[tor-dev] New paper by Goldberg, Stebila, and Ostaoglu with proposed circuit handshake

Ian Goldberg iang at cs.uwaterloo.ca
Wed May 11 22:10:26 UTC 2011

On Wed, May 11, 2011 at 03:42:30PM -0400, Nick Mathewson wrote:
> RIght.  If we can get away with something faster than HMAC_SHA256
> here, I'd love to move to it.  SHA3 is right around the corner, and
> most of the candidates seem to allow better constructions for
> "tweakability" than HMAC.
> Would this make a difference, actually?  Let's see.  Looking at the
> numbers from my desktop and doing some back-of-the-envelope
> calculations.
> I would expect the old handshake to take, total, about 3500
> microseconds.  (This is counting both client and server crypto.)
> If we tried to do that with 2048-bit keys, it would take, total, about
> 14700 microseconds.
> And I would expect the new handshake to take, total, something like
> 830 microseconds.  That's more than 4x faster than the old one, and
> more than 17x faster than the old one using keys with equivalent
> security.  (Nice!)
> Of that 830 microseconds, I'd spend something like 3-5% doing SHA256
> hashes.  So it might not be worthwhile spending too much time
> optimizing the number of hashes here.

You're totally right.  No sense stressing about how many hash blocks
we're processing.

Remember also that if you have non-black-box access to the
exponentiation routine, the server can compute X^y and X^b
simultaneously.  That will make a bigger difference in time, but is not
really relevant from a spec-level standpoint.

   - Ian

More information about the tor-dev mailing list