[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Sat May 7 20:51:27 UTC 2016


On Sat, 2016-05-07 at 19:41 +0000, lukep wrote:
> It's hard to guarantee that any fixed, finite amount of SHAKE
> output will be sufficient for any rejection sampling method
> like gen_a.
 
Isn't some small multiple usually enough?  I think 1024 is large enough
to tend towards the expected 42%ish failures. 

Also, can't one simply start the sampling over from the beginning if one
runs out? 

I've no idea if maybe an arithmetic coding scheme would be more
efficient.

> Or let a be a system-wide parameter changing say on a daily basis?

I mentioned using the Tor collaborative random number generator for a in
my other message, but only as a feint to get to the meat of my argument
that Isis and Peter's proposal sounds optimal.  I think rotating a
network-wide a would get messy and dangerous in practice.

If bandwidth is an issue, then a could be derived from the ECDH
handshake, thereby making it zero cost. 

Jeff
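Worked example of the gen_a-style rejection sampling discussed in this message, added here as an illustration; it is not code from the proposal, from NewHope, or from the poster. It assumes a NewHope-style ring with n = 1024 and q = 12289, takes 14-bit candidates from SHAKE-128 output (via Python's hashlib) and accepts a candidate when it is below q; the exact candidate rule of the NewHope reference code may differ. The two samplers contrast the "fixed, finite amount of SHAKE output" concern (returns None when the budget is exhausted) with squeezing more output on demand, which in an XOF is the same stream, so restarting from the beginning with a longer digest reproduces the same coefficients. Seeds and budgets are constructed values.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed parameters for this example (NewHope-style ring, n = 1024 as in the thread).
N = 1024
Q = 12289
CAND_BITS = 14                    # assumption: 14 bits per candidate, accept if < Q
CAND_MASK = (1 << CAND_BITS) - 1


def expected_accept_rate() -> float:
    """P[candidate < Q] for a uniform CAND_BITS-bit candidate (12289/16384, just over 0.75)."""
    return Q / (1 << CAND_BITS)


def expected_bytes() -> float:
    """Expected SHAKE output, in bytes, needed to collect N accepted coefficients."""
    return 2 * N / expected_accept_rate()


def sample_from_buffer(buf: bytes) -> Tuple[List[int], int, int]:
    """Walk a buffer two bytes per candidate, keeping candidates below Q.

    Returns (coeffs, bytes_consumed, rejected).  coeffs is shorter than N when
    the buffer runs out, which is exactly the fixed-output concern raised above.
    """
    coeffs: List[int] = []
    rejected = 0
    pos = 0
    while len(coeffs) < N and pos + 2 <= len(buf):
        cand = int.from_bytes(buf[pos:pos + 2], "little") & CAND_MASK
        pos += 2
        if cand < Q:
            coeffs.append(cand)
        else:
            rejected += 1
    return coeffs, pos, rejected


def gen_a_fixed(seed: bytes, budget: int) -> Optional[List[int]]:
    """Rejection-sample with a fixed SHAKE-128 budget; None means the budget ran out."""
    coeffs, _, _ = sample_from_buffer(hashlib.shake_128(seed).digest(budget))
    return coeffs if len(coeffs) == N else None


def gen_a_extendable(seed: bytes, chunk: int = 2 * N) -> Tuple[List[int], int]:
    """Squeeze more SHAKE-128 output on demand instead of failing.

    SHAKE is an XOF: digest(k) is a prefix of digest(k') for k' > k, so
    restarting the walk over a longer digest continues the same stream and
    yields the same coefficients.  Returns (coeffs, bytes_consumed).
    """
    out_len = chunk
    while True:
        coeffs, pos, _ = sample_from_buffer(hashlib.shake_128(seed).digest(out_len))
        if len(coeffs) == N:
            return coeffs, pos
        out_len += chunk            # ran out: start over with a longer squeeze


if __name__ == "__main__":
    seed = b"constructed example seed"        # constructed, not a real handshake value
    a, used = gen_a_extendable(seed)
    print("accept rate %.4f, expected bytes %.1f, used %d" %
          (expected_accept_rate(), expected_bytes(), used))
    print("2*N-byte budget sufficient:", gen_a_fixed(seed, 2 * N) is not None)
    print("4*N-byte budget sufficient:", gen_a_fixed(seed, 4 * N) == a)
```

With a 2*N-byte budget every candidate would have to be accepted, so the fixed sampler essentially always fails; a 4*N-byte budget (2048 candidates for 1024 slots at roughly 75% acceptance) fails with negligible probability, and when it succeeds it returns the same a as the extendable sampler because both read the same XOF prefix.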
