[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Yawning Angel yawning at schwanenlied.me
Sat May 7 22:01:57 UTC 2016

On Sat, 07 May 2016 23:46:28 +0200
Jeff Burdges <burdges at gnunet.org> wrote:

> On Sat, 2016-05-07 at 13:14 -0700, Watson Ladd wrote:
> > I'm not sure I understand the concern here. An attacker sees that we
> > got unlucky: that doesn't help them with recovering SEED under mild
> > assumptions we need anyway about SHAKE indistinguishability.  
> We're assuming the adversary controls a node in your circuit and hence
> sees your seed later.  You get unlucky like over 400 times, so, if
> they can record enough of the failure pattern, then their node can
> recognize you from your seed. 

Hmm?  The timing information that's available to a local attacker
(how an adversary will be limited to just this information, and not
things that enable a strong attack on its own like packet timing,
escapes me) would be the total time taken for `a` generation.

So, the evil observer on Alice's side gets:

 * The total number of samples (N).

Bob (or Eve) gets:

 * The seed, which may correspond to something that required N samples.

I don't think there's much pattern information available to the
attacker on Alice's side, but I may be missing something...


Yawning Angel
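To put a number on how much the observable N says about a seed, here is an added toy model (not code from the proposal or from the NewHope reference implementation): SHAKE-128 expansion of the seed followed by rejection sampling, with assumed parameters q = 12289, n = 1024 and a 14-bit mask, which returns the candidate count N that a timing observer on Alice's side would see and that anyone holding the seed can recompute, and then estimates the entropy of N over many constructed seeds.

```python
import hashlib
import math
from collections import Counter

# Constructed toy parameters in the spirit of NewHope's `a` generation.
# They are assumptions for this illustration, not the proposal's figures.
N_COEFFS = 1024   # number of polynomial coefficients to sample
Q = 12289         # modulus; candidates >= Q are rejected
MASK = 0x3FFF     # keep 14 bits of each 16-bit candidate


def gen_a_sample_count(seed: bytes) -> tuple:
    """Expand `seed` with SHAKE-128 and rejection-sample N_COEFFS uniform
    coefficients mod Q. Returns (coeffs, candidates_consumed); the second
    value is the N that the timing of `a` generation reveals on Alice's side
    and that anyone holding the seed (Bob, or Eve) can recompute exactly."""
    coeffs = []
    consumed = 0
    out_len = 2 * N_COEFFS
    # SHAKE is an XOF: asking for a longer digest only extends the same
    # byte stream, so growing the buffer never changes earlier candidates.
    buf = hashlib.shake_128(seed).digest(out_len)
    pos = 0
    while len(coeffs) < N_COEFFS:
        if pos + 2 > len(buf):
            out_len *= 2
            buf = hashlib.shake_128(seed).digest(out_len)
        val = (buf[pos] | (buf[pos + 1] << 8)) & MASK
        pos += 2
        consumed += 1
        if val < Q:
            coeffs.append(val)
    return coeffs, consumed


def count_leak_bits(num_seeds: int) -> float:
    """Estimate the identifying information in the observable N as the
    Shannon entropy (bits) of N over `num_seeds` distinct constructed seeds."""
    hist = Counter(gen_a_sample_count(i.to_bytes(4, "little"))[1]
                   for i in range(num_seeds))
    total = sum(hist.values())
    return -sum(c / total * math.log2(c / total) for c in hist.values())


if __name__ == "__main__":
    _, n = gen_a_sample_count(b"constructed example seed")
    print("candidates consumed for this seed:", n)
    print("approx. entropy of N over 500 seeds: %.2f bits" % count_leak_bits(500))
```

With these parameters N is roughly 1365 on average and spreads over a few dozen values, so a single observation carries on the order of six bits, which is the quantity the argument above turns on.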