On Thu, 2016-05-12 at 15:54 +0200, Peter Schwabe wrote:
> Can you describe a pre-quantum attacker who breaks the non-modified key
> exchange and does not, with essentially the same resources, break the
> modified key exchange? I'm not opposed to your idea, but it adds a bit
> of complexity and I would like to understand what precisely the benefit
> is.

Assuming I understand what Yawning wrote: it's about metadata leakage, not actual breaks. If Tor were randomly selecting amongst multiple post-quantum algorithms, then a malicious node potentially learns more information about the user's Tor by observing the type of the subsequent node's handshake. In particular, if there is a proliferation of post-quantum choices, then it sounds very slightly more dangerous to allow users to configure what post-quantum algorithms they use without Yawning's change.

Jeff

p.s. At the extreme example, there is my up-thread comment refuting the idea of using Sphinx-like packets with Ring-LWE.

I asked: Why can't we send two polynomials (a, A) and mutate them together with a second Ring-LWE-like operation for each hop? It's linear bandwidth in the number of hops as opposed to quadratic bandwidth, which saves 2-4k up in Tor's case and maybe keeps nodes from knowing quite as much about their position.

Answer: If you do that, it forces the whole protocol's anonymity to rest on the Ring-LWE assumption, so it's no longer a hybrid protocol for anonymity, even though cryptographically it remains hybrid.
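The metadata-leakage argument in the message above, worked through as an added example that is not part of the thread and not Tor's code: if each client configures its own set of acceptable post-quantum handshakes and a hop picks uniformly among that set, a node that sees only the *type* of the next hop's handshake can update its guess about which client configuration is behind it. The client population, the configuration names and the handshake labels ("newhope", "ntru") are constructed for illustration; the leakage is measured as the mutual information between the observed handshake type and the client's configuration, with a baseline where every configuration accepts the same set so the observed type carries no information.

```python
"""Anonymity-set partitioning from observable handshake choices.

Added illustration, not code from the tor-dev thread or from Tor itself.
Each configuration lists the post-quantum handshake types it accepts; a
hop is assumed to pick uniformly among them, and an observing node sees
the chosen type. Population sizes and algorithm names are constructed.
"""
from collections import Counter
from fractions import Fraction
import math

# Constructed population: (number of clients, accepted handshake types).
# Per-user configurability is what partitions the anonymity set.
POPULATION = {
    "default":    (900, ("newhope",)),
    "extra-kems": (80,  ("newhope", "ntru")),
    "no-newhope": (20,  ("ntru",)),
}

# Baseline: the same configurations exist, but all accept the same set,
# so the observed type is independent of the configuration.
UNIFORM_POPULATION = {
    "default":    (900, ("newhope", "ntru")),
    "extra-kems": (80,  ("newhope", "ntru")),
    "no-newhope": (20,  ("newhope", "ntru")),
}


def observation_distribution(population):
    """Joint distribution P(handshake type, configuration), assuming a
    client is drawn in proportion to population size and its hop picks
    uniformly among the types that configuration accepts."""
    total = sum(n for n, _ in population.values())
    joint = {}
    for cfg, (n, algs) in population.items():
        for alg in algs:
            joint[(alg, cfg)] = Fraction(n, total) / len(algs)
    return joint


def posterior(population, observed_alg):
    """P(configuration | observed handshake type): what a watching node
    learns about the client from one handshake type."""
    joint = observation_distribution(population)
    marginal = sum(p for (alg, _), p in joint.items() if alg == observed_alg)
    return {cfg: p / marginal
            for (alg, cfg), p in joint.items() if alg == observed_alg}


def mutual_information_bits(population):
    """I(type; configuration) in bits: how much one observed handshake
    type reveals about the client's configuration. Zero means the type
    is independent of the configuration."""
    joint = observation_distribution(population)
    p_alg, p_cfg = Counter(), Counter()
    for (alg, cfg), p in joint.items():
        p_alg[alg] += p
        p_cfg[cfg] += p
    return sum(float(p) * math.log2(p / (p_alg[alg] * p_cfg[cfg]))
               for (alg, cfg), p in joint.items())


if __name__ == "__main__":
    for label, pop in (("configurable", POPULATION),
                       ("uniform", UNIFORM_POPULATION)):
        print(f"{label}: {mutual_information_bits(pop):.4f} bits leaked per observed handshake")
        for alg in ("newhope", "ntru"):
            post = {c: f"{float(p):.3f}" for c, p in posterior(pop, alg).items()}
            print(f"  saw {alg}: posterior over configurations = {post}")
```

In the constructed population, seeing an "ntru" handshake narrows the client to the 10% of users who changed the default, which is the kind of partitioning the message warns about; the uniform baseline shows that having several algorithms in play is harmless as long as every client behaves identically, so the hazard is specifically in user-level configurability.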
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev