Open dbosk opened 4 years ago
Integrity checks at each layer: provide the reply header and ephemeral symmetric keys k_1, ..., k_N. Embed k_i on layer i, so the router will get a copy. Compute MAC on payload_i (the payload ciphertext at layer i) with key k_i.
We'll need the privacy properties (onion correctness, layer unlinkability, tail indistinguishability) for the payload too.
Sphinx cannot do this to be able to handle anonymous replies. We need that. Does this cause any problems?
We have the attack against HORNET in "Breaking and (Partially) Fixing Provably Secure Onion Routing" (Section V).
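The per-layer check proposed in this issue, as an added sketch that is not code from the issue or the project: the sender computes a MAC over each payload_i with k_i, and router i verifies it before removing its layer. Assumptions: the forward direction only (the sender knows the payload), header encryption omitted so k_i and the tag are handed to router i directly, SHAKE-256 as a stand-in stream cipher, and all function names hypothetical.

```python
import hashlib
import hmac
import os

def _subkey(label: bytes, k: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the per-hop key k_i.
    return hashlib.sha256(label + k).digest()

def _stream_xor(k: bytes, data: bytes) -> bytes:
    # SHAKE-256 keystream as a stand-in stream cipher (assumption of this sketch).
    ks = hashlib.shake_256(_subkey(b"enc", k)).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def _mac(k: bytes, payload: bytes) -> bytes:
    return hmac.new(_subkey(b"mac", k), payload, hashlib.sha256).digest()

def build_onion(keys, message):
    """Return payload_1 and the per-layer tags [tag_1, ..., tag_N]."""
    payload, tags = message, []
    for k in reversed(keys):               # innermost layer (k_N) first
        payload = _stream_xor(k, payload)  # payload_i as router i receives it
        tags.append(_mac(k, payload))      # MAC over the layer-i ciphertext
    return payload, tags[::-1]

def peel(k, tag, payload):
    """Router i: verify payload_i before removing its layer."""
    if not hmac.compare_digest(tag, _mac(k, payload)):
        raise ValueError("payload MAC mismatch")
    return _stream_xor(k, payload)

def route(keys, tags, payload, flip_before_hop=None):
    """Walk the path; return (message, None) or (None, hop that rejected)."""
    for i, (k, tag) in enumerate(zip(keys, tags), start=1):
        if i == flip_before_hop:           # constructed in-transit modification
            payload = bytes([payload[0] ^ 1]) + payload[1:]
        try:
            payload = peel(k, tag, payload)
        except ValueError:
            return None, i
    return payload, None

if __name__ == "__main__":
    keys = [os.urandom(16) for _ in range(3)]  # constructed k_1..k_3
    p1, tags = build_onion(keys, b"constructed test message")
    print(route(keys, tags, p1))                     # delivered intact
    print(route(keys, tags, p1, flip_before_hop=2))  # rejected at hop 2
```

A modified payload is rejected by the first router that sees it rather than travelling on to the end of the path.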