[RFC] Protocol-Forkless Post-Quantum Resistance Through Out-Of-Band Communications, New Algorithms Need Not Apply
wryMitts opened this issue · comments
Purpose
PQ Resistance? Wasn't a protocol upgrade already merged?
- Post-quantum algorithms are still immature, measured by years of deployment and analysis, compared to algorithms such as AES, Diffie-Hellman, and even elliptic curves.
- Implementation errors may still lurk, even in later versions of PQ implementations. [1]
- Undiscovered mathematical design weaknesses may permanently aid cryptanalysis on long time scales, especially with threat models where an adversary stores all messages.
Therefore, adding post-quantum resistance using existing algorithms with complete backwards compatibility and user-experience considerations may be of interest.
Design
The Signal Double Ratchet Protocol already provides an initial level of resistance to retrospective cryptanalysis: an adversary must have recorded every past ratchet public key, and therefore every sent message, in order to compute the plaintext of a current session [2]. If the protocol is later compromised, for example by passive quantum cryptanalysis of its asymmetric algorithms, any message the adversary failed to record deprives them of a KDF input and may hamper decryption of the remaining messages in the chain.
To turn this property into a defence against the Store Now, Decrypt Later attack, a new function should be added to the Signal Safety Number Verification UI that permits out-of-band seeding of future Double Ratchet root keys, using Double Ratchet messages exchanged over a local interface such as Bluetooth, NFC, or QR codes.
While Bluetooth would allow out-of-band seeding to happen automatically, a Bluetooth transmission is a privacy-unfriendly long-range radio broadcast that reveals device MAC addresses. A short-range radio such as NFC could be used instead, although it carries the risks inherent in any radio transmission.
The best, although slowest, option may be QR code scanning with two-way communication, such as the scheme implemented in the GrapheneOS Auditor app [3].
Once out-of-band messages have been exchanged between Alice and Bob, an external passive adversary lacks the KDF inputs needed to decrypt future in-band messages. The process may be repeated if desired, although the benefit of repetition is unclear.
Concept
[Concept diagram: image adapted from https://signal.org/blog/verified-safety-number-updates/]
References
[1, a] https://cloudsecurityalliance.org/blog/2023/04/03/is-pqc-broken-already-implications-of-the-successful-break-of-a-nist-finalist
[1, b] https://eprint.iacr.org/2022/1713
[2] https://signal.org/docs/specifications/doubleratchet/
[3, a] https://github.com/GrapheneOS/Auditor
[3, b] https://attestation.app/about
[3, c] https://github.com/GrapheneOS/Auditor/blob/76/app/src/main/java/app/attestation/auditor/AttestationProtocol.java#L120-L193