post-quantum cryptography - PQC

Patrick · April 17, 2017, 9:42pm

Could you please review this change?

PQCrypto: Difference between revisions - Whonix

HulaHoop · April 18, 2017, 2:09pm

Looks good.

Patrick · August 25, 2018, 7:28am

Could you review and confirm this edit please? PQCrypto: Difference between revisions - Whonix

HulaHoop · August 25, 2018, 12:59pm

I like it!

nurmagoz · January 15, 2019, 3:29pm

Linus Torvald doesnt believe in Quantum computers will exist at all.

Tech News Tuesday - Sep 4, 2018 - Linux Creator “Unbeliever” in Quantum Computing

Patrick · January 15, 2019, 5:03pm

It’s been in the news recently that Intel has it.

But I haven’t researched how/if Intel is any close to the real thing.

HulaHoop · January 16, 2019, 3:45pm

All you need to know about the state of PQC NIST submissions and Qunatum advancements: media.ccc.de - The year in post-quantum crypto

HulaHoop · May 10, 2019, 8:20pm

Requested support for multiple recipients

HulaHoop · May 12, 2019, 2:42am

Stateful hashes are especially dangerous in virtual environments because they can be easily used improperly. Opened feature request for stateless sig schemes like SPHINCS

#9 - Stateless Hash Sigs - codecrypt - Gitea on blesmrt.net

Patrick · July 31, 2020, 9:27am

Could you review PQCrypto: Difference between revisions - Whonix please? @HulaHoop

HulaHoop · July 31, 2020, 12:25pm

Adopted changes but kept 2022 date as final deadline

Tobias_G · July 15, 2021, 5:01pm

Hey guys, first time using this forum so forgive me if i missed something.
We are a group of students from Germany and my colleagues and I developed a public website with the goal of presenting all known scientific papers that add to the Post-Quantum Cryptography research. You can visit it under the link:
https://cspub.h-da.io/cma/
We would very much appreciate your contribution, participation and feedback to the current status of the website and the general idea. Our goal is to have a central, regularly used accesspoint for the entire community to discuss and present the ongoing research of all aspects of the expected migration to post-quantum cryptography and cryptographic agility.

Patrick · July 15, 2021, 6:22pm

Hello and welcome to Whonix forums! Interesting!

Account upgraded. Links can be posted now.
(That’s just a crude spam filter to avoid some totally unrelated stuff such as SEO services to be advertised.)

nurmagoz · August 9, 2021, 8:25pm

Whonix ™ includes Codecrypt by default

Its dead project since 8 years and mostly no more updates: (only PR)

First, I really don’t have much time to actually develop this. It was a bachelor thesis, I was happy to put it out, now I’m doing completely different stuff… Lookin’ at the clock, it’s been whew almost whopping 8 years now!

I don think its worth to have it by default.

Patrick · November 5, 2022, 1:35pm

Why? Is its main functionality or cryptography broken?

nurmagoz · November 8, 2022, 12:36pm

Not sure if either is really checked thoroughly, if we talk about usage
well how many users or any other projects using it? and really did
checked the source code? and if we talk cryptographically do we have
anybody audited the code/checked for its security effectiveness?

The idea of using dead project is something, and using it to solve
future attacks which has yet to come something else.

Either something actively maintained exist or there is none.

Patrick via Whonix Forum:

HulaHoop · November 8, 2022, 3:29pm

I had someone very smart look at it and give it and give it his approval.

Sometimes mature codebases no longer need updates and work well into the future. Unless you have a paper on its mainly used algo being broken by a new attack, this software is good to go.

nurmagoz · November 17, 2022, 11:49pm

I see, ok cool then.

One thing i found here:

its talking about codecrypt usage with thunderbird but if we read here:

Caveats:

Cryptography is not intended for “online” use, because some algorithms (especially the MDPC decoding) are (slightly) vulnerable to timing attacks.

Thats mean its still ok to be used with thunderbird or not?

Patrick · November 18, 2022, 6:03am

I am not sure what he means by that. Feel free to ask the author. What I think is this:

Using codecrypt isn’t “online” just because a message is sent over the internet. The message is created “offline”. Remote attackers will have a hard time using timing related side-channel attacks. So yes, fine to be used with Thunderbird.

What’s an example for “online”? For example TLS or Diffie–Hellman could be considered “online”. When these connections are negotiated between peers, a man-in-the-middle might attempt to tamper with the timing by adding artificial delay sometimes in the connection between the peers. If that in theory was to succeed in weakening or breaking the encryption, then that would be a successful “online” attack.

HulaHoop · November 18, 2022, 8:15am

Online means implemented as for website ssl connections for example. In short, any automated decryption process without human eyes seeing decryption failure which is a sign of this attack.