We at Security Innovation presented a similar proposal for ntor with additional NTRU-based key exchange at the ETSI Post Quantum Crypto Workshop back in October, along with a proof of this "at least as strong as the stronger algorithm" property (though the attack model is fiddly). Seems like a natural approach and one that can potentially be ported to TLS. One nice thing about fitting it into the ntor protocol is that the more expensive operations (key gen and decryption) naturally end up being performed by the client, reducing the additional cost on the server.
Cheers, William On Mon, Jan 26, 2015 at 10:38 PM, Tony Arcieri <[email protected]> wrote: > On Mon, Jan 26, 2015 at 3:54 AM, Michael Rogers <[email protected]> > wrote: >> >> A hybrid of ring-LWE and ECDH has also been proposed for Tor, with the >> goal of maintaining forward secrecy of current traffic against future >> quantum computers > > > This is the most interesting approach I've heard (and by that I mean I've > heard it before but...): > > 1) Use an existing, uncontroversial key-exchange protocol (e.g. X25519) > 2) Also use a post-quantum key-exchange protocol > > When you're done, combine both results together (e.g. as KDF input) > > The resulting combination, if done correctly, should be at least as strong > as the strongest of the "pre-quantum" and "post-quantum" key exchange > methods. > > -- > Tony Arcieri > > _______________________________________________ > Messaging mailing list > [email protected] > https://moderncrypto.org/mailman/listinfo/messaging > _______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
