Post-Quantum Cryptography #24
Labels: enhancement, future-maybe, help wanted, please-give-feedback, security
Not today, but some day soon, the Internet may need post-quantum cryptography. NIST is currently putting forth the initial effort to standardize some asymmetric KEMs and signature algorithms for a post-quantum Internet.
There has been some debate on the IETF's CFRG mailing list about whether to switch immediately to post-quantum algorithms, or to implement a hybrid approach. Our internal consensus is on a hybrid signature scheme.
In a future release, we will need to add a definition for a new signature algorithm. This will be a hybrid algorithm consisting of Ed25519 and a post-quantum algorithm.
I've included a sketch for a hybrid signature scheme based on FALCON-512 below.
Example: Ed25519 + FALCON-512
Key Generation
Signing
Verifying
Remarks
By unifying two signature algorithms into one single "hybrid" algorithm, and treating it as if it were just EdDSA (or equivalent), we can prevent an entire class of algorithm misuse vulnerabilities.
Users would be expected to retain a 512-bit (64-byte) secret key, which will be used to create an Ed25519 keypair and a PRNG seed for a FALCON-512 keypair. The result would be a single keypair.
As you can see, this pattern can be generalized to any post-quantum signature algorithm. (We chose FALCON-512 for this example because it's an attractive candidate in terms of bandwidth and performance.)
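The hybrid wiring described above, written out in Go as an added example (this is not code from the issue or from libgossamer): one 64-byte secret yields an Ed25519 key and a PRNG seed for the post-quantum half, the public key and signature are fixed-layout concatenations, and verification passes only if both halves do. Go's standard library has no FALCON-512, so a Lamport hash-based one-time signature stands in for it; the domain-separated SHA-512 seed split, the `"hybrid-seed-v0"` label and the function names are this example's own assumptions.

```go
package main
import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/sha512"
)
// keys: 64-byte secret -> Ed25519 key + PQ PRNG seed (this SHA-512 split is an assumption).
func keys(secret []byte) (ed25519.PrivateKey, []byte) {
	h := sha512.Sum512(append([]byte("hybrid-seed-v0"), secret...))
	return ed25519.NewKeyFromSeed(h[:32]), h[32:]
}
// lamportPriv derives the Lamport private value for bit index i, bit value b, from the PQ seed.
func lamportPriv(seed []byte, i, b int) []byte {
	h := sha256.Sum256(append(append(append([]byte{}, seed...), byte(i)), byte(b)))
	return h[:]
}
func bit(d [32]byte, i int) int { return int(d[i/8]>>uint(7-i%8)) & 1 }
// HybridPublic: Ed25519 public key || SHA-256 of all 512 Lamport private values.
func HybridPublic(secret []byte) []byte {
	ed, pq := keys(secret)
	pub := []byte(ed.Public().(ed25519.PublicKey))
	for j := 0; j < 512; j++ {
		h := sha256.Sum256(lamportPriv(pq, j/2, j%2))
		pub = append(pub, h[:]...)
	}
	return pub
}
// HybridSign: Ed25519 signature || the 256 private values selected by the bits of SHA-256(msg).
func HybridSign(secret, msg []byte) []byte {
	ed, pq := keys(secret)
	sig, d := ed25519.Sign(ed, msg), sha256.Sum256(msg)
	for i := 0; i < 256; i++ {
		sig = append(sig, lamportPriv(pq, i, bit(d, i))...)
	}
	return sig
}
// HybridVerify treats the pair as ONE algorithm: fixed layout, and both halves must pass.
func HybridVerify(pub, msg, sig []byte) bool {
	if len(pub) != 32+2*256*32 || len(sig) != 64+256*32 {
		return false
	}
	d, pqPub, pqSig := sha256.Sum256(msg), pub[32:], sig[64:]
	for i := 0; i < 256; i++ {
		h, off := sha256.Sum256(pqSig[i*32:i*32+32]), (2*i+bit(d, i))*32
		if !bytes.Equal(h[:], pqPub[off:off+32]) {
			return false
		}
	}
	return ed25519.Verify(ed25519.PublicKey(pub[:32]), msg, sig[:64])
}
```

Lamport keys are one-time (signing two different messages under the same secret reveals private values), so the stand-in only exercises the combiner; a FALCON-512 implementation would drop into the same slot without changing the hybrid functions.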