post-quantum cryptography - PQC

Could you please review this change?

PQCrypto: Difference between revisions - Whonix

1 Like

Looks good.

1 Like

Could you review and confirm this edit please? PQCrypto: Difference between revisions - Whonix

1 Like

I like it!

Linus Torvald doesnt believe in Quantum computers will exist at all.

Tech News Tuesday - Sep 4, 2018 - Linux Creator “Unbeliever” in Quantum Computing

1 Like

It’s been in the news recently that Intel has it.

But I haven’t researched how/if Intel is any close to the real thing.

1 Like

All you need to know about the state of PQC NIST submissions and Qunatum advancements: - The year in post-quantum crypto


Requested support for multiple recipients

1 Like

Stateful hashes are especially dangerous in virtual environments because they can be easily used improperly. Opened feature request for stateless sig schemes like SPHINCS

1 Like

Could you review PQCrypto: Difference between revisions - Whonix please? @HulaHoop

1 Like

Adopted changes but kept 2022 date as final deadline

1 Like

Hey guys, first time using this forum so forgive me if i missed something.
We are a group of students from Germany and my colleagues and I developed a public website with the goal of presenting all known scientific papers that add to the Post-Quantum Cryptography research. You can visit it under the link:
We would very much appreciate your contribution, participation and feedback to the current status of the website and the general idea. Our goal is to have a central, regularly used accesspoint for the entire community to discuss and present the ongoing research of all aspects of the expected migration to post-quantum cryptography and cryptographic agility.


Hello and welcome to Whonix forums! Interesting!

Account upgraded. Links can be posted now.
(That’s just a crude spam filter to avoid some totally unrelated stuff such as SEO services to be advertised.)

1 Like

Whonix ™ includes Codecrypt by default

Its dead project since 8 years and mostly no more updates: (only PR)

First, I really don’t have much time to actually develop this. It was a bachelor thesis, I was happy to put it out, now I’m doing completely different stuff… Lookin’ at the clock, it’s been whew almost whopping 8 years now!

I don think its worth to have it by default.

Why? Is its main functionality or cryptography broken?

Not sure if either is really checked thoroughly, if we talk about usage
well how many users or any other projects using it? and really did
checked the source code? and if we talk cryptographically do we have
anybody audited the code/checked for its security effectiveness?

The idea of using dead project is something, and using it to solve
future attacks which has yet to come something else.

Either something actively maintained exist or there is none.

Patrick via Whonix Forum:

I had someone very smart look at it and give it and give it his approval.

Sometimes mature codebases no longer need updates and work well into the future. Unless you have a paper on its mainly used algo being broken by a new attack, this software is good to go.


I see, ok cool then.

One thing i found here:

its talking about codecrypt usage with thunderbird but if we read here:


Cryptography is not intended for “online” use, because some algorithms (especially the MDPC decoding) are (slightly) vulnerable to timing attacks.

Thats mean its still ok to be used with thunderbird or not?

1 Like

I am not sure what he means by that. Feel free to ask the author. What I think is this:

Using codecrypt isn’t “online” just because a message is sent over the internet. The message is created “offline”. Remote attackers will have a hard time using timing related side-channel attacks. So yes, fine to be used with Thunderbird.

What’s an example for “online”? For example TLS or Diffie–Hellman could be considered “online”. When these connections are negotiated between peers, a man-in-the-middle might attempt to tamper with the timing by adding artificial delay sometimes in the connection between the peers. If that in theory was to succeed in weakening or breaking the encryption, then that would be a successful “online” attack.

1 Like

Online means implemented as for website ssl connections for example. In short, any automated decryption process without human eyes seeing decryption failure which is a sign of this attack.