[tor-dev] Quantum-safe Hybrid handshake for Tor

lukep lukep at tutanota.com
Thu Apr 21 15:57:04 UTC 2016

Thanks Yawning.

> Most of the changes since the paper has been released have been minor.
> The last major algorithmic change I'm aware of was 20151209 which
> altered the reconciliation mechanism (I don't particularly count the
> March changes that changed the on-the-wire encoding format to be
> major, it's just a more compact way to send the same things).

Don't get me wrong, I like the ring-LWE algorithm, I just wanted to sound a
note of caution that there's a new version with different parameters,
possibly incompatible with the previous version (depending on
implementation), and that it's still pretty new so could change, or someone
could find a problem with the security proof.

> Kind of a moot point since by the time any of this will actually be
> used in core tor things would have settled.  And my gut feeling is
> RingLWE will have performant, well defined implementations well before
> SIDH is a realistic option.

How long do you think it would take for tor? Is there a version of Zhang's
quantum-safe hybrid protocol for NewHope?

> I track the paper and reference code in the implementation I maintain.
> FWIW, the performance hasn't changed noticeably, unless there's
> something newer than 20160328.

I can now see you've got a new version in your GitHub repository. Is this
standalone or have you tried incorporating it into tor source code yet?


