signalapp / libsignal

Home to the Signal Protocol as well as other cryptographic primitives which make Signal possible.

[RFC] Protocol-Forkless Post-Quantum Resistance Through Out-Of-Band Communications, New Algorithms Need Not Apply

wryMitts opened this issue

Purpose

PQ Resistance? Wasn't a protocol upgrade already merged?

  • Post-quantum algorithms are still immature on the time scale of algorithms such as AES, Diffie-Hellman, and even elliptic curves.
  • Implementation errors may still lurk, even in later versions of PQ implementations. [1]
  • Undiscovered mathematical design weaknesses may permanently aid cryptanalysis on long time scales, especially with threat models where an adversary stores all messages.

Therefore, adding post-quantum resistance using existing algorithms with complete backwards compatibility and user-experience considerations may be of interest.

Design

The Signal Double Ratchet Protocol provides an initial level of cryptanalysis resistance by requiring that an adversary record all past ratchet public keys, and thus sent messages, in order to compute the plaintext of current sessions [2]. In the case of a protocol compromise, such as the passive cryptanalysis of asymmetric algorithms in quantum computing environments, the absence of a recorded message may hamper the decryption of further messages in the chain, particularly with the lack of KDF inputs.

To make use of this weakness in the Store Now, Decrypt Later attack, a new function should be added within the Signal Safety Number Verification UI, that permits out-of-band seeding of future Double-Ratchet Root Keys with Double-Ratchet messages sent via a local interface, whether in Bluetooth, NFC, or QR codes.

While Bluetooth provides extensibility by allowing out-of-band seeding automatically, the Bluetooth transmission is a privacy-unfriendly long-range radio broadcast revealing device MAC addresses. Alternatively, a short-range radio such as NFC may be used instead, although this also carries the risks present in any radio transmission.

The best, although slowest, option may be QR code scanning that involves 2-way communication, such as the one implemented in the GrapheneOS Auditor app. [3]

Once out-of-band messages have been passed between Alice and Bob, external passive adversaries now lack KDF inputs to decrypt future messages sent in-band. The process may be repeated if desired, although the benefits of this are unclear.

Concept

Signal Verify Safety Numbers UI with new Add Post-Quantum Resistance Button
Image adapted from: https://signal.org/blog/verified-safety-number-updates/

References

[1, a] https://cloudsecurityalliance.org/blog/2023/04/03/is-pqc-broken-already-implications-of-the-successful-break-of-a-nist-finalist
[1, b] https://eprint.iacr.org/2022/1713

[2] https://signal.org/docs/specifications/doubleratchet/

[3, a] https://github.com/GrapheneOS/Auditor
[3, b] https://attestation.app/about
[3, c] https://github.com/GrapheneOS/Auditor/blob/76/app/src/main/java/app/attestation/auditor/AttestationProtocol.java#L120-L193
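The root-key argument made in the issue, as an added toy model (this is not code from the issue author or from libsignal). KDF_RK keeps the shape the Double Ratchet specification gives it, HKDF-SHA256 with the current root key as salt and the fresh input as IKM, but the "DH outputs" are constructed random bytes standing in for X25519, and the passive adversary is simply handed the initial root key and every DH output, which is the "asymmetric algorithm broken, everything recorded" scenario. The `oob_step` method and its `b"oob"` domain-separation prefix are hypothetical, illustrating the proposal rather than any existing libsignal API:

```python
"""Toy Double Ratchet root chain with an out-of-band (OOB) seeding step.

Added example, not libsignal code. Models a store-now-decrypt-later adversary
(Eve) who knows the initial root key and every in-band DH output, and shows
that an OOB input she never recorded makes every later chain key unreachable.
"""
import hashlib
import hmac


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 64) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def kdf_rk(rk: bytes, ikm: bytes) -> tuple[bytes, bytes]:
    """Root KDF as in the Double Ratchet spec: rk is the salt, the fresh
    input is the IKM; returns (new root key, new sending/receiving chain key)."""
    out = hkdf_sha256(rk, ikm, b"toy-double-ratchet-root", 64)
    return out[:32], out[32:]


class RootChain:
    def __init__(self, rk: bytes):
        self.rk = rk
        self.chain_keys: list[bytes] = []

    def dh_step(self, dh_out: bytes) -> bytes:
        """Normal in-band ratchet step. dh_out is exactly what an adversary who
        has broken the curve and recorded the ratchet public keys recovers."""
        self.rk, ck = kdf_rk(self.rk, dh_out)
        self.chain_keys.append(ck)
        return ck

    def oob_step(self, oob_secret: bytes) -> bytes:
        """Hypothetical OOB seeding step (the issue's proposal): same KDF, but
        the input crossed a local channel (QR/NFC), never the network."""
        self.rk, ck = kdf_rk(self.rk, b"oob" + oob_secret)  # prefix is an assumption
        self.chain_keys.append(ck)
        return ck


def simulate() -> dict:
    # Constructed values; in a real session these come from X3DH and X25519.
    rk0 = hashlib.sha256(b"constructed initial root key").digest()
    dh_outs = [hashlib.sha256(b"constructed dh output %d" % i).digest() for i in range(4)]
    oob = hashlib.sha256(b"constructed secret exchanged via QR code").digest()

    alice, bob = RootChain(rk0), RootChain(rk0)
    eve = RootChain(rk0)  # passive recorder: has rk0 and every dh_out, nothing else

    for dh in dh_outs[:2]:
        alice.dh_step(dh)
        bob.dh_step(dh)
        eve.dh_step(dh)
    eve_matches_before = eve.chain_keys == alice.chain_keys

    alice.oob_step(oob)  # Eve observes nothing on the wire for this step
    bob.oob_step(oob)
    for dh in dh_outs[2:]:
        alice.dh_step(dh)
        bob.dh_step(dh)
        eve.dh_step(dh)  # Eve still sees these, but her root key has diverged

    post_oob_keys = alice.chain_keys[2:]
    return {
        "parties_agree": alice.chain_keys == bob.chain_keys,
        "eve_matches_before_oob": eve_matches_before,
        "eve_recovers_any_post_oob_key": any(k in post_oob_keys for k in eve.chain_keys),
    }


if __name__ == "__main__":
    print(simulate())
```

The model also makes the caveat the issue raises about radio channels concrete: the protection rests entirely on `oob` never entering Eve's recording, so an OOB channel that is itself sniffable (long-range Bluetooth) or that an attacker can participate in (an unauthenticated pairing) collapses back to the in-band case, which is why the two-way QR scan tied to Safety Number verification is the conservative choice.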