On Sat, 07 May 2016 23:46:28 +0200
Jeff Burdges <burdges@xxxxxxxxxx> wrote:

> On Sat, 2016-05-07 at 13:14 -0700, Watson Ladd wrote:
> > I'm not sure I understand the concern here. An attacker sees that we
> > got unlucky: that doesn't help them with recovering SEED under mild
> > assumptions we need anyway about SHAKE indistinguishability.
>
> We're assuming the adversary controls a node in your circuit and hence
> sees your seed later. You get unlucky like over 400 times, so, if
> they can record enough of the failure pattern, then their node can
> recognize you from your seed.

Hmm? The timing information that's available to a local attacker (how an adversary will be limited to just this information, and not things that enable a strong attack on its own like packet timing, escapes me) would be the total time taken for `a` generation.

So, the evil observer on Alice's side gets:

 * The total number of samples (N).

Bob (or Eve) gets:

 * The seed, which may correspond to something that required N samples.

I don't think there's much pattern information available to the attacker on Alice's side, but I may be missing something...

Regards,

-- 
Yawning Angel
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
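The exchange above, as an added example that is not part of the thread or of any Tor or NewHope code: a rejection sampler that expands a seed with SHAKE-128 into the public polynomial `a`, returning the total number of 16-bit samples it consumed (the N of the message). The modulus q = 12289, n = 1024 coefficients and the accept-if-below-5q rule are assumed parameters chosen for illustration. The two small helpers model the two vantage points in the message: `rejections()` is what a timing observer on Alice's side effectively learns, and `seeds_consistent_with()` is what a node that later sees the seed can do with that number. `entropy_of_n()` measures empirically how much identifying information N alone carries over random seeds.

```python
"""Rejection sampling of `a` from a seed, with the sample count exposed.

Added example, not code from the thread. Parameters below are assumptions
(NewHope-like), not taken from the discussion.
"""
import hashlib
import math
import os
from collections import Counter

Q = 12289           # assumed modulus
N_COEFFS = 1024     # assumed polynomial degree
BOUND = 5 * Q       # largest multiple of Q below 2**16: 61445, so accepted
                    # samples reduced mod Q are exactly uniform in [0, Q)


def gen_a(seed: bytes, q: int = Q, n: int = N_COEFFS):
    """Expand `seed` with SHAKE-128 into n coefficients uniform in [0, q).

    Each 16-bit little-endian sample is accepted iff it is below 5q (then
    reduced mod q); otherwise it is rejected and the next sample is tried.
    Returns (coeffs, total_samples). total_samples is N in the thread: it is
    a deterministic function of the seed, so whoever measures it on Alice's
    side and whoever later learns the seed are looking at the same number.
    """
    bound = 5 * q
    buf_len = 4 * n  # bytes requested from the XOF; doubled if it runs short
    while True:
        # SHAKE output of length L is a prefix of the output of length 2L,
        # so re-requesting a longer digest continues the same sample stream.
        buf = hashlib.shake_128(seed).digest(buf_len)
        coeffs = []
        total = 0
        for i in range(0, len(buf) - 1, 2):
            if len(coeffs) == n:
                break
            total += 1
            v = int.from_bytes(buf[i:i + 2], "little")
            if v < bound:
                coeffs.append(v % q)
        if len(coeffs) == n:
            return coeffs, total
        buf_len *= 2  # unlucky run of rejections exhausted the buffer; retry


def rejections(seed: bytes) -> int:
    """Alice's side: the count of 'unlucky' draws a timing observer can infer,
    assuming generation time is proportional to samples consumed."""
    return gen_a(seed)[1] - N_COEFFS


def seeds_consistent_with(observed_total: int, candidate_seeds):
    """Bob's/Eve's side: given seeds seen later, keep those whose recomputed N
    matches the sample count observed on Alice's side."""
    return [s for s in candidate_seeds if gen_a(s)[1] == observed_total]


def entropy_of_n(num_seeds: int = 256, rng=os.urandom) -> float:
    """Empirical Shannon entropy (bits) of N over random 32-byte seeds: how
    much a single total-sample-count observation can narrow down a seed."""
    counts = Counter(gen_a(rng(32))[1] for _ in range(num_seeds))
    return -sum(c / num_seeds * math.log2(c / num_seeds) for c in counts.values())


if __name__ == "__main__":
    alice_seed = os.urandom(32)                     # constructed sample input
    _, n_total = gen_a(alice_seed)
    print("samples consumed:", n_total, "rejections:", rejections(alice_seed))
    pool = [os.urandom(32) for _ in range(50)] + [alice_seed]
    print("seeds matching the observed N:", len(seeds_consistent_with(n_total, pool)))
    print("bits of identifying information in N alone: %.2f" % entropy_of_n())
```

Note that with these parameters the rejection rate is about 6%, so N clusters tightly around n/0.9375 and the empirical entropy comes out at a few bits: enough to rule seeds in or out, far from enough to single one out, which is the quantitative version of the doubt expressed in the message.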