[tor-reports] October - November 2016 Report for Tor Bridge Distribution

isis agora lovecruft isis at torproject.org
Tue Dec 20 02:46:07 UTC 2016


The following progress was made in October and November 2016:

 - Began implementing the crypto needed for the social distributor, as well as
   writing documentation describing it. [0] [1]

   In light of the history of attacks on pairing-friendly curves combined with
   the recent pseudo-MOV attack which solves discrete logarithms in the
   embedding field of the pairing (where the embedding field is of small
   degree), [2] I decided to avoid pairings altogether and use an
   attribute-based credential scheme based on algebraic MACs. [3]  The
   construction of this scheme required a library for working with points on
   an elliptic curve, [4] which Henry de Valence and I have implemented in
   Rust, using a curve25519 in Edwards form.  Henry has made more detailed
   announcement of our curve25519-dalek library on the curves mailing list,
   [5] and our documentation is also available online. [6]

   The next steps for the social distributor are to implement:

   * hashing to a point on the curve (elligator2),
   * the algebraic MAC scheme,
   * Schnorr-style zero-knowledge proofs of knowledge of discrete logarithms,
   * a blind signature scheme, and
   * (maybe) a better point (de-)compression scheme, in order to eliminate the
     need to worry about the cofactor (if possible for cofactor 8).

   This may sound like a lot of work, but it really shouldn't be, now that the
   library is in a somewhat usable, if not HIGHLY EXPERIMENTAL AND UNREVIEWED,
   state.  (On that note: we'd also like to humbly request code review.  If
   you're up for this, please email me.)

   This work is potentially applicable to other OTF and internet freedom
   projects, including Tor (if we ever allow linking against Rust code) and
   Signal.  After a meeting with Trevor Perrin, we've also added to our todo
   list (probably after this project is done, so with alternate funding) to
   incorporate into curve25519-dalek some additional functionality required
   for the Signal protocol.

[0]: https://bugs.torproject.org/7520
[1]: https://people.torproject.org/~isis/papers/rBridge:%20User%20Reputation%20based%20Tor%20Bridge%20Distribution%20with%20Privacy%20Preservation.copy%20with%20notes.pdf
[2]: https://arxiv.org/pdf/1605.07746.pdf
[3]: https://eprint.iacr.org/2013/516
[4]: https://github.com/isislovecruft/curve25519-dalek
[5]: https://moderncrypto.org/mail-archive/curves/2016/000830.html
[6]: https://docs.rs/curve25519-dalek/

Best Regards,
 ♥Ⓐ isis agora lovecruft
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1240 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20161220/d1899a78/attachment.sig>

More information about the tor-reports mailing list