[tor-dev] New paper by Goldberg, Stebila, and Ostaoglu with proposed circuit handshake

Nick Mathewson nickm at freehaven.net
Fri May 6 14:50:05 UTC 2011

Crypto people who have been following threads about the
circuit-establishment handshake will be interested in the new paper,
"Anonymity and one-way authentication in key-exchange protocols", by
Goldberg, Stebila, and Ostaoglu. Here's the version they updated


If we're moving to an improved handshake, this might be a good
candidate to consider.  The protocol itself is on page 14.

Some notes, written by a guy who knows less crypto than everybody involved:

  * It's a pure Diffie-Hellman based system, which would lend itself
nicely to use with ECC.

  * It seems to require the same number of exponentiations as our
current system, but Ian Goldberg notes that if you want to compute X^a
and X^b at the same time you can do so more efficiently by taking into
account the shared base.

  * The security proof requires that the Gap DH assumption holds over
the group -- basically, that computing the Decisional DH problem is
easy, but computing the Computational DH problem is hard.  This
assumption isn't true of most basic ECC groups -- I think it means you
need to use a pairing-based system instead for the proof to hold. I'd
bet that the authors aren't seriously suggesting that we use
pairing-based crypto, but I'm wondering how much they were able to
prove in groups where DDH is hard.

  * I haven't read over the security model closely yet; folks should
review it for reasonableness.

  * I'm hoping to write this up as a proposed spec soon, unless Ian or
somebody wants to give it a shot.

