Wire and post-quantum resistance

The state of quantum computing

Quantum computers that could break today’s cryptography do not exist today yet. The physicists are only experimenting with tiny quantum computers including fewer than 50 quantum bits (or qubits) that are able to run only for microseconds.

One of the article authors, JP Aumasson, giving a talk on the post-quantum impact on current cryptography.
  • Physicists are making some progress towards a system that could solve some computational problem effectively faster than any classical computer — the so-called quantum supremacy milestone.
  • NIST is running a Post-Quantum Cryptography project, in order to standardize one or more post-quantum algorithm around 2020–22. This follows a recommendation from the NSA to start adopting post-quantum cryptography as an insurance against an engineering breakthrough.
  • A number of companies are offering post-quantum solutions, academic researchers in related fields seek funding for their research projects, and both are incentivized to communicate about and sometimes exaggerate the risk of quantum computers.

Threat model in detail

What could an attacker do against Wire today, if they expect to have access to a quantum computer in a near future?

  1. Capture all the communications between two parties communicating on Wire, since the very beginning of their session, and without missing a data packet;
  2. Wait… until a quantum computer is commercially available;
  3. Use a quantum computer to retrieve the cryptographic keys protected by the Diffie-Hellman operations.

How to prepare

With quantum computers still a thing of the future the reasonable question to ask is — what changes can be made to improve security until quantum computers emerge?

Towards a post-quantum Wire

The core cryptographic component of Wire is Proteus, the library performing all cryptographic operations taking place during a Wire conversation, including the elliptic-curve Diffie-Hellman operations. To simplify a lot, Proteus will first compute a master secret as follows:

master_secret = HKDF(DH(A,b) | DH(a,B) | DH(a,b))
master_secret = HKDF(DH(A,b) | DH(a,B) | DH(a,b) | PQ(PQA, PQB))

What’s next?

We see this as a research project and more work is needed, be it performance assessment or general security scrutiny, before this can be deployed in a production system.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Wire

Wire

The most secure collaboration platform.