[tor-dev] PQ crypto updates

Taylor R Campbell campbell+tor-dev at mumble.net
Sun Aug 20 16:32:17 UTC 2017

> Date: Sat, 19 Aug 2017 06:55:29 +0000
> From: Yawning Angel <yawning at schwanenlied.me>
> On Sat, 19 Aug 2017 04:11:16 -0000
> bancfc at openmailbox.org wrote:
> > Boom headshot! AEZ is dead in the water post quantum:
> > 
> > Paper name: Quantum Key-Recovery on full AEZ
> > 
> > https://eprint.iacr.org/2017/767.pdf
> ...  I'm not seeing your point.  Even prior to that paper, AEZ wasn't
> thought to be quantum resistant in anyway shape or form, and providing
> quantum resistance wasn't part of the design goals of the primitive, or
> really why it was being considered at one point for use in Tor.

I would expect AEZ to have essentially the same post-quantum security
as, e.g., AES or any other symmetric crypto -- square root speedup by

However, this paper is not about the conventional notion of
post-quantum security -- what is the cost, to an adversary with large
a quantum computer, of breaking ordinary users of the cryptosystem? --
but a radically different notion of security for users who
inexplicably choose evaluate AEZ in a quantum superposition of inputs
and reveal that superposition to an adversary.

It is not surprising that when users abuse their crypto primitives in
an astoundingly bizarre way, to reveal quantum superpositions of
outputs, the original security claims of the classical crypto
primitives go flying out the window!

More information about the tor-dev mailing list