[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Quantum-safe Hybrid handshake for Tor



On Sat, 2 Apr 2016 18:48:24 -0400
Jesse V <kernelcorn@xxxxxxxxxx> wrote:
> Again, I have very little understanding of post-quantum crypto and I'm
> just starting to understand ECC, but after looking over
> https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and
> skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be
> patented, it's reasonably fast, it uses the smallest bandwidth, and it
> offers perfect forward secrecy. It seems to me that SIDH actually has
> more potential for making it into Tor than any other post-quantum
> cryptosystem.

Your definition of "reasonably fast" doesn't match mine.  The number
for SIDH (key exchange, when the thread was going off on a tangent
about signatures) is ~200ms.

A portable newhope (Ring-LWE) implementation[0] on my laptop can do one
side of the exchange in ~190 usec.  Saving a few cells is not a good
reason to use a key exchange mechanism that is 1000x slower
(NTRUEncrypt is also fast enough to be competitive).

nb: Numbers are rough, and I don't have SIDH code to benchmark.
newhope in particular vectorizes really well and the AVX2 code is even
faster.

-- 
Yawning Angel

[0]: My version of the reference code.  I do use SSE2 in the ChaCha20
implementation, but anything that doesn't support enough vector
processing for a fast ChaCha20 belongs in a museum, and not on the
internet.

Attachment: pgpvd3uwqikXa.pgp
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev