📅 Original date posted:2015-12-15
📝 Original message:
Olaoluwa Osuntokun <laolu32 at gmail.com> writes:
> Hi y'all!!
Hi Olaoluwa, welcome to the list!
I've yet to read the papers, so forgive if I've made an error
below.
> First, I'll give a brief overview of Sphinx. I won't delve into the exact
> details of the protocol, instead I'll highlight the key insight that allows
> for
> *extremely* small mix-headers. If we assume a maximum diameter of 20 hops,
> and a
> 16-byte MAC, then a full onion blob weighs in at only 705 bytes! This is
> considerably smaller (a 4X size reduction) than the 3840 bytes per
> onion-blob in
> current proposal.
Not sure where these numbers come from? The current header overhead is
sha256 (32 bytes) + pubkey (33 bytes), or 1300 bytes. (Don't be
confused by the current test implemenation which doesn't serialize the
pubkey).
If we were to cut to a 16 byte MAC (which seems unwise), that would be
980 bytes.
> Alice computes all the blinding factors and shared secrets up front,
> allowing
> her to create the mix-header for each hop using the derived hop shared
> secret
> to derive subsequent decryption and MAC keys. Each node receives a_{i}, and
> prepares a_{i+1} for the next hop by re-randomizing the group element using
> the
> blinding factor.
>
> The formula for computing the size of a mix-header for a given hop count,
> and
> security parameter is (ignoring the final message size):
> * p + (2r + 2)s
> * p = pub key size (in bytes, for DH each hop)
> * r = max number of hops
> * s = symmetric key size (in bytes)
>
> So, for 20 hops the size is computed as (with a symmetric key size of 16
> bytes):
> * 33 + (2*20 + 2) * 16 = 705 bytes!
>
> 445% smaller than the 3840 bytes of the current proposal.
Or, if we're standarizing on ChaCha20, with a 32-byte key:
33 + (2 * 20 + 2) * 32 = 1377 bytes.
> The original version of Sphinx was designed with anonymous mailing in mind.
> So the final mix-header to the destination node includes a final
> destination
> email-address (k-bits), and an Identifier (k-bits) used to generate reply
> messages back to the sender. If we remove these from the mix-net, we save
> 2k-bits arriving at a new formula to compute the mix-header size:
> * p + (2*r*s)
>
> So with 20 hops the size is reduced to:
> * 33 + (2*20*16) = 673 bytes
Or 33 + 2 * 20 * 32 = 1313 bytes for ChaCha20.
> With this size reduction the, the base64 encoding of a mix-header for two
> hops
> can fit entirely into a tweet!
> * 33 + (2*2*16) = 97 bytes
Now, *that* is an important metric :)
More important than the size is the idea of reusing a proven design over
an ad-hoc one, so we should use this anyway.
HORNET seems a bit over-the-horizon for now, so I'll leave that reply
for a future message :)
> We (me+Tadge+Joseph) are planning on publicly releasing our in progress
> implementation of Lightning, sometime near the end of this month (December)
> :).
Great! Let's argue about protobufs and ChaCha20 vs AES before then :)
Thanks!
Rusty.
Rusty Russell [ARCHIVE] /
npub1zw…hkhpx
2023-06-09 12:45:26
in reply to nevent1q…99jc
Author Public Key
npub1zw7cc8z78v6s3grujfvcv3ckpvg6kr0w7nz9yzvwyglyg0qu5sjsqhkhpxPublished at
2023-06-09 12:45:26Event JSON
{
"id": "400573955117609111959299ed424a9a4882e35f26967f4ba7107c5ce17f7812",
"pubkey": "13bd8c1c5e3b3508a07c92598647160b11ab0deef4c452098e223e443c1ca425",
"created_at": 1686314726,
"kind": 1,
"tags": [
[
"e",
"a0eae0709b098880fb92a837f655fe2ac84b7ed07fa439abcde3b595cd8022fc",
"",
"root"
],
[
"e",
"fbb26f1d955585b63d3cc4197b2eba320af07e6f2ccbbc2abb7322ce874c00e0",
"",
"reply"
],
[
"p",
"2df3fc2660459521b852c995d4fc1a93938389a5e085677d0ebb33ef92cc5476"
]
],
"content": "📅 Original date posted:2015-12-15\n📝 Original message:\nOlaoluwa Osuntokun \u003claolu32 at gmail.com\u003e writes:\n\u003e Hi y'all!!\n\nHi Olaoluwa, welcome to the list!\n\n I've yet to read the papers, so forgive if I've made an error\nbelow.\n\n\u003e First, I'll give a brief overview of Sphinx. I won't delve into the exact\n\u003e details of the protocol, instead I'll highlight the key insight that allows\n\u003e for\n\u003e *extremely* small mix-headers. If we assume a maximum diameter of 20 hops,\n\u003e and a\n\u003e 16-byte MAC, then a full onion blob weighs in at only 705 bytes! This is\n\u003e considerably smaller (a 4X size reduction) than the 3840 bytes per\n\u003e onion-blob in\n\u003e current proposal.\n\nNot sure where these numbers come from? The current header overhead is\nsha256 (32 bytes) + pubkey (33 bytes), or 1300 bytes. (Don't be\nconfused by the current test implemenation which doesn't serialize the\npubkey).\n\nIf we were to cut to a 16 byte MAC (which seems unwise), that would be\n980 bytes.\n\n\u003e Alice computes all the blinding factors and shared secrets up front,\n\u003e allowing\n\u003e her to create the mix-header for each hop using the derived hop shared\n\u003e secret\n\u003e to derive subsequent decryption and MAC keys. Each node receives a_{i}, and\n\u003e prepares a_{i+1} for the next hop by re-randomizing the group element using\n\u003e the\n\u003e blinding factor.\n\u003e\n\u003e The formula for computing the size of a mix-header for a given hop count,\n\u003e and\n\u003e security parameter is (ignoring the final message size):\n\u003e * p + (2r + 2)s\n\u003e * p = pub key size (in bytes, for DH each hop)\n\u003e * r = max number of hops\n\u003e * s = symmetric key size (in bytes)\n\u003e\n\u003e So, for 20 hops the size is computed as (with a symmetric key size of 16\n\u003e bytes):\n\u003e * 33 + (2*20 + 2) * 16 = 705 bytes!\n\u003e\n\u003e 445% smaller than the 3840 bytes of the current proposal.\n\nOr, if we're standarizing on ChaCha20, with a 32-byte key:\n\n 33 + (2 * 20 + 2) * 32 = 1377 bytes.\n\n\u003e The original version of Sphinx was designed with anonymous mailing in mind.\n\u003e So the final mix-header to the destination node includes a final\n\u003e destination\n\u003e email-address (k-bits), and an Identifier (k-bits) used to generate reply\n\u003e messages back to the sender. If we remove these from the mix-net, we save\n\u003e 2k-bits arriving at a new formula to compute the mix-header size:\n\u003e * p + (2*r*s)\n\u003e\n\u003e So with 20 hops the size is reduced to:\n\u003e * 33 + (2*20*16) = 673 bytes\n\nOr 33 + 2 * 20 * 32 = 1313 bytes for ChaCha20.\n\n\u003e With this size reduction the, the base64 encoding of a mix-header for two\n\u003e hops\n\u003e can fit entirely into a tweet!\n\u003e * 33 + (2*2*16) = 97 bytes\n\nNow, *that* is an important metric :)\n\nMore important than the size is the idea of reusing a proven design over\nan ad-hoc one, so we should use this anyway.\n\nHORNET seems a bit over-the-horizon for now, so I'll leave that reply\nfor a future message :)\n\n\u003e We (me+Tadge+Joseph) are planning on publicly releasing our in progress\n\u003e implementation of Lightning, sometime near the end of this month (December)\n\u003e :).\n\nGreat! Let's argue about protobufs and ChaCha20 vs AES before then :)\n\nThanks!\nRusty.",
"sig": "70955695ee1a75b8645cc0cbfadeef67637ac17c36b01d0a3cd9e7a9f9287023fae73bc7cf47c49e42dcc919cb62b85787849176a0de8e73a594771c49a755c3"
}