[tor-dev] Quantum-safe Hybrid handshake for Tor
Yawning Angel
yawning at schwanenlied.me
Sun Jan 3 09:48:45 UTC 2016
On Sun, 3 Jan 2016 04:16:17 -0500
grarpamp <grarpamp at gmail.com> wrote:
> http://safecurves.cr.yp.to/
>
> Just another link.

None of those algorithms will hold up to a quantum computer, and apart
from for TLS (where we use the NIST curves) we already use "safe"
Curve/Ed25519.

So I don't know why you're bringing it up. This is discussion
regarding how to prevent a total disaster in the event of a Curve25519
break.

nb: Migrating to X448 would possibly hold up longer than Curve25519
would since it requires a bigger quantum computer. But performance
isn't that great without using vectorization.

> > Additionally, without AVX2, signing is glacially slow, clocking in
> > at ~200 ms on a Haswell i5. The same hardware does our existing
> > ntor handshake in ~230 usec.
>
> Haswell i5 seems to have AVX2, as do all Haswells,
> perhaps you refer to Ivy Bridge i5's which do not...

Or, perhaps I meant exactly what I said, because the implementation I
happened to benchmark (which I, coincidentally, happened to write) does
not use AVX2 (it doesn't, since it was written to be portable) and I
wanted non-vectorized performance numbers (I did).

I know the algorithm is faster when vectorized but that does little
good for what I suspect are a substantial fraction of the relays.

--
Yawning Angel