[tor-access] deanonymizaton attacks
Jeff Burdges
burdges at gnunet.org
Wed Oct 5 00:24:08 UTC 2016
I've sent a bunch of emails to the tor-access list rather quickly, but
just to reiterate the most important part :
There are two very serious deanonymizaton attacks in the spec as written
so far.
First, if one does not use a blinding factor indistinguishable from
random that ranges over precisely the domain Z mod n, then you leak 1
bit per token to the mint.
Second, if one does not check the GCD of both the hash and the blinding
factor* with the RSA modulus n, then one potentially leaks even more
bits vs a malicious RSA key made from two bigish primes and several
smaller primes.
In both case, any leaked bits accumulate as you spend multiple tokens,
or via an intersection attack, which quickly deanonymizes users.
If one checks out GNUNet's svn repository, then one could find my
commits that address these attacks in Taler by running :
svn log gnunet/src/util/crypto_rsa.c | less
Just wanted to reiterate this to it didn't get buried in all the minor
concerns.
Jeff
* Inversion mod n might catch this on the blinding factor side, but
doing it that way might give worse error reporting.
p.s. I looked more seriously at blind BLS signatures, seemingly not as
bad as I'd feared, although the public key validation issues are likely
to remain tougher than one normally expects, especially for this
application.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part
URL: <http://lists.torproject.org/pipermail/tor-access/attachments/20161004/01933596/attachment.sig>
More information about the tor-access
mailing list