P-256 ECDH between mobile and TEE is vulnerable to quantum attacks

The current key exchange between the mobile SDK and proving server (TEE) uses P-256 ECDH, which is vulnerable to quantum computer attacks (using Shor's algorithm). This creates a "harvest now, decrypt later" risk where an adversary could record encrypted traffic today and decrypt it once quantum computers become available.

The solution I would propose is to implement [PQXDH](https://en.wikipedia.org/wiki/Post-Quantum_Extended_Diffie–Hellman) (Post-Quantum Extended Diffie-Hellman), following [Signal's specification](https://signal.org/docs/specifications/pqxdh/pqxdh.pdf). This uses a hybrid approach combining the classical X25519 ECDH and the post-quantum ML-KEM-768 (Kyber). This protocol has recently been [formally verified](https://www.usenix.org/conference/usenixsecurity24/presentation/bhargavan).

This hybrid design provides defense in depth: an attacker would need to break _both_ X25519 and ML-KEM-768 to recover the session key.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

P-256 ECDH between mobile and TEE is vulnerable to quantum attacks #1315

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

P-256 ECDH between mobile and TEE is vulnerable to quantum attacks #1315

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions