[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
Jeff Burdges
burdges at gnunet.org
Sun May 8 20:55:12 UTC 2016
On Sun, 2016-05-08 at 13:15 +0000, isis wrote:
> Also, deriving `a` "somehow" from the shared X25519 secret is a bit scary
> (cf. the §3 "Backdoors" part of the NewHope paper,
Oh wow. That one is nasty.
> or Yawning's PoC of a backdoored NewHope handshake [0]).
>
> [0]: https://git.schwanenlied.me/yawning/newhope/src/nobus/newhope_nobus.go
I see. The point is that being ambiguous about the security requirements of
the seed for `a` lets you sneak in a bad usage of it elsewhere.
In some cases, I suppose both sides contributing to `a` might help them know
the other side is not backdoored, but that's not so relevant for Tor.
Jeff
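Added illustration (not part of the thread, the Tor proposal, or NewHope's reference code): the two points above, that the seed for `a` needs an explicit security requirement and that having both sides contribute to it leaves neither side free to pick `a`, in runnable Python. The 32-byte nonces, the `DOMAIN` label, the function names, and the SHAKE-128 rejection-sampling rule (16-bit chunks accepted below 5q and reduced mod q, with q = 12289 and n = 1024) are assumptions of this example; the receiving side recomputes `a` from the jointly derived seed and never accepts a polynomial handed to it directly.

```python
"""Deriving NewHope's public polynomial a from a seed both parties contribute to.

Added example, not the Tor proposal's or NewHope's own code. Parameter
parsing and message framing are assumptions made for illustration.
"""
import hashlib
import os
from typing import List

Q = 12289                        # NewHope modulus
N = 1024                         # NewHope polynomial degree
DOMAIN = b"newhope-a-seed-v0"    # hypothetical domain-separation label (assumption)


def expand_a(seed: bytes) -> List[int]:
    """Expand a 32-byte seed into the N coefficients of a with SHAKE-128.

    Rejection sampling on 16-bit little-endian chunks: a chunk is accepted
    if it is below 5*Q and then reduced mod Q, which keeps the result uniform
    in [0, Q). Because SHAKE output is prefix-consistent, re-squeezing a longer
    digest on the rare short run yields the same leading coefficients.
    """
    if len(seed) != 32:
        raise ValueError("seed must be 32 bytes")
    nbytes = 4 * N                       # ~2048 chunks, 1024 needed at ~94% acceptance
    while True:
        stream = hashlib.shake_128(seed).digest(nbytes)
        coeffs = []
        for i in range(0, len(stream) - 1, 2):
            v = stream[i] | (stream[i + 1] << 8)
            if v < 5 * Q:
                coeffs.append(v % Q)
                if len(coeffs) == N:
                    return coeffs
        nbytes *= 2                      # unlucky run: squeeze more and re-parse


def derive_seed(client_nonce: bytes, server_nonce: bytes) -> bytes:
    """Seed for a bound to both parties' fresh contributions.

    Neither side controls the SHA3-256 output, so neither can steer the seed
    toward an a with a structure only it knows how to exploit.
    """
    h = hashlib.sha3_256()
    h.update(DOMAIN)
    h.update(client_nonce)
    h.update(server_nonce)
    return h.digest()


def client_accepts(client_nonce: bytes, server_nonce: bytes,
                   a_from_server: List[int]) -> bool:
    """Client-side check: recompute a from the joint seed and compare.

    The polynomial the server transmits (or implies) is only accepted if it
    equals the expansion of the seed the client can derive itself.
    """
    seed = derive_seed(client_nonce, server_nonce)
    return expand_a(seed) == a_from_server


def honest_server_a(client_nonce: bytes, server_nonce: bytes) -> List[int]:
    """What a server that follows the derivation rule sends."""
    return expand_a(derive_seed(client_nonce, server_nonce))


def substituted_a(a_honest: List[int]) -> List[int]:
    """A server that quietly swaps in a polynomial of its own choosing.

    The substitution here is a one-coefficient change, constructed only to
    show that any a not reproducible from the joint seed is rejected.
    """
    a_bad = list(a_honest)
    a_bad[0] = (a_bad[0] + 1) % Q
    return a_bad


if __name__ == "__main__":
    c_nonce, s_nonce = os.urandom(32), os.urandom(32)
    a_ok = honest_server_a(c_nonce, s_nonce)
    a_bad = substituted_a(a_ok)
    print("honest a accepted:     ", client_accepts(c_nonce, s_nonce, a_ok))
    print("substituted a accepted:", client_accepts(c_nonce, s_nonce, a_bad))
```

The design point is that `a` itself never carries authority: the only thing the client trusts is its own recomputation from inputs it helped choose, so a peer that wants a backdoored `a` would have to find nonces whose SHA3-256 digest expands to it, which the hash makes infeasible.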