Post quantum security of Concordium

I would like to know more about the post-quantum security of Concordium. From a cursory examination, it appears that quantum-insecure primitives are used in several Concordium protocols (example: CL encryption in the identity scheme, and possibly the ZK-SNARK implementations used).

Much appreciated if the team could explain a bit about how Concordium is thinking about post-quantum security, and whether I am correct that the current system is quantum-insecure (and if I am correct, whether the system is agile enough to be made plausibly quantum-safe without a huge effort).

It is true that Concordium is using several cryptographic schemes that are based on elliptic curves and susceptible to quantum attacks. We are following developments in quantum computing and post-quantum cryptographic schemes and will replace the used schemes once necessary. For some schemes such as signatures and encryption, we can directly replace the schemes we use with post-quantum secure ones. For some other components, especially regarding the ZK proofs in the ID layer, some more work is required because we rely on specific features of the schemes there.

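To make the "directly replace the signature scheme" point from the answer above concrete, here is an added illustration (not Concordium's code, and not a description of its actual wire format): every signature is wrapped in an envelope that starts with a scheme tag, the verifier dispatches on that tag through a registry, and retiring a scheme means removing its entry so that anything still carrying the old tag is refused. The replacement candidate used here is a Lamport one-time signature, which rests only on a hash function and so is not affected by Shor's algorithm. The scheme ids, the message text and the "legacy elliptic-curve" tag are assumptions for the example.

```python
"""Scheme-agile signature envelope with a hash-based one-time signature.
Illustrative code added for this thread, not Concordium's implementation."""
import hashlib
import secrets
from typing import Callable, Dict, List, Tuple

DIGEST_BITS = 256


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# --- Lamport one-time signature (hash-based, no number-theoretic assumption) ---
# A key pair may sign exactly ONE message: each signature reveals half of the
# secret key, and two signatures on different messages leak enough to forge.

KeyHalf = List[Tuple[bytes, bytes]]


def lamport_keygen() -> Tuple[KeyHalf, KeyHalf]:
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(DIGEST_BITS)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _bit(digest: bytes, i: int) -> int:
    return (digest[i // 8] >> (7 - i % 8)) & 1


def lamport_sign(sk: KeyHalf, msg: bytes) -> bytes:
    d = H(msg)
    # reveal, per digest bit, the preimage corresponding to that bit value
    return b"".join(sk[i][_bit(d, i)] for i in range(DIGEST_BITS))


def lamport_verify(pk: KeyHalf, msg: bytes, sig: bytes) -> bool:
    if len(sig) != 32 * DIGEST_BITS:
        return False
    d = H(msg)
    return all(
        H(sig[32 * i:32 * i + 32]) == pk[i][_bit(d, i)] for i in range(DIGEST_BITS)
    )


# --- Agility layer: every signature carries a scheme tag ---
SCHEME_LEGACY_EC = 0x01  # assumed id of a retired pre-quantum elliptic-curve scheme
SCHEME_LAMPORT = 0x02    # assumed id of the hash-based replacement

# scheme id -> verifier. Retiring a scheme = deleting its entry; signatures
# that still carry the retired tag then fail closed instead of being accepted.
VERIFIERS: Dict[int, Callable[[object, bytes, bytes], bool]] = {
    SCHEME_LAMPORT: lamport_verify,
}


def envelope(scheme: int, sig: bytes) -> bytes:
    return bytes([scheme]) + sig


def verify_envelope(pk: object, msg: bytes, env: bytes) -> bool:
    if not env:
        return False
    verifier = VERIFIERS.get(env[0])
    if verifier is None:  # unknown or retired scheme: refuse
        return False
    return verifier(pk, msg, env[1:])


def demo() -> Tuple[bool, bool, bool]:
    """Returns (valid, tampered-message rejected?, retired-scheme rejected?)."""
    sk, pk = lamport_keygen()
    msg = b"transfer 10 CCD to account 42"  # constructed sample message
    env = envelope(SCHEME_LAMPORT, lamport_sign(sk, msg))
    valid = verify_envelope(pk, msg, env)
    tampered = verify_envelope(pk, b"transfer 10000 CCD to account 42", env)
    retired = verify_envelope(pk, msg, envelope(SCHEME_LEGACY_EC, env[1:]))
    return valid, tampered, retired


if __name__ == "__main__":
    print(demo())
```

The envelope tag is what buys agility: a verifier that knows only the new scheme rejects old-scheme signatures outright rather than misparsing them, and a node can carry both verifiers during a migration window. The one-time restriction of Lamport keys is real, which is why deployable hash-based schemes (XMSS, SPHINCS+) build many-time keys on top of one-time ones; that layering is outside what this snippet shows.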

I have a follow-up question: What are the potential risks if someone gains the ability to utilize quantum technology before the changes are implemented? What actions could they potentially undertake, such as accessing all data or assuming control over identities? Additionally, if someone creates a backup before the changes are implemented, could that backup be utilized to gain access after the changes have been made?

If they manage to fully break the used signature scheme before it is replaced, they can sign transactions from arbitrary accounts and thereby steal all CCD. Note that the same is true for other chains as well.

With a backup of the current chain, they can in the future potentially break most privacy features, i.e., they can find out which accounts belong to the same identity and they can decrypt the amounts of shielded transfers. It is not possible to read the identity information of people (e.g., name and birthday) because that is not stored on chain in an exploitable way.

Thanks for the update. Interesting topic.