<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Mon, Jan 26, 2015 at 3:54 AM, Michael Rogers <span dir="ltr"><<a href="mailto:michael@briarproject.org" target="_blank">michael@briarproject.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">A hybrid of ring-LWE and ECDH has also been proposed for Tor, with the<br>
goal of maintaining forward secrecy of current traffic against future<br>
quantum computers</blockquote><div><br></div><div>This is the most interesting approach I've heard (and by that I mean I've heard it before but...):</div><div><br></div><div>1) Use an existing, uncontroversial key-exchange protocol (e.g. X25519)</div><div>2) Also use a post-quantum key-exchange protocol</div><div><br></div><div>When you're done, combine both results together (e.g. as KDF input)</div><div><br></div><div>The resulting combination, if done correctly, should be at least as strong as the strongest of the "pre-quantum" and "post-quantum" key exchange methods. </div></div><div><br></div>-- <br><div class="gmail_signature">Tony Arcieri<br></div>
</div></div>