
Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope



On Fri, 6 May 2016 19:17:11 +0000
isis <isis@xxxxxxxxxxxxxx> wrote:
>   [XXX We think we want to omit the final hashing in the production
> of NTOR_KEY here, and instead put all the inputs through SHAKE-256.
> --isis, peter]
> 
>   [XXX We probably want to remove ID and B from the input to the
> shared key material, since they serve for authentication but, as
> pre-established "prologue" material to the handshake, they should not
> be used in attempts to strengthen the cryptographic suitability of
> the shared key.  Also, their inclusion is implicit in the DH
> exponentiations.  I should probably ask Ian about the reasoning for
> the original design choice.  --isis]

Oh I missed this.  B at a minimum needs to be part of `auth_input`,
though probably does not need to be part of `secret_input`.

Per RFC 7748:

   Designers using these curves should be aware that for each public
   key, there are several publicly computable public keys that are
   equivalent to it, i.e., they produce the same shared secrets.  Thus
   using a public key as an identifier and knowledge of a shared secret
   as proof of ownership (without including the public keys in the key
   derivation) might lead to subtle vulnerabilities.

Regards,

-- 
Yawning Angel

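The RFC 7748 caveat quoted above, worked through as an added example (this is my code, not anything from this thread or from Tor's ntor/NewHope implementation): a pure-Python, non-constant-time Curve25519 toy in which a peer's public key B and an equivalent encoding B + T (T a point of order 8) give the same X25519 shared secret under every clamped scalar, so only a KDF/MAC that takes B itself as input (i.e. B in `auth_input`) can tell which encoding the peer actually presented. The test scalars, the small-u search for a torsion point and the SHA-256 `auth` stand-in for the real key derivation are all constructed for the example.

```python
import hashlib

# Curve25519 per RFC 7748: y^2 = u^3 + A*u^2 + u over GF(p); the group has order 8*L.
p, A = 2**255 - 19, 486662
L = 2**252 + 27742317777372353535851937790883648493

def x25519(k, u):
    # RFC 7748 Montgomery ladder on integers; clamping is the caller's job.
    x1, x2, z2, x3, z3, swap = u, 1, 0, u, 1, 0
    for t in reversed(range(255)):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % p, (x2 - z2) % p
        aa, bb, c, d = a * a % p, b * b % p, (x3 + z3) % p, (x3 - z3) % p
        da, cb, e = d * a % p, c * b % p, (aa - bb) % p
        x3, z3 = (da + cb) ** 2 % p, x1 * (da - cb) ** 2 % p
        x2, z2 = aa * bb % p, e * (aa + 121665 * e) % p
    if swap:
        x2, z2 = x3, z3
    return x2 * pow(z2, p - 2, p) % p

def clamp(k):
    # Clamped scalars are multiples of 8, so [k](P + T) == [k]P for any 8-torsion point T.
    return (k & ((1 << 254) - 1) & ~7) | (1 << 254)

def lift(u):
    # Recover some y for u (Atkin's square root, p = 5 mod 8); None if u is not on the curve.
    a = (u**3 + A * u * u + u) % p
    v = pow(2 * a, (p - 5) // 8, p)
    r = a * v * (2 * a * v * v - 1) % p
    return (u, r) if r * r % p == a else None

def add(P, Q):
    # Affine addition on the Montgomery curve; it needs y, which the x-only ladder never sees.
    (x1, y1), (x2, y2) = P, Q
    lam = (y2 - y1) * pow(x2 - x1, p - 2, p) % p
    x3 = (lam * lam - A - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def order8_point():
    # [L]Q strips the prime-order part of a curve point Q; the leftover T has order 8 iff [2]T has u = 1.
    for u in range(2, 200):
        if lift(u) and x25519(2, x25519(L, u)) == 1:
            return lift(x25519(L, u))

def auth(shared, B):
    # Binding B into the KDF/MAC input is what tells two equivalent encodings apart.
    return hashlib.sha256(shared.to_bytes(32, "little") + B.to_bytes(32, "little")).hexdigest()
```
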

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev