[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Sat May 7 06:24:17 UTC 2016

On Fri, 2016-05-06 at 19:17 +0000, isis wrote:

>   --- Description of the Newhope internal functions ---
>   gen_a(SEED seed) receives as input a 32-byte (public) seed.  It expands
>   this seed through SHAKE-128 from the FIPS202 standard. The output of SHAKE-128
>   is considered a sequence of 16-bit little-endian integers. This sequence is
>   used to initialize the coefficients of the returned polynomial from the least
>   significant (coefficient of X^0) to the most significant (coefficient of
>   X^1023) coefficient. For each of the 16-bit integers first eliminate the
>   highest two bits (to make it a 14-bit integer) and then use it as the next
>   coefficient if it is smaller than q=12289.
>   Note that the amount of output required from SHAKE to initialize all 1024
>   coefficients of the polynomial varies depending on the input seed.
>   Note further that this function does not process any secret data and thus does
>   not need any timing-attack protection.

Aren't the seed and polynomial a actually secret for negotiation with
any node after your guard?  

An adversary who can do a timing attack on a user's tor process would
gain some deanonymizing information from knowing which a elements get
skipped.  I suppose this adversary has already nailed the user via
correlation attack, but maybe worth rewording at least.  

And maybe an adversary could employ different attack infrastructure if
they can learn some skipped elements of a. 
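The gen_a procedure quoted above, as an added example that is not code from the proposal or from the NewHope reference implementation: it follows only the quoted description (SHAKE-128 output read as 16-bit little-endian integers, top two bits dropped, candidate kept if below q=12289) and additionally reports how much XOF output had to be examined, which is the seed-dependent quantity the reply is concerned with. The sample seeds are constructed for illustration.

```python
import hashlib

Q = 12289       # NewHope modulus q
N = 1024        # number of coefficients, X^0 .. X^1023
MASK14 = 0x3FFF # keep the low 14 bits of each 16-bit candidate

def gen_a(seed: bytes, chunk: int = 2048):
    """Expand a 32-byte seed into the polynomial a per the quoted description.

    Returns (coefficients, bytes_examined).  bytes_examined is how much of the
    SHAKE-128 stream the loop had to look at; it grows with the number of
    rejected candidates and therefore depends on the seed."""
    if len(seed) != 32:
        raise ValueError("seed must be exactly 32 bytes")
    coeffs = []
    pos = 0          # byte offset into the SHAKE stream
    length = chunk   # how much of the XOF stream has been requested so far
    while len(coeffs) < N:
        # digest(n) always yields the same first n bytes of the XOF stream,
        # so asking for a longer prefix extends rather than restarts it.
        stream = hashlib.shake_128(seed).digest(length)
        while pos + 2 <= length and len(coeffs) < N:
            candidate = int.from_bytes(stream[pos:pos + 2], "little") & MASK14
            pos += 2
            if candidate < Q:        # rejection step: skip values >= q
                coeffs.append(candidate)
        length += chunk
    return coeffs, pos

def bytes_examined(seed: bytes) -> int:
    """Seed-dependent amount of SHAKE output gen_a consumes (always even)."""
    return gen_a(seed)[1]

if __name__ == "__main__":
    # Constructed sample seeds (not from the proposal): the number of SHAKE
    # bytes examined, and hence the work done, differs from seed to seed.
    for i in range(4):
        seed = bytes([i]) * 32
        a, used = gen_a(seed)
        print(f"seed {seed[:4].hex()}...: {len(a)} coeffs, {used} SHAKE bytes examined")
```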

