[tor-dev] Quantum-safe Hybrid handshake for Tor

Yawning Angel yawning at schwanenlied.me
Sun Apr 3 06:52:43 UTC 2016

On Sat, 2 Apr 2016 18:48:24 -0400
Jesse V <kernelcorn at riseup.net> wrote:
> Again, I have very little understanding of post-quantum crypto and I'm
> just starting to understand ECC, but after looking over
> https://en.wikipedia.org/wiki/Supersingular_isogeny_key_exchange and
> skimming the SIDH paper, I'm rather impressed. SIDH doesn't seem to be
> patented, it's reasonably fast, it uses the smallest bandwidth, and it
> offers perfect forward secrecy. It seems to me that SIDH actually has
> more potential for making it into Tor than any other post-quantum
> cryptosystem.

Your definition of "reasonably fast" doesn't match mine.  The number
for SIDH (key exchange, when the thread was going off on a tangent
about signatures) is ~200ms.

A portable newhope (Ring-LWE) implementation[0] on my laptop can do one
side of the exchange in ~190 usec.  Saving a few cells is not a good
reason to use a key exchange mechanism that is 1000x slower
(NTRUEncrypt is also fast enough to be competitive).

nb: Numbers are rough, and I don't have SIDH code to benchmark.
newhope in particular vectorizes really well and the AVX2 code is even

Yawning Angel

[0]: My version of the reference code.  I do use SSE2 in the ChaCha20
implementation, but anything that doesn't support enough vector
processing for a fast ChaCha20 belongs in a museum, and not on the
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160403/cfeee9ce/attachment-0001.sig>

More information about the tor-dev mailing list