> that's not really a problem. all computations are done in the group > ZZ_p. 1/k really means the inverse of k modulo the order of g in ZZ_p. > So b/k does not have to be an integer. > > putting the security of the scheme aside, one question that comes to > mind is how Alice (the OP) is going to get an authentic copy of Ricky's > DH public key, y. One way to do this is to include it in the router > descriptors. But then we have to ask if it's worth adding a new public > key for each OR to the Tor PKI to just save one exponentiation during > session key agreement. > > -James > We already distribute different keys for the current protocol. But the one I proposed is insecure so we might as well forget about it. Schnorr signatures are secure and are intended for this purpose, but we can only use them after 2008.
Attachment:
signature.asc
Description: OpenPGP digital signature