On Sun, 3 Jan 2016 04:16:17 -0500 grarpamp grarpamp@gmail.com wrote:
Just another link.
None of those algorithms will hold up to a quantum computer, and apart from for TLS (where we use the NIST curves) we already use "safe" Curve/Ed25519.
So I don't know why you're bringing it up. This is discussion regarding how to prevent a total disaster in the event of a Curve25519 break.
nb: Migrating to X448 would possibly hold up longer than Curve25519 would since it requires a bigger quantum computer. But performance isn't that great without using vectorization.
Additionally, without AVX2, signing is glacially slow, clocking in at ~200 ms on a Haswell i5. The same hardware does our existing ntor handshake in ~230 usec.
Haswell i5 seems to have AVX2, as do all Haswells, perhaps you refer to Ivy Bridge i5s which do not...
Or, perhaps I meant exactly what I said, because the implementation I happened to benchmark (which I, coincidentally, happened to write) does not use AVX2 (it doesn't, since it was written to be portable) and I wanted non-vectorized performance numbers (I did).
I know the algorithm is faster when vectorized but that does little good for what I suspect are a substantial fraction of the relays.