
Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope



On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit
> scary
> (c.f. the §3 "Backdoors" part of the NewHope paper,

Oh wow.  That one is nasty. 

>  or Yawning's PoC of a
> backdoored NewHope handshake [0]).
> 
> [0]:
> https://git.schwanenlied.me/yawning/newhope/src/nobus/newhope_nobus.go

I see.  The point is that being ambiguous about the security
requirements of the seed for `a` lets you sneak in a bad usage of it
elsewhere.

In some cases, I suppose both sides contributing to `a` might help them
know the other side is not backdoored, but that's not so relevant for
Tor.

Jeff

