Re: [tor-dev] Proposal 262: Re-keying live circuits with new cryptographic material

On Mon, 28 Dec 2015 17:43:57 -0500 Nick Mathewson nickm@torproject.org wrote:

2. RELAY_REKEY cell operation

   To rekey, the circuit initiator ("client") can send a new

RELAY_REKEY cell type:

    struct relay_rekey {
      u16 rekey_method IN [0, 1];
      u8 rekey_data[];
    }

    const REKEY_METHOD_ACK = 0;
    const REKEY_METHOD_SHAKE128_CLIENT = 1;

This cell means "I am changing the key." The new key material will be derived from SHAKE128 of the aez_key concatenated with the rekey_data field, to fill a new shake_output structure. The client should set rekey_data at random.

This should be SHAKE256 to be consistent with our initial AEZ key derivation. We're squeezing less data than the SHAKE256 rate, and we need the same number of Keccak calls for either primitive during the absorb phase, so there is no performance difference.