[tor-dev] Quantum-safe Hybrid handshake for Tor
burdges at gnunet.org
Wed Feb 3 17:12:02 UTC 2016
On Fri, 2016-01-01 at 11:14 +0000, Yawning Angel wrote:
> On Thu, 31 Dec 2015 20:51:43 +0000
> isis <isis at torproject.org> wrote:
> > I feel like there needs to be some new terminology here. It's
> > certainly not post-quantum secure, but "quantum-safe" doesn't seem
> > right either, because it's exactly the point at which the adversary
> > gains appropriate quantum computational capabilities that it becomes
> > *unsafe*. If I may, I suggest calling it "pre-quantum secure". :)
> Post-quantum forward-secrecy is what I've been using to describe this

Isn't that using "forward security" to denote a weakening when it
usually denotes a strengthening?

> I personally don't think that any of the PQ signature schemes are
> for us right now, because the smallest key size for an algorithm that
> isn't known to be broken is ~1 KiB (SPHINCS256), and we probably
> afford to bloat our descriptors/micro-descriptors that much.

Did you mean to talk about the 41ish kb signature here?

I dunno that you'll ever beat that 1kb key size with a post-quantum
system. There is a lattice based signature scheme and an isogeny based
scheme that'll both beat SPHINCS on signature sizes, but I think not so
much on key size.

p.s. I'd imagine that key size might come from the public key itself
proving that it's a SPHINCS public key or doing a simple initial
signature or something. If you didn't care during storage that the key
is really a key, or what it's good for, then a 256 bit fingerprint of a
SPHINCS public key would be as good as a SPHINCS public key itself,
right? It's dubious that Tor, or anyone really, could use fingerprints
in such a context-free way though.