Encryption
About security assumptions
Aetrna uses a number of standardized algorithms for encryption, such as:
Keccak256 for hashing (the original Keccak padding, i.e. the pre-NIST version, not the FIPS 202 SHA3-256 padding)
ECIES: ECDH, HKDF with Keccak256 inside, with AES-GCM for classical encryption
MLKEM: Kyber-1024 with SHAKE-128 inside, with AES-256 for post-quantum encryption
Argon2id for key derivation from passwords
ECDSA for signatures (with Keccak256 as the message hash)
All these algorithms are widely known and battle-tested.
The resistance against quantum computers
The minimal requirement by today's science is 256-bit security (2^256 work for the best known attack) against the quantum-computer threat. Currently there are three quantum algorithms that matter:
Shor's algorithm: solves integer factorization and discrete logarithm problems by period finding (an instance of the hidden subgroup problem) using the Quantum Fourier Transform (QFT). It breaks RSA, ECDH and ECDSA outright.
Grover's algorithm: provides a quadratic speed-up for unstructured search, so 128-bit security becomes 64-bit (2^128 work becomes 2^64). Therefore 256-bit security is required to keep a minimum of 128-bit security once Grover's algorithm becomes practical.
Brassard-Hoyer-Tapp (BHT) algorithm and its improvement by Chailloux-Naya-Plasencia-Schrottenloher (CNS): in the worst case, quantum collision search against a hash function costs only the cube root of the output space, so a 256-bit hash keeps about 85-bit quantum collision security (2^(256/3)). It combines the birthday paradox with Grover's algorithm. Therefore a hash function needs at least a 384-bit output to keep 128-bit collision security (384/3 = 128) once BHT is applicable. This is considered highly theoretical (BHT needs a quantum-accessible memory, qRAM, of about 2^(n/3) entries), and the van Oorschot-Wiener (vOW) parallel collision search, which builds on Pollard's rho algorithm run on classical computers in parallel, is likely the more realistic attack.
Now, the security of the protocols used can be described as follows:
ECDSA / Keccak256
ECDSA is broken by Shor's algorithm once a large enough fault-tolerant quantum computer exists; the collision resistance of Keccak256 drops only if qRAM-based collision search (BHT) is ever realized. Neither affects the confidentiality of encrypted data: these two are used for signatures and hashing, not for encrypting.
MLKEM (Kyber-1024)
Provides 2^254 classical and 2^230 quantum (Grover-accelerated) security against the
Block-Korkine-Zolotarev (BKZ) lattice basis reduction algorithm (the Kyber team's core-SVP estimate). It is not affected by Shor's algorithm: the underlying Module-LWE problem includes an error ("noise") term and does not reduce to period finding.
However, key generation starts from a 32-byte random seed that is then split and expanded via SHAKE-128. So the effective security is bounded by that 256-bit seed, the same as AES-256, which gives the minimal 128-bit quantum (Grover) security.
ECIES
Consists of AES-GCM (256-bit classical / 128-bit quantum security), ECDH (broken by Shor's algorithm) and HKDF over Keccak256 (whose collision bound is the one BHT reduces). The weak link is ECDH, which is why ECIES counts as classical encryption only.
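The bit-security accounting from the quantum-algorithms section above, applied to the primitives listed for each protocol, as an added Python example (not Aetrna's own code). It encodes the page's rules of thumb (Shor zeroes ECDH/ECDSA, Grover halves symmetric and preimage security, BHT cuts collision security to a third of the hash output, CNS to two fifths), takes the Kyber-1024 figures as quoted on the page, and assumes a 256-bit curve for the ECC entry; the 128-bit floor and the 384-bit hash requirement fall out of the inverse function.

```python
"""Security-level accounting for the primitive suite described on this page.

Added example, not Aetrna's own code. Rules of thumb from the page:
Shor reduces ECDH/ECDSA security to nothing, Grover halves the bit
security of symmetric keys and hash preimages, BHT-style quantum collision
search cuts hash collision security to n/3 (CNS: 2n/5). The Kyber-1024
figures (254 classical / 230 quantum) are the page's numbers, taken as given.
"""
from dataclasses import dataclass
from math import ceil
from typing import Dict, Optional

QUANTUM_FLOOR_BITS = 128  # the page's minimal post-quantum target


def grover_bits(n: int) -> float:
    """Quantum exhaustive search over an n-bit key or preimage space."""
    return n / 2


def bht_collision_bits(n: int) -> float:
    """Brassard-Hoyer-Tapp quantum collision search on an n-bit hash."""
    return n / 3


def cns_collision_bits(n: int) -> float:
    """Chailloux-Naya-Plasencia-Schrottenloher (low-qRAM variant)."""
    return 2 * n / 5


def required_output_bits(target_bits: int, attack: str) -> int:
    """Inverse: smallest key/output size that keeps `target_bits` under `attack`."""
    if attack == "grover":
        return 2 * target_bits
    if attack == "bht":
        return 3 * target_bits
    if attack == "cns":
        return ceil(5 * target_bits / 2)
    raise ValueError(f"unknown attack model: {attack}")


@dataclass(frozen=True)
class Primitive:
    name: str
    role: str                            # "hash", "symmetric", "kem" or "ecc"
    bits: int                            # output/key size, or classical security bits
    quantum_bits: Optional[int] = None   # explicit estimate, used for the KEM


def security_levels(p: Primitive) -> Dict[str, float]:
    """Classical and quantum bit-security figures for one primitive."""
    if p.role == "ecc":
        # Shor: polynomial-time discrete log, so no quantum security at all.
        return {"classical": float(p.bits), "quantum": 0.0}
    if p.role == "symmetric":
        return {"classical": float(p.bits), "quantum": grover_bits(p.bits)}
    if p.role == "hash":
        return {
            "classical_preimage": float(p.bits),
            "classical_collision": p.bits / 2,           # birthday bound
            "quantum_preimage": grover_bits(p.bits),
            "quantum_collision": bht_collision_bits(p.bits),
        }
    if p.role == "kem":
        return {"classical": float(p.bits), "quantum": float(p.quantum_bits)}
    raise ValueError(f"unknown role: {p.role}")


def meets_quantum_floor(p: Primitive, floor: int = QUANTUM_FLOOR_BITS) -> bool:
    """True if every quantum figure for the primitive is at least `floor` bits."""
    levels = security_levels(p)
    return all(v >= floor for k, v in levels.items() if k.startswith("quantum"))


# The suite listed on the page; the 256-bit curve size is an assumption.
AETRNA_SUITE = [
    Primitive("Keccak256", "hash", 256),
    Primitive("AES-256", "symmetric", 256),
    Primitive("Kyber-1024", "kem", 254, quantum_bits=230),
    Primitive("ECDH/ECDSA (256-bit curve)", "ecc", 128),
]


def assess(suite=AETRNA_SUITE, floor: int = QUANTUM_FLOOR_BITS) -> Dict[str, bool]:
    """Which primitives keep the quantum floor."""
    return {p.name: meets_quantum_floor(p, floor) for p in suite}


if __name__ == "__main__":
    for p in AETRNA_SUITE:
        print(f"{p.name:28s} {security_levels(p)}  ok={meets_quantum_floor(p)}")
    print("hash output needed for 128-bit collision security under BHT:",
          required_output_bits(128, "bht"), "bits")
```

Running it reproduces the page's verdict: AES-256 and Kyber-1024 keep the 128-bit floor, ECDH/ECDSA drop to zero, and Keccak256 passes on preimages but not on collisions, which is exactly why the text asks for a 384-bit hash output under BHT.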
Argon2id
The parameters used follow the second recommended option in RFC 9106:
64 MiB memory (m = 65536 KiB)
3 iterations (t = 3)
4 lanes of parallelism (p = 4)
32-byte output
12-character minimum password length (Aetrna policy; the RFC sets no length)
Security here is measured differently:
Breaking it with quantum computers is extremely difficult because of hardware bottlenecks (a memory-hard function would need billions of qubits), but it is easier in the classical sense with botnets. That is why a minimum of 12 characters is required, which yields roughly 71 bits of security from password entropy alone (12 characters drawn uniformly from a 62-symbol alphanumeric alphabet give log2(62^12) ≈ 71.5 bits); the remaining hardness comes from the large memory and time cost of every single guess.
Generally speaking, the security of passwords in this case rests entirely on the length and randomness of the password, and on the efficiency of the attacker's botnets.
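The Argon2id parameters listed above together with the length policy they are paired with, as an added Python example (not Aetrna's own code). Argon2id itself comes from the argon2-cffi package (pip install argon2-cffi); the entropy and policy helpers run without it. The 62-symbol alphanumeric alphabet is an assumption chosen because it reproduces the page's ~71-bit figure for 12 characters, and the 16-byte salt length follows RFC 9106.

```python
"""Argon2id with the RFC 9106 parameters listed above, plus the
password-length policy the page derives from them.

Added example, not Aetrna's own code. Argon2id is provided by the
argon2-cffi package (pip install argon2-cffi); the policy helpers work
without it. The 62-symbol alphabet is an assumption that reproduces the
page's ~71-bit entropy figure for 12 characters.
"""
import os
from math import ceil, log2
from typing import Optional, Tuple

try:
    from argon2.low_level import Type, hash_secret_raw
    HAVE_ARGON2 = True
except ImportError:  # policy helpers stay usable without the package
    HAVE_ARGON2 = False

# RFC 9106, second recommended option (t=3, 64 MiB, p=4), as on the page.
MEMORY_KIB = 64 * 1024
TIME_COST = 3
PARALLELISM = 4
HASH_LEN = 32
SALT_LEN = 16               # RFC 9106 recommends 128-bit salts
MIN_PASSWORD_CHARS = 12     # Aetrna policy from the page
ALPHANUMERIC = 62           # assumed alphabet: a-z, A-Z, 0-9


def password_entropy_bits(length: int, alphabet_size: int = ALPHANUMERIC) -> float:
    """Guessing work in bits if every character is chosen uniformly."""
    return length * log2(alphabet_size)


def min_length_for(target_bits: int, alphabet_size: int = ALPHANUMERIC) -> int:
    """Shortest uniformly random password reaching `target_bits` of entropy."""
    return ceil(target_bits / log2(alphabet_size))


def check_policy(password: str) -> None:
    """Enforce the page's 12-character minimum before any work is spent."""
    if len(password) < MIN_PASSWORD_CHARS:
        raise ValueError(f"password must be at least {MIN_PASSWORD_CHARS} characters")


def derive_key(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (32-byte key, salt); a fresh random salt is generated if none is given."""
    check_policy(password)
    if not HAVE_ARGON2:
        raise RuntimeError("argon2-cffi is required for key derivation")
    if salt is None:
        salt = os.urandom(SALT_LEN)
    key = hash_secret_raw(
        secret=password.encode("utf-8"),
        salt=salt,
        time_cost=TIME_COST,
        memory_cost=MEMORY_KIB,
        parallelism=PARALLELISM,
        hash_len=HASH_LEN,
        type=Type.ID,
    )
    return key, salt


if __name__ == "__main__":
    print(f"12 alphanumeric chars: {password_entropy_bits(12):.1f} bits")
    print(f"chars needed for 128 bits: {min_length_for(128)}")
    if HAVE_ARGON2:
        key, salt = derive_key("constructed-example-pw")  # constructed input
        print("key:", key.hex(), "salt:", salt.hex())
```

The policy check runs before the 64 MiB derivation so a rejected password costs nothing, and min_length_for shows the flip side of the page's argument: to reach the 128-bit floor from entropy alone, an alphanumeric password would need 22 characters, which is why the per-guess cost of Argon2id has to carry the rest.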