Re: Removing 1 modular exponentiation

[James Muir <jamuir@xxxxxxxxxxxxxxx>]

> > > We already distribute different keys for the current protocol. But the
> > > one I proposed is insecure so we might as well forget about it. Schnorr
> > > signatures are secure and are intended for this purpose, but we can only
> > > use them after 2008.
>>>
> > the way things are done now, each OR has two public keys in its router
> > descriptor.  you are, I think, suggesting that another be added.  I was
> > just wondering if you had considered the extra bandwidth load this puts
> > on the directory servers.  If the extra load is substantial (maybe it
> > isn't, i don't know), then maybe we shouldn't give the ORs another
> > public key to manage just to save one 1024-bit exponentiation.
> >
> > -James
> I was suggesting replacing the second key with the new key.

ah.. that makes sense to me now.

You may already know that the current scheme has a security reduction 
(Goldberg, PET 2006), so I imagine there would have to be a comparable 
argument before the powers that be would consider a new scheme.

Out of curiosity, what is it about your scheme that makes you say it is 
insecure?

-James