On Fri, 1 Jan 2016 19:33:31 -0800 Ryan Carboni ryacko@gmail.com wrote:
The first step should be replacing the long-term keys with quantum-safe crypto.
Wrong.
There are NO usable PQ signature primitives that are suitable for deployment. Adding 1408+ bytes to every single microdescriptor is not a realistic proposition. Signing is also quite expensive unless you have AVX2, and will decimate circuit build performance.
Protecting against Quantum Computer equipped active Man-In-The-Middle attacks is the least important thing to do in terms of user safety.
By modifying the link handshake to incorporate a PQ key exchange algorithm with ephemeral keys as in the proposal, user data being generated right now will be protected from bulk decryption later, in the event of a Curve25519 break (probably by a large enough Quantum Computer), which is a far more realistic threat to be concerned about.