[messaging] [Fwd: Re: Ronion anonymous routing protocol framework]

Jeff Burdges burdges at gnunet.org
Tue Oct 17 14:58:15 PDT 2017

On Tue, 2017-10-17 at 22:54 +0300, Nazar Mokrynskyi wrote:
> My understanding of the subject is probably not deep enough, but as I
> understand it right now, you can't hide the number of hops and use
> authenticated encryption on each hop and also have a fixed length of
> the final message.

It's requires a customized "mode", but it's easy to do :  

You reserve one 16 bytes per hop for a poly1305 MAC, name these
tag_0, .., tag_n.  A node first splits the incoming packet into
	iv || tag || moretags || body
where tag is 16 bytes and moretags is 16*n bytes.  You authenticate by
	poly1305(iv, key, moretags || body) = tag
Now you decrypt the block
	z1 || moretags || z2 || body
where z1 and z2 are iv length and 16 bytes of zeros, respectively.  You
send the decrytion of this verbatim to the next hop.  

In effect, this slides moretags forward and decrypts the next tag and
pulls off one layer of encryption from each subsequent tag.  You create
deterministic randomness for the next iv and the now empty last tag

It's tricky to create the tags of course since you must know how these
encrypted z2 tails stack up to fill up moretags before you can compute
the final (first) tag, but you can do so because they are all
deterministic results from the stream cipher.

Read about the Sphinx mix network packet format for more details on
building the tags via the tails of moretags.  In fact, we were actually
speaking in the context of Sphinx where the iv and body are empty. 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20171017/2b57640d/attachment.sig>

More information about the Messaging mailing list