[tor-dev] [proposal] Post-Quantum Secure Hybrid Handshake Based on NewHope

Jeff Burdges burdges at gnunet.org
Thu May 12 18:31:56 UTC 2016

On Thu, 2016-05-12 at 15:54 +0200, Peter Schwabe wrote:
> Can you describe a pre-quantum attacker who breaks the non-modified
> key exchange and does not, with essentially the same resources, break
> the modified key exchange? I'm not opposed to your idea, but it adds a
> bit of complexity and I would like to understand what precisely the
> benefit is.

Assuming I understand what Yawning wrote:

It's about metadata leakage, not actual breaks.

If Tor were randomly selecting amongst multiple post-quantum algorithms,
then a malicious node potentially learns more information about the
user's Tor by observing the type of the subsequent node's handshake.

In particular, if there is a proliferation of post-quantum choices, then
it sounds very slightly more dangerous to allow users to configure what
post-quantum algorithms they use without Yawning's change.


p.s. As an extreme example, there is my up-thread comment refuting the
idea of using Sphinx-like packets with Ring-LWE.

I asked: Why can't we send two polynomials (a,A) and mutate them
together with a second Ring-LWE-like operation for each hop?  It's
linear bandwidth in the number of hops as opposed to quadratic
bandwidth, which saves 2-4k up in Tor's case and maybe keeps nodes from
knowing quite as much about their position.

Answer: If you do that, it forces the whole protocol's anonymity to
rest on the Ring-LWE assumption, so it's no longer a hybrid protocol for
anonymity, even though cryptographically it remains hybrid.
