It is good that they kept the classical crypto along with it. However, the general tendency towards quantum-resistant cryptography leaves me puzzled. From my perspective as a physics PhD graduate, I firmly believe that a quantum computer capable of breaking public key crypto will never be built. This is because as you add more qubits, there's increased interference between them due to the additional connections required.<p>It's similar to how FM radio works: there's a main frequency and several sidebands. When you adjust the tuner to pick up a station, you're essentially "interacting" with the corresponding station. But if there are too many stations, you may no longer be able to hear the music, and as a result, there would be only static noise present.<p>This leads me to a somewhat cynical conspiracy theory. Imagine the moment when a curious government agency realises that building a quantum computer for this purpose is a futile endeavor. Instead of admitting this, they could perpetuate the idea that its construction is just around the corner. Then, act as a wolf in sheep's clothing and introduce everyone to quantum-resistant solutions, which unfortunately have secret hidden backdoors, thanks to their having done more advanced research on them. Has anyone thought about this?
Given that Signal's main innovation (compared to traditional end to end encryption) was to safeguard its users against future compromises via the ratchet protocol, this actually seems like a logical move for them to make.
Why not use something like backchannel? That way we wouldn't need phone numbers either...<p>The initial shared private key exchange could be done with more expensive, quantum resistant cryptography but the actual communication could be done through symmetric encryption.<p><a href="https://www.inkandswitch.com/backchannel/" rel="nofollow noreferrer">https://www.inkandswitch.com/backchannel/</a><p>For the key exchange itself ("PAKE") maybe something like this: <a href="https://journal-home.s3.ap-northeast-2.amazonaws.com/site/icisc2021/presentation/paper_42.pdf" rel="nofollow noreferrer">https://journal-home.s3.ap-northeast-2.amazonaws.com/site/ic...</a><p>And for the symmetric encryption: <a href="https://github.com/Steppenwolfe65/eAES">https://github.com/Steppenwolfe65/eAES</a>
That is very well-written, as someone else pointed out, though this common explanation for laypeople needs work (I'm not blaming Signal's blogger, who wrote it more carefully than most):<p><i>"Instead of bits as in a classical computer, quantum computers operate on qubits. Rather than 0 or 1, qubits can exist in a superposition of states, in some sense allowing them to be both values at once."</i><p>'Instead of beads as in a classical abacus, our Quabacus operates on Quabeads! Rather than positions 0 or 1, quabeads can be in both positions at once!'<p>Beads that are simultaneously in both positions sounds like a f$@!#g annoying glitch and not a feature - how does that help anyone record or calculate numbers? ('Would someone take a look at this broken Quabacus-abacus and resolve these g#$%!m glitching quabeads?!!!') It mocks the non-technical reader, who assumes they must have been given enough information to understand why it's faster and possibly how it works, but can't figure it out.<p>They have not been given enough. Does anyone who perhaps understands it better than I do want to take a stab at a new commonplace explanation, one that connects the dots between quantum superposition and performance (for certain calculations)?
Super cool.<p>If current quantum computers were scaled up to more qubits, could they break modern crypto? Or would we need both more qubits and a new quantum computer architecture?
Actively resisting <i>future</i> attackers and hardware is an incredibly forward-thinking thing to do, bravo. <i>How long</i> into the future is an achievable and desirable duration for encryption (barring any rapid, unforeseen paradigm shift)? If ten years is acceptable for declassification of standard documents in the US, is this a reasonable target for day to day signal chats?
Congrats to Signal, this is a great step!<p>At Tutanota we also use the Signal protocol to build post-quantum secure encryption for email and drive: <a href="https://tutanota.com/blog/pqdrive-project" rel="nofollow noreferrer">https://tutanota.com/blog/pqdrive-project</a><p>Post-quantum secure encryption can't be developed early enough. In the end all our data today will be at risk of being decrypted in the future - unless we secure it now!
Whitepaper says:<p>>PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol.<p>So that's why active MITM with a contemporary quantum computer is a concern mentioned in the blog post. Of course it isn't of any concern currently (since no one has the hardware to exploit this), but I'm curious why they couldn't fit the CRYSTALS-Kyber method for mutual auth in this hybridized implementation? Performance concerns?
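The distinction the whitepaper quote above draws (post-quantum forward secrecy for the session key, classical discrete log for authentication) and the earlier suggestion of an expensive quantum-resistant exchange followed by symmetric encryption both rest on the same construction: every classical DH output and the KEM output are fed into one KDF, so the session key cannot be recovered unless all of them are known. The following is an added illustration written for this page, not Signal's code or the PQXDH implementation. It makes three assumptions: finite-field Diffie-Hellman over the RFC 3526 2048-bit group stands in for X25519, the KEM shared secret is a constructed byte string standing in for the Kyber output, and the `INFO` label plus the concatenation order are placeholders for whatever the real protocol uses. Authentication (the signature over the prekeys) is deliberately not modelled, which is exactly the part the comment says still relies on discrete log.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP, generator 2): the classical DH half of the
# hybrid handshake. Stand-in for X25519, which the stdlib does not provide.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2  # P is a safe prime; G generates the subgroup of prime order Q

# Assumption: a domain-separation label for this example, not Signal's constant.
INFO = b"example-hybrid-kex-v1"


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF-SHA256 as in RFC 5869: extract a PRK from the key material, then expand."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def dh_keypair() -> tuple[int, int]:
    """Fresh ephemeral exponent in [2, Q-1] and its public value G^priv mod P."""
    priv = secrets.randbelow(Q - 2) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """DH shared secret; rejects public values outside the prime-order subgroup."""
    if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the prime-order subgroup")
    return pow(peer_pub, priv, P).to_bytes(256, "big")


def derive_session_key(dh_secrets: list[bytes], kem_secret: bytes) -> bytes:
    """Hybrid combiner: all DH outputs and the KEM output go through one KDF.

    An attacker who solves discrete log (a future quantum computer) learns the
    DH outputs but still lacks kem_secret; one who breaks the KEM still lacks
    the DH outputs. Either way the key stays out of reach.
    """
    return hkdf(b"".join(dh_secrets) + kem_secret, salt=b"", info=INFO, length=32)


def run_handshake(kem_secret: bytes) -> dict:
    """One hybrid exchange between two parties sharing an out-of-band KEM secret.

    kem_secret is a constructed stand-in for the Kyber encapsulation output.
    The returned dh_secret is what a discrete-log-breaking attacker would hold.
    """
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    dh_a = dh_shared(a_priv, b_pub)
    dh_b = dh_shared(b_priv, a_pub)
    return {
        "alice": derive_session_key([dh_a], kem_secret),
        "bob": derive_session_key([dh_b], kem_secret),
        "dh_secret": dh_a,
    }


if __name__ == "__main__":
    result = run_handshake(secrets.token_bytes(32))
    print("keys agree:", result["alice"] == result["bob"])
```

Both parties land on the same 32-byte key; anyone holding only `dh_secret` is left brute-forcing the KEM secret. The unauthenticated DH above is also why an active attacker matters: nothing here binds the public values to an identity, which is the role the signed prekeys play in the real protocol.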
Very well written and digestible. I have much respect for the Signal people.<p>However I'd like to mention using usernames instead of phone numbers has been met with the classic "soon™" response for years now. When will they actually do it? This is the only thing I really really dislike about Signal - their lack of communication on oddly specific things. Like them holding back the codebase for months on GitHub so as to not spoil the... Surprise! MobileCoin!
About time! People picked this up soon after it was committed to the repository back in May, and the beta version of Signal has had dual keys aka "safety numbers" for a while now (maybe 1.5 months?). Happy to see they decided to release a blog post about it after all :)<p>Pick your platform: <a href="https://mobile.twitter.com/Th3Zer0/status/1661078047196364815" rel="nofollow noreferrer">https://mobile.twitter.com/Th3Zer0/status/166107804719636481...</a> <a href="https://ch.linkedin.com/posts/dr-angie-qarry-397538127_add-kyber-kem-and-implement-pqxdh-protocol-activity-7067943827482771456-5Qf7" rel="nofollow noreferrer">https://ch.linkedin.com/posts/dr-angie-qarry-397538127_add-k...</a> <a href="https://chaos.social/@luc/111048883207848400" rel="nofollow noreferrer">https://chaos.social/@luc/111048883207848400</a> (disclosure: the latter is myself; there was another Mastodon post I'm pretty sure, but when I search for PQXDH there it only shows my own post)<p>The blog doesn't mention it, but based on a code comment, it seems that ~two months from now the new key fingerprints will become mandatory for peers to remain trusted after you update your client.<p>From the blog post:<p>> We want to extend our sincerest thanks and appreciation to all the people who contributed to the development of this protocol upgrade. This includes the cryptographic research community, the Kyber team, and the following people who directly contributed to our whitepaper<p>All that behind closed doors, apparently.<p>There was scarcely a mention of PQXDH to be found on the web besides the Signal source code and the handful of people that picked up on it on social media. A GitHub ticket about adding post-quantum support was responded to with "we have no announcements to make" and then closed due to inactivity.
I suppose one only needs so many cooks, but why not have this whitepaper, the ideas going into the protocol design, the timeline, whatever goes into this security decision <i>for an open source app</i> visible, even if only read-only? Feels more like source-available than open source spirited, but I guess that's in line with "the ecosystem is moving" (Moxie's talk where he says that they can do better without a community developing more clients, integrations, federation, etc.)
I am a bit puzzled: governments and big corp are pouring indecent amounts of money into developing quantum computers, whose main application, afaict, is to break cryptography.<p>...and this is defeated by changing our algorithms?<p>What's the use in developing quantum computers then?