[tor-bugs] #8089 [Stegotorus]: Implement the handshake and key exchange as described in the paper
Tor Bug Tracker & Wiki
blackhole at torproject.org
Wed Jan 30 22:36:25 UTC 2013
#8089: Implement the handshake and key exchange as described in the paper
------------------------+---------------------------------------------------
Reporter: vmon | Owner: zwol
Type: defect | Status: new
Priority: critical | Milestone:
Component: Stegotorus | Version:
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
Comment(by rransom):
You can use Curve25519 instead of Möller's binary curve -- 3 is a
generator of the ‘twist’ group; 4 generates the main group.
For curve25519-donna, remove the part of `curve25519_donna` that masks the
secret key bits. The scalar-multiplication loop in curve25519-donna (as
of commit 6c6251ead7366d4499856c543a2de3e3dfadc4e4) will correctly compute
arbitrary multiples of a point without further changes.
For '''all''' Curve25519 implementations, clear the high (2^255^) bit of
the curve point before calling the scalar-multiply routine.
curve25519-donna ignores that bit when ‘unpacking’ a coordinate-field
element; DJB's software might not ignore it. Clearing the bit should work
with all implementations.
Note that if you use ''any implementation other than curve25519-donna'',
you'll need to both hack out any exponent-munging '''and''' look closely
at the main loop to make sure it doesn't assume that the exponent has had
the bit-munging DJB specifies applied to it. (An implementation can save
a small amount of time by skipping the differential addition in the last
three iterations if the exponent is known to have its three low bits
cleared.)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8089#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list