Published on: 2023-09-05T01:12:48+00:00
In the email, David Stainton expresses his concerns regarding the performance of the Sphinx cryptographic packet format. He compares the current choice to the one made in 2002 with mixminion and raises skepticism about the current choice in 2023. David proposes an improvement to Sphinx by eliminating the "blinding trick" and reducing the number of public key operations per hop. He suggests storing the group element for each hop within the Sphinx header's routing information section to enhance performance.To preserve IND-CCA2 security, David recommends using a NIKE to KEM adapter that combines both public keys with the Diffie-Hellman (DH) output. He further suggests combining the NIKE adapted KEM with a Post Quantum (PQ) KEM like Kyber1024 or other PQ KEMs to improve Sphinx's performance. According to David, Kyber is faster than X25519, and combining the two KEMs would likely result in similar speed to the current NIKE Sphinx implementation.David discusses the bandwidth overhead associated with using a Kyber KEM Sphinx, as each hop's KEM ciphertext needs to be stored within the routing info section of the Sphinx header. He provides a table showing the bandwidth overhead of the Katzenpost Sphinx implementation with different KEMs.Additionally, David mentions a paper on KEM Combiners that explores the design of a security preserving KEM combiner. He explains that this combiner ensures that the resulting hybrid KEM has IND-CCA2 security if at least one of the composing KEMs has IND-CCA2 security. David shares pseudo code for a split PRF function that combines two KEM shared secrets and their ciphertexts using a hash function.Overall, David's email highlights concerns about the performance of Sphinx and proposes ways to enhance it by eliminating certain operations and combining different KEMs. He also addresses the bandwidth overhead and references a paper on security preserving KEM combiners.
Updated on: 2023-09-06T01:57:01.445928+00:00