[tor-talk] Post Quantum Tor

Nick Mathewson nickm at torproject.org
Sun May 27 14:20:33 UTC 2018


For current work on postquantum handshake support in Tor, see
proposals 263, 269, 270, and ticket #24985.

A digression:

Personally, I don't agree that the evidence is so convincing about the
NSA being able to break 256-bit ECDSA today: if they have it, then
they'd treat it as a big secret, and not go around cagily implying
that they had it.  When they brag publicly about their capabilities,
they're usually not doing so in order to advertise secret advances
that the world doesn't know about.

Of course, by the same argument, we don't have much evidence that
there *aren't* scalable quantum computers today.  If somebody has one,
it makes sense that they would be keeping quiet about it.

And even if there aren't large-scale quantum computers today, we need
to keep in mind that any future such quantum computer would be able to
decrypt today's traffic.

So I think the sensible thing to do is to be cautious, and work under
the assumption that we'll need to move our key exchange to a PQ
handshake, according to something like the proposals above.

cheers,
-- 
Nick
