Closed Qata closed 1 year ago
We do not have any post-quantum timelines to share at this time, but we are watching the space closely (in particular the PQ-KEM standardization process) and will update the Signal Protocol appropriately to deal with this issue.
NIST announced selections today:
https://csrc.nist.gov/projects/post-quantum-cryptography/selected-algorithms-2022
Looks like CRYSTALS-Kyber and CRYSTALS-Dilithium are the winners.
All currently captured Signal traffic will be retroactively decrypted once quantum computing advances far enough. This isn't just a problem for the future.
There are both Kyber and McEliece Rust libraries: https://github.com/Argyle-Software/kyber https://github.com/Colfenor/classic-mceliece-rust
Also, hybrid encryption entails no loss in security: both ECC and the PQ algorithm would be used simultaneously.
A relevant talk from rC3 would indicate Classic McEliece is safer from a patent perspective for a quick rollout: https://www.youtube.com/watch?v=taZfUOpUc6E
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This issue has been closed due to inactivity.
Now that the Signal Protocol has added Kyber to its specification, I would assume this issue is relevant again?
I'm no expert by any means, but is this post from DJB regarding NIST's selection process for Kyber somehow relevant to the choice of algorithms for PQXDH?
@ehrenkret-signal why not tweak the specs to allow a non-NIST KEX like NTRU Prime? OpenSSH 9.0 defaults to a hybrid with NTRU Prime and there haven't been any known weaknesses so far.
Just clearing this up: the spec says
A post-quantum key encapsulation mechanism that has IND-CCA post-quantum security (e.g. Crystals-Kyber-1024)
Another implementation of PQXDH can certainly choose to use a KEM other than Kyber.
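Two points in this thread, that a hybrid combines the ECC and PQ secrets so neither alone decides the key, and that the PQXDH spec treats the KEM as a pluggable IND-CCA primitive, can be seen in a small runnable sketch. This is an added example, not code from the Signal project or from libsignal. It uses a pure-Python X25519 (RFC 7748) for the classical half, and a stand-in KEM with the keygen/encaps/decaps interface a real Kyber/ML-KEM library would expose; that stand-in is itself built on X25519 and is NOT post-quantum, it only holds the slot so the combiner logic can run offline. The single DH, the 0xFF prefix, the zero salt and the info string are illustrative assumptions modelled loosely on the PQXDH KDF layout, not the spec's exact constants.

```python
import hashlib
import hmac
import os

# ---- pure-Python X25519 (RFC 7748 Montgomery ladder), classical half ----
_P = 2**255 - 19
_A24 = 121665
X25519_BASE = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    k = bytearray(scalar)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, point: bytes) -> bytes:
    k = _clamp(scalar)
    u = bytearray(point)
    u[31] &= 127                      # ignore the unused top bit of the u-coordinate
    x1 = int.from_bytes(u, "little") % _P
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):      # constant-structure ladder over all scalar bits
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % _P, (x2 - z2) % _P
        aa, bb = a * a % _P, b * b % _P
        e = (aa - bb) % _P
        c, d = (x3 + z3) % _P, (x3 - z3) % _P
        da, cb = d * a % _P, c * b % _P
        x3 = (da + cb) ** 2 % _P
        z3 = x1 * ((da - cb) ** 2) % _P
        x2 = aa * bb % _P
        z2 = e * (aa + _A24 * e) % _P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, _P - 2, _P) % _P).to_bytes(32, "little")


def x25519_keypair(sk=None):
    sk = sk or os.urandom(32)
    return sk, x25519(sk, X25519_BASE)


# ---- stand-in KEM (assumption: same interface as a PQ KEM, NOT post-quantum) ----
def kem_keygen():
    return x25519_keypair()


def kem_encaps(pk: bytes):
    esk, ct = x25519_keypair()        # ciphertext is the ephemeral public key
    ss = hashlib.sha256(b"stand-in-kem" + x25519(esk, pk) + ct).digest()
    return ct, ss


def kem_decaps(sk: bytes, ct: bytes) -> bytes:
    return hashlib.sha256(b"stand-in-kem" + x25519(sk, ct) + ct).digest()


# ---- hybrid combiner: every secret feeds one KDF, so losing one does not leak the key ----
def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
        i += 1
    return out[:length]


def hybrid_secret(dh_outputs, kem_ss: bytes, info: bytes = b"example-hybrid-v1") -> bytes:
    # Illustrative layout: domain-separation prefix || DH outputs || KEM shared secret.
    km = b"\xff" * 32 + b"".join(dh_outputs) + kem_ss
    return hkdf_sha256(km, b"\x00" * 32, info)


def hybrid_exchange():
    """Bob publishes a DH key and a KEM key; Alice runs one DH plus one encapsulation."""
    bob_dh_sk, bob_dh_pk = x25519_keypair()
    bob_kem_sk, bob_kem_pk = kem_keygen()

    alice_dh_sk, alice_dh_pk = x25519_keypair()
    ct, kem_ss = kem_encaps(bob_kem_pk)
    alice_key = hybrid_secret([x25519(alice_dh_sk, bob_dh_pk)], kem_ss)

    # Bob receives (alice_dh_pk, ct) and must end up with the same key.
    bob_key = hybrid_secret([x25519(bob_dh_sk, alice_dh_pk)], kem_decaps(bob_kem_sk, ct))
    return alice_key, bob_key, kem_ss


if __name__ == "__main__":
    a, b, _ = hybrid_exchange()
    print("hybrid keys match:", a == b)
```

Swapping the stand-in for a real KEM means replacing only `kem_keygen`/`kem_encaps`/`kem_decaps`; the combiner does not care which KEM fills the slot, which is the property the spec wording above relies on. The X25519 routine here is for illustration only and is not constant-time in the sense a production library needs.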
I was reading The Post-Quantum Signal Protocol and was just wondering if there's any roadmap plans to move the library in a post-quantum direction.
I know we're still a far cry from widespread cryptography breaking, so I'm just asking this for visibility on what timelines will be, if there are any at all.