[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Peter Schwabe
peter at cryptojedi.org
Thu May 12 13:54:11 UTC 2016
Yawning Angel <yawning at schwanenlied.me> wrote:
Hi Yawning,
Thanks for the more detailed description; I think I understand now what
you're saying. I also agree that the cost is small (only some extra
symmetric stuff happening).
I don't like the use of AES-GCM as an authenticated-encryption
algorithm, but as far as I understand, AEAD is a completely separate
discussion within Tor and this would be replaced by whatever that
discussion's outcome is?
> Correct. In a post quantum world, this is totally pointless,
> especially since `Z` is publicly available from the microdescriptors,
> but in the mean time it's extra authenticated, and extra sekrit.
Can you describe a pre-quantum attacker who breaks the non-modified key
exchange and does not, with essentially the same resources, break the
modified key exchange? I'm not opposed to your idea, but it adds a bit
of complexity and I would like to understand what precisely the benefit
is.
Best regards,
Peter