Re: [tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers
#8106: Make .onion addresses harder to harvest by directory servers
-----------------------------+----------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: SponsorZ tor-hs | Parent:
Points: | Actualpoints:
-----------------------------+----------------------------------------------
Comment(by rransom):
Replying to [comment:20 hyperelliptic]:
> Replying to [comment:19 rransom]:
> > Replying to [comment:18 asn]:
> > > Hey Robert,
> > >
> > > I talked with hyperelliptic today and she explained to me her concerns of comment:17.
> >
> > None of those concerns are legitimate.
> >
> Huh? Let me try this again.
>
> There are two security requirements:
> * Nobody can produce a signature that passes verification by a user knowing A's long-term key.
> AND
> * Nobody can produce a signature that passes verification for the short-term public key.
>
> The second proposal of rransom flunks the second requirement.
>
> Here is why this requirement matters:
> The HS address is the x-coordinate of the short-term public key. This can be computed by anybody knowing the long-term public key. An attacker could overwrite the correct information on the directory service with bogus information if he could produce a signature under the short-term public key.
>
> What makes the attack work on the second scheme is that the basepoint is provided as part of the signature and is therefore under the control of the attacker.
>
> To avoid this problem, use a fixed basepoint or use x(short-term key),x(basepoint) as HS address.
----
I said explicitly in comment:13, before your first comment here, that the
blinded base point is part of the blinded public key:
> In Ed25519, the public key is `A`. In my blinded-public-key variant of Ed25519, the blinded public key is `(HB(nonce, B, A)*B, HB(nonce, B, A)*A)`.
I said in comment:15, in the explicit description of my signature scheme
which you specifically asked for (and thus can be expected to have read),
that the blinded base point is part of the blinded public key:
>
{{{
BlindedPubKey = struct {
  Bprime: GroupElement;
  Aprime: GroupElement;
};
}}}
Since you had previously missed that fact in comment:13, I repeated it for
emphasis in comment:15, as explicitly as it can be said:
> Also note that the blinded public key contains the blinded base point; the attacker does not get to choose the base point separately from the blinded public-key group element.
----
You have not only misrepresented my idea, you are now attempting to claim
credit for it.
I'm done putting up with your crap.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:22>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
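
Added example, not part of the ticket or of rransom's code: a Python illustration of the point argued in the comment above, that the blinded base point B' belongs to the blinded public key (B', A') and is not chosen by whoever presents a signature. It assumes a plain Schnorr signature over a toy multiplicative group in place of Ed25519; `blind`, `verify_bound`, `verify_loose` and all constants are constructed for illustration.

```python
import hashlib

# Toy Schnorr group standing in for the Ed25519 group (assumption; not secure).
# P = 2*Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def H(*parts):
    """Hash arbitrary values to a nonzero scalar in [1, Q-1]."""
    digest = hashlib.sha256(repr(parts).encode()).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)

def blind(nonce, A):
    """Blinded public key (B', A') = (h*B, h*A), h = HB(nonce, B, A)."""
    h = H("blind", nonce, G, A)
    return pow(G, h, P), pow(A, h, P)

def sign(secret, base, pub, msg):
    """Schnorr signature (assumed scheme) relative to an explicit base point."""
    k = H("nonce", secret, msg)
    R = pow(base, k, P)
    c = H("chal", R, base, pub, msg)
    return R, (k + c * secret) % Q

def check(base, pub, msg, sig):
    R, s = sig
    c = H("chal", R, base, pub, msg)
    return pow(base, s, P) == R * pow(pub, c, P) % P

def verify_bound(blinded_key, msg, sig):
    """Base point is taken from the blinded public key itself."""
    b_prime, a_prime = blinded_key
    return check(b_prime, a_prime, msg, sig)

def verify_loose(a_prime, claimed_base, msg, sig):
    """Weak variant: only A' is pinned; the base point arrives with the signature."""
    return check(claimed_base, a_prime, msg, sig)

def demo():
    a = 777                     # constructed long-term secret scalar
    A = pow(G, a, P)            # long-term public key A = a*B
    key = blind("period-1", A)  # (B', A'); A' = a*B', so `a` still signs
    good = sign(a, key[0], key[1], "descriptor")
    # With a free base point, A' itself can be named as base: A' = 1*A'.
    swapped = sign(1, key[1], key[1], "other descriptor")
    return (verify_bound(key, "descriptor", good),
            verify_loose(key[1], key[1], "other descriptor", swapped),
            verify_bound(key, "other descriptor", swapped))
```

`demo()` returns `(True, True, False)`: the loose check accepts a signature made under a substituted base point, while the check that takes B' from the blinded key rejects it.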