[tor-dev] Analysis of the Relative Severity of Tagging Attacks

Robert Ransom rransom.8774 at gmail.com
Mon Mar 12 01:32:44 UTC 2012

On 2012-03-11, The23rd Raccoon <the.raccoon23 at gmail.com> wrote:

> The crypto-tagger achieves amplification by being destructive to a
> circuit if the tagged cell is not untagged by them at the exit of the
> network, and also by being destructive when a non-tagged cell is
> "untagged" on a circuit coming from a non-tagging entry. It transforms
> all non-colluding entrances and exits into a "half-duplex global"
> adversary that works for the tagger to ensure that all traffic that he
> carries goes only through his colluding nodes.

I wonder what the 'bandwidth authorities' would think of exits that
close circuits which They don't control:

> Sounds like it's time to swap out AES-CTR in favor of a
> self-authenticating cipher[9] amirite??. OCB mode, anyone?

OCB is patented, and also crap.  http://cr.yp.to/papers.html#pema is
the right way to get a MAC (see also
http://cr.yp.to/papers.html#poly1305 and

But http://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf and an
end-to-end MAC is more likely as a solution to the end-to-end tagging
attack, because (a) per-hop MACs would take up much more space in each
cell and disclose the length of a circuit to the exit node, and (b)
with per-hop MACs, if you can get a forgery accepted (which happens
with probability 2^(-n), where n is the number of bits in the MAC, for
any MAC that Tor could use), you know with probability 2^(-n) that the
next hop is the last one.

(This sucks, because polynomial-evaluation MACs are faster and more
fun than most hash functions that would be suitable for

Robert Ransom
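
An added example, not part of the original message and not Tor's code: a single end-to-end MAC carried under layered counter-mode encryption, showing that a cell modified at the first hop passes through the remaining layers unchanged and is rejected only by the MAC check at the exit. The SHA-256 keystream (standing in for AES-CTR), HMAC-SHA256 (standing in for the MAC), the key names and the 16-byte tag length are all assumptions made for illustration.

```python
import hashlib
import hmac

TAG_LEN = 16  # constructed value: truncated MAC length in bytes

def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream built from SHA-256 (stand-in for AES-CTR)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def layer(key: bytes, data: bytes) -> bytes:
    """Add or strip one hop's stream-cipher layer (the same operation)."""
    return xor(data, keystream(key, len(data)))

def mac(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]

def client_build(hop_keys, e2e_key, payload):
    """One end-to-end tag under the innermost layer, then one layer per hop."""
    cell = payload + mac(e2e_key, payload)
    for k in reversed(hop_keys):
        cell = layer(k, cell)
    return cell

def exit_open(e2e_key, cell):
    """Return the payload if the tag verifies, else None."""
    payload, tag = cell[:-TAG_LEN], cell[-TAG_LEN:]
    return payload if hmac.compare_digest(tag, mac(e2e_key, payload)) else None

# Constructed keys and payload, for illustration only.
HOP_KEYS = [b"guard-key", b"middle-key", b"exit-key"]
E2E_KEY = b"client-exit-mac-key"
PAYLOAD = b"GET / HTTP/1.1\r\n".ljust(64, b"\x00")

def run(mask: bytes = b""):
    """Pass one cell through three hops; the first hop XORs `mask` into it."""
    cell = client_build(HOP_KEYS, E2E_KEY, PAYLOAD)
    for i, k in enumerate(HOP_KEYS):
        cell = layer(k, cell)
        if i == 0:
            cell = xor(cell, mask.ljust(len(cell), b"\x00"))
    return exit_open(E2E_KEY, cell), cell  # (verified payload or None, raw cell)
```

The cell carries TAG_LEN bytes of MAC regardless of circuit length, whereas per-hop MACs would cost TAG_LEN bytes per hop.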
