In an out-of-band conversation with corsac, it appeared that I didn't
  make my point clearly enough, so here is a recap:

- It is known that nation-state adversaries, interested in mass
  surveillance, are currently recording encrypted traffic they observe,
  in the hope of being able to decrypt it in the future (by obtaining
  the keys or through cryptanalytic means).
- Currently available key exchange mechanisms are all broken by a
  passive, quantum adversary.
- Hence, the forward-secrecy of **currently-transmitted traffic** lasts
  at most as long as nation-state adversaries do not obtain quantum
  computers.
- While quantum computers do not exist yet [0], estimates on the time
  before discovery vary wildly, from 5 to 50 years.


In that light, having a post-quantum kex makes sense.  The NTRU scheme
  has been first formulated 20 years ago and has withstood serious
  scrutiny.  Interestingly, the PQCRYPTO workgroup spoke is evaluating
  the Stehle–Steinfeld variant (not the one available in StrongSwan)
  for long-term security [1].


Note that this is purely about making future mass surveillance, assisted
  by quantum computers, more costly.  This isn't about targeted
  attacks against a specific IPSec deployment (where the situation is
  much more complex, and endpoint security plays a more prevalent role).


[0]: The DWave machines are quantum annealers, and aren't known to be
     able to run Shor's or Grover's algorithms, nor any other
     algorithm relevant for cryptanalysis.

[1]: http://pqcrypto.eu.org/docs/initial-recommendations.pdf

Attachment: pgpPefJJWc3Ci.pgp
Description: PGP signature

Reply via email to