mitigations for malleable cell crypto
This session was to discuss a specific mitigation for tagging or watermarking attacks, which an adversary who controls both a guard node and an exit node can use to deanonymize Tor network users. The proposed solution chains GCM nonces by encrypting with each onion key on each hop, so that a modification made in transit will not decrypt correctly at the next hop. (This might be weaker than standard notions of authenticated encryption but might be good enough for our purposes.)
Tomer Ashur's fix: https://www.esat.kuleuven.be/cosic/publications/thesis-298.pdf (Section 6.5.4)
Shorter version: https://eprint.iacr.org/2017/239.pdf
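Added illustration, not code from the meeting or from Ashur's thesis: a toy three-hop circuit showing why a malleable per-hop layer lets a guard's bit flip reach the exit intact, and how an authenticated per-hop layer with chained nonces rejects the cell instead. The keystream and MAC are stdlib stand-ins for AES-CTR and AES-GCM, the keys and cells are constructed, and the chaining rule (next nonce derived from the cell exactly as received) is a simplification, not the thesis's construction.

```python
import hashlib
import hmac

def keystream(key, nonce, n):
    # Toy counter-mode keystream: SHA-256(key || nonce || counter) blocks, truncated to n bytes.
    return b"".join(hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
                    for c in range((n + 31) // 32))[:n]

def ctr_layer(key, nonce, data):
    # Malleable layer (stands in for AES-CTR): flipping a ciphertext bit flips the same plaintext bit.
    return bytes(x ^ y for x, y in zip(data, keystream(key, nonce, len(data))))

def aead_seal(key, nonce, data):
    # Authenticated layer (stands in for AES-GCM): ciphertext plus a 16-byte MAC bound to the nonce.
    ct = ctr_layer(key, nonce, data)
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]

def aead_open(key, nonce, blob):
    ct, tag = blob[:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None  # tampered or out of sync: the hop rejects the cell instead of forwarding it
    return ctr_layer(key, nonce, ct)

def chain(nonce, cell):
    # Nonce chaining (simplified): a hop's nonce for the next cell depends on this cell as received.
    return hashlib.sha256(nonce + cell).digest()[:12]

def run_circuit(keys, cells, authenticated, flip_bit=None):
    # Client onion-wraps each cell for hops keys[0..] (keys[0] = guard, keys[-1] = exit). If flip_bit
    # is set, the guard is malicious: after peeling its layer from cell 0 it flips that bit (the "tag").
    # Returns the exit's view of each cell; None means an honest hop rejected it (circuit torn down).
    client = [bytes(12)] * len(keys)   # client's running nonce per hop
    hops = [bytes(12)] * len(keys)     # each hop's running nonce
    wrap, unwrap = (aead_seal, aead_open) if authenticated else (ctr_layer, ctr_layer)
    seen = []
    for i, cell in enumerate(cells):
        wrapped = cell
        for h in reversed(range(len(keys))):          # exit layer innermost, guard layer outermost
            wrapped = wrap(keys[h], client[h], wrapped)
            client[h] = chain(client[h], wrapped)
        for h in range(len(keys)):                    # forward guard -> middle -> exit
            peeled = unwrap(keys[h], hops[h], wrapped)
            hops[h] = chain(hops[h], wrapped)
            if peeled is None:
                break
            if h == 0 and i == 0 and flip_bit is not None:   # guard tags the cell after peeling
                peeled = bytes(b ^ (1 << (flip_bit % 8)) if k == flip_bit // 8 else b
                               for k, b in enumerate(peeled))
            wrapped = peeled
        seen.append(peeled)
    return seen
```

With malleable layers the exit recovers cell 0 with exactly the guard's bit flipped (and later cells desynchronize), whereas with authenticated layers the middle hop rejects cell 0 outright.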
People are concerned about incremental deployability: if only some relays in a circuit support this scheme, will it still work? This will probably need more analysis.
Nick and Taylor will get in touch with Marc after the meeting to schedule some time to chat more about helping Marc with an experimental implementation.