On Tue, 2017-10-17 at 22:54 +0300, Nazar Mokrynskyi wrote:
> My understanding of the subject is probably not deep enough, but as I
> understand it right now, you can't hide the number of hops and use
> authenticated encryption on each hop and also have a fixed length of
> the final message.
It requires a customized "mode", but it's easy to do:

You reserve 16 bytes per hop for a poly1305 MAC; name these tag_0, ..., tag_n. A node first splits the incoming packet into iv || tag || moretags || body, where tag is 16 bytes and moretags is 16*n bytes. You authenticate by checking poly1305(iv, key, moretags || body) = tag.

Now you decrypt the block z1 || moretags || z2 || body, where z1 and z2 are iv length and 16 bytes of zeros, respectively. You send the decryption of this verbatim to the next hop. In effect, this slides moretags forward, decrypts the next tag, and pulls off one layer of encryption from each subsequent tag. You create deterministic randomness for the next iv and the now empty last tag space.

It's tricky to create the tags of course, since you must know how these encrypted z2 tails stack up to fill up moretags before you can compute the final (first) tag, but you can do so because they are all deterministic results from the stream cipher. Read about the Sphinx mix network packet format for more details on building the tags via the tails of moretags.

In fact, we were actually speaking in the context of Sphinx, where the iv and body are empty.

Jeff
_______________________________________________
Messaging mailing list
Messaging@moderncrypto.org
https://moderncrypto.org/mailman/listinfo/messaging