Post quantum cryptography

[forty]

Hello,

Is there any plan to add PQ algorithms to libsodium? I feel it would be nice to have nicely packaged hybrid algorithms using the PQ algorithms selected by NIST last year for example https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022 ?

The only discussion on the topic I found is #371 which is from 2016, but I might have missed others (sorry if I did, I'm happy to read them if they exist).

See some discussion on the topic by Age author https://words.filippo.io/dispatches/post-quantum-age/

[jedisct1]

Not until Kyber is finalized.

What we have now is very unlikely to be what NIST will standardize.

[jedisct1]

The current version of Kyber is not even the one described in that Filipo's post any more (it's now using SHAKE as a hash function).

You can (and should!) run experiments with it, but using it for production deployments would be premature. So would its inclusion in libsodium, that tries to avoid breaking changes.

[forty]

I understand, thanks for the explanation.

[mhemmings]

NIST have just finalised standards:
https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

[samuel-lucas6]

However, there's no non-interactive key exchange (NIKE), I don't think people are that happy with the signature schemes, and Round 4/Standardization of Additional Digital Signature Schemes are ongoing.

If a library isn't careful with which PQC algorithms and parameter sets to support, it'll end up becoming a kitchen sink. For this type of library, it's not necessarily something to rush into. Having said that, PQC algorithms aren't one size fits all algorithms so maybe this is unavoidable to an extent.

[jedisct1]

There's no standardized hybrid scheme (which is what everybody wants to use, not ML-KEM alone) either yet.