Post Quantum Cryptography

Is there any discussion or progress on PQC? There are already photonic silicon spin qubits available with over

1 million qubits.

Irrespective of how powerful quantum computers are in the moment, for some critical data you’d need to consider an attacker who stores asym. encrypted traffic and waits until QC are powerful enough to break the encryption afterwards.

NIST chose some algorithms – I guess they could be plugged in as replacements for RSA (or whatever is currently used).

Google used some of those algorithms for Chrome and TLS and has some performance comparisons.

Would increased key lengths and reduced speed pose problems for TOR nodes etc.?

Hello, and welcome to the Tor community forum!

I just answered a similar question over on r/tor on Reddit. Going to copy and paste my answer here. The short answer is yes, we will eventually be moving to a hybrid encryption scheme for post-quantum encryption. We have a significant dependency we need to fix and deploy in the network before we can do so, though, and that’s “fragmented cells.”

Fragmented cells will allow us to split messages over multiple cells within the Tor network, thus opening us up to having much larger handshake material passed around amongst relays and clients. This is needed since most of the post-quantum handshakes bring significantly larger payloads with them. The most up-to-date specification for fragmented cells can be seen at proposals/ · main · The Tor Project / Core / Tor Specifications · GitLab

We plan on rolling out fragmented cells later this year as we begin the work on supporting UDP within the Tor network as well.

Once fragmented cells are in, we can begin the development of circuit-level post-quantum cryptography. For the outer TLS layer, we will likely need support in the commonly used TLS libraries deployed in the Tor network (OpenSSL, LibreSSL, etc.).

1 Like

Unlikely. PQC will add some overhead to the handshake, but we don’t do many of those. The asymmetric encryption/decryption will be just as fast as before. Basically, connecting and expanding circuits in the network will be slightly slower, but once you start transferring payload data, the speed should remain the same as before.

1 Like

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.