post-quantum cryptography - PQC

Could you review PQCrypto: Difference between revisions - Whonix please? @HulaHoop

Adopted changes but kept 2022 date as final deadline

Hey guys, first time using this forum so forgive me if i missed something.
We are a group of students from Germany and my colleagues and I developed a public website with the goal of presenting all known scientific papers that add to the Post-Quantum Cryptography research. You can visit it under the link:
https://cspub.h-da.io/cma/
We would very much appreciate your contribution, participation and feedback to the current status of the website and the general idea. Our goal is to have a central, regularly used accesspoint for the entire community to discuss and present the ongoing research of all aspects of the expected migration to post-quantum cryptography and cryptographic agility.

Hello and welcome to Whonix forums! Interesting!

Account upgraded. Links can be posted now.
(That’s just a crude spam filter to avoid some totally unrelated stuff such as SEO services to be advertised.)

Whonix ™ includes Codecrypt by default

Its dead project since 8 years and mostly no more updates: (only PR)

First, I really don’t have much time to actually develop this. It was a bachelor thesis, I was happy to put it out, now I’m doing completely different stuff… Lookin’ at the clock, it’s been whew almost whopping 8 years now!

I don think its worth to have it by default.

Why? Is its main functionality or cryptography broken?

Not sure if either is really checked thoroughly, if we talk about usage
well how many users or any other projects using it? and really did
checked the source code? and if we talk cryptographically do we have
anybody audited the code/checked for its security effectiveness?

The idea of using dead project is something, and using it to solve
future attacks which has yet to come something else.

Either something actively maintained exist or there is none.

Patrick via Whonix Forum:

I had someone very smart look at it and give it and give it his approval.

Sometimes mature codebases no longer need updates and work well into the future. Unless you have a paper on its mainly used algo being broken by a new attack, this software is good to go.

I see, ok cool then.

One thing i found here:

its talking about codecrypt usage with thunderbird but if we read here:

Caveats:

Cryptography is not intended for “online” use, because some algorithms (especially the MDPC decoding) are (slightly) vulnerable to timing attacks.

Thats mean its still ok to be used with thunderbird or not?

I am not sure what he means by that. Feel free to ask the author. What I think is this:

Using codecrypt isn’t “online” just because a message is sent over the internet. The message is created “offline”. Remote attackers will have a hard time using timing related side-channel attacks. So yes, fine to be used with Thunderbird.

What’s an example for “online”? For example TLS or Diffie–Hellman could be considered “online”. When these connections are negotiated between peers, a man-in-the-middle might attempt to tamper with the timing by adding artificial delay sometimes in the connection between the peers. If that in theory was to succeed in weakening or breaking the encryption, then that would be a successful “online” attack.

Online means implemented as for website ssl connections for example. In short, any automated decryption process without human eyes seeing decryption failure which is a sign of this attack.

I’m seeing a lot of misconceptions about QC in here, so I want to clear things up below. If you want to see my replys to the programs listed in the comments, scroll down furhter.

I feel like if Whonix wants to use PQC, then it would mean that the user would have to make everyone they are communicating with to agree on using a specific PQC-resistant cipher/signature program. With most people using RSA and ECC, this would be hard but not impossible to achieve. This would mean that people would have to manually crunch the numbers regarding the validity of your signature unless Whonix has an in-built GUI for PQC applications.

As far as I’m aware from my knowledge in Theoretical Computer Science, the integer factorization problem (RSA) and finding the value “p” in an eliptic curve (discrete log) (ECC) are NP-intermediate and co-NP respectively. It is currently debated on whether discrete log is NP-hard or not.

For the laymen here, this means that a classic computer has to brute-force or can only find the answer in an exponential function, that is that the time it takes for a computer to find the answer increases exponentially with the amount of possible answers.

In contrast, a very smart man from MIT (Peter Shor) figured out that quantum computers can do this process is “poly-logarithmic time” which says that the time it takes for a quantum computer to factor a number is equal to the logarithm of the amount of possible answers.

While this is scary, the caveat is that a quantum computer needs no noise or decoherence to be as effective as it can. Literally and figuratively breathing on a qubit or even the room being too hot that completely disrupt the superposition.

I’d say that the amount of scientists who say that QC is a fad compared to those who are genuinely worried is a 50/50. We just don’t know when quantum computers can finally have their true power revealed as they have so many obstacles to go through.

Currently, the biggest number factored only with a quantum computer that ran more than mere milliseconds was 21, and the biggest factored with a hybrid quantum-classical system was 261, 980, 999, 226, 226, with the calculation being 15538213 x 16860433 was done with 10 qubits and was only RSA-40 bits.

We are far from the Whonix project having to consider this so early in development, but I think that these first baby steps are fine, but developing a GUI/CLI tool equivalent to GnuPG/libgcrypt or gpa is absurd.

@Patrick if you absolutely need help with cryptographically approved methods, then I recommend crystals-kyber as it is NIST approved. NTRUEncrypt also seems fairly nice. Both of these have no known efficient polynomial (easy to solve and answer) problems on both classical computers and QC.

The articles you listed on PQC are very interesting, and I somewhat agree with Linus when he says that QC’s may not exist. I personally think that while QC’s will exist, they will always have noise that will make breaking RSA and ECC hard as their bit sizes go up. I expect in 20-30 years we will probably have the key sizes of today be broken.

Even with me saying that I find making PQC solutions for Whonix absurd I’m considering working on making a GUI/CLI tool for this in Whonix as I want to volunteer for a project that I love, but I have no idea where to propose one once the code is written. Any ideas?

Please consider maintaining this as an independent upstream project.

Making it specific to Whonix would only limit peer review, security and this is essential for such an application.

Please ask more people.

That depends… A new algorithm or implementation of existing algorithm into an app usable by users?

Also does it need to be a new application or would it be worthwhile to contribute to lets say GnuPG, Sequoia-PGP, signify, OTR, fork codecrypt, or other existing protocols / messengers?

While ago I’ve read that kicksecure wanted to use codecrypt signatures for extra security [unable to find source for that] and recently I got inspired by rhash[1] for a slight proposal, let’s call it paranoid-sign for now.

paranoid-sign would be simple cli program that would utilize the following libraries to produce recursive digest files that are recursively signed with multiple algorithms, as provided by stated libraries.

• https://github.com/open-quantum-safe/liboqs
• https://github.com/openssl/openssl
  • liboqs/docs/algorithms at main · open-quantum-safe/liboqs · GitHub
  • openssl dgst -list

    Supported digests:
    -blake2b512 -blake2s256 -md4
    -md5 -md5-sha1 -ripemd
    -ripemd160 -rmd160 -sha1
    -sha224 -sha256 -sha3-224
    -sha3-256 -sha3-384 -sha3-512
    -sha384 -sha512 -sha512-224
    -sha512-256 -shake128 -shake256
    -sm3 -ssl3-md5 -ssl3-sha1
    -whirlpool

So the result would be keys and signatures with higher disk / bandwidth cost, with the pro of defense in depth benefit.

Such approach is perfect for high security requirements, only project that I am aware of that stacks algorithms for maximum integrity is rhash[1] (and codecrypt partially).

Since all critical functions would be offloaded onto external libraries, it would be very low line count program making it easy to audit it. The only problem being - is another program needed?

How many people / projects would benefit from paranoid-sign? Is it better to urge projects like GnuPG (which should eventually get PQC support) to add something like --paranoid mode keys and signing or make program just for this purpose to get this functionality early?

I am aware that this may be slightly off-topic to Whonix, I am bringing this idea up because codecrypt signatures were meant to be used for kicksecure and Whonix.

Has anything ever come out of this?

[1] https://github.com/rhash/RHash

I wouldn’t call it paranoid as this implies a mental issue but PQC is very much accepted as potentially becoming an issue.

related: use codecrypt to sign Whonix releases

The assumption here is that if signed by multiple algorithms, that makes it quantum-resistant? While that is conceivable, I don’t know if that is true. Therefore this assumption could use (a few) reference(s).

If that was true, all that would be needed would be a wrapper script around openssl and maybe other existing hashsum creation tools? That would be nice but also somehow sounds too simple to be true. In that case, auditing would be trivial as the algorithms are implemented by already trusted, existing tools.

I don’t think campaigning them would speed up things. gpg could not even be convinced to use the most secure default security settings among other things. Maybe that is why there is now Sequoia-PGP (gpg replacement) - OpenPGP - Development - Kicksecure Forums which seems to have the intention to re-implement things in a better designed way.

Only contributing code the way they want it or forking/new source code would work.

Also consider checking PQC plans for sequoia and contributing to sequoia.

I used the word paranoid because I was inspired by Qubes OS[1] which has --paranoid-mode argument for qvm-backup-restore.

In the case of Qubes OS it implies distrust of backup integrity, in the case of paranoid-sign it would imply distrust in using single algorithm, ex. sha+rsa.

I will use the word hardened from now on to reduce confusion and stay more consistent with Whonix / kicksecure themes.

It would be quantum resistant, because it would use quantum resistant algorithms. It would just use all which are provided by liboqs[2].

Multiple algorithms would be chosen for signing because if only one was selected, it could be weaker than thought[3][4] and undermine security. With multiple algorithms, weakness in only one is less relevant for an attacker who wants to forge signatures or similiar.

For hashes - multiple algorithms are also used, in this case its used to mitigate any possible collision attack, ex. attacker has reliable sha256 0 day where it is possible to inject malicious code / binary without the checksum changing.

This is also the strategy which Signal[5] uses, although for encryption and not signing - it is still same base idea.

We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem. Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people’s communications.

Distros such as Gentoo[6] are using multiple hashes, in their case its for package integrity.

Hash types
The hashes currently supported by Portage include:
MD5
SHA1
SHA256 (SHA-2)
SHA512 (SHA-2)
SHA256 (SHA-3)
SHA512 (SHA-3)
RMD160 (RIPEMD) (strongly discouraged)
BLAKE2S
BLAKE2B
WHIRLPOOL (strongly discouraged)

Which is very similar list to openssl dgst -list output.

This is absolutely correct. Bash script as openssl wrapper is possible, not for liboqs as that is C library, so this could be split into 2 programs - hardened-sign and hardened-sum.

• hardened-sign would be simple C program that would invoke hardened-sum and sign the output with all available liboqs signing algorithms.
  • Additionally generate keys and output them to public / private files, this function is already present in liboqs, with only file handling missing - which is very simple to implement anyways.
  • Include timestamp and other metadata maybe.
• hardened-sum would be extremely simple bash script for wrapping openssl (as you described) to generate checksums, to be used by hardened-sign and for casual integrity checking unrelated to signatures.

I’ve made proof of concept hardened-sum to further compliment this idea.

#!/bin/bash

# TODO: maybe shellcheck
# TODO: maybe gnu parallel

# parse output of `openssl dgst -list`
# and convert it into array of `openssl` arguments,
# which can be used for generating list of digests with different algorithms
function parse_supported()
{
	local list_header="Supported digests: "
	algorithm_list=$(openssl dgst -list	\
		| tr -s " "			\
		| tr -d "\\n"			\
		| cut -c ${#list_header}-)

	IFS=" " read -ra algorithm_array <<< $algorithm_list
}

function hardened_sum()
{
	for algorithm_name in ${algorithm_array[@]}
	do
		# cut first character of every algorithm name which is '-', due to openssl expecting
		# `openssl sha256 ...` - and not
		# `openssl -sha256 ...`
		local cut_name=$(echo $algorithm_name | cut -c 2-)

		# some algorithms such as md4 output an error, remove `2>/dev/null` for err output
		# https://github.com/openssl/openssl/issues/21247
		# forced to use `default` provider - see `openssl list -providers` output
		local check_sum=$(openssl $cut_name $1 2>/dev/null)
		if [[ -n $check_sum ]]; then
			echo $check_sum
		fi
	done
}

parse_supported
hardened_sum $1

These programs could be used on top of GnuPG for additional security, ex. users who want to make 100% sure they aren’t being targeted by any forgery.

(By that I mean signing GnuPG signature with hardened-sign.) - to not force everyone to use some random program (random is arguable as it would be using completely public libraries so anyone could manually check signature/sum output even without hardened-sign and hardened-sum being present.)

• Ignore signature - no integrity.
• Verify GnuPG - integrity against classic computing attacks (debatable), but no assured integrity against quantum computing attacks…
• Verify hardened-sign - integrity against quantum computing attacks, but no assured integrity against classic computing attacks.
• Verify both - integrity against both.

Integrity here means that verifiability that data came from expected person, attacks mean discoverability of private key for future impersonation / man in the middle… etc.

Benefits of hardened-sign approach over something like codecrypt are seamless introduction of security fixes & new algorithms.

So to me seems like I should implement hardened-sign and hardened-sum and upload the source publicly ex. on github, then propose their hardened functionality to be included in GnuPG, its forks and other projects for security benefit.

[1] https://dev.qubes-os.org/projects/core-admin-client/en/stable/manpages/qvm-backup-restore.html
[2] https://github.com/open-quantum-safe/liboqs
[3] https://blog.cr.yp.to/20231125-kyber.html
[4] https://blog.cr.yp.to/20240102-hybrid.html
[5] https://signal.org/blog/pqxdh/
[6] https://wiki.gentoo.org/wiki/Repository_format/package/Manifest

Any non-C library? Rust? Python? Any other ways to avoid C?

I wouldn’t worry about GnuPG. It will always be possible to sign with multiple tools at once. Well, obviously just don’t use file extensions that are already taken by others such as .asc, .sig, .gpg.

I wouldn’t worry much about GnuPG compatibility. I’d suggest to think big and design this as a tool that can be used to replace GnuPG. Similar how signify was implemented. Legacy free.

But then the digest files might require version numbers because how else at a later time the program would now to insist on which algorithms to verify.

I don’t think this is how GnuPG development works. That has an almost zero percent chance of working. Check this out, dunno about it:

If you want to land patches in GnuPG or others you need to discuss this with them beforehand. Otherwise might hit a blocker.

Sequoia isn’t a a fork of gpg. It’s a rewrite from scratch in Rust. It implements the OpenPGP standard.

Both, GnuPG and Sequoia might be adamant about standardization.

https://github.com/open-quantum-safe/liboqs-go
https://github.com/open-quantum-safe/liboqs-python
https://github.com/open-quantum-safe/liboqs-cpp
https://github.com/open-quantum-safe/liboqs-rust

Library backend code still remains in C, but the projects listed above allow you to call the functions from different languages.

Sure.

Maybe and same can be said about hardened-sign automatically adding signature algorithms, hardened-sum could have additional output such as:

7/10 checksums verified successfuly
1 CHECKSUM FAILED THIS IS BAD OBVIOUS COMPROMISE (can’t think of anything better on the fly)
1 unknown hashing algorithm - imaginary-algorithm512
1 algorithm not present in digests file - madeup-algorithm512

Similar output could exist for hardened-sign. There are still other issues (mainly key files for signing) with this idea and possibly error prone, so for the sake of stability there could be static list of algorithms that are today considered safe and just use those, hardened-sum could retain --dynamic argument for standalone digests - not intended for signing.

Post-quantum algorithms seem to be chosen already and I don’t know the last time new hashing algorithm was added to openssl so maybe dynamic idea may be obsolete.

Overall currently needs more thinking.