[tor-bugs] #8106 [Tor]: Make .onion addresses harder to harvest by directory servers

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Oct 9 16:56:26 UTC 2013


#8106: Make .onion addresses harder to harvest by directory servers
------------------------+--------------------------------
     Reporter:  asn     |      Owner:
         Type:  defect  |     Status:  new
     Priority:  major   |  Milestone:  Tor: 0.2.5.x-final
    Component:  Tor     |    Version:
   Resolution:          |   Keywords:  SponsorZ tor-hs
Actual Points:          |  Parent ID:
       Points:          |
------------------------+--------------------------------

Comment (by hyperelliptic):

 Hi everybody.

 Replying to [comment:29 asn]:
 > There might be a smart multiplication somewhere there that would make
 > the unblinded public key disappear from the equation, but I don't see it
 > currently.
 >
 Yes, the equation changes. The initial version had some divisions, which
 will not be so good performance-wise. So, here is how it works without
 blinding the base point:

 General system setup: base point B on elliptic curve, B has prime order
 l.

 Signer knows: a (secret key), h = blinding factor of the day
 = hash(date,A,B), where date is given in some agreed-upon precision.
 Long-term public key (known to the user): A=aB
 Public key of the day: A'=hA=(ha)B
 This means that the secret key of the day is (ha).

 Signature which is valid under A':

 Pick random r (or better, compute it in some deterministic manner, see
 EdDSA paper),
 compute R=rB, compute S=r+hash(R,A',M)ah mod l, send signature (R,S) and
 public key A'

 Verify at DS: check whether SB=R+hash(R,A',M)A'.
 This works for a valid signature since
 SB=(r+hash(R,A',M)ah)B=rB+(hash(R,A',M)ah)B=R+hash(R,A',M)A'

 Verify by user: User knows A and date, so can compute A' to query DS. Can
 verify signature the same way as DS does.

 All the best
   Tanja

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8106#comment:30>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
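
The blinded-key signature described in the comment above, carried through as an added example (not part of the original message and not Tor's code). Assumptions: the group is the Ed25519 curve with its standard base point, hash() is SHA-512 over a constructed encoding reduced mod l, and r is derived deterministically in a simplified way.

```python
import hashlib

# Assumed group: Ed25519 curve -x^2 + y^2 = 1 + d*x^2*y^2 over GF(p); B has prime order l.
p = 2**255 - 19
l = 2**252 + 27742317777372353535851937790883648493
d = -121665 * pow(121666, -1, p) % p

def recover_x(y):                      # even square root of (y^2-1)/(d*y^2+1)
    xx = (y * y - 1) * pow(d * y * y + 1, -1, p) % p
    x = pow(xx, (p + 3) // 8, p)
    if (x * x - xx) % p:
        x = x * pow(2, (p - 1) // 4, p) % p
    return p - x if x & 1 else x

By = 4 * pow(5, -1, p) % p
B = (recover_x(By), By)

def add(P, Q):                         # complete affine Edwards addition
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2 % p
    return ((x1 * y2 + x2 * y1) * pow(1 + t, -1, p) % p,
            (y1 * y2 + x1 * x2) * pow(1 - t, -1, p) % p)

def mul(k, P):                         # double-and-add, NOT constant time
    R = (0, 1)
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def H(*parts):                         # constructed encoding, not a Tor format
    data = b"|".join(x if isinstance(x, bytes) else repr(x).encode() for x in parts)
    return int.from_bytes(hashlib.sha512(data).digest(), "little") % l

def daily_pub(A, date):                # A' = hA with h = hash(date, A, B)
    return mul(H(date, A, B), A)

def sign(a, date, M):
    A = mul(a, B)
    h = H(date, A, B)
    Ap = mul(h, A)                     # equals (ha)B
    r = H(b"nonce", a, h, M)           # deterministic r (simplified derivation, an assumption)
    R = mul(r, B)
    S = (r + H(R, Ap, M) * a * h) % l
    return Ap, (R, S)

def verify(Ap, M, sig):                # DS and user both check SB = R + hash(R,A',M)A'
    R, S = sig
    return mul(S, B) == add(R, mul(H(R, Ap, M), Ap))
```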