Encryption

Swiss Company Claims Weakness Found in Post-Quantum Encryption, Touts Its New Encryption Protocol (bloombergquint.com) 63

"A Swiss technology company says it has made a breakthrough by using quantum computers to uncover vulnerabilities in commonly used encryption," reports Bloomberg: Terra Quantum AG said its discovery "upends the current understanding of what constitutes unbreakable" encryption... Terra Quantum AG has a team of about 80 quantum physicists, cryptographers and mathematicians, who are based in Switzerland, Russia, Finland and the U.S. "What currently is viewed as being post-quantum secure is not post-quantum secure," said Markus Pflitsch, chief executive officer and founder of Terra Quantum, in an interview. "We can show and have proven that it isn't secure and is hackable..."

The company said that its research found vulnerabilities that affect symmetric encryption ciphers, including the Advanced Encryption Standard, or AES, which is widely used to secure data transmitted over the internet and to encrypt files. Using a method known as quantum annealing, the company said its research found that even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now. Vinokur said in an interview that Terra Quantum's team made the discovery after figuring out how to invert what's called a "hash function," a mathematical algorithm that converts a message or portion of data into a numerical value. The research will show that "what was once believed unbreakable doesn't exist anymore," Vinokur said, adding that the finding "means a thousand other ways can be found soon."

The company, which is backed by the Zurich-based venture capital firm Lakestar LP, has developed a new encryption protocol that it says can't be broken by quantum computers. Vinokur said the new protocol utilizes a method known as quantum key distribution. Terra Quantum is currently pursuing a patent for the new protocol. But the company will make it available for free, according to Pflitsch. "We will open up access to our protocol to make sure we have a safe and secure environment," said Pflitsch. "We feel obliged to share it with the world and the quantum community."

  • by Ostracus ( 1354233 ) on Sunday February 07, 2021 @03:52PM (#61038028) Journal

    Quantum Key Distribution.

    Isn't that what the Chinese satellite is about?

    https://www.cbc.ca/news/techno... [www.cbc.ca]

    • by gtall ( 79522 )

      Hmmm, well the Chinese do use physics with their satellites. QKD uses physics. So the answer to your question is yes, most definitely.

    • It is indeed. Hopefully someone has also come up with some other secure terrestrial way of distribution, like a quantum version of a Diffie-Hellman exchange, so this could be truly useful. As you've already pointed out indirectly, coming up with quantum keys is not a real breakthrough, others are already doing it who have the means.
  • by peppepz ( 1311345 ) on Sunday February 07, 2021 @04:00PM (#61038042)
    Hmmm, reminds me of something... [washingtonpost.com]
    • by PolygamousRanchKid ( 1290638 ) on Sunday February 07, 2021 @04:07PM (#61038056)

      For some non-paywall info:

      Crypto AG was a Swiss company specialising in communications and information security. It was secretly jointly owned by the American Central Intelligence Agency (CIA) and West German Federal Intelligence Service (BND) from 1970 until about 1993, with the CIA continuing as sole owner until about 2018. With headquarters in Steinhausen, the company was a long-established manufacturer of encryption machines and a wide variety of cipher devices.

      The company has been criticised for selling backdoored products to benefit the American, British and German national signals intelligence agencies, the National Security Agency (NSA), the Government Communications Headquarters (GCHQ), and the BND, respectively.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      • by rtb61 ( 674572 )

        That is all I got too. Swiss company sells encryption, wait what, are they kidding, surely they must be joking. Swiss company sells encryption and everyone goes yeah nahhh, you have got to be fucking kidding. Want to sell encryption don't fucking do it out of Switzerland, encryption is dead in Switzerland and the Swiss murdered it to, FEED THEIR GREED.

        They profited off world war two pillaging of everyone else and then they profited off secret banking for organised crime, terrorists and corrupt governm

      • "From 1970 to about 1993"?

        One of the reasons that the British government kept the whole WW2 breaking of Enigma a secret until the mid-1970s was so that people would continue using it, trusting to its unbroken encryption capabilities. So from 1945 to the mid-70s, the British government could read a significant proportion of the world's encrypted traffic.

        Obviously the CIA and/or BND decided to get in on the act after the UK's 20-odd years of owning, in a quite real sense, the world of encryption.

        (Not for

    • Or more simply... company says current something is broken, but they're patenting and will be selling something that's not -- sorry, "make it available for free". Only time will tell about both parts ...

    • by Great_Geek ( 237841 ) on Sunday February 07, 2021 @04:19PM (#61038090)
      See Grover's algorithm which is proven optimal for searching arbitrary sets (like the output of a hash or AES). It is optimal because it has a proven bound, which is O(sqrt(n)).

      Which means at most a quadratic speed up, so doubling key length completely negates the quantum advantage. In practice, the (hypothetical) quantum computer would have to be very large and run for a very long time. Neither of which is projected to be possible for quite a long time.
      • > See Grover's algorithm which is proven optimal for searching arbitrary sets (like the output of a hash or AES). It is optimal because it has a proven bound, which is O(sqrt(n)).

        > Which means at most a quadratic speed up, so doubling key length completely negates the quantum advantage. In practice, the (hypothetical) quantum computer would have to be very large and run for a very long time. Neither of which is projected to be possible for quite a long time.

        This. There are also algorithms that have security guarantees beyond 'safe from Shor and Grover'. Mostly around entropy extraction. The proofs show there is no arrangement of atoms following quantum rules, that are fully entangled with the state of an entropy source that can predict the output of the downstream entropy extraction algorithm better than chance. 2-EXT by Prof Yevgeny Dodis is an example algorithm. The underlying mechanism is entangling every internal state with some other internal state so ext

  • So they managed to invert a hash function and this somehow breaks AES?
    Do they mean the key schedule? I don't remember AES using any hash function. Anyway, their solution is quantum key distribution.
    How does key distribution solve the problem of the encryption algorithm being broken?
    Or do they mean they didn't break AES at all, but the key distribution currently used for AES?
    • by Entrope ( 68843 ) on Sunday February 07, 2021 @04:13PM (#61038080) Homepage

      I think they are claiming that they've found a way to feasibly invert the pseudorandom permutation (round function) that is the heart of Feistel ciphers. But like Brent Waters says, it is hard to understand their claims -- much less figure out if they are right -- until they publish a solid technical description.

      For example, it would be interesting to know whether (they think) their attack is usable against crypto protocols that use the sponge construction. NIST selected Keccak for SHA-3 because the construction is different enough from SHA-2 that the resulting digest functions were not likely to share many weaknesses.

      • they are assuming use of QC that don't exist and won't exist for a while... or will never exist.

      • Thanks, that already makes way more sense to me than the article.
        • by Entrope ( 68843 )

          Don't put too much weight on my guess -- I am just trying to translate their claim of inverting a hash function into something with more concrete meaning in cryptography. Like Great_Geek said up-thread, most cryptographers think Grover's algorithm is the most feasible attack on general cryptosystems. If they are claiming to have a significantly better general result, it would upset a lot of assumptions about crypto.

          • AES is one of the few symmetric algorithms that does NOT use a Feistel network. AES uses array multiplication to encrypt, and then multiplication by the inverse of that array to decrypt, essentially.

            As to what Quantum computers/algorithms can do, I have never found an intelligible explanation.

      • Stuff 1024 bits into a hash algorithm and pull out 256. An inversion will on average map each output state to 2^768 possible input states.
        So that isn't going to be very effective at breaking the primary hash property. First and second preimage resistance might be up for grabs if you have the rainbow unicorn quantum computer and the Swiss firm isn't as compromised as Crypto AG was.

    • by iggymanz ( 596061 ) on Sunday February 07, 2021 @04:18PM (#61038088)

      They are claiming the quantum machines and algorithms that don't yet exist could attack AES someday, that someday is not today.

      In short, nothing is threatened, no action need be taken. The machines that don't exist may continue to not exist indefinitely.

      • I wonder how and why /. editors have let this slip:

        > even the strongest versions of AES encryption may be decipherable by quantum computers that could be available in a few years from now

        A classic example of could-be, would-be, should-be. Let's get back to the topic when such quantum computers are even remotely real. Quantum computers have been touted as being able to solve anything and everything, only so far they've seen quite limited application.

      • > In short, nothing is threatened, no action need be taken. The machines that don't exist may continue to not exist indefinitely.

        May not exist, may exist. Probably will.

        So the question is:
        Are you encrypting something today that still needs to remain secret ten years from now?

        If your secrets will no longer matter in ten years, no action is needed now. You can say "maybe they can decrypt it in 2030; I don't care if they can."

        If today's secrets need to STAY secret for a long time, you have reason to think a

        • Don't know why you pick 10 years, quantum computers have existed for over 20 years and are still very pathetic and useless for any practical application. At this rate let's say another 20 years will pass and they'll still be nifty grad school projects.

          • You and Thomas Watson seem awfully sure of your predictions.

            Things might go the way you predict, you may turn out to be just as prescient as Ken Olsen and Robert Metcalfe.

          • by ytene ( 4376651 )
            The timescales that you suggest are likely valid, but also potentially disqualifying [if I understand the premise of quantum encryption, that is].

            They’re valid because we understand that most nations now have a SigInt function which collects encrypted transmissions created by foreign nations. Even if the collector lacks the technical capability to access the data immediately, steady advances in cryptanalysis and the inexorable march of hardware capabilities may gradually combine to give that collec
            • One thing that can be of use much later is the key.
              Some systems keep using the same master key even as they update the choices of algorithms. So it's entirely possible that the VPN at your job is using the same key as when it was set up eight years ago, and it may still be using the same key eight years from now. Some systems mitigate this threat.

              There is theoretical work that perhaps one day quantum crypto could be used to detect a tap. It's still a long way from a product you can buy that isn't easily d

            • Entangled quantum communication to detect eavesdropping is another matter, that doesn't have anything to do with use or nonuse of encryption. Seeing the state of an entangled photon for example lets one know the state of its pair. The goal would be to prevent interception and also storage for later time. That has been done in laboratory at least.

              Meanwhile QC are going nowhere fast, the IBM ones of this article are 3 years old. Adding qubits makes holding system in coherent state for any useful length o

        • > May not exist, may exist. Probably will.

          Can you offer credible evidence to support this?

          > If today's secrets need to STAY secret for a long time, you have reason to think about how quantum computers are going to be used in ten years to decrypt something you encrypt today.

          What I find most amusing about all of this is QC was never known to be a credible threat to symmetric ciphers in the first place even in the alternate reality where QC's capable of killing off RSA are readily accessible.

          The problem with "thinking about" is there is almost never any reasonable basis upon which to make any kind of useful determination at all. For all anyone knows their favorite key exchange and or cipher will stand for a million years or fall t

    • I'm not sure what they mean by the other stuff, but when they talk about quantum key distribution as a solution, they are referring to a technique to share a one time pad https://en.wikipedia.org/wiki/... [wikipedia.org] . One-time pads are basically uncrackable unless the attacker gets hold of the pad, and the belief is that using quantum key distribution to share the pad prevents eavesdropping.
  • What a mess. Inverting hash functions, then randomly throwing out quantum annealing. Then moving into a key derivation protocol that says still use some other kind of crypto post key generation.

    Is there any news at all here?

    • Well, you have to remember that whatever is being said by the company is passing through the filter of a journalist (who may be more technically minded than most other journalists; but, in the end, isn't an expert in the field).

      I've seen this happen fairly often in academia as well - a researcher says something, the news person interprets it differently, and even after some back-and-forth... what comes out in the press doesn't necessarily accurately convey what the researcher said.

      Of course, there's also a

    • > Inverting hash functions

      If they mean putting in a megabyte of data and getting 64 bytes out, then 'reversing' that, "because quantum" - I think nobody who is an engineer would be working there any more.

      So, yeah, publish a paper, not a press release guys.

  • "too many secrets". Quantum decryption (in theory) is the decryption chip in the movie Sneakers. Although it's nowhere near a small individual chip yet.
  • How will we know if this idea works?

    It will be when we wake up one morning and find that Bitcoin has suddenly become worthless. Imagine a million Redditors stumbling out of their basements into the unaccustomed sunlight, not knowing what to do with themselves next...

  • ... has a lot of holes in it.

  • Company looking for funding makes extraordinary claim to press.

    Offers no evidence nor useful specificity.

    Company then proceeds to claim they are seeking a "patent" on the solution.

    I believe in the concept of crypto agility (where applicable) to hedge against the unknown yet jumping the shark and switching to some newfangled untested scheme in an anticipation of something for which there is no evidence is a fool's errand.

  • Where is a technical paper backing this claim?

  • by AnotherBlackHat ( 265897 ) on Sunday February 07, 2021 @09:45PM (#61038832) Homepage

    It's hard to prove unbreakable, but easy to prove broken.
    If they could invert a hash function, then they could easily find a collision in that hash function.
    Publishing a collision in even a weakened version of any hash function in use would be easy, and would be nearly irrefutable evidence of what they claim.
    The fact that they didn't, makes their claim highly suspect.
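The reduction described in the comment above, as an added example that is not part of the original thread: anyone holding a hash inverter can produce a collision that a third party verifies with two hash calls. `toy_hash` (SHA-256 truncated to 16 bits) and the brute-force `invert` are constructed stand-ins for "a weakened hash" and "the claimed inversion capability"; neither comes from Terra Quantum or the article.

```python
import hashlib
import os

OUT_BITS = 16  # constructed toy digest width; real digests are 256+ bits


def toy_hash(msg: bytes) -> int:
    """SHA-256 truncated to OUT_BITS bits: a deliberately weakened hash."""
    digest = hashlib.sha256(msg).digest()
    return int.from_bytes(digest[:4], "big") >> (32 - OUT_BITS)


def invert(target: int) -> bytes:
    """Hypothetical inversion oracle: return *some* preimage of target.

    Implemented as brute force over a counter, which is feasible only
    because the toy digest is 16 bits wide.
    """
    counter = 0
    while True:
        candidate = counter.to_bytes(8, "big")
        if toy_hash(candidate) == target:
            return candidate
        counter += 1


def collision_from_inverter(msg_len: int = 128, max_tries: int = 8):
    """Turn an inverter into a collision finder.

    Hash a random long message, then ask the inverter for a preimage.
    The digest says nothing about which of its many preimages was
    hashed, so the inverter almost never hands back the original input.
    """
    for _ in range(max_tries):
        m1 = os.urandom(msg_len)      # 1024-bit random input
        m2 = invert(toy_hash(m1))     # any preimage of the same digest
        if m1 != m2:
            return m1, m2
    raise RuntimeError("inverter kept returning the original message")


def is_collision(m1: bytes, m2: bytes) -> bool:
    """Public check: two distinct inputs with the same digest."""
    return m1 != m2 and toy_hash(m1) == toy_hash(m2)


if __name__ == "__main__":
    a, b = collision_from_inverter()
    print(a.hex()[:32] + "...", b.hex(), is_collision(a, b))
```
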

  • I wrote this simple data encryption / decryption algorithm and am curious what anyone thinks of whether or not it is easy to crack, as my intent was to do the quickest, shortest thing that's good enough for now.

    Looks like O(N^3) to me to decrypt, it's basically an accumulated increment and XOR shift. Being XOR I'd imagine that'd make it much more complex, and I can change the accumulation to something with more complexity and add a nonce.
    //Encryption of filedata[]
    int iter=0;
    int accum=0;
    for(int di=0;difi

  • Apparently, they call classical encryption, namely AES, "post-quantum", then go on to show you can break it with regular quantum algorithms, which is exactly the whole point of quantum computing and always has been, but treat it as if they invented a new type of crack, ... and then present regular quantum encryption methods, known for quite some time now, as their "new" "one step further" algorithm.

    How fuckin stupid do they think we are??
    Or is the article just *insanely* badly written. (I mean they do put "h