[Pkg-swan-devel] Bug#803787: [strongswan] Enable post-quantum algorithms

Nicolas Braud-Santoni nicolas at braud-santoni.eu
Sun Feb 21 16:51:26 UTC 2016

In an out-of-band conversation with corsac, it appeared that I didn't
  make my point clearly enough, so here is a recap:

- It is known that nation-state adversaries, interested in mass
  surveillance, are currently recording encrypted traffic they observe,
  in the hope of being able to decrypt it in the future (by obtaining
  the keys or through cryptanalytic means).
- Currently available key exchange mechanisms are all broken by a
  passive, quantum adversary.
- Hence, the forward-secrecy of **currently-transmitted traffic** lasts
  at most as long as nation-state adversaries do not obtain quantum
- While quantum computers do not exist yet [0], estimates on the time
  before discovery vary wildly, from 5 to 50 years.

In that light, having a post-quantum kex makes sense.  The NTRU scheme
  has been first formulated 20 years ago and has withstood serious
  scrutiny.  Interestingly, the PQCRYPTO workgroup spoke is evaluating
  the Stehle–Steinfeld variant (not the one available in StrongSwan)
  for long-term security [1].

Note that this is purely about making future mass surveillance, assisted
  by quantum computers, more costly.  This isn't about targeted
  attacks against a specific IPSec deployment (where the situation is
  much more complex, and endpoint security plays a more prevalent role).

[0]: The DWave machines are quantum annealers, and aren't known to be
     able to run Shor's or Grover's algorithms, nor any other
     algorithm relevant for cryptanalysis.

[1]: http://pqcrypto.eu.org/docs/initial-recommendations.pdf
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-swan-devel/attachments/20160221/b50cf406/attachment.sig>

More information about the Pkg-swan-devel mailing list