- cross-posted to:
- technology@kbin.social
We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem. Instead, we are augmenting our existing cryptosystems such that an attacker must break both systems in order to compute the keys protecting people’s communications.
…
Our new protocol is already supported in the latest versions of Signal’s client applications and is in use for chats initiated after both sides of the chat are using the latest Signal software. In the coming months (after sufficient time has passed for everyone using Signal to update), we will disable X3DH for new chats and require PQXDH for all new chats. In parallel, we will roll out software updates to upgrade existing chats to this new protocol.
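The quoted post describes the hybrid idea at the level of "an attacker must break both systems". The following is an added illustration, not Signal's PQXDH code and not the exact key schedule from the PQXDH specification: it takes a classical DH shared secret and a post-quantum KEM shared secret (both constructed 32-byte stand-ins here, since no real X25519 or Kyber operation is performed) and feeds them through a standard HKDF (RFC 5869, implemented with the standard library only) along with the public transcript. The function names, the `info` label and the transcript layout are assumptions for the example.

```python
"""Added example: combining a classical and a post-quantum shared secret.

Not Signal's code. Models the hybrid principle: the session key depends on
both shared secrets, so recovering only one of them (e.g. the ECDH secret
with a future quantum computer) does not yield the key.
"""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = b"\x00" * HASH().digest_size
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(
    dh_secret: bytes,
    kem_secret: bytes,
    transcript: bytes,
    info: bytes = b"hybrid-example-v1",  # assumed label, not from the PQXDH spec
) -> bytes:
    """Derive one 32-byte session key from two independent shared secrets.

    dh_secret  -- output of a classical key agreement (e.g. X25519), 32 bytes
    kem_secret -- shared secret decapsulated from a PQ KEM (e.g. Kyber), 32 bytes
    transcript -- public values of the handshake (public keys, KEM ciphertext);
                  binding them into the KDF ties the key to this exact exchange,
                  a general hybrid-combiner practice assumed here.
    """
    if len(dh_secret) != 32 or len(kem_secret) != 32:
        raise ValueError("expected 32-byte shared secrets")
    # Concatenating both secrets as IKM makes the PRK depend on every byte of
    # each input; HMAC's PRF property means knowing one half reveals nothing
    # useful about the output without the other half.
    ikm = dh_secret + kem_secret
    prk = hkdf_extract(b"", ikm)
    # The transcript goes into the expand step so that the same pair of secrets
    # used with different public values yields a different key.
    return hkdf_expand(prk, info + transcript, 32)


if __name__ == "__main__":
    # Constructed stand-ins for what X25519 and Kyber would produce.
    dh = bytes(range(32))
    kem = bytes(range(32, 64))
    transcript = b"IK_A|IK_B|SPK_B|PQ_ciphertext"
    key = hybrid_session_key(dh, kem, transcript)
    # An attacker who learned only the DH secret still lacks the KEM secret;
    # substituting any other value gives an unrelated key.
    wrong = hybrid_session_key(dh, b"\x00" * 32, transcript)
    print(key.hex())
    print("differs without KEM secret:", key != wrong)
```

The point of the design is that the two secrets are not interchangeable: an attacker who breaks only the elliptic-curve half still cannot compute the session key. The transcript binding is a general combiner precaution rather than something the quoted post states.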
A nice and reasonable approach.
I just wonder why doubling up the ciphers is the way to go? Not confident in the post-quantum cipher yet?
Yeah they explain it in the article.
There was a “quantum safe” encryption scheme proposed that had a non-quantum vulnerability found in it. Perhaps they are hedging against that occurring again? The scheme was rejected in the end so it didn't matter too much.
Google is also going with a combined approach: https://security.googleblog.com/2023/08/toward-quantum-resilient-security-keys.html
New ones are too young and not battle tested with time. Hybrid PQ is the norm until more data is available.
I never predicted Signal would implement quantum resistance at a faster pace than other messenger apps. Applause to the dev team!
We believe that the key encapsulation mechanism we have selected, CRYSTALS-Kyber, is built on solid foundations, but to be safe we do not want to simply replace our existing elliptic curve cryptography foundations with a post-quantum public key cryptosystem.
Does this sound like VX Junkies to anybody else? I feel the need to check on my turbo encabulator 😅
A clearer explanation is available here
Will signald be updated? Matrix wants to know. For anyone curious, I’ve opened an issue to confirm: https://gitlab.com/signald/signald/-/issues/377
Do we still like signal? I remember reading something about why you should stop using signal but this seems contrary to that
Many people also fail to make a proper distinction between private and anonymous, which is why some people get mad at the phone number thing.
Ok that makes sense
Ah, yes, I’m not giving an instant messenger application my phone number, it doesn’t need it, especially if I’m not even using it on a phone.
That’s private information that I only give out to close friends and family members.
The phone number thing is a major problem but Signal just has the momentum imo. Ultimately, they’re gonna need to fix it or we’re all going to have to stop using it.
Private =/= anonymous
Signal is amazing
For everything in this world, there will be people disliking it and being very vocal about it.
EFF still recommends Signal (and others) for people fitting various risk profiles: https://ssd.eff.org/