[tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Apr 25 15:00:32 UTC 2013
#8106: Make .onion addresses harder to harvest by directory servers
-----------------------------+----------------------------------------------
Reporter: asn | Owner:
Type: defect | Status: new
Priority: major | Milestone: Tor: 0.2.5.x-final
Component: Tor | Version:
Keywords: SponsorZ tor-hs | Parent:
Points: | Actualpoints:
-----------------------------+----------------------------------------------
Comment(by asn):
Replying to [comment:1 rransom]:
> Replying to [ticket:8106 asn]:
>
> > On actual solutions, Robert posted:
> > https://lists.torproject.org/pipermail/tor-
dev/2012-September/004026.html
> > some months ago. I don't have the cryptographic skills to robustly
analyze his idea, but if this is the only thing we have, we should point
some cryptographers at it so that it gets some comments.
>
> For an Ed25519-based signature scheme with both the public-key group
element and the base point blinded, the verification equation is
equivalent to `S*B = (HB(nonce, B, A)^(-1))*R + H(R, HB(nonce, B, A)*B,
HB(nonce, B, A)*A, M)*A`, where `R` is carefully chosen to be a uniform
random group element and `HB(nonce, B, A)` is (computationally)
independent of `R`. This equation does not leak any more information
about the log of `A` than the verification equation for unmodified Ed25519
does, so this cryptosystem is obviously as safe as Ed25519.
>
Thanks for your last message (wrt onion address sizes using your scheme).
Another question: how did you end up with `S*B = (HB(nonce, B, A)^(-1))*R
+ H(R, HB(nonce, B, A)*B, HB(nonce, B, A)*A, M)*A` as the verification
equation of ed25519? How did the extra `HB(nonce, B, A)*B` get into H()?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:11>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list