post-quantum cryptography - PQC


What should a page about PQCrypto cover?

It's a large topic. Complicated.

Within 3 versions Tor will begin using PQCrypto “hybrid” handshakes to future-proof itself against the collect-and-decrypt attack.


Just a small summary directed at users. Document what might happen in 10 to 15 years [all gnupg asymmetric encryption broken etc.] and point out best practices for PQC proof tools and workarounds as best understood at the moment.


Small summary. Feel free to change:


I wonder if a new page is justified?

Perhaps either https://www.whonix.org/wiki/Security_Guide or https://www.whonix.org/wiki/Advanced_Security_Guide is the better fit?

That reminds me that perhaps we should add a “you should encrypt your communications if possible” chapter to the [advanced] security guide, one that briefly explains this and then links to the following two pages that already cover encryption?


The topic is a big milestone for crypto so a dedicated page makes sense IMO. I don’t think we should link to it from these other topics because there is not much a user can do operationally today to defend besides waiting for projects to upgrade their ciphersuites.




There are a few things for users to consider:

  • to be aware of this mess - I am glad to know that the mails I
    asynchronously encrypt today will likely not remain secret for long,
    no matter the opsec. The same goes for past ones.

  • therefore to consider using pre-shared keys and symmetric encryption
    for critical communication - we could recommend using gnupg symmetric
    encryption for that

  • to consider [additionally] using codecrypt from GitHub


Agree with points 1 and 2. I’m not sure how to contextualize this page when discussing email and other topics.

This page could serve as a research effort of what solutions are out there today though codecrypt does not inspire confidence:

Author is a self-taught cryptographer.

Maybe we should list it still in case someone does a code review and blesses it safe.


We have the recommendation to encrypt communications (implicitly?) covered on the warning page.

The author is honest and humble, which is a good basis. However, quoting that when linking to that project is fine.


Codecrypt looks very interesting. It was written for a bachelor thesis and not some weekend experiment by a hobbyist so you are right about him being humble.

Have you had any success building it from source? The only packages provided are 64-bit only and unfortunately not signed.


For added protection against the NSA, encrypt using AES chain block cipher mode, then encrypt the cipher text (the result from the first encryption) again, and repeat as many times as you can afford to repeat. The NSA would probably try brute-force searching to go through the search space, and figure out they’ve cracked the code by determining the entropy of the result for each of the keys they test. They know when to stop when they see meaningful text as the result. By encrypting several times, you make it harder for them to determine when they have cracked a code, because if they did try the right key, they would see jumble as the result, almost indistinguishable from the results of the incorrect keys. As you increase the number of re-encryptions, cracking the encrypted content becomes more difficult. The NSA will lose its mind trying to figure out when they have cracked the code.

Software like TrueCrypt can do multiple encryption for you. But beware of naive encryption that simply runs in the “Encrypted Code Book” mode. You will need encryption that runs in one of the more sophisticated modes like “Chain Block Cipher” or “Cipher Feedback.” Yes, a quantum computer would make it easier for the NSA to go through the possible keys to try. But by encrypting multiple times (with a DIFFERENT key for each encryption repeat of course), you make the search space difficult by a factor of the key length. Hopefully this helps you keep your stuff out of the NSA’s reach.

The implications of applying multiple layers of encryption can be quite complex and in the worst case reduce the individual layers’ security - take for example XORing the entire message twice - you end up with the original message! And even if you use two different keys, it’s still equivalent to XORing with one entirely different key. It’s of course more complex with AES, but you’d really do yourself a favour by increasing the key size instead… – Tobias Kienzler
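The XOR point in the quoted comment, carried through on actual bytes as an added example (not code from the thread or from any project mentioned in it); the message and keys are constructed here:

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings: one stream-cipher style 'layer'."""
    if len(a) != len(b):
        raise ValueError("key and message must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def double_layer_collapses(message: bytes, k1: bytes, k2: bytes) -> dict:
    """Apply two XOR layers with keys k1 and k2 and compare against a single
    XOR layer under the combined key k1 ^ k2.  Returns the observations."""
    twice = xor_bytes(xor_bytes(message, k1), k2)
    same_key_twice = xor_bytes(xor_bytes(message, k1), k1)
    combined = xor_bytes(k1, k2)
    return {
        # Same key twice: the layers cancel and the plaintext is exposed.
        "same_key_twice_is_plaintext": same_key_twice == message,
        # Different keys: byte-identical to one layer under k1 ^ k2, so the
        # search space is still that of a single key of the original length.
        "two_keys_equal_one_combined_key": twice == xor_bytes(message, combined),
        "combined_key_len": len(combined),
    }


def demo() -> dict:
    # Constructed sample input, not taken from the thread.
    msg = b"constructed sample message"
    k1 = secrets.token_bytes(len(msg))
    k2 = secrets.token_bytes(len(msg))
    return double_layer_collapses(msg, k1, k2)
```

AES is not a group, so two AES layers do not collapse to a third AES key the way XOR does, but the quoted conclusion still stands: a larger key size is the cleaner way to gain margin than stacking layers.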


Thirty-Year-Old Encryption Formula Can Resist Quantum-Computing Attacks That Defeat All Common Codes

1978 Cryptosystem Resists Quantum Attack



If you mean me, I have no idea, I am not a programmer; I copy/paste those links & texts from my research on the internet.


Codecrypt has made it into Debian :smiley:



Adoption checklist:

  1. Quantum-resistant algorithms reviewed by academic journals
  2. Algorithms tested by well-regarded hackers
  3. Code audited for correct implementation
  4. Enough adoption so I’m not the only user

I would guess #1 has been completed. Will look into it further as time permits…


How to get codecrypt on Debian has been documented by @HulaHoop.




Blogged about this.


Could you please review this change?



Looks good.