[tor-dev] Quantum-safe Hybrid handshake for Tor
yawning at schwanenlied.me
Sun Apr 3 06:52:43 UTC 2016
On Sat, 2 Apr 2016 18:48:24 -0400
Jesse V <kernelcorn at riseup.net> wrote:
> Again, I have very little understanding of post-quantum crypto and I'm
> just starting to understand ECC, but after looking over
> https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and
> skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be
> patented, it's reasonably fast, it uses the smallest bandwidth, and it
> offers perfect forward secrecy. It seems to me that SIDH actually has
> more potential for making it into Tor than any other post-quantum
Your definition of "reasonably fast" doesn't match mine. The number
for SIDH (key exchange, when the thread was going off on a tangent
about signatures) is ~200ms.
A portable newhope (Ring-LWE) implementation on my laptop can do one
side of the exchange in ~190 usec. Saving a few cells is not a good
reason to use a key exchange mechanism that is 1000x slower
(NTRUEncrypt is also fast enough to be competitive).
nb: Numbers are rough, and I don't have SIDH code to benchmark.
newhope in particular vectorizes really well and the AVX2 code is even
: My version of the reference code. I do use SSE2 in the ChaCha20
implementation, but anything that doesn't support enough vector
processing for a fast ChaCha20 belongs in a museum, and not on the
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 819 bytes
Desc: OpenPGP digital signature
More information about the tor-dev