[tor-dev] Post-quantum proposals #269 and #270

isis agora lovecruft isis at torproject.org
Thu Sep 8 23:39:32 UTC 2016 

isis agora lovecruft transcribed 8.6K bytes:
> For the repeated suggestion of SIDH, [3] I expect we'll soon see concrete
> details and improvements to the attacks mentioned in (and which they establish
> "direct validation" measures to defend against in §9 of) "Efficient algorithms
> for supersingular isogeny Diffie-Hellman" by Craig Costello, Patrick Longa,
> and Michael Naehrig. [4]  E.g. if an adversary sends a supersingular curve E
> and linearly independent points P and Q, such that Bob calculates an isogeny
> ɸ: E → E' with small-degree, there could potentially be ways to utilise the
> kernel of the isogeny from one handshake to learn information about the shared
> j-invariant computed in another handshake.  Side note: it's a mystery to me
> why the NSA and the Microsoft Research teams are jumping through hoops to
> validate public SIDH keys, when they could just have the requirement that the
> keys must be ephemeral (at the cost of some efficiency).  Basically, there's a
> whole bunch of swinging axes, poison darts, rolling boulders, and various
> other death traps and doom which come into play when you take a random
> elliptic curve as your key, and I expect another ten years of papers which
> slowly work to enumerate all of them.

Recently, a pre-print was submitted to eprint, and accepted to ASIACRYPT 2016:
"On the Security of Supersingular Isogeny Cryptosystems" by Galbraith, Petit,
Shani, and Ti. [0]  The problems with reuse of non-ephemeral isogenies reused
across SIDH key exchanges are potentially greater than previously realised,
with attacks recovering the entire j-invariant.

"Our third contribution is to give a reduction that uses partial knowledge of
shared keys to determine an entire shared key. This can be used to retrieve
the secret key, given information leaked from a side-channel attack on the key
exchange protocol. A corollary of this work is the first bit security result
for the supersingular isogeny key exchange: Computing any component of the
j-invariant is as hard as computing the whole j-invariant."

Please stop suggesting that Tor use SIDH.  It's a fascinating and new field of
research, with emphasis on new.  It's not ready for use yet.

[0]: https://eprint.iacr.org/2016/859

Best regards,
-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35
Current Keys: https://fyb.patternsinthevoid.net/isis.txt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 1240 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20160908/8f32ebaa/attachment.sig>

More information about the tor-dev mailing list