post-quantum cryptography - PQC



We ought to document this mess. It’s said that the first quantum computer will exist in 10 to 15 years. It’s safe to assume that all encrypted communication has been logged. Once quantum computers exist, most asymmetric past communications will be decrypted. That’s a strong blow.

Even if there are no replacement tools available yet, users should be aware of this. “Use symmetric encryption and agree upon a pre-shared key through a secure channel”, where “secure channel” would practically only be a personal meeting, may not be practically possible in most cases but would still be the only fallback.

Doesn’t look like PQC is on the horizon for gnupg or openssh unfortunately.



Good day,

the main problem here is that civilians like us don’t really have access to quantum computers. There is very little public information about how they operate and even less on their true capabilities. We can’t be sure that cryptography which is based on a “secret-key”, rather than some defined mathematical system, is enough, especially when keeping in mind that, even though not based on elliptic curves, they still necessitate a set of base rules which are to be followed. This in turn again means that, while it may not seem possible at the moment, with technological advances, even less predictable solutions may be vulnerable. Though, like I’ve said, this (and pretty much everything regarding cryptography and quantum computers) is mainly speculation and theorizing, as, like I’ve said, the access to such devices isn’t public.

Have a nice day,



What should a page about PQCrypto cover?

It’s a large topic. Complicated.

Within 3 versions Tor will begin using PQCrypto “hybrid” handshakes to future proof itself against the collect and decrypt attack.


Just a small summary directed at users. Document what might happen in 10 to 15 years [all gnupg asymmetric encryption broken etc.] and point out best practices for PQC proof tools and workarounds as best understood at the moment.


Small summary. Feel free to change:


I wonder if a new page is justified?

Perhaps either https://www.whonix.org/wiki/Security_Guide or https://www.whonix.org/wiki/Advanced_Security_Guide makes it better?

That reminds me that we perhaps should add a “you should encrypt your communications if possible” chapter to the [advanced] security guide? One that briefly explains this and then links to the following two pages that already cover encryption?


The topic is a big milestone for crypto so a dedicated page makes sense IMO. I don’t think we should link to it from these other topics because there is not much a user can do operationally today to defend besides waiting for projects to upgrade their ciphersuites.



There are a few things for users to consider:

  • to be aware of this mess - I am glad to know that likely mails I
    asynchronously encrypt today will definitely not remain secret for long,
    no matter opsec whatever. The same goes for past ones.

  • therefore considering to use pre-shared keys and symmetric encryption
    for critical communication - we could recommend using gnupg symmetric
    encryption for that

  • to consider [additionally] using codecrypt from github


Agree with points 1 and 2. I’m not sure how to contextualize this page when discussing email and other topics.

This page could serve as a research effort of what solutions are out there today though codecrypt does not inspire confidence:

Author is a self-taught cryptographer.

Maybe we should list it still in case someone does a code review and blesses it safe.


We have the recommendation to encrypt communications (implicitly?) covered on the warning page.

The author is honest and humble, which is a good basis. However, quoting that when linking to that project is fine.


Codecrypt looks very interesting. It was written for a bachelor thesis and not some weekend experiment by a hobbyist so you are right about him being humble.

Have you had any success building it from source? The only packages provided are 64 bit only and unfortunately not signed.


For added protection against the NSA, encrypt using AES chain block cipher mode, then encrypt the cipher text (the result from the first encryption) again, and repeat as many times as you can afford to repeat. The NSA would probably try brute force searching to go through the search space, and figure out they’ve cracked the code by determining the entropy of the result for each of the keys they test. They know when to stop when they see meaningful text as the result. By encrypting several times, you make it harder for them to determine when they have cracked a code because if they did try the right key, then they would see jumble as the result, almost indistinguishable from the results of the incorrect keys. As you increase the number of re-encryptions, the difficulty of cracking encrypted content becomes more difficult. The NSA will lose its mind trying to figure out when they have cracked the code.

Software like TrueCrypt can do multiple encryption for you. But beware of naive encryption that simply runs in the “Encrypted Code Book” mode. You will need encryption that runs in one of the more sophisticated modes like “Chain Block Cipher” or “Cipher Feedback.” Yes, a quantum computer would make it easier for the NSA to go through the possible keys to try. But by encrypting multiple times (with a DIFFERENT key for each encryption repeat of course), you make the search space difficult by a factor of the key length. Hopefully this helps you keep your stuff out of the NSA’s reach.

-The implications of applying multiple layers of encryption can be quite complex and in the worst case reduce the individual layers’ security - take for example XORing the entire message twice - you end up with the original message! And even if you use two different keys, it’s still equivalent to XORing with one entirely different key. It’s of course more complex with AES, but you’d really do yourself a favour by increasing the key size instead… – Tobias Kienzler
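The XOR case from the comment above, worked through as an added example that is not part of the original thread. It uses a toy repeating-key XOR layer only; the function names, sample message and keys are constructed for illustration, and it shows nothing about how AES layers compose.

```python
from itertools import cycle
from math import gcd

def xor_layer(data: bytes, key: bytes) -> bytes:
    """One toy 'encryption' layer: repeating-key XOR (illustration only)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def collapse(k1: bytes, k2: bytes) -> bytes:
    """Return the single key equivalent to applying k1 and then k2."""
    # The combined keystream repeats with period lcm(len(k1), len(k2)).
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return bytes(a ^ b for _, a, b in zip(range(n), cycle(k1), cycle(k2)))

def search_single_key(ciphertext: bytes, known_prefix: bytes, key_len: int):
    """Try every single-layer key of key_len bytes; return (key, tries)."""
    for tries, candidate in enumerate(range(256 ** key_len), start=1):
        key = candidate.to_bytes(key_len, "big")
        if xor_layer(ciphertext[:len(known_prefix)], key) == known_prefix:
            return key, tries
    return None, 256 ** key_len

# Constructed sample data (not from the thread).
MESSAGE = b"constructed sample message"
K1, K2 = b"\x13\x37", b"\xc0\xde"

def demo():
    # Same key twice: the layers cancel and the plaintext comes back.
    twice_same = xor_layer(xor_layer(MESSAGE, K1), K1)
    # Two different keys: still just one XOR layer under a different key.
    double = xor_layer(xor_layer(MESSAGE, K1), K2)
    # Searching the single-key space (2**16) is enough; no need for 2**32 pairs.
    key, tries = search_single_key(double, MESSAGE[:4], key_len=2)
    return twice_same, double, key, tries

if __name__ == "__main__":
    twice_same, double, key, tries = demo()
    print("same key twice restores plaintext:", twice_same == MESSAGE)
    print("two keys == one key:", double == xor_layer(MESSAGE, collapse(K1, K2)))
    print(f"recovered composite key {key.hex()} in {tries} tries (not 2**32)")
```
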


Thirty-Year-Old Encryption Formula Can Resist Quantum-Computing Attacks That Defeat All Common Codes

1978 Cryptosystem Resists Quantum Attack



If you mean me, I have no idea. I am not a programmer; I copy/paste those links and texts from my research on the internet.


Codecrypt has made it into Debian :smiley:



Adoption checklist:

  1. Quantum-resistant algorithms reviewed by academic journals
  2. Algorithms tested by well-regarded hackers
  3. Code audited for correct implementation
  4. Enough adoption so I’m not the only user

I would guess #1 has been completed. Will look into it further as time permits…


How to get codecrypt on Debian has been documented by @HulaHoop.




Blogged about this.