[noise] Post Quantum SIDHp751 with Noise

Rhys Weatherley rhys.weatherley at gmail.com
Sun Jul 24 12:34:11 PDT 2016

On Mon, Jul 25, 2016 at 1:33 AM, Trevor Perrin <trevp at trevp.net> wrote:

> The fact that SIDH key pairs are generated specifically for either the
> "Alice" or "Bob" role is an interesting twist.  You make a good observation
> that Noise with SIDH could still support all patterns if each party has a
> doubled static "keypair" that contains both "Alice" and "Bob" SIDH
> keypairs, and uses one or the other, as needed.
> At the PETS conference I talked with Peter Schwabe, Isis, and others about
> PQ key exchange, and Peter mentioned this same idea (attributing it to MSR).

I'm sure I wasn't the first to think of it.

> Your proposed spec extensions make sense, but the Alice and Bob labelling
> seems somewhat specific to SIDH, so there's a question whether extensions
> like this should be:
>  (a) integrated into the main pseudocode in the main spec
>  (b) described in a separate section of the main spec (like PSK or SSK)
>  (c) described in a separate extension document
> I lean away from (a) because I worry the spec is already too long.  I
> think Noise is fundamentally simple, but it will help people appreciate
> that simplicity if we cordon off new concepts (like "Alice" and "Bob"
> labelling) into a separate section - or, probably better, a separate
> document.

Agreed.  Either an Appendix or a separate document for "post-quantum
extension" is fine by me.  We already have cases where we say later "the
definition changes in this way": PSK's alter the core definition of
Initialize() and the "e" token, and SSK's alter the core definition of
Split(), for example.

I think the only part we need to put in the main specification is the
details of token doubling.  What does "Alg1+Alg2" mean for the definitions
of the tokens?  As I said in a previous thread, "25519+448" would work as a
forward secrecy strengthener so we don't need any extra algorithms to
demonstrate how the tokens will work when doubled.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20160725/4d342065/attachment.html>

More information about the Noise mailing list