[tor-dev] Proposal 223: Ace: Improved circuit-creation key exchange

Paul Syverson paul.syverson at nrl.navy.mil
Wed Nov 20 17:19:48 UTC 2013

On Wed, Nov 20, 2013 at 08:36:30AM -0800, Watson Ladd wrote:
> Is it just me, or is this protocol MQV with the client generating a
> fake long term key?

Well yeah sort of, but the "details" are crucial. In "Improving
efficiency and simplicity of Tor circuit establishment and hidden
services" (available on www.syverson.org or the anonbib) Lasse and I
and presented a similar protocol and explicitly described how the
similarity to and basis in MQV was a hopeful indicator that it was
sound. But we didn't do a proper security analysis (in any model) in
that paper, leaving that for future work. These authors found a
vulnerability in that protocol, improved on it, and proved their
protocol secure.


More information about the tor-dev mailing list