Post-Quantum Encryption Contender is Taken Out by Single-Core PC and 1 Hour (arstechnica.com)
In the US government's ongoing campaign to protect data in the age of quantum computers, a new and powerful attack that used a single traditional computer to completely break a fourth-round candidate highlights the risks involved in standardizing the next generation of encryption algorithms. From a report: Last month, the US Department of Commerce's National Institute of Standards and Technology, or NIST, selected four post-quantum computing encryption algorithms to replace algorithms like RSA, Diffie-Hellman, and elliptic curve Diffie-Hellman, which are unable to withstand attacks from a quantum computer. In the same move, NIST advanced four additional algorithms as potential replacements pending further testing in hopes one or more of them may also be suitable encryption alternatives in a post-quantum world. The new attack breaks SIKE, which is one of the latter four additional algorithms. The attack has no impact on the four PQC algorithms selected by NIST as approved standards, all of which rely on completely different mathematical techniques than SIKE.
different types of risk (Score:2)
Re: (Score:2)
Either way, if your algorithm can't stand against a single core PC, it has problems.
Re: (Score:3)
But it's not exactly a brute force attack. It's attacking some core components in the algorithm. And these were weaknesses in the algorithm that had long been suspected. Part of the NIST testing is to hash this stuff out, so it did its job. In that sense, the fact that the attack was fast is not that important, since once you uncover a flaw in an algorithm you expect the attacks to be fast.
Re: (Score:2)
I'm not exactly sure what your point is, or how it relates to the post you replied to.
Re: (Score:3)
The point (I think) is that the fact that there is a flaw is the problem. That the flaw can be found on a single core PC is immaterial. And finding flaws is exactly why they are doing these tests.
Re: (Score:3)
It's hard to compare apples to oranges. Which risk is greater - that China will create a quantum decryptor within the storage horizon of current usage? Or that a newfangled, quantum-resistant algorithm will turn out to be flawed, either inherently or in implementation?
First, I wouldn't be worried about Chinese, I'd be worried about your own government, whoever that is. I mean, what are the Chinks gonna do to you if they find something in your emails that they don't like? Send predator drones to a different country? Your own govt on the other hand can toss you in prison on real or trumped up charges, make you unemployable, lock your bank account, go after your loved ones too, etc etc.
Second, you can have best of both worlds: encrypt your message with something quantum-
Re: (Score:3, Insightful)
You will be singing a much different tune if Taiwan gets "annexed", Japan is "pacified", Seoul is shelled to a crater, most manufacturing in Asia is halted, and the orcs move the Iron Curtain to the Atlantic Ocean. Look at the US solar industry how it was systematically eradicated due to espionage and IP theft in the early 2010s.
If you think the US is bad, I wouldn't recommend making references to a certain bear that went public domain anywhere on the mainland, especially in HK. You might just find yourse
Re: (Score:2)
I mean, what are the Chinks gonna do to you
Well this conversation took a surprising turn real fast...
That's why the process is 5 years + 5 years, plus (Score:5, Insightful)
> newfangled, quantum-resistant algorithm will turn out to be flawed
That "new-fangled" thing is why the standardization process started more than five years ago. That's five years for mathematicians and cryptographers to explore them and talk about anything they see as a potential weakness, before NIST chose some (not this one) that you're ALLOWED to use. Then another five years before they are widely used for extremely sensitive communications.
That's also why cryptography is moving toward provably secure systems. If you did geometric proofs in high school, the same can be done with cryptography - we can sometimes show it's impossible for there to be a weakness (within the scope). Unfortunately there isn't a lot of overlap between provably secure and quantum resistant currently.
It's ALSO why TLS, IPSec, etc. do NOT specify a particular algorithm. Rather, they specify how two parties negotiate an algorithm. Algorithms are upgraded every year or so, without needing to re-invent TLS, IKE, etc. And that's why Wireguard is fucking stupid as hell. Wireguard is simply "skip TLS or anything and hardcode ChaCha20. Because surely ChaCha20 will never, ever have a weakness." Fucking stupid.
Re: (Score:3)
If you did geometric proofs in high school, the same can be done with cryptography
I was going to say that one of these things is way harder than the other, but on the other hand, for some of those high school geometric proofs, it took thousands of years to come up with an answer. So maybe it's not harder.
Re: (Score:2)
That's an interesting thought. I too was at first thinking the cryptographic proofs are harder. But then I realized I was TAUGHT the geometric proofs. I was able to derive some of the cryptographic proofs all on my own, without being taught the proof ahead of time. So maybe some crypto proofs are easier than some geometric proofs.
The cryptography-specific proofs rely on proofs of certain mathematical functions (or lacking proofs, assumptions of the same). I would say that some of the proofs in elliptic curve
Troll fail (Score:2)
You fail. You attempted trolling to TOO stupid, TOO clueless, for anyone to take seriously.
"Mathematical proofs are just marketing slogans" - you might bait someone on Facebook with that. We know that nobody on Slashdot is actually that stupid.
Re: (Score:2)
Mod parent up.
Re: (Score:2)
It's only hard coded in the sense that nobody has done the work to add other options. It's not a fundamental requirement of the Wireguard protocol. It will get upgraded as time goes on.
Hardcoding is the entire point of Wireguard (Score:2)
The entire POINT of Wireguard is that it is skipping the negotiation phase entirely. That's to make it faster, for short connections. It just starts sending packets with the hardcoded algorithm - there is at no point any opportunity to negotiate any other option.
Wireguard is pretty much TLS with the first two packets gone - the packets that are used to choose the algorithms.
Re:different types of risk (Score:4, Interesting)
The snag here is the key generation or key exchange. We have algorithms resistant to quantum attacks as long as we have a secure key. This attack on SIKE is attacking the key generation method, allowing a third party to deduce what the key is in less than exponential time.
If you can create a great key, then physically transport it to the second party, then destroy the material afterwards, it's good. This is how things were done in the past and it's clumsy. So in the modern era you want the public key algorithms, or at least secure key generation by two parties over an insecure medium. If quantum makes this too hard then I can see the return to a sort of cold war spy like methodology of trying to exchange keys without being intercepted. However in the commercial world it could be a disaster, because commercial entities are highly resistant to adapting to newer and better security because it slows down their road to a fast profit, so they will adopt new standards before they're fully tested, and even adopt standards with known security flaws. Things like WSA and WSA2 for example.
Re: (Score:2)
So which is it? Are 'commercial entities' (ooh, evil) 'highly resistant to adapting new and better security', or do they 'adopt new standards before they're tested'? One of these things is not like the other.
The idea that we could ever return to 'cold war spy like methodology' is ludicrous. Yeah, you can do that if there are a handful of entities dealing with a few thousands of (trusted) contacts. Do that with literally millions of entities with billions of untrusted contacts? Nope.
The alternative to e
Re: (Score:3)
Examples would be adopting WSA and WSA2 for wifi security, even while knowing that they were very weak. The snag is that once those got adopted that they stuck with it, because it was too expensive to change the standard again; devices were in the field, not upgradable, etc.
post-quantum encryption (Score:4, Informative)
If you like post-quantum encryption, DJB usually posts interesting things about it [twitter.com]. Although sometimes it gets a little mathematical.
Re: (Score:2)
The important thing about DJB is, he's right. All your other points don't matter after that. That is, people might complain that it's a personal attack, but he's just pointing out their mistakes.
Re: (Score:2)
All I've seen in this conversation is personal attacks from you against DJB.
Re: (Score:2)
Not only is he right, you are involved in personal attacks. QED.
Re: (Score:2)
"Every war is a civil war because all men are brothers."
Slava Ukraini.
That's the point. (Score:2)
Math based insecurities can exist in all types of encryption which is why there are multiple rounds to weed out candidate algorithms. The entire purpose of this is to evaluate algorithms and identify weaknesses before it reaches the point of becoming a standard.
This is the whole point of post quantum crypto (Score:2)
Intelligence agencies have had four decades to break RSA and have mostly failed the whole time. Now they want to social engineer the world into accepting complex gibberish justified by FUD... merely an unfalsifiable always true notion that something "could" happen in the future.
Once there is a post quantum scheme they will pursue their goal of demanding everyone abandon RSA for the new scheme through government sponsored standardization / regulatory means and everyone will be compelled to fall in line.
Re: (Score:2)
Negative.
One can have post-quantum crypto with pre-quantum crypto simultaneously.
Concretely, see: https://csrc.nist.gov/Projects [nist.gov]...
You're looking for the question near the bottom: "Does NIST consider the hybrid key establishment modes and dual signatures to be long-term solutions? (added 1/28/20)"
Sure you can inject post quantum schemes to implement forward secrecy so that pre-quantum won't be cracked in a PQ world, or swap out parts of a cipher suite to your heart's content, yet when it comes to key exchanges this notion that everyone is going to deploy two completely separate trust anchors for everything and run all signing operations twice with 2x associated bandwidth for the purpose of improving security is not operationally credible. Nobody is going to do that in the real world. What will actually ha
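An added example (written for this page, not by any commenter or by NIST) of the hybrid key establishment the NIST FAQ linked above refers to: the shared secret from a classical exchange and the shared secret from a post-quantum KEM are concatenated and run through a KDF, so the session key is only recoverable with both, whether the classical half falls to a quantum computer or the PQ half falls to a SIKE-style break. The function names are hypothetical, the KEM outputs are constructed stand-ins (no real KEM is run), and HKDF-SHA256 is implemented from the standard library.

```python
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256: PRK = HMAC(salt, IKM)."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(n) = HMAC(PRK, T(n-1) || info || n)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> bytes:
    """Derive one session key from a classical (e.g. ECDH) and a PQ KEM shared secret.

    Both secrets are concatenated into the KDF input, and a hash of the handshake
    transcript is the salt, so the key is bound to every component of the exchange.
    """
    if len(ss_classical) < 32 or len(ss_pq) < 32:
        raise ValueError("shared secrets must be at least 32 bytes")
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-kex session key", 32)


def partial_knowledge_check(ss_classical: bytes, ss_pq: bytes, transcript: bytes) -> dict:
    """Model an attacker who has recovered only one component of the hybrid exchange.

    Lacking a break of the other component, the attacker's best effort is to guess it;
    a fresh random guess stands in for that. Only full knowledge reproduces the key.
    """
    real_key = hybrid_session_key(ss_classical, ss_pq, transcript)
    guess = secrets.token_bytes(32)  # attacker's guess for the unknown component
    return {
        "classical_only": hmac.compare_digest(hybrid_session_key(ss_classical, guess, transcript), real_key),
        "pq_only": hmac.compare_digest(hybrid_session_key(guess, ss_pq, transcript), real_key),
        "both": hmac.compare_digest(hybrid_session_key(ss_classical, ss_pq, transcript), real_key),
    }


if __name__ == "__main__":
    # Constructed stand-ins for what a real ECDH exchange and a real PQ KEM would output.
    print(partial_knowledge_check(secrets.token_bytes(32), secrets.token_bytes(32), b"hello||server_hello"))
```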
Reaction (Score:3)
The NSA was like "So close!!!".
why should crypto standards start being secure? (Score:1)
https://www.techdirt.com/2015/... [techdirt.com]
the NSA and the like have no intention of making our encryption strong. better for us to be vulnerable than whistleblowers and journalists having secure communications.. RIGHT?
Not that big a deal (Score:3, Funny)
How insecure can this actually make this encryption contender? I mean, where can you even find a single core computer these days?