[tor-dev] Quantum-safe Hybrid handshake for Tor

Yawning Angel yawning at schwanenlied.me
Sun Jan 3 03:22:29 UTC 2016


On Sat, 2 Jan 2016 17:18:56 -0800
Ryan Carboni <ryacko at gmail.com> wrote:

> And yet the NSA is moving to prime numbers.

So?  In terms of prioritization, ensuring all existing traffic isn't
subject to later decryption is far more important that defending against
targeted active attacks that require hardware that doesn't exist yet.

> A large public key isn't a very good reason to not adopt quantum-safe
> crypto, it just means that it requires having the Tor project to be
> able to scale to a larger degree. I suggest hash tables, a percentage
> of which are pseudorandomly downloaded. Otherwise the Tor project
> won't scale to 10x the relays ... even ignoring quantum cryptography.

Nope.  Every client needs to know the public key of every relay or
we're worse off vs active attackers.

To put numbers into things for the bandwidth/storage overhead for
having SPHINCS256 keys for every relay, currently the full list of
microdescriptors for a consensus is ~3.2 MiB, with 6960 relays.

This is roughly 9.3 MiB of extra information that would need to be
downloaded in terms directory information, and ~41 KiB per hop of extra
traffic as part of the circuit build process.

Additionally, without AVX2, signing is glacially slow, clocking in at
~200 ms on an Haswell i5.  The same hardware does our existing ntor
handshake in ~230 usec.  Increasing the amount of work each hop needs
to do to establish a circuit by 3 orders of magnitude to the point
where a single core on a relatively modern processor can process 5
circuit creations/second would kill the Tor network.

  (I'm done arguing over this.  If you think relays should have PQ
   signature based identity keys, then feel free to write a patch.
   I view other things as more important, and will focus my efforts
   elsewhere.)

Regards,

-- 
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160103/eccd199e/attachment.sig>


More information about the tor-dev mailing list