Thus spake Watson Ladd (watsonbladd@xxxxxxxxx):
Hello!
Tor currently uses RSA encrypted DH exchanges. This requires that the
server and client both make 3 exponentiations: Two for DH, One for RSA.
But we can reduce this significantly. I've already presented this
before, but now I think I can justify security. Sanity checks are assumed.
Cryptographic Personae: Anonymous Alice and Ricky the Onion Router.
Protocol Parameters: A group with a "generator" g that takes on m
values. DDH is hard in the group. I put generator in quotes because a
lot of the time it's not a mathematical generator. The group is written
multiplicatively.
Setup: Ricky picks a random positive integer k less than m. Let y be
Ricky's public key. Then y=g^k.
Protocol round 1: Alice picks a random positive integer a. Let f=y^a.
Alice sends f to Ricky.
Protocol round 2: Ricky picks a random positive integer b. Let h=g^b.
Key calculation: Ricky computes the key as f^(b/k) where
(g^(k))^(1/k)=g. Alice computes the key as h^a. Note that both Ricky and
Alice perform 2 group exponentiations.
Well, one immediate problem is that b/k has to be an integer. So b=rk
for some random r, and b is thus not completely random. To clarify the
effects of this, you should rewrite your protocol as follows from
Round 2 on:
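The exchange described in the quoted proposal, carried through in code as an added example (not code from either message in this thread, and not Tor's implementation). It uses a toy safe prime p = 1019 with the order-q quadratic-residue subgroup, both chosen here for readability; "b/k" is realised as b * k^-1 modulo the subgroup order q, and a second function shows the reply's reading where b = r*k so that b/k = r is a plain integer. All values and names are the example's own assumptions.

```python
"""
Two-exponentiation handshake from the thread, in a prime-order subgroup of Z_p^*.
Added example: not code from Watson Ladd or from Tor.  p = 1019 is a toy safe
prime picked for this demo (assumption); a real deployment would use a
standards-sized group.
"""
import secrets

P = 1019                 # toy safe prime: p = 2q + 1 (assumption for the demo)
Q = (P - 1) // 2         # = 509, prime order of the quadratic-residue subgroup
G = 4                    # 2^2 is a quadratic residue, so it generates the order-q subgroup


def rand_exponent():
    """Uniform in [1, q-1]: the 'random positive integer less than m' of the post."""
    return 1 + secrets.randbelow(Q - 1)


def setup(k=None):
    """Ricky's long-term key: secret k, public y = g^k."""
    k = k if k is not None else rand_exponent()
    return k, pow(G, k, P)


def alice_round1(y, a=None):
    """Alice sends f = y^a (her first exponentiation)."""
    a = a if a is not None else rand_exponent()
    return a, pow(y, a, P)


def ricky_round2_and_key(k, f, b=None):
    """Ricky sends h = g^b and derives f^(b/k).

    'b/k' is taken modulo the subgroup order q, i.e. b * k^{-1} mod q, which is
    how (g^k)^(1/k) = g is realised in a prime-order group.  Two exponentiations:
    g^b and f^(b * k^-1).
    """
    b = b if b is not None else rand_exponent()
    h = pow(G, b, P)
    k_inv = pow(k, -1, Q)                  # k^{-1} mod q (Python 3.8+)
    key_ricky = pow(f, (b * k_inv) % Q, P)  # = g^(k a b k^-1) = g^(ab)
    return b, h, key_ricky


def alice_key(a, h):
    """Alice derives h^a = g^(ab) (her second exponentiation)."""
    return pow(h, a, P)


def run_handshake(k=None, a=None, b=None):
    """Full exchange; returns (alice_key, ricky_key)."""
    k, y = setup(k)
    a, f = alice_round1(y, a)
    b, h, kr = ricky_round2_and_key(k, f, b)
    ka = alice_key(a, h)
    return ka, kr


def run_handshake_b_multiple_of_k(k=None, a=None, r=None):
    """The reply's reading: choose b = r*k so that b/k = r is an integer.

    Ricky computes f^r = g^(k a r) and Alice h^a = g^(r k a).  Returns
    (alice_key, ricky_key, b); note b is confined to multiples of k mod q.
    """
    k, y = setup(k)
    a, f = alice_round1(y, a)
    r = r if r is not None else rand_exponent()
    b = (r * k) % Q
    h = pow(G, b, P)
    key_ricky = pow(f, r, P)
    key_alice = alice_key(a, h)
    return key_alice, key_ricky, b


if __name__ == "__main__":
    ka, kr = run_handshake()
    print("k^-1 mod q variant, keys agree:", ka == kr)
    ka2, kr2, b = run_handshake_b_multiple_of_k()
    print("b = r*k variant, keys agree:", ka2 == kr2, "with b =", b)
```

Both variants end with Ricky and Alice holding g^(ab), and each side performs exactly two modular exponentiations after setup, which is the cost claim in the proposal; the `b = r*k` function makes the reply's observation concrete by showing that b is then determined by r and k rather than drawn freely.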