[tor-bugs] #7202 [Tor]: Implement ntor handshake or its successor

Tor Bug Tracker & Wiki blackhole at torproject.org
Thu Dec 13 21:03:27 UTC 2012 

#7202: Implement ntor handshake or its successor
--------------------------------+-------------------------------------------
 Reporter:  karsten             |          Owner:                    
     Type:  project             |         Status:  needs_review      
 Priority:  normal              |      Milestone:  Tor: 0.2.4.x-final
Component:  Tor                 |        Version:                    
 Keywords:  SponsorZ tor-relay  |         Parent:                    
   Points:                      |   Actualpoints:                    
--------------------------------+-------------------------------------------

Comment(by nickm):

 Ian just gave me permission to post this from personal email:

 >There are three ways a point can be "bad":
 >
 >1. point at infinity
 >2. on the curve, but not in the prime-order subgroup
 >3. not on the curve at all

 >If each side generates their private keys with the low 3 bits set to 0,
 then after any exponentiation, the component outside the prime-order
 subgroup will vanish, as both the group and the twist group are of the
 form Z_k x Z_p for a small k that's either 4 or 8 (group or twist), and a
 large prime p.  So what's important is that the component in the prime
 subgroup is nontrivial.  Checking for all-0 bytes after the exponentiation
 will cover that.  So that deals with (1) and (2) above. [Well, it will
 allow points not in the subgroup as long as they have a non-zero component
 in the subgroup.  But that's OK.  It just means there are 4 or 8 ways to
 represent on the wire any particular point in the group.]
 >
 >The other question is what do you do if you get a point that's actually
 on the twist curve, and not on the main curve at all (3).  I'm pretty sure
 in that case (where one side is honest and generated points on the main
 curve, but the other side generated points on the twist), the dishonest
 party won't be able to generate the same secret as the honest party, as
 the honest party will take the dishonest party's public key to the power
 of something, yielding a point on the twist, while the dishonest party
 will get a public key on the main curve from the honest party, and won't
 be able to generate the corresponding point on the twist.  So I think you
 can just ignore this problem entirely, as the handshake will fail.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/7202#comment:15>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list