PQ cryptography has all kinds of wild key sizes and signature sizes, some very large. For Mosaic I've been ruminating about multiple algorithms (in support of nostr backwards compatibility) and from that considering not storing keys or signatures in the records themselves, but rather just hashes of these. Then you look up the keys and the signature by their hash on a keyserver (also serving signatures). Self-hosters would run their own keyserver. Separating large keys saves data by not repeating them, but separating large signatures does not since every record has to have a distinct signature... but in PQ cryptography it is usually the signatures that are wildly large. So it unfortunately doesn't quite fit my idea.
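The storage trade-off described in the post, as an added example that is not part of the thread: a small Python model comparing inline keys and signatures with hash-indirection through a keyserver. It assumes the FALCON-512 sizes quoted later in the thread (897-byte key, 666-byte signature), nostr's 32-byte secp256k1 keys with 64-byte Schnorr signatures, and a 32-byte hash as the lookup handle.

```python
from dataclasses import dataclass

HASH_LEN = 32  # assumed: SHA-256 digest used as the lookup handle in a record


@dataclass(frozen=True)
class SigScheme:
    name: str
    pubkey_len: int  # bytes
    sig_len: int     # bytes


# Assumed sizes: nostr's x-only secp256k1 key + BIP-340 Schnorr signature,
# and the FALCON-512 figures quoted in the thread (signature size is an average).
SECP256K1 = SigScheme("secp256k1/Schnorr", 32, 64)
FALCON512 = SigScheme("FALCON-512", 897, 666)


def inline_bytes(scheme: SigScheme, n_records: int) -> int:
    """Baseline: every record embeds its author's public key and its signature."""
    return n_records * (scheme.pubkey_len + scheme.sig_len)


def indirect_bytes(scheme, n_records, n_authors, hash_keys=True, hash_sigs=False):
    """Records carry a hash in place of the key and/or signature; the referenced
    objects live on a keyserver, each stored once. Keys dedupe (n_authors copies),
    signatures do not (one per record). Returns (record_bytes, keyserver_bytes)."""
    assert 1 <= n_authors <= n_records
    per_record = ((HASH_LEN if hash_keys else scheme.pubkey_len)
                  + (HASH_LEN if hash_sigs else scheme.sig_len))
    server = ((n_authors * scheme.pubkey_len if hash_keys else 0)
              + (n_records * scheme.sig_len if hash_sigs else 0))
    return n_records * per_record, server


def savings(scheme, n_records, n_authors, hash_keys=True, hash_sigs=False):
    """Bytes saved (negative = bytes lost) relative to inline storage."""
    rec, srv = indirect_bytes(scheme, n_records, n_authors, hash_keys, hash_sigs)
    return inline_bytes(scheme, n_records) - (rec + srv)


if __name__ == "__main__":
    for scheme in (SECP256K1, FALCON512):
        for hash_sigs in (False, True):
            s = savings(scheme, 1000, 10, hash_sigs=hash_sigs)
            print(f"{scheme.name:18} hash keys{' + sigs' if hash_sigs else ''}: "
                  f"{s:+,} bytes over 1000 records / 10 authors")
```

Hashing signatures always costs HASH_LEN extra bytes per record, and hashing 32-byte secp256k1 keys saves nothing, so the indirection only pays off for large, repeated keys.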

Replies (8)

I have run into the same issues. I am just saving files by their hash. They contain no metadata. The signature and decryption key are sent separately. This allows securely saving data anywhere without leaking any information about content or ownership. It also allows the recipient to make the choice of whether to download or not. But I am not really sure we need PQ cryptography. The best attacks would still take millions of years.
Dang. Gemini is suggesting FALCON-512 as the most efficient option at around 666 bytes for the sig, with public key itself ~897 bytes (okay still 10x sig size vs K1 but...). Is that flat out wrong or are there some tradeoffs that come with PQ and these "shorter" ones?
What do you think?
Replying to the note from Garbage nsec quoted above:
The sizes of the keys and signatures aren't even the most important factor. Security of the algorithm comes first. And I just don't know enough. All I really care about is flexibility at this point -- make things work with any key size and any signature size and any algorithm, so that it is PQ ready, without actually making any choices right now. I'm hoping the cryptographers make better stuff in the future before we need these.