On Fri, 2016-01-01 at 11:14 +0000, Yawning Angel wrote:
> On Thu, 31 Dec 2015 20:51:43 +0000
> isis <isis@xxxxxxxxxxxxxx> wrote:
> [snip]
> > I feel like there needs to be some new terminology here. It's
> > certainly not post-quantum secure, but "quantum-safe" doesn't seem
> > right either, because it's exactly the point at which the adversary
> > gains appropriate quantum computational capabilities that it becomes
> > *unsafe*. If I may, I suggest calling it "pre-quantum secure". :)
>
> Post-quantum forward-secrecy is what I've been using to describe this
> property.

Isn't that using "forward security" to denote a weakening when it usually denotes a strengthening?

> I personally don't think that any of the PQ signature schemes are usable
> for us right now, because the smallest key size for an algorithm that
> isn't known to be broken is ~1 KiB (SPHINCS256), and we probably can't
> afford to bloat our descriptors/micro-descriptors that much.

Did you mean to talk about the 41ish kb signature here? I donno that you'll ever beat that 1kb key size with a post-quantum system. There is a lattice based signature scheme and an isogeny based scheme that'll both beat SPHINCS on signature sizes, but I think not so much on key size.

Jeff

p.s. I'd imagine that key size might come from the public key itself proving that it's a SPHINCS public key or doing a simple initial signature or something. If you didn't care during storage that the key is really a key, or what it's good for, then a 256 bit fingerprint of a SPHINCS public key would be as good as a SPHINCS public key itself, right? It's dubious that Tor, or anyone really, could use fingerprints in such a context-free way though.
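An added illustration, not part of this thread, of the size trade-off Jeff raises in the p.s.: a Lamport one-time signature stands in for SPHINCS (both are hash-based), so the public key is 16 KiB and each signature 8 KiB, yet a 32-byte SHA-256 fingerprint is all the verifier needs to store if the full key travels with the signature. The functions, the key serialization and the sample message are assumptions for the demo; a Lamport key must never sign twice.

```python
import hashlib
import hmac
import os

N = 256  # one preimage pair per bit of the SHA-256 message digest

def keygen():
    # Secret key: 256 pairs of random 32-byte preimages (constructed demo key, not SPHINCS).
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N)]
    # Public key: the hash of every preimage, 2 * 256 * 32 = 16 KiB in total.
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def serialize_pk(pk):
    # Assumed wire/storage encoding: all hashes concatenated in order.
    return b"".join(a + b for a, b in pk)

def fingerprint(pk):
    # 256-bit commitment to the whole public key; this is what a descriptor would carry.
    return hashlib.sha256(serialize_pk(pk)).digest()

def message_bits(msg):
    digest = hashlib.sha256(msg).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]

def sign(sk, msg):
    # Reveal one preimage per digest bit: 256 * 32 = 8 KiB per signature.
    return b"".join(sk[i][bit] for i, bit in enumerate(message_bits(msg)))

def verify(pk, msg, sig):
    if len(sig) != N * 32:
        return False
    for i, bit in enumerate(message_bits(msg)):
        chunk = sig[32 * i:32 * (i + 1)]
        if hashlib.sha256(chunk).digest() != pk[i][bit]:
            return False
    return True

def verify_with_fingerprint(fp, pk, msg, sig):
    # The verifier holds only the 32-byte fp; pk arrives alongside sig and must match fp first.
    if not hmac.compare_digest(hashlib.sha256(serialize_pk(pk)).digest(), fp):
        return False
    return verify(pk, msg, sig)
```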
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev