[messaging] Sphinx symmetric crypto questions
ian at cypherpunks.ca
Wed Nov 11 16:06:18 PST 2015
[Sorry for the delay in answering your question directly to me. Busy
busy and all... :-p ]
On Wed, Nov 11, 2015 at 08:05:26PM +0100, Jeff Burdges wrote:
> I've two basic symmetric crypto questions about the usage of symmetric
> crypto in the Sphinx mixnet format:
> I suppose a stream cypher was used for the header to simplify padding
> the header, yes? And a stream cypher with a MAC is probably as good or
> better than a block cypher anyways. Am I missing anything?
I'd have to think about whether you even *could* construct the header
with a block cipher. The construction in Figures 1 and 2 of the above
paper relies on the XOR underlying the stream cipher in order to get the
nested MACs to work out.
> I suppose the lioness block cypher selected for the body because :
> - We need a cypher that's secure when used in reverse for use with
> single-use reply blocks (SURBs), but..
> - We could not use a stream cypher because we could not MAC the body
> when creating a SURB, but..
> - A block cypher does not need the MAC to prevent message modification
> - There is no explicit argument in the Lioness paper that it's equally
> secure in the forwards or backwards direction, but it's pretty obvious
> since lion and bear are both sub-cyphers of it.
> Is this all correct?
> In short, if one wants to implement Sphinx then one really much needs
> to implement Lioness too. Or find something with similar properties,
> but Lioness is pretty straightforward.
What Sphinx needs from Lioness is a "large block" block cipher. You can
implement that however you like, but Lioness was a straightforward
Associate Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo
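As an added example (not code from Ian's reply or from the Sphinx or Lioness papers), a Lioness-style four-round large-block cipher in Python. The stream cipher S is a constructed SHA-256 counter-mode stand-in, H is HMAC-SHA256, and the K1..K4 derivation is an assumed KDF, so this illustrates the structure rather than interoperating with any real Lioness implementation. It shows the properties the thread is discussing: it encrypts a block of any length, decryption is the same rounds in reverse so the reverse (SURB) direction also round-trips, and flipping one ciphertext bit garbles the whole plaintext rather than one position.

```python
import hashlib
import hmac

HASH_LEN = 32  # width of the left half L; the right half R is the rest of the block

def _stream(key: bytes, n: int) -> bytes:
    """Constructed stand-in stream cipher S: SHA-256(key || counter) keystream, n bytes."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _h(key: bytes, data: bytes) -> bytes:
    """Keyed hash H (HMAC-SHA256); its output width fixes HASH_LEN."""
    return hmac.new(key, data, hashlib.sha256).digest()

def _subkeys(key: bytes):
    """Derive round keys K1..K4 from one master key (assumed KDF, not Lioness's own)."""
    return [hashlib.sha256(key + bytes([i])).digest() for i in range(1, 5)]

def lioness_encrypt(key: bytes, block: bytes) -> bytes:
    """Four-round Lioness-style encryption of one block of any length > HASH_LEN."""
    if len(block) <= HASH_LEN:
        raise ValueError("block must be longer than HASH_LEN bytes")
    k1, k2, k3, k4 = _subkeys(key)
    left, right = block[:HASH_LEN], block[HASH_LEN:]
    right = _xor(right, _stream(_xor(left, k1), len(right)))  # R ^= S(L ^ K1)
    left = _xor(left, _h(k2, right))                          # L ^= H(K2, R)
    right = _xor(right, _stream(_xor(left, k3), len(right)))  # R ^= S(L ^ K3)
    left = _xor(left, _h(k4, right))                          # L ^= H(K4, R)
    return left + right

def lioness_decrypt(key: bytes, block: bytes) -> bytes:
    """Same rounds in reverse order; decrypt-then-encrypt also round-trips (the SURB direction)."""
    k1, k2, k3, k4 = _subkeys(key)
    left, right = block[:HASH_LEN], block[HASH_LEN:]
    left = _xor(left, _h(k4, right))
    right = _xor(right, _stream(_xor(left, k3), len(right)))
    left = _xor(left, _h(k2, right))
    right = _xor(right, _stream(_xor(left, k1), len(right)))
    return left + right
```

Because every output byte depends on every input byte, a single modified ciphertext byte decrypts to an unrelated plaintext, which is the property the quoted point about not needing a MAC on the body relies on.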