I would like to see FIRO remain at the forefront of privacy and security innovation. With the advent of quantum computing, today’s encryption standards would be broken with relative ease. The implications of this are staggering. Projects like Tidecoin are utilizing a “post quantum” encryption algorithm in an attempt to mitigate this future threat. At what point should we start to consider the implementation of such algorithms? At what point would it be too late? Should FIRO start to consider the testing of post quantum algorithms?

Hey FIDO,

Thank you for your question!

Quantum-resistant schemes are definitely on our radar.

The main concern is that while work can be done to implement ‘post quantum’ encryption schemes today, there are many factors to be considered.

- Many such schemes are still experimental, and there have been cases where quantum-resistant algorithms previously thought to be secure have been shown to be insecure. While you are only POSSIBLY securing yourself against quantum computers of sufficient power, which may or may not exist in the next couple of years, you could end up using an algorithm that is found to be broken today.

Here are some examples:

A NIST finalist for post-quantum encryption was cracked: “NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC” (SecurityWeek). Similarly, the code and libraries of these algorithms have not stood the test of time.

NTRU Prime: NTRU Prime is a lattice-based cryptographic algorithm designed to be resistant to quantum attacks. In 2020, researchers Bai, Galbraith, and Li discovered an attack on NTRU Prime that was able to recover the private key in certain scenarios. This attack exploited the structure of the polynomial rings used in NTRU Prime, which led to the development of NTRU Prime variants with improved security properties. However, the attack did not completely break the security of NTRU Prime, and it remains a viable post-quantum cryptographic candidate. (Source: Reconstructing with Less: Leakage Abuse Attacks in Two-Dimensions)

SABER: SABER is another lattice-based post-quantum encryption scheme that was submitted to the NIST Post-Quantum Cryptography Standardization process. In 2020, researchers Albrecht, Bai, and Ducas showed that SABER was vulnerable to what is called a “reduction attack” that could potentially break the security of the scheme. The attack relied on a weakness in the “Learning With Errors” (LWE) problem used in SABER, but did not completely break the algorithm. The authors provided recommendations for improving the security of SABER, and it remains a promising candidate for post-quantum cryptography. (Source: WBCD: White-box Block Cipher Scheme Based on Dynamic Library)

As you can see, using post-quantum algorithms today poses risks compared with much more well-established algorithms that have been battle-tested over years.

- Besides the potential security risks of using new PQ schemes, many of these schemes come with huge drawbacks in performance, be it in size or time. For example, STARK proofs can be 20-100x larger than what we use.

So here we are suffering from known drawbacks of scalability and performance at the cost of only potentially protecting against PQ and also being open to potential vulnerabilities of these new schemes.

But we aren’t just twiddling our thumbs: we are identifying potential areas for upgrade where quantum attacks are becoming more of a reality, and which candidates could be used to replace them. For example, we currently use Groth one-out-of-many proofs, but there are already lattice-based versions of them which may be more PQ-resistant.

I hope this answers your questions!

Note that there have been many other projects that make quantum resistance their entire selling point, but without naming them, they typically have not fared well and predictably so given the trade-offs.

Some post-quantum updates:

Signal messenger is now integrating the quantum-resistant algorithm PQXDH in their service. Here is the article.

Monero is researching post quantum strategies.

Yup, we are tracking them closely.