Is SRP-6a post-quantum secure? If it is not post-quantum secure, do any post-quantum secure alternatives similar to SRP-6a exist?
2 Answers
4
No, since finding $a$ allows offline checking of passwords.

No, although I can't back this part up.
2
The problem arises from the fact that the security of the SRP protocol heavily relies on the hardness of the discrete logarithm problem. And as was shown by Shor, the discrete logarithm problem can be broken by quantum computers in the near future.
Post-Quantum Secure Remote Password Protocol from RLWE Problem describes one possible solution using an RLWE-based SRP protocol (RLWE-SRP) which inherits the advantages from SRP and the elegant design from an RLWE key exchange. Additionally, the reference implementation of the protocol is said to be significantly faster than the original SRP for 112 bits of security.
Itay Grudev
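The point made in both answers, as an added example that is not part of either answer: once the discrete logarithm $a$ of the client's public value $A$ can be computed, every password guess can be tested offline against one recorded SRP-6a transcript. The toy group, the simplified hash encoding and proof `M1 = H(A, B, H(S))`, the sample credentials, and the baby-step giant-step routine standing in for Shor's algorithm are all assumptions made for the illustration.

```python
import hashlib, math, secrets

# Toy parameters (constructed): N = 2^31 - 1 is prime and 7 generates its
# multiplicative group, but N is far too small for real use and is not a safe prime.
N, g = 2**31 - 1, 7

def H(*parts):
    """SHA-256 over the parts joined with '|', as an integer (simplified encoding)."""
    data = "|".join(str(p) for p in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

k = H(N, g)  # SRP-6a multiplier

def client_proof(a, B, salt, user, password):
    """Client-side SRP-6a math: S = (B - k*g^x)^(a + u*x), M1 = H(A, B, H(S))."""
    A = pow(g, a, N)
    x, u = H(salt, user, password), H(A, B)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return H(A, B, H(S))

def discrete_log(target):
    """Baby-step giant-step; classical stand-in for Shor's algorithm on a tiny group."""
    m = math.isqrt(N) + 1
    baby = {pow(g, j, N): j for j in range(m)}
    step, gamma = pow(g, -m, N), target
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % N
    raise ValueError("no discrete log found")

def offline_check(user, salt, A, B, M1, candidates):
    """Test password guesses against one recorded transcript, with no server contact."""
    a = discrete_log(A)
    return [p for p in candidates if client_proof(a, B, salt, user, p) == M1]

def demo():
    user, salt, password = "alice", "constructed-salt", "correct horse"
    v = pow(g, H(salt, user, password), N)            # verifier stored by the server
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A, B = pow(g, a, N), (k * v + pow(g, b, N)) % N   # values visible on the wire
    M1 = client_proof(a, B, salt, user, password)     # client proof, also on the wire
    return offline_check(user, salt, A, B, M1, ["123456", "letmein", "correct horse"])

if __name__ == "__main__":
    print(demo())
```

With a real SRP group the `discrete_log` step is what remains classically infeasible; the rest of the check uses only values an eavesdropper already sees.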