[tor-dev] Proposal 262: Re-keying live circuits with new cryptographic material

Yawning Angel yawning at schwanenlied.me
Tue Dec 29 01:29:03 UTC 2015

On Mon, 28 Dec 2015 17:43:57 -0500
Nick Mathewson <nickm at torproject.org> wrote:
> 2. RELAY_REKEY cell operation
>    To rekey, the circuit initiator ("client") can send a new
> RELAY_REKEY cell type:
>         struct relay_rekey {
>           u16 rekey_method IN [0, 1];
>           u8 rekey_data[];
>         }
>         const REKEY_METHOD_ACK = 0;
>         const REKEY_METHOD_SHAKE128_CLIENT = 1;
>    This cell means "I am changing the key." The new key material will
> be derived from SHAKE128 of the aez_key concatenated with the
> rekey_data field, to fill a new shake_output structure.  The client
> should set rekey_data at random.

This should be SHAKE256 to be consistent with our initial AEZ key
derivation.  We're squeezing less data than the SHAKE256 rate, and we
need the same number of Keccak calls for either primitive during the
absorb phase, so there is no performance difference.

Yawning Angel
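
The call-count argument in the reply above, worked through as an added example (not part of the original message or of the proposal). The aez_key, rekey_data and output lengths are assumed values, and the helper names are hypothetical.

```python
import hashlib
import os

# Sponge rates in bytes from FIPS 202 (200-byte state minus capacity).
RATE = {"shake128": 168, "shake256": 136}
XOF = {"shake128": hashlib.shake_128, "shake256": hashlib.shake_256}

# Assumed sizes for illustration; the message does not state them.
AEZ_KEY_LEN = 48
REKEY_DATA_LEN = 32
OUTPUT_LEN = 64


def keccak_calls(xof, input_len, output_len):
    """Return (absorb_calls, extra_squeeze_calls) of Keccak-f[1600]."""
    rate = RATE[xof]
    # Padding adds at least one byte, so an input that exactly fills a
    # block still costs one more permutation.
    absorb = input_len // rate + 1
    # The final absorb permutation already provides `rate` output bytes.
    squeeze_blocks = -(-output_len // rate)  # ceiling division
    return absorb, max(squeeze_blocks - 1, 0)


def rekey(aez_key, rekey_data, xof="shake256", output_len=OUTPUT_LEN):
    """Derive new key material as XOF(aez_key || rekey_data)."""
    return XOF[xof](aez_key + rekey_data).digest(output_len)


def same_cost(input_len, output_len):
    """True when SHAKE128 and SHAKE256 need the same permutation count."""
    return (sum(keccak_calls("shake128", input_len, output_len))
            == sum(keccak_calls("shake256", input_len, output_len)))


if __name__ == "__main__":
    aez_key = os.urandom(AEZ_KEY_LEN)        # constructed sample key
    rekey_data = os.urandom(REKEY_DATA_LEN)  # client-chosen random data
    n = len(aez_key) + len(rekey_data)
    for name in RATE:
        print(name, keccak_calls(name, n, OUTPUT_LEN),
              rekey(aez_key, rekey_data, name).hex()[:16])
    # Inputs of 136..167 bytes are where the two would diverge.
    print(same_cost(n, OUTPUT_LEN), same_cost(136, OUTPUT_LEN))
```

With the assumed sizes both XOFs need a single permutation; the counts only differ once the input reaches 136 bytes or the output exceeds 136 bytes.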