[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Proposal 262: Re-keying live circuits with new cryptographic material



On Mon, 28 Dec 2015 17:43:57 -0500
Nick Mathewson <nickm@xxxxxxxxxxxxxx> wrote:
> 2. RELAY_REKEY cell operation
> 
>    To rekey, the circuit initiator ("client") can send a new
> RELAY_REKEY cell type:
> 
>         struct relay_rekey {
>           u16 rekey_method IN [0, 1];
>           u8 rekey_data[];
>         }
> 
>         const REKEY_METHOD_ACK = 0;
>         const REKEY_METHOD_SHAKE128_CLIENT = 1;
> 
>    This cell means "I am changing the key." The new key material will
> be derived from SHAKE128 of the aez_key concatenated with the
> rekey_data field, to fill a new shake_output structure.  The client
> should set rekey_data at random.

This should be SHAKE256 to be consistent with our initial AEZ key
derivation.  We're squeezing less data than the SHAKE256 rate, and we
need the same number of Keccak calls for either primitive during the
absorb phase, so there is no performance difference.

-- 
Yawning Angel

Attachment: pgpE0hHImTSKR.pgp
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev