Fergie wrote: > -- James Muir <jamuir@xxxxxxxxxxxxxxx> wrote: > >> The following recent preprint deals with the subject of this thread: > >> A. Kate, G. Zaverucha and I. Goldberg >> Pairing-Based Onion Routing pdf >> CACR 2007-08 > >> http://www.cacr.math.uwaterloo.ca/techreports/2007/cacr2007-08.pdf > > > I'm quite happy to see some objective dialog on the list > again. :-) > > - ferg > I have a very incomplete proposal for adding this to tor. It is badly written and probably breaks a lot of stuff. A lot more work needs doing, like on how we get a distributed PKG. --- Watson Ladd
Filename:107-PBC.txt Title:The pairing-based key negotiation protocol Version:0.0.1 Last modified: Author:Watson Ladd Created:9-March-2007 Status:Open Overview: This document describes a new version of the tor protocol that uses pairing-based cryptography following [1]. Motivation: The protocol described in [1] is much more efficient in both bandwith and CPU then the current protocol. Backwards-compatability: Sadly, use of the VERSION cell will negate some of the advantages of the new protocol. This is very much a work in progress. Current solution is a new cell type. Proposal: Section 0.0: Magic Numbers Section 1.0: Circuit Establisment Section 1.1: The distributed PKG. Section 2.1: The new directory format Section 0.0: Magic Numbers Curve P-521 in FIPS 186 [2] is to be used. New cell types is defined: [7] CREATE_WARPSPEED, and [8] EXITING_HYPERSPACE The master key expiration period is 24 hours exact to the nearest second. The private key expiration period is one hour to the nearest second. Section 1.0: Circuit establishment In 1.1 the orgin of v_m, U, and sU will be mentioned. v_m is a timestamp consisting of the number of seconds since midnight Jan 1, 1970 to the begining of the Master Key Validity Period. Let i be an index variable taken over all OR's in the circuit. Then let Q_vi=H(v||ID_i) where v is the timestamp at the begining of the Private Key Validity Period, and ID_i is the ID of router i. Then let y_vi=P(sU, Q_vi). Let r_i be random integers not zero in Z_n where n is the size of the group. r_i's are selected randomly for each OR i. Then let P_i=r_iU and compute y_vi^r_i for each OR i. From each y_vi^r_i a forwards key K_f_i and backwards key K_b_i are computed. Let A,..,N be the nodes being put into an onion circuit. Then the CREATE_WARPSPEED cell being sent to A has the following payload: cid,r_AU,{B, r_BU,{ ... {N, r_NU, {NULL}_{K_f_N}}...}_{K_f_B}}_{K_f_A} On recipt of a CREATE_WARPSPEED cell the OR i computes P(r_iU,d_vi) and from it derives K_f_i and K_b_i. It then finds out what router to send the next CREATE_WARPSPEED cell to. In the process it chops off the router's name and replaces it with the circuit id it wants to use for that link of the circuit. The NULL message is a EXITING_HYPERSPACE cell. On noticing that the decrypted message is an EXITING_HYPERSPACE cell, the OR is expected to send a CIRCUIT_CREATED cell back, encrypting it with K_b_i, just like all traffic on the newly established circuit. Section 1.1 TODO Section 1.2 TODO
Attachment:
signature.asc
Description: OpenPGP digital signature