[tor-talk] Post Quantum Tor

s7r s7r at sky-ip.org
Mon May 28 15:47:57 UTC 2018


Lodewijk andré de la porte wrote:
> RSA/ECDSA are both screwed.
> 
> SPHINCS seems good.
> 
> Post quantum asymcrypt doesn't seem generally ready yet, but hashes work.
> 

You claim this based upon what evidence? Do you have any technical
document or citation in order to sustain your claim? I am not talking
about something you read on an anonymous blog here. Also, which RSA?
There is limited evidence that RSA 1024 might not be sufficient with
current existing computing power (not even evidence, more like an
assumption), but RSA 2048 / 4096 should be sufficient. Even for RSA
1024 you might need to be a real threat in order to be worth the
resources to be spent on you.

There is no evidence of ECDSA and ECDH being screwed (regardless of the
curve used, NIST ones, cv25519, secp256k1, etc.).

I understand that some might be inclined to think that everything is
screwed, and that the NSA/CIA have the power to do anything, but there
is no evidence to sustain such a claim. To be frank, I am very happy to
have people like this in the community because problems might get fixed
even before they become real problems.

Everyone who correctly used encryption tools with up to date recommended
standards was safe; the cases where it failed relied purely on human
error, social engineering or other kinds of side channel attacks. If I am
able to spy on the passphrase of your private key (or if you have a weak
dictionary passphrase that I can break with brute force in like 1 year)
this does not mean I have the power to break the algorithm of your
encryption key (RSA, ECC). Unfortunately way too many people use small,
easy to remember passphrases (even related to their names, dates of
birth, spouse names, pet names, etc.). A good brute force tool will take
for example 2 years to break a relatively simple passphrase, but if fed
with hints (names, dobs, friends, pets, places) that can be narrowed
down exponentially to 2 months.

Let's keep this discussion productive. Tor _needs_ post quantum
resistant crypto as a _feature_, so that current traffic if captured and
stored cannot be decrypted within reasonable time in the future. The
time frame is variable and dependent on each case and threat model, but
let's say like one or two decades. So, this is just an extra security
measure Tor takes as the number one privacy tool, one that can be relied on.

There is no evidence that quantum computers will be strong enough in 5
or 10 years to break the current NON QUANTUM RESISTANT crypto used. At
the current moment quantum computers can barely do a square root of a two
digit number. Also, I think it's safe to assume this type of threat is
irrelevant if the current crypto in Tor might be broken in 100 years
from now, because even if the subject is still alive at that moment, it
might not matter at all.

Taking the discussion just a little further, quantum computers face a
physics problem related to time and space. A proven physics assumption
tells us that something can only be in one place/position at a time.
Like bits in normal computers nowadays, that can be either 0 or 1.
Qubits have to be both at the same time. So, being a true lover of
technology and believer, I am not stating it's impossible and it will
never happen, but it is surely not knocking on our doors, in my opinion.

Before experts struggle to answer this one, let us be productive and
work on the proposals Nick quoted in a previous email to this thread, so
we eliminate risk and don't have to worry if / when this becomes reality.

