Earlier today, a paper was released which describes how to break the cryptography used in the quantum secure part of the xxDK and xx messenger.
High Level Summary:
- The xx consensus and xx sleeve are NOT impacted.
- The conventional part of the xx messenger’s key negotiation is not broken - your messages are safe.
- The quantum secure portion of the xx messenger’s key exchange will need to be replaced.
- This has no impact on the privacy of cMix.
- The team will upgrade to an alternate scheme as soon as possible, likely CSIDH.
The preprint paper can be found here:
https://eprint.iacr.org/2022/975
First, the xx team would like to congratulate and thank the authors for finding this attack and publishing it. While we wish you had not posted this attack on a Saturday morning, work like this is critical to ensuring the cryptography we use is safe and secure.
Second, this attack ONLY partially impacts the xx messenger and the xxDK. No other xx network software is affected. The xx consensus (when deployed) and sleeve use hash based cryptography exclusively, which is believed to be the strongest and least vulnerable post quantum cryptography.
Given the experimental nature of all currently proposed quantum resistant algorithms (excluding the hash based algorithms), the team did not rely solely on SIDH for the security of its key exchange and paired it with a 3072 bit classical log based Diffie-Hellman, which is not impacted. As a result, under classical assumptions, the xx messenger is still secure.
The xx messenger and the xxDK use more experimental algorithms to achieve quantum security because their tasks, like key negotiation, cannot be accomplished with hash based cryptography. That is not the case with xx consensus.
It is also important to note that even with this break, the xx messenger is far more secure against quantum computers than most competitors due to its use of a 3072 bit discrete log Diffie-Hellman instead of an ECC based one. The 3072 bit discrete log Diffie-Hellman likely will require significantly more qubits to break than more common ECC based solutions.
The breaking of these post-quantum schemes is natural when working with cutting edge research. SIDH was considered secure and was a 4th round finalist in the NIST process to select quantum secure public key systems, which ended only a few weeks ago. It also is not the only finalist to be broken recently. For example, Rainbow has a similar break of similar severity.
It looks like a different algorithm using supersingular isogeny, CSIDH, may not be vulnerable, and we are looking into making an upgrade soon. It would be relatively quick to move to CSIDH due to its similar structure and we still believe that the underlying post-quantum protection techniques used by supersingular isogeny are functional.
You can find a more detailed incident report here:
xx network security advisory 30 July 2022.pdf (47.9 KB)
This post has been reviewed by myself, David Chaum, Will Carter, Mario Yaksetig, and Ben Wenger.
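
The pairing of a classical and a post-quantum key exchange described in the post can be illustrated with a hybrid key combiner. This is an added example, not xx network code: the post does not say how the two secrets are combined, so the HKDF-SHA256 construction, the function names, and the sample secrets (constructed stand-ins, not real SIDH or Diffie-Hellman outputs) are all assumptions.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _length_prefixed(value: bytes) -> bytes:
    # A length prefix keeps (b"ab", b"c") distinct from (b"a", b"bc").
    return len(value).to_bytes(4, "big") + value


def hybrid_session_key(classical_ss: bytes, pq_ss: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from BOTH shared secrets (hypothetical combiner).

    Recovering the key requires knowing both inputs, so a break of the
    post-quantum component alone leaves the key protected by the classical one.
    """
    if not classical_ss or not pq_ss:
        raise ValueError("both shared secrets are required")
    ikm = _length_prefixed(classical_ss) + _length_prefixed(pq_ss)
    salt = hashlib.sha256(transcript).digest()  # binds the key to this exchange
    return hkdf_expand(hkdf_extract(salt, ikm), b"hybrid-kex example v1", length)


# Constructed sample values, standing in for real key-exchange outputs.
DH_SS = hashlib.sha256(b"constructed classical secret").digest() * 12  # 384 bytes
PQ_SS = hashlib.sha256(b"constructed post-quantum secret").digest()
TRANSCRIPT = b"constructed: public keys exchanged by both parties"


def attacker_with_pq_only(classical_guess: bytes) -> bytes:
    """Models an attacker who recovered PQ_SS but must still guess the classical secret."""
    return hybrid_session_key(classical_guess, PQ_SS, TRANSCRIPT)
```
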