[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
yawning at schwanenlied.me
Sat May 7 22:01:57 UTC 2016
On Sat, 07 May 2016 23:46:28 +0200
Jeff Burdges <burdges at gnunet.org> wrote:
> On Sat, 2016-05-07 at 13:14 -0700, Watson Ladd wrote:
> > I'm not sure I understand the concern here. An attacker sees that we
> > got unlucky: that doesn't help them with recovering SEED under mild
> > assumptions we need anyway about SHAKE indistinguishability.
> We're assuming the adversary controls a node in your circuit and hence
> sees your seed later. You get unlucky like over 400 times, so, if
> they can record enough of the failure pattern, then their node can
> recognize you from your seed.
Hmm? The timing information that's available to a local attacker
(how an adversary will be limited to just this information, and not
things that enable a strong attack on its own like packet timing,
escapes me) would be the total time taken for `a` generation.
So, the evil observer on Alice's side gets:
* The total number of samples (N).
Bob (or Eve) gets:
* The seed, which may correspond to something that required N samples.
I don't think there's much pattern information available to the
attacker on Alice's side, but I may be missing something...
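The quantity this message is about, modelled as an added example that is not part of the thread or of the Tor or NewHope code: the seed is expanded through SHAKE-128 by rejection sampling into the polynomial `a`, and the only thing a timing observer on Alice's side learns is the total number of 16-bit samples N that were consumed. The example reproduces that expansion and then estimates, over constructed test seeds, how many bits about the seed a single observation of N can carry. It assumes the published NewHope parameters (n = 1024, q = 12289, SHAKE-128 output parsed as little-endian 16-bit values, values at or above 5q rejected), which the message does not restate; the immediate reduction mod q, the chunk sizes and the deterministic seed derivation are simplifications of mine, so the output is not bit-identical to the reference implementation.

```python
"""Added example (not from the tor-dev thread): models NewHope's `a`
generation from a seed and measures how much the sample count N reveals."""
import hashlib
import math
from collections import Counter

# Published NewHope parameters (assumed here; the message does not restate them).
N_COEFFS = 1024
Q = 12289
REJECT_BOUND = 5 * Q            # 16-bit samples >= 5q are rejected
P_ACCEPT = REJECT_BOUND / 65536  # ~0.9376


def parse_a(seed: bytes):
    """Expand a 32-byte seed into the polynomial `a` by rejection sampling
    16-bit little-endian values from SHAKE-128(seed).

    Returns (coefficients, samples_consumed). The second value is the N of
    the thread: the one quantity a timing observer on Alice's side can learn.
    Reducing mod q immediately is a simplification of mine; the reference
    code keeps the raw value and reduces later.
    """
    if len(seed) != 32:
        raise ValueError("NewHope uses a 32-byte seed")
    out_len = 4 * N_COEFFS  # bytes; enough with overwhelming probability
    stream = hashlib.shake_128(seed).digest(out_len)
    coeffs, pos, samples = [], 0, 0
    while len(coeffs) < N_COEFFS:
        if pos + 2 > len(stream):  # the XOF is prefix-consistent: ask for more
            out_len *= 2
            stream = hashlib.shake_128(seed).digest(out_len)
        val = stream[pos] | (stream[pos + 1] << 8)
        pos += 2
        samples += 1
        if val < REJECT_BOUND:
            coeffs.append(val % Q)
    return coeffs, samples


def expected_samples() -> float:
    """Mean N: 1024 accepted coefficients at acceptance rate 5q / 2^16."""
    return N_COEFFS / P_ACCEPT


def sample_count_stats(num_seeds: int):
    """Parse num_seeds deterministic test seeds (constructed, not real
    handshake data) and return (mean_N, entropy_of_N_in_bits).

    The entropy estimates how many bits about the 256-bit seed one
    observation of N can leak; it is a property of the distribution of N,
    not of any particular seed."""
    counts = Counter()
    total = 0
    for i in range(num_seeds):
        seed = hashlib.sha256(b"tor-dev-newhope-example-%d" % i).digest()
        _, n = parse_a(seed)
        counts[n] += 1
        total += n
    entropy = -sum((c / num_seeds) * math.log2(c / num_seeds)
                   for c in counts.values())
    return total / num_seeds, entropy


if __name__ == "__main__":
    _, n0 = parse_a(bytes(32))
    print("N for the all-zero seed:", n0)
    mean_n, h = sample_count_stats(1000)
    print(f"mean N = {mean_n:.1f} (expected {expected_samples():.1f}), "
          f"entropy of N ~ {h:.2f} bits out of a 256-bit seed")
```

The rejection count is close to negative-binomial with about 1024 successes at a 6.2% rejection rate, so N has a standard deviation of roughly 8 or 9 samples; the empirical entropy lands near 5 bits, which is what a seed-holding Bob or Eve could at best correlate against per observed handshake, and then only if the observer can actually isolate `a` generation time from everything else on the wire.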