[tor-dev] Post-quantum proposals #269 and #270

isis agora lovecruft isis at torproject.org
Mon Aug 8 17:26:53 UTC 2016 

lukep at tutanota.com transcribed 8.8K bytes:
> 5. Aug 2016 15:07 by isis at torproject.org:
> > So it's not an either-or situation for proposals #269 and #270 — they are
> > entirely compatible and #269 is meant to provide modularity.
> 
> Thanks - that wasn't clear to me, although I can see that they are aiming in
> the same direction. I agree with the principle of separating out the
> handshake from the protocol for modularity, but I don't think that's quite
> been achieved and there's some overlap/confliction between the two of
> them. For example in how the hybrid secret key is computed.
>
> 
> In #269, in the hybrid DH-KEM handshake it's computed as:
> 
> s0 := H(DH_MUL(A,x))
> 
> s1 := DH_MUL(Y,x)
> 
> s2 := KEM_DEC(C, esk)
> 
> secret := s0 | s1 | s2
> 
> 
> On the other hand in #270, in the X25519-Newhope handshake it's computed as:
> 
> NTOR_KEY := NTOR_SHAREDA(x, X, Y, Z, ID, AUTH)
> 
> NEWHOPE_KEY := NEWHOPE_SHAREDA(M, a)
> 
> sk := SHAKE-256(NTOR_KEY || NEWHOPE_KEY)
> 
> 
> As it stands, secret and sk are computed in a contradictory manner; these
> could be reconciled so they are the same, but if you are trying to write
> modular proposals the handshake algorithm should only be specified in one
> document. I think the method of computing the secret should be specified in
> #270 (only), and the protocol (depending on a call to the DH-KEM key
> exchange) should be specified in #269.

Thanks for pointing this out!  The SHAKE-256() call should actually be added
to #269, since it's acting as a replacement for the HKDF at the end of the
original ntor handshake, and it should be performed regardless of choice of PQ
KEM.

Best regards,
-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1240 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160808/8cb502c3/attachment.sig>

More information about the tor-dev mailing list