[Feature request] Post-quantum encryption #11111

Open
beantaco opened this issue Jul 27, 2024 · 2 comments

Comments

@beantaco

Summary

KeePassXC currently uses the AES or Twofish block cipher to encrypt a database. This issue is a feature request to add support for an established post-quantum encryption algorithm. I searched for related issues but didn't find anything.

Context

I'm aware that quantum computing won't be a realistic threat for a long time, but I believe it's wise to prepare for it sooner rather than later. If someone uses KeePassXC to store secrets meant to be held for a long time, the database might become vulnerable at some point. Further, databases that exist now might become vulnerable to "harvest now, decrypt later" attacks by quantum computing.

I honestly don't know how effective quantum-computing-based attacks would be if/when quantum computing becomes feasible. My understanding is that AES-256 remains secure for now because of its large key size, but that could change with time. Grover's algorithm effectively halves AES's key size, making AES-128 insecure (equivalent to brute-forcing a 64-bit key) but AES-256 still secure against that particular attack. But other quantum attacks might break AES-256 in the future.

Implementations by other projects:

I don't know that an established post-quantum block cipher exists yet or will ever be created, or whether or not post-quantum encryption should be added via key encapsulation or another way. I don't propose that this be implemented immediately but when it has been properly hashed out.

My understanding is adding this kind of support would require an update to the database format (to allow for a new encryption algorithm) as well as client support.

  • How credible does the KeePassXC community believe the risk of quantum computing is?
  • What would be the best way to add post-quantum encryption?
  • How difficult would adding support for a post-quantum encryption algorithm be?
  • Aside from old versions of KeePassXC being unable to open databases that use a new encryption algorithm, what unintentional consequences could arise by adding support for a new encryption algorithm?
  • Overall, what is the KeePassXC community's stance?
@beantaco

Further, databases that exist now might become vulnerable to "harvest now, decrypt later" attacks by quantum computing.

This is of grave concern for applications that are designed to send/receive ciphertexts over networks (email, web, instant messaging and so on), but less so for databases that tend to stay on devices. Even so, some scenarios merit strong cryptography:

  • A user's device containing a database is lost or stolen in an unlocked state.
  • The contents of a user's device, including a database, are backed up to a server in plaintext.
  • A user's device containing a database is hacked into remotely.
  • The contents of a user's device, including a database, are copied while unattended or via coercion.
  • A user sends/receives a database over the internet unencrypted.

@taylor-p-mason

Most currently popular public-key cryptographic systems rely on the integer factorization problem or discrete logarithm problem, both of which would be easily solvable on large enough quantum computers using Shor's algorithm.

Post-Quantum Cryptography (PQC), also known as Quantum Safe Cryptography (QSC), refers to cryptographic algorithms designed to withstand attacks by quantum computers.

The CRYSTALS-Kyber algorithm can be applied for general encryption like password managers, and CRYSTALS-Dilithium, FALCON, and SPHINCS+ for digital signatures.

CRYSTALS-Kyber offers several advantages, including comparatively small encryption keys that can be easily exchanged between two parties and its speed of operation. It is designed to create secure websites and protect sensitive information from quantum attacks like Kyber-1024-90s.

Having the ability in KeePassXC to digitally sign documents, to establish identity, is also extremely useful.
