[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Yawning Angel
yawning at schwanenlied.me
Fri May 6 20:08:05 UTC 2016
On Fri, 6 May 2016 19:17:11 +0000
isis <isis at torproject.org> wrote:
> [XXX We think we want to omit the final hashing in the production
> of NTOR_KEY here, and instead put all the inputs through SHAKE-256.
> --isis, peter]
>
> [XXX We probably want to remove ID and B from the input to the
> shared key material, since they serve for authentication but, as
> pre-established "prologue" material to the handshake, they should not
> be used in attempts to strengthen the cryptographic suitability of
> the shared key. Also, their inclusion is implicit in the DH
> exponentiations. I should probably ask Ian about the reasoning for
> the original design choice. --isis]
Oh I missed this. B at a minimum needs to be part of `auth_input`,
though probably does not need to be part of `secret_input`.
Per RFC 7748:
Designers using these curves should be aware that for each public
key, there are several publicly computable public keys that are
equivalent to it, i.e., they produce the same shared secrets. Thus
using a public key as an identifier and knowledge of a shared secret
as proof of ownership (without including the public keys in the key
derivation) might lead to subtle vulnerabilities.
Regards,
--
Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160506/3c18cb48/attachment.sig>
More information about the tor-dev
mailing list