[tor-dev] Quantum-safe Hybrid handshake for Tor

Jeff Burdges burdges at gnunet.org
Fri Apr 22 09:41:30 UTC 2016

I'd imagine everyone in this thread knows this, but New Hope requires
that "both parties use fresh secrets for each instantiation".  

I suppose any key exchange designed around this meshes well enough with
ntor, so that's okay.  It leaves you relying on ECDH for the key
exchange with long term key material though. 

I have not read the papers on doing Ring-LWE key exchanges with long
term key material, but presumably they increase the key size.

On Wed, 2016-04-20 at 19:00 +0000, Yawning Angel wrote:
> And my gut feeling is RingLWE will have performant, well defined
> implementations well before SIDH is a realistic option.

This is undoubtedly true because too few people are looking into SIDH. 

I've been chatting with Luca about writing a "more production ready"
implementation, like optimizing the GF(p^2) field operations and things.
If that happens, maybe it'll spur more interest. 

There is some chance SIDH might wind up being preferable for key
exchanges with long term key material. 

