[Sorry for the delay in answering your question directly to me. Busy busy and all... :-p ]
On Wed, Nov 11, 2015 at 08:05:26PM +0100, Jeff Burdges wrote:
>
> Hello,
>
> I've two basic symmetric crypto questions about the usage of symmetric
> crypto in the Sphinx mixnet format :
> http://freehaven.net/anonbib/cache/DBLP:conf/sp/DanezisG09.pdf
>
> I suppose a stream cipher was used for the header to simplify padding
> the header, yes? And a stream cipher with a MAC is probably as good or
> better than a block cipher anyways. Am I missing anything?

I'd have to think about whether you even *could* construct the header
with a block cipher. The construction in Figures 1 and 2 of the above
paper relies on the XOR underlying the stream cipher in order to get
the nested MACs to work out.

> I suppose the Lioness block cipher was selected for the body because :
> - We need a cipher that's secure when used in reverse for use with
>   single-use reply blocks (SURBs), but..
> - We could not use a stream cipher because we could not MAC the body
>   when creating a SURB, but..
> - A block cipher does not need the MAC to prevent message modification
>   attacks.
> - There is no explicit argument in the Lioness paper that it's equally
>   secure in the forwards or backwards direction, but it's pretty obvious
>   since Lion and Bear are both sub-ciphers of it.
>   https://www.cl.cam.ac.uk/~rja14/Papers/bear-lion.pdf
>
> Is this all correct?
>
> In short, if one wants to implement Sphinx then one really much needs
> to implement Lioness too. Or find something with similar properties,
> but Lioness is pretty straightforward.

What Sphinx needs from Lioness is a "large block" block cipher. You can
implement that however you like, but Lioness was a straightforward
construction.

-- 
Ian Goldberg
Associate Professor and University Research Chair
Cheriton School of Computer Science
University of Waterloo

_______________________________________________
Messaging mailing list
[email protected]
https://moderncrypto.org/mailman/listinfo/messaging
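The "large block" property the exchange above turns on is easy to see in code. The following is an added example for this thread, not code from the Sphinx paper, the Lioness paper, or either poster: a Lioness instance (the four-round unbalanced Feistel construction of Anderson and Biham) over a whole message body, the Sphinx-style layering where the sender applies the forward direction once per hop and each mix peels its layer with the inverse, and a check that flipping one ciphertext bit garbles essentially the entire plaintext, which is the reason the body needs no separate MAC. The choice of HMAC-SHA256 as the keyed hash H, SHAKE-256 as the keystream generator S, the four-key schedule, and the helper names (`wrap_body`, `peel_body`, `tamper_spread`) are all assumptions of this example; the Lioness paper leaves the primitives open and the Sphinx reference code picks its own.

```python
"""Lioness large-block cipher as the Sphinx body transform.

Added example for the mailing-list thread above; not the Sphinx or Lioness
authors' code.  Assumed primitives: HMAC-SHA256 for the keyed hash H and
SHAKE-256 as the keystream generator S.  The round-key derivation is ours.
"""
import hashlib
import hmac

HASH_LEN = 32  # |L| in bytes: output size of the keyed hash H


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _stream(key: bytes, n: int) -> bytes:
    # S(key): n bytes of keystream from a 32-byte key (SHAKE-256 XOF, assumed)
    return hashlib.shake_256(key).digest(n)


def _khash(key: bytes, data: bytes) -> bytes:
    # H(key, data): keyed hash with HASH_LEN output (HMAC-SHA256, assumed)
    return hmac.new(key, data, hashlib.sha256).digest()


def lioness_keys(master: bytes) -> tuple:
    # Derive round keys K1..K4 from one master key (assumed schedule)
    return tuple(_khash(master, b"lioness-round-%d" % i) for i in range(1, 5))


def lioness_encrypt(master: bytes, block: bytes) -> bytes:
    """Forward direction: four rounds over L (HASH_LEN bytes) and R (the rest)."""
    if len(block) <= HASH_LEN:
        raise ValueError("block must be longer than HASH_LEN")
    k1, k2, k3, k4 = lioness_keys(master)
    L, R = block[:HASH_LEN], block[HASH_LEN:]
    R = _xor(R, _stream(_xor(L, k1), len(R)))   # R ^= S(L ^ K1)
    L = _xor(L, _khash(k2, R))                   # L ^= H(K2, R)
    R = _xor(R, _stream(_xor(L, k3), len(R)))   # R ^= S(L ^ K3)
    L = _xor(L, _khash(k4, R))                   # L ^= H(K4, R)
    return L + R


def lioness_decrypt(master: bytes, block: bytes) -> bytes:
    """Inverse direction: the same rounds applied in reverse order."""
    if len(block) <= HASH_LEN:
        raise ValueError("block must be longer than HASH_LEN")
    k1, k2, k3, k4 = lioness_keys(master)
    L, R = block[:HASH_LEN], block[HASH_LEN:]
    L = _xor(L, _khash(k4, R))
    R = _xor(R, _stream(_xor(L, k3), len(R)))
    L = _xor(L, _khash(k2, R))
    R = _xor(R, _stream(_xor(L, k1), len(R)))
    return L + R


def wrap_body(hop_keys: list, payload: bytes) -> bytes:
    # Sender adds one layer per hop, innermost (last hop) first.
    body = payload
    for k in reversed(hop_keys):
        body = lioness_encrypt(k, body)
    return body


def peel_body(hop_keys: list, body: bytes) -> bytes:
    # Each mix, in path order, removes its own layer with the inverse direction.
    for k in hop_keys:
        body = lioness_decrypt(k, body)
    return body


def tamper_spread(master: bytes, block: bytes) -> int:
    # Flip one bit of the ciphertext and count how many plaintext bytes change.
    # A large-block cipher spreads any edit over the whole block, so an attacker
    # cannot make a controlled change, which is why no MAC is needed on the body.
    ct = bytearray(lioness_encrypt(master, block))
    ct[-1] ^= 0x01
    damaged = lioness_decrypt(master, bytes(ct))
    return sum(1 for a, b in zip(block, damaged) if a != b)


if __name__ == "__main__":
    # Constructed sample body and per-hop keys, for illustration only
    payload = b"\x00" * 16 + b"constructed sample payload for a three-hop path"
    hops = [b"\x01" * 32, b"\x02" * 32, b"\x03" * 32]
    print(peel_body(hops, wrap_body(hops, payload)) == payload)
    print(tamper_spread(hops[0], payload), "of", len(payload), "bytes changed")
```

Both directions are full permutations of the block, so the SURB case the thread asks about (applying the inverse before the forward direction) round-trips just as well as the normal order. In the Sphinx paper the final recipient detects the garbling shown by `tamper_spread` because the innermost plaintext is prefixed with a run of zero bytes that it checks after peeling the last layer.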
