
Re: [tor-talk] NSA supercomputer

On Thu, Apr 4, 2013 at 5:51 AM, Bernard Tyers <ei8fdb@xxxxxxxxxx> wrote:
> Hi,
> Is there a reason 1024 bit keys, instead of something higher is not used? Do higher bit keys affect host performance, or network latency?

Because in 2003/2004, when we were designing Tor, 1024-bit keys seemed
like they would probably be good enough, AND we weren't confident of
our ability to support arbitrary key sizes without screwing it up.

But as of 0.2.4, the forward-secrecy[0] parts of Tor[*] now support
256-bit ECC keys, which are probably about as good as 3072-bit RSA/DH
keys, and a lot faster for most uses.  I'd like to make more of the
authentication parts of Tor support ECC over the next couple of

[0] https://en.wikipedia.org/wiki/Perfect_forward_secrecy

[*] Specifically, the ephemeral-key part of the TLS handshake supports
P224 or P256 if both Tors were built with a recent OpenSSL version;
and the circuit handshake supports the "ntor" protocol with curve25519
if the client has UseNtorHandshake turned on. I want to make that
on-by-default before the release.[**]

[**] https://trac.torproject.org/projects/tor/ticket/8561

tor-talk mailing list
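The message above describes ephemeral curve25519 key agreement as the forward-secrecy building block. The following is an added example, not code from the post, from Tor, or from OpenSSL: a pure-Python X25519 (RFC 7748) with the Montgomery ladder, used for one ephemeral exchange between a hypothetical client and relay. It shows only the raw Diffie-Hellman step; Tor's ntor handshake additionally mixes in the relay's long-term curve25519 key and runs a key-derivation step, which are not reproduced here. The test vectors are the ones published in RFC 7748 section 6.1; the function and variable names are this example's own.

```python
"""Ephemeral curve25519 key agreement (X25519, RFC 7748) in pure Python.

Added illustration, not code from the post or from Tor. It demonstrates the
ephemeral ECDH that gives forward secrecy; ntor layers a long-term relay key
and a KDF on top of this, which is omitted here.
"""
import os
from typing import Tuple

P = 2**255 - 19          # field prime
A24 = 121665             # (486662 - 2) / 4, the curve constant the ladder needs
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """RFC 7748 decodeScalar25519: clear low 3 bits, clear bit 255, set bit 254."""
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """RFC 7748 decodeUCoordinate: mask the unused top bit of the last byte."""
    b = bytearray(u)
    b[31] &= 127
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Return scalar * u on curve25519 (Montgomery ladder, RFC 7748 section 5)."""
    k = _clamp(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        # Python big ints are not constant time; a C implementation would use
        # a branch-free conditional swap here so timing does not leak key bits.
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2 % P) % P
        x2 = aa * bb % P
        z2 = e * ((aa + A24 * e) % P) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair() -> Tuple[bytes, bytes]:
    """Fresh ephemeral keypair: 32 random bytes and the matching public u-coordinate."""
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def ephemeral_exchange() -> Tuple[bytes, bytes]:
    """One ephemeral ECDH between a hypothetical client and relay (names are
    this example's own). Each side's private key lives only for this call, so
    a recorded transcript cannot later be decrypted even if long-term keys leak."""
    client_priv, client_pub = keypair()
    relay_priv, relay_pub = keypair()
    client_secret = x25519(client_priv, relay_pub)   # client computes c * R
    relay_secret = x25519(relay_priv, client_pub)    # relay computes r * C
    return client_secret, relay_secret


# RFC 7748 section 6.1 test vectors (Alice and Bob).
ALICE_PRIV = bytes.fromhex("77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")
ALICE_PUB = bytes.fromhex("8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")
BOB_PRIV = bytes.fromhex("5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")
BOB_PUB = bytes.fromhex("de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")
SHARED = bytes.fromhex("4a5d9d5ba4ce2de1728e3bf480350f25e07e21c947d19e3376f09b3c1e161742")

if __name__ == "__main__":
    assert x25519(ALICE_PRIV, BASEPOINT) == ALICE_PUB
    assert x25519(ALICE_PRIV, BOB_PUB) == SHARED
    s1, s2 = ephemeral_exchange()
    print("ephemeral shared secrets agree:", s1 == s2)
```

The clamping in `_clamp` and the masking in `_decode_u` are what make X25519 tolerant of arbitrary 32-byte inputs; skipping them is a common bug in hand-rolled implementations. The conditional swap is written with an `if` purely for readability in Python; any production implementation does this branch-free.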