Quantum-Safe encryption #449

Open
onkq opened this issue Mar 27, 2023 · 4 comments

@onkq

onkq commented Mar 27, 2023

Sup,

I just came across this project and I'm looking forward to seeing it bloom.

I checked the encryption page and it would be beneficial to have a section about Quantum Computing (QC) and how CryFS (AES in this case) can withstand it for a long while to come. Since the future is here and QC seems like a hot topic, adding that for the people wondering, and for those that might be afraid of the "Store now, decrypt later" / "Harvest now, decrypt later" strategy.

I would like for you to mention the NIST website on this topic ("To protect against the threat of quantum computers, should we double the key length for AES now?"; it's at the bottom of the page) and possibly add a quote: https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/faqs

The website Contact page is not working, or so it seems. I am writing this here instead. The website also has Facebook connected to it, why is that? I'm not quite a fan of that behavior.

@Opening-Button-8988

I would like to see these changes as well.

@smessmer
Member

Quantum-Safe encryption is an interesting topic. Symmetric crypto as used by CryFS is still relatively safe and not as easily broken as the public key crypto most people talk about when they say quantum computers will break crypto. If using CryFS with aes-gcm, it uses a key size of 256 bits by default, which should be secure. Note that starting with CryFS 0.11, the default algorithm is not aes256-gcm anymore, but XChaCha20-Poly1305.

Increasing the key size could be a reasonable precaution, but the libraries we're using don't support that yet. The future of CryFS will be its Rust implementation, which currently lives in the feature/rust branch, and for Rust there are several crypto libraries available:

None of those support key sizes larger than 256 bits, and implementing AES ourselves sounds like a horrible idea.

Once supported and well-vetted implementations of symmetric crypto with larger key sizes are available, I'm happy to make the switch.

@Opening-Button-8988

Opening-Button-8988 commented Jul 1, 2023

@smessmer

I don't know what I'm talking about, but I think argon2id allows you to modify certain variables and I've heard it's more secure than its competition. No idea if that's relevant here, and you're probably already aware of it.

@smessmer
Member

smessmer commented Jul 1, 2023

CryFS currently uses scrypt, not argon2, but they're conceptually similar. Both are memory-hard hash functions based on ideas from symmetric crypto. I would be open to adding argon2, but that's unrelated to this discussion.

For post-quantum safety, I haven't found any concrete research about it, but my understanding is that, on top of symmetric crypto being relatively unaffected, memory-hard hash functions make it especially difficult for quantum computers because it needs a very large number of qubits.

But as I said, I haven't found any concrete research about it. If you find any research or public statements about this, please let me know.
