Removing 1 modular exponentiation
James Muir
jamuir at scs.carleton.ca
Tue Feb 20 02:55:51 UTC 2007
>>> We already distribute different keys for the current protocol. But the
>>> one I proposed is insecure so we might as well forget about it. Schnorr
>>> signatures are secure and are intended for this purpose, but we can only
>>> use them after 2008.
>>>
>> the way things are done now, each OR has two public keys in its router
>> descriptor. you are, I think, suggesting that another be added. I was
>> just wondering if you had considered the extra bandwidth load this puts
>> on the directory servers. If the extra load is substantial (maybe it
>> isn't, i don't know), then maybe we shouldn't give the ORs another
>> public key to manage just to save one 1024-bit exponentiation.
>>
>> -James
>>
> I was suggesting replacing the second key with the new key.
ah.. that makes sense to me now.
You may already know that the current scheme has a security reduction
(Goldberg, PET 2006), so I imagine there would have to be a comparable
argument before the powers that be would consider a new scheme.
Out of curiosity, what is it about your scheme that makes you say it is
insecure?
-James
More information about the tor-talk
mailing list