[tor-dev] Analysis of the Relative Severity of Tagging Attacks

Watson Ladd watsonbladd at gmail.com
Mon Mar 12 01:54:49 UTC 2012

On Sun, Mar 11, 2012 at 8:32 PM, Robert Ransom <rransom.8774 at gmail.com> wrote:
> On 2012-03-11, The23rd Raccoon <the.raccoon23 at gmail.com> wrote:
> But http://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf and an
> end-to-end MAC is more likely as a solution to the end-to-end tagging
> attack, because (a) per-hop MACs would take up much more space in each
> cell and disclose the length of a circuit to the exit node, and (b)
> with per-hop MACs, if you can get a forgery accepted (which happens
> with probability 2^(-n), where n is the number of bits in the MAC, for
> any MAC that Tor could use), you know with probability 2^(-n) that the
> next hop is the last one.
You are going to have to be careful and explain this to me. I get the
leaking the length of a circuit and position in the chain. But we use
length 3 circuits in the current client node all the time, and if you
weren't the start or the end, you are the middle. The forgery
acceptance probability for Poly1305 is 2^-128. Forgery is not going to

I also don't see what Bear/Lionness gets us. It does solve problems
with losing sync. It does so at a cost of determining when identical
ORs are sent, which happens a lot: think multiple http requests.
Losing semantic security is a Bad Thing. I'll freely admit there are
issues with incorporating a leak of circuit length into the protocol,
as well as possibly (depending on details of TLS) leaking what lengths
end where to a global adversary.

It's preeminently possible I am missing something.
> (This sucks, because polynomial-evaluation MACs are faster and more
> fun than most hash functions that would be suitable for
I concur: we do need to keep an eye on performance. Saturate commodity
bandwidth with commodity hardware!
> Robert Ransom
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Watson Ladd

"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

More information about the tor-dev mailing list