[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
burdges at gnunet.org
Sat May 7 20:51:27 UTC 2016
On Sat, 2016-05-07 at 19:41 +0000, lukep wrote:
> It's hard to guarantee that any fixed, finite amount of SHAKE
> output will be sufficient for any rejection sampling method
> like gen_a.
Isn't some small multiple usually enough? I think 1024 is large enough
to tend towards the expected 42%ish failures.
Also, can't one simply start the sampling over from the beginning if one
I've no idea if maybe an arithmetic coding scheme would be more
> Or let a be a system-wide parameter changing say on a daily basis?
I mentioned using the Tor collaborative random number generator for a in
my other message, but only as a feint to get to the meat of my argument
that Isis and Peter's proposal sounds optimal. I think rotating a
network-wide a would get messy and dangerous in practice.
If bandwidth is an issue, then a could be derived from the ECDH
handshake, thereby making it zero cost.
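The two ways of handling the "fixed amount of SHAKE output" question above, as an added illustration (this is not code from the thread, from the proposal, or from the NewHope authors). The gen_a it models is an assumption: 16-bit words read from SHAKE-128, a word accepted if it is below 5q and then reduced mod q, for q = 12289 and n = 1024. The fixed-buffer variant fails when the buffer runs out; the extendable variant keeps the coefficients it already accepted and squeezes a longer SHAKE prefix, which is sound because a shorter SHAKE output is a prefix of any longer one.

```python
import hashlib
from typing import List, Optional, Tuple

Q = 12289            # NewHope modulus
N = 1024             # ring dimension
# Assumed gen_a rule, not taken from this thread: accept 16-bit word v if v < 5q.
# Rejection probability per word is 1 - 5q/2^16, a bit over 6%.
ACCEPT_BOUND = 5 * Q


def _words(buf: bytes, start: int):
    """Yield (offset, little-endian 16-bit word) pairs from buf[start:]."""
    for i in range(start, len(buf) - 1, 2):
        yield i + 2, buf[i] | (buf[i + 1] << 8)


def gen_a_fixed(seed: bytes, nbytes: int) -> Optional[List[int]]:
    """Rejection-sample N coefficients from exactly nbytes of SHAKE-128 output.

    Returns None if the fixed buffer is exhausted before N words are accepted,
    which is the failure mode lukep raises above.
    """
    buf = hashlib.shake_128(seed).digest(nbytes)
    coeffs: List[int] = []
    for _, v in _words(buf, 0):
        if v < ACCEPT_BOUND:
            coeffs.append(v % Q)
            if len(coeffs) == N:
                return coeffs
    return None


def gen_a_extendable(seed: bytes, nbytes: int) -> Tuple[List[int], int]:
    """Same sampling rule, but on exhaustion squeeze a longer prefix and resume.

    SHAKE is an XOF: digest(m) is a prefix of digest(m') for m' > m, so the
    coefficients accepted from the shorter buffer stay valid and nothing has to
    be restarted.  Returns (coefficients, number of squeeze calls made).
    """
    coeffs: List[int] = []
    consumed = 0          # bytes already scanned; never re-read them
    squeezes = 0
    while len(coeffs) < N:
        buf = hashlib.shake_128(seed).digest(nbytes)
        squeezes += 1
        for off, v in _words(buf, consumed):
            consumed = off
            if v < ACCEPT_BOUND:
                coeffs.append(v % Q)
                if len(coeffs) == N:
                    break
        nbytes *= 2       # ask for a longer prefix next time round
    return coeffs, squeezes


def rejection_rate(seed: bytes, nwords: int) -> float:
    """Empirical fraction of 16-bit SHAKE words the rule rejects (for comparing
    against the expected 1 - 5q/2^16 ~ 0.062)."""
    buf = hashlib.shake_128(seed).digest(2 * nwords)
    rejected = sum(1 for _, v in _words(buf, 0) if v >= ACCEPT_BOUND)
    return rejected / nwords


if __name__ == "__main__":
    seed = b"constructed example seed"      # constructed, not a real handshake value
    print("fixed 2048 bytes :", gen_a_fixed(seed, 2 * N) is not None)
    a, k = gen_a_extendable(seed, 2 * N)
    print("extendable       : %d coeffs after %d squeezes" % (len(a), k))
    print("rejection rate   : %.3f" % rejection_rate(seed, 8192))
```

With 2048 bytes the fixed variant holds exactly 1024 words, so any single rejection makes it fail; the extendable variant succeeds from the same seed on its second squeeze and produces the same polynomial a fixed 4096-byte buffer would, which is the property that makes "ask for more output" a safe alternative to a restart.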