There seem to be only two good answers, 1 and 3. Kyber doesn't look good to me. Forward security seems important.
Conversation
Notices
-
Refurio Anachro (refurioanachro@toot.cat)'s status on Tuesday, 21-Feb-2023 03:59:46 JST 
Refurio Anachro
-
Aral Balkan (aral@mastodon.ar.al)'s status on Tuesday, 21-Feb-2023 03:59:45 JST 
Aral Balkan
@RefurioAnachro Sadly, given it’s a web-based system where nodes may be hosted on untrusted servers (ie., at a VPS host), forward secrecy is a property it cannot provide. (It’s definitely not for folks targeted by state level actors but an attempt to raise the cost of mass surveillance and break folks out of de facto corporate surveillance.)
-
Aral Balkan (aral@mastodon.ar.al)'s status on Tuesday, 21-Feb-2023 04:41:53 JST
Aral Balkan
@RefurioAnachro Indeed. But those keys have to be kept somewhere so messages can be decrypted in the future by the recipients (unless we’re talking about one-time view messages with ephemeral keys). On an app like Signal, you can persist them on the device. In a web browser, you don’t have the same guarantee. Especially after Apple decided they’d periodically nuke local storage in the name of “privacy” (https://ar.al/2020/03/25/apple-just-killed-offline-web-apps-while-purporting-to-protect-your-privacy-why-thats-a-bad-thing-and-why-you-should-care/) – almost as if they had an app store to protect or something 🤔
-
Refurio Anachro (refurioanachro@toot.cat)'s status on Tuesday, 21-Feb-2023 04:41:57 JST
Refurio Anachro
That doesn't sound like an argument against forward security. Of course, I have no idwa what you mean, so I'm not saying you're not right.
Just to be safe, forward security is the idea to do regular key exchanges (e.g. Diffie-Hellman), authenticated by the existing keypairs, so that even if their private keys get compromised in the future, the attacker still can't read old messages, whose keys never went over the wire, and have long been erased.
-
All 076萌SNS content and data are available under the