wiki:org/meetings/2017Amsterdam/Notes/PQCrypto

Post-Quantum Cryptography

Handshake methods to chose from - Newhope - lattice based, (prop 270) Newhope simple - without reconcilation vectors Kyber - ring/module learning with errors

Nick has proposal for large create cells, no mechanism so far for extending cells. e.g. newhope about 2k cell size needed.

quantum protection important for people wanting to keep secrets for a while in the future. For this reason authentication less relevant cause needs man in the middle instant attack.

only adding protections not replacing, so things will not become *less* secure.

Isis looked at signature schemes based on SIDH/Lattice (super-singular isogeny DH, computing some shared j-invariant), seems impractical at the moment, recent works decrease message size at expense of computation time.

Hash-based signatures? Might be interesting to look at. Not clear if can use a stateful scheme, perhaps hybrid scheme - assume that its stateful, if state lost, recover part of it by looking at subtree.

For signing onion keys/descriptors there should be a record of state.

Have merkle tree of keys each key can do one signautre, everybody knows my root.

Hash-based schemes are "GCHQ approved". GCHQ also says lattice schemes promising for encryption, not clear for other stuff.

Isis started making modular schemes, where it should be easy to play with new key exchange.

Tor was concerened about linux not including elliptic curve stuff,

There is a rust implementation of new hope, though not same as published version.

No public impelmentation of new hope simple, but would require only small tweak.

Lattice implementations should not be hard to make sidechannel resistant. In beginning have to make random polynomial, the tossing might give information about people. Solution: oversample and throw in sorting network.

Currently been aiming for 256 bit security, so things like Grover leave at least 128.

Nick sayed he wanted post-quantum key agreement within a year.

propoal 264 - a way to signal which versions you speak. Will require to use postquantum from clients who will have it installed.

Partitioning attacks - observe from exit node if someone has postquantum turned on, make sure at least 20% have it before using it (as default?)

Things that need to be done before pq added: prop 269,

Isis says nice if someone will implement SIDH just to show how slloowww it issss same perhaps for other postquantum handshakes.

SIDH key size 300-700 bytes, but computation cost exteremely high lattice based faster, but 2k keys.

Secruity of lattice based on ring lwe assumptions.

SIDH - can only use your key once. lattice based schemes have negligible chance of not reaching key agreement.

Look at schemes based on quai-cyclic/diadic codes? Have keylengths comparable to RSA.

Last modified 10 months ago Last modified on Apr 1, 2017, 2:29:56 AM