[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: one less onion skin

Steve Southam wrote:
Is it because the ORs don't know where they are in the circuit?
Of course OR3 knows it's at the end, but the others either recognize or relay.

I agree that not using k_1, d_1 would allow OR1 to determine that they are the first node in a circuit. However, Tor clients already leak this information. The key agreement with OR1 is done using a "CREATE_FAST" command rather than a normal "CREATE". So, once an OR receives a "CREATE_FAST" it knows its position in the circuit. (it might be that Tor clients which are also onion routers themselves do not send "CREATE_FAST"... I am not sure)

So the question is, if we have already leaked this information, are we wasting CPU cycles doing AES with OR1?