[Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms
nicolas at braud-santoni.eu
Sun Feb 21 16:51:26 UTC 2016
In an out-of-band conversation with corsac, it appeared that I didn't
make my point clearly enough, so here is a recap:
- It is known that nation-state adversaries, interested in mass
surveillance, are currently recording encrypted traffic they observe,
in the hope of being able to decrypt it in the future (by obtaining
the keys or through cryptanalytic means).
- Currently available key exchange mechanisms are all broken by a
passive, quantum adversary.
- Hence, the forward-secrecy of **currently-transmitted traffic** lasts
at most as long as nation-state adversaries do not obtain quantum
- While quantum computers do not exist yet , estimates on the time
before discovery vary wildly, from 5 to 50 years.
In that light, having a post-quantum kex makes sense. The NTRU scheme
has been first formulated 20 years ago and has withstood serious
scrutiny. Interestingly, the PQCRYPTO workgroup spoke is evaluating
the Stehle–Steinfeld variant (not the one available in StrongSwan)
for long-term security .
Note that this is purely about making future mass surveillance, assisted
by quantum computers, more costly. This isn't about targeted
attacks against a specific IPSec deployment (where the situation is
much more complex, and endpoint security plays a more prevalent role).
: The DWave machines are quantum annealers, and aren't known to be
able to run Shor's or Grover's algorithms, nor any other
algorithm relevant for cryptanalysis.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 801 bytes
Desc: not available
More information about the Pkg-swan-devel