[tor-dev] [draft] Proposal 220: Migrate server identity keys to Ed25519

Nick Mathewson nickm at alum.mit.edu
Wed Aug 14 01:49:18 UTC 2013


On Tue, Aug 13, 2013 at 4:19 PM, grarpamp <grarpamp at gmail.com> wrote:
> Thought I'd note seeing some projects xor different
> encryption types together, usually for stream encryption,
> so as to not rest all on one. That's not to suggest such
> ideas might be of use within Tor, just something seen when
> balancing what to use arises.

Yeah; this isn't about stream encryption, though.  It's about signatures.

For signature schemes, the equivalent approach would be to use two
different signature algorithms at once, and only accept the signatures
when they're valid according to both.  I'm kind of doing that in this
proposal, I guess, by having documents signed with Ed25519 and
RSA1024... but one of the signatures is much better than the other:
255-bit ECC groups will be secure long after RSA1024 has fallen.

I suppose we could come up with a scheme that would introduce *two*
new signature schemes at once, choosing them such that it would be
very unlikely for them both to fall at the same time ... but I'm not
sure that the engineering burden there would have a commensurate
payoff.


(I'm also a little surprised that nobody has said we should be using
Keccak or Blake2 in place of SHA256/SHA512 here. ;) )

best wishes,
-- 
Nick
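
The acceptance rule described in the message above (two signature algorithms, accept only when both verify), as an added Go example that is not part of the original email or of Tor's code. The `DualSigned` type, the function names and the sample documents are assumptions, and RSA-2048 with PKCS#1 v1.5 over SHA-256 stands in for the legacy RSA1024 signature.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

type DualSigned struct{ Doc, EdSig, RSASig []byte } // hypothetical container: one document, two signatures

// SignBoth signs doc with Ed25519 and with RSA PKCS#1 v1.5 over SHA-256(doc).
func SignBoth(doc []byte, ed ed25519.PrivateKey, rk *rsa.PrivateKey) (DualSigned, error) {
	h := sha256.Sum256(doc)
	rs, err := rsa.SignPKCS1v15(rand.Reader, rk, crypto.SHA256, h[:])
	return DualSigned{Doc: doc, EdSig: ed25519.Sign(ed, doc), RSASig: rs}, err
}

// VerifyBoth accepts only when both signatures verify; a missing signature is a failure, not a skipped check.
func VerifyBoth(d DualSigned, ed ed25519.PublicKey, rk *rsa.PublicKey) bool {
	if len(d.EdSig) == 0 || len(d.RSASig) == 0 {
		return false
	}
	h := sha256.Sum256(d.Doc)
	rsaOK := rsa.VerifyPKCS1v15(rk, crypto.SHA256, h[:], d.RSASig) == nil
	return ed25519.Verify(ed, d.Doc, d.EdSig) && rsaOK
}

// Scenarios checks constructed documents against freshly generated keys.
func Scenarios() (map[string]bool, error) {
	edPub, edPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherEd, _ := ed25519.GenerateKey(rand.Reader) // an Ed25519 key the signer does not own
	rk, err := rsa.GenerateKey(rand.Reader, 2048)     // RSA1024 in the email; size does not change the logic
	if err != nil {
		return nil, err
	}
	good, _ := SignBoth([]byte("constructed descriptor"), edPriv, rk)
	rsaOnly, _ := SignBoth([]byte("constructed forgery"), otherEd, rk) // models the weaker scheme having fallen
	tampered, stripped := good, good
	tampered.Doc, stripped.EdSig = []byte("altered descriptor"), nil
	res := map[string]bool{}
	for name, d := range map[string]DualSigned{"both valid": good, "rsa valid only": rsaOnly, "tampered": tampered, "ed25519 stripped": stripped} {
		res[name] = VerifyBoth(d, edPub, &rk.PublicKey)
	}
	return res, nil
}

func main() { fmt.Println(Scenarios()) }
```

Only the "both valid" case is accepted: a document whose RSA signature checks out but whose Ed25519 signature does not is rejected, so the pair holds as long as the stronger scheme does.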

