Christopher Patton

141 Followers
102 Following
150 Posts
Cryptography at Cloudflare Research

People working on post-quantum-proofing vulnerable encryption protocols (and curious onlookers) can find lots of value in this new post from Cloudflare. It discusses the herculean engineering challenges of revamping anonymous credentials that will be broken by a quantum computer. There's a growing need for this kind of privacy (for instance to make digital driver's licenses privacy-preserving), which allows individuals to prove specific facts, like they have had a driver's license for more than 3 years, without divulging personal information like their birthday or place of birth. The long and short of the challenge is that engineers can't simply drop quantum-resistant algorithms into AC protocols that currently use vulnerable ones. Instead, engineers will need to collaborate with standards bodies that build entirely new protocols, largely from scratch. The post goes on to name a few of the most promising approaches.

https://blog.cloudflare.com/pq-anonymous-credentials/

Policy, privacy and post-quantum: anonymous credentials for everyone

The world is adopting anonymous credentials for digital privacy, but these systems are vulnerable to quantum computers. This post explores the cryptographic challenges and promising research paths toward building new, quantum-resistant credentials from the ground up.

The Cloudflare Blog

DATE CHANGE: Now on Tuesday July 25th!

Talking about the internet with cats next week. Books Inc in Mountain View is kindly hosting a book talk for How the Internet Really Works @nostarch

knuckle tats: fiat-crypto
He's just Ken

The (very early stage) draft of Merkle Tree Certificates is worth a read if you haven't already: https://www.ietf.org/id/draft-davidben-tls-merkle-tree-certs-00.html

The idea is to store domain name<->public key bindings in a Merkle tree, mirrored by browser vendors or other designated entities to clients and other interested parties. TLS servers are authenticated via a proof of membership in one of these Merkle trees, instead of via a bunch of signatures in an X.509 certificate chain -- which are huge in a postquantum world. This new form of authentication only works for certain types of clients and certain types of situations, so the whole thing falls back to traditional X.509 certificate chains otherwise. You can think of it as a PKI designed from scratch, with CAs and CT smooshed into one system, as an optimization layer on top of today's web PKI.

The main motivation is postquantum cryptography; PQ signatures are huge and this scheme allows a client to verify a domain name <-> public key association with 0 signatures. The Merkle tree proof is no bigger in a PQ world. There are lots of other interesting properties that MTCs let us explore too, like being able to negotiate trust anchors -- that is, a client can signal which CAs it supports and the server can authenticate itself in a way that works with those supported CAs. In contrast, today a server has to configure a single certificate to work with all clients it wants to support. This part isn't fully fleshed out yet but it's exciting. It's a great time to give feedback on the draft.

All credit to my colleagues David Benjamin and Devon O'Brien!

Merkle Tree Certificates for TLS

This document describes Merkle Tree certificates, a new certificate type for use with TLS. A relying party that regularly fetches information from a transparency service can use this certificate type as a size optimization over more conventional mechanisms with post-quantum signatures. Merkle Tree certificates integrate the roles of X.509 and Certificate Transparency, achieving comparable security properties with a smaller message size, at the cost of more limited applicability.
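To make the "0 signatures" point above concrete, here is an added example (my own illustration, not code from the draft, the post, or its authors) of the mechanism it describes: a Merkle tree over domain name <-> public key bindings, an inclusion proof the server would present, and the client-side check, which needs only the tree head it already holds from a trusted mirror and involves no signature verification at all. The tree shape and verification loop follow the RFC 6962 / RFC 9162 Certificate Transparency construction; the leaf encoding, the sample bindings and the placeholder "keys" are constructed here and do not reproduce the draft's own formats. The `0x00`/`0x01` prefixes are the domain separation that stops an internal node hash from being passed off as a leaf, which is the check a practitioner should look for in any tree of this kind.

```python
# Added example: RFC 6962-style Merkle tree over (domain, public key) bindings
# with inclusion proofs. Encodings and sample data are constructed for
# illustration and are not the Merkle Tree Certificates draft's own formats.
import hashlib

LEAF_PREFIX = b"\x00"  # domain separation: leaf hashes ...
NODE_PREFIX = b"\x01"  # ... versus internal node hashes


def hash_leaf(domain: str, spki: bytes) -> bytes:
    """Hash one binding. Length-prefixing the domain keeps ("a", b"bc") and
    ("ab", b"c") from colliding. Constructed encoding, not the draft's."""
    d = domain.encode("ascii")
    return hashlib.sha256(LEAF_PREFIX + len(d).to_bytes(2, "big") + d + spki).digest()


def hash_node(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def _split(n: int) -> int:
    # Largest power of two strictly less than n (n >= 2), as in RFC 6962.
    return 1 << ((n - 1).bit_length() - 1)


def tree_head(leaf_hashes: list[bytes]) -> bytes:
    """Root hash of the tree; this is what a client holds from a trusted mirror."""
    n = len(leaf_hashes)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hashes[0]
    k = _split(n)
    return hash_node(tree_head(leaf_hashes[:k]), tree_head(leaf_hashes[k:]))


def inclusion_proof(leaf_hashes: list[bytes], index: int) -> list[bytes]:
    """Sibling hashes from the leaf up to the root: what a server would present."""
    n = len(leaf_hashes)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(leaf_hashes[:k], index) + [tree_head(leaf_hashes[k:])]
    return inclusion_proof(leaf_hashes[k:], index - k) + [tree_head(leaf_hashes[:k])]


def verify_inclusion(leaf_hash: bytes, index: int, size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """Client-side check (RFC 9162 inclusion-proof algorithm): only hashing,
    zero signature verifications, constant size regardless of signature scheme."""
    if index >= size:
        return False
    fn, sn, r = index, size - 1, leaf_hash
    for p in proof:
        if sn == 0:
            return False  # proof is longer than the tree allows
        if fn & 1 or fn == sn:
            r = hash_node(p, r)
            if not fn & 1:
                while fn != 0 and not fn & 1:
                    fn >>= 1
                    sn >>= 1
        else:
            r = hash_node(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


# Constructed sample bindings; the "keys" are placeholders, not real SPKIs.
BINDINGS = [
    ("example.com", b"spki-example-com"),
    ("example.net", b"spki-example-net"),
    ("example.org", b"spki-example-org"),
    ("cloudflare.test", b"spki-cloudflare-test"),
    ("ietf.test", b"spki-ietf-test"),
]


def demo(index: int = 4) -> dict:
    """Build the tree, prove one binding, and show a swapped key or index fails."""
    leaves = [hash_leaf(d, k) for d, k in BINDINGS]
    root = tree_head(leaves)
    proof = inclusion_proof(leaves, index)
    domain, key = BINDINGS[index]
    n = len(leaves)
    return {
        "proof_len": len(proof),
        "valid": verify_inclusion(hash_leaf(domain, key), index, n, proof, root),
        "wrong_key": verify_inclusion(hash_leaf(domain, b"attacker-key"), index, n, proof, root),
        "wrong_index": verify_inclusion(hash_leaf(domain, key), (index + 1) % n, n, proof, root),
    }


if __name__ == "__main__":
    print(demo())
```

The proof for a tree of five bindings is one to three 32-byte hashes depending on the leaf's position, and that size does not change when the underlying PKI moves to post-quantum signatures; the signatures live on the tree head distributed out of band, not in the handshake.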

**BREAKING NEWS TOMORROW**

-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHRsb2NrIDEyNjc2MjEgZGJkNTA2ZDZl
Zjc2ZTVmMzg2ZjQxYzY1MWRjYjgwOGM1YmNiZDc1NDcxY2M0ZWFmYTNmNGRmN2Fk
NGU0YzQ5MwpvNUN5UkpLcWpVQ1pSR0hHTGtpdFJ0cCtOSi9ER2p5VlpLRExYOTlH
aUdqd3dtbUR3TjBPSXZjU1BaVkY4TUVpCkVFNFlrNmZmbHljcXFVWUNPcFlHM3Zs
UnkzRlVRdElHcmJ0VEtVSHpueThqbEkzYlJDN3hUd0xZQ3pBM09ZN0QKaW1kOGZ4
WnVEWGJPb0JIbHVnWXlzcnZsMm41c08yUVRPSlJCa2NYQTdIRQotLS0gOTg5NmVv
b1ZkZ2p1WnNTRkUvZXdjZWtISzNQRmxtcXQ0ZTdSVGVZcDBKOApXCVBzeM1r6FgE
Jd8YtcjJqMC60waCEn0bJzvJ4XlmbViL83Y/UcWk0svUJdQ=
-----END AGE ENCRYPTED FILE-----

https://timevault.drand.love/

Timevault

I actually went through this process three times and sent the three candidates to the RFC editor on March 24 for them to pick.

The other two topics that ChatGPT picked were:
* The AI Self-Awareness Protocol: Towards Conscious Machines
* AI-Generated Pranks Protocol (AIPP)

In case folks are interested, I've put the Markdown for all three on GitHub:

https://github.com/bifurcation/rfc9405

8/n

GitHub - bifurcation/rfc9405: A ChatGPT-generated April 1 RFC

A ChatGPT-generated April 1 RFC. Contribute to bifurcation/rfc9405 development by creating an account on GitHub.

GitHub
is the danger zone near the neutral zone
MPC sorting is a cool looking problem.
It's good to think a little beyond your formal model. Cryptography can and should provide defense-in-depth.