[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Yawning Angel yawning at schwanenlied.me
Fri May 6 20:08:05 UTC 2016

On Fri, 6 May 2016 19:17:11 +0000
isis <isis at torproject.org> wrote:
>   [XXX We think we want to omit the final hashing in the production
> of NTOR_KEY here, and instead put all the inputs through SHAKE-256.
> --isis, peter]
>   [XXX We probably want to remove ID and B from the input to the
> shared key material, since they serve for authentication but, as
> pre-established "prologue" material to the handshake, they should not
> be used in attempts to strengthen the cryptographic suitability of
> the shared key.  Also, their inclusion is implicit in the DH
> exponentiations.  I should probably ask Ian about the reasoning for
> the original design choice.  --isis]

Oh I missed this.  B at a minimum needs to be part of `auth_input`,
though probably does not need to be part of `secret_input`.

Per RFC 7748:

   Designers using these curves should be aware that for each public
   key, there are several publicly computable public keys that are
   equivalent to it, i.e., they produce the same shared secrets.  Thus
   using a public key as an identifier and knowledge of a shared secret
   as proof of ownership (without including the public keys in the key
   derivation) might lead to subtle vulnerabilities.


Yawning Angel
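The RFC 7748 caveat quoted above, worked through as an added example (written for this page, not Tor's ntor code): a plain-Python X25519 shows that a second, publicly computable public key yields the same shared secret as B, and that a key derivation which binds B into its input tells the two apart while one that omits B does not. The `derive_key` KDF is a toy stand-in for `auth_input`, and the secret keys fed to `check` are constructed sample values.

```python
import hashlib

# Curve25519 field prime, the (A-2)/4 ladder constant and the base point u=9 (RFC 7748).
P, A24, BASE = 2**255 - 19, 121665, (9).to_bytes(32, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    # RFC 7748 section 5 Montgomery ladder in plain Python (illustration only, not constant time).
    k = bytearray(k)
    k[0], k[31] = k[0] & 248, (k[31] & 127) | 64   # clamping: every scalar is a multiple of 8
    n = int.from_bytes(k, "little")
    x1 = (int.from_bytes(u, "little") & ((1 << 255) - 1)) % P   # mask the top bit, reduce mod p
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (n >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def equivalent_pubkey(u: bytes) -> bytes:
    # Adding the 2-torsion point T = (0,0) to a Montgomery point maps u -> 1/u.  Clamped
    # scalars are multiples of 8, so k*(P+T) = k*P: a different key encoding, same shared secrets.
    return pow(int.from_bytes(u, "little") % P, P - 2, P).to_bytes(32, "little")

def derive_key(secret: bytes, B: bytes, bind_pubkey: bool) -> bytes:
    # Toy KDF (an assumption, not Tor's ntor): SHAKE-256 over the DH output, optionally with B bound in.
    return hashlib.shake_256(secret + (B if bind_pubkey else b"")).digest(32)

def check(b: bytes, x: bytes) -> dict:
    # b: server long-term secret, x: client ephemeral secret (both constructed sample inputs).
    B = x25519(b, BASE)
    B2 = equivalent_pubkey(B)             # publicly computable from B alone
    s, s2 = x25519(x, B), x25519(x, B2)   # client-side DH against each encoding
    return {"distinct_keys": B != B2, "same_secret": s == s2,
            "unbound_kdf_collides": derive_key(s, B, False) == derive_key(s2, B2, False),
            "bound_kdf_collides": derive_key(s, B, True) == derive_key(s2, B2, True)}
```

`check` reports that the two encodings differ, agree on the DH output, and collide in the KDF only when B is left out of its input.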