On Thu, Apr 7, 2011 at 5:18 PM, Nick Mathewson nickm@freehaven.net wrote: [...]
Here's a first cut of what I think might go in a hypothetical Diffie-Hellman-based handshake.
I'm deliberately *not* using MQV, HMQV, FHMQV, etc etc here. They're faster than the "Just do DH twice" thing I wrote up, but the patent situation seems unfavorable from what I can tell. Also, curve25519 is about 5x faster than our current 1024-bit DH, and about 11 times faster than the 1536-bit DH we'd probably want to move towards for an upgraded variant of our current RSA+DH handshake. So replacing an RSA and a DH with two ECC DH operations seems a fine thing to do, assuming that we decide that curve25519 is a good idea for us.
In both cases, we'll want a new key derivation function.
Oh! Also, for a bit of redundancy, I'm thinking that the symmetric crypto parts of the improved onion handshakes ought to use a less malleable mode of operation than the counter-mode stuff we do now. Perhaps we could make use of an all-or-nothing mode of operation like LIONESS or BiIGE. (They're both slower than counter mode, but for purposes of CREATE cells, I don't think the hit will matter in comparison with the cost of the public-key operations.)
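Added example (not Nick's elided draft and not Tor's actual design): one natural reading of "just do DH twice" on curve25519, with the client's ephemeral key run against both the relay's long-term key and a relay ephemeral, and the two products fed through an HMAC-based extract-then-expand KDF standing in for the "new key derivation function". The message flow, the KDF salt and the key binding in `info` are assumptions of this example; `x25519` follows the RFC 7748 ladder.

```python
import hashlib
import hmac

P = 2**255 - 19          # field prime for curve25519
A24 = 121665             # (A - 2) / 4 for the Montgomery constant A = 486662
BASE = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k); k[0] &= 248; k[31] &= 127; k[31] |= 64
    return int.from_bytes(k, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication on curve25519 (RFC 7748 Montgomery ladder).
    Teaching code: the Python branch on `swap` is not constant time."""
    k_int = _clamp(k)
    x1 = int.from_bytes(bytes(u[:31]) + bytes([u[31] & 127]), "little") % P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k_int >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def kdf(secret: bytes, info: bytes, n: int) -> bytes:
    """Extract-then-expand over HMAC-SHA256; a stand-in for the proposed new KDF (assumed salt)."""
    prk = hmac.new(b"constructed-example-salt", secret, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, (n + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:n]

def two_dh_handshake(x: bytes, y: bytes, b: bytes) -> tuple:
    """'Do DH twice': client ephemeral x against the relay's long-term b and ephemeral y.
    Assumed flow: client sends X, relay replies Y. Returns (client_keys, relay_keys)."""
    X, Y, B = (x25519(k, BASE) for k in (x, y, b))
    client_secret = x25519(x, B) + x25519(x, Y)   # client: two DH with its single secret
    relay_secret = x25519(b, X) + x25519(y, X)    # relay: same values from its two secrets
    info = X + Y + B                              # bind the derived keys to all three public values
    return kdf(client_secret, info, 64), kdf(relay_secret, info, 64)
```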