Cryptology ePrint Archive: Report 2015/287

Circuit-extension handshakes for Tor achieving forward secrecy in a quantum world

John M. Schanck and William Whyte and Zhenfei Zhang

Abstract: We propose a circuit extension handshake for Tor that is forward secure against adversaries who gain quantum computing capabilities after session negotiation. In doing so, we refine the notion of an authenticated and confidential channel establishment (ACCE) protocol and define pre-quantum, transitional, and post-quantum ACCE security. These new definitions reflect the types of adversaries that a protocol might be designed to resist. We prove that, with some small modifications, the currently deployed Tor circuit extension handshake, ntor, provides pre-quantum ACCE security. We then prove that our new protocol, when instantiated with a post-quantum key encapsulation mechanism, achieves the stronger notion of transitional ACCE security. Finally, we instantiate our protocol with NTRUEncrypt and provide a performance comparison between ntor, our proposal, and the recent design of Ghosh and Kate.

Category / Keywords: cryptographic protocols, Tor, key agreement, post-quantum

Original Publication (in the same form): Proceedings on Privacy Enhancing Technologies

Date: received 26 Mar 2015, last revised 13 Jun 2016

Contact author: jschanck at securityinnovation com

Available format(s): PDF | BibTeX Citation

Version: 20160613:171621 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]