[messaging] Do quantum attacks/algos also lead to compromise of PFS?

William Whyte wwhyte at securityinnovation.com
Tue Jan 27 06:58:00 PST 2015

We at Security Innovation presented a similar proposal for ntor with
additional NTRU-based key exchange at the ETSI Post Quantum Crypto
Workshop back in October, along with a proof of this "at least as
strong as the stronger algorithm" property (though the attack model is
fiddly). Seems like a natural approach and one that can potentially be
ported to TLS. One nice thing about fitting it into the ntor protocol
is that the more expensive operations (key gen and decryption)
naturally end up being performed by the client, reducing the
additional cost on the server.



On Mon, Jan 26, 2015 at 10:38 PM, Tony Arcieri <bascule at gmail.com> wrote:
> On Mon, Jan 26, 2015 at 3:54 AM, Michael Rogers <michael at briarproject.org>
> wrote:
>> A hybrid of ring-LWE and ECDH has also been proposed for Tor, with the
>> goal of maintaining forward secrecy of current traffic against future
>> quantum computers
> This is the most interesting approach I've heard (and by that I mean I've
> heard it before but...):
> 1) Use an existing, uncontroversial key-exchange protocol (e.g. X25519)
> 2) Also use a post-quantum key-exchange protocol
> When you're done, combine both results together (e.g. as KDF input)
> The resulting combination, if done correctly, should be at least as strong
> as the strongest of the "pre-quantum" and "post-quantum" key exchange
> methods.
> --
> Tony Arcieri
> _______________________________________________
> Messaging mailing list
> Messaging at moderncrypto.org
> https://moderncrypto.org/mailman/listinfo/messaging

More information about the Messaging mailing list