This request was originally added as an issue under the 'element-web' repo (/vector-im/element-web); they advised that it should be moved here.
Original Request URL - element-hq/element-web#19835
Going to republish my original request below for convenience.
Upgrading Cryptographic Scheme for Matrix - Feasibility?
Recently, the NSA deprecated 128-bit strength cryptography (secp256k1 specifically; I think the NIST SP reference still recommends ed25519).
This isn't something that I believe is an impending security issue but it does fall in line with the overall ethos of Matrix, which is to provide an unprecedented and unrivaled level of security in their chat app.
First Proposal - Intermediate Upgrade
At some point in the not so distant future, it is expected that there will be a mass migration to some of the quantum-resistant ciphers we saw appear in the NIST's PQC competition (now in its 3rd round). Putting speculation about quantum computers to the side, there have been many other advances in cryptanalysis and computing in general that seem to put 128-bit security in question in the longer-term.
The most recent Suite B published by NSA dropped sha256 and secp256k1. While ed25519 is not secp256k1, the removal of sha256 alongside the latter led me to wonder if the NSA felt that 128-bit strength cryptography was no longer sufficient to secure data & communications vs. simply having misgivings about secp256k1. I am aware that there are properties specific to the secp256k1 algorithm that make it uniquely susceptible to cryptanalytic attacks (i.e., 'nonce leakage'), in a way that ed25519 is not. However, this is not the case with sha256.
It's hard for me to justify that the deprecation of sha256 was done in preparation for quantum-capable computers in the near term or future, since there is no perceptible advantage quantum computers will have when it comes to attempting to 'crack' the hash (the biggest fear comes from the potential destruction of ecdh + pki schemes).
This Has to be Done at Some Point Anyway
It's obviously up for debate whether this must be done now. Many would likely argue that there is no impending risk at this very point in time. But there is a virtually unanimous consensus that these cryptographic schemes will need to be swapped out at some point in the not so distant future (likely before the end of the decade, if not sooner).
When it's too late, it's too late, obviously. That statement isn't meant to fearmonger at all but rather to emphasize the greater point that even if this is done prematurely, it won't be for naught. Also, getting the ball rolling on this earlier will allow time for proper testing, feedback, further ideas etc.; nobody wants to be swapping out cryptographic algorithms with a gun to their heads, so to speak.
Willing to Work on This Implementation Independently
If the team feels this proposal is interesting but is swamped with work, I'd be more than happy to give this a swing under appropriate guidance.
Please advise whenever you all get a chance. Great job with this project overall though - Matrix is something we needed in the open source community & hopefully it is here to stay for a very long time.