[tor-dev] Quantum-safe Hybrid handshake for Tor

Jesse V kernelcorn at riseup.net
Sun Jan 3 03:12:02 UTC 2016


On 01/02/2016 05:42 PM, Tim Wilson-Brown - teor wrote:
> And if we can't use the reference implementation, we have some decent
> programmers…
> (On the other hand, if there's no reference implementation, then that
> makes it hard to recommend that particular crypto scheme.)

That sounds pretty close to a "roll your own crypto" idea, which as I'm
sure you know is almost always a poor idea. Classical algorithms like
RSA and Diffie-Hellman are ~40 years old but they have many
side-channels and are still hard to implement correctly. There are so
many subtleties with ECDHE and ECDSA, with the notable exception of the
safer *25519 cryptosystems from djb. Post-quantum cryptography is over
my head, but considering the pattern and the newness of the field I
wouldn't trust any implementation unless it was written or at least
vetted by the authors of the respective post-quantum cryptosystem.

That being said, I'd like to thank Schanck, Whyte, and Zhang for their
work, their paper, and their reference implementation.

-- 
Jesse V
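As an added illustration of the side-channel point made above (example code written for this page; it is not from the post, from Tor, or from the Schanck/Whyte/Zhang implementation), the block below computes the same modular exponentiation two ways. Textbook square-and-multiply, the core of RSA and classical Diffie-Hellman, multiplies only when a secret exponent bit is 1, so its operation count leaks the Hamming weight of the secret; a Montgomery ladder with an arithmetic conditional swap does the same work for every bit. The modulus 3233 and base 42 are constructed toy values, and the operation counter stands in for timing or power, since Python big-integer arithmetic is not constant-time and the point here is structural.

```python
"""Constructed demonstration of a secret-dependent operation count in
textbook modular exponentiation versus a fixed-work Montgomery ladder.
Not from the tor-dev post; toy parameters, not real key material."""
from dataclasses import dataclass


@dataclass
class OpCounter:
    """Counts field operations as a proxy for a timing/power side channel."""
    squarings: int = 0
    multiplications: int = 0


def naive_square_and_multiply(base, exp, mod, counter, bits):
    """Left-to-right binary exponentiation over a fixed-width exponent.
    Multiplies only on set bits, so `multiplications` == popcount(exp)."""
    result = 1
    for bit in format(exp, f"0{bits}b"):
        result = (result * result) % mod
        counter.squarings += 1
        if bit == "1":  # data-dependent branch: this is the leak
            result = (result * base) % mod
            counter.multiplications += 1
    return result


def cswap(bit, a, b):
    """Arithmetic conditional swap (bit must be 0 or 1): swaps without a
    data-dependent branch. -1 & x == x, 0 & x == 0."""
    mask = -bit & (a ^ b)
    return a ^ mask, b ^ mask


def montgomery_ladder(base, exp, mod, counter, bits):
    """Montgomery ladder: one squaring and one multiplication per bit
    regardless of the bit value, maintaining the invariant r1 == r0 * base."""
    r0, r1 = 1, base % mod
    for i in range(bits - 1, -1, -1):
        bit = (exp >> i) & 1
        r0, r1 = cswap(bit, r0, r1)
        r1 = (r0 * r1) % mod
        counter.multiplications += 1
        r0 = (r0 * r0) % mod
        counter.squarings += 1
        r0, r1 = cswap(bit, r0, r1)
    return r0


def profile(func, base, exp, mod, bits):
    """Run `func` and return (result, squarings, multiplications)."""
    counter = OpCounter()
    value = func(base, exp, mod, counter, bits)
    return value, counter.squarings, counter.multiplications


def hamming_weight(n):
    return bin(n).count("1")


if __name__ == "__main__":
    mod, base, bits = 3233, 42, 7          # toy RSA-style modulus 61*59
    for exp in (0b1000000, 0b1111111):     # weight 1 vs weight 7
        for fn in (naive_square_and_multiply, montgomery_ladder):
            value, sq, mul = profile(fn, base, exp, mod, bits)
            assert value == pow(base, exp, mod)
            print(f"{fn.__name__:26s} exp={exp:3d} weight={hamming_weight(exp)} "
                  f"squarings={sq} multiplications={mul}")
```

Running it shows the naive routine's multiplication count tracking the exponent's weight while the ladder's stays fixed; both agree with Python's built-in `pow`. In a real implementation the remaining work is making each multiplication itself constant-time, which is exactly the part that is hard to get right and that the *25519 designs were built to avoid.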
