On Sat, 2 Jan 2016 17:18:56 -0800 Ryan Carboni <ryacko@xxxxxxxxx> wrote: > And yet the NSA is moving to prime numbers. So? In terms of prioritization, ensuring all existing traffic isn't subject to later decryption is far more important that defending against targeted active attacks that require hardware that doesn't exist yet. > A large public key isn't a very good reason to not adopt quantum-safe > crypto, it just means that it requires having the Tor project to be > able to scale to a larger degree. I suggest hash tables, a percentage > of which are pseudorandomly downloaded. Otherwise the Tor project > won't scale to 10x the relays ... even ignoring quantum cryptography. Nope. Every client needs to know the public key of every relay or we're worse off vs active attackers. To put numbers into things for the bandwidth/storage overhead for having SPHINCS256 keys for every relay, currently the full list of microdescriptors for a consensus is ~3.2 MiB, with 6960 relays. This is roughly 9.3 MiB of extra information that would need to be downloaded in terms directory information, and ~41 KiB per hop of extra traffic as part of the circuit build process. Additionally, without AVX2, signing is glacially slow, clocking in at ~200 ms on an Haswell i5. The same hardware does our existing ntor handshake in ~230 usec. Increasing the amount of work each hop needs to do to establish a circuit by 3 orders of magnitude to the point where a single core on a relatively modern processor can process 5 circuit creations/second would kill the Tor network. (I'm done arguing over this. If you think relays should have PQ signature based identity keys, then feel free to write a patch. I view other things as more important, and will focus my efforts elsewhere.) Regards, -- Yawning Angel
Attachment:
pgp_aPYo7LDz0.pgp
Description: OpenPGP digital signature
_______________________________________________ tor-dev mailing list tor-dev@xxxxxxxxxxxxxxxxxxxx https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev