[tor-dev] Quantum-safe Hybrid handshake for Tor
Yawning Angel
yawning at schwanenlied.me
Sat Jan 2 04:19:28 UTC 2016
On Fri, 1 Jan 2016 19:33:31 -0800
Ryan Carboni <ryacko at gmail.com> wrote:
> The first step should be replacing the long-term keys with
> quantum-safe crypto.
Wrong.
There are NO usable PQ signature primitives that are suitable for
deployment. Adding 1408+ bytes to every single microdescriptor is
not a realistic proposition. Signing is also quite expensive unless you
have AVX2, and will decimate circuit build performance.
Protecting against Quantum Computer equipped active Man-In-The-Middle
attacks is the least important thing to do in terms of user safety.
By modifying the link handshake to incorporate a PQ key exchange
algorithm with ephemeral keys as in the proposal, user data being
generated right now will be protected from bulk decryption later, in
the event of a Curve25519 break (probably by a large enough Quantum
Computer), which is a far more realistic threat to be concerned about.
--
Yawning Angel
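
Added example, not part of the original message or of the proposal it refers to: a sketch of how a hybrid handshake can derive its session key from both a Curve25519 shared secret and a PQ key-exchange shared secret, so that traffic recorded today stays protected if only the Curve25519 half is broken later. The function names, the label string and the use of HKDF-SHA256 with length-prefixed concatenation are assumptions made for illustration, and the two shared secrets are constructed random stand-ins rather than outputs of real key exchanges.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 extract step: concentrate the input keying material."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 expand step: stretch the PRK into `length` output bytes."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ecdh_secret: bytes, pq_secret: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one key from both secrets (hypothetical combiner).

    Each secret is length-prefixed so the concatenation is unambiguous,
    and the handshake transcript is bound in through the salt.
    """
    ikm = b"".join(len(s).to_bytes(2, "big") + s
                   for s in (ecdh_secret, pq_secret))
    prk = hkdf_extract(HASH(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid-handshake-example:key", length)


def demo():
    ecdh = os.urandom(32)  # constructed stand-in for the Curve25519 output
    pq = os.urandom(32)    # constructed stand-in for the PQ exchange output
    transcript = b"constructed client || server handshake bytes"
    client = hybrid_session_key(ecdh, pq, transcript)
    server = hybrid_session_key(ecdh, pq, transcript)
    # Knowing only the ECDH secret (PQ half guessed) gives a different key.
    ecdh_only = hybrid_session_key(ecdh, bytes(32), transcript)
    return client == server, client != ecdh_only


if __name__ == "__main__":
    print(demo())
```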