Closed Kreyren closed 2 weeks ago
A threat actor with a CRQC (which no one expects to be reality for 10-30 more years) actually will need both age ciphertexts and the recipients they are encrypted to to attack them. We are working on a PQC recipient type, and will publish one once the NIST FIPS are finalized, but for now we don't plan to deprecate the current recipient type. age is not any more vulnerable than any other asymmetric encryption tool or protocol. Password encryption is unaffected. See also https://words.filippo.io/dispatches/post-quantum-age/.
(tldr: NIST appears to have failed at math and chose what seems to be objectively worse solution in comparison to NTRU)
Note that this has been refuted, although the author of that claim has failed to retract it. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/W2VOzy0wz_E/m/LjmQyMurBQAJ
Kyber is perfectly fine, and it is my opinion as well as that of a number of experts in the area I spoke with that one of the NTRU Prime authors is engaged in a long-running, unfortunate FUD campaign.
The strategy of Harvest Now, Decrypt Later (https://en.wikipedia.org/wiki/Harvest_now,_decrypt_later) relies on the ability to collect and store encrypted files to be decrypted in the future, e.g. with quantum computers. This is a huge problem for age and its implementations in e.g. (r)agenix or sops-nix, as people often store very sensitive data.

Currently anyone can just query GitHub for "-----BEGIN AGE ENCRYPTED FILE-----" and start collecting these secrets: https://github.com/search?q=%22-----BEGIN+AGE+ENCRYPTED+FILE-----%22&type=code

As of 16th June 2024 GitHub returns over 23.2k files containing this string, which is very easy to automate and scrape.
Even a low-skilled threat actor can just make a GitHub account, create a GitHub token and ask a publicly available large language model to scrape these files and get usable results:

Query: Make me a python script that uses the GitHub API and returns all files that contain the string -----BEGIN AGE ENCRYPTED FILE-----

Using the CohereForAI/c4ai-command-r-plus model.

Model returns the following:

Relevant discussion on the topic: https://github.com/FiloSottile/age/discussions/231
Experimental implementation (for demo usage): https://github.com/qnfm/age
Where @FiloSottile said in https://github.com/FiloSottile/age/discussions/231#discussioncomment-3092773 to work on implementation of a Kyber512+X25519 plugin, I strongly advise against Kyber for reasons explained in https://github.com/matrix-org/matrix-spec/issues/975#issuecomment-2163238387 (tldr: NIST appears to have failed at math and chose what seems to be an objectively worse solution in comparison to NTRU).

Proposed management of the issue
@FiloSottile please confirm that age is currently not Post Quantum Safe (reading the code and issues seems to indicate that it is not); if so, all users whose private age keys are returned by the GitHub request should be mentioned in this issue to spread awareness and enable them to adjust their threat models, and this problem should be added as a warning to the readme. Maintainers of age implementations should also be notified.
Relevant issues
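The maintainer's reply above notes that a future CRQC attack needs both the ciphertext and its asymmetric recipient, and that passphrase (scrypt) encryption is unaffected; the issue body asks users to adjust their threat models. A defender who wants to do that first needs to know which of their own age files are encrypted to an X25519 recipient and which only to a passphrase. The following added example (not code from the age project or from this thread) reads that information from the plaintext header of armored age files without any key. It assumes the published age v1 format: "-----BEGIN/END AGE ENCRYPTED FILE-----" armor around base64, a header starting with "age-encryption.org/v1", one "-> <type> <args>" stanza per recipient, and a "--- <mac>" line closing the header. The sample files it inspects are constructed in the block with placeholder bodies, MAC and payload; only the header layout is faithful to the format.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass, field

ARMOR_BEGIN = "-----BEGIN AGE ENCRYPTED FILE-----"
ARMOR_END = "-----END AGE ENCRYPTED FILE-----"
HEADER_MAGIC = b"age-encryption.org/v1\n"


@dataclass
class Stanza:
    """One recipient stanza from an age header: "-> <type> <args...>"."""
    type: str
    args: list[str] = field(default_factory=list)


def _b64(data: bytes) -> str:
    # age stanza arguments and bodies use unpadded standard base64.
    return base64.b64encode(data).decode("ascii").rstrip("=")


def unarmor(text: str) -> bytes:
    """Strip the PEM-style armor and return the raw age file bytes."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != ARMOR_BEGIN or lines[-1] != ARMOR_END:
        raise ValueError("not an armored age file")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def parse_header_stanzas(raw: bytes) -> list[Stanza]:
    """Return the recipient stanzas from the plaintext header of an age file.

    The header runs from the version line up to the "--- <mac>" line. Each
    stanza is a "-> <type> [args...]" line followed by base64 body lines;
    the bodies are not needed for an inventory, so they are skipped.
    """
    if not raw.startswith(HEADER_MAGIC):
        raise ValueError("missing age v1 header magic")
    mac_line = raw.find(b"\n--- ")
    if mac_line == -1:
        raise ValueError("header MAC line not found")
    header = raw[len(HEADER_MAGIC):mac_line].decode("ascii")
    stanzas: list[Stanza] = []
    for line in header.split("\n"):
        if line.startswith("-> "):
            fields = line[3:].split(" ")
            stanzas.append(Stanza(fields[0], fields[1:]))
    return stanzas


def inventory(armored: str) -> dict:
    """Summarise which recipient types protect an armored age file.

    "scrypt" is the built-in passphrase recipient (symmetric only) and
    "X25519" the built-in public-key recipient; any other type is a plugin
    recipient that needs its own assessment.
    """
    stanzas = parse_header_stanzas(unarmor(armored))
    types = sorted({s.type for s in stanzas})
    return {
        "types": types,
        "passphrase_only": types == ["scrypt"],
        "has_x25519": "X25519" in types,
        "plugin_types": [t for t in types if t not in ("X25519", "scrypt")],
    }


def build_constructed_file(stanzas: list[Stanza]) -> str:
    """Build an armored file with the given header for demonstration only.

    Stanza bodies, MAC and payload are placeholder bytes, not real ciphertext.
    """
    raw = bytearray(HEADER_MAGIC)
    for s in stanzas:
        raw += ("-> " + " ".join([s.type, *s.args]) + "\n").encode("ascii")
        raw += (_b64(b"\x01" * 32) + "\n").encode("ascii")      # placeholder body
    raw += b"--- " + _b64(b"\x02" * 32).encode("ascii") + b"\n"  # placeholder MAC
    raw += b"\x03" * 16 + b"\x04" * 32                           # placeholder nonce + payload
    b64 = base64.b64encode(bytes(raw)).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([ARMOR_BEGIN, *lines, ARMOR_END]) + "\n"


# Constructed samples: one X25519 recipient, one passphrase, and a mix of both.
SAMPLE_X25519 = build_constructed_file([Stanza("X25519", [_b64(b"\x05" * 32)])])
SAMPLE_SCRYPT = build_constructed_file([Stanza("scrypt", [_b64(b"\x06" * 16), "18"])])
SAMPLE_MIXED = build_constructed_file([
    Stanza("X25519", [_b64(b"\x07" * 32)]),
    Stanza("scrypt", [_b64(b"\x08" * 16), "18"]),
])

if __name__ == "__main__":
    for name, sample in [("x25519", SAMPLE_X25519), ("scrypt", SAMPLE_SCRYPT), ("mixed", SAMPLE_MIXED)]:
        print(name, inventory(sample))
```

Run over a checkout, `inventory` gives a per-file view of which secrets are protected only by a passphrase and which carry an X25519 recipient; the header is readable by design, so this reads exactly what anyone holding the ciphertext can read, and nothing more.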