Post Quantum Cryptography

https://access.redhat.com/blogs/766093/posts/3031361?sc_cid=7016000000127ECAAY

The SSL/TLS protocol uses RSA, Diffie-Hellman (DH) or Elliptic Curve Diffie-Hellman (ECDH) primitives for the key exchange algorithm.

RSA is based on the fact that when given a product of two large prime numbers, factorizing the product (which is the public key) is computationally intensive, but a quantum computer could efficiently solve this problem using Shor’s algorithm. Similarly, DH and ECDH key exchanges could all be broken very easily using sufficiently large quantum computers.

For symmetric ciphers, the story is slightly different. It has been proven that applying Grover’s algorithm the strength of symmetric key lengths are effectively halved: AES-256 would have the same security against an attack using Grover’s algorithm that AES-128 has against classical brute-force search. Hashes are also affected in the same way symmetric algorithms are.

Therefore, we need new algorithms which are more resistant to quantum computations. This article introduces you to 5 proposals, which are under study.

228 Comments

  1. Tomi Engdahl says:

    The Register® — Biting the hand that feeds IT

    RESEARCH
    Actual quantum computers don’t exist yet. The cryptography to defeat them may already be here
    NIST pushes ahead with CRYSTALS-KYBER, CRYSTALS-Dilithium, FALCON, SPHINCS+ algorithms
    https://www.theregister.com/2022/07/05/nist_quantum_resistant_algorithms/

    Reply
  2. Tomi Engdahl says:

    NIST Announces First Four Quantum-Resistant Cryptographic Algorithms
    https://thehackernews.com/2022/07/nist-announces-first-four-quantum.html

    Reply
  3. Tomi Engdahl says:

    The cryptopocalypse is nigh! NIST rolls out new encryption standards to prepare
    Decision will be binding on many companies and change the way they protect your data.
    https://arstechnica.com/information-technology/2022/07/nist-selects-quantum-proof-algorithms-to-head-off-the-coming-cryptopocalypse/

    Reply
  4. Tomi Engdahl says:

    What Is the Future of Quantum-Proof Encryption? Bright, according to officials at NIST’s Post-Quantum Cryptography program
    https://spectrum.ieee.org/post-quantum-cryptography-nist?share_id=7130297

    On Tuesday, the National Institute of Standards and Technology (NIST) announced its first quantum-resistant algorithms—new encryption that will become the standard to guard against attacks by quantum computers, which are not yet here. The four algorithms are CRYSTALS-Kyber, for general encryption, and three schemes for digital encryption: CRYSTALS-Dilithium, FALCON, and SPHINCS+.

    Reply
  5. Tomi Engdahl says:

    Single-Core PC Breaks Post-Quantum Encryption Candidate Algorithm in One Hour
    By Francisco Pires published about 8 hours ago
    Defeating next-gen quantum cryptography with pure math.
    https://www.tomshardware.com/news/single-core-pc-breaks-post-quantum-encryption-candidate-algorithm-in-one-hour

    Reply
  6. Tomi Engdahl says:

    Quantum Computing Forces New Public-Key Cryptography Standard
    July 7, 2022
    NXP helps standardize the next-generation of public-key security in a post-quantum cryptography world.
    https://www.electronicdesign.com/technologies/embedded-revolution/video/21245977/electronic-design-quantum-computing-forces-new-publickey-cryptography-standard?utm_source=EG+ED+Auto+Electronics&utm_medium=email&utm_campaign=CPS220713123&o_eid=7211D2691390C9R&rdx.identpull=omeda|7211D2691390C9R&oly_enc_id=7211D2691390C9R

    Securing data is very important these days, and public key encryption is one of the methods that’s used all over the place. I spoke with Joppe Bos, Senior Principal Cryptographer at NXP, about a recent announcement by National Institute of Standards and Technology (NIST) and NXP regarding the next-generation CRYSTALS-Kyber algorithm. It’s designed for the post-quantum world where quantum computers can break current encryption in minutes. This process has taken many years to complete, and it will take many more to get new systems up to spec

    Reply
  7. Tomi Engdahl says:

    In cryptography, post-quantum cryptography (sometimes referred to as quantum-proof, quantum-safe or quantum-resistant) refers to cryptographic algorithms (usually public-key algorithms) that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with currently popular algorithms is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor’s algorithm.

    SOURCE: https://en.wikipedia.org/wiki/Post-quantum_cryptography

    Reply
  8. Tomi Engdahl says:

    Kvanttisalaus sai ensimmäiset algoritminsa
    https://etn.fi/index.php?option=com_content&view=article&id=13782&via=n&datum=2022-07-15_15:03:17&mottagare=30929

    Yhdysvaltain kauppaministeriön alainen standardointijärjestö NIST (National Institute of Standards and Technology) on valinnut ensimmäisen ryhmän salaustyökaluja, jotka on suunniteltu kestämään tulevat kvanttitietokoneiden hyökkäykset. Neljästä valitusta salausalgoritmista tulee osa NIST:n kvanttisalausstandardia, jonka odotetaan valmistuvan seuraavan kahden vuoden aikana.

    Reply
  9. Tomi Engdahl says:

    Senators Introduce Quantum Encryption Preparedness Law https://www.infosecurity-magazine.com/news/senators-quantum-encryption-law/
    A bill to help secure US government cryptographic systems against attack from quantum computers has passed the House and has now advanced to the Senate. The Quantum Computing Cybersecurity Preparedness Act introduces requirements for federal agencies to identify systems using cryptography and prioritize them for migration.

    Reply
  10. Tomi Engdahl says:

    Post-quantum cryptography hits standardization milestone https://portswigger.net/daily-swig/post-quantum-cryptography-hits-standardization-milestone
    The first four standardized protocols for post-quantum cryptography have been unveiled, laying the foundations for the development of apps and web technologies that incorporate “future proof” encryption. An ongoing standardization process led by the US federal government’s National Institute of Standards and Technology (NIST) last week resulted in the announcement of a quartet of preferred protocols. The selected encryption algorithms will become part of NIST’s post-quantum cryptographic standard, expected to be finalized over the next two years. Four additional algorithms are still under consideration for inclusion in the standard. NIST said in a statement that it recommends two primary algorithms to be implemented for most use cases:
    CRYSTALS-KYBER (key-establishment) and CRYSTALS-Dilithium (digital signatures). More than one algorithm for each use case is being sought as backup in the event one or other approach proves vulnerable.

    Reply
  11. Tomi Engdahl says:

    NISTs Post-Quantum Cryptography Standards https://www.schneier.com/blog/archives/2022/08/nists-post-quantum-cryptography-standards.html
    Quantum computing is a completely new paradigm for computers. A quantum computer uses quantum properties such as superposition, which allows a qubit (a quantum bit) to be neither 0 nor 1, but something much more complicated. In theory, such a computer can solve problems too complex for conventional computers. Current quantum computers are still toy prototypes, and the engineering advances required to build a functionally useful quantum computer are somewhere between a few years away and impossible. Even so, we already know that that such a computer could potentially factor large numbers and compute discrete logs, and break the RSA and Diffie-Hellman public-key algorithms in all of the useful key sizes.

    Reply
  12. Tomi Engdahl says:

    Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath https://research.nccgroup.com/2022/08/08/implementing-the-castryck-decru-sidh-key-recovery-attack-in-sagemath/
    Last weekend (July 30th) a truly incredible piece of mathematical/cryptanalysis research was put onto eprint. Wouter Castryck and Thomas Decru of KU Leuven published a paper An efficient key recovery attack on SIDH (preliminary version) describing a new attack on the Supersingular Isogeny Diffie-Hellman (SIDH) protocol together with a corresponding proof-of-concept implementation. SIDH is at the core of the Post-Quantum key encapsulation mechanism SIKE, which was expected to continue to round four of the NIST Post-Quantum Project for consideration of standardisation. The paper says that their proof of concept code can break the proposed NIST level 1 parameters (supposedly approximating security on-par with AES-128) in an hour of single core computation, and the strongest parameter set in less than 24 hours.

    Reply
  13. Tomi Engdahl says:

    Experiment with post-quantum cryptography today
    https://blog.cloudflare.com/experiment-with-pq/

    Practically all data sent over the Internet today is at risk in the future if a sufficiently large and stable quantum computer is created. Anyone who captures data now could decrypt it.

    Luckily, there is a solution: we can switch to so-called post-quantum (PQ) cryptography, which is designed to be secure against attacks of quantum computers. After a six-year worldwide selection process, in July 2022, NIST announced they will standardize Kyber, a post-quantum key agreement scheme. The standard will be ready in 2024, but we want to help drive the adoption of post-quantum cryptography.

    Today we have added support for the X25519Kyber512Draft00 and X25519Kyber768Draft00 hybrid post-quantum key agreements to a number of test domains, including pq.cloudflareresearch.com.

    Reply
  14. Tomi Engdahl says:

    Kvanttisalaus sai ensimmäiset algoritminsa
    https://etn.fi/index.php?option=com_content&view=article&id=13782&via=n&datum=2022-07-15_15:03:17&mottagare=30929

    Yhdysvaltain kauppaministeriön alainen standardointijärjestö NIST (National Institute of Standards and Technology) on valinnut ensimmäisen ryhmän salaustyökaluja, jotka on suunniteltu kestämään tulevat kvanttitietokoneiden hyökkäykset. Neljästä valitusta salausalgoritmista tulee osa NIST:n kvanttisalausstandardia, jonka odotetaan valmistuvan seuraavan kahden vuoden aikana.

    Ensimmäisten algoritmien valinta on tärkeä virstanpylväs arkaluonteisten tietojen turvaamisessa. Kvanttikoneiden muodostamaan uhkaan viitataan usein termillä kvanttiuhka. Tällä hetkellä kvanttiuhka tarkoittaa, että kvanttikone murtaa kaikki 128-bittisen julkiseen avaimeen perustuvat salaukset kahden vuoden sisällä. Monen analyytikon mukaan NIST-standardi valmistuu auttamattomasti myöhässä.

    Reply
  15. Tomi Engdahl says:

    NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC
    https://www.securityweek.com/nist-post-quantum-algorithm-finalist-cracked-using-classical-pc

    An algorithm submitted to the NIST post-quantum encryption competition – and one that made it to the fourth round – has been defeated. The algorithm, Supersingular Isogeny Key Encapsulation (SIKE), was broken by Wouter Castryck and Thomas Decru at KU Leuven, and the process described in a paper written at the end of July 2022.

    Cryptographers are not surprised by such an event; but security leaders concerned about their ability to protect secrets after the arrival of quantum computers, need to consider the implications.

    The defeat of SIKE follows a key recovery attack on the Supersingular Isogeny Diffie-Hellman key exchange protocol and its instantiation as SIKE in the NIST competition. The attack is based on the ‘glue and split’ theorem developed in 1997 by mathematician Ernst Kani.

    The attack was run on a single classical computer – specifically an Intel Xeon CPU. “Ran on a single core, the appended Magma code breaks the Microsoft SIKE challenges… in about 4 minutes and 6 minutes, respectively. A run on the SIKE parameters, previously believed to meet NIST’s quantum security level 1, took about 62 minutes, again on a single core.”

    This defeat effectively eliminates SIKE from the NIST competition, but it doesn’t necessarily prevent the algorithm from being modified and returned to the competition.

    AN EFFICIENT KEY RECOVERY ATTACK ON SIDH
    (PRELIMINARY VERSION)
    https://eprint.iacr.org/2022/975.pdf

    Reply
  16. Tomi Engdahl says:

    Amazon, IBM Move Swiftly on Post-Quantum Cryptographic Algorithms Selected by NIST
    A month after the algorithms were revealed, some companies have already begun incorporating the future standards into their products and services.
    https://www.darkreading.com/dr-tech/amazon-ibm-move-swiftly-on-post-quantum-cryptographic-algorithms-selected-by-nist

    Reply
  17. Tomi Engdahl says:

    Preparing Critical Infrastructure for Post-Quantum Cryptography https://www.cisa.gov/uscert/ncas/current-activity/2022/08/24/preparing-critical-infrastructure-post-quantum-cryptography
    CISA has released CISA Insights: Preparing Critical Infrastructure for Post-Quantum Cryptography, which outlines the actions that critical infrastructure stakeholders should take now to prepare for their future migration to the post-quantum cryptographic standard that the National Institute of Standards and Technology (NIST) will publish in 2024. = CISA strongly urges critical infrastructure stakeholders follow the recommendations in the Insights now to ensure a smooth migration to the post-quantum cryptography standard. . = File: . = https://www.cisa.gov/sites/default/files/publications/cisa_insight_post_quantum_cryptography_508.pdf

    Reply
  18. Tomi Engdahl says:

    CISA Urges Critical Infrastructure to Prepare for Post-Quantum Cryptography
    https://www.securityweek.com/cisa-urges-critical-infrastructure-prepare-post-quantum-cryptography

    The US Cybersecurity and Infrastructure Security Agency (CISA) has outlined the steps that critical infrastructure organizations should take to prepare for the migration to the new post-quantum cryptographic standard.

    The National Institute of Standards and Technology (NIST) is expected to publish the standard in 2024, but CISA urges stakeholders to prepare in advance, citing potential risks from quantum computing to the entire critical infrastructure.

    Quantum computers use qubits, or ‘quantum bits’, to deliver higher computing power and speed in certain scenarios, including solving mathematical problems that the current encryption standards rely on.

    As such, quantum computing is expected to become a threat to current cryptographic standards, which support network security and also ensure data confidentiality and integrity.

    “In the hands of adversaries, sophisticated quantum computers could threaten U.S. national security if we do not begin to prepare now for the new post-quantum cryptographic standard,” CISA says.

    Reply
  19. Tomi Engdahl says:

    CISA: Prepare now for quantum computers, not when hackers use them https://www.bleepingcomputer.com/news/security/cisa-prepare-now-for-quantum-computers-not-when-hackers-use-them/
    Although quantum computing is not commercially available, CISA (Cybersecurity and Infrastructure Security Agency) urges organizations to prepare for the dawn of this new age, which is expected to bring groundbreaking changes in cryptography, and how we protect our secrets.

    Reply
  20. Tomi Engdahl says:

    How to take quantum cryptography mainstream
    New systems promise widespread secure quantum communication by using cost-effective detectors that monitor for telltale noise in properties of optical signals sent along standard communication fibres.
    https://www.nature.com/articles/d42473-022-00104-2

    Reply
  21. Tomi Engdahl says:

    Quantum infrastructure hits the encryption market
    Toshiba is releasing its first commercial quantum key distribution system, capable of supporting city- and national-scale quantum-secured communication.
    https://www.nature.com/articles/d42473-022-00133-x?utm_source=facebook&utm_medium=social&utm_campaign=HSCR_FOCAL_ENGM_GL_CEAP_ToSHB_CF-Phot22&fbclid=IwAR2221rraAAEiHCOhz9dUJaiUmfy3UKLG764Cn9WiBn6gL6XCQaHdwHzcF0

    Reply
  22. Tomi Engdahl says:

    Laiteriippumatonta kvanttiavainten jakelua
    https://www.nanobitteja.fi/uutiset.html?215050

    Kolme koetta osoittaa kvanttisalausjärjestelmän avainelementit, joiden ennusteiden mukaan pitäisi olla hakkeroitumattomia, mikä tuo kvanttisalaustekniikoiden lupauksen askeleen lähemmäksi todellisuutta.

    Kvanttiavainjakelun (QKD) turvallisuus perustuu yleensä siihen, että käyttäjien laitteet on hyvin karakterisoitu turvatodistuksessa tehtyjen turvamallien mukaisesti. Sitä vastoin laiteriippumaton (DIQKD) – lomittumiseen perustuva protokolla – sallii suojauksen jopa ilman tietoa taustalla olevista kvanttilaitteista. Huolimatta teorian kauneudesta, laiteriippumaton QKD on vaikea toteuttaa nykytekniikalla.

    Reply
  23. Tomi Engdahl says:

    “In my opinion, quantum practicality is likely still 10 to 15 years away. However, progress toward that goal is not just steady; it’s accelerating.”

    Disentangling the Facts From the Hype of Quantum Computing IEEE Quantum Week is a chance to celebrate progress and acknowledge the challenges
    https://spectrum.ieee.org/ieee-quantum-week?share_id=7228601&socialux=facebook&utm_campaign=RebelMouse&utm_content=IEEE+Spectrum&utm_medium=social&utm_source=facebook#toggle-gdpr

    Few fields invite as much unbridled hype as quantum computing. Most people’s understanding of quantum physics extends to the fact that it is unpredictable, powerful, and almost existentially strange. A few years ago, I provided IEEE Spectrum an update on the state of quantum computing and looked at both the positive and negative claims across the industry. And just as back in 2019, I remain enthusiastically optimistic today. Even though the hype is real and has outpaced the actual results, much has been accomplished over the past few years.

    First, let’s address the hype.

    Over the past five years, there has been undeniable hype around quantum computing—hype around approaches, timelines, applications, and more. As far back as 2017, vendors were claiming the commercialization of the technology was just a couple of years away—like the announcement of a 5,000-qubit system by 2020 (which didn’t happen). There was even what I’d call antihype, with some questioning if quantum computers would materialize at all

    More recently, companies have shifted their timelines from a few years to a decade, but they continue to release road maps showing commercially viable systems as early as 2029.

    And these hype-fueled expectations are becoming institutionalized: The Department of Homeland Security even released a road map to protect against the threats of quantum computing, in an effort to help institutions transition to new security systems. This creates an “adopt or you’ll fall behind” mentality for both quantum-computing applications and postquantum cryptography security.

    Market research firm Gartner (of the “Hype Cycle” fame) believes quantum computing may have already reached peak hype, or phase two of its five-phase growth model. This means the industry is about to enter a phase called “the trough of disillusionment.” According to McKinsey & Company, “fault tolerant quantum computing is expected between 2025 and 2030 based on announced hardware roadmaps for gate-based quantum computing players.” I believe this is not entirely realistic, as we still have a long journey to achieve quantum practicality—the point at which quantum computers can do something unique to change our lives.

    In my opinion, quantum practicality is likely still 10 to 15 years away. However, progress toward that goal is not just steady; it’s accelerating. That’s the same thing we saw with Moore’s Law and semiconductor evolution: The more we discover, the faster we go. Semiconductor technology has taken decades to progress to its current state, accelerating at each turn. We expect similar advancement with quantum computing.

    Reply
  24. Tomi Engdahl says:

    Is OTP a Viable Alternative to NIST’s Post-Quantum Algorithms?
    https://www.securityweek.com/otp-viable-alternative-nists-post-quantum-algorithms

    The quantum threat to RSA-based encryption is deemed to be so pressing that NIST is seeking a quantum safe alternative

    The cracking of the SIKE encryption algorithm (deemed to be on its way to NIST standardization) on a single classical PC should make us evaluate our preconceptions on what is necessary for the post-quantum era. SecurityWeek has spoken to several cryptography experts to discuss the implications of the SIKE crack.

    So, since no mathematical encryption can be proven secure, any communication using that algorithm can be decrypted if the algorithm can be broken – and SIKE demonstrates that it doesn’t always require quantum power to do so. So, at the very best, NIST’s quantum safe algorithms provide no guarantee of long-lasting security.

    “There are multiple research organizations and companies working on these problems,” says Bledsoe. “In the future we will see algorithms based on OTP concepts that have answers to the current shortcomings. They will leverage information theory and become viable options as an alternative to NIST-approved algorithms.”

    The pros and cons of OTP

    The NIST competition is solely focused on developing new encryption algorithms that should, theoretically, survive quantum decryption. In other words, it is an incremental advance on the current status quo. This will produce quantum safe encryption. But quantum safe is not the same as quantum secure; that is, encrypted communications will only remain encrypted until the encryption is broken.

    History and mathematical theory suggest this will inevitably, eventually, happen. When that does happen, we will be back to the same situation as today, and all data harvested during the use of the broken algorithm will be decrypted by the adversary. Since there is an alternative approach – the one-time pad – that is secure against quantum decryption, we should consider why this approach isn’t also being pursued.

    SecurityWeek spoke to senior advocates on both sides: NIST’s computer security mathematician Dustin Moody, and Qrypt’s cofounder and CTO Denis Mandich.

    Moody accepts that one-time pads provide theoretically perfect security, but suggests their use has several drawbacks that make them impractical. “The one-time pad,” he said, “must be generated by a source of true randomness, and not a pseudo-random process. This is not as trivial as it sounds at first glance.”

    Mandich agrees with this, but comments, “[This is] why Qrypt uses quantum random number generators (QRNGs) licensed from the Oak Ridge National Laboratory and the Los Alamos National Laboratory.” These are quantum entropy sources that are the only known source of genuine randomness in science. (See Mitigating Threats to Encryption From Quantum and Bad Random for more information on QRNGs.)

    Moody also suggests that OTP size is a problem. “The one-time pad must be as long as the message which is to be encrypted,” he said. “If you wish to encrypt a long message, the size of the one-time pad will be much larger than key sizes of the algorithms we [NIST) selected.”

    Again, Mandich agrees, saying the trade-off for higher security is longer keys. “This is true for 100% of all crypto systems,” he says: “the smaller the keys, the less security is a general statement.” But he adds, “One of the other [NIST] finalists is ‘Classic McEliece’ which also has enormous key sizes but will likely be standardized. In many common use cases, like messaging and small files, McEliece keys will be much larger than OTPs.”

    Moody’s next concern is authentication. “There is no way to provide authentication using one-time pads,” he said.

    Here, Mandich simply disagrees. “Authentication can be provided for any type of data or endpoint.” He thinks the idea may stem from the NSA’s objection to QKD. The NSA has said, “QKD does not provide a means to authenticate the QKD transmission source.”

    But Mandich adds, “A simple counter example is that the OTP of an arbitrary length may be hashed and sent in the clear between parties to authenticate that they have the same OTP. This could be appended to the encrypted data.”

    “As the name implies,” said Moody, “one-time pads can only be used once. This makes them very impractical.”

    But Mandich responds, “This is the trade-off to achieve higher security. Re-use of encryption keys means that breaking or getting access to the key facilitates decryption of all the previously encrypted data. OTPs are only used once, so if someone gets access to one OTP, it does not help in any other decryption.”

    For Moody, the biggest problem for OTPs is the exchange of ‘keys’. “Probably the most major drawback,” he told SecurityWeek, “is that to use a one-time pad with another party, you must have securely exchanged the secret one time pad itself with the other party.”

    He believes this distribution at scale is impossible and doesn’t work where the requirement is to communicate with another party that hasn’t been communicated with before. “You could send the one-time pad through the mail or via a courier, but not electronically,” he continued. “And if you could securely send the one-time pad, why didn’t you just send the message you wanted to share with the other party? Which makes the one-time pad not needed.”

    Mandich points out that the difficulty in key transfer and distribution at scale apply equally to all the public key encryption keys currently being considered by NIST. “There is nothing unique about OTPs other than size,” he said. “OTPs can be generated continuously and consumed when the messages are created at a later date. There is no reason to do it simultaneously unless it is a realtime communications channel.” He adds that combining keys for decryption with the encrypted data makes it easy to attack. “Decoupling these two mechanisms [as with OTPs] makes it almost impossible.”

    Finally, comments Moody, “Modern cryptosystems overcome these obstacles and are very efficient.”

    Mandich concedes this point but refers to the distinction between NIST’s quantum safe approach, and the OTP’s ability to be quantum secure. “Modern systems are very efficient and a one-size-fits-all solution – but at the cost of less security. Obstacles to using OTPs have long been overcome by the cloud, high bandwidth networks, and distributed and decentralized data centers. The PQC evolution from RSA is just changing an algorithm based on a 1970s pre-internet architecture, when Alice and Bob were connected by a single copper wire channel and a few network switches.”

    NIST Post-Quantum Algorithm Finalist Cracked Using a Classical PC
    https://www.securityweek.com/nist-post-quantum-algorithm-finalist-cracked-using-classical-pc

    Reply
  25. Tomi Engdahl says:

    As NIST Prepares For Quantum Safe Security, IBM Rolls Out Support
    https://www.forbes.com/sites/tiriasresearch/2022/10/07/as-nist-prepares-for-quantum-safe-security-ibm-rolls-out-support/?sh=19dbefb83ba5
    The world of cryptography moves at a very slow, but steady pace. New cryptography standards must be vetted over an extended period and therefore new threats to existing standards need to be judged by decades-long timelines because updating crypto standards is a multiyear journey.

    Reply
  26. Tomi Engdahl says:

    Vahvinkin julkisen avaimen salaus murretaan 2035
    https://etn.fi/index.php/13-news/14112-vahvinkin-julkisen-avaimen-salaus-murretaan-2035

    RSA on tunnetuin ja käytetyin julkisen avaimen salausmenetelmä. Vahvin RSA-salaus on 2048-bittinen ja kvanttikoneilla sekin murretaan vuoteen 2035 mennessä. Näin ennustaa kvanttiturvallisia algoritmeja kehittävä NIST eli National Institute of Standards and Technology.

    Tutkimuslaitos Tirias Research muistuttaa artikkelissaan, että kvanttiuhka on todellinen. Ikävä kyllä salausstandardien kehitys vie aikaa. Sen takia monen valtiollisen toimijan tiedetään tallentavan dataa nyt ajatuksenaan murtaa sen salaus myöhemmin. Kvanttitietokoneet voivat ratkaista useita yhtälöitä samanaikaisesti, ja Shorin algoritmin perusteella kryptoasiantuntijat arvioivat pystyvänsä murtamaan epäsymmetrisen salauksen. Asiantuntijoiden mukaan kysymys ei ole siitä, onnistuuko salausten murtaminen vaan siitä, milloin se tapahtuu.

    Nykypäivän salausalgoritmit käyttävät matemaattisia ongelmia, kuten suurten lukujen tekijöiden jakamista tietojen suojaamiseksi. Vikasietoisilla kvanttitietokoneilla faktorointi voidaan ratkaista teoriassa vain muutamassa tunnissa Shorin algoritmilla. Tämä sama ominaisuus vaarantaa myös salausmenetelmät, jotka perustuvat diskreettien logaritmiongelmien ratkaisemisen vaikeuteen.

    Uusia järeämpiä salausstandardeja kutsutaan “kvanttiturvallisiksi”. Haasteena on, ettemme tiedä tarkalleen, milloin vikasietoisilla kvanttitietokoneilla on valta rikkoa jatkuvasti olemassa olevia salausstandardeja, jotka ovat nyt laajasti käytössä. On myös huolestuttavaa, että jotkut osapuolet voivat ladata ja tallentaa salattua dataa salauksen purkamista varten myöhemmin, kun sopivasti kykeneviä kvanttitietokoneita on saatavilla. Vaikka tiedot ovat yli kymmenen vuotta vanhoja, tallennetuissa tiedoissa voi silti olla olennaista luottamuksellista tietoa, jopa valtiosalaisuuksia.

    NIST uskoo, että on mahdollista, että RSA2048-salaus voidaan murtaa vuoteen 2035 mennessä. Muilla Yhdysvaltain valtion virastoilla ja muilla turvallisuudesta kiinnostuneilla tahoilla on samanlaiset käsitykset kehityksestä. Tämän takia instituutti aloitti kilpailun kvanttiturvallisen salauksen kehittämiseksi jo vuonna 2016. Useiden tarkistuskierrosten jälkeen NIST valitsi tämän vuoden heinäkuun 5. päivänä neljä algoritmia tarkistuksen viimeiseen vaiheeseen.

    IBM:llä oli iso rooli kvanttisalauksen uusien algoritmien kehittämisessä. IBM kehitti neljästä ehdokkaasta kolme

    NIST:n lopullisten valintojen odotetaan valmistuvan vuonna 2024

    Reply
  27. Tomi Engdahl says:

    Chicago scientists are testing an unhackable quantum internet in their basement closet
    Quantum research at a University of Chicago lab could help prevent hacking and connect a future web of supercomputers
    https://www.washingtonpost.com/technology/2022/10/09/quantum-internet-chicago-argonne/

    Reply
  28. Tomi Engdahl says:

    Quantum Computing and Crypto Standards
    Oct. 19, 2022
    Rambus’s Security Technologies Fellow explains how new encryption standards will address the problem of quantum-computing attacks.
    https://www.electronicdesign.com/technologies/embedded-revolution/video/21252816/electronic-design-quantum-computing-and-crypto-standards

    Quantum computing is in its infancy, but hardware and software related to this technology are improving rapidly. It can address a wide range of problems, particularly the ability to crack some of the encryption systems we currently employ. This isn’t to say that our current security tools have been bypassed now, but they could be in the future.

    To address this issue, new encryption standards are in the works. These will require changes in applications in the future. However, it might be a good idea to start doing so soon.

    Reply
  29. Tomi Engdahl says:

    Mastercard’s New Card: Safer From Quantum Attacks?
    https://hackaday.com/2022/10/25/mastercards-new-card-safer-from-quantum-attacks/

    Quantum computers present a unique threat to many aspects of modern information technology. In particular, many cryptographic systems could be at risk of compromise in the event a malicious actor came into possession of a capable quantum computer.

    Mastercard is intending to stay ahead of the game in this regard. It has launched a new contactless credit card that it says is impervious to certain types of quantum attack.

    Hack-Proof?

    The card is based on new industry standards from EMVco, a technical body that works in the secure payment space. Known as the EMV Contactless Kernel Specifications, they outline functionality for payment devices like ATMs and point-of-sale terminals to process transactions. The specification includes a new “Secure Channel” method of communication between card and reader that aims to protect against common attacks like eavesdropping, relay, and man-in-the-middle attacks. The new cards are intended to be compatible with existing payment hardware out in the field.

    The main highlight of the new cards, though, is in how they operate, cryptographically speaking. Traditionally, payment card systems have relied on public-key cryptography, using methods like the ever-popular RSA algorithm.

    A quantum computer with a sufficient number of qubits can run Shor’s algorithm to quickly find prime factors of very large numbers. This can be used to reveal the private key for a wide variety of encryption algorithms.

    . Experts believe it’s only a matter of time, however, and even the US government is rapidly moving to alternative quantum-secure encryption methods.

    Mastercard’s new plastic will thus shift towards new algorithms it says are “quantum-resistant,” and thus not subject to these attacks. This will also involve the use of longer key lengths to further increase the robustness of the encryption method. Ease of use is also important, though, so the new system will keep the authentication process to under 0.5 seconds.

    Interestingly, the documentation from EMVco indicates that the new cards will include Elliptic Curve Cryptography (ECC) for authentication purposes. Traditional ECC is not actually considered quantum-secure. In fact, for the key lengths currently in common use, ECC is likely slightly easier to break than RSA with a quantum computer.

    So it could just be marketing bluster from Mastercard. It would seem foolhardy for one of the world’s largest payment processors to roll out new technology that was already known to be incapable of solving the stated problem. Instead, it’s perhaps more likely that Mastercard is using some new variant of ECC that is potentially secure against typical quantum computing attacks. Various ideas have sprouted in this area, though some have recently been proven insecure. Maybe they are focusing on some other algorithm, but will also support ECC. But then how to stop degrade attacks?

    Reply
  30. Tomi Engdahl says:

    Quantum Computing and Security
    Quantum computing requires new hardware technology but it offers significant performance improvements for many computational problems.
    https://www.electronicdesign.com/magazine/51352

    Reply
  31. Tomi Engdahl says:

    Governments seek ways to avert quantum’s encryption apocalypse https://www.axios.com/2022/12/02/quantum-computing-encryption-apocalypse-cybersecurity
    The U.S. is barreling toward a quantum computing future, but until its here, it’s unknown if all the investments and time spent preparing the countrys cybersecurity will pay off. The big picture: Experts have long feared quantum computing would allow foreign adversaries and hackers to crack the otherwise unbreakable encryption standards that protect most online data leaving everything from online payment systems to government secrets vulnerable.

    Reply
  32. Tomi Engdahl says:

    Breaking RSA with a Quantum Computer
    https://www.schneier.com/blog/archives/2023/01/breaking-rsa-with-a-quantum-computer.html
    A group of Chinese researchers have just published a paper claiming that they canalthough they have not yet done sobreak 2048-bit RSA.
    This is something to take seriously. It might not be correct, but its not obviously wrong. Alkup. https://arxiv.org/pdf/2212.12372.pdf

    Reply
  33. Tomi Engdahl says:

    Chinese Researchers Claim They Cracked Encryption With Quantum Computers
    Skeptical technology experts believe the declaration is a hoax intended to cause panic.
    https://decrypt.co/118529/chinese-researchers-claim-to-have-cracked-encryption-with-quantum-computers

    Reply
  34. Tomi Engdahl says:

    2023 Will See Renewed Focus on Quantum Computing https://www.darkreading.com/tech-trends/2023-will-see-more-focus-on-quantum-computing
    2022 was a big year for quantum computing. Over the summer, the National Institute of Standards and Technology (NIST) unveiled four quantum computing algorithms that eventually will be turned into a final quantum computing standard, and governments around the world boosted investments in quantum computing. 2023 may be the year when quantum finally steps into the limelight, with organizations preparing to begin the process of implementing quantum computing technologies into existing systems. It will also be the year to start paying attention to quantum computing-based attacks

    Reply
  35. Tomi Engdahl says:

    China’s new quantum code-breaking algorithm raises concerns in the US
    The new algorithm could render mainstream encryption powerless within years.
    https://interestingengineering.com/innovation/china-quantum-code-breaking-algorithm-catastrophic

    Reply
  36. Tomi Engdahl says:

    RSA’s demise from quantum attacks is very much exaggerated, expert says
    Expert says the focus on quantum attacks may distract us from more immediate threats.
    https://arstechnica.com/information-technology/2023/01/fear-not-rsa-encryption-wont-fall-to-quantum-computing-anytime-soon/

    Reply
  37. Tomi Engdahl says:

    RSA’s demise from quantum attacks is very much exaggerated, expert says | Ars Technica
    https://arstechnica.com/information-technology/2023/01/fear-not-rsa-encryption-wont-fall-to-quantum-computing-anytime-soon/
    Expert says the focus on quantum attacks may distract us from more immediate threats.
    Scientists and cryptographers have known for two decades that a factorization method known as Shor’s algorithm makes it theoretically possible for a quantum computer with sufficient resources to break RSA. That’s because the secret prime numbers that underpin the security of an RSA key are easy to calculate using Shor’s algorithm. Computing the same primes using classical computing takes billions of years.
    The only thing holding back this doomsday scenario is the massive amount of computing resources required for Shor’s algorithm to break RSA keys of sufficient size. The current estimate is that breaking a 1,024-bit or 2,048-bit RSA key requires a quantum computer with vast resources. Specifically, those resources are about 20 million qubits and about eight hours of them running in superposition.
    The paper, published three weeks ago by a team of researchers in China, reported finding a factorization method that could break a 2,048-bit RSA key using a quantum system with just 372 qubits when it operated using thousands of operation steps. The finding, if true, would have meant that the fall of RSA encryption to quantum computing could come much sooner than most people believed.
    RSA’s demise is greatly exaggerated
    At the Enigma 2023 Conference in Santa Clara, California, on Tuesday, computer scientist and security and privacy expert Simson Garfinkel assured researchers that the demise of RSA was greatly exaggerated. For the time being, he said, quantum computing has few, if any, practical applications.
    “In the near term, quantum computers are good for one thing, and that is getting papers published in prestigious journals,” Garfinkel, co-author with Chris Hoofnagle of the 2021 book Law and Policy for the Quantum Age, told the audience. “The second thing they are reasonably good at, but we don’t know for how much longer, is they’re reasonably good at getting funding.”
    Even when quantum computing becomes advanced enough to provide useful applications, the applications are likely for simulating physics and chemistry, and performing computer optimizations that don’t work well with classical computing. Garfinkel said that the dearth of useful applications in the foreseeable future might bring on a “quantum winter,” similar to the multiple rounds of artificial intelligence winters before AI finally took off.
    Within short order, a host of researchers pointed out fatal flaws in Schnorr’s algorithm that have all but debunked it. Specifically, critics said there was no evidence supporting the authors’ claims of Schnorr’s algorithm achieving polynomial time, as opposed to the exponential time achieved with classical algorithms.
    The research paper from three weeks ago seemed to take Shor’s algorithm at face value. Even when it’s supposedly enhanced using QAOA—something there’s currently no support for—it’s questionable whether it provides any performance boost.
    “All told, this is one of the most actively misleading quantum computing papers I’ve seen in 25 years, and I’ve seen … many,” Scott Aaronson, a computer scientist at the University of Texas at Austin and director of its Quantum Information Center, wrote. “Having said that, this actually isn’t the first time I’ve encountered the strange idea that the exponential quantum speedup for factoring integers, which we know about from Shor’s algorithm, should somehow ‘rub off’ onto quantum optimization heuristics that embody none of the actual insights of Shor’s algorithm, as if by sympathetic magic.”
    In geological time, yes; in our lifetime, no
    On Tuesday, Japanese technology company Fujitsu published a press release that provided further reassurance that the cryptocalypse isn’t nigh. Fujitsu researchers, the press release claimed, found that cracking an RSA key would require a fault-tolerant quantum computer with a scale of roughly 10,000 qubits and 2.23 trillion quantum gates, and even then, the computation would require about 104 days.
    “For example, when [the Fujitsu researchers] say 10,000 qubits in the press release, do they mean logical or physical qubits?” Samuel Jaques, a doctoral student at the University of Cambridge, wrote in an email. “In my view, the best estimate for quantum factoring is still [Craig] Gidney and [Martin] Ekerå from 2020, who estimate that factoring RSA-2048 would need 20 million physical qubits and 8 hours. If Fujitsu’s result drops the physical qubit count from 20 million to 10,000, that’s a huge breakthrough; if instead they need 10,000 logical qubits, then that’s much more than Gidney and Ekerå so I would need to check carefully to see why.”
    Even when the day comes that there’s a quantum computer with the power envisioned by Gidney and Ekerå, the notion that RSA will fall in one stroke is misleading. That’s because it would take this 20 million-qubit quantum system eight hours in constant superposition to crack a single encryption key. That would certainly be catastrophic since someone might be able to use the capability to cryptographically sign malicious updates with a Microsoft or Apple key and distribute them to millions of people.
    But even then, the scenario that nation-states are storing all encrypted communications in a database and will decrypt them all in bulk once a quantum computer becomes available is unrealistic, given the number of keys and the resources required to crack them all.

    Reply
  38. Tomi Engdahl says:

    Cryptography’s Future Will Be Quantum-Safe. Here’s How It Will Work.
    By
    LEILA SLOMAN
    November 9, 2022
    https://www.quantamagazine.org/cryptographys-future-will-be-quantum-safe-heres-how-it-will-work-20221109/

    Lattice cryptography promises to protect secrets from the attacks of far-future quantum computers.

    Reply
  39. Tomi Engdahl says:

    Data Protection
    Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse
    https://www.securityweek.com/cyber-insights-2023-quantum-computing-and-the-coming-cryptopocalypse/

    The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

    SecurityWeek Cyber Insights 2023 | Quantum Computing and the Coming Cryptopocalypse – The waiting time for general purpose quantum computers is getting shorter, but they are still probably decades away. The arrival of cryptanalytically-relevant quantum computers (CRQCs) that will herald the cryptopocalypse will be much sooner – possibly less than a decade.

    At that point our existing PKI-protected data will become accessible as plaintext to anybody; and the ‘harvest now, decrypt later’ process will be complete. This is known as the cryptopocalypse. It is important to note that all PKI-encrypted data that has already been harvested by adversaries is already lost. We can do nothing about the past; we can only attempt to protect the future.

    Here we are going to examine the why, what, and how we need to prepare for that cryptopocalypse – but first we need a few definitions to ensure we’re all singing the same song.

    CRQC: A quantum computer capable of running Shor’s algorithm and cracking current PKI encryption.
    Cryptopocalypse: The point at which the existence of CRQCs are able to turn our currently encrypted data into plaintext.
    Quantum safe: Cryptography that is believed to be resistant to CRQCs, but cannot be proven to be so.
    Quantum secure: Cryptography that is provably secure against CRQCs, and cannot be broken.
    Post quantum cryptography (PQC): A term for cryptography designed for the post CRQC era, but one that doesn’t differentiate between ‘safe’ and ‘secure’.

    The cryptopocalypse

    The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption. Since public key encryption is used to secure almost all data in transit, both between separate IT infrastructures and even within individual infrastructures, that data will become accessible by anyone with a sufficiently powerful quantum computer.

    “That means that all secrets are at risk,” explains Bryan Ware, CEO at LookingGlass; “nuclear weapons, banks, business IP, intelligence agencies, among other things, are at risk of losing their confidentiality and integrity.”

    But this is not a threat for the future – the threat exists today. Adversaries are known to be stealing and storing encrypted data with the knowledge that within a few years they will be able to access the raw data. This is known as the ‘harvest now, decrypt later’ threat. Intellectual property and commercial plans – not to mention military secrets – will still be valuable to adversaries when the cryptopocalypse happens.

    “Even if a cryptographically relevant quantum computer is still years away, the time to start preparing is now,” warns Rebecca Krauthamer, co-founder and CPO at QuSecure.

    The one thing we can say with certainty is that it definitely won’t happen in 2023 – probably. That probably comes from not knowing for certain what stage in the journey to quantum computing has been achieved by foreign nations or their intelligence agencies – and they’re not likely to tell us. Nevertheless, it is assumed that nobody yet has a quantum computer powerful enough to run Shor’s algorithm and crack PKI encryption in a meaningful timeframe.

    It is likely that such computers may become available as soon as three to five years. Most predictions suggest ten years. Note that a specialized quantum computer designed specifically for Shor does not need to be as powerful as a general-purpose quantum computer – which is more likely to be 20 to 30 years away.

    It has been suggested that as many as 1,000 physical qubits may be required for each logical qubit. This will depend on the quality of the error correction in use – and this is an area of intense research. So, at some time in the next few years, as the number of physical qubits increases, and the number of required physical qubits per logical qubit decreases, quantum developers will have a quantum computer able to crack PKI. It has been estimated that this will require between approximately 1,000 and 2,000 logical qubits.

    To put some flesh on this skeleton, we can look at an announcement made by IBM on November 9, 2022: a new 433 qubit Osprey processor. This was accompanied by a roadmap that that shows a progression toward a 4,000 plus qubit quantum computer, codenamed Kookaburra, due in 2025.

    Error correction is being approached by a new version of IBM’s Qskit Runtime software that allows ‘a user to trade speed for reduced error count with a simple option in the API’. This is supported by a new modular IBM Quantum System Two able to combine multiple processors into a single system with communication links. System Two is expected to go live in 2023, around the same time that IBM expects to have a 1k+ qubit processor codenamed Condor.

    System Two will be a building block in what IBM calls quantum-centric supercomputing. Scott Crowder, the VP of IBM quantum adoption and business, explains in more detail: “Quantum-centric supercomputing (which describes a modular architecture and quantum communication designed to increase computational capacity, and which employs hybrid cloud middleware to seamlessly integrate quantum and classical workflows) is the blueprint for how quantum computing will be used in the years to come.”

    The additional threat from AI

    Skip Sanzeri, co-founder and COO at QuSecure, warns that the threat to current encryption is not limited to quantum decryption. “New approaches are being developed promising the same post-quantum cybersecurity threats as a cryptographically relevant quantum computer, only much sooner,” he said. “It is also believed that quantum advancements don’t have to directly decrypt today’s encryption. If they weaken it by suggesting or probabilistically finding some better seeds for a classical algorithm (like the sieve) and make that more efficient, that can result in a successful attack. And it’s no stretch to predict, speaking of predictions, that people are going to find ways to hack our encryption that we don’t even know about yet.”

    Steve Weston, co-founder and CTO at Incrypteon, offers a possible illustration. “Where is the threat in 2023 and beyond?” he asks. “Is it the threat from quantum computers, or is the bigger threat from AI? An analysis of cryptoanalysis and code breaking over the last 40 years shows how AI is used now, and will be more so in the future.”

    QKD

    Quantum key distribution (QKD) is a method of securely exchanging encryption keys using quantum properties transmitted via fiber. While in this quantum state, the nature of quantum mechanics ensures that any attempt to access the transmission will disturb the content. It does not prevent attacks, but ensures that an attempted attack is immediately visible, and the key can be discarded. Successful QKD paves the way for data to be transmitted using the latest and best symmetrical encryption. Current symmetrical algorithms are considered safe against quantum decryption.

    “Symmetric encryption, like AES-256, is theorized to be quantum aafe, but one can speculate that key sizes will soon double,” comments Silvio Pappalardo, chief revenue officer at Quintessence Labs.

    The practical difficulties in introducing wide-scale fiber based QKD means that it cannot be implemented everywhere. Its immediate use will likely be limited to point-to-point communications between high value sites – such as some government agencies and between major bank offices.

    Post Quantum Cryptography
    NIST

    NIST began a competition to select and standardize post quantum encryption algorithms in 2016. “We’re looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers,” said NIST mathematician Dustin Moody at the time. “They deal with encryption, key establishment and digital signatures, all of which use forms of public key cryptography.”

    In July 2022, NIST announced its first four finalists. However, it emerged in August 2022 that a different finalist, the Supersingular Isogeny Key Encapsulation (SIKE) algorithm had already been broken. SIKE is designed to deliver keys securely from source to destination across an untrusted network. Researchers had demonstrated, however, the algorithm could be cracked on a single classical PC in little over an hour.

    This illustrates a problem that all security professionals need to confront. Any encryption algorithm is secure only until it is cracked. Whitehat researchers will tell you if they can crack an algorithm — foreign governments will not. In effect, this means that the ‘later’ part of ‘harvest now, decrypt later’ is an optimistic view. We believe that encrypted IP being stolen today cannot yet be decrypted — but we cannot be certain.

    We do, however, know that current PKI encryption will certainly be broken by quantum computers in the relatively near future. The solution from NIST is to replace current vulnerable PKI algorithms with more complex algorithms — that is to solve more powerful computing by using more powerful algorithms.

    Ultimately, we will be in the same position we are in today. We will believe our IP protected by NIST’s post quantum algorithms will be safe — but we cannot be certain. Remember that at least one proposed post-quantum algorithm has been broken on a PC. So, even if we switch to a NIST-approved post quantum encryption standard tomorrow, we cannot be certain that the harvest now decrypt later philosophy has been beaten.

    One-time pads

    NIST’s PQC algorithms are ‘quantum safe’, they are not ‘quantum secure’. The former is thought to be safe against quantum decryption but cannot be proven to be so (since they are mathematical in nature and susceptible to mathematical decryption). Cryptography that can be proven to be safe is known as ‘quantum secure’ — and the only way to achieve this is to remove mathematics from the equation.

    The only quantum secure cryptography known is the one-time pad because it relies on information security rather than mathematical security. Technically, QKD could be described in similarly secure terms since any attempt to obtain the keys for mathematical decryption could result in the immediate destruction of the keys (preventing them from being usefully decrypted). We have already seen that QKD has problems for widespread use — but it remains an open question whether modern technology is able to deliver usable one-time pads.

    Historically, OTP has been considered unworkable for the internet age because it requires keys of the same length or longer than the message being encrypted. Nevertheless, several companies have been exploring the possibilities becoming available with new technology.

    Qrypt started from the basis that the quantum threat comes from the communication of encryption keys from source to destination. If you can avoid the necessity to communicate the keys, you can eliminate the threat. It consequently developed a process that allows the generation of the same quantum random numbers simultaneously at both source and destination

    However, since the generation of the numbers can be performed and stored until use, there remains the potential to chain the process to provide genuine OTP for the keys without requiring them to be transmitted across the internet. Solutions based on this process are quantum secure.

    Incrypteon, a British startup, has taken a different route by applying Shannon’s information theories to the one-time pad.

    A third and potentially future approach to the one-time pad could evolve from current advances in tokenization – more specifically cloud-based vaultless tokenization protected by immutable servers.

    Rixon, another startup, is involved in this area. Its primary purpose is to protect PII stored by organizations with a web presence – but the principles could easily be extended. Plaintext is immediately tokenized in the cloud, and no plaintext is held onsite. Nor is the plaintext held at the tokenization engine in the cloud – all that is stored is the tokenization route for each tokenized character (for the purpose of comparison, this tokenization route is equivalent to the cryptographic key, but is random for each character).

    This provides the primary parallel with the OTP – the ‘key’ is the same length as the message. Currently, Rixon concentrates on tokenizing PII; but the same concept could be extended to secure high value files at rest such as intellectual property and commercial plans.

    Transition to post quantum cryptography

    The coming cryptopocalypse requires organizations to transition from known quantum-vulnerable encryption (such as current PKI standards) to something that is at least quantum safe if not quantum secure. This will be a long process, and in 2023 businesses will need to start planning their route in greater detail.

    Most companies will start from the viewpoint that NIST post-quantum algorithms is the only way forward. We have discussed OTP developments in some depth to show that the NIST route is not the only available route – and we expect further OTP developments during 2023.

    The full transition to post quantum readiness will take many years, and will not be achieved by throwing a switch from classical to PQC. This has led to the concept of ‘crypto agility’. “It will be essential that quantum ready algorithms (QRAs) are able to coexist with existing cryptographic capabilities, in a hybrid manner, while the complete transition to quantum safe occurs,” explains Silvio Pappalardo, chief revenue officer at Quintessence Labs.

    “Crypto agility enables applications to migrate between key types and cryptographic algorithms without the need to update the application software — transitioning from homogenous towards micro-service architecture,”

    Such agility also allows companies to switch from one quantum safe algorithm to another if the one in use gets broken.

    For now, government agencies will have little choice but to follow NIST. On November 18, 2022, the White House issued a memorandum to the heads of executive departments and agencies requiring that CRQC readiness begins with taking an inventory of vulnerable assets. “By May 4, 2023, and annually thereafter until 2035”, states the memo, “agencies are directed to submit a prioritized inventory of information systems and assets, excluding national security systems, that contain CRQC-vulnerable cryptographic systems to ONCD and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA).”

    On December 21, 2022, Biden signed the Quantum Computing Cybersecurity Preparedness Act into law. “Quantum computers are under development globally with some adversarial nation states putting tens of billions of dollars into programs to create these very powerful machines that will break the encryption we use today,” comments Sanzeri. “While not here yet, quantum computers will be online in coming years, but it will take more than a few years for our federal agencies and commercial enterprises to upgrade their systems to post quantum cybersecurity.”

    This Act, he continued, “requires federal agencies to migrate systems to post quantum cryptography which is resilient against attacks from quantum computers. And the Office of Management and Budget is further required to send an annual report to Congress depicting a strategy on how to assess post-quantum cryptography risks across the federal government.”

    The government is clearly wedded to the NIST proposals. This may be because NIST is correct in its assertion that OTP is not realistic.

    “The one-time pad must be as long as the message which is to be encrypted,” added Moody. “If you wish to encrypt a long message, the size of the one-time pad will be much larger than key sizes of the algorithms we [NIST] selected.” This is also being challenged as a problem by both Qrypt and Incrypteon, and potentially tokenization firms like Rixon.

    Nevertheless, most companies will follow the incremental process of NIST rather than the more revolutionary process of OTP,

    Reply
  40. Tomi Engdahl says:

    AI Helps Crack NIST-Recommended Post-Quantum Encryption Algorithm
    https://www.securityweek.com/ai-helps-crack-a-nist-recommended-post-quantum-encryption-algorithm/

    The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

    The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST in July 2022 for post-quantum cryptography has been broken. Researchers from the KTH Royal Institute of Technology, Stockholm, Sweden, used recursive training AI combined with side channel attacks.

    A side-channel attack exploits measurable information obtained from a device running the target implementation via channels such as timing or power consumption. The revolutionary aspect of the research (PDF) was to apply deep learning analysis to side-channel differential analysis.

    “Deep learning-based side-channel attacks,” say the researchers, “can overcome conventional countermeasures such as masking, shuffling, random delays insertion, constant-weight encoding, code polymorphism, and randomized clock.”

    The NIST-recommended encryption algorithms are the result of a NIST competition designed to provide encryption able to withstand quantum-computer attacks. Shor’s quantum algorithm will be able to defeat current classical encryption in polynomial time when quantum computers become a reality. This is expected by some to be within the next five to ten years – and has been called the cryptopocalypse.

    Reply
  41. Tomi Engdahl says:

    QuSecure Unveils Quantum-Resilient Communications Satellite Link
    https://www.securityweek.com/qusecure-unveils-quantum-resilient-communications-satellite-link/

    QuSecure announced an end-to-end quantum resilient encrypted communications link that protects data delivered by satellite.

    Reply
  42. Tomi Engdahl says:

    Experts Discover Flaw in U.S. Govt’s Chosen Quantum-Resistant Encryption Algorithm
    https://thehackernews.com/2023/03/experts-discover-flaw-in-us-govts.html

    A group of researchers has revealed what it says is a vulnerability in a specific implementation of CRYSTALS-Kyber, one of the encryption algorithms chosen by the U.S. government as quantum-resistant last year.

    The exploit relates to “side-channel attacks on up to the fifth-order masked implementations of CRYSTALS-Kyber in ARM Cortex-M4 CPU,” Elena Dubrova, Kalle Ngo, and Joel Gärtner of KTH Royal Institute of Technology said in a paper.

    CRYSTALS-Kyber is one of four post-quantum algorithms selected by the U.S. National Institute of Standards and Technology (NIST) after a rigorous multi-year effort to identify a set of next-generation encryption standards that can withstand huge leaps in computing power.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*