On Fri, 2016-01-01 at 11:14 +0000, Yawning Angel wrote:
> On Thu, 31 Dec 2015 20:51:43 +0000 isis <isis@torproject.org> wrote:
> [snip]
> > I feel like there needs to be some new terminology here. It's certainly not post-quantum secure, but "quantum-safe" doesn't seem right either, because it's exactly the point at which the adversary gains appropriate quantum computational capabilities that it becomes *unsafe*. If I may, I suggest calling it "pre-quantum secure". :)
>
> Post-quantum forward-secrecy is what I've been using to describe this property.
Isn't that using "forward security" to denote a weakening when it usually denotes a strengthening?
> I personally don't think that any of the PQ signature schemes are usable for us right now, because the smallest key size for an algorithm that isn't known to be broken is ~1 KiB (SPHINCS256), and we probably can't afford to bloat our descriptors/micro-descriptors that much.
Did you mean to talk about the 41ish kb signature here?
I dunno that you'll ever beat that 1kb key size with a post-quantum system. There is a lattice based signature scheme and an isogeny based scheme that'll both beat SPHINCS on signature sizes, but I think not so much on key size.
Jeff
p.s. I'd imagine that key size might come from the public key itself proving that it's a SPHINCS public key or doing a simple initial signature or something. If you didn't care during storage that the key is really a key, or what it's good for, then a 256 bit fingerprint of a SPHINCS public key would be as good as a SPHINCS public key itself, right? It's dubious that Tor, or anyone really, could use fingerprints in such a context-free way though.
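The fingerprint indirection floated in the postscript, as an added example that is not part of the thread and not Tor code: the stored object (a descriptor, say) keeps only a 256-bit hash of the public key, and the full key is delivered later alongside the signature, where the verifier checks it against the stored fingerprint before trusting it. SPHINCS is not in the Python standard library, so a Lamport one-time signature (another hash-based scheme, built from SHA-256 only) stands in for it; its key and signature sizes are therefore not the SPHINCS-256 figures discussed above. All function names and the sample message are constructed for this example.

```python
"""Fingerprint indirection for a hash-based signature scheme (example, not Tor code).

Lamport OTS stands in for SPHINCS: both are hash-based, but Lamport keys may be
used once and its sizes (16 KiB key, 8 KiB signature) differ from SPHINCS-256.
"""
import hashlib
import hmac
import secrets

N = 32  # SHA-256 output length in bytes; message digest is 8*N = 256 bits


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(rng=secrets.token_bytes):
    """Secret key: 256 pairs of random 32-byte preimages.
    Public key: SHA-256 of each preimage, concatenated (2 * 256 * 32 = 16384 bytes)."""
    sk = [(rng(N), rng(N)) for _ in range(8 * N)]
    pk = b"".join(H(s0) + H(s1) for s0, s1 in sk)
    return sk, pk


def lamport_sign(sk, msg: bytes) -> bytes:
    """Reveal, for each digest bit, the preimage selected by that bit (256 * 32 bytes)."""
    digest = H(msg)
    parts = []
    for i in range(8 * N):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        parts.append(sk[i][bit])
    return b"".join(parts)


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Hash each revealed preimage and compare with the public-key slot chosen by the bit."""
    if len(pk) != 2 * 8 * N * N or len(sig) != 8 * N * N:
        return False
    digest = H(msg)
    for i in range(8 * N):
        bit = (digest[i // 8] >> (7 - i % 8)) & 1
        revealed = sig[i * N:(i + 1) * N]
        expected = pk[(2 * i + bit) * N:(2 * i + bit + 1) * N]
        if not hmac.compare_digest(H(revealed), expected):
            return False
    return True


def fingerprint(pk: bytes) -> bytes:
    """The 256-bit value that would be stored in place of the full key."""
    return H(pk)


def verify_with_fingerprint(stored_fpr: bytes, pk: bytes, msg: bytes, sig: bytes) -> bool:
    """Verifier holds only the fingerprint; the full key arrives with the signature.
    Collision resistance of SHA-256 is what makes the fingerprint 'as good as' the key."""
    if not hmac.compare_digest(fingerprint(pk), stored_fpr):
        return False
    return lamport_verify(pk, msg, sig)


def demo():
    sk, pk = lamport_keygen()
    fpr = fingerprint(pk)  # this is all the "descriptor" needs to store
    msg = b"constructed sample: descriptor body to be signed"
    sig = lamport_sign(sk, msg)
    sizes = {"public_key": len(pk), "signature": len(sig), "fingerprint": len(fpr)}
    ok = verify_with_fingerprint(fpr, pk, msg, sig)
    _, other_pk = lamport_keygen()  # a substituted key fails the fingerprint check
    wrong_key = verify_with_fingerprint(fpr, other_pk, msg, sig)
    tampered = verify_with_fingerprint(fpr, pk, msg + b"x", sig)
    return sizes, ok, wrong_key, tampered


if __name__ == "__main__":
    print(demo())
```

The size dictionary makes the trade-off concrete: the stored fingerprint is 32 bytes regardless of how large the key is, but the key must then be shipped with every signature, so the bloat moves from the stored object to the signed message rather than disappearing.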