3

My company builds an encrypted data transfer app that has two layers of encryption. There is an outer layer of TLS encryption using ECDHE with Curve 25519 that runs between app clients and servers. There is also an inner layer of encryption that encrypts data end to end between clients using a 1024-bit Diffie-Hellman key agreement (yes we need to replace that)

Our customers are asking for post quantum protection now because of the long term value of the data they want to protect. Instead of replacing one layer of encryption with a classical/post quantum hybrid scheme (which seems to be popular) we would like to leave the key management for our outer layer TLS protection with Curve 25519 intact and replace the only inner layer key management (the 1024-bit Diffie-Hellman) with a post quantum hybrid scheme like Kyber, New Hope, or SIDH.

Would it be accurate to tell our customers that a layer of classical public key based encryption covering a layer of post quantum public key based encryption is an roughly equivalent to replacing one layer of the encryption with a classical/post quantum hybrid? We need to replace our inner layer key management anyway and putting in a post quantum solution there would be convenient.

Andrea Russo
  • 139
  • 5

1 Answers1

2

From your description, I am picturing your setup like this:

Outer encryption (server decrypts and re-encrypts):

client1 <----> server <----> client2

Inner encryption (server passed encrypted blobs on)

client1 <----server----> client2

Your question:

Would it be accurate to tell our customers that a layer of classical public key based encryption covering a layer of post quantum public key based encryption is an roughly equivalent to replacing one layer of the encryption with a classical/post quantum hybrid?

I'm going to go with No. Reasoning: the idea of Classical+PQ schemes was born by considering two separate threat models:

  1. The attacker has a quantum computer.
  2. The attacker knows about a zero-day weakness in Kyber, New Hope, SIDH, wtv PQ crypto you choose. The risk if this is "high" because PQ schemes have not yet had the decades of public scrutiny we would like in a cryptosystem.

The goal of creating hybrids is to couple these two threat models by requiring an attacker to have access to both a quantum computer and a zero-day against the chosen PQ cryptosystem.

Let's see how your proposal stacks up:

  1. An attacker with a quantum computer can successfully man-in-the-middle your classical outer TLS sessions. This doesn't give them access to plaintext messages, but is certainly a partial break of your system, and may have other security implications, for example if any usernames/passwords, or identifying information are sent over this TLS connection.
  2. An attacker with a zero-day against your PQ crypto is not a direct attack, but it becomes a full break if they can compromise the server, or if you are worried about insider threat from your admins.

So it looks like your proposal isn't completely broken, but is certainly not what a customer would expect if you tell them it's a classical/post quantum hybrid, and is a weaker security model then replacing one or both layers with proper hybrid schemes.

Mike Ounsworth
  • 3,627
  • 1
  • 18
  • 28