Yawning Angel wrote:
Hi Yawning, hi all,
> Note, I'm not hating on Farfalle, I need to look at it more, and the
> last time I gave serious thought to this question in a Tor context was
> back around the time Prop 261 was being drafted.
>
> The answer to this from my point of view is "not slow
Yawning Angel wrote:
Hi Yawning, hi all,
> Ultimately none of this matters because Prop. 261 is dead in the
> water. Assuming people want the new cell crypto to be both fragile and
> to resist tagging attacks, Farfalle may be a better choice, assuming
> there's a Keccak-p parameterization such
Zhenfei Zhang wrote:
> Hi Peter,
Hi Zhenfei, hi all,
> We are working on a constant-time implementation of NTRU. We expect to
> release the source code this summer.
That's great news! Any thoughts on the license? Can you place it into
the public domain?
> However, as far as I know, timing attacks
ban...@openmailbox.org wrote:
Hi all,
> Some great developments in lattice-based crypto. DJB just released a paper
> on NTRU Prime:
Let me just also throw in my 2 cents:
As far as I can tell, there are now 5 approaches to post-quantum key
exchange that are discussed (or at least have surfaced)
lukep wrote:
Hi lukep, hi all,
> You may want to get more drinks in - there's a new eprint on IACR archive
> that's claiming a faster generation of 'a' using the 5q / 16 bit trick:
> https://eprint.iacr.org/2016/467.pdf
I know, I have been in contact with the authors and I think that we will
wa
Yawning Angel wrote:
Hi Yawning,
Thanks for the more detailed description; I think I understand now what
you're saying. I also agree that the cost is small (only some extra
symmetric stuff happening).
I don't like the use of AES-GCM as an authenticated-encryption
algorithm, but as far as I und
isis wrote:
Hi all,
> Nope, it would still not work to fix the timing attack. Although, luckily, we
> already wrote some constant time code for my sorting-network idea, and then,
> with some coffee, Peter made it faster. (Give us something stronger to drink,
> and we'll probably come up with a
isis wrote:
Hi all,
> I haven't given it much thought yet, but the performance cost to making
> polynomial initialisation constant time may not actually be so bad. My naïve,
> I'm-still-finishing-my-breakfast solution would be to oversample (say 2048
> uint16_ts) from SHAKE-128, shove them into