
Re: tagging attacks and forward-message/reply-message distinction



On Sat, Apr 06, 2002 at 01:54:11AM -0500, Roger Dingledine wrote:
> that sounds really hard -- effectively you need to take a seed, use
> it to generate a payload-sized hunk of text, multiply encrypt it,
> and then find some seed which characterizes the encrypted text. So
> basically it's like approach one above, except you're compressing the
> random-and-thus-uncompressible payload which otherwise you'd have to
> transmit in full.

Wait. I was looking at this from the traditional
you've-got-to-build-it-from-the-reverse perspective of the public key
world. But since these are just symmetric keys, and it's just an xor
with a counter cipher, then you (the author of the reply block) have
total control over it in either direction.

So you could plausibly pick a random short seed, use it to generate the
first version of the A-payload, decrypt it just like the mix would, hash
it and put that hash into the header, iterate. And then you would just
need to send the header plus the seed to the other guy. He could use
the seed to expand it to an entire A-payload -- he would still have no
idea what it looks like after the first decryption, yet it would match
all the hashes because the author of the reply block rigged it that way.

Slick. I think. Going to sleep on it. I'll let you know if I change my
mind again. :)

--Roger
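The seed-rigging construction sketched in the message above, as an added toy implementation (this is not code from the thread, and not any mix implementation's code). Assumptions: a SHA-256-in-counter-mode keystream stands in for the real counter cipher (the only property used is that decrypting is XOR with the same stream), a plain list of per-hop hashes stands in for the multiply-encrypted header, the payload is 256 bytes, and the hop keys and seed are constructed values. The reply-block author runs build_reply_block; whoever later sends the reply runs expand_seed and hands the result to the first mix, which is what send_reply simulates:

```python
import hashlib

PAYLOAD_LEN = 256  # constructed payload size for the toy; real payloads are larger


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream: SHA-256(key || counter), block by block.

    Stand-in for the real counter cipher; the only property used is that
    "encrypting" and "decrypting" are the same XOR with the same stream.
    """
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def expand_seed(seed: bytes) -> bytes:
    """Expand a short seed into a full A-payload (the PRG the sender will also run)."""
    return keystream(b"payload-seed:" + seed, PAYLOAD_LEN)


def build_reply_block(hop_keys, seed):
    """Author's side: rig the hashes so the seed-expanded payload passes every hop.

    hop_keys are the symmetric keys the author shares with each mix, in the
    order the reply travels. Returns the per-hop hashes (standing in for the
    multiply-encrypted header) and the payload the author will finally receive.
    """
    payload = expand_seed(seed)
    header_hashes = []
    for key in hop_keys:
        payload = xor(payload, keystream(key, PAYLOAD_LEN))  # exactly what mix i will compute
        header_hashes.append(hashlib.sha256(payload).digest())  # exactly what mix i will check
    return header_hashes, payload


def mix_process(key, payload, expected_hash):
    """One mix: decrypt, then check the hash from its header. A tagged payload fails here."""
    out = xor(payload, keystream(key, PAYLOAD_LEN))
    if hashlib.sha256(out).digest() != expected_hash:
        return None  # drop the message
    return out


def send_reply(hop_keys, header_hashes, seed, tag_at=None):
    """Sender's side: expand the seed, optionally tag one byte, push through the mixes.

    The sender itself holds only the header hashes and the seed; hop_keys are
    passed here purely to simulate the mixes. Returns the payload the last hop
    emits, or None if some hop dropped it.
    """
    payload = expand_seed(seed)
    if tag_at is not None:  # simulate a tagging attack: flip one bit before hop 1
        tagged = bytearray(payload)
        tagged[tag_at] ^= 0x01
        payload = bytes(tagged)
    for key, h in zip(hop_keys, header_hashes):
        payload = mix_process(key, payload, h)
        if payload is None:
            return None
    return payload


if __name__ == "__main__":
    keys = [b"mix-1 key", b"mix-2 key", b"mix-3 key"]  # constructed hop keys
    seed = bytes.fromhex("00112233")                   # constructed short seed
    hashes, final = build_reply_block(keys, seed)
    assert send_reply(keys, hashes, seed) == final
    assert send_reply(keys, hashes, seed, tag_at=7) is None
    print("honest reply delivered; tagged reply dropped at hop 1")
```

The sender only ever sees expand_seed(seed) and the list of hashes; the hash for hop 1 is over the payload after hop 1's decryption, which the sender cannot compute without hop 1's key, so the hashes reveal nothing about the intermediate forms while still catching a single flipped bit at the first mix.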