I'd imagine everyone in this thread knows this, but New Hope requires that "both parties use fresh secrets for each instantiation". I suppose any key exchanges designed around this meshes well enough with ntor, so that's okay. It leaves you relying on ECDH for the key exchange with long term key material though. I have not read the papers on doing Ring-LWE key exchanges with long term key material, but presumably they increase the key side. On Wed, 2016-04-20 at 19:00 +0000, Yawning Angel wrote: > And my gut feeling is RingLWE will have performant, well defined > implementations well before SIDH is a realistic option. This is undoubtedly true because too few people are looking into SIDH. I've been chatting with Luca about writing a "more production ready" implementation, like optimizing the GF(p^2) field operations and things. If that happens, maybe it'll spur more interest. There is some chance SIDH might wind up being preferable for key exchanges with long term key material. Jeff
Attachment:
signature.asc
Description: This is a digitally signed message part
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev