[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Thu May 12 12:18:41 UTC 2016

On Thu, 2016-05-12 at 11:17 +0000, Yawning Angel wrote:
> Well, if we move the handshake identifier inside the AE(AD) envelope,
> we can also add padding to normalize the handshake length at minimal
> extra CPU cost by adding a length field and some padding inside as
> well.
> It would remove some of the advantages of using algorithms with shorter
> keys (since it would result in more traffic on the wire than otherwise
> would have been), but handshakes will be indistinguishable to anyone
> but space aliens and the final destinations...

Is that even beneficial though?  

If we choose our post-quantum algorithm randomly from New Hope and SIDH,
and add random delays, then maybe an adversary has less information
about when a circuit build is progressing to the next hop, or when it's
actually being used? 

Is there some long delay between circuit build and first use that makes
anything done to obscure build useless? 
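
Added example, not part of the original message or of the proposal: the length normalization described in the quoted text (handshake identifier, length field and padding all inside the AE(AD) envelope), written in Go. The 2-byte ID and length fields, the 2048-byte frame, AES-GCM as a stand-in AEAD, the already-shared key and the payload size are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const FrameLen = 2048 // constructed size; must cover the largest handshake + 4

// SealHandshake returns nonce || ciphertext || tag, the same length for any payload.
func SealHandshake(aead cipher.AEAD, id uint16, payload []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil || len(payload) > FrameLen-4 {
		return nil, errors.New("no randomness or oversized payload")
	}
	frame := make([]byte, FrameLen) // zero-filled: the unused tail is the padding
	binary.BigEndian.PutUint16(frame[0:2], id)                   // handshake ID (assumed 2 bytes)
	binary.BigEndian.PutUint16(frame[2:4], uint16(len(payload))) // length field (assumed 2 bytes)
	copy(frame[4:], payload)
	return aead.Seal(nonce, nonce, frame, nil), nil
}

// OpenHandshake authenticates the envelope before trusting the length field.
func OpenHandshake(aead cipher.AEAD, sealed []byte) (uint16, []byte, error) {
	ns := aead.NonceSize()
	if len(sealed) != ns+FrameLen+aead.Overhead() {
		return 0, nil, errors.New("wrong envelope size")
	}
	frame, err := aead.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return 0, nil, err
	}
	n := int(binary.BigEndian.Uint16(frame[2:4]))
	if n > FrameLen-4 {
		return 0, nil, errors.New("length field exceeds frame")
	}
	return binary.BigEndian.Uint16(frame[0:2]), frame[4 : 4+n], nil
}

func main() {
	block, _ := aes.NewCipher(make([]byte, 32)) // constructed all-zero demo key
	aead, _ := cipher.NewGCM(block)
	sealed, _ := SealHandshake(aead, 1, make([]byte, 500)) // constructed payload
	fmt.Println(len(sealed))                                // nonce + FrameLen + tag
}
```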

