On Fri, 1 Jan 2016 19:33:31 -0800
Ryan Carboni <ryacko@xxxxxxxxx> wrote:

> The first step should be replacing the long-term keys with
> quantum-safe crypto.

Wrong. There are NO usable PQ signature primitives that are suitable for deployment. Adding 1408+ bytes to every single microdescriptor is not a realistic proposition. Signing is also quite expensive unless you have AVX2, and will decimate circuit build performance.

Protecting against Quantum Computer-equipped active Man-In-The-Middle attacks is the least important thing to do in terms of user safety. By modifying the link handshake to incorporate a PQ key exchange algorithm with ephemeral keys as in the proposal, user data being generated right now will be protected from bulk decryption later, in the event of a Curve25519 break (probably by a large enough Quantum Computer), which is a far more realistic threat to be concerned about.

-- 
Yawning Angel
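The construction the reply argues for, as an added illustration (not code from this thread, from the referenced proposal, or from Tor): a link handshake in Go in which the long-term identity key stays classical (Ed25519) and only signs the server's ephemeral values, while the link key is derived from two ephemeral shared secrets, one X25519 and one from a KEM slot. Names such as `combineSecrets`, `runHandshake` and `recoverWithClassicalOnly` are this example's own. Two assumptions are labelled in the code: the KEM slot is filled by a stand-in (a second, independent ephemeral X25519 exchange in keygen/encapsulate/decapsulate form) so the file runs on the Go standard library alone, and HKDF is hand-rolled over `crypto/hmac` for the same reason. The last function models the threat the reply cares about: a recorder who later breaks Curve25519 obtains the classical secret but still cannot reproduce the key, and the identity key is never an input to the derivation, so its compromise does not help with recorded traffic either.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var curve = ecdh.X25519()

// must keeps the example short: every failure here is a programming error.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// --- PQ KEM slot (STAND-IN, assumption of this example) ---------------------
// A real deployment plugs a post-quantum KEM in here. To stay on the standard
// library, the slot is filled by a second, independent ephemeral X25519
// exchange wrapped in keygen / encapsulate / decapsulate form; the combiner
// below does not depend on which KEM is used.
func kemKeygen() (sk *ecdh.PrivateKey, pk []byte) {
	sk = must(curve.GenerateKey(rand.Reader))
	return sk, sk.PublicKey().Bytes()
}

// kemEncap returns (ciphertext, sharedSecret): the ciphertext is a fresh
// ephemeral public key, the secret is its DH agreement with pk.
func kemEncap(pk []byte) (ct, ss []byte) {
	e := must(curve.GenerateKey(rand.Reader))
	return e.PublicKey().Bytes(), must(e.ECDH(must(curve.NewPublicKey(pk))))
}

func kemDecap(sk *ecdh.PrivateKey, ct []byte) []byte {
	return must(sk.ECDH(must(curve.NewPublicKey(ct))))
}

// hkdfSHA256 is a compact HKDF (RFC 5869 extract + expand) over crypto/hmac.
func hkdfSHA256(salt, ikm, info []byte, n int) []byte {
	ext := hmac.New(sha256.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var out, prev []byte
	for i := byte(1); len(out) < n; i++ {
		m := hmac.New(sha256.New, prk)
		m.Write(prev)
		m.Write(info)
		m.Write([]byte{i})
		prev = m.Sum(nil)
		out = append(out, prev...)
	}
	return out[:n]
}

// combineSecrets derives the link key from BOTH ephemeral shared secrets,
// bound to the handshake transcript. The long-term identity key is not an
// input: it only authenticates the server's ephemeral values.
func combineSecrets(classicalSS, pqSS, transcript []byte) []byte {
	ikm := append(append([]byte{}, classicalSS...), pqSS...)
	return hkdfSHA256(transcript, ikm, []byte("hybrid-link-key"), 32)
}

// handshakeResult: each side's key, what a passive recorder saw on the wire,
// and (kept only for the break simulation) the classical shared secret.
type handshakeResult struct {
	clientKey, serverKey, transcript, classicalSS []byte
}

func runHandshake() *handshakeResult {
	// Server: long-term classical identity key plus two ephemeral keys.
	idPub, idPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sEph := must(curve.GenerateKey(rand.Reader))
	sKemPriv, sKemPub := kemKeygen()
	serverMsg := append(append([]byte{}, sEph.PublicKey().Bytes()...), sKemPub...)
	sig := ed25519.Sign(idPriv, serverMsg) // authenticates the ephemeral values

	// Client: check the signature, then contribute its own ephemeral values.
	if !ed25519.Verify(idPub, serverMsg, sig) {
		panic("server signature invalid")
	}
	cEph := must(curve.GenerateKey(rand.Reader))
	cClassical := must(cEph.ECDH(sEph.PublicKey()))
	ct, cPQ := kemEncap(sKemPub)
	transcript := append(append(append([]byte{}, serverMsg...), cEph.PublicKey().Bytes()...), ct...)
	clientKey := combineSecrets(cClassical, cPQ, transcript)

	// Server: recover both secrets from the client's public values.
	sClassical := must(sEph.ECDH(cEph.PublicKey()))
	sPQ := kemDecap(sKemPriv, ct)
	serverKey := combineSecrets(sClassical, sPQ, transcript)
	return &handshakeResult{clientKey, serverKey, transcript, sClassical}
}

// recoverWithClassicalOnly models an adversary who recorded the transcript and
// later breaks Curve25519 (learning classicalSS) but holds no PQ shared secret.
func recoverWithClassicalOnly(r *handshakeResult) []byte {
	return combineSecrets(r.classicalSS, nil, r.transcript)
}

func main() {
	r := runHandshake()
	fmt.Println("keys agree:", bytes.Equal(r.clientKey, r.serverKey))
	fmt.Println("classical break alone recovers key:", bytes.Equal(recoverWithClassicalOnly(r), r.clientKey))
}
```

Run it with `go run .`; the first line prints true and the second false. The design point is in `combineSecrets`: as long as the PQ secret is an input to the KDF, recovering the classical secret from recorded traffic is not enough, and nothing about the long-term signing key changes that, which is why the reply treats the ephemeral exchange, not the identity keys, as the urgent upgrade.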
Attachment: pgpOuMTPxgZ6o.pgp (OpenPGP digital signature)
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev