Thread

Tor rolled their own new encryption (CGO). Why not ChaChaPoly? (Spoiler: Tech Debt)

Tor's old tor1 relay encryption (AES-128-CTR + weak SHA-1 digest) had serious holes: tagging attacks for tracing, no forward secrecy (leaked keys decrypt everything), and weak forgery checks.

ChaChaPoly could've added integrity (non-malleable AEAD), but it didn't mesh with Tor's hop-by-hop layers (overhead for multiple ops per cell), no native cell chaining to garble tampering, and no per-cell key updates for quick forward secrecy.

They rolled their own with CGO: A wide-block cipher (UIV+) tuned for malleability resistance, single-pass speed, and beefy tags. Patches the issues without a total overhaul.

It works, but it's not optimal.

- Custom UIV+: New code risks flaws; skips vetted standards.
- Missed AEAD: Custom tweaks introduce unvetted complexity.
- Ciphertext expansion: Nonce adds bytes, inflating bandwidth.

Tor's early design locked them in. Zsub fixes this.

Zsub's onion routing is built on battle-tested ChaCha20-Poly1305

- Non-malleable, so tagging/tampering fails outright, garbling or dropping bad packets.
- Ratchets key per message: Forward/backward secrecy baked in, recovering fast post-compromise and no persistent circuit keys.
- Chunks and multiplexes over randomized paths to obscure patterns, limits metadata leaks, and keeps efficiency without custom ciphers.

#tor #privacy #nostr #cybersecurity #grownostr

Whitepaper, beta: https://zsubmesh.net/
2025-12-02 03:05:18 from 1 relay(s) 1 replies ↓
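
The two mechanisms the post contrasts (AES-128-CTR without an integrity check accepts a modified ciphertext, while ChaCha20-Poly1305 under a per-message ratcheted key drops it), as an added example that is not code from the post, Tor, or Zsub. It assumes the Python `cryptography` package; the HMAC-SHA256 chain, its labels, and all function names are hypothetical stand-ins.

```python
import hashlib
import hmac
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

NONCE = bytes(12)  # fixed nonce is safe only because every key seals exactly one message

def ctr_roundtrip_with_flip(key16, iv16, msg):
    """AES-128-CTR with no integrity check: a flipped ciphertext bit decrypts
    to the same flipped plaintext bit, and nothing signals the change."""
    enc = Cipher(algorithms.AES(key16), modes.CTR(iv16)).encryptor()
    ct = bytearray(enc.update(msg) + enc.finalize())
    ct[0] ^= 0x01  # constructed in-transit modification
    dec = Cipher(algorithms.AES(key16), modes.CTR(iv16)).decryptor()
    return dec.update(bytes(ct)) + dec.finalize()

def ratchet(chain_key):
    """One-way HMAC-SHA256 step -> (next_chain_key, message_key).
    The b"chain"/b"msg" labels are hypothetical, not from any spec."""
    return (hmac.new(chain_key, b"chain", hashlib.sha256).digest(),
            hmac.new(chain_key, b"msg", hashlib.sha256).digest())

def seal(chain_key, plaintext, aad=b""):
    """Encrypt one message under a fresh key; returns (next_chain_key, packet)."""
    next_chain, msg_key = ratchet(chain_key)
    return next_chain, ChaCha20Poly1305(msg_key).encrypt(NONCE, plaintext, aad)

def open_packet(chain_key, packet, aad=b""):
    """Returns (next_chain_key, plaintext). A packet that fails the Poly1305
    check is dropped: (chain_key, None), so the receiver's chain does not advance."""
    next_chain, msg_key = ratchet(chain_key)
    try:
        return next_chain, ChaCha20Poly1305(msg_key).decrypt(NONCE, packet, aad)
    except InvalidTag:
        return chain_key, None

if __name__ == "__main__":
    # All inputs below are constructed sample values.
    print(ctr_roundtrip_with_flip(bytes(16), bytes(16), b"hello"))
    root = hashlib.sha256(b"constructed shared secret").digest()
    _, pkt = seal(root, b"cell payload")
    tampered = bytes([pkt[0] ^ 0x01]) + pkt[1:]
    print(open_packet(root, tampered)[1])
    print(open_packet(root, pkt)[1])
```

A hash chain like this shows only the forward-secrecy half: once a chain key is replaced, earlier message keys cannot be recomputed from the new one. Recovery after a key compromise needs fresh key material mixed in, which this sketch does not model.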