For current work on postquantum handshake support in Tor, see proposals 263, 269, 270, and ticket #24985.
A digression: Personally, I don't agree that the evidence is so convincing about the NSA being able to break 256-bit ECDSA today: if they have it, then they'd treat it as a big secret, and not go around cagily implying that they had it. When they brag publicly about their capabilities, they're usually not doing so in order to advertise secret advances that the world doesn't know about.

Of course, by the same argument, we don't have much evidence that there *aren't* scalable quantum computers today. If somebody has one, it makes sense that they would be keeping quiet about it. And even if there aren't large-scale quantum computers today, we need to keep in mind that any future such quantum computer would be able to decrypt today's traffic.

So I think the sensible thing to do is to be cautious, and work under the assumption that we'll need to move our key exchange to a PQ handshake, according to something like the proposals above.

cheers,
-- 
Nick