[tor-dev] Improved circuit-setup protocol [was: Re: Designing and implementing improved circuit-setup protocol [was: GSoC 2011]]
Nick Mathewson
nickm at freehaven.net
Thu Apr 7 22:13:45 UTC 2011
On Thu, Apr 7, 2011 at 5:18 PM, Nick Mathewson <nickm at freehaven.net> wrote:
[...]
> Here's a first cut of what I think might go in a hypothetical
> diffie-hellman based handshake
I'm deliberately *not* using MQV, HMQV, FHMQV, etc etc here. They're
faster than the "Just do DH twice" thing I wrote up, but the patent
situation seems unfavorable from what I can tell. Also, curve25519 is
about 5x faster than our current 1024-bit DH, and about 11 times
faster than the 1536-bit DH we'd probably want to move towards for an
upgraded variant of our current RSA+DH handshake. So replacing an RSA
and a DH with two ECC DH operations seems a fine thing to do, assuming
that we decide that curve25519 is a good idea for us.
> In both cases, we'll want a new key derivation function.
Oh! Also, for a bit of redundancy, I'm thinking that the symmetric
crypto parts of the improved onion handshakes ought to use a less
malleable mode of operation than the counter-mode stuff we do now.
Perhaps we could make use of an all-or-nothing mode of operation like
LIONESS or biIGE. (They're both slower than counter mode, but for
purposes of CREATE cells, I don't think the hit will matter in
comparison with the cost of the public-key operations.)
--
Nick
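The malleability point behind the suggestion of an all-or-nothing mode, as an added demonstration that is not code from this thread or from Tor: in counter mode a flipped ciphertext bit flips exactly the corresponding plaintext bit, whereas in LIONESS (Anderson and Biham) any change to the ciphertext garbles the whole block. The stream cipher S below is a constructed stand-in built from HMAC-SHA256 run in counter mode (not AES-CTR), H is HMAC-SHA256, and the keys and 64-byte message are constructed sample data.

```python
"""CTR-mode malleability versus LIONESS (added illustration, toy primitives)."""
import hashlib
import hmac

HASH_LEN = 32   # LIONESS left half is one hash output wide


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher S: HMAC-SHA256 over a counter (stand-in, not AES)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def h(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return xor(data, keystream(key + nonce, len(data)))


ctr_decrypt = ctr_encrypt   # CTR is symmetric


def lioness_encrypt(k1, k2, k3, k4, data: bytes) -> bytes:
    """LIONESS: two stream-cipher and two hash rounds over halves L and R."""
    l, r = data[:HASH_LEN], data[HASH_LEN:]
    r = xor(r, keystream(xor(l, k1), len(r)))
    l = xor(l, h(k2, r))
    r = xor(r, keystream(xor(l, k3), len(r)))
    l = xor(l, h(k4, r))
    return l + r


def lioness_decrypt(k1, k2, k3, k4, data: bytes) -> bytes:
    """Same rounds in reverse order."""
    l, r = data[:HASH_LEN], data[HASH_LEN:]
    l = xor(l, h(k4, r))
    r = xor(r, keystream(xor(l, k3), len(r)))
    l = xor(l, h(k2, r))
    r = xor(r, keystream(xor(l, k1), len(r)))
    return l + r


def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    b = bytearray(data)
    b[byte_index] ^= 1 << bit
    return bytes(b)


def bytes_changed(a: bytes, b: bytes) -> int:
    return sum(x != y for x, y in zip(a, b))


def malleability_demo(byte_index: int = 40, bit: int = 0):
    """Return (bytes damaged under CTR, bytes damaged under LIONESS)."""
    keys = [hashlib.sha256(bytes([i])).digest() for i in range(4)]   # constructed
    plaintext = bytes(range(64))                                     # constructed
    c = ctr_encrypt(keys[0], b"nonce", plaintext)
    ctr_damage = bytes_changed(
        plaintext, ctr_decrypt(keys[0], b"nonce", flip_bit(c, byte_index, bit)))
    c2 = lioness_encrypt(*keys, plaintext)
    lioness_damage = bytes_changed(
        plaintext, lioness_decrypt(*keys, flip_bit(c2, byte_index, bit)))
    return ctr_damage, lioness_damage


if __name__ == "__main__":
    print("bytes damaged by one flipped ciphertext bit (CTR, LIONESS):",
          malleability_demo())
```

Under CTR the attacker's one-bit change survives decryption as a one-bit change the receiver cannot distinguish from an honest message; under LIONESS the same flip leaves nothing recognisable, so an undetected targeted modification of a handshake field is not possible. The all-or-nothing property costs two extra passes over the data, which is the performance trade-off the message notes.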