[noise] Post-Quantum Noise with New Hope

Rhys Weatherley rhys.weatherley at gmail.com
Fri Jul 15 00:33:10 PDT 2016

New Hope [1] seems to be the latest "it" PQ scheme, with Google
investigating adding it to TLS.  So I did a little digging and

New Hope only supports ephemeral keys, so the only handshake pattern it can
work with is "NN", but that would be sufficient to run a "Noise_NN_NewHope"
handshake inside a regular "Noise_XX_25519" handshake.  The two could be
combined by generating a resumption PSK on the "Noise_NN_NewHope" handshake
and passing it as an SSK to the regular handshake's Split() call.

I've put the details on the method on the wiki [2], and have modified
Noise-C [3] to include "NewHope" as a new Diffie-Hellman algorithm to
demonstrate the concept.

There are some wrinkles to supporting New Hope that are different than
regular DH schemes due to its "unbalanced" nature but it ended up being
easier to integrate than I had first thought.



[1] https://eprint.iacr.org/2015/1092
[3] https://github.com/rweather/noise-c
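
Added example (not part of the original post, and not Noise-C code): a sketch of the final combining step described above, where the secret from the inner "Noise_NN_NewHope" handshake is handed to the outer handshake's Split() as an SSK. It assumes SHA-256, the Noise HMAC-based HKDF, and that Split() uses the SSK as the HKDF input in place of the zero-length value; the chaining key and PSK are constructed placeholders, and how the resumption PSK itself is derived is not shown.

```python
import hashlib
import hmac

KEYLEN = 32  # Noise symmetric keys and SHA-256 outputs are both 32 bytes


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def noise_hkdf(chaining_key: bytes, ikm: bytes):
    """Noise's two-output HKDF: HMAC chain keyed by the chaining key."""
    temp_key = _hmac(chaining_key, ikm)
    out1 = _hmac(temp_key, b"\x01")
    out2 = _hmac(temp_key, out1 + b"\x02")
    return out1, out2


def split(chaining_key: bytes, ssk: bytes = b""):
    """Derive the two transport keys (initiator->responder, responder->initiator).

    Assumption: an SSK, when supplied, replaces the zero-length HKDF input.
    """
    if len(chaining_key) != KEYLEN:
        raise ValueError("chaining key must be 32 bytes")
    if ssk and len(ssk) != KEYLEN:
        raise ValueError("SSK must be empty or exactly 32 bytes")
    return noise_hkdf(chaining_key, ssk)


# Constructed placeholders standing in for real handshake outputs.
OUTER_CK = hashlib.sha256(b"constructed Noise_XX_25519 chaining key").digest()
NEWHOPE_PSK = hashlib.sha256(b"constructed Noise_NN_NewHope resumption PSK").digest()


def demo():
    """Compare what each party and a partial-knowledge attacker can derive."""
    initiator = split(OUTER_CK, NEWHOPE_PSK)
    responder = split(OUTER_CK, NEWHOPE_PSK)
    # Attacker who later recovers the 25519-derived chaining key only.
    attacker = split(OUTER_CK)
    return {
        "peers_agree": initiator == responder,
        "attacker_matches": attacker == initiator,
    }


if __name__ == "__main__":
    print(demo())
```

The transport keys depend on both inputs, so recovering the outer chaining key alone does not yield them.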