[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Sat May 7 20:51:27 UTC 2016

On Sat, 2016-05-07 at 19:41 +0000, lukep wrote:
> It's hard to guarantee that any fixed, finite amount of SHAKE
> output will be sufficient for any rejection sampling method
> like gen_a.
Isn't some small multiple usually enough?  I think 1024 is large enough
to tend towards the expected 42%ish failures. 

Also, can't one simply start the sampling over from the beginning if one
runs out? 

I've no idea if maybe an arithmetic coding scheme would be more

> Or let a be a system-wide parameter changing say on a daily basis?

I mentioned using the Tor collaborative random number generator for a in
my other message, but only as a feint to get to the meat of my argument
that Isis and Peter's proposal sounds optimal.  I think rotating a
network-wide a would get messy and dangerous in practice.

If bandwidth is an issue, then a could be derived from the ECDH
handshake, thereby making it zero cost. 
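As an added illustration of the two questions raised above (whether a fixed amount of SHAKE output can be guaranteed to suffice for gen_a, and whether one can simply continue sampling when it runs out), the following Python is example code written for this page; it is not the Tor proposal's or the NewHope project's implementation. It assumes n = 1024, q = 12289 and the 14-bit mask of the NewHope reference code, and the seed is a constructed value. It contrasts a sampler that keeps squeezing the XOF with one that has a fixed budget and can fail, measures the per-sample rejection rate for this mask, and computes the exact failure probability of a fixed budget as a binomial tail, which is what makes "a small multiple" a quantifiable statement.

```python
"""Rejection sampling of the NewHope public polynomial `a` from SHAKE-128.

Constructed example, not the Tor proposal's or NewHope's own code.
Assumptions: n = 1024, q = 12289, 16-bit little-endian candidates masked to
14 bits (the NewHope reference implementation's mask), 2 bytes per sample.
"""
import hashlib
from fractions import Fraction
from math import comb

N = 1024        # polynomial degree
Q = 12289       # modulus
MASK = 0x3FFF   # 14-bit mask: candidates are uniform in [0, 16384)
ACCEPT = Fraction(Q, MASK + 1)  # per-sample acceptance probability


def _sample(buf: bytes, i: int) -> int:
    """i-th 16-bit little-endian value of buf, masked to 14 bits."""
    return (buf[2 * i] | (buf[2 * i + 1] << 8)) & MASK


def gen_a_streaming(seed: bytes, chunk_values: int = 256):
    """Sample N coefficients uniform in [0, Q) by rejection sampling.

    SHAKE-128 is an extendable-output function: digest(m)[:k] == digest(k),
    so when a chunk is exhausted we ask for more of the same stream rather
    than restarting. Returns (coefficients, number_of_candidates_consumed).
    """
    xof = hashlib.shake_128(seed)
    coeffs = []
    consumed = 0
    while len(coeffs) < N:
        buf = xof.digest(2 * (consumed + chunk_values))[2 * consumed:]
        for i in range(chunk_values):
            consumed += 1
            v = _sample(buf, i)
            if v < Q:
                coeffs.append(v)
                if len(coeffs) == N:
                    break
    return coeffs, consumed


def gen_a_fixed_budget(seed: bytes, budget_values: int):
    """Same sampler, but with a fixed, finite amount of XOF output.

    Returns the coefficients, or None when the budget runs out: the failure
    case a fixed-size buffer can never rule out, only make improbable.
    """
    buf = hashlib.shake_128(seed).digest(2 * budget_values)
    coeffs = []
    for i in range(budget_values):
        v = _sample(buf, i)
        if v < Q:
            coeffs.append(v)
            if len(coeffs) == N:
                return coeffs
    return None


def rejection_rate(seed: bytes, num_values: int = 1 << 16) -> float:
    """Empirical fraction of masked candidates that are >= Q."""
    buf = hashlib.shake_128(seed).digest(2 * num_values)
    rejected = sum(1 for i in range(num_values) if _sample(buf, i) >= Q)
    return rejected / num_values


def failure_probability(budget_values: int) -> Fraction:
    """Exact P[fewer than N of budget_values candidates are accepted].

    Binomial tail with p = Q / 2^14, evaluated over the integers so that
    astronomically small probabilities are not lost to floating point.
    """
    total = MASK + 1
    num = sum(comb(budget_values, k) * Q**k * (total - Q) ** (budget_values - k)
              for k in range(N))
    return Fraction(num, total**budget_values)


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed seed, not a real handshake value
    a, used = gen_a_streaming(seed)
    print(f"sampled {len(a)} coefficients from {used} candidates")
    print(f"empirical rejection rate: {rejection_rate(seed):.4f} "
          f"(expected {float(1 - ACCEPT):.4f})")
    for budget in (N, 2 * N):
        pf = failure_probability(budget)
        log2 = pf.numerator.bit_length() - pf.denominator.bit_length()
        print(f"budget of {budget} candidates fails with probability "
              f"roughly 2^{log2}")
```

With this mask the rejection rate is 1 - 12289/16384, i.e. one candidate in four; a budget of exactly n candidates fails unless every one is accepted, while a budget of 2n fails with probability far below 2^-128, which is why the reference code can use a fixed initial squeeze and only fall back to squeezing further blocks in the rare case it runs dry.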

