Post-quantum security for NIP44

[paulmillr]

NIP44 is versioned, meaning, we could add post-quantum security easily. A proper audit would need to be executed, of course, but it could be done at any time.

Recently, two protocols incorporated PQ security:

• Signal https://signal.org/blog/pqxdh/
• iMessage https://security.apple.com/blog/imessage-pq3/

However, both of them do NOT protect against active post-quantum adversary which can do MITM in real-time. They only protect against harvest now, decrypt later kind of attacks. In fact, it's written in the Apple's blog post:

With PQ3, iMessage continues to rely on classical cryptographic algorithms to authenticate the sender and verify the Contact Key Verification account key, because these mechanisms can’t be attacked retroactively with future quantum computers. To attempt to insert themselves in the middle of an iMessage conversation, an adversary would require a quantum computer capable of breaking one of the authentication keys before or at the time the communication takes place. In other words, these attacks cannot be performed in a Harvest Now, Decrypt Later scenario — they require the existence of a quantum computer capable of performing the attacks contemporaneously with the communication being attacked. We believe any such capability is still many years away, but as the threat of quantum computers evolves, we will continue to assess the need for post-quantum authentication to thwart such attacks.

This discussion is just a placeholder for the future: for anyone who would like to do more research on the topic.

To reiterate:

• Simply using hybrid ecdh + ml-kem (kyber) is not enough
• There needs to be a way for post-quantum authentication and verification

[alexgleason]

I have been thinking about this. But more about NIP-01 and Bitcoin itself. Is a hard fork inevitable?

[paulmillr]

Maybe. It’s still unclear whether sufficiently powerful computers would be built at all.

I don’t think “hard forks” are that scary. Check out lopp’s post on them: https://blog.lopp.net/has-bitcoin-ever-hard-forked/ - there have been a bunch of changes which are technically similar to hard forks.