Hello tor-devs,
Martijn Stam and myself have previously worked on analysing the security of proposal 261. Together with Martijn's PhD student, Alessandro Melloni, we have now written a proposal for an onion encryption scheme as an alternative to Proposals 261 and 295. It builds on the GCM-RUP construction from [ADL17] but it offers a number of improvements over proposal 295. In addition to addressing the issues described below we expect it to offer better performance. We are currently working on a security proof and potential efficiency optimisations for this scheme. In the meantime, we would be very happy to hear what you think and any feedback you may have. If something is unclear, please let us know.
Best,
Martijn, Alessandro, and Jean Paul
---------------------
In our assessment of proposal 295 we identified the following issues:
a) Improper use of the universal hash function. The proposal suggested using GHASH, a universal hash function, to compute the digest. Universal hash functions require their input to be independent of the hash key for security to hold. This is also a basic requirement in the tweakable block cipher construction, underlying the PIV and RUP constructions. However, the construction requires feeding back the digest (which is key-dependent) back into the input of the hash. Note that such feedback was not present in [ADL17] and the security proof breaks down with this modification.
b) Lack of Forward Security for any type of hash function that is used. If instantiated with GHASH, proposal 295 does not provide forward security (as it is easy to invert given the hash key). The designers suggested (on the Tor dev mailing list) that forward security could be achieved by instantiating the hash function with SHA2 or SHAKE instead. Clearly this degrades the efficiency of the scheme but, as we argue below, it still does not suffice to achieve forward security Specifically, even if the hash function is instantiated with an ideal hash function (a random oracle), the construction succumbs to the following attack.
Assume that the last OR in a circuit of length n has already processed some cells and that its current state is (Kf_n, Kb_n, Ktf_n, Ktb_n, Khf_n, Khb_n, Tf'_n, Tf'_{n+1}, Tb'_n, Tb'_{n+1}). An adversary, who has collected previous ciphertexts and nonces (C, N), then corrupts it. The adversary has enough information to recover the last message received by OR_n, which it computes as follows:
N_{n+1} = Tf'_n ^ D(Ktf_n, Tf'_n ^ N_n) M = Decrypt(Kf_n, N_{n+1}, C_n).
Clearly this breaks forward security, and it is enabled by the fact that the current digest needs to be saved for computing the next digest for when another ciphertext is received.
[ADL17] Tomer Ashur, Orr Dunkelman, Atul Luykx, "Boosting Authenticated Encryption Robustness with Minimal Modifications", CRYPTO 2017.
On Thu, Sep 12, 2019 at 6:34 PM Jean Paul Degabriele jpdega@gmail.com wrote:
Hello tor-devs,
Martijn Stam and myself have previously worked on analysing the security of proposal 261. Together with Martijn's PhD student, Alessandro Melloni, we have now written a proposal for an onion encryption scheme as an alternative to Proposals 261 and 295. It builds on the GCM-RUP construction from [ADL17] but it offers a number of improvements over proposal 295. In addition to addressing the issues described below we expect it to offer better performance. We are currently working on a security proof and potential efficiency optimisations for this scheme. In the meantime, we would be very happy to hear what you think and any feedback you may have. If something is unclear, please let us know.
Thank you! I've added this as proposal 308. I'll be looking it over with interest in the near future.
One thing that helps me understand this kind of proposal is writing or examining a reference implementation for it, so I can see clearly what state is kept, which party does what, and so on. I did one for proposal 295 as https://github.com/nmathewson/prop295ref -- I hope I can get a reference implementation together for this one too, unless you're already on it.
It would also be interesting to know what the ADL authors think of this proposal too -- most of us at Tor aren't cryptographers ourselves.
thanks again, and best wishes,
Hi,
Thank you! I've added this as proposal 308. I'll be looking it over
with interest in the near future.
Thanks for adding this to the list of proposals.
One thing that helps me understand this kind of proposal is writing or examining a reference implementation for it, so I can see clearly what state is kept, which party does what, and so on. I did one for proposal 295 as https://github.com/nmathewson/prop295ref -- I hope I can get a reference implementation together for this one too, unless you're already on it.
A reference implementation would be nice and at the moment we are not working on that.
It would also be interesting to know what the ADL authors think of
this proposal too -- most of us at Tor aren't cryptographers ourselves.
Of course, all input is welcome.
Best wishes,
Jean Paul
Hi Nick, all,
It would also be interesting to know what the ADL authors think of this proposal too -- most of us at Tor aren't cryptographers ourselves.
We're looking into it. If indeed this proposal delivers on its claims we'll be happy to endorse it over Proposal 295. Will try to get back to you soon.
Tomer
-----Original Message----- From: tor-dev tor-dev-bounces@lists.torproject.org On Behalf Of Nick Mathewson Sent: Sunday, September 15, 2019 3:26 AM To: tor-dev@lists.torproject.org Cc: martijn@simula.no Subject: Re: [tor-dev] Counter Galois Onion: A New Proposal for Forward-Secure Relay Cryptography
On Thu, Sep 12, 2019 at 6:34 PM Jean Paul Degabriele jpdega@gmail.com wrote:
Hello tor-devs,
Martijn Stam and myself have previously worked on analysing the security of proposal 261. Together with Martijn's PhD student, Alessandro Melloni, we have now written a proposal for an onion encryption scheme as an alternative to Proposals 261 and 295. It builds on the GCM-RUP construction from [ADL17] but it offers a number of improvements over proposal 295. In addition to addressing the issues described below we expect it to offer better performance. We are currently working on a security proof and potential efficiency optimisations for this scheme. In the meantime, we would be very happy to hear what you think and any feedback you may have. If something is unclear, please let us know.
Thank you! I've added this as proposal 308. I'll be looking it over with interest in the near future.
One thing that helps me understand this kind of proposal is writing or examining a reference implementation for it, so I can see clearly what state is kept, which party does what, and so on. I did one for proposal 295 as https://github.com/nmathewson/prop295ref -- I hope I can get a reference implementation together for this one too, unless you're already on it.
It would also be interesting to know what the ADL authors think of this proposal too -- most of us at Tor aren't cryptographers ourselves.
thanks again, and best wishes, -- Nick _______________________________________________ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
-
Jean Paul Degabriele -
Nick Mathewson -
Tomer Ashur