[tor-dev] PQ crypto updates
Peter Schwabe
peter at cryptojedi.org
Sat Sep 2 08:16:08 UTC 2017
Yawning Angel <yawning at schwanenlied.me> wrote:
Hi Yawning, hi all,
> Note, I'm not hating on Farfalle, I need to look at it more, and the
> last time I gave serious thought to this question in a Tor context was
> back around the time Prop 261 was being drafted.
>
> The answer to this from my point of view is "not slow to the point
> where the network falls over", which I'll admit is extremely handwavy,
> but truth be told, I have no idea what fraction of the relays are on
> what micro architectures these days.
>
> Looking at the Farfalle and Kangaroo 12 papers, Kravette may be ok with
> AVX2 assuming I'm extrapolating correctly. But, while it's probably
> reasonable to assume that all the fast existing relays have AES-NI, I
> do not know what fraction of those predate AVX2.
You should end up with something like 13 cycles per byte for Farfalle
with the Keccak permutation on Skylake. Would there be some way to test what
effects this has on overall performance without harming any users?
If this is *clearly* too slow, then it might be interesting to try the
Farfalle construction with different permutations to see how far you can
push performance.
Cheers,
Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170902/02171316/attachment.sig>
More information about the tor-dev
mailing list