[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope
yawning at schwanenlied.me
Thu May 12 00:07:47 UTC 2016
My tinfoil hat went crinkle in the night, and I had an additional
thought here. Should we encrypt the `CLIENT_NEWHOPE` and
`SERVER_NEWHOPE` values using <AE construct of your choice> and
something derived from `EXP(Z,x)`/`EXP(X,z)`?

It doesn't have perfect forward secrecy (compromise of `z` would allow
the adversary to decrypt all previous ciphertexts), but it's better

CPU-wise it's 1 additional KDF call (assuming you squeeze out the
forward and return symmetric keys at once), 1 extra CSPRNG call (for
the IV), and 2 AE calls. And `len(IV) + len(Tag)` bytes of extra
traffic in each direction in terms of extra network overhead, both
of which I think are relatively cheap.

: Along with "I do this for basket2 for other reasons, and I think
it's a good idea even for tor".
: newhope public keys are "blatantly obvious" on the wire.
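The wrapping step the post sketches (an AE construct over the NewHope values, keyed from `EXP(Z,x)` on the client and `EXP(X,z)` on the server, with one KDF call yielding both direction keys), as an added Go example that is not part of the post, of tor, or of basket2. It assumes X25519 for the `EXP()` group, AES-GCM for the AE construct, a labelled SHA-256 in place of a real KDF, and placeholder bytes in place of actual NewHope public keys; the names `Keys`, `Exchange`, `Wrap`, `Unwrap` and `ExtraBytesPerDirection` are mine.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

const ExtraBytesPerDirection = 12 + 16 // the post's len(IV) + len(Tag), for AES-GCM
type Keys struct{ Fwd, Ret []byte }    // forward and return AE keys held by one side
// deriveKeys is the one extra KDF call: both AE keys are squeezed out of the
// DH secret at once (labelled SHA-256 stands in for a real KDF; an assumption).
func deriveKeys(secret []byte) Keys {
	f := sha256.Sum256(append([]byte("wrap-fwd:"), secret...))
	r := sha256.Sum256(append([]byte("wrap-ret:"), secret...))
	return Keys{Fwd: f[:], Ret: r[:]}
}
// Exchange is the DH step: the client keys off EXP(Z,x) (server long-term Z,
// client ephemeral x), the server off EXP(X,z); both end up with the same Keys.
func Exchange() (client, server Keys) {
	z, _ := ecdh.X25519().GenerateKey(rand.Reader) // (z, Z); CSPRNG errors skipped
	x, _ := ecdh.X25519().GenerateKey(rand.Reader) // (x, X)
	zx, _ := x.ECDH(z.PublicKey())                 // client: EXP(Z,x)
	xz, _ := z.ECDH(x.PublicKey())                 // server: EXP(X,z)
	return deriveKeys(zx), deriveKeys(xz)
}
// Wrap encrypts a NewHope public key under key with a fresh IV (the one extra
// CSPRNG call) and returns IV || ciphertext || tag.
func Wrap(key, pk []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return aead.Seal(iv, iv, pk, nil), nil
}
// Unwrap reverses Wrap; a modified IV, ciphertext or tag fails the tag check.
func Unwrap(key, wire []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	n := aead.NonceSize()
	if len(wire) < n+aead.Overhead() {
		return nil, errors.New("wrapped NewHope value too short")
	}
	return aead.Open(nil, wire[:n], wire[n:], nil)
}
```

Without the wrapping, the NewHope values are the one part of the handshake that stands out on the wire; with it, an observer sees IV, ciphertext and tag, all of which are uniformly random-looking.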