Removing 1 modular exponentiation

Watson Ladd watsonbladd at
Tue Feb 20 02:06:57 UTC 2007

James Muir wrote:
>>> Putting the security of the scheme aside, one question that comes to
>>> mind is how Alice (the OP) is going to get an authentic copy of Ricky's
>>> DH public key, y.  One way to do this is to include it in the router
>>> descriptors.  But then we have to ask if it's worth adding a new public
>>> key for each OR to the Tor PKI to just save one exponentiation during
>>> session key agreement.
>>> -James
>> We already distribute different keys for the current protocol. But the
>> one I proposed is insecure so we might as well forget about it. Schnorr
>> signatures are secure and are intended for this purpose, but we can only
>> use them after 2008.
> The way things are done now, each OR has two public keys in its router
> descriptor.  You are, I think, suggesting that another be added.  I was
> just wondering if you had considered the extra bandwidth load this puts
> on the directory servers.  If the extra load is substantial (maybe it
> isn't, I don't know), then maybe we shouldn't give the ORs another
> public key to manage just to save one 1024-bit exponentiation.
> -James
I was suggesting replacing the second key with the new key.

More information about the tor-talk mailing list