[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] RFC: AEZ for relay cryptography, v2

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] RFC: AEZ for relay cryptography, v2
From: Tim Wilson-Brown - teor <teor2345@xxxxxxxxx>
Date: Mon, 30 Nov 2015 18:12:06 +1100
Delivered-to: archiver@xxxxxxxx
Delivery-date: Mon, 30 Nov 2015 02:12:26 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:message-id :references:to; bh=9Hpt+cVunqR1IemYMTFm2IjLcexW5KcfaLg9Ly6AHWk=; b=WOmGiYUBR29ZsIrwad2LTKqH7xraOhv6Eb68ngH4Regx7pz1amUJOMRz/mkT6mYGC1 84R/NnlabV8ufK5jSZFhENWY3zTnJJ2ahTCXPjhvY7zpb+FszAZ+7bzlrSBV2J2NSJ1W N/FLpqoRTT88km++vtA5Kv4Am6dgODbvlhPRH5nDkjgfxwnaUASp6XbNX1WC3UqYcJZs YpfkW2IWsw0kFneQxPtpDQVjXHhndh4r3OgCWwVbA0UQkFvPu1/ZCLIuX/8eHmyAM5LB TxbVpffjPjIOSsyFz2jzlUpjLH6FORo03ON4a5X+Y6pWYmJLMAMvkLyrOXHZGefQHl90 jx8A==
In-reply-to: <CAKDKvuyRDHGzojyftV5QuTbMhA+RHuchQTZgY+gZBhs2jRyTtA@xxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <CAKDKvuzR3s-eSAS1csEvZDAc17S7WqkvGQ5udX=YCdk1wbhV1g@xxxxxxxxxxxxxx> <B671D30A-AF49-4C04-A0E5-AC0E0E68A053@xxxxxxxxx> <CAKDKvuyRDHGzojyftV5QuTbMhA+RHuchQTZgY+gZBhs2jRyTtA@xxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi Nick,

The AEZ paper says:

"We impose a limit that AEZ be used for at most 2^48 bytes of data (about 280 TB); by that time, the user should rekey. This usage limit stems from the existence of birthday attacks on AEZ, as well as the use of AES4 to create a universal hash function."

http://web.cs.ucdavis.edu/~rogaway/aez/rae.pdf

Since we change the tweak for every cell, do we have to be worried about this limit?

(Regardless of the tweak change, we are keeping the key constant, and using the same key forwards and backwards.)

It seems to me that the 280 TB limit so large that we don't have to worry about it being reached in any real-world circuit.

But I'm not sure of the maximum data volumes or lifetimes of current Tor circuits.

Should we include a method of rekeying in the Tor AEZ specification, in case the recommended limit is reduced in future?

Tim

On 30 Nov 2015, at 12:21, Nick Mathewson <nickm@xxxxxxxxxxxx> wrote:

On Sun, Nov 29, 2015 at 7:06 PM, Tim Wilson-Brown - teor
<teor2345@xxxxxxxxx> wrote:

On 30 Nov 2015, at 09:13, Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:
...
2.2. New relay cell payload
...
When encrypting a cell for a hop that was created using one of these
circuits, clients and relays encrypt them using the AEZ algorithm
with the following parameters:

Let Chain denote chain_val_forward if this is a forward cell
or chain_forward_backward otherwise.

chain_val_backward?

Yes, whoops.

...

3.3. Why _not_ AEZ?

...

THIRD, it's really horrible to try to do it in hardware.

This may be considered an advantage against an adversary with the resources
to employ custom hardware to attempt to break AEZ-based encryption.

Ooh. Interesting.

...

...
4.3. A forward-secure variant.

How is this different to what you've specified in the main body of the
proposal?

We might want the property that after every cell, we can forget
some secret that would enable us to decrypt that cell if we saw
it again.

Whoops; it's leftover text from an earlier version of the proposal.

--
Nick
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] RFC: AEZ for relay cryptography, v2
  - From: Nick Mathewson
- Re: [tor-dev] RFC: AEZ for relay cryptography, v2
  - From: Tim Wilson-Brown - teor
- Re: [tor-dev] RFC: AEZ for relay cryptography, v2
  - From: Nick Mathewson

Prev by Author: Re: [tor-dev] RFC: AEZ for relay cryptography, v2
Next by Author: Re: [tor-dev] running a BWauth
Previous by thread: Re: [tor-dev] RFC: AEZ for relay cryptography, v2
Next by thread: [tor-dev] BridgeDB 0.3.4 is released
Index(es):
- Author
- Thread