The Unclear Impact

It’s 2023 and you’re designing a decentralised system based on public-key cryptography where a person’s identity(ies) are their public key(s).

Do you…

@kristof Oh thank you so much for that link, it’s so helpful (I love his articles; should make it a habit to check there first) :)

@aral he’s also on the Fediverse and is working on an encryption system for DMs, which looks a bit related to what you’re doing (although, obviously, building upon ActivityPub brings vastly different technical constraints)

@aral you'd ... use a blockchain :troll-peaking:

@robertpi *gives him the side-eye* :)

@aral I have literally no idea what you are talking about but, when in doubt, I go hybrid. 🥸

@sherold From what I just read, not a bad option.

Although I’m currently of the mind of keeping it as it is and implementing hybrid when/if the PQ stuff is a bit more standardised. From what I’m learning it shouldn’t be hugely difficult to encapsulate one in the other (e.g., post-quantum scheme within a classic channel)

@aral The recommended usage by the CRYSTALS designers is hybrid anyways.

@jimfl 👍

(And from what I’m learning as I dig deeper into it, I should be able to start with what I have and migrate to hybrid when/if I need to – and when things get a bit more standardised.)

@aral do what WireGuard does: X25519 now, but allow a symmetric pre-shared key to be mixed in to the key derivation. A separate PQ key exchange can then provide that symmetric key, and can evolve separately.

@neilmadden Thanks Neil, was just reading about how WireGuard does it a few hours ago. Given how well it does everything else, no doubt a good recommendation :)

There seem to be only two good answers, 1 and 3. Kyber doesn't look good to me. Forward security seems important.

@RefurioAnachro Sadly, given it’s a web-based system where nodes may be hosted on untrusted servers (i.e., at a VPS host), forward secrecy is a property it cannot provide. (It’s definitely not for folks targeted by state-level actors but an attempt to raise the cost of mass surveillance and break folks out of de facto corporate surveillance.)

@kristof Ah, just tracked down his Mastodon handle only to realise I was already following him :)

And yeah, vastly different… and more complex. But I’m glad he’s on it :)

@aral From my last memories and a quick Google search, ed25519 is quantum-computing safe enough up to a couple million qubits. So unless we find another 3bit substrate before the coming decades, it's safe.

@Toasterson Yeah, apparently roughly 20 million noisy qubits or 1,530 high-quality qubits.

IBM, etc., seem to be making excellent progress on improving both qubit count and coherence though.

(Still, no estimate I’ve seen puts it at less than a decade before we have a practical quantum attack.)

@aral option D: go back to Neal Stephenson's book "Fall; or Dodge in Hell" which has some thoughts on keys as identities :-)

@cmw I’ll add it to my reading list; thanks :)

That doesn't sound like an argument against forward security. Of course, I have no idea what you mean, so I'm not saying you're not right.

Just to be safe, forward security is the idea to do regular key exchanges (e.g. Diffie-Hellman), authenticated by the existing keypairs, so that even if their private keys get compromised in the future, the attacker still can't read old messages, whose keys never went over the wire, and have long been erased.
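The WireGuard-style suggestion earlier in the thread (X25519 now, with a symmetric pre-shared key mixed into the key derivation so a separate PQ exchange can supply it) and the forward-secrecy idea just described, worked through in one added Python example that is not part of this thread and not WireGuard's or anyone's project code. It carries a pure-Python RFC 7748 X25519 (not constant-time, so for study only), an HKDF from the standard library, and a `derive_session_key` that chains a static-static DH, an ephemeral-ephemeral DH and the PSK. The chaining layout, the labels and the function names are assumptions for illustration, not WireGuard's actual Noise_IKpsk2 handshake.

```python
"""Added example: hybrid X25519 + pre-shared-key + ephemeral-key derivation.
X25519 follows RFC 7748 (educational pure Python, NOT constant-time); HKDF follows
RFC 5869 using only the standard library. The derive_session_key() layout is a
simplified illustration of the idea, not WireGuard's actual Noise_IKpsk2 handshake."""
import hashlib
import hmac
import os

P = 2**255 - 19                      # Curve25519 field prime
A24 = 121665                         # (A - 2) / 4 for A = 486662
BASEPOINT = (9).to_bytes(32, "little")


def _clamp(scalar: bytes) -> int:
    """Clamp a 32-byte scalar as RFC 7748 section 5 prescribes."""
    b = bytearray(scalar)
    b[0] &= 248
    b[31] &= 127
    b[31] |= 64
    return int.from_bytes(b, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder: scalar multiplication on the u-coordinate only."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the unused top bit
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:                      # a real implementation uses a constant-time cswap
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * (da - cb) ** 2 % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keypair():
    priv = os.urandom(32)
    return priv, x25519(priv, BASEPOINT)


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Extract then HKDF-Expand with HMAC-SHA256 (RFC 5869)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block = b"", b""
    for i in range(1, (length + 31) // 32 + 1):
        block = hmac.new(prk, block + info + bytes([i]), hashlib.sha256).digest()
        out += block
    return out[:length]


def derive_session_key(static_priv, peer_static_pub, eph_priv, peer_eph_pub, psk=b""):
    """Chain three secrets into one session key; each step is keyed by the last.
    1. static-static DH: binds the session to both long-term identities
    2. ephemeral-ephemeral DH: forward secrecy once the ephemeral privates are erased
    3. pre-shared key: hybrid protection; with the PSK supplied by a separate
       post-quantum exchange, breaking X25519 alone does not recover the key."""
    ck = hkdf(b"hybrid-example-v1", x25519(static_priv, peer_static_pub), b"ss")
    ck = hkdf(ck, x25519(eph_priv, peer_eph_pub), b"ee")
    return hkdf(ck, psk, b"psk")      # an empty psk gives plain X25519 security only


def demo() -> bool:
    """Both sides derive the same key; a later compromise of the static keys plus the
    PSK is not enough once the ephemeral privates are gone (forward secrecy)."""
    psk = os.urandom(32)              # constructed stand-in for a PQ-delivered secret
    a_static, a_static_pub = keypair()
    b_static, b_static_pub = keypair()
    a_eph, a_eph_pub = keypair()
    b_eph, b_eph_pub = keypair()
    k_alice = derive_session_key(a_static, b_static_pub, a_eph, b_eph_pub, psk)
    k_bob = derive_session_key(b_static, a_static_pub, b_eph, a_eph_pub, psk)
    # Erase the ephemeral privates; only the public halves ever crossed the wire.
    a_eph = b_eph = None
    # What an attacker holding both static privates and the PSK can still compute:
    # the static DH step, but not the ephemeral DH step, hence not k_alice.
    ss_only = hkdf(b"hybrid-example-v1", x25519(a_static, b_static_pub), b"ss")
    return k_alice == k_bob and hkdf(ss_only, psk, b"psk") != k_alice


if __name__ == "__main__":
    print("hybrid handshake agrees and resists static-key compromise:", demo())
```

Two properties are visible in `demo()`: the PSK step means that an adversary who breaks X25519 still lacks an input to the chain, and the ephemeral step means that the session key cannot be recomputed from the long-term keys alone once the ephemeral private halves have been erased. Whether that erasure can actually be guaranteed is a separate question for each deployment target.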

@RefurioAnachro Indeed. But those keys have to be kept somewhere so messages can be decrypted in the future by the recipients (unless we’re talking about one-time view messages with ephemeral keys). On an app like Signal, you can persist them on the device. In a web browser, you don’t have the same guarantee. Especially after Apple decided they’d periodically nuke local storage in the name of “privacy” – almost as if they had an app store to protect or something 🤔

@aral I would definitely avoid using just public keys as long term identities. Unless they are published and replaceable out of band, in some kind of naming system - but then they don't need to be keys only.

@donchev Well, public key + domain. And it will be possible to change them but not in the initial release. (You would have to confirm it with the person out of band – as if a Signal phone number had changed – if you wanted to be absolutely sure it wasn’t compromised. But if someone managed to compromise the server to run arbitrary code, they could also just phish the person’s private key and impersonate them.)