Oh yes, absolutely. In fact Trezor uses two signature algorithms for their firmwares, pre- and post-quantum, precisely for the case that the post-quantum algo ends up being unsafe. Unfortunately I don't remember the details. I hope some of them come and comment. ping nostr:npub1lz8xv2dnyryrk4vswkcgf52vqqzruqwuyp53s7pvusx4fef9fh2s7hh86s
Discussion
Yes that's a very good point. I remember now that DJB is a strong advocate for exactly this.
Notice though how in performance-critical applications, using even more space and time to do this is going to be ... ouch.
The Trezor Safe 7 boardloader uses a hybrid scheme:
Signed with both SLH-DSA and ECDSA (secp256r1).
The ECDSA signature also signs the SLH-DSA signature.
It is described in more technical detail here: https://trezor.io/guides/trezor-devices/trezor-safe-7/going-quantum
Sorry, there is a mistake in the article. It will be updated soon.
Bootloader is signed with Ed25519, not ECDSA.