Description
There are three components necessary for a post-quantum Zcash:
- a plausibly post-quantum [PPQ] public key encryption scheme;
- reanalysis of symmetric crypto parameter choices against quantum attacks;
- a practical PPQ-zk-SNARK.
(For spend authorization, there are two options: use a PPQ signature scheme, or incorporate spend authorization fully into the SNARK circuit. So only the three components above are strictly necessary.)
The first of these is already available, for example using New Hope [edit: or CRYSTALS-Kyber as suggested below] key exchange in place of Curve25519 elliptic curve key exchange. A complication is that New Hope has larger public keys and larger ciphertexts (2048 bytes each; see section 7.1 of the New Hope paper). The public key size means that a New Hope key can't be encoded directly in an address, but that is not a fundamental obstacle: it might be possible to use an address registration protocol as described in #340, for example. The ciphertext size is quite large compared to the rest of a Pour description (and remember that we need two of them), but not totally impractical. Alternatively some other scheme may have shorter ciphertexts.
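The address-size problem above (a 2048-byte New Hope public key will not fit in an address the way a 32-byte Curve25519 key does) is the motivation for an address registration scheme. The sketch below is an added illustration, not code from the Zcash project and not the protocol from #340: it assumes the address carries only a 32-byte BLAKE2b commitment to the full post-quantum public key, the full key is published separately in a registry, and a sender re-derives the commitment before trusting what the registry hands back, so a registry serving a substituted key is detected rather than used. The registry, the `person` string and the random stand-in key bytes are all constructed for the example.

```python
import hashlib
import secrets

# Sizes quoted in the issue text: New Hope public keys and ciphertexts are
# 2048 bytes, versus 32 bytes for a Curve25519 public key.
PQ_PUBKEY_BYTES = 2048
ADDRESS_DIGEST_BYTES = 32
CURVE25519_PUBKEY_BYTES = 32


def address_from_pubkey(pq_pubkey: bytes) -> bytes:
    """Short address = 32-byte BLAKE2b commitment to the large PQ public key.

    The personalization string is a constructed domain separator so the
    commitment cannot collide with other BLAKE2b uses of the same key bytes.
    """
    if len(pq_pubkey) != PQ_PUBKEY_BYTES:
        raise ValueError("unexpected public key length")
    h = hashlib.blake2b(pq_pubkey, digest_size=ADDRESS_DIGEST_BYTES,
                        person=b"pq-addr-commit")
    return h.digest()


def register(registry: dict, pq_pubkey: bytes) -> bytes:
    """Publish the full key under its own commitment; return the address."""
    addr = address_from_pubkey(pq_pubkey)
    registry[addr] = pq_pubkey
    return addr


def lookup_verified(registry: dict, address: bytes) -> bytes:
    """Fetch the full key for an address and refuse anything that does not
    re-hash to the commitment the address already carries."""
    pq_pubkey = registry.get(address)
    if pq_pubkey is None:
        raise KeyError("address not registered")
    if address_from_pubkey(pq_pubkey) != address:
        raise ValueError("registry returned a key that does not match the address")
    return pq_pubkey


def address_overhead_ratio() -> float:
    """How much larger the raw PQ key is than what fits in a classical address."""
    return PQ_PUBKEY_BYTES / CURVE25519_PUBKEY_BYTES


if __name__ == "__main__":
    registry = {}
    pk = secrets.token_bytes(PQ_PUBKEY_BYTES)   # constructed stand-in key
    addr = register(registry, pk)
    assert lookup_verified(registry, addr) == pk
    print(f"address is {len(addr)} bytes; raw key is {address_overhead_ratio():.0f}x larger")
```

The commitment check is the security-relevant step: with it, the registry only needs to be available, not trusted, because the 32 bytes in the address already pin down the key the sender must use.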
For the PPQ-zk-SNARK, in principle the existence of one-way functions is sufficient for the existence of ZK proof systems. The issue is practicality: practical zk-SNARKs use pairing-based cryptography, and it is not clear whether or not that is available for PQ public key cryptosystems. [Edit 2024-02-05: this is no longer true; there are plenty of schemes that do not use pairings, some of which are PPQ.]
Note that even though lacking a PPQ-zk-SNARK means that arbitrary currency could be forged by a quantum attacker (if quantum computers are ever practical), there is still value in switching to a PPQ encryption scheme and ensuring that the symmetric parameter choices are sufficient. This is because a quantum attacker could otherwise break the Curve25519-based encryption (for known addresses) and obtain past transaction metadata.
It is also useful to reanalyse the symmetric parameter choices in order to check whether Zcash already achieves PPQ past privacy for payments to addresses that have been kept secret. [Edit: it does.] If this were the case then it would allow Zcash to be used now by people who require that property.
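The reanalysis of symmetric parameters that the issue calls for comes down to applying the known generic quantum speedups: Grover's algorithm halves the effective bit strength of key search and hash preimage search, and the BHT algorithm lowers collision finding from n/2 to n/3 bits, although BHT needs on the order of 2^(n/3) quantum-accessible memory, so many analyses keep n/2 as the practical bound. The checker below is an added example, not from the Zcash project; the list of primitives it evaluates is constructed and does not claim to describe Zcash's actual parameter choices.

```python
from dataclasses import dataclass


@dataclass
class Primitive:
    name: str
    bits: int          # key length for a cipher, output length for a hash
    role: str          # "key", "preimage" or "collision"


def classical_bits(p: Primitive) -> float:
    """Generic classical attack cost in bits for the primitive's role."""
    if p.role in ("key", "preimage"):
        return float(p.bits)            # brute force / preimage search
    if p.role == "collision":
        return p.bits / 2               # birthday bound
    raise ValueError(p.role)


def quantum_bits(p: Primitive, bht: bool = False) -> float:
    """Generic quantum attack cost in bits.

    Grover gives a square-root speedup on key and preimage search (n/2).
    For collisions, BHT reaches n/3 but with large quantum memory; with
    bht=False the more conservative-to-assume n/2 bound is reported.
    """
    if p.role in ("key", "preimage"):
        return p.bits / 2
    if p.role == "collision":
        return p.bits / 3 if bht else p.bits / 2
    raise ValueError(p.role)


def assess(primitives, target_bits: int = 128, bht: bool = False) -> list:
    """Return (name, classical, quantum, meets_target) for each primitive."""
    out = []
    for p in primitives:
        q = quantum_bits(p, bht=bht)
        out.append((p.name, classical_bits(p), q, q >= target_bits))
    return out


# Constructed sample set; not a statement about Zcash's real parameters.
SAMPLE = [
    Primitive("256-bit AEAD key", 256, "key"),
    Primitive("256-bit hash, preimage", 256, "preimage"),
    Primitive("256-bit hash, collision", 256, "collision"),
    Primitive("128-bit key", 128, "key"),
]

if __name__ == "__main__":
    for name, c, q, ok in assess(SAMPLE, bht=True):
        print(f"{name:28s} classical={c:6.1f}  quantum={q:6.1f}  ok={ok}")
```

Run with `bht=True` to see the pessimistic view: a 256-bit hash's collision resistance drops to about 85 bits, below a 128-bit post-quantum target, while a 256-bit key and 256-bit preimage resistance both still sit at 128 bits. A 128-bit key falls to 64 bits under Grover, which is the kind of parameter the reanalysis is meant to catch.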