On 6/19/12, Nick Mathewson <nickm@freehaven.net> wrote:
> Filename: 202-improved-relay-crypto.txt
>
> Any new approach should be able to coexist on a circuit with the old approach. That is, if Alice wants to build a circuit through Bob1, Bob2, and Bob3, and only Bob2 supports a revised relay protocol, then Alice should be able to build a circuit such that she can have Bob1 and Bob3 process each cell with the current protocol, and Bob2 process it with a revised protocol. (Why? Because if all nodes in a circuit needed to use the same relay protocol, then each node could learn information about the other nodes in the circuit from which relay protocol was chosen. For example, if Bob1 supports the new protocol, and sees that the old relay protocol is in use, and knows that Bob2 supports the new one, then Bob1 has learned that Bob3 is some node that does not support the new relay protocol.)
This feature is unsafe to use. Each client must use the same circuit-extension protocol for every relay on every circuit it builds.
> 2.1. Chained large-block what now?
>
> We assume the existence of a primitive that provides the desired properties of a tweakable [Tweak] block cipher, taking blocks of any desired size. (In our case, the block size is 509 bytes [*].)
>
> It also takes a Key, and a per-block "tweak" parameter that plays the same role that an IV plays in CBC, or that the counter plays in counter mode.
>
> The Tweak-chaining function TC takes as input a previous tweak, a tweak chaining key, and a cell; it outputs a new tweak. Its purpose is to make future cells undecryptable unless you have received all previous cells. It could probably be something like a MAC of the old tweak and the cell using the tweak chaining key as the MAC key.
No. In every tweakable block cipher construction which I have seen proposed, an attacker who knows the key and has one plaintext and its corresponding ciphertext can recover the tweak.
Varying the tweak would allow an honest recipient to fail to decrypt a cell if any previous cell was altered, but cells are not undecryptable if only the tweak is unknown.
Robert Ransom
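The following is an added illustration of the point Robert makes above; it is not code from the proposal, from Tor, or from either poster. It builds a toy 509-byte tweakable cipher in the simplest "XOR the tweak into the block input" style (an assumed construction chosen because tweak recovery is immediate in it; other constructions are not claimed to behave identically), a tweak-chaining function TC as the proposal sketches it (assumed here to hash the on-the-wire ciphertext cell), and then shows both halves of Robert's reply: an altered earlier cell does make the honest recipient's later decryptions fail, but a party who knows the keys and one plaintext/ciphertext pair recovers the tweak from that pair and decrypts everything after it without having seen the earlier cells. The Feistel block cipher, the key sizes and the sample cells are all constructed for the example.

```python
import hashlib
import secrets

BLOCK = 509          # relay cell payload size named in the proposal
L_LEN = 32           # left half of the toy unbalanced Feistel network
R_LEN = BLOCK - L_LEN
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, rnd, data, out_len):
    # Keyed round function: SHAKE-256 used as a PRF with chosen output length.
    return hashlib.shake_256(b"F" + key + bytes([rnd]) + data).digest(out_len)


def block_encrypt(key, block):
    # Toy 509-byte wide block cipher (unbalanced Feistel); stands in for the
    # "block cipher taking blocks of any desired size" the proposal assumes.
    assert len(block) == BLOCK
    left, right = block[:L_LEN], block[L_LEN:]
    for rnd in range(ROUNDS):
        if rnd % 2 == 0:
            right = _xor(right, _f(key, rnd, left, R_LEN))
        else:
            left = _xor(left, _f(key, rnd, right, L_LEN))
    return left + right


def block_decrypt(key, block):
    left, right = block[:L_LEN], block[L_LEN:]
    for rnd in reversed(range(ROUNDS)):
        if rnd % 2 == 0:
            right = _xor(right, _f(key, rnd, left, R_LEN))
        else:
            left = _xor(left, _f(key, rnd, right, L_LEN))
    return left + right


def tweak_encrypt(key, tweak, cell):
    # Assumed tweakable construction: E_K(P xor T). Simplest case for the
    # discussion; chosen for illustration, not taken from the proposal.
    return block_encrypt(key, _xor(cell, tweak))


def tweak_decrypt(key, tweak, cell_ct):
    return _xor(block_decrypt(key, cell_ct), tweak)


def tweak_chain(chain_key, prev_tweak, cell_ct):
    # TC(prev tweak, chaining key, cell): a keyed hash of the old tweak and
    # the ciphertext cell, as the proposal suggests ("something like a MAC").
    return hashlib.shake_256(b"TC" + chain_key + prev_tweak + cell_ct).digest(BLOCK)


def recover_tweak(key, plaintext, ciphertext):
    # Robert's observation, for this construction: with the key and one
    # known (P, C) pair, T = D_K(C) xor P.
    return _xor(block_decrypt(key, ciphertext), plaintext)


def encrypt_stream(key, chain_key, tweak0, cells):
    out, tweak = [], tweak0
    for cell in cells:
        ct = tweak_encrypt(key, tweak, cell)
        out.append(ct)
        tweak = tweak_chain(chain_key, tweak, ct)
    return out


def decrypt_stream(key, chain_key, tweak0, cts):
    out, tweak = [], tweak0
    for ct in cts:
        out.append(tweak_decrypt(key, tweak, ct))
        tweak = tweak_chain(chain_key, tweak, ct)
    return out


def demo():
    """Returns (honest_ok, tamper_breaks_later_cells, known_pair_recovers_rest)."""
    key, chain_key = secrets.token_bytes(32), secrets.token_bytes(32)
    tweak0 = secrets.token_bytes(BLOCK)                 # initial tweak, constructed
    cells = [("cell %d" % i).encode().ljust(BLOCK, b"\0") for i in range(4)]
    cts = encrypt_stream(key, chain_key, tweak0, cells)

    honest_ok = decrypt_stream(key, chain_key, tweak0, cts) == cells

    # Flip one bit of cell 0 in transit: chaining carries the damage forward,
    # so the honest recipient also fails on cell 1 (Nick's intended property).
    tampered = [bytes([cts[0][0] ^ 1]) + cts[0][1:]] + cts[1:]
    tampered_pts = decrypt_stream(key, chain_key, tweak0, tampered)
    tamper_breaks_later = tampered_pts[1] != cells[1]

    # A party holding both keys, who never saw cells 0 and 1 or tweak0 but
    # knows the plaintext of cell 2, recovers its tweak and decrypts cell 3.
    t2 = recover_tweak(key, cells[2], cts[2])
    t3 = tweak_chain(chain_key, t2, cts[2])
    known_pair_recovers_rest = tweak_decrypt(key, t3, cts[3]) == cells[3]

    return honest_ok, tamper_breaks_later, known_pair_recovers_rest


if __name__ == "__main__":
    print(demo())
```

The three booleans from demo() are all True: the chained tweak gives the "fail to decrypt if any previous cell was altered" behaviour, while the "undecryptable unless you have received all previous cells" claim does not survive a known key plus one known plaintext, which is the distinction Robert draws.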