Yawning Angel yawning@schwanenlied.me wrote:
Hi Yawning,
Thanks for the more detailed description; I think I understand now what you're saying. I also agree that the cost is small (only some extra symmetric stuff happening).
I don't like the use of AES-GCM as an authenticated-encryption algorithm, but as far as I understand, AEAD is a completely separate discussion within Tor and this would be replaced by whatever that discussion's outcome is?
Correct. In a post quantum world, this is totally pointless, especially since `Z` is publicly available from the microdescriptors, but in the mean time it's extra authenticated, and extra sekrit.
Can you describe a pre-quantum attacker who breaks the non-modified key exchange and does not, with essentially the same resources, break the modified key exchange? I'm not opposed to your idea, but it adds a bit of complexity and I would like to understand what precisely the benefit is.
Best regards,
Peter