Re: [tor-dev] Quantum-safe Hybrid handshake for Tor
On Sat, 2 Apr 2016 18:48:24 -0400 Jesse V wrote: > Again, I have very little understanding of post-quantum crypto and I'm > just starting to understand ECC, but after looking over > https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and > skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be > patented, it's reasonably fast, it uses the smallest bandwidth, and it > offers perfect forward secrecy. It seems to me that SIDH actually has > more potential for making it into Tor than any other post-quantum > cryptosystem. Your definition of "reasonably fast" doesn't match mine. The number for SIDH (key exchange, when the thread was going off on a tangent about signatures) is ~200ms. A portable newhope (Ring-LWE) implementation[0] on my laptop can do one side of the exchange in ~190 usec. Saving a few cells is not a good reason to use a key exchange mechanism that is 1000x slower (NTRUEncrypt is also fast enough to be competitive). nb: Numbers are rough, and I don't have SIDH code to benchmark. newhope in particular vectorizes really well and the AVX2 code is even faster. -- Yawning Angel [0]: My version of the reference code. I do use SSE2 in the ChaCha20 implementation, but anything that doesn't support enough vector processing for a fast ChaCha20 belongs in a museum, and not on the internet. pgpiLrodBbwaW.pgp Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Advice regarding Cloudflare
On Sat, 2 Apr 2016 22:31:29 -0700 Ryan Carboni wrote: > On the Tor side, a way to minimize abuse is for exit nodes not to > allow multiple IP addresses from a single circuit. This would make web > crawling with Tor expensive, although it will disable the ability for > a single tab to use a single exit node. No. a) This increases the load on the Tor network, as circuit creation is CPU intensive, and exit nodes tend to be under load. b) In your magic world, how would accessing any site that uses multiple hosts for content to work? Eg: Say https://www.example.com/index.html pulls in static assets from cdn.example.com, google's copy of jquery, and an embedded youtube video. All of these things should be fetched over the same circuit (and will be currently). The one upside to what you want is that it's possible that Hanlon's Razor applies (as opposed to the people that seem to think that Exits should actively combat abuse by having the capability for censorship). Regards, -- Yawning Angel pgpej7J0FtsRN.pgp Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
[tor-dev] Advice regarding Cloudflare
I could see why cloudflare is annoyed with you, you are annoying activists from their perspective, although you folks aren't chaining yourselves to coal power plants . But I also use Tor from time to time, so I'll offer some advice. On the Tor side, a way to minimize abuse is for exit nodes not to allow multiple IP addresses from a single circuit. This would make web crawling with Tor expensive, although it will disable the ability for a single tab to use a single exit node. Another method is to request a sort of proof of work on the Cloudflare side. Given current protocols, the simplest would be to require ECDHE with secp521r1 with each Tor connection and disallow unencrypted connections. It will be more bearable than a captcha. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Quantum-safe Hybrid handshake for Tor
I just want to note you only need an algorithm that protects against 2^80 quantum operations for short-term keys. Regardless, I doubt anyone is going to be spending a billion dollars to crack data sent over a single Tor connection. ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Quantum-safe Hybrid handshake for Tor
On 02/03/2016 12:12 PM, Jeff Burdges wrote: > I donno that you'll ever beat that 1kb key size with a post-quantum > system. There is a lattice based signature scheme and an isogeny based > scheme that'll both beat SPHINCS on signature sizes, but I think not so > much on key size. I just wanted to resurrect this old thread to point out that supersingular isogeny key exchange (SIDH) is the isogeny scheme that you're referring to. Using a clever compression algorithm, SIDH only needs to exchange 3072 bits (384 bytes) at a 128-bit quantum security level. This beats SPHINCS by a mile and unlike NTRUEncrypt, fits nicely into Tor's current cell size. I don't know about key sizes, though. If I recall correctly, SIDH's paper also references the "A quantum-safe circuit-extension handshake for Tor" paper that lead to this proposal. Again, I have very little understanding of post-quantum crypto and I'm just starting to understand ECC, but after looking over https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be patented, it's reasonably fast, it uses the smallest bandwidth, and it offers perfect forward secrecy. It seems to me that SIDH actually has more potential for making it into Tor than any other post-quantum cryptosystem. -- Jesse V signature.asc Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
On Sat, Apr 02, 2016 at 07:19:30PM +, Yawning Angel wrote: > It's not a request header set by the browser. archive.is is acting > like a HTTP proxy and explicitly setting X-F-F. I wonder what would happen if the browser *also* set X-F-F...? ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
On Sat, 02 Apr 2016 17:00:10 + ban...@openmailbox.org wrote: > webcitation.org is an archive.is alternative. Potentially it doesn't > forward request headers (?) It's not a request header set by the browser. archive.is is acting like a HTTP proxy and explicitly setting X-F-F. From the FAQ: But take in mind that when you archive a page, your IP is being sent to the the website you archive as though you are using a proxy (in X-Forwarded-For header). This feature allows websites (e.g shops or the sites with weather forecast) target your region, not mine. If there's an easy way to automate requests to other cache/archive services, I will integrate them when I have time[0]. As far as I've seen archive.is has a fairly principled stance on what they will and will not host (The takedown policies listed on webcitation.org don't particularly give me warm and happy feelings), so unless things become unworkable, I'm likely to leave it as the default for the foreseeable future. Regards, -- Yawning Angel [0]: cfc is FOSS, patches accepted. pgp2mzv5_3mJW.pgp Description: OpenPGP digital signature ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
Re: [tor-dev] Request for feedback/victims: cfc-0.0.2
On 2016-04-01 18:06, Yawning Angel wrote: On Fri, 01 Apr 2016 18:21:10 +0200 Jeff Burdges wrote: Are there any more sites where CloudFalre appears on archive.is? https://www.aei.org/publication/gen-michael-hayden-on-apple-the-fbi-and-data-encryption/ ​https://archive.is/7u5P8 It's some particularly harsh CloudFlare configuration perhaps? Without knowing how archive.is works, and how CloudFlare works, it's hard to tell. Since archive.is sets "X-Forwarded-For", it's not particularly hard to figure out if a Tor user is the one requesting a snapshot. I requested a new snapshot and the captcha error page in the archive shows that the IP of my exit, so part of the ClouldFlare infrastructure at least peeks at the header. I'll probably add support for other (user-configurable?) cached content providers when I have time. The archive.is person doesn't seem to want to respond to e-mail, so asking them to optionally not set X-F-F, seems like it'll go absolutely nowhere. Regards, webcitation.org is an archive.is alternative. Potentially it doesn't forward request headers (?) ___ tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev