On 10/19/17 3:55 PM, Jeff Burdges wrote: > On Wed, 2017-10-18 at 09:33 +0300, Nazar Mokrynskyi wrote: >> Message will still reach receiver (not dropped early), but from >> corrupted message it should not be possible to recover any structure >> that will allow to confirm tagging attack, it should look like >> rubbish. > There is still a 1 bit tagging attack where corrupting the message is > the tag, so one can send 1 bit per frame this way in an onion router. > > All I know is that Tor plants to use a wide-block cipher eventually, but > they did not prioritize it highly enough to use AEZ now, and instead > opted to wait until HHFHFH materializes to compare.
1 bit tagging is less of an issue if you have cover traffic, since it should be difficult to distinguish corrupted packet from regular cover traffic. Information about HHFHFH is very scarce, don't know what to expect from it yet and when it will be published, not even talking about some third-party analysis. The best thing IMO here is to prepare for relatively easy and fast cipher swapping when/if necessary. Sincerely, Nazar Mokrynskyi github.com/nazar-pc
_______________________________________________ Messaging mailing list Messaging@moderncrypto.org https://moderncrypto.org/mailman/listinfo/messaging
