On Thu, 2016-05-12 at 15:54 +0200, Peter Schwabe wrote:
Can you describe a pre-quantum attacker who breaks the non-modified key exchange and does not, with essentially the same resources, break the modified key exchange? I'm not opposed to your idea, but it adds a bit of complexity and I would like to understand what precisely the benefit is.
Assuming I understand what Yawning wrote:
It's about metadata leakage, not actual breaks.
If Tor were randomly selecting amongst multiple post-quantum algorithms, then a malicious node potentially learns more information about the user's Tor by observing the type of the subsequent node's handshake.
In particular, if there is a proliferation of post-quantum choices, then it sounds very slightly more dangerous to allow users to configure what post-quantum algorithms they use without Yawning's change.
Jeff
p.s. At the extreme example, there is my up-thread comment refuting the idea of using Sphinx-like packets with Ring-LWE.
I asked: Why can't we send two polynomials (a,A) and mutate them together with a second Ring-LWE like operation for each hop? It's linear bandwidth in the number of hops as opposed to quadratic bandwidth, which saves 2-4k up in Tor's case and maybe keeps nodes from knowing quite as much about their position.
Answer: If you do that, it forces the whole protocol's anonymity to rest on the Ring-LWE assumption, so it's no longer a hybrid protocol for anonymity, even though cryptographically it remains hybrid.