                           Post Quantum Cryptography
                My thoughts on Post Quantum Cryptography in 2022
--------------------------------------------------------------------------------

Post Quantum Cryptography
=========================

5 min read

/[cendyne: access-granted]-----------------------------------------------------\
| Today we rely primarily upon cryptography that is hard for classical         |
| computers to crack. The underlying strength relies on trapdoor functions     |
| [L1], which are easy to go one way and hard to go the other way. We consider |
| something secure if the cryptography is so hard to crack with current        |
| methods that the time taken to intelligently explore all possibilities would |
| surpass the heat death of the universe.                                      |
\------------------------------------------------------------------------------/

/[cendyne: looking-ych]--------------------------------------------------------\
| We expect the future will deliver quantum computers that can disrupt         |
| classical cryptography and undo the trapdoor functions in use today. We call |
| that future "post-quantum". Post-quantum cryptography (PQC) is cryptography  |
| that is resistant to an adversary with a sufficiently advanced quantum       |
| computer. PQC is an active field of research and PQC solutions are still     |
| being investigated and analyzed.                                             |
\------------------------------------------------------------------------------/

/------------------------------------------------------------[kyrmeso: hopeful]\
|   "Crypto Agile" has been a buzz word in the security space lately. Can I be |
|                                             agile and transition to PQC now? |
\------------------------------------------------------------------------------/

/[cendyne: galaxy-brain2]------------------------------------------------------\
| Only as an experiment! By experimenting you will see where your existing     |
| system will break. However, PQC algorithms have not reached approved and     |
| recommended status! (2022) The keys and signatures (either or) are           |
| absolutely massive. If your system limits how large your key sizes and       |
| signatures may be then your system will break because of PQC.                |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: blep]\
|                             I've heard about doing hybrids, what about that? |
\------------------------------------------------------------------------------/

/[cendyne: bonked]-------------------------------------------------------------\
| Hybrids exist as a transitionary stage in case classical cryptography is     |
| broken. But the PQC side may also be broken like SIKE did [L2].              |
\------------------------------------------------------------------------------/

/-----------------------------------------------------------[kyrmeso: ych-boop]\
|                                    What about Hybrid TLS Certificates [L3] ? |
\------------------------------------------------------------------------------/

/[cendyne: conspiracy]---------------------------------------------------------\
| X.509 [L4], the technology behind certificates, is an extensible             |
| specification for storing cryptographically bound assertions and             |
| establishing trust. While the technology is sound, paying money for these    |
| certificates is not. NIST and others have not settled on what our future     |
| holds. Browsers and other applications will not deploy PQC algorithms        |
| outside of limited experiments.                                              |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: give]\
| My CISO thinks we should get these in production and he found a vendor ready |
|                                  to sell us some certificates at a discount! |
\------------------------------------------------------------------------------/

/[cendyne: bullshit2]----------------------------------------------------------\
| Push back on that. Wait until Lets Encrypt deploys PQC hybrid certificates   |
| before hopping on the bandwagon with any certificate authority. History      |
| repeats itself as the PKI dot com bubble [L5] toots its horns again.         |
\------------------------------------------------------------------------------/

/---------------------------------------------------------------[kyrmeso: math]\
|           How would I do a crypto agile hybrid algorithm for my application? |
\------------------------------------------------------------------------------/

/[cendyne: objection]----------------------------------------------------------\
| That's dangerous! Do you really want to roll your own cryptography [L6] ?    |
| Without knowing these tools or options, you might invent a flexible          |
| cryptography engine. With that in place, can you protect yourself from       |
| downgrade attacks [L7] ? Will you have dedicated resources later to migrate  |
| away from whatever crypto you invented when it breaks? PQC is an active area |
| of research. Unless you are experimenting, stay far away and do not bring    |
| cryptographic experiments into your product.                                 |
\------------------------------------------------------------------------------/

/--------------------------------------------------------------[kyrmeso: money]\
|        Oh! So I should buy a product off the shelf instead! They've done the |
|                                     experiments already to know what's good! |
\------------------------------------------------------------------------------/

/[cendyne: cupcake]------------------------------------------------------------\
| Don't waste your business's resources. PQC is still new and being evaluated  |
| by experts [L8]. Adding PQC to your application is likely premature [L9].    |
| You can be crypto agile without PQC, for more see Cryptographic Agility      |
| [L10].                                                                       |
\------------------------------------------------------------------------------/

--------------------------------------------------------------------------------

 [L1]: https://en.wikipedia.org/wiki/Trapdoor_function
 [L2]: https://eprint.iacr.org/2022/975.pdf
 [L3]: https://archive.ph/3gsEj
 [L4]: https://www.itu.int/rec/T-REC-X.509-198811-S
 [L5]: https://en.wikipedia.org/wiki/Dot-com_bubble
 [L6]: https://archive.ph/M1YYw
 [L7]: https://en.wikipedia.org/wiki/Downgrade_attack
 [L8]: https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-
       quantum-resistant-cryptographic-algorithms
 [L9]: https://lwn.net/Articles/890788/
[L10]: /topics/crypto-agility.html