On Sat, 2 Apr 2016 18:48:24 -0400 Jesse V <kernelcorn@xxxxxxxxxx> wrote:
> Again, I have very little understanding of post-quantum crypto and I'm
> just starting to understand ECC, but after looking over
> https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and
> skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be
> patented, it's reasonably fast, it uses the smallest bandwidth, and it
> offers perfect forward secrecy. It seems to me that SIDH actually has
> more potential for making it into Tor than any other post-quantum
> cryptosystem.

Your definition of "reasonably fast" doesn't match mine. The number
for SIDH (key exchange, when the thread was going off on a tangent
about signatures) is ~200ms.

A portable newhope (Ring-LWE) implementation[0] on my laptop can do
one side of the exchange in ~190 usec.

Saving a few cells is not a good reason to use a key exchange mechanism
that is 1000x slower (NTRUEncrypt is also fast enough to be
competitive).

nb: Numbers are rough, and I don't have SIDH code to benchmark.
newhope in particular vectorizes really well and the AVX2 code is even
faster.

--
Yawning Angel

[0]: My version of the reference code. I do use SSE2 in the ChaCha20
implementation, but anything that doesn't support enough vector
processing for a fast ChaCha20 belongs in a museum, and not on the
internet.
_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev