Re: [tor-dev] PQ crypto updates



On Tue, 22 Aug 2017 20:47:06 +0200
Peter Schwabe <peter@xxxxxxxxxxxxxx> wrote:
> Yawning Angel <yawning@xxxxxxxxxxxxxxx> wrote:
> 
> Hi Yawning, hi all,
> 
> > Ultimately none of this matters because Prop. 261 is dead in the
> > water.  Assuming people want the new cell crypto to be both fragile
> > and to resist tagging attacks, Farfalle may be a better choice,
> > assuming there's a Keccak-p parameterization such that it gives
> > adequate performance.  
> 
> At what number of cycles/block on what architecture(s) would you call
> the performance "adequate"?

Note, I'm not hating on Farfalle, I need to look at it more, and the
last time I gave serious thought to this question in a Tor context was
back around the time Prop 261 was being drafted.

The answer to this from my point of view is "not slow to the point
where the network falls over", which I'll admit is extremely handwavy,
but truth be told, I have no idea what fraction of the relays are on
what microarchitectures these days.

Looking at the Farfalle and Kangaroo 12 papers, Kravatte may be ok with
AVX2 assuming I'm extrapolating correctly.  But, while it's probably
reasonable to assume that all the fast existing relays have AES-NI, I
do not know what fraction of those predate AVX2.

Part of me thinks that focusing on raw primitive performance is a bit
silly (even though I'm the one that brought it up), because just about
anything will likely deliver adequate performance if the cell crypto
used more than one core[0].

Sorry I don't have anything more concrete. :(

Regards,

-- 
Yawning Angel

[0]: And another part of me kind of wants to say "eat the overhead of a
MAC per hop and use AES-GCM-SIV or something".
