On 1/3/2016 11:24 PM, Ryan Carboni wrote:
> Given the slow time it takes to roll things out, a timeline which begins with trusted directory keys include post-quantum crypto first, and which ends in enabling clients to use post-quantum crypto would be best.
That is wrong. Read Yawning's previous message to this thread. If we try to do things on an all-or-nothing and right-now-don't-care basis we might end up doing nothing at all and waste precious time. Post-quantum crypto for directory signing keys is useless at this moment, because quantum computers don't exist yet. A conspiracy theory that the NSA already has super duper quantum computers since n years ago and already cracks all curves is something too much to digest, and I prefer to build a timeline and establish priorities based on real-world evidence and research papers as opposed to conspiracy theories and assumptions.
Back to the point, the directory signing keys are used to sign consensus documents. A consensus document has a very short, limited lifetime (valid-until). This means that if the keys are compromised (broken by quantum computers) after the end-of-life date, it's a useless attack that offers nothing. The only way this attack would work is if the attacker had the ability to compromise the directory keys in real time (almost instantly), not at some probable time in the future.
On the other hand, we have evidence that netflow traffic and whole internet traffic (even if encrypted) is captured and might be stored in unknown quantities for unknown periods. While "it is safe to assume" that quantum computers powerful enough to make a difference don't exist yet, and probably won't for a while longer, we can be certain that the technology to store massive amounts of data already exists and is quite accessible and relatively cheap for attackers such as the ones in our threat models.
So, yes, the threat of data collection now for future compromise is a much more realistic threat than someone right now having a super duper quantum computer which can crack currently used crypto in real time. Adding something quantum-safe in link encryption for starters is worth looking into, and in the future of course changes will be applied to upper-layer crypto as well.