[tor-dev] Padding prop224 REND1 cells to blend them with legacy cells

George Kadianakis desnacked at riseup.net
Tue Sep 19 14:44:46 UTC 2017

Hello Ian, (and other cryptographers on the list)

here is a quick question which you might be able to answer super fast:

Legacy RENDEZVOUS1 cells are bigger than the prop224 ones. The prop224
spec suggests we pad the new cells so that they look similar in size to
the legacy ones.

Here is how the legacy ones look like:

       RC       Rendezvous cookie  [20 octets]
       g^y      Diffie-Hellman     [128 octets]
       KH       Handshake digest   [20 octets]

Here is how the prop224 ones look like:

       RENDEZVOUS_COOKIE          [20 bytes]
       HANDSHAKE_INFO             [64 bytes]

The suggestion is to pad the prop224 cells to 168 bytes using random data.

Would that work? My main question is whether the g^y part of the legacy
cell has any distinguishers that could distinguish it from random data.
It's encoded using OpenSSL's BN_bn2bin() and it's a 1024 bit DH public
key. Are there any algebraic or openssl structure distinguishers we
should be worrying about, or is random data sufficient to mask it out?

Thanks!!! :)

More information about the tor-dev mailing list