Robert Ransom
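An added illustration of both halves of the reply above, not code from the proposal or from Tor: a toy 509-byte tweakable cipher with the MAC-based tweak chaining that proposal 202 sketches. The cipher itself (a 4-round HMAC Feistel with the tweak XORed into the block before encryption), the chaining PRF, and the sample keys and cells are all assumptions made here for illustration.

```python
import hashlib, hmac
BLOCK = 509  # payload size of a Tor relay cell, as in the proposal

def _prf(key, label, n):  # toy PRF: HMAC-SHA256 in counter mode, up to 512 output bytes
    blocks = (hmac.new(key, bytes([i]) + label, hashlib.sha256).digest() for i in range(16))
    return b"".join(blocks)[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _wide_block(key, block, decrypt=False):
    # Toy 509-byte block cipher: 4-round Feistel over 254/255-byte halves, _prf as round function.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = _xor(r, _prf(key, bytes([i]) + l, len(r))), l
        else:
            l, r = r, _xor(l, _prf(key, bytes([i]) + r, len(l)))
    return l + r

def tweak_encrypt(key, tweak, cell):  # assumed construction: XOR the tweak in, then encrypt
    return _wide_block(key, _xor(cell, tweak))

def tweak_decrypt(key, tweak, ct):
    return _xor(_wide_block(key, ct, decrypt=True), tweak)

def chain_tweak(tck, prev_tweak, cell):  # TC as sketched: MAC(tck, old tweak || cell), block-sized
    return _prf(tck, prev_tweak + cell, BLOCK)

def encrypt_cells(key, tck, tweak0, cells):
    cts, t = [], tweak0
    for c in cells:
        cts.append(tweak_encrypt(key, t, c))
        t = chain_tweak(tck, t, c)
    return cts

def decrypt_cells(key, tck, tweak0, cts):
    # Honest receiver chains on what it decrypted, so one damaged cell derails every later one.
    pts, t = [], tweak0
    for ct in cts:
        pts.append(tweak_decrypt(key, t, ct))
        t = chain_tweak(tck, t, pts[-1])
    return pts

def recover_tweak(key, cell, ct):  # Ransom's objection: key + one (plaintext, ciphertext) pair
    return _xor(_wide_block(key, ct, decrypt=True), cell)

KEY, TCK, TWEAK0 = b"k" * 32, b"c" * 32, b"t" * BLOCK  # constructed sample keys, not real ones
CELLS = [b"cell %d" % i + b"\0" * (BLOCK - 6) for i in range(3)]  # constructed padded cells
```

Damaging the first ciphertext makes the honest receiver's later cells come out as garbage, while anyone holding the key and one (plaintext, ciphertext) pair reads the tweak straight back and can decrypt that cell without ever having been told the tweak.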