[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Tim Wilson-Brown - teor
teor2345 at gmail.com
Sat May 7 14:59:57 UTC 2016
> On 7 May 2016, at 05:17, isis <isis at torproject.org> wrote:
> Let `ID` be a router's identity key taken from the router microdescriptor.
> In the case for relays possessing Ed25519 identity keys (c.f. Tor proposal
> #220), this is a 32-byte string representing the public Ed25519 identity key.
> For backwards and forwards compatibility with routers which do not possess
> Ed25519 identity keys, this is a 32-byte string created via the output of
I don't understand why we do this backwards and forwards compatibility for ID, when the proposal only works for relays with an ed25519 key in their descriptor.
I'm sure I'm missing something basic - I'm still learning how to read crypto papers and specifications.
> The function CVPD4 does the following:
> v00 = round(y0/2q)
> v01 = round(y1/2q)
> v02 = round(y2/2q)
> v03 = round(y3/2q)
> v10 = round((y0-1)/2q)
> v11 = round((y1-1)/2q)
> v12 = round((y2-1)/2q)
> v13 = round((y3-1)/2q)
> t = abs(y0 - 2q*v00)
> t += abs(y1 - 2q*v01)
> t += abs(y2 - 2q*v02)
> t += abs(y3 - 2q*v03)
> if(t < 2q):
>     v0 = v00
>     v1 = v01
>     v2 = v02
>     v3 = v03
>     k = 0
> else:
>     v0 = v10
>     v1 = v11
>     v2 = v12
>     v3 = v13
>     k = 1
> return (v0-v3,v1-v3,v2-v3,k+2*v3)
> In this description, round() returns the closest integer and abs() returns the
> absolute value.
> Note that all computations involved in helprec operate on secret data and must
> be protected against timing attacks.
round() is underspecified here: does 0.5 round to 0 or 1?
Or is it not possible to get answers that are exactly halfway between two integers?
Tim Wilson-Brown (teor)
teor2345 at gmail dot com
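An added illustration, not code from the proposal or from Tor: the quoted CVPD4 steps run with two rounding conventions (Python's round-half-even and round-half-up) on an input where y0/2q is exactly 1/2. It assumes integer inputs y_i and q = 12289 (the NewHope modulus, which the quoted text does not state); the point is that halfway cases do arise for integer y_i and that the convention changes the output.

```python
from fractions import Fraction
from math import floor
from typing import Callable, Tuple

Q = 12289  # assumption: NewHope's modulus; the quoted pseudocode does not fix q

Vec4 = Tuple[int, int, int, int]
Rounder = Callable[[Fraction], int]


def round_half_even(x: Fraction) -> int:
    # Python's round() on a Fraction is exact and rounds ties to even.
    return round(x)


def round_half_up(x: Fraction) -> int:
    # Ties go to the next integer up (0.5 -> 1), exact thanks to Fraction.
    return floor(x + Fraction(1, 2))


def halfway_inputs(y: Vec4, q: int = Q) -> bool:
    # y_i/2q or (y_i-1)/2q is exactly k + 1/2 iff the numerator is q mod 2q,
    # so exact ties are possible whenever y_i (or y_i - 1) lands on q mod 2q.
    return any(yi % (2 * q) == q or (yi - 1) % (2 * q) == q for yi in y)


def cvpd4(y: Vec4, q: int = Q, rnd: Rounder = round_half_even) -> Vec4:
    # Direct transcription of the quoted pseudocode with exact rational
    # arithmetic. Illustrative only: it branches on secret-dependent data
    # and is not the constant-time implementation the proposal calls for.
    two_q = 2 * q
    v0s = [rnd(Fraction(yi, two_q)) for yi in y]         # v00..v03
    v1s = [rnd(Fraction(yi - 1, two_q)) for yi in y]     # v10..v13
    t = sum(abs(yi - two_q * vi) for yi, vi in zip(y, v0s))
    if t < two_q:
        v, k = v0s, 0
    else:
        v, k = v1s, 1
    return (v[0] - v[3], v[1] - v[3], v[2] - v[3], k + 2 * v[3])


if __name__ == "__main__":
    # Constructed input: y0 = q makes y0/2q exactly 1/2.
    tie = (Q, 0, 0, 0)
    print(halfway_inputs(tie), cvpd4(tie, rnd=round_half_even), cvpd4(tie, rnd=round_half_up))
```

For the constructed input the two conventions return (0, 0, 0, 0) and (1, 0, 0, 0) respectively, so an implementation following the text must pin down which rounding it uses.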