[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Zhenfei Zhang zzhang at securityinnovation.com
Mon May 9 18:04:27 UTC 2016 

Hi all,

If I understand it properly, in the proposal the client need to send the
whole
matrix A during the first initiation message. I draw this conclusion from
the
datagram:

 | a, A         := NEWHOPE_KEYGEN(SEED)
                 |
 | CLIENT_HDATA := ID || Z || X || A
                 |
 |
                 |
 |               --- CLIENT_HDATA --->



May I ask why? Is it because the keypair generation is modularized, and
hence a and A are connected from a protocol point of view? However, in the
original construction of new hope, or other R-LWE based schemes, a and A
are sampled independently, giving out the seed of A will not leak
information
on a. So how about the following:

 | A            := NEWHOPE_PK_KEYGEN(SEED1)
                 |
 | a            := NEWHOPE_SK_KEYGEN(SEED2)
                 |
 | CLIENT_HDATA := ID || Z || X || SEED1
                 |
 |
                 |
 |               --- CLIENT_HDATA --->



This will save significant data for the first transmission: over 1 KB of A
compared to 32 bits of SEED1. The server will be able to recover A from
NEWHOPE_PK_KEYGEN which will be a public function.


Cheers,
Zhenfei


On Mon, May 9, 2016 at 12:07 PM, isis <isis at torproject.org> wrote:

> eikovi at sigaint.org transcribed 0.6K bytes:
> > isis wrote:
> > > eikovi at sigaint.org transcribed 1.1K bytes:
> > >> Typos:
> > >
> > > Thanks!  Fixed:
> > >
> > >
> https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=5c115905
> >
> > You skipped 2:
> >
> > -  public keys already being in included within the "ntor-onion-key"
> entry.
> > +  public keys already being included within the "ntor-onion-key" entry.
> >
> > -  [0]; a pseudocode description of a very naive inplace transformation
> of an
> > +  [0]; a pseudocode description of a very naive in-place transformation
> of an
>
> Oops!  Thanks again.  Peter fixed those in this commit:
>
> https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=28181cc7
>
> --
>  ♥Ⓐ isis agora lovecruft
> _________________________________________________________
> OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
> Current Keys: https://fyb.patternsinthevoid.net/isis.txt
>
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160509/a77216ea/attachment.html>

More information about the tor-dev mailing list