> that's not really a problem. all computations are done in the group > ZZ_p. 1/k really means the inverse of k modulo the order of g in ZZ_p. > So b/k does not have to be an integer. > > putting the security of the scheme aside, one question that comes to > mind is how Alice (the OP) is going to get an authentic copy of Ricky's > DH public key, y. One way to do this is to include it in the router > descriptors. But then we have to ask if it's worth adding a new public > key for each OR to the Tor PKI to just save one exponentiation during > session key agreement. > > -James > We already distribute different keys for the current protocol. But the one I proposed is insecure so we might as well forget about it. Schnorr signatures are secure and are intended for this purpose, but we can only use them after 2008.
signature.asc
Description: OpenPGP digital signature
