Security

Post-Quantum Encryption Contender is Taken Out by Single-Core PC and 1 Hour (arstechnica.com)

In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms. From a report: Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected four post-quantum computing encryption algorithms to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.
  • It's hard to compare apples to oranges. Which risk is greater - that China will create a quantum decryptor within the storage horizon of current usage? Or that a newfangled, quantum-resistant algorithm will turn out to be flawed, either inherently or in implementation?
    • False dilemma. It's important research and they have to start somewhere.
    • Either way, if your algorithm can't stand against a single core PC, it has problems.

      • But it's not exactly a brute force attack. It's attacking some core components in the algorithm. And these were weaknesses in the algorithm that had long been suspected. Part of the NIST testing is to hash this stuff out, so it did its job. In that sense, the fact that the attack was fast is not that important, since once you uncover a flaw in an algorithm you expect the attacks to be fast.

        • I'm not exactly sure what your point is, or how it relates to the post you replied to.

          • by bws111 ( 1216812 )

            The point (I think) is that the fact that there is a flaw is the problem. That the flaw can be found on a single core PC is immaterial. And finding flaws is exactly why they are doing these tests.

    • It's hard to compare apples to oranges. Which risk is greater - that China will create a quantum decryptor within the storage horizon of current usage? Or that a newfangled, quantum-resistant algorithm will turn out to be flawed, either inherently or in implementation?

      First, I wouldn't be worried about Chinese, I'd be worried about your own government, whoever that is. I mean, what are the Chinks gonna do to you if they find something in your emails that they don't like? Send predator drones to a different country? Your own govt on the other hand can toss you in prison on real or trumped up charges, make you unemployable, lock your bank account, go after your loved ones too, etc etc.

      Second, you can have best of both worlds: encrypt your message with something quantum-
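The "best of both worlds" idea in the comment above is what practitioners call a hybrid key exchange: run a classical agreement (say X25519) and a post-quantum KEM side by side, then feed both shared secrets through one key derivation so that the session key stays secret as long as either component holds. The code below is an added illustration, not code from the thread or from any NIST submission; it implements HKDF-SHA256 per RFC 5869 and a combiner over two secrets. The shared secrets, the `hybrid-kex-v1` salt label and the transcript bytes are constructed stand-ins; real X25519 or KEM outputs would be used in their place.

```python
"""Hybrid (classical + post-quantum) key derivation with HKDF-SHA256 (RFC 5869).

Added illustration, not code from the thread or from any NIST submission.
Assumes the two parties have already run two independent key agreements
(e.g. X25519 and a PQ KEM) and hold the raw shared secrets; those secrets
are constructed at random here rather than produced by real algorithms.
"""
import hashlib
import hmac
import secrets

HASH_LEN = hashlib.sha256().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC-SHA256(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i); return the first `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand output too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    """Full HKDF: Extract then Expand."""
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                       length: int = 32) -> bytes:
    """Combine two shared secrets into one session key.

    Each secret is length-prefixed so the concatenation is unambiguous, and the
    handshake transcript goes into `info` so the key is bound to this session.
    The secrecy of the result rests on whichever component is still unbroken:
    recovering ss_pq (as happens when a KEM like SIKE is broken) without
    ss_classical gives an attacker no way to compute the key, and vice versa.
    """
    if not ss_classical or not ss_pq:
        raise ValueError("both shared secrets are required")
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    # "hybrid-kex-v1" is an assumed domain-separation label, not a standard value.
    return hkdf(b"hybrid-kex-v1", ikm, b"session key" + transcript, length)


def demo() -> tuple:
    """Both honest parties agree; an attacker holding only the PQ secret does not."""
    # Constructed inputs standing in for real X25519 and PQ-KEM outputs.
    ss_classical = secrets.token_bytes(32)
    ss_pq = secrets.token_bytes(32)
    transcript = hashlib.sha256(b"constructed handshake messages").digest()

    k_initiator = hybrid_session_key(ss_classical, ss_pq, transcript)
    k_responder = hybrid_session_key(ss_classical, ss_pq, transcript)

    # Model an attacker who recovered ss_pq by breaking that KEM but can only
    # guess the classical secret.
    k_attacker = hybrid_session_key(secrets.token_bytes(32), ss_pq, transcript)
    return k_initiator == k_responder, k_attacker != k_initiator


if __name__ == "__main__":
    print(demo())
```

The length prefixes matter: without them, a 31-byte classical secret followed by a 33-byte PQ secret would produce the same IKM as a 32/32 split, and the combiner would no longer bind each secret to its role. Binding the transcript into `info` likewise keeps a key from being reused across handshakes that happen to share the same two secrets.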

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        You will be singing a much different tune if Taiwan gets "annexed", Japan is "pacified", Seoul is shelled to a crater, most manufacturing in Asia is halted, and the orcs move the Iron Curtain to the Atlantic Ocean. Look at how the US solar industry was systematically eradicated due to espionage and IP theft in the early 2010s.

        If you think the US is bad, I wouldn't recommend making references to a certain bear that went public domain anywhere on the mainland, especially in HK. You might just find yourse

      • I mean, what are the Chinks gonna do to you

        Well this conversation took a surprising turn real fast...

    • by raymorris ( 2726007 ) on Tuesday August 02, 2022 @01:49PM (#62756524) Journal

      > newfangled, quantum-resistant algorithm will turn out to be flawed

      That "new-fangled" thing is why the standardization process started more than five years ago. That's five years for mathematicians and cryptographers to explore them and talk about anything they see as a potential weakness, before NIST chose some (not this one) that you're ALLOWED to use. Then another five years before they are widely used for extremely sensitive communications.

      That's also why cryptography is moving toward provably secure systems. If you did geometric proofs in high school, the same can be done with cryptography - we can sometimes show it's impossible for there to be a weakness (within the scope). Unfortunately there isn't a lot of overlap between provably secure and quantum resistant currently.

      It's ALSO why TLS, IPSec, etc do NOT specify a particular algorithm. Rather, they specify how two parties negotiate an algorithm. Algorithms are upgraded every year or so, without needing to re-invent TLS, IKE, etc. And that's why Wireguard is fucking stupid as hell. Wireguard is simply "skip TLS or anything and hardcode ChaCha20. Because surely ChaCha20 will never, ever have a weakness." Fucking stupid.

      • If you did geometric proofs in high school, the same can be done with cryptography

        I was going to say that one of these things is way harder than the other, but on the other hand, for some of those high school geometric proofs, it took thousands of years to come up with an answer. So maybe it's not harder.

          That's an interesting thought. I too was at first thinking the cryptographic proofs are harder. But then I realized I was TAUGHT the geometric proofs. I was able to derive some of the cryptographic proofs all on my own, without being taught the proof ahead of time. So maybe some crypto proofs are easier than some geometric proofs.

          The cryptography-specific proofs rely on proofs of certain mathematical functions (or lacking proofs, assumptions of the same). I would say that some of the proofs in elliptic curve

      • I won't lie, I had to actually look up ChaCha20. What's next, The Dabbing40 algorithm?
      • by AmiMoJo ( 196126 )

        It's only hard coded in the sense that nobody has done the work to add other options. It's not a fundamental requirement of the Wireguard protocol. It will get upgraded as time goes on.

        • The entire POINT of Wireguard is that it is skipping the negotiation phase entirely. That's to make it faster, for short connections. It just starts sending packets with the hardcoded algorithm - there is at no point any opportunity to negotiate any other option.

          Wireguard is pretty much TLS with the first two packets gone - the packets that are used to choose the algorithms.

    • by Darinbob ( 1142669 ) on Tuesday August 02, 2022 @02:18PM (#62756614)

      The snag here is the key generation or key exchange. We have algorithms resistant to quantum attacks as long as we have a secure key. This attack on SIKE is attacking the key generation method, allowing a third party to deduce what the key is in less than exponential time.

      If you can create a great key then physically transport it to the second party then destroy the material afterwards, it's good. This is how things were done in the past and it's clumsy. So in the modern era you want the public key algorithms, or at least secure key generation by two parties over an insecure medium. If quantum makes this too hard then I can see the return to a sort of cold war spy like methodology of trying to exchange keys without being intercepted. However in the commercial world it could be a disaster, because commercial entities are highly resistant to adapting to newer and better security because it slows down their road to a fast profit, so they will adopt new standards before they're fully tested, and even adopt standards with known security flaws. Things like WSA and WSA2 for example.

      • by bws111 ( 1216812 )

        So which is it? Are 'commercial entities' (ooh, evil), 'highly resistant to adapting new and better security', or do they 'adopt new standards before they're tested'? One of these things is not like the other.

        The idea that we could ever return to 'cold war spy like methodology' is ludicrous. Yeah, you can do that if there are a handful of entities dealing with a few thousands of (trusted) contacts. Do that with literally millions of entities with billions of untrusted contacts? Nope.

        The alternative to e

        • Examples would be adopting WSA and WSA2 for wifi security, even while knowing that they were very weak. The snag is that once those got adopted that they stuck with it, because it was too expensive to change the standard again; devices were in the field, not upgradable, etc.

  • by DarkRookie2 ( 5551422 ) on Tuesday August 02, 2022 @01:26PM (#62756450)
    SIKE, this isn't an encryption thingie you want to use.
  • by phantomfive ( 622387 ) on Tuesday August 02, 2022 @01:44PM (#62756504) Journal

    If you like post-quantum encryption, DJB usually posts interesting things about it [twitter.com]. Although sometimes it gets a little mathematical.

  • Math based insecurities can exist in all types of encryption which is why there are multiple rounds to weed out candidate algorithms. The entire purpose of this is to evaluate algorithms and identify weaknesses before it reaches the point of becoming a standard.

  • Intelligence agencies have had four decades to break RSA and have mostly failed the whole time. Now they want to social engineer the world into accepting complex gibberish justified by FUD... merely an unfalsifiable always true notion that something "could" happen in the future.

    Once there is a post quantum scheme they will pursue their goal of demanding everyone abandon RSA for the new scheme through government sponsored standardization / regulatory means and everyone will be compelled to fall in line.

  • by SuperKendall ( 25149 ) on Tuesday August 02, 2022 @03:17PM (#62756854)

    The NSA was like "So close!!!".

  • by FeelGood314 ( 2516288 ) on Tuesday August 02, 2022 @04:59PM (#62757190)
    The thing most businesses don't get is you need protection today. This isn't like a patch that can be added after a quantum computer is able to break your key negotiation. The bad guys are recording your messages and the message key negotiation today. When the bad guys get their quantum computer they will break the key negotiation and read your message. So if you want your diplomatic cables you are sending today to stay secret for 50 years your options are hand deliver them or hand deliver a one time pad. Also replacing the existing math is hard. We want drop in replacements for what we have today. There are elliptic curve signatures that can add fewer bytes than the size of a point to a message. So you could sign something in 22 bytes. Many of the post quantum solutions for the same security are adding hundreds of KBs. If my message is a simple on or off I don't want it to be over a megabyte after error correction is added.
  • https://www.techdirt.com/2015/... [techdirt.com]

    the NSA and the like have no intention of making our encryption strong. better for us to be vulnerable than for whistleblowers and journalists to have secure communications.. RIGHT?

  • by Anonymous Coward on Tuesday August 02, 2022 @07:43PM (#62757556)

    How insecure can this actually make this encryption contender? I mean, where can you even find a single core computer these days?
