In an out-of-band conversation with corsac, it appeared that I didn't make my point clearly enough, so here is a recap:
- It is known that nation-state adversaries, interested in mass
surveillance, are currently recording encrypted traffic they observe,
in the hope of being able to decrypt it in the future (by obtaining
the keys or through cryptanalytic means).
- Currently available key exchange mechanisms are all broken by a
passive, quantum adversary.
- Hence, the forward-secrecy of **currently-transmitted traffic** lasts
at most as long as nation-state adversaries do not obtain quantum
computers.
- While quantum computers do not exist yet [0], estimates on the time
before discovery vary wildly, from 5 to 50 years.
In that light, having a post-quantum kex makes sense. The NTRU scheme
has been first formulated 20 years ago and has withstood serious
scrutiny. Interestingly, the PQCRYPTO workgroup spoke is evaluating
the Stehle–Steinfeld variant (not the one available in StrongSwan)
for long-term security [1].
Note that this is purely about making future mass surveillance, assisted
by quantum computers, more costly. This isn't about targeted
attacks against a specific IPSec deployment (where the situation is
much more complex, and endpoint security plays a more prevalent role).
[0]: The DWave machines are quantum annealers, and aren't known to be
able to run Shor's or Grover's algorithms, nor any other
algorithm relevant for cryptanalysis.
[1]: http://pqcrypto.eu.org/docs/initial-recommendations.pdf
pgpPefJJWc3Ci.pgp
Description: PGP signature

