[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

isis isis at torproject.org
Sun May 8 16:11:44 UTC 2016


Yawning Angel transcribed 2.2K bytes:
> On Fri, 6 May 2016 19:17:11 +0000
> isis <isis at torproject.org> wrote:
> >   Both parties check that none of the EXP() operations produced the
> > point at infinity. [NOTE: This is an adequate replacement for
> > checking Y for group membership, if the group is Curve25519.]
> > 
> >   [XXX: This doesn't sound exactly right. You need the scalar
> > tweaking of X25519 for this to work and also, the point at infinity
> > is obviously an element of the group --isis, peter]
> 
> Maybe reword this to specify that EXP() MUST include the check for all
> zero output as specified in RFC 7748.  It's what our current ntor
> implementation does here.

Thanks, good suggestion.  I've added it here:
https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=bcf8c60a

And removed the odd description w.r.t. "the Curve25519 group" here:
https://gitweb.torproject.org/user/isis/torspec.git/commit/?h=draft/newhope&id=d04f771f

FWIW, the original "Both parties check that none of the EXP() […] group is
Curve25519" sentence comes directly from the original NTor specification in
proposal #216, so we might consider making this change there:
https://gitweb.torproject.org/torspec.git/tree/proposals/216-ntor-handshake.txt#n99

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt