[tor-dev] Quantum-safe Hybrid handshake for Tor
Henry de Valence
hdevalence at riseup.net
Sat Jan 2 14:11:19 UTC 2016
On 12/28/2015 11:34 PM, Zhenfei Zhang wrote:
> 1.2 Motivation: Disaster resilience
>
> We are really trying to protect against the disastrous situation of one key
> being entirely compromised. By introducing a second cryptographic primitive,
> namely, NTRUEncrypt, we ensure that the system remains secure in those
> extreme scenarios.
[snipped]
> 2.1.1 Achieved Property:
[snipped]
> 2) The proposed key exchange method is disaster resilient: The protocol
> depends on two cryptographic primitives. Compromising one does not break
> the security of the whole system.
I'm a little confused about what exactly is meant by "disaster
resilience" here.
If the disaster is that there's a major cryptanalytic breakthrough
against ECC (or, more likely, against NTRU), then I think it would be
better to say explicitly that a design goal is that the handshake should
be no weaker than either primitive, rather than to say the threat is
against "a disaster".
However, the wording in §1.2 seems to indicate that the goal is to
defend against an attacker who can, e.g., obtain a relay's ECC key
without also obtaining their NTRU key. Both keys are in the same
security perimeter, so I'm not sure what this really achieves in practice.
I think it would be good to remove the word 'disaster' entirely and say
what exactly the threat is and what the design goal is: the threat is an
attack on one of the cryptosystems, and the goal is that the handshake
should be no weaker than either.
Cheers,
Henry de Valence
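The design goal Henry asks to be stated explicitly, that the handshake is no weaker than either primitive, is usually achieved by feeding both shared secrets into one key derivation step. The following is an added illustration of that step, not code from the proposal or from Tor: both secrets are constructed placeholder bytes (no ECC or NTRU operation is performed), the `PROTOID` label and the length-prefixed concatenation are this example's own assumptions, and the derivation is an HKDF-style extract/expand built from HMAC-SHA256. The point it shows is that the derived key changes completely if either input secret is unknown, so an attacker who breaks one primitive still faces the other.

```python
import hashlib
import hmac

# Constructed sample values standing in for the two shared secrets a hybrid
# handshake would produce (one from the ECC exchange, one from NTRUEncrypt).
# They are arbitrary bytes chosen for this illustration, not real outputs.
SECRET_ECC = bytes.fromhex("a1" * 32)
SECRET_NTRU = bytes.fromhex("b2" * 32)

# Assumed protocol label used as the HKDF salt; not a value from the proposal.
PROTOID = b"example-hybrid-handshake-v1"


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256, producing `length` bytes."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_secrets(secret_a: bytes, secret_b: bytes, transcript: bytes,
                    length: int = 32) -> bytes:
    """Derive one session key from two independent shared secrets.

    Both secrets are length-prefixed and concatenated into the HKDF input
    keying material, so the encoding is unambiguous even if the two
    primitives produce secrets of different sizes. The transcript is mixed in
    as HKDF info to bind the key to this particular exchange.
    """
    ikm = (len(secret_a).to_bytes(2, "big") + secret_a
           + len(secret_b).to_bytes(2, "big") + secret_b)
    prk = hkdf_extract(PROTOID, ikm)
    return hkdf_expand(prk, b"key|" + transcript, length)


def demo() -> dict:
    """Show that losing either input secret yields a different key.

    `wrong_ntru` models an attacker who recovered the ECC secret but must
    guess the NTRU one (here: all zeros); `wrong_ecc` models the reverse.
    """
    transcript = b"constructed transcript bytes"
    key = combine_secrets(SECRET_ECC, SECRET_NTRU, transcript)
    wrong_ntru = combine_secrets(SECRET_ECC, bytes(32), transcript)
    wrong_ecc = combine_secrets(bytes(32), SECRET_NTRU, transcript)
    return {"key": key, "wrong_ntru": wrong_ntru, "wrong_ecc": wrong_ecc}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value.hex()}")
```

Because HMAC-SHA256 is a PRF keyed by material that includes both secrets, the output remains unpredictable as long as at least one of the two inputs is unknown to the attacker; this is the property a hybrid handshake relies on, and it holds regardless of which primitive is the one that fails.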