Re: [tor-dev] Quantum-safe Hybrid handshake for Tor



On Fri, 1 Jan 2016 19:33:31 -0800
Ryan Carboni <ryacko@xxxxxxxxx> wrote:

> The first step should be replacing the long-term keys with
> quantum-safe crypto.

Wrong.

There are NO usable PQ signature primitives that are suitable for
deployment.  Adding 1408+ bytes to every single microdescriptor is
not a realistic proposition.  Signing is also quite expensive unless you
have AVX2, and will decimate circuit build performance.

Protecting against Quantum Computer equipped active Man-In-The-Middle
attacks is the least important thing to do in terms of user safety.

By modifying the link handshake to incorporate a PQ key exchange
algorithm with ephemeral keys as in the proposal, user data being
generated right now will be protected from bulk decryption later, in
the event of a Curve25519 break (probably by a large enough Quantum
Computer), which is a far more realistic threat to be concerned about.

-- 
Yawning Angel

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev