by ccppurcell 672 days ago
As I understand it, the only reason pqc is of "practical" concern is the issue of "store now, decrypt later".

Is it possible to defend against this attack in a classical way? Some sort of time limit on decryption? Or an argument that it's impossible?

5 comments

Strong pre-shared keys will continue to remain secure, even against a quantum computer.

WireGuard, for example, provides the ability to add a pre-shared key for endpoints, which it mixes in during key exchange. WireGuard sessions collected under such a configuration should remain safe when attacked by a future quantum computer, assuming that the shared keys remain secret.

Pre-shared keys are just inconvenient to handle safely.

> Pre-shared keys are just inconvenient to handle safely.

You can transfer PSKs safely and easily with OpenSSH 9.0 (released 2022-04-08) or later, which uses sntrup761x25519-sha512@openssh.com as the default key exchange method.

If your threat model includes someone with a quantum computer intercepting all of your traffic and storing it to decrypt later, you probably don't want to share your keys over a non-PQC channel unless you can guarantee that they haven't started eavesdropping on your traffic yet.

While sntrup761x25519-sha512 is a QC secure key exchange, sending a key over it doesn't count. It's not really a "pre-shared" key unless the sharing is done using organic, locally sourced sneakers. Unless FIPS, and then it's boots.

The NSA has a copy of your ciphertexts on their disks today. What could stop them from trying to decrypt it in 5 years' time? It's not like they will be held back by any Terms & Conditions.

The only way you can do any "not after X time" decryption even for honest-ish users is if the decryption involves getting extra key material from some server that erases it or shuts down at some point. But even that doesn't help if someone can break the crypto.

I don't think that is true; current PFS algorithms are probably all just an inconvenience PQ, but I think they suggest strategies where one has to have a key at the time of a negotiation, or even be part of a decision in a negotiation, to ever have the session key, as long as the parties discard it.

Have crypto agility, so that when you want to transition algorithms, the move will be as seamless as possible. You can start to use a blended or hybrid crypto today, where you simultaneously use both classical and pqc algorithms. For your classical algorithms, you should adjust your keys' security strength in accordance with your threat model. See CNSA 2.0 for a starter reference. For data in motion, you can use two VPNs, configured appropriately.

There are a number of things you can do today, more than I listed. I suggest you discuss with an appsec person who is familiar with your threat model.
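To make concrete what the WireGuard PSK reply and the hybrid-crypto reply above are describing, here is an added Python example (not code from the thread, from WireGuard, or from any cited standard): a key schedule that chains a classical DH secret, an optional post-quantum KEM secret and an optional pre-shared key through HKDF-SHA256 (RFC 5869, implemented with the standard library). The chaining order, the labels, and every "secret" value are constructed for the demo and only stand in for real X25519 or KEM outputs; the schedule is a simplification of WireGuard's HKDF chaining, not a copy of it.

```python
"""Hybrid key schedule demo (added example, stdlib only).

Shows why a session key that mixes in a PSK or a PQ KEM secret survives a
"store now, decrypt later" attacker who recovers only the classical DH secret.
"""
import hashlib
import hmac
from typing import Optional

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-SHA256(salt, IKM); empty salt -> zeros."""
    return hmac.new(salt or bytes(HASH_LEN), ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-SHA256(PRK, T(i-1) || info || i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf_self_test() -> bool:
    """Known-answer check against RFC 5869 test case 1."""
    ikm = bytes([0x0B] * 22)
    salt = bytes(range(0x00, 0x0D))
    info = bytes(range(0xF0, 0xFA))
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def derive_session_key(classical_secret: bytes,
                       pq_secret: Optional[bytes] = None,
                       psk: Optional[bytes] = None,
                       transcript: bytes = b"") -> bytes:
    """Chain every available secret into one 32-byte session key.

    Each secret is fed to HKDF-Extract as IKM with the running chaining key as
    the salt, so the output depends on all of them. Labels and the initial
    chaining value are this example's own (assumed), not a real protocol's.
    """
    chaining_key = hashlib.sha256(b"hybrid-kex-demo-v1").digest()
    for label, secret in ((b"classical", classical_secret),
                          (b"pq", pq_secret),
                          (b"psk", psk)):
        if secret is None:
            continue  # optional input not negotiated for this session
        chaining_key = hkdf_extract(chaining_key, label + secret)
    return hkdf_expand(chaining_key, b"session key|" + transcript, 32)


# Constructed sample values; in a real handshake these come from X25519 / a KEM
# and from an out-of-band PSK exchange.
CLASSICAL_SECRET = hashlib.sha256(b"constructed x25519 shared secret").digest()
PQ_SECRET = hashlib.sha256(b"constructed kem shared secret").digest()
PSK = hashlib.sha256(b"constructed out-of-band pre-shared key").digest()
TRANSCRIPT = b"constructed handshake transcript"


def peers_agree(pq_secret: Optional[bytes], psk: Optional[bytes]) -> bool:
    """Both endpoints hold the same inputs, so they must derive the same key."""
    initiator = derive_session_key(CLASSICAL_SECRET, pq_secret, psk, TRANSCRIPT)
    responder = derive_session_key(CLASSICAL_SECRET, pq_secret, psk, TRANSCRIPT)
    return hmac.compare_digest(initiator, responder)


def classical_break_recovers_key(pq_secret: Optional[bytes], psk: Optional[bytes]) -> bool:
    """Model the store-now-decrypt-later attacker: they recorded the handshake
    and later recover the classical DH secret, but never held the PSK or the
    KEM secret. True means the session key is reconstructible from that alone."""
    real_key = derive_session_key(CLASSICAL_SECRET, pq_secret, psk, TRANSCRIPT)
    attacker_key = derive_session_key(CLASSICAL_SECRET, None, None, TRANSCRIPT)
    return hmac.compare_digest(real_key, attacker_key)


if __name__ == "__main__":
    print("HKDF known-answer test:", hkdf_self_test())
    for name, pq, pre in (("classical only", None, None),
                          ("classical + PSK", None, PSK),
                          ("classical + PQ KEM", PQ_SECRET, None),
                          ("classical + PQ KEM + PSK", PQ_SECRET, PSK)):
        print(f"{name:26s} peers agree: {peers_agree(pq, pre)}  "
              f"key recoverable from classical break: {classical_break_recovers_key(pq, pre)}")
```

The point the thread makes falls out of the last column: only the classical-only configuration yields a key the attacker can rebuild; any configuration that mixes in a PSK or a PQ secret does not, provided that extra input itself never travelled over a channel the attacker could later break.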

Quantum cryptography, not post-quantum cryptography, would allow schemes in which the store now, decrypt later attack is impossible.

Sneakernet or OTP