[tor-dev] augmenting RSA identities/signatures with ECC and beyond

[Jacob Appelbaum]

Hi,

Linus and I had an interesting discussion at IETF 87 this past week in
Berlin. We're both concerned about long term Directory Authority
identity keys as well consensus signing with RSA keys.

We've agreed that we're interested in writing a proposal whereby we add
additional identity keys for authorities. Thus, we'll have whatever
security may be provided by RSA and the security that should be provided
by ECC signatures. The work on ntor should directly assist us in having
almost all the required crypto we'll need for such augmentation.

I tend to think that every directory authority should generate an
additional and new long term ECC identity key. This will require that
tor-gencert is extended to understand both ECC and RSA. We'll want to
add these fingerprints to src/or/config.c for each respective DA.

We'll want each directory authority to sign with both RSA and ECC. We'll
also want to extend the consensus format to handle publication of such
signatures. Older clients should be able to parse the consensus without
worry and they will check RSA signatures as always. Newer clients should
check both and report a mismatch into the logs at a high level. When
combined with ntor, I believe that we will have significantly improved
the cryptography in Tor.

It would be nice to be able to add other signature schemes -
specifically for pq crypto related undertakings. In an ideal world, I'd
like to be able to sign the consensus from my directory authority with
RSA, ECC and some kind of djb approved, tanja tested post-quantum
computer signature construct.

What do you think we should consider as we draft this proposal?

All the best,
Jacob