Re: Removing 1 modular exponentiation

2007-03-09 Thread Watson Ladd
James Muir wrote:
> The following recent preprint deals with the subject of this thread: A. Kate, G. Zaverucha and I. Goldberg Pairing-Based Onion Routing pdf CACR 2007-08 http://www.cacr.math.uwaterloo.ca/techreports/2007/cacr2007-08.pdf
> -James

Nice. Patents are going to be an issue

Re: Removing 1 modular exponentiation

2007-03-09 Thread Watson Ladd
Fergie wrote: -- James Muir [EMAIL PROTECTED] wrote: The following recent preprint deals with the subject of this thread: A. Kate, G. Zaverucha and I. Goldberg Pairing-Based Onion Routing pdf CACR 2007-08 http://www.cacr.math.uwaterloo.ca/techreports/2007/cacr2007-08.pdf I'm

Re: Removing 1 modular exponentiation

2007-03-08 Thread James Muir
The following recent preprint deals with the subject of this thread: A. Kate, G. Zaverucha and I. Goldberg Pairing-Based Onion Routing pdf CACR 2007-08 http://www.cacr.math.uwaterloo.ca/techreports/2007/cacr2007-08.pdf -James

Re: Removing 1 modular exponentiation

2007-03-08 Thread Fergie
James Muir [EMAIL PROTECTED] wrote: The following recent preprint deals with the subject of this thread: A. Kate, G. Zaverucha and I. Goldberg Pairing-Based Onion Routing pdf CACR 2007-08

Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake Watson Ladd ([EMAIL PROTECTED]): Hello! Tor currently uses RSA encrypted DH exchanges. This requires that the server and client both make 3 exponentiations: Two for DH, One for RSA. But we can reduce this significantly. I've already presented this before, but now I think I can

Re: Removing 1 modular exponentiation

2007-02-19 Thread James Muir
Mike Perry wrote: Thus spake Watson Ladd ([EMAIL PROTECTED]): Hello! Tor currently uses RSA encrypted DH exchanges. This requires that the server and client both make 3 exponentiations: Two for DH, One for RSA. But we can reduce this significantly. I've already presented this before, but now I

Re: Removing 1 modular exponentiation

2007-02-19 Thread Watson Ladd
That's not really a problem. All computations are done in the group ZZ_p. 1/k really means the inverse of k modulo the order of g in ZZ_p. So b/k does not have to be an integer. Putting the security of the scheme aside, one question that comes to mind is how Alice (the OP) is going to get

Re: Removing 1 modular exponentiation

2007-02-19 Thread James Muir
Putting the security of the scheme aside, one question that comes to mind is how Alice (the OP) is going to get an authentic copy of Ricky's DH public key, y. One way to do this is to include it in the router descriptors. But then we have to ask if it's worth adding a new public key for each OR

Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake James Muir ([EMAIL PROTECTED]): Mike Perry wrote: Thus spake Watson Ladd ([EMAIL PROTECTED]): Well, one immediate problem is that b/k has to be an integer.. So b=rk for some random r and b is thus not completely random.. To clarify the effects of this, you should rewrite your

Re: Removing 1 modular exponentiation

2007-02-19 Thread James Muir
Problem is: (g^X)^k = g for some given k. Find X equivalent to 1/k. Rewrite as (g^k)^X = g Seems like you need to take the Discrete Log of both sides to get your X=1/k value. This is hard. Since we are working modulo p and we know that g is a generator of ZZ_p its order is p-1. So, to find

Re: Removing 1 modular exponentiation

2007-02-19 Thread Watson Ladd
James Muir wrote: Putting the security of the scheme aside, one question that comes to mind is how Alice (the OP) is going to get an authentic copy of Ricky's DH public key, y. One way to do this is to include it in the router descriptors. But then we have to ask if it's worth adding a new

Re: Removing 1 modular exponentiation

2007-02-19 Thread James Muir
We already distribute different keys for the current protocol. But the one I proposed is insecure so we might as well forget about it. Schnorr signatures are secure and are intended for this purpose, but we can only use them after 2008. The way things are done now, each OR has two public keys

Re: Removing 1 modular exponentiation

2007-02-19 Thread Watson Ladd
James Muir wrote: You may already know that the current scheme has a security reduction (Goldberg, PET 2006), so I imagine there would have to be a comparable argument before the powers that be would consider a new scheme. Out of curiosity, what is it about your scheme that makes you say

Re: Removing 1 modular exponentiation

2007-02-19 Thread Mike Perry
Thus spake Watson Ladd ([EMAIL PROTECTED]): James Muir wrote: You may already know that the current scheme has a security reduction (Goldberg, PET 2006), so I imagine there would have to be a comparable argument before the powers that be would consider a new scheme. Out of