Quantum Resistance and the Signal Protocol

292 点作者 dm超过 1 年前

15 条评论

It is good that they kept the classical crypto along. However, the general tendency towards quantum-resistant cryptography leaves me puzzled. From my perspective as a physics PhD graduate, I firmly believe that a quantum computer capable of breaking public key crypto will never be built. This is because as you add more qubits, there's increased interference between them due to the additional connections required.It's similar to how FM radio works: there's a main frequency and several sidebands. When you adjust the tuner to pick up a station, you're essentially "interacting" with the corresponding station. But if there are too many stations, you may no longer be able to hear the music, and as a result, there would be only a static noise present.This leads me to a somewhat cynical conspiracy. Imagine the moment when a curios government agency realises that building a quantum computer for this purpose is a futile endeavor. Instead of admitting this, they could perpetuate the idea that its construction is just around the corner. Then, act as a wolf in sheep’s skin and introduce everyone to quantum-resistant solutions, which are unfortunate to have secret hidden backdoors by having done more advanced research on them. Has anyone thought about this?

评论 #37575322 未加载

评论 #37575133 未加载

评论 #37575742 未加载

评论 #37575349 未加载

评论 #37576100 未加载

评论 #37575092 未加载

评论 #37579084 未加载

评论 #37575631 未加载

评论 #37575410 未加载

评论 #37575986 未加载

评论 #37581671 未加载

评论 #37581176 未加载

评论 #37580851 未加载

评论 #37576180 未加载

评论 #37577389 未加载

s17n超过 1 年前

Given that Signal's main innovation (compared to traditional end to end encryption) was to safeguard its users against future compromises via the ratchet protocol, this actually seems like a logical move for them to make.

swamp40超过 1 年前

There are 20 bitcoin wallets worth more than a billion dollars each.I think it will be pretty obvious when someone gets a quantum computer working.

评论 #37575094 未加载

评论 #37574816 未加载

评论 #37574884 未加载

评论 #37575715 未加载

评论 #37575041 未加载

评论 #37575888 未加载

评论 #37580341 未加载

macawfish超过 1 年前

Why not use something like backchannel? That way we wouldn't need phone numbers either...The initial shared private key exchange could be done with more expensive, quantum resistant cryptography but the actual communication could be done through symmetric encryption.<a href="https://www.inkandswitch.com/backchannel/" rel="nofollow noreferrer">https://www.inkandswitch.com/backchannel/</a>For the key exchange itself ("PAKE") maybe something like this: <a href="https://journal-home.s3.ap-northeast-2.amazonaws.com/site/icisc2021/presentation/paper_42.pdf" rel="nofollow noreferrer">https://journal-home.s3.ap-northeast-2.amazonaws.com/site/ic...</a>And for the symmetric encryption: <a href="https://github.com/Steppenwolfe65/eAES">https://github.com/Steppenwolfe65/eAES</a>

评论 #37578358 未加载

wolverine876超过 1 年前

That is very well-written, as someone else pointed out, though this common explanation for laypeople needs work (I'm not blaming Signal's blogger, who wrote it more carefully than most):"Instead of bits as in a classical computer, quantum computers operate on qubits. Rather than 0 or 1, qubits can exist in a superposition of states, in some sense allowing them to be both values at once."'Instead of beads as in a classical abacus, our Quabacus operates on Quabeads! Rather than positions 0 or 1, quabeads can be in both positions at once!'Beads that are simultaneously in both positions sounds like a f$@!#g annoying glitch and not a feature - how does that help anyone record or calculate numbers? ('Would someone take a look a this broken Quabacus-abacus and resolve these g#$%!m glitching quabeads?!!!') It mocks the non-technical reader, who assumes they must have been given enough information to understand why it's faster and possibly how it works, but can't figure it out.They have not been given enough. Does anyone who perhaps understands it better than I do want to take a stab at a new commonplace explanation, one that connects the dots between quantum superposition and performance (for certain calculations)?

评论 #37579618 未加载

评论 #37577013 未加载

评论 #37579277 未加载

评论 #37579535 未加载

评论 #37577179 未加载

awestroke超过 1 年前

Super cool.If current quantum computers were scaled up to more qubits, could they break modern crypto? Or would we need both more qubits and a new quantum computer architecture?

评论 #37572887 未加载

评论 #37573603 未加载

Boogie_Man超过 1 年前

Actively resisting future attackers and hardware is an incredibly forward-thinking thing to do, bravo. How long into the future is an achievable and desirable duration for encryption (barring any rapid, unforeseen paradigm shift)? If ten years is acceptable for declassification of standard documents in the US, is this a reasonable target for day to day signal chats?

评论 #37573711 未加载

评论 #37578585 未加载

Tutanota超过 1 年前

Congrats to Signal, this is a great step!At Tutanota we also use the Signal protocol to build post-quantum secure encryption for email and drive: <a href="https://tutanota.com/blog/pqdrive-project" rel="nofollow noreferrer">https://tutanota.com/blog/pqdrive-project</a>Post-quantum secure encryption can't be developed early enough. In the end all our data today will be at risk of being decrypted in the future - unless we secure it now!

评论 #37581070 未加载

评论 #37580992 未加载

miles_matthias超过 1 年前

Appreciate how well-written and approachable this post was!

sigmar超过 1 年前

Whitepaper says:>PQXDH provides post-quantum forward secrecy and a form of cryptographic deniability but still relies on the hardness of the discrete log problem for mutual authentication in this revision of the protocol.So that's why active mitm with a contemporary quantum computer is a concern mentioned in the blog post. Of course it isn't of any concern currently (since no one has the hardware to exploit this), but I'm curious why they couldn't fit the crystals-kyber method for mutual auth in this hybridized implementation? performance concerns?

评论 #37578627 未加载

jmprspret超过 1 年前

Very well written and digestable. I have much respect for the Signal people.However I'd like to mention using usernames instead of phone numbers has been met with the classic "soon™" response for years now. When will they actually do it? This the the only thing I really really dislike about Signal - their lack of communication on oddly specific things. Like them holding back the codebase for months on GitHub so as to not spoil the.. Surprise! MobileCoin!

评论 #37612301 未加载

Aachen超过 1 年前

About time! People picked this up soon after it was committed to the repository back in May, and the beta version of Signal has had dual keys aka "safety numbers" for a while now (maybe 1.5 months?). Happy to see they decided releasing a blog post about it after all :)Pick your platform: <a href="https://mobile.twitter.com/Th3Zer0/status/1661078047196364815" rel="nofollow noreferrer">https://mobile.twitter.com/Th3Zer0/status/166107804719636481...</a> <a href="https://ch.linkedin.com/posts/dr-angie-qarry-397538127_add-kyber-kem-and-implement-pqxdh-protocol-activity-7067943827482771456-5Qf7" rel="nofollow noreferrer">https://ch.linkedin.com/posts/dr-angie-qarry-397538127_add-k...</a> <a href="https://chaos.social/@luc/111048883207848400" rel="nofollow noreferrer">https://chaos.social/@luc/111048883207848400</a> (disclosure: the latter is myself; there was another Mastodon post I'm pretty sure, but when I search for PQXDH there it only shows my own post)The blog doesn't mention it, but based on a code comment, it seems that ~two months from now the new key fingerprints will become mandatory for peers to remain trusted after you update your clientFrom the blog post:> We want to extend our sincerest thanks and appreciation to all the people who contributed to the development of this protocol upgrade. This includes the cryptographic research community, the Kyber team, and the following people who directly contributed to our whitepaperAll that behind closed doors, apparently.There was scarcely a mention of PQXDH to be found on the web besides the Signal source code and the handful of people that picked up on it on social media. A github ticket about adding post-quantum support was responded to with "we have no announcements to make" and then closed due to inactivity. I suppose one only needs so many cooks, but why not have this whitepaper, the ideas going into the protocol design, the timeline, whatever goes into this security decision for an open source app visible, even if only read-only? Feels more like source-available than open source spirited, but I guess that's in line with "the ecosystem is moving" (Moxie's talk where he says that they can do better without a community developing more clients, integrations, federation, etc.)

sdeframond超过 1 年前

I am a bit puzzled: governments and big corp are pouring indecent amounts of money in developing quantum computers, which main application, afaict, is to break cryptography....and this is defeated by changing our algorithms ?Whats the use in developing quantum computers then?

评论 #37576968 未加载

评论 #37581180 未加载

m3kw9超过 1 年前

Doing quantum resistant algorithm right now is straight up posturing and signaling

评论 #37579527 未加载

评论 #37592262 未加载

tjrgergw超过 1 年前

Now explain why you had to add bitcoin to signal.

评论 #37577031 未加载