On Thu, Apr 07, 2011 at 06:13:45PM -0400, Nick Mathewson wrote:
Oh! Also, for a bit of redundancy, I'm thinking that the symmetric crypto parts of the improved onion handshakes ought to be with a less malleable mode of operation than the counter-mode stuff we do now. Perhaps we could make use of an all-or-nothing mode of operation like LIONESS or biIGE. (They're both slower than counter mode, but for purposes of CREATE cells, I don't think the hit will matter in comparison with the cost of the public-key operations.)
This is another thing that triggers my crypto-spidey-sense. The particular problem that I'm thinking of is that for MAC-then-encrypt, only some modes of operation are secure (CTR is, CBC is not). In some ways, the malleability of CTR is a strength, and I'd be concerned that something else might be able to be leveraged in an attack.
Steven.