[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

To: tor-dev@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
From: William Whyte <wwhyte@xxxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 13 May 2016 10:59:40 -0400
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 13 May 2016 10:59:54 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=Ambr+KEu+JC6OG80vs/3bFS4FxaYYwDX+bazvuPSroM=; b=LuHrxeP3MgCjxZOQv/TvJQWTBCi7L/L+VsKIP5ZvLHiSAdbGyinnJnEgv7XDX9eVXQ Dk78+jiAR3tq+GKdAf9mGQKNuV0eOr8y5sdu74fWO3JIHHCi3ioySqEMAC+5LfDBDS8F CNxJzOiXRY+JZsJ5exsL2MZspvOG4B3hb07Gw=
In-reply-to: <2f116356a0bc0785fb062ea7ca1a29ce@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-dev/>
List-help: <mailto:tor-dev-request@lists.torproject.org?subject=help>
List-id: discussion regarding Tor development <tor-dev.lists.torproject.org>
List-post: <mailto:tor-dev@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-dev>, <mailto:tor-dev-request@lists.torproject.org?subject=unsubscribe>
References: <20160506191711.GI1741@xxxxxxxxxxxxxxxxxxxxx> <20160512000747.35b94da1@xxxxxxxxxxxxxxx> <20160512034821.GI1741@xxxxxxxxxxxxxxxxxxxxx> <20160512052917.1cbf1e28@xxxxxxxxxxxxxxx> <20160512135411.GK11631@fedora-21-dvm> <1463077916.6719.0.camel@xxxxxxxxxx> <20160512192514.2c7e2fb6@xxxxxxxxxxxxxxx> <2f116356a0bc0785fb062ea7ca1a29ce@xxxxxxxxxxxxxxx>
Reply-to: tor-dev@xxxxxxxxxxxxxxxxxxxx
Sender: "tor-dev" <tor-dev-bounces@xxxxxxxxxxxxxxxxxxxx>

Hi all,

>Â3. The only implementation that mitigates decryption failures completely, killing information leaks to adversaries.

This is clearly a nice-to-have feature, but it comes with a tradeoff. To remove decryption failures you need to increase the parameter q, but this affects size (and so performance) in two ways: first, the key and ciphertext are arrays of integers mod q, so obviously increasing log_2(q) increases key and ciphertext size; but second, increasing q makes lattice reduction attacks more effective, so it means that you need to increase the dimension parameter N as well to get the same level of lattice security. Conversely, it's not difficult to calculate upper bounds on decryption failure probabilities, so it's straightforward to find a q that gives less than 2^-k chance of a decryption failure. There's no particular need for a decryption failure probability that's less than the security of the other parts of the cryptosystem.

Just wanted to explain why the standardized NTRUEncrypt parameter sets (fromÂhttps://github.com/NTRUOpenSourceProject/ntru-crypto) are chosen the way they are, i.e. to have nonzero decryption failure probability. We could have chosen larger q and N but didn't think the tradeoff is worth it. Obviously the other point of view is legitimate too.

Cheers,

William

On Thu, May 12, 2016 at 9:51 PM, <bancfc@xxxxxxxxxxxxxxx> wrote:

Some great developments in lattice-based crypto. DJB just released a paper on NTRU Prime:

1. Competitively fast compared to the leading lattice-based cryptosystems including New Hope.

2. Safer implementation of NTRU that avoids vulnerable ring structures and runs in constant-time.

3. The only implemntation that mitigates decryption failures completely, killing information leaks to adversaries.

4. Includes some handy advice for "transitional cryptography" - mixing and matching classical signature schemes with PQ public-keys.

https://ntruprime.cr.yp.to/ntruprime-20160511.pdf

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

References:
- [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: isis
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Yawning Angel
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: isis
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Yawning Angel
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Peter Schwabe
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Jeff Burdges
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: Yawning Angel
- Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
  - From: bancfc

Prev by Author: Re: [tor-dev] [Proposal] Obfuscating the Tor Browser Bundle initial download
Next by Author: [tor-dev] Testing Network Node Availability
Previous by thread: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Next by thread: Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Index(es):
- Author
- Thread