[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Sun May 8 20:55:12 UTC 2016

On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit
> scary
> (c.f. the §3 "Backdoors" part of the NewHope paper,

Oh wow.  That one is nasty. 

>  or Yawning's PoC of a
> backdoored NewHope handshake [0]).
> [0]:
> https://git.schwanenlied.me/yawning/newhope/src/nobus/newhope_nobus.go

I see.  The point is that being ambiguous about the security
requirements of the seed for `a` lets you sneak in a bad usage of it.

In some cases, I suppose both sides contributing to `a` might help them
know the other side is not backdoored, but that's not so relevant for
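As an added illustration of the public-seed design this thread contrasts with a secret-derived `a` (example code written for this page, not from the message above, from Tor, or from NewHope's own implementation): a SHAKE-128 expansion of a 32-byte seed into the polynomial `a`, following my reading of the NewHope paper's Parse step (n = 1024, q = 12289, 16-bit little-endian words rejected when at or above 5q, an assumption), with the seed's security requirements written down as an explicit contract instead of being left ambiguous.

```python
import hashlib
import os

N = 1024   # NewHope ring dimension
Q = 12289  # NewHope modulus
REJECT_BOUND = 5 * Q  # 16-bit words at or above this are discarded (assumed from the paper)

def gen_a(seed: bytes) -> list:
    """Expand a public seed into the polynomial a, coefficient by coefficient.

    Contract for `seed` (the requirement the thread says must not be left
    ambiguous): 32 bytes of fresh uniform randomness, generated per handshake
    and sent in the clear. It is NOT secret, and it must not be derived from
    the X25519 shared secret or any other value the peer cannot see.
    Because a is a deterministic public function of the seed, the peer can
    recompute it, and neither side gets to choose a's structure.
    """
    if len(seed) != 32:
        raise ValueError("seed must be exactly 32 bytes")
    coeffs = []
    consumed = 0
    chunk = 2 * N  # bytes of XOF output pulled per round
    while len(coeffs) < N:
        # SHAKE-128 output is prefix-consistent, so requesting a longer digest
        # and slicing off what was already used continues the same stream.
        stream = hashlib.shake_128(seed).digest(consumed + chunk)[consumed:]
        consumed += chunk
        for i in range(0, len(stream) - 1, 2):
            word = stream[i] | (stream[i + 1] << 8)  # little-endian uint16
            if word < REJECT_BOUND:  # rejection keeps coefficients uniform mod Q
                coeffs.append(word % Q)
                if len(coeffs) == N:
                    break
    return coeffs

def initiator_public_seed() -> bytes:
    """Honest initiator: fresh randomness for the seed, sent on the wire as-is."""
    return os.urandom(32)

def both_sides_agree(seed_on_wire: bytes) -> bool:
    """Responder recomputes a from the received seed; it must match the initiator's."""
    a_initiator = gen_a(seed_on_wire)
    a_responder = gen_a(seed_on_wire)
    return a_initiator == a_responder and len(a_responder) == N

if __name__ == "__main__":
    seed = initiator_public_seed()
    print("a derived from public seed, both sides agree:", both_sides_agree(seed))
```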

