Google's threat model for post-quantum cryptography

255 points, by yuedongze, about 1 year ago

11 comments

tptacek, about 1 year ago

"Stateless tokens come with independent security concerns, and moving towards stateful tokens is prudent just to ensure more robust systems. [...] Our main recommendation is to use stateful tokens where possible, given their additional security benefits."

This is smart. PQC schemes often add too much overhead for interoperable cookie sizes. Instead of trying to cram a PQC signature into a cookie, just stop using the stateless cookie designs that require asymmetric signatures.

I'm not sure I buy the Global Risk Institute chart. I get that they need to motivate adoption, but practical cryptanalytic work with quantum computers seems unpromising right now.
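An added illustration of the cookie-size point above (not code from the thread or from Google's post): a stateful session keeps only an opaque random handle in the cookie and all claims server-side, so neither its size nor its revocation story depends on the signature scheme, whereas a stateless token has to carry its signature inside the cookie. HMAC-SHA256 stands in for the asymmetric signature so the example runs offline, and the Dilithium3 and SPHINCS+-128s signature sizes are assumed parameter-set figures, not produced by any library.

```python
import base64
import hmac
import json
import secrets

COOKIE_BUDGET = 4096  # bytes; RFC 6265 minimum per-cookie size a user agent must support
# Assumed signature sizes in bytes (parameter-set figures; nothing here really signs).
SIGNATURE_BYTES = {"ecdsa-p256": 64, "dilithium3": 3293, "sphincs+-128s": 7856}


class StatefulSessions:
    """Opaque random handle in the cookie; every claim lives in the server-side store."""
    def __init__(self):
        self._store = {}

    def issue(self, claims):
        handle = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 chars, whatever the signer
        self._store[handle] = dict(claims)
        return handle

    def validate(self, handle):
        return self._store.get(handle)  # None for unknown or revoked handles

    def revoke(self, handle):
        self._store.pop(handle, None)  # takes effect immediately, no denylist needed


class StatelessSessions:
    """Claims plus signature travel in the cookie; the server keeps nothing."""
    def __init__(self, key):
        self._key = key  # HMAC stands in for the asymmetric signature a real design needs

    def issue(self, claims):
        body = base64.urlsafe_b64encode(json.dumps(claims, separators=(",", ":")).encode())
        tag = hmac.new(self._key, body, "sha256").digest()
        return body + b"." + base64.urlsafe_b64encode(tag)

    def validate(self, token):
        body, _, tag = token.partition(b".")
        try:
            expected = hmac.new(self._key, body, "sha256").digest()
            if not hmac.compare_digest(base64.urlsafe_b64decode(tag), expected):
                return None
            return json.loads(base64.urlsafe_b64decode(body))
        except ValueError:  # malformed base64 or JSON
            return None
    # No revoke(): a signed token stays valid until expiry unless a server-side denylist is
    # added, which brings back the very state the stateless design tried to avoid.


def fits_cookie(claims_len, scheme):
    # Does a stateless token (claims + signature, base64-encoded) fit in one cookie?
    raw = claims_len + SIGNATURE_BYTES[scheme]
    return 4 * ((raw + 2) // 3) + 1 <= COOKIE_BUDGET  # +1 for the separator
```

With 200 bytes of claims, the ECDSA token fits comfortably while the Dilithium3 and SPHINCS+ variants blow the 4 KiB budget; the stateful handle stays at 43 characters in every case.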
thadt, about 1 year ago

A counter-point that perhaps everyone is taking PQ a bit too seriously [1].

Personally, it seems reasonable to at least spend some effort preparing for it, given the rather long lead time required to develop, study and stress the constructions needed. It might be a long time (if ever) before cryptographically relevant quantum computers show up, but if they do, we'll be glad we had a decade or two to get ready. The alternative of scrambling at the last minute while everything gets cracked seems unenviable.

[1] https://www.cs.auckland.ac.nz/~pgut001/pubs/heffalump_crypto.pdf
xyst, about 1 year ago

Besides encrypting your user data at rest using these post-quantum cryptography algorithms, what can be done from a design point of view to make it as hard as possible to deter attackers?

Would it make sense to segregate different types of data into other DBs rather than as a separate table?

"Name DB", "Account DB", "Address DB"

An attacker would need to have advanced knowledge of the app backend to know you have to snag both the account DB and address DB. Otherwise, the decrypted data is useless with only 1 DB.

Drawbacks of course include "performance degradation" and "increasingly complex app".

Ideally, if you did not need to store sensitive data or collect other user info such as address or zip code, then not asking for it at all would be optimal. Maybe regulation is needed here.
comex, about 1 year ago

> There are several alternatives to simply replacing classical signatures with quantum-safe signatures, which could address the performance issues when it comes to PKI. We are currently looking to experiment in this space to gather data for more solid recommendations, which we will share in a future blog post.

Does anyone know what those alternatives might be? Some way to collapse a chain of signatures into one? Long-term symmetric session keys? Neither of those sound like good ideas but I'm grasping at straws.
JanisErdmanis, about 1 year ago

The threat estimate for a quantum computer that breaks cryptography shall be based on currently available data and the understanding that only Shor's algorithm is known to provide exponential speedup for factorisation.

Let's give IBM credit for attempting to factor the number 35 in 2022, although they failed there [1]. Before that, the successful factorisation happened for the number 21 in 2012 [2] and the first factorisation of 15 in 2001 [3].

Now we have three points. There is a trend that the factorised number grows by a number of 10 for every ten years. Thus, to get a quantum computer that facilitates RSA-2048, we shall wait for 2^2048 years.

[1]: https://arxiv.org/pdf/2103.13855v1.pdf

[2]: https://www.nature.com/articles/nphoton.2012.259

[3]: https://www.nature.com/articles/414883a
Retr0id, about 1 year ago

Just from reading this it's a bit unclear to me why they recommend only SPHINCS+ for "Firmware Signatures", while for "Software Signatures" they recommend Dilithium3+hybrid or SPHINCS+.

Is SPHINCS+ more lightweight?
shireboy, about 1 year ago

I've wondered if the institutional buy-up of BTC via ETFs and corporate and governmental balance sheets has adequately considered this risk. Could a bad actor steal BTC by cracking sha256 keys on a quantum computer? There could be a catch-22: doing so would zero the value of BTC, so if they didn't immediately transfer to a quantum-resistant asset, their heist would be worthless. Still, they could profit by shorting, or it could be on the agenda of other assets to just zero BTC.
dvh, about 1 year ago

This may be a naive question but why not go back to Vernam? Storage is cheap.
deadbabe, about 1 year ago

How close or far do people speculate we are from Q-Day?
Alquds2024, about 1 year ago

Yes, there is some truth to that.
rihegher, about 1 year ago

In short, all encrypted data transiting through the internet will get decrypted once quantum computing is there. As if we didn't already have enough threats to worry about...