[tor-dev] PQ crypto updates

Yawning Angel yawning at schwanenlied.me
Sun Aug 20 19:45:32 UTC 2017

On Sun, 20 Aug 2017 16:32:17 +0000
Taylor R Campbell <campbell+tor-dev at mumble.net> wrote:
> > ...  I'm not seeing your point.  Even prior to that paper, AEZ
> > wasn't thought to be quantum resistant in anyway shape or form, and
> > providing quantum resistance wasn't part of the design goals of the
> > primitive, or really why it was being considered at one point for
> > use in Tor.  
> I would expect AEZ to have essentially the same post-quantum security
> as, e.g., AES or any other symmetric crypto -- square root speedup by
> Grover.

Yes and?

My point was that quantum speedups that existed prior to the
paper alone, were sufficient to render the primitive insecure in a
post quantum setting.

Something that's broken being more broken is non-interesting, in
particular when the impetus for even considering the something (as is
the case for AEZ and Tor), had nothing to do with PQ cryptography in the
first place.

> However, this paper is not about the conventional notion of
> post-quantum security -- what is the cost, to an adversary with large
> a quantum computer, of breaking ordinary users of the cryptosystem? --
> but a radically different notion of security for users who
> inexplicably choose evaluate AEZ in a quantum superposition of inputs
> and reveal that superposition to an adversary.

Believe it or not, I did read the paper.

> It is not surprising that when users abuse their crypto primitives in
> an astoundingly bizarre way, to reveal quantum superpositions of
> outputs, the original security claims of the classical crypto
> primitives go flying out the window!

I'm having trouble parsing that, perhaps my English is failing me.

Ultimately none of this matters because Prop. 261 is dead in the
water.  Assuming people want the new cell crypto to be both fragile and
to resist tagging attacks, Farfalle may be a better choice, assuming
there's a Keccak-p parameterization such that it gives adequate


Yawning Angel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20170820/f4dbc88c/attachment.sig>

More information about the tor-dev mailing list