[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Sat May 7 21:46:28 UTC 2016

On Sat, 2016-05-07 at 13:14 -0700, Watson Ladd wrote:
> I'm not sure I understand the concern here. An attacker sees that we
> got unlucky: that doesn't help them with recovering SEED under mild
> assumptions we need anyway about SHAKE indistinguishability.

We're assuming the adversary controls a node in your circuit and hence
sees your seed later.  You get unlucky like over 400 times, so, if they
can record enough of the failure pattern, then their node can recognize
you from your seed. 
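To illustrate the concern raised above, here is an added toy model (not code from the thread or from the NewHope proposal) of a seed expanded by SHAKE-128 with rejection sampling; the modulus q = 12289, the 5q rejection threshold, the coefficient count and the seed values are assumptions chosen for illustration. It shows that the "unlucky" rejection pattern is a deterministic function of the seed, so a party who recorded the pattern and later learns the seed can check whether the two match.

```python
import hashlib

Q = 12289            # NewHope-style modulus (assumed for this illustration)
REJECT_AT = 5 * Q    # 16-bit samples >= 5q are rejected (assumed parameter)
N = 1024             # number of coefficients to produce (assumed)


def expand(seed: bytes, n: int = N):
    """Expand `seed` into n coefficients by rejection sampling from SHAKE-128.

    Returns (coefficients, failures): `failures` is the list of positions in
    the XOF stream whose sample was rejected, i.e. the observable pattern of
    "unlucky" draws. The same seed always yields the same pattern.
    """
    # Request twice as many 16-bit samples as coefficients; at a ~6% rejection
    # rate that comfortably covers the retries.
    stream = hashlib.shake_128(seed).digest(4 * n)
    coeffs, failures = [], []
    i = 0
    while len(coeffs) < n:
        if 2 * i + 2 > len(stream):
            raise RuntimeError("XOF output exhausted")  # practically unreachable
        val = int.from_bytes(stream[2 * i:2 * i + 2], "little")
        if val >= REJECT_AT:
            failures.append(i)      # rejected sample: this is the "failure"
        else:
            coeffs.append(val % Q)
        i += 1
    return coeffs, failures


def can_link(observed_failures, candidate_seed: bytes) -> bool:
    """Would a party who recorded `observed_failures` and later sees
    `candidate_seed` be able to confirm the two belong together?"""
    return expand(candidate_seed)[1] == observed_failures


if __name__ == "__main__":
    seed = b"constructed-seed-A"          # constructed sample value
    _, pattern = expand(seed)
    print(len(pattern), "rejections; linkable:", can_link(pattern, seed))
```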

