[tor-dev] Discussion Meeting for Prop#249 "Large CREATE cells"
isis agora lovecruft
isis at torproject.org
Sat Dec 9 00:29:04 UTC 2017
What: A proposal discussion meeting for prop#249 "Allow CREATE cells with
>505 bytes of handshake data". 
Who: This proposal is likely of interest to those hoping to integrate newer,
non-ECC-based, circuit-layer handshakes into the Tor protocol.
When: Next week, on Monday or Tuesday (or Wednesday, for some timezones).
If you'd like to attend, please vote on a time here:
Where: irc.oftc.net #tor-meeting
Meeting Preparation Materials
The following is meant for attendees to refresh before the meeting. Please
feel free to respond with further summary and/or open questions/concerns.
The proposal outlines two new cell types, CREATE2V and CREATED2V, which are
variable-length and (like their CREATE2/CREATED2 counterparts) are sent
encapsulated in EXTEND2 cells. Due to their variable-length, however, if a
CREATE(D)2V cell's HDATA is larger than the standard allotment of 505 bytes,
these new cells are fragmented across multiple EXTEND2 cells.
1. Since CREATE2V cells are used for handshakes, and several newer,
post-quantum primitives have asymmetric payloads for the client versus
server directions, should we require that the CREATE(D)2V padding be used
to equalise the number of bytes sent in each direction?
2. Should we randomise the bytes in the padding? (Currently, as proposed,
we require all-zero padding.)
3. Should we do anything more future-proofed w.r.t. the future possibility
of using an alternate (non-stateful, e.g. not TCP) transport?
(Currently, the proposal relies heavily upon the transport-layer to
provide delivery guarantee and, perhaps more important, ordering.)
4. Shoule we, for hybrid handshakes (handshakes which use multiple separate
primitives to derive shared secrets, e.g. ECDH+RLWE or ECDH+SIDH, by
conducting each handshake separately and composing their respective
resulting shared secrets), design some mechanism where, if a party only
supports say the ECDH portion of the hybrid handshake and not the RLWE
part, then they proceed with the portion they understand? For example, a
client sends their portion of a ECDH+RLWE handshake to a relay which only
understands ECDH, so the relay responds with only ECDH and they continue.
This is mostly a difference in subprotocol versioning for handshakes,
that is, an ECDH+RLWE handshake, rather than being "handshake type 5" or
whatever, would be "handshake type 2 AND/OR handshake type 5".
5. As written, the proposal doesn't specify a maximum (or minimum) size of
handshake data. However, the max is somewhat limited by the number of
allowed RELAY_EARLY cells; maximum handshake data is then limited to
♥Ⓐ isis agora lovecruft
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1240 bytes
Desc: Digital signature
More information about the tor-dev