Quantum computing and Harvest now, decrypt later - hype?

I lack the technical knowledge to assess the discussions around quantum computing and what it implies for harvest now, decrypt later surveillance strategies.

I am wanting to move to self-hosting and then encrypting all my data, but for the time being lean on things like Cryptomator with OneDrive for backup and sync.

Interested to hear the peoples thoughts on this.

How seriously can we take an org like Tuta, for example, saying they are preparing for quantum level decryption technology?

How well placed is Cryptomator technology for this possible future?

Chrome and Edge 124 on desktop have already rolled out quantum resistant key agreement via Kyber for supported websites (largely just Google and Cloudflare hosted).

• Chromium Blog: Protecting Chrome Traffic with Hybrid Kyber KEM
• Test page here: https://pq.cloudflareresearch.com/

Vanadium, Mulch, and Mull do this too on Android since a few weeks now.

• Releases | GrapheneOS
• News - DivestOS Mobile

You can enable it in Firefox by setting security.tls.enable_kyber to true via about:config.

Signal and SimpleX also use Kyber as part of E2EE:

• Signal >> Blog >> Quantum Resistance and the Signal Protocol
• SimpleX blog: SimpleX Chat v5.6 (beta): adding quantum resistance to Signal double ratchet algorithm

Mullvad also supports similar:

• Stable Quantum-resistant tunnels in the app! | Mullvad VPN

Fedora/Red Hat also has some experimental stuff to work system wide:

• TEST-PQ: enable X25519-KYBER768 / P384-KYBER768 for openssl (1e3a2e49) · Commits · redhat-crypto / fedora-crypto-policies · GitLab

There is little downside to layering the current crypto with eg. Kyber.
If it works, it works. If it doesn’t, the only thing wasted is a bit more bandwidth.

As for the harvesting, this exists: Utah Data Center - Wikipedia

EFF_photograph_of_NSA's_Utah_Data_Center5184×3456 3.29 MB

So do likely many, many more.

Can anyone give a TLDR on how Kyber works?

Symmetric encryption like AES which is commonly used for encrypting storage (Cryptomator uses AES-256) is safe from quantum attacks.

Quantum computing only significantly affects asymmetric encryption algorithms like RSA, which are commonly used when transmitting data between parties because it doesn’t require both people to have a pre-shared key between them.

This is why things like HTTPS and E2EE instant messaging applications with communications between multiple people have to worry about quantum attacks, but your data stored with Cryptomator or on an encrypted hard drive is generally perfectly safe.

God save us.

Hi there, the tactic by intelligence agencies of “harvest now, decrypt later” is already on-going. You can see this in the US by the number of giant data centers being operated by the NSA like the one linked by @SkewedZeppelin. The threat of quantum computers has also led to the US government pushing for new security requirements. Other companies have also taken steps to protect data from quantum computers, like Signal with their PQXDH.

Currently, for data being stored at rest AES256 is considered to be quantum-safe. However, for communication things become a bit more tricky and a post-quantum asymmetric encryption is required. This is where Kyber comes into play.

What is important with PQ encryption is to avoid security being dependent upon the “hardness” of solving the mathematical problems. Kyber uses what is called “learning with errors” which hides the secrets used for encrypting data by adding extra noise. We have created a full write-up explaining the ins-and-outs of how we are using Kyber on our blog.