Author: David Stainton 2023-08-31 17:22:26+00:00
Published on: 2023-08-31T17:22:26+00:00
In the email, David Stainton raises concerns about the performance of the Sphinx cryptographic packet format. He mentions that while the format is compact, it sacrifices performance. He compares the current choice to the one made in 2002 when mixminion was around and states that he is skeptical about the current choice in 2023. David suggests that by eliminating the "blinding trick" and having only one group operation per hop, the performance of Sphinx can be improved. He explains that Sphinx currently performs two public key operations per hop, one being a DH operation and the other being the "blinding trick". By storing the group element for each hop within the Sphinx header's routing information section, the performance can be enhanced. He also mentions the need to preserve IND-CCA2 and proposes using a NIKE to KEM adapter that combines both public keys with the DH output.To further improve the performance of Sphinx, David suggests combining the NIKE adapted KEM with a Post Quantum KEM like Kyber1024 or other PQ KEMs. He highlights that Kyber is faster than X25519 and combining the two KEMs would likely result in the same speed as the current NIKE Sphinx implementation. He shares a table of Sphinx benchmarks using the Katzenpost implementation of Sphinx with different NIKEs and KEMs.David also discusses the bandwidth overhead of using a Kyber KEM Sphinx, as each hop's KEM ciphertext needs to be stored within the routing info section of the Sphinx header. He provides another table indicating the bandwidth overhead of the Katzenpost Sphinx implementation with various KEMs.In addition, David mentions a paper on KEM Combiners (https://eprint.iacr.org/2018/024.pdf) that discusses the design of a security preserving KEM combiner. He explains that a security preserving KEM combiner ensures that the resulting hybrid KEM has IND-CCA2 security if at least one of the composing KEMs has IND-CCA2 security. He shares pseudo code for a split PRF function that combines two KEM shared secrets and their ciphertexts using a hash function.Overall, David's email raises concerns about the performance of Sphinx and suggests ways to improve it by eliminating certain operations and combining different KEMs. He also highlights the bandwidth overhead and references a paper on security preserving KEM combiners.
Updated on: 2023-09-02T01:48:43.155221+00:00