
Re: [tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope



On Thu, 12 May 2016 11:58:56 +0200
Jeff Burdges <burdges@xxxxxxxxxx> wrote:
> On Thu, 2016-05-12 at 05:29 +0000, Yawning Angel wrote:
> > and move the handshake
> > identifier into the encrypted envelope) so that only the recipient
> > can see which algorithm we're using as well (So: Bad guys must have
> > a quantum computer and calculate `z` to figure out which post
> > quantum algorithm we are using).  
> 
> This sounds like a win.
> 
> We still do not know if/when quantum computers will become practical.
> It was only just last year that 15 was finally factored "without
> cheating" : http://www.scottaaronson.com/blog/?p=2673
> 
> We do know that advancements against public key crypto systems will
> occur, so wrapping up the more unknown system more tightly sounds
> wise.
> 
> 
> In the shorter term, SIDH would take only one extra cell, maybe none
> if tweaked downward, as compared to the four of New Hope, and
> whatever NTRU needs.  This variation might be good or bad for
> anonymity, but it sounds better if fewer nodes can compare the
> numbers of packets with the algorithms used.

Well, if we move the handshake identifier inside the AE(AD) envelope,
we can also add padding to normalize the handshake length at minimal
extra CPU cost by adding a length field and some padding inside as well.

It would remove some of the advantages of using algorithms with shorter
keys (since it would result in more traffic on the wire than otherwise
would have been), but handshakes will be indistinguishable to anyone
but space aliens and the final destinations...

Regards,

-- 
Yawning Angel
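
The length-field-plus-padding idea from the reply above, as an added example that is not part of the original message or of Tor's code. It builds only the plaintext that would go inside the AE(AD) envelope; the 2-byte id and length fields, FRAME_LEN, and the handshake identifiers and payload sizes are assumptions constructed for illustration, and the AE(AD) sealing itself is left out.

```python
import struct

# Assumed inner layout (not from the proposal):
#   handshake id (2 bytes) | payload length (2 bytes) | payload | zero padding
HDR = struct.Struct(">HH")
FRAME_LEN = 2048  # constructed constant; must fit the largest supported handshake

# Constructed identifiers and payload sizes, for illustration only.
HANDSHAKES = {0x0001: 1824, 0x0002: 564, 0x0003: 1027}


def pad_handshake(hs_id: int, payload: bytes, frame_len: int = FRAME_LEN) -> bytes:
    """Build the fixed-length plaintext that is then sealed with the AE(AD)."""
    room = frame_len - HDR.size
    if len(payload) > room:
        raise ValueError("payload does not fit the normalized frame")
    return HDR.pack(hs_id, len(payload)) + payload + b"\x00" * (room - len(payload))


def unpad_handshake(frame: bytes, frame_len: int = FRAME_LEN):
    """Parse a frame after the AE(AD) has authenticated and decrypted it."""
    if len(frame) != frame_len:
        raise ValueError("unexpected frame length")
    hs_id, length = HDR.unpack_from(frame)
    if length > frame_len - HDR.size:
        raise ValueError("length field exceeds frame")
    end = HDR.size + length
    if any(frame[end:]):
        raise ValueError("non-zero padding")
    return hs_id, frame[HDR.size:end]


def demo():
    """Pad every constructed handshake and return the recovered payload sizes."""
    frames = {i: pad_handshake(i, bytes([i]) * n) for i, n in HANDSHAKES.items()}
    # Every frame has the same size, so the ciphertext length says nothing
    # about which algorithm is inside the envelope.
    assert len({len(f) for f in frames.values()}) == 1
    return {i: len(unpad_handshake(f)[1]) for i, f in frames.items()}


if __name__ == "__main__":
    print(demo())
```

The cost mentioned in the reply is visible here: the shortest constructed payload still occupies a full FRAME_LEN on the wire.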
