----- Forwarded message from isis agora lovecruft <i...@torproject.org> -----
> From: isis agora lovecruft <i...@torproject.org> > Subject: Fwd: December 2016 Report for Tor Bridge Distribution > Date: Thu, 2 Mar 2017 03:54:41 +0000 > Message-ID: <20170302035441.gb32...@patternsinthevoid.net> > To: otf-proje...@opentechfund.org, otf-act...@opentechfund.org > Cc: isis agora lovecruft <i...@patternsinthevoid.net>, Henry de Valence > <hdevale...@hdevalence.ca> > Reply-To: i...@patternsinthevoid.net > Delivered-To: <i...@patternsinthevoid.net> > > (Forwarding because I'm not entirely certain whether that last report actually > made it to the list… the Mailer Daemon sent me a rejection that I've only just > noticed.) > > ----- Forwarded message from isis agora lovecruft > <i...@patternsinthevoid.net> ----- > > > From: isis agora lovecruft <i...@patternsinthevoid.net> > > Subject: December 2016 Report for Tor Bridge Distribution > > Date: Tue, 10 Jan 2017 23:08:19 +0000 > > Message-ID: <20170110230818.gh30...@patternsinthevoid.net> > > To: otf-act...@opentechfund.org > > Cc: Henry de Valence <hdevale...@hdevalence.ca>, isis agora lovecruft > > <i...@patternsinthevoid.net> > > Reply-To: i...@patternsinthevoid.net > > Delivered-To: <i...@patternsinthevoid.net> > > > > The following progress was made in December 2016: > > > > - Henry and I realised that curve25519's cofactor of 8 causes some > > cryptographic problems for the algebraic MACs which we planned to > > implement. The gist of the issue is that the group of points on > > curve25519 > > is not actually prime-order, which means that we need some safe way to > > work > > in a prime-order subgroup and to guarantee points to be within said > > subgroup. In retrospect, if we had a time machine, we'd go back a month > > ago and use Ed448 instead, since the Decaf point (de-)compression [0] > > scheme allows one to neatly map to an image of a subgroup which is of > > prime > > order. We don't really have time to do that right now, so the > > alternatives > > are that we: > > > > 1. Slowly and carefully reason about every curve point and scalar and > > whether it need to be multiplied by the cofactor or the inverse of > > the > > cofactor (respectively). This is the standard solution, but it's not > > a generalised solution. > > > > 2. Figure out how to get Decaf working for curve25519. > > > > We've made some progress on both these fronts, and the security proofs > > for > > the revised protocol. > > > > - I found a rather nasty bug which appears to exist in nearly every > > Elligator2 > > implementation. I've notified some of the authors of the bug. Henry > > and I > > are still investigating the severity of it, but it looks pretty bad and > > we > > think that the decoding of a uniform representative is not resulting in a > > point on the curve. If you're using Elligator right now you should > > probably come talk to me privately. > > > > - We've implemented the algebraic MAC scheme defined in [1], but we're not > > ready to publicly release it, as we're currently dealing with the > > cofactor > > issues mentioned above, and seeking further review. Out of anxiety that > > other projects would actually use our MAC scheme before we've assembled > > some reasoning or proof w.r.t. its security, we're not releasing the code > > publicly yet. > > > > - We've also begun work to construct the anonymous credentials based on the > > above algebraic MACs (defined in the same paper), which we're also not > > releasing yet, for the same reasons as above, and with the additional > > reason that it's not finished yet. > > > > Happy holidays and new year to everyone! > > > > [0]: https://mikehamburg.com/papers/decaf/decaf.pdf > > [1]: https://eprint.iacr.org/2013/516 > > > > Best regards, > > -- > > ♥Ⓐ isis agora lovecruft > > _________________________________________________________ > > OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 > > Current Keys: https://fyb.patternsinthevoid.net/isis.txt > > > > ----- End forwarded message ----- > > -- > ♥Ⓐ isis agora lovecruft > _________________________________________________________ > OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 > Current Keys: https://fyb.patternsinthevoid.net/isis.txt ----- End forwarded message ----- -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://fyb.patternsinthevoid.net/isis.txt
signature.asc
Description: Digital signature
_______________________________________________ tor-reports mailing list tor-reports@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-reports