Removing 1 modular exponentiation

James Muir jamuir at
Mon Feb 19 22:34:30 UTC 2007

>> putting the security of the scheme aside, one question that comes to
>> mind is how Alice (the OP) is going to get an authentic copy of Ricky's
>> DH public key, y.  One way to do this is to include it in the router
>> descriptors.  But then we have to ask if it's worth adding a new public
>> key for each OR to the Tor PKI to just save one exponentiation during
>> session key agreement.
>> -James
> We already distribute different keys for the current protocol. But the
> one I proposed is insecure so we might as well forget about it. Schnorr
> signatures are secure and are intended for this purpose, but we can only
> use them after 2008.

the way things are done now, each OR has two public keys in its router 
descriptor.  you are, I think, suggesting that another be added.  I was 
just wondering if you had considered the extra bandwidth load this puts 
on the directory servers.  If the extra load is substantial (maybe it 
isn't, i don't know), then maybe we shouldn't give the ORs another 
public key to manage just to save one 1024-bit exponentiation.


More information about the tor-talk mailing list