On Sun, Nov 29, 2015 at 7:06 PM, Tim Wilson-Brown - teor teor2345@gmail.com wrote:
On 30 Nov 2015, at 09:13, Nick Mathewson nickm@torproject.org wrote: ... 2.2. New relay cell payload ... When encrypting a cell for a hop that was created using one of these circuits, clients and relays encrypt them using the AEZ algorithm with the following parameters:
Let Chain denote chain_val_forward if this is a forward cell or chain_forward_backward otherwise.chain_val_backward?
Yes, whoops.
...
3.3. Why _not_ AEZ?
...
THIRD, it's really horrible to try to do it in hardware.
This may be considered an advantage against an adversary with the resources to employ custom hardware to attempt to break AEZ-based encryption.
Ooh. Interesting.
...
... 4.3. A forward-secure variant.
How is this different to what you've specified in the main body of the proposal?
We might want the property that after every cell, we can forget some secret that would enable us to decrypt that cell if we saw it again.
Whoops; it's leftover text from an earlier version of the proposal.