
Re: Removing 1 modular exponentiation



Putting the security of the scheme aside, one question that comes to
mind is how Alice (the OP) is going to get an authentic copy of Ricky's
DH public key, y.  One way to do this is to include it in the router
descriptors.  But then we have to ask if it's worth adding a new public
key for each OR to the Tor PKI to just save one exponentiation during
session key agreement.

-James

We already distribute different keys for the current protocol. But the
one I proposed is insecure so we might as well forget about it. Schnorr
signatures are secure and are intended for this purpose, but we can only
use them after 2008.

The way things are done now, each OR has two public keys in its router descriptor. You are, I think, suggesting that another be added. I was just wondering if you had considered the extra bandwidth load this puts on the directory servers. If the extra load is substantial (maybe it isn't, I don't know), then maybe we shouldn't give the ORs another public key to manage just to save one 1024-bit exponentiation.


-James