[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Yawning Angel yawning at schwanenlied.me
Thu May 12 00:07:47 UTC 2016


My tinfoil hat went crinkle in the night[0], and I had an additional
thought here. Should we encrypt the `CLIENT_NEWHOPE` and
`SERVER_NEWHOPE` values using <AE construct of your choice> and
something derived from `EXP(Z,x)`/`EXP(X,z)`?

It doesn't have perfect forward secrecy (compromise of `z` would allow
the adversary to decrypt all previous ciphertexts), but it's better
than nothing.

CPU-wise it's 1 additional KDF call (assuming you squeeze out the
forward and return symmetric keys at once), 1 extra CSPRNG call (for
the IV), and 2 AE calls. And `len(IV) + len(Tag)` bytes of extra
traffic in each direction in terms of extra network overhead, both
of which I think are relatively cheap.


Yawning Angel

[0]: Along with "I do this for basket2 for other reasons[1], and I think
it's a good idea even for tor".
[1]: newhope public keys are "blatantly obvious" on the wire.
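The wrapping step the post sketches, written out as an added Go example that is not part of this thread or of tor's code: both sides derive the forward and return AE keys from the curve25519 shared secret `EXP(Z,x)` (= `EXP(X,z)`) with one KDF call, then each NewHope public key crosses the wire as `nonce || ciphertext || tag` under AES-GCM, so the per-direction overhead is exactly `len(IV) + len(Tag)`. The HKDF labels, the AEAD choice, the helper names and the placeholder public-key sizes are assumptions of this example; real NewHope keys are not generated here, random bytes stand in for them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Per-direction overhead of the wrapping: one AES-GCM nonce plus one tag.
const (
	nonceLen = 12
	tagLen   = 16
	Overhead = nonceLen + tagLen
)

// hkdfExpandSHA256 is HKDF-Expand (RFC 5869) over an already extracted PRK,
// inlined so the example needs only the Go standard library.
func hkdfExpandSHA256(prk, info []byte, n int) []byte {
	var out, block []byte
	for counter := byte(1); len(out) < n; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(block)
		mac.Write(info)
		mac.Write([]byte{counter})
		block = mac.Sum(nil)
		out = append(out, block...)
	}
	return out[:n]
}

// DeriveWrapKeys squeezes the forward (client->server) and return
// (server->client) AE keys out of the DH shared secret in one KDF call.
// The salt and info labels are assumptions of this example.
func DeriveWrapKeys(shared []byte) (fwd, ret []byte) {
	extract := hmac.New(sha256.New, []byte("example-newhope-wrap-salt"))
	extract.Write(shared)
	okm := hkdfExpandSHA256(extract.Sum(nil), []byte("example-newhope-wrap-keys"), 64)
	return okm[:32], okm[32:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Wrap encrypts one NewHope public key as nonce || ciphertext || tag.
func Wrap(key, pk []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen) // the one extra CSPRNG call per direction
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, pk, nil), nil
}

// Unwrap recovers the public key and rejects any modified blob.
func Unwrap(key, blob []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < Overhead {
		return nil, errors.New("wrapped key too short")
	}
	return aead.Open(nil, blob[:nonceLen], blob[nonceLen:], nil)
}

// Result records what each side recovered and the wire cost of the wrapping.
type Result struct {
	ClientPKRecovered, ServerPKRecovered bool
	ExtraBytesPerDirection               int
}

// SimulateHandshake runs both sides: server long-term key z/Z, client
// ephemeral x/X, shared secret EXP(Z,x) on the client and EXP(X,z) on the
// server, then the two wrapped NewHope values. The inputs stand in for the
// real CLIENT_NEWHOPE and SERVER_NEWHOPE public keys.
func SimulateHandshake(clientNewHope, serverNewHope []byte) (Result, error) {
	curve := ecdh.X25519()
	z, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	x, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	clientShared, err := x.ECDH(z.PublicKey()) // EXP(Z,x)
	if err != nil {
		return Result{}, err
	}
	serverShared, err := z.ECDH(x.PublicKey()) // EXP(X,z)
	if err != nil {
		return Result{}, err
	}
	cFwd, cRet := DeriveWrapKeys(clientShared)
	sFwd, sRet := DeriveWrapKeys(serverShared)

	wrappedClient, err := Wrap(cFwd, clientNewHope)
	if err != nil {
		return Result{}, err
	}
	gotClient, err := Unwrap(sFwd, wrappedClient)
	if err != nil {
		return Result{}, err
	}
	wrappedServer, err := Wrap(sRet, serverNewHope)
	if err != nil {
		return Result{}, err
	}
	gotServer, err := Unwrap(cRet, wrappedServer)
	if err != nil {
		return Result{}, err
	}
	return Result{
		ClientPKRecovered:      bytes.Equal(gotClient, clientNewHope),
		ServerPKRecovered:      bytes.Equal(gotServer, serverNewHope),
		ExtraBytesPerDirection: len(wrappedClient) - len(clientNewHope),
	}, nil
}

func main() {
	// Constructed placeholder sizes; they are not the real NewHope key lengths.
	res, err := SimulateHandshake(make([]byte, 1024), make([]byte, 1024))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

Note what this buys and what it does not: a passive observer without `z` sees only AEAD ciphertext where the NewHope public key used to be, but anyone who later obtains `z` can recompute `EXP(X,z)` from the recorded `X` and unwrap every past exchange, which is the forward-secrecy caveat the post states.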