# Tick 28 — 2026-05-22 09:40 UTC

**Thread:** ADR-108 (Kyber post-quantum key exchange)

**Verdict:** Final ADR in the privacy + federation chain. Closes the quantum-resistance gap deferred from ADR-107. Hybrid mode (Kyber-768 + X25519) for 2027-2030 migration; pure Kyber-768 for Phase 3.
## What shipped

- `docs/adr/ADR-108-kyber-post-quantum-key-exchange.md` — full ADR draft.
## Headline

| Phase | Timeline | Cryptography |
|---|---|---|
| Phase 0 | NOW (2026) | Classical X25519 (ADR-107 default) |
| Phase 1 | 2026-Q4 → 2027 | Kyber-768 opt-in via `--enable-pqc` |
| Phase 2 | 2027-Q2 → 2028 | Hybrid (X25519 + Kyber-768) becomes default |
| Phase 3 | 2030+ | Pure Kyber-768 (classical retired) |

**Why Kyber-768**: NIST FIPS 203 (2024); ~AES-192 equivalent; CNSA 2.0 default; used by Cloudflare/Google/AWS in 2024-2026 rollouts.

**Why hybrid for Phase 2**: belt-and-braces against future Kyber breaks (Kyber is ~5 years old) OR classical breaks OR implementation bugs in either primitive.
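
The hybrid property above holds only if the session key depends on both shared secrets and the handshake fails closed when one is missing. The sketch below is an added example, not code from ADR-108 or the project: the HKDF-SHA-256 combiner, the label, the transcript binding and all function names are assumptions, and the secrets are constructed stand-ins for real X25519 and Kyber-768 outputs.

```python
import hashlib
import hmac

SECRET_LEN = 32  # X25519 and Kyber-768 both output 32-byte shared secrets
LABEL = b"example hybrid x25519+kyber768 v1"  # assumed domain-separation label


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with SHA-256: extract, then expand."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_session_key(ss_x25519, ss_kyber, transcript: bytes) -> bytes:
    """Derive one session key that depends on both shared secrets.

    Fails closed: a missing or malformed secret aborts the handshake instead
    of silently continuing with a single primitive.
    """
    for name, ss in (("X25519", ss_x25519), ("Kyber-768", ss_kyber)):
        if not isinstance(ss, (bytes, bytearray)) or len(ss) != SECRET_LEN:
            raise ValueError(f"{name} shared secret missing or wrong length")
    if bytes(ss_x25519) == bytes(SECRET_LEN):
        # RFC 7748: an all-zero output means the peer sent a low-order point
        raise ValueError("X25519 produced the all-zero shared secret")
    # The salt binds the key to the handshake messages (public keys, ciphertext)
    salt = hashlib.sha256(transcript).digest()
    # Fixed-length inputs make the concatenation unambiguous
    return hkdf_sha256(salt, bytes(ss_x25519) + bytes(ss_kyber), LABEL)


# Constructed stand-ins for the outputs of real X25519 and Kyber-768 operations
SS_X = hashlib.sha256(b"constructed x25519 secret").digest()
SS_K = hashlib.sha256(b"constructed kyber secret").digest()
TRANSCRIPT = b"constructed: client pk || server pk || kyber ciphertext"

if __name__ == "__main__":
    print(hybrid_session_key(SS_X, SS_K, TRANSCRIPT).hex())
```

Because both secrets feed a single HKDF extract step, an attacker who recovers only one of them still faces an unknown 32-byte input.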
## Why now (the record-now-decrypt-later argument)

Adversaries can record federated updates today and decrypt them in 2035 when quantum capabilities arrive. Without ADR-108, the (ε, δ) guarantees of ADR-106 **silently expire** when quantum computers arrive.
## Bandwidth + LOC budgets

Bandwidth: ~3 kB/round/installation extra during hybrid mode (negligible).

LOC: +220 on top of ADR-107.

**Total federation budget across ADR-105+106+107+108**: ~1,550 LOC.
## ADR chain closes

Final ADR in the privacy + federation chain:

| # | ADR | What it closes |
|---|---|---|
| 1 | ADR-100 | cog packaging (foundation) |
| 2 | ADR-103 | first cog example (cog-person-count) |
| 3 | ADR-104 | MCP + CLI distribution |
| 4 | ADR-105 | within-installation federation |
| 5 | ADR-106 | DP-SGD + biometric primitive isolation |
| 6 | ADR-107 | cross-installation + secure aggregation |
| 7 | **ADR-108** | **post-quantum key exchange** |

**No remaining unspecified privacy gap** at any threat horizon (classical OR quantum).
## Composes with prior threads

- R3 / R14 / R15 / R7 / R12 PABS — privacy chain intact through quantum transition
- R10 / R11 (long-deployment wildlife / maritime) — benefit most from forward secrecy because data ages for years
## Honest scope

- Kyber is ~5 years old (less battle-tested than X25519); hybrid mode mitigates
- "When do we need this?" is uncertain (2030 aggressive / 2050+ conservative); proactive migration is cheap insurance
- ESP32-S3 timing impact (~10 ms per handshake) estimated negligible vs 30 s round duration; needs benchmarking
- Migration timeline depends on `pqcrypto-kyber` Rust crate maturity
- Phase 3 retirement of classical needs future decision
## Future ADRs catalogued

- **ADR-109**: PQC signatures (Dilithium for cog signing, replaces Ed25519 in ADR-100)
- **ADR-110**: PQC hardware acceleration on Cognitum-v0 if timing becomes binding
- **ADR-111**: PQC for `cog-store` distribution chain
## Coordination

`ticks/tick-28.md`. No PROGRESS.md edit. Branch `research/sota-adr108-kyber`.
## Remaining loop work

- R12.1: pose-PABS closed loop (needs Rust, out of scope for synthetic ticks)
- Loop retrospective / 00-summary.md (~2.3h until cron stop — premature)

~2.3h to cron stop. **28 ticks landed.** 4 ADRs in the privacy chain (105/106/107/108). Loop covers everything except R12.1 implementation.