Kikuri - Tech

1
 
 

NIST has formally published three post-quantum cryptography standards from the competition it held to develop cryptography able to withstand the anticipated quantum computing decryption of current asymmetric encryption.

There are no surprises – but now it is official. The three standards are ML-KEM (formerly better known as Kyber), ML-DSA (formerly better known as Dilithium), and SLH-DSA (better known as Sphincs+). A fourth, FN-DSA (known as Falcon) has been chosen for future standardization.

IBM, along with industry and academic partners, was involved in developing the first two. The third was co-developed by a researcher who has since joined IBM. IBM also worked with NIST in 2015/2016 to help establish the framework for the PQC competition that officially kicked off in December 2016.

With such deep involvement in both the competition and winning algorithms, SecurityWeek talked to Michael Osborne, CTO of IBM Quantum Safe, for a better understanding of the need for and principles of quantum safe cryptography.

It has been understood since 1996 that a quantum computer would be able to decipher today’s RSA and elliptic curve algorithms using (Peter) Shor’s algorithm. But this was theoretical knowledge since the development of sufficiently powerful quantum computers was also theoretical. Shor’s algorithm could not be scientifically proven since there were no quantum computers to prove or disprove it. While security theories need to be monitored, only facts need to be handled.

“It was only when quantum machinery started to look more realistic and not just theoretic, around 2015-ish, that people such as the NSA in the US began to get a little concerned,” said Osborne. He explained that cybersecurity is fundamentally about risk. Although risk can be modeled in different ways, it is essentially about the probability and impact of a threat. In 2015, the probability of quantum decryption was still low but rising, while the potential impact had already risen so dramatically that the NSA began to be seriously concerned.

It was the increasing risk level combined with knowledge of how long it takes to develop and migrate cryptography in the business environment that created a sense of urgency and led to the new NIST competition. NIST already had some experience in the similar open competition that resulted in the Rijndael algorithm – a Belgian design submitted by Joan Daemen and Vincent Rijmen – becoming the AES symmetric cryptographic standard. Quantum-proof asymmetric algorithms would be more complex.

2
1
Opt Out Podcast - Proton Wallet w/ Andy Yen (optoutkoplzfgs7wl3gkg5nmtrrs7ki6ljcguf7c4w7rdsrtozlghxad.onion)
 
 

According to Andy Yen, CEO of Proton, Proton does not support Monero in any way and will probably never offer a Monero payment nor a Monero wallet. They don’t want to be associated with criminals, they’re afraid of the government putting a target on their back, like with Tornado Cash or Samourai Wallet, and there are auditing requirements in Switzerland that prevent them from accepting Monero.

There is really no good reason to use Proton at this point. They are trying to become the crappier alternative to Google and Microsoft with the goal of providing “privacy”, yet they fork over data on demand and go the opposite direction of the privacy community.

If you want email, self-host with Modoboa, Maddy, Mail-in-a-Box, iRedMail, or any of the other open-source mail servers.

If you want productivity tools, use LibreOffice. If you want it on a server, spin up a Linux server and install Nextcloud with Nextcloud Office.

If you need a Monero wallet, use the Monero wallet CLI, Monero GUI, Feather Wallet, or Cake Wallet.

If you want to save passwords, use KeePassXC and store them on an encrypted container.

If you want to exchange coins, there is a table of options on dread: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/9102fba1f90b5df1e0f5

With all that said, fuck Proton!

Podcast: http://optoutkoplzfgs7wl3gkg5nmtrrs7ki6ljcguf7c4w7rdsrtozlghxad.onion/episodes/protonwallet-andy-yen/

3
4
5
 
 

Proton Mail has come under scrutiny for its role in a legal request involving the Spanish authorities and a member of the Catalan independence organization, Democratic Tsunami.

Proton Mail is a secure email service based in Switzerland, renowned for its commitment to privacy through end-to-end encryption and a strict no-logs policy. In 2021, Proton Mail faced controversy when it complied with a legal request that led to the arrest of a French climate activist. Under Swiss law, Proton Mail was compelled to collect and provide information on the individual’s IP address to Swiss authorities, who then shared it with French police.

The recent case, this time involving the Spanish police, highlights privacy concerns and the limits of encrypted communication services under national security pretexts, and brings a long-debated subject to the forefront once again.

The core of the controversy stems from Proton Mail providing the Spanish police with the recovery email address associated with the Proton Mail account of an individual using the pseudonym ‘Xuxo Rondinaire.’ This individual is suspected of being a member of the Mossos d’Esquadra (Catalonia’s police force) and of using their internal knowledge to assist the Democratic Tsunami movement.

Upon receiving the recovery email from Proton Mail, Spanish authorities further requested Apple to provide additional details linked to that email, leading to the identification of the individual.

This case is particularly noteworthy because it involves a series of requests across different jurisdictions and companies, highlighting the complex interplay between technology firms, user privacy, and law enforcement. The requests were made under the guise of anti-terrorism laws, despite the primary activities of the Democratic Tsunami involving protests and roadblocks, which raises questions about the proportionality and justification of such measures.

Like before, Proton Mail’s compliance with these requests is bound by Swiss law, which mandates cooperation with international legal demands that are formalized through proper channels (Swiss court system).

Last year, when we noted that Proton Mail complied with nearly 6,000 data requests in 2022, Proton provided us with an explanation that inbox contents remain secure.

6
 
 

Yet another vulnerability, because we can't seem to get enough of them lately.