Discussion:
State of Post Quantum Cryptography?
(too old to reply)
The Running Man
2024-05-02 08:20:27 UTC
Permalink
What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?

I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.

I myself am very much in doubt whether to use PQC or stick with known ciphers.
Jakob Bohm
2024-05-06 13:53:18 UTC
Permalink
Post by The Running Man
What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.
If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers. They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128).
Post by The Running Man
I myself am very much in doubt whether to use PQC or stick with known ciphers.
From what I read so far, the most promising PQC signature algorithm is
the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
will take serious work.

Key exchange will be harder, though the DJB-sponsored proposal for a
"Classic McElice" variant may be solid.

Any PQC public key algorithm will need to be combined with double
strength symmetric algorithms.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Jan Panteltje
2024-05-07 05:06:24 UTC
Permalink
On a sunny day (Mon, 6 May 2024 15:53:18 +0200) it happened Jakob Bohm
Post by Jakob Bohm
Post by The Running Man
What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are
winners, but do you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current
cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the
promise of eternal confidentiality which current ciphers cannot guarantee.
If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers. They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128).
Post by The Running Man
I myself am very much in doubt whether to use PQC or stick with known ciphers.
From what I read so far, the most promising PQC signature algorithm is
the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
will take serious work.
Key exchange will be harder, though the DJB-sponsored proposal for a
"Classic McElice" variant may be solid.
Any PQC public key algorithm will need to be combined with double
strength symmetric algorithms.
Enjoy
Jakob
Experiment opens door for millions of qubits on one chip:
https://www.sciencedaily.com/releases/2024/05/240506131552.htm
Summary:
Researchers have achieved the first controllable interaction between two hole spin qubits in a conventional silicon transistor.
The breakthrough opens up the possibility of integrating millions of these qubits on a single chip using mature manufacturing processes

?
The Running Man
2024-05-08 04:05:16 UTC
Permalink
Post by Jakob Bohm
Post by The Running Man
What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.
If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers. They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128).
Define: "a few more qubits." I've read that maybe up to a million qubits are needed to compensate for the errors and noise to be able to break current asymmetric encryption algorithms. Symmetric algorithms aren't vulnerable in any case since quantum algorithms only halve the number of bits of security (i.e. 256 bits becomes 128 bits which cannot be broken).
Peter Fairbrother
2024-05-09 21:28:49 UTC
Permalink
Post by Jakob Bohm
Post by The Running Man
What is you guys take on PQC (Post Quantum Cryptography) algorithms? I
know the NIST has held a contest and that there are winners, but do
you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the
security and privacy of millions of unsuspecting users.
Yep, that's a risk. PQC algorithms are of necessity less mature than
current cryptographic algorithms. If I may quote Schneier's law it its
original form:

"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break. It’s not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around."

The winning PQC algorithms have had some of that analysis, but perhaps
not enough. I would not be surprised if, like some of the candidates,
the winners were comprehensively broken.

And there is another risk: that they will broken in ways we don't know
about now. Quantum computers of the needed scale still don't exist, and
we don't have years of practice using them - so it is practically
inevitable that new attack techniques using quantum computers will be
developed.
Post by Jakob Bohm
If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers.
Err, no. Just no.

You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day public
key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
like 20.

Having 1,000 error prone qbits, which has been done in a couple of
cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
annealing qbits.

Not even close.

And close only counts in horseshoes and hand grenades.
Post by Jakob Bohm
They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128). [..] Any PQC public key algorithm will need to be combined with double
strength symmetric algorithms.
Now there we agree, in fact double strength symmetric algorithms should
be de rigueur in general use as of yesterday: but I don't see why we
can't double up and use classic public key algorithms *as well as* PQC
public key algorithms, at least for a while.


Peter Fairbrother

who doesn't see why we need the u in qubits
Jakob Bohm
2024-05-10 06:32:26 UTC
Permalink
Post by Peter Fairbrother
Post by Jakob Bohm
Post by The Running Man
What is you guys take on PQC (Post Quantum Cryptography) algorithms?
I know the NIST has held a contest and that there are winners, but do
you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the
security and privacy of millions of unsuspecting users.
Yep, that's a risk. PQC algorithms are of necessity less mature than
current cryptographic algorithms. If I may quote Schneier's law it its
"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break. It’s not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around."
The winning PQC algorithms have had some of that analysis, but perhaps
not enough. I would not be surprised if, like some of the candidates,
the winners were comprehensively broken.
And there is another risk: that they will broken in ways we don't know
about now. Quantum computers of the needed scale still don't exist, and
we don't have years of practice using them - so it is practically
inevitable that new attack techniques using quantum computers will be
developed.
See further below where Fairbrother returns to this subject.
Post by Peter Fairbrother
Post by Jakob Bohm
If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current
public key algorithms using known attack algorithms written a long
time ago for
such (then hypothetical) computers.
Err, no. Just no.
Note that I was talking logarithmic steps, not single Qbit steps.
Post by Peter Fairbrother
You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day public
key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
like 20.
Having 1,000 error prone qbits, which has been done in a couple of
cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
annealing qbits.
Would those numbers apply to things like EdDSA and ECDSA?
Post by Peter Fairbrother
Not even close.
And close only counts in horseshoes and hand grenades.
Post by Jakob Bohm
They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128). [..] Any PQC public key algorithm will need to be combined with
double strength symmetric algorithms.
Now there we agree, in fact double strength symmetric algorithms should
be de rigueur in general use as of yesterday: but I don't see why we
can't double up and use classic public key algorithms *as well as* PQC
public key algorithms, at least for a while.
Yes, doubling up the types of algorithms used is a good way to hedge
bets against bad algorithms. Staying with known at-risk algorithms is
problematic.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Peter Fairbrother
2024-05-10 16:28:07 UTC
Permalink
Post by Jakob Bohm
Post by Peter Fairbrother
You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day
public key algorithms, and we are nowhere near that. Not even 100
REEFQe, more like 20.
Would those numbers apply to things like EdDSA and ECDSA?
A thorny question.

The publicity for quantum computers is usually splashed about measured
solely in qubits (approximately, quantum storage bits, a bit like a
register in a cpu with only one register); but that's not immediately
relevant to the amount of computation they can do - they also need
quantum gates, qubits by themselves can't do any computing.

So even 1,000 "real" qubits is just a very rough ballpark figure which
doesn't actually mean very much.


In terms of comparing breaking RSA and breaking ECDSA, you would need
more qubits but less gates for RSA - but as you can, above some
minimums, pretty much swap needed qubits for needed gates, that doesn't
help much.

I believe the minimum number of "real" qubits needed is about 350 for
ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
a LOT more quantum gates.

Overall it's pretty hard to say which is easier to do, and would depend
on more than the number of qubits a computer has. Quantum gates are
noisy too, especially the ones which do entanglement.



[1] I could be wrong here, I'm a bit out-of-touch. And these are
_theoretical_ minimums, and even then estimates vary, a lot.

In practice, realistically the best I've seen uses about 6,000 real
qubits and 10^12 gates to break 2k RSA in months. You would also need a
depth of about 10^11 (depth is the longest chain of quantum gates used,
and they all have to work...)


We are closer to getting to Alpha Centaurus and taming fusion than doing
that.


Peter Fairbrother
The Running Man
2024-05-13 06:17:38 UTC
Permalink
Post by Peter Fairbrother
Post by Jakob Bohm
Post by Peter Fairbrother
You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day
public key algorithms, and we are nowhere near that. Not even 100
REEFQe, more like 20.
Would those numbers apply to things like EdDSA and ECDSA?
A thorny question.
The publicity for quantum computers is usually splashed about measured
solely in qubits (approximately, quantum storage bits, a bit like a
register in a cpu with only one register); but that's not immediately
relevant to the amount of computation they can do - they also need
quantum gates, qubits by themselves can't do any computing.
So even 1,000 "real" qubits is just a very rough ballpark figure which
doesn't actually mean very much.
In terms of comparing breaking RSA and breaking ECDSA, you would need
more qubits but less gates for RSA - but as you can, above some
minimums, pretty much swap needed qubits for needed gates, that doesn't
help much.
I believe the minimum number of "real" qubits needed is about 350 for
ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
a LOT more quantum gates.
Overall it's pretty hard to say which is easier to do, and would depend
on more than the number of qubits a computer has. Quantum gates are
noisy too, especially the ones which do entanglement.
[1] I could be wrong here, I'm a bit out-of-touch. And these are
_theoretical_ minimums, and even then estimates vary, a lot.
In practice, realistically the best I've seen uses about 6,000 real
qubits and 10^12 gates to break 2k RSA in months. You would also need a
depth of about 10^11 (depth is the longest chain of quantum gates used,
and they all have to work...)
We are closer to getting to Alpha Centaurus and taming fusion than doing
that.
Peter Fairbrother
<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>

They now believe they can build million-qubit processors using ultra-pure silicon.
Phil Carmody
2024-05-13 20:45:23 UTC
Permalink
Post by The Running Man
<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
They now believe they can build million-qubit processors using ultra-pure silicon.
You have confused "could" with "can".

Phil
--
We are no longer hunters and nomads. No longer awed and frightened, as we have
gained some understanding of the world in which we live. As such, we can cast
aside childish remnants from the dawn of our civilization.
-- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/
The Running Man
2024-05-14 05:50:43 UTC
Permalink
Post by Phil Carmody
Post by The Running Man
<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
They now believe they can build million-qubit processors using ultra-pure silicon.
You have confused "could" with "can".
Phil
--
We are no longer hunters and nomads. No longer awed and frightened, as we have
gained some understanding of the world in which we live. As such, we can cast
aside childish remnants from the dawn of our civilization.
-- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/
And here's another one:

<https://www.spacedaily.com/reports/Experiment_Allows_for_Potential_Millions_of_Qubits_on_Single_Chip_999.html>
Loading...