We had a GSOC project to produce "consensus diffs", so that clients could download the differences between each consensus each hour, rather than downloading a full consensus (~1.5MB).
It showed some great results, but still needs a little work before we merge it. https://trac.torproject.org/projects/tor/ticket/13339
Still, one doesn't need to download the full consensus. 3/16ths of the consensus could work and would be more beneficial for low bandwidth clients.
If Tor became popular, it wouldn't be usable. Right now it consumes the bandwidth of several colleges. If Tor got anywhere near consuming the bandwidth and popularity of a major datacenter (such as the five million user botnet spike of 2013), Tor wouldn't work too well.
Facebook has hundreds of millions of active users. A few billion people live under a dictatorship.
How well would Tor work if its infrastructure and usage were scaled up a hundred times? It's not an immediate issue, but if one was to add quantum cryptography, this would be one of the issues that needs to be addressed (as it is one of many long-term issues).
nb: Migrating to X448 would possibly hold up longer than Curve25519 would since it requires a bigger quantum computer. But performance isn't that great without using vectorization.
Given the slow time it takes to roll things out, a timeline which begins with trusted directory keys including post-quantum crypto first, and which ends in enabling clients to use post-quantum crypto would be best.
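As an added illustration of the consensus-diff idea in the message above (example code written for this page, not the GSOC project's or Tor's implementation): a directory cache computes an ed-style line script between the previous and the current consensus, the client applies the script to the copy it already holds, and the two sides compare the bytes that would have gone over the wire. The two documents are constructed, abbreviated stand-ins for a consensus and carry no real relay data; the script encoding follows the format `diff -e` emits (commands for the last change first, so every address refers to the original line numbering), and the generator and applier are my own.

```python
import difflib

# Constructed, abbreviated consensus-like documents (not real Tor data).
OLD_CONSENSUS = """network-status-version 3
vote-status consensus
valid-after 2016-01-03 22:00:00
fresh-until 2016-01-03 23:00:00
valid-until 2016-01-04 01:00:00
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2016-01-03 21:50:00 10.0.0.1 9001 0
s Fast Running Stable Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-01-03 21:40:00 10.0.0.2 9001 0
s Running Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2016-01-03 21:30:00 10.0.0.3 9001 0
s Exit Fast Running Valid
r echo EEEEEEEEEEEEEEEEEEEEEEEEEEE 2016-01-03 21:20:00 10.0.0.5 9001 0
s Fast Guard Running Stable Valid
r foxtrot FFFFFFFFFFFFFFFFFFFFFFFFFFF 2016-01-03 21:10:00 10.0.0.6 443 80
s Fast Running Valid
directory-footer"""

# One hour later: new validity window, bravo gained a flag, charlie left, delta joined.
NEW_CONSENSUS = OLD_CONSENSUS.replace(
    "valid-after 2016-01-03 22:00:00", "valid-after 2016-01-03 23:00:00"
).replace(
    "fresh-until 2016-01-03 23:00:00", "fresh-until 2016-01-04 00:00:00"
).replace(
    "valid-until 2016-01-04 01:00:00", "valid-until 2016-01-04 02:00:00"
).replace(
    "r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-01-03 21:40:00 10.0.0.2 9001 0\ns Running Valid",
    "r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2016-01-03 21:40:00 10.0.0.2 9001 0\ns Fast Running Valid",
).replace(
    "r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2016-01-03 21:30:00 10.0.0.3 9001 0\ns Exit Fast Running Valid",
    "r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2016-01-03 21:25:00 10.0.0.4 9001 0\ns Running Valid",
)


def ed_diff(old_lines, new_lines):
    """Return an ed-style script (list of lines) that turns old_lines into new_lines.

    Opcodes are emitted in reverse file order, as `diff -e` does, so each address
    still refers to the ORIGINAL numbering when the script is applied top to bottom.
    Assumes no content line consists of a lone "." (true for consensus documents).
    """
    sm = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    script = []
    for tag, i1, i2, j1, j2 in reversed(sm.get_opcodes()):
        if tag == "equal":
            continue
        addr = f"{i1 + 1}" if i2 - i1 <= 1 else f"{i1 + 1},{i2}"
        if tag == "delete":
            script.append(addr + "d")
        elif tag == "insert":
            # "Na" appends after old line N; "0a" inserts before the first line.
            script.append(f"{i1}a")
            script.extend(new_lines[j1:j2])
            script.append(".")
        else:  # replace
            script.append(addr + "c")
            script.extend(new_lines[j1:j2])
            script.append(".")
    return script


def apply_ed_diff(old_lines, script):
    """Client side: apply an ed-style script produced by ed_diff to old_lines."""
    lines = list(old_lines)
    pos = 0
    while pos < len(script):
        cmd = script[pos]
        pos += 1
        op = cmd[-1]
        nums = cmd[:-1].split(",")
        start = int(nums[0])
        end = int(nums[1]) if len(nums) == 2 else start
        text = []
        if op in ("a", "c"):
            while script[pos] != ".":
                text.append(script[pos])
                pos += 1
            pos += 1  # skip the terminating "."
        if op == "d":
            del lines[start - 1:end]
        elif op == "c":
            lines[start - 1:end] = text
        elif op == "a":
            lines[start:start] = text
        else:
            raise ValueError(f"unsupported ed command: {cmd!r}")
    return lines


def transfer_sizes(old_text, new_text):
    """Bytes a client would fetch for the full document vs. for the diff."""
    old_lines, new_lines = old_text.split("\n"), new_text.split("\n")
    full = len(new_text.encode()) + 1
    diff = len("\n".join(ed_diff(old_lines, new_lines)).encode()) + 1
    return full, diff


if __name__ == "__main__":
    old, new = OLD_CONSENSUS.split("\n"), NEW_CONSENSUS.split("\n")
    script = ed_diff(old, new)
    assert apply_ed_diff(old, script) == new
    full, diff = transfer_sizes(OLD_CONSENSUS, NEW_CONSENSUS)
    print("\n".join(script))
    print(f"full consensus: {full} bytes, diff: {diff} bytes")
```

The saving here is modest because the constructed documents are tiny and almost half their lines change; on a real consensus, where the bulk of the router lines is unchanged from one hour to the next, the same script shrinks to a small fraction of the full document. Note that a client applying a diff must still verify the resulting document's signatures, since the diff itself carries no authentication.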
On 1/3/2016 11:24 PM, Ryan Carboni wrote:
> Given the slow time it takes to roll things out, a timeline which begins with trusted directory keys including post-quantum crypto first, and which ends in enabling clients to use post-quantum crypto would be best.
That is wrong. Read Yawning's previous message to this thread. If we try to do things on an all-or-nothing and right-now-don't-care basis we might end up doing nothing at all and waste precious time. Post quantum crypto for directory signing keys is useless at this moment, because quantum computers don't exist yet. A conspiracy theory that the NSA already has super duper quantum computers since n years ago and already cracks all curves is something too much to digest, and I prefer to build a timeline and establish priorities based on real world evidence and research papers as opposed to conspiracy theories and assumptions.
Back to the point, the directory signing keys are used to sign consensus documents. A consensus document has a very short limited lifetime (valid-until). This means that if the keys are compromised (broken by quantum computers) after the end of life date, it's a useless attack that offers nothing. The only way this attack would work is if the attacker had the ability to compromise the directory keys in real time (almost instantly), not probably at some time in the future.
On the other hand, we have evidence that netflow traffic and whole internet traffic (even if encrypted) is captured and might be stored in unknown quantities for unknown periods. While "it is safe to assume" quantum computers so powerful as to make a difference don't exist yet, and probably won't for a while longer, we can be certain that the technology to store massive amounts of data already exists and it is quite accessible and relatively cheap for attackers such as the ones in our threat models.
So, yes, the threat of data collection now for future compromise is a much more realistic threat than someone having right now a super duper quantum computer which can crack currently used crypto in real time. Adding something quantum safe in link encryption for starters is worth looking into, and in the future of course changes will be applied to upper layer crypto as well.