[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Peter Schwabe peter at cryptojedi.org
Thu May 12 13:54:11 UTC 2016

Yawning Angel <yawning at schwanenlied.me> wrote:

Hi Yawning,

Thanks for the more detailed description; I think I understand now what
you're saying. I also agree that the cost is small (only some extra
symmetric stuff happening). 

I don't like the use of AES-GCM as an authenticated-encryption
algorithm, but as far as I understand, AEAD is a completely separate
discussion within Tor and this would be replaced by whatever that
discussion's outcome is?

> Correct.  In a post quantum world, this is totally pointless,
> especially since `Z` is publicly available from the microdescriptors,
> but in the mean time it's extra authenticated, and extra sekrit.

Can you describe a pre-quantum attacker who breaks the non-modified key
exchange and does not, with essentially the same resources, break the
modified key exchange? I'm not opposed to your idea, but it adds a bit
of complexity and I would like to understand what precisely the benefit

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160512/39cf59a0/attachment.sig>

More information about the tor-dev mailing list