isis agora lovecruft transcribed 8.6K bytes:

> For the repeated suggestion of SIDH, [3] I expect we'll soon see concrete
> details and improvements to the attacks mentioned in (and which they establish
> "direct validation" measures to defend against in §9 of) "Efficient algorithms
> for supersingular isogeny Diffie-Hellman" by Craig Costello, Patrick Longa,
> and Michael Naehrig. [4] E.g. if an adversary sends a supersingular curve E
> and linearly independent points P and Q, such that Bob calculates an isogeny
> ɸ: E → E' with small-degree, there could potentially be ways to utilise the
> kernel of the isogeny from one handshake to learn information about the shared
> j-invariant computed in another handshake. Side note: it's a mystery to me
> why the NSA and the Microsoft Research teams are jumping through hoops to
> validate public SIDH keys, when they could just have the requirement that the
> keys must be ephemeral (at the cost of some efficiency). Basically, there's a
> whole bunch of swinging axes, poison darts, rolling boulders, and various
> other death traps and doom which come into play when you take a random
> elliptic curve as your key, and I expect another ten years of papers which
> slowly work to enumerate all of them.

Recently, a pre-print was submitted to eprint, and accepted to ASIACRYPT 2016: "On the Security of Supersingular Isogeny Cryptosystems" by Galbraith, Petit, Shani, and Ti. [0] The problems with reuse of non-ephemeral isogenies reused across SIDH key exchanges are potentially greater than previously realised, with attacks recovering the entire j-invariant.

    "Our third contribution is to give a reduction that uses partial knowledge of
    shared keys to determine an entire shared key. This can be used to retrieve
    the secret key, given information leaked from a side-channel attack on the
    key exchange protocol. A corollary of this work is the first bit security
    result for the supersingular isogeny key exchange: Computing any component
    of the j-invariant is as hard as computing the whole j-invariant."

Please stop suggesting that Tor use SIDH. It's a fascinating and new field of research, with emphasis on new. It's not ready for use yet.

[0]: https://eprint.iacr.org/2016/859

Best regards,
-- 
♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
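The quoted paragraph refers to the "direct validation" measures of Costello, Longa and Naehrig and asks why implementers validate received SIDH public keys rather than simply mandating ephemeral keys. The following Python is an added illustration of what such validation looks like in a toy setting; it is not code from this thread, from Tor, or from any SIDH library. It builds F_{p^2} for the constructed toy prime p = 2^4 * 3^3 - 1 = 431, does affine arithmetic on Montgomery curves y^2 = x^3 + A x^2 + x, and validates a received triple (E_A, P, Q) by checking that the curve is nonsingular, that P and Q lie on it, that each has exact order ell^e, that they are linearly independent, and, as a probabilistic sanity check, that a random point on the curve has order dividing p + 1. The checks as written are a simplification of the kind of validation the email mentions, not the procedure specified in that paper; the prime, the validation routine and the sample (honest and malformed) keys are all constructed here.

```python
"""Toy SIDH public-key validation over F_{p^2}, p = 2^4 * 3^3 - 1 = 431.

Added illustration only: the toy prime, the checks and the sample keys are
constructed for this example and are not taken from Tor or any SIDH library.
"""
import random

p = 431                 # constructed toy prime: 2^4 * 3^3 - 1, p = 3 (mod 4)

# --- F_{p^2} = F_p[i] / (i^2 + 1); an element is a (re, im) pair of ints ---
def fadd(a, b): return ((a[0] + b[0]) % p, (a[1] + b[1]) % p)
def fsub(a, b): return ((a[0] - b[0]) % p, (a[1] - b[1]) % p)
def fmul(a, b):
    return ((a[0]*b[0] - a[1]*b[1]) % p, (a[0]*b[1] + a[1]*b[0]) % p)
def finv(a):            # (re - im*i) / (re^2 + im^2); norm is nonzero for a != 0
    n = pow((a[0]*a[0] + a[1]*a[1]) % p, p - 2, p)
    return ((a[0]*n) % p, (-a[1]*n) % p)
def fint(n): return (n % p, 0)
ZERO, ONE = fint(0), fint(1)

# Square-root table for the whole field (p^2 = 185761 entries), built once so
# random points can be sampled without a field square-root routine.
SQRT = {}
for re in range(p):
    for im in range(p):
        SQRT.setdefault(fmul((re, im), (re, im)), (re, im))

# --- Montgomery curve E_A: y^2 = x^3 + A x^2 + x; affine points, O = None ---
O = None

def rhs(A, x):
    x2 = fmul(x, x)
    return fadd(fadd(fmul(x2, x), fmul(A, x2)), x)

def on_curve(A, pt):
    return pt is O or fmul(pt[1], pt[1]) == rhs(A, pt[0])

def add(A, p1, p2):
    if p1 is O: return p2
    if p2 is O: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if fadd(y1, y2) == ZERO:        # p1 == -p2 (also handles 2-torsion, y == 0)
            return O
        num = fadd(fadd(fmul(fint(3), fmul(x1, x1)), fmul(fint(2), fmul(A, x1))), ONE)
        lam = fmul(num, finv(fmul(fint(2), y1)))
    else:
        lam = fmul(fsub(y2, y1), finv(fsub(x2, x1)))
    x3 = fsub(fsub(fsub(fmul(lam, lam), A), x1), x2)
    return (x3, fsub(fmul(lam, fsub(x1, x3)), y1))

def mul(A, k, pt):      # double-and-add scalar multiplication [k]pt
    acc = O
    while k:
        if k & 1: acc = add(A, acc, pt)
        pt, k = add(A, pt, pt), k >> 1
    return acc

def j_invariant(A):     # j(E_A) = 256 (A^2 - 3)^3 / (A^2 - 4)
    t = fsub(fmul(A, A), fint(3))
    return fmul(fmul(fint(256), fmul(fmul(t, t), t)), finv(fsub(fmul(A, A), fint(4))))

def random_point(A, rng):
    while True:
        x = (rng.randrange(p), rng.randrange(p))
        y = SQRT.get(rhs(A, x))
        if y is not None:
            return (x, y)

def validate_public_key(A, P1, Q1, ell, e, rng):
    """Simplified direct validation of a received (E_A, P, Q) for the ell^e torsion."""
    if fsub(fmul(A, A), fint(4)) == ZERO:                  # singular curve
        return False
    if P1 is O or Q1 is O or not on_curve(A, P1) or not on_curve(A, Q1):
        return False
    TP, TQ = mul(A, ell ** (e - 1), P1), mul(A, ell ** (e - 1), Q1)
    for T in (TP, TQ):  # exact order ell^e: [ell^(e-1)]pt != O and [ell^e]pt == O
        if T is O or mul(A, ell, T) is not O:
            return False
    # independence: the order-ell point under Q must not lie in <[ell^(e-1)]P>
    if any(mul(A, k, TP) == TQ for k in range(1, ell)):
        return False
    # curve-order sanity: on a supersingular curve over F_{p^2} in this setting
    # every point has order dividing p + 1, so a random point failing this
    # proves the received curve is not what it claims to be
    return mul(A, p + 1, random_point(A, rng)) is O

def torsion_basis(A, ell, e, rng):
    """Honest-party helper: a basis of E_A[ell^e] by cofactor clearing."""
    cof = (p + 1) // ell ** e
    while True:
        P1 = mul(A, cof, random_point(A, rng))
        Q1 = mul(A, cof, random_point(A, rng))
        if validate_public_key(A, P1, Q1, ell, e, rng):
            return P1, Q1

def demo(seed=1):
    """Validate one honest key per torsion group and three constructed malformed keys."""
    rng = random.Random(seed)
    A0 = ZERO                                      # E_0: y^2 = x^3 + x, j = 1728
    P2, Q2 = torsion_basis(A0, 2, 4, rng)          # basis of E_0[16]
    P3, Q3 = torsion_basis(A0, 3, 3, rng)          # basis of E_0[27]
    off = (P2[0], fadd(P2[1], ONE))                # constructed point off the curve
    while on_curve(A0, off):
        off = (off[0], fadd(off[1], ONE))
    return {
        "honest_2":    validate_public_key(A0, P2, Q2, 2, 4, rng),
        "honest_3":    validate_public_key(A0, P3, Q3, 3, 3, rng),
        "wrong_order": validate_public_key(A0, P2, mul(A0, 2, Q2), 2, 4, rng),
        "dependent":   validate_public_key(A0, P2, mul(A0, 3, P2), 2, 4, rng),
        "off_curve":   validate_public_key(A0, P2, off, 2, 4, rng),
    }

if __name__ == "__main__":
    print("j(E_0) =", j_invariant(ZERO))
    for name, ok in demo().items():
        print(f"{name:12s} {'accepted' if ok else 'rejected'}")
```

Passing these checks only establishes that the received key is well formed: the points are a genuine basis of the claimed torsion group on a curve of the expected order. It says nothing about the separate problem the mail raises, namely what a peer can learn when the same non-ephemeral key is reused across many exchanges, which is why the author argues for mandating ephemeral keys rather than relying on validation alone.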