[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] Quantum-safe Hybrid handshake for Tor



On Wed, 20 Apr 2016 18:30:14 +0000 (UTC)
lukep <lukep@xxxxxxxxxxxx> wrote:
> Beware that the definition of newhope has changed! The authors have
> published a new version of this paper and some of the numbers are
> different. The parameter for the binomial distribution has changed
> from 12 to 16, the probability of failure has changed from 2^-110 to
> 2^-64, the core hardness of the attack has increased from 186 to 206
> bits on a quantum computer, and the timings have increased slightly
> too.

I track the paper and reference code in the implementation I maintain.
FWIW, the performance hasn't changed noticeably, unless there's
something newer than 20160328.

> I'm not sure that the newhope algorithm has settled down yet. There's
> also a new paper on IACR called "How (not) to instantiate ring-LWE"
> which has some ideas on how to choose the error distribution - this
> might mean that newhope has to change again??

Most of the changes since the paper has been released have been minor.
The last major algorithmic change I'm aware of was 20151209 which
altered the reconciliation mechanism (I don't particularly count the
March changes that changed the on-the-wire encoding format to be
major, it's just a more compact way to send the same things).

Kind of a moot point since by the time any of this will actually be
used in core tor things would have settled.  And my gut feeling is
RingLWE will have performant, well defined implementations well before
SIDH is a realistic option.

Regards,

-- 
Yawning Angel

Attachment: pgpFCD13VdQVW.pgp
Description: OpenPGP digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev