Backgrounds

For Nomos Blend, we need to encrypt a message with multiple layers. Each layer should be able to be decrypted by only the node selected by the message builder.

This can be achieved by using https://github.com/nymtech/sphinx, but it has metadata overhead that is not necessary in our use case. Instead, we can implement our own encoding by simplifying https://github.com/nymtech/sphinx. For that, the core part is encryption.

The https://github.com/nymtech/sphinx uses two encryption methods:

• Packet Header Encryption: AES-CTR with External MAC
• Payload Encryption: Lioness with no authentication tag

The AES-CTR with external MAC is a reasonable choice for the packet header encryption, but we need to check whether Lioness is the optimal for the payload encryption.

The Sphinx paper does not force us to use Lioness. Also, there is no mature implementation of Lioness in various programming languages yet. ‣ is the implementation that ‣ uses, but that is not mature.

That is why this report compares different encryption methods and checks how well they meet our requirements.

Requirements

1. Length Preservation:
   • The ciphertext must have the same length as the plaintext (2KB) to prevent revealing whether the data is encrypted or not based on its size.
2. Authentication:
   • Authentication is required without increasing the size of the ciphertext. Built-in authentication methods that append tags directly to the ciphertext are not acceptable. A separate authentication mechanism such as a MAC should be applied externally.
3. Performance:
   • The encryption method should efficiently handle network packets of 2KB in size with low overhead and high throughput.
4. (Optional) Key Order:
   • Encryption must be done with two keys (A then B), and decryption must happen in the reverse order (B then A). If the keys are applied in the wrong order, the decryption must fail to recover the original data.

Use Case

The primary use case is encrypting network packets, each of a constant size of 2 kilobytes. The encryption must maintain the length of the packet, ensure correct key ordering, and, in the future, incorporate authentication without increasing the ciphertext size by appending tags. The system requires high performance and low overhead due to real-time constraints.

Comparisons

Lioness

• Key Order: Yes, Lioness supports encryption with two keys (A then B) and requires decryption in the reverse order (B then A). Decrypting with the wrong order will not recover the original data.