Semiconductor Makers Scramble to Support New Post-Quantum Cryptography Standard (eetimes.com) 40
IoT Times brings an update on "the race to create a new set of encryption standards."
Last month, it was announced that a specialized security algorithm co-authored by security experts of NXP, IBM, and Arm had been selected by the U.S. Government's National Institute of Standards and Technology (NIST) to become part of an industry global standard designed to counter quantum threats.
IoT Times interviews the cryptography expert who co-created the Crystals-Kyber lattice-based algorithm selected by NIST — Joppe W. Bos, a senior principal cryptographer at the Competence Center for Cryptography and Security at NXP Semiconductors.
And what worries his colleagues at the semiconductor company isn't the "imminent threat of quantum computers," Bos says, but an even closer and more practical deadline: "the timeline for these post-quantum crypto standards." "Two weeks ago, NIST announced the winners of these new public standards, the post-quantum crypto standards, and their timeline is that in 2024, so in roughly two years, the winners will be converted into standards. And as soon as the standards are released, our customers will expect NXP Semiconductors, as one of the leaders in crypto and security, to already have support for these standards, because we are, of course, at the start of the chain for many end products. Our secure elements, our secure platforms, SOCs, are one of the first things that need to be integrated into larger platforms that go into end products. Think about industrial IoT. Think about automotive applications. So, our customers already expect us to support post-quantum crypto standards in 2024, and not only support but, for many companies, being able to compute the functional requirements of the standard.
"It took over ten years to settle down on the best methods for RSA and ECC, and now we have a much shorter timeline to get ready for post-quantum crypto."
"When you ask the experts, it ranges from one to five decades until we can see quantum computers big enough to break our current crypto," Bos says in the interview. So he stresses that they're not driven by a few of quantum computers. "The right question to ask, at least for us at NXP is, when is this new post-quantum crypto standard available? Because then, our customers will ask for post-quantum support, and we need to be ready.
"The standard really drives our development and defines our roadmap."
But speaking of the standard's "functional requirements", in the original story submission Slashdot reader dkatana raised an interesting point. There's already billions of low-powered IoT devices in the world.
Will they all have the memory and processing power to use this new lattice-based encryption?
IoT Times interviews the cryptography expert who co-created the Crystals-Kyber lattice-based algorithm selected by NIST — Joppe W. Bos, a senior principal cryptographer at the Competence Center for Cryptography and Security at NXP Semiconductors.
And what worries his colleagues at the semiconductor company isn't the "imminent threat of quantum computers," Bos says, but an even closer and more practical deadline: "the timeline for these post-quantum crypto standards." "Two weeks ago, NIST announced the winners of these new public standards, the post-quantum crypto standards, and their timeline is that in 2024, so in roughly two years, the winners will be converted into standards. And as soon as the standards are released, our customers will expect NXP Semiconductors, as one of the leaders in crypto and security, to already have support for these standards, because we are, of course, at the start of the chain for many end products. Our secure elements, our secure platforms, SOCs, are one of the first things that need to be integrated into larger platforms that go into end products. Think about industrial IoT. Think about automotive applications. So, our customers already expect us to support post-quantum crypto standards in 2024, and not only support but, for many companies, being able to compute the functional requirements of the standard.
"It took over ten years to settle down on the best methods for RSA and ECC, and now we have a much shorter timeline to get ready for post-quantum crypto."
"When you ask the experts, it ranges from one to five decades until we can see quantum computers big enough to break our current crypto," Bos says in the interview. So he stresses that they're not driven by a few of quantum computers. "The right question to ask, at least for us at NXP is, when is this new post-quantum crypto standard available? Because then, our customers will ask for post-quantum support, and we need to be ready.
"The standard really drives our development and defines our roadmap."
But speaking of the standard's "functional requirements", in the original story submission Slashdot reader dkatana raised an interesting point. There's already billions of low-powered IoT devices in the world.
Will they all have the memory and processing power to use this new lattice-based encryption?
Re: (Score:1)
Fusion has made much, much better progress and a 50-200 year goal (to practical application) is actually realistic. QCs that matter? Not so much.
Re: (Score:1)
I am not an expert in nuclear fusion. But I am a PhD-level engineer and I can understand what actual experts say about the matter and I can do some fact checking on that. You probably are missing those skills, so you think I must be faking it because you could not do it.
Re: More scams (Score:2)
QCs that matter? Not so much.
At least that's whst the NSA would like you to believe.
Re: (Score:2)
The NSA is very much only using what other people have, with the one exception of mathematics. In the physical space they are not more advanced than anybody else.
Re: (Score:2)
At current funding levels, 50-200 years is plausible. Funding could be massively increased, albeit at the expense of marginally reducing subsidies to fossil fuels, at any time. Had this been done 10-20 years ago, ITER could have been fully funded at negligible impact to fossil fuels. Experiments that must now be done sequentially could have been done in parallel. We have to assume ITER could have laid hands on sufficient researchers for their original proposals.
Therefore we can contract that timeline up to
Actually, it is still quite possibly "never" (Score:5, Interesting)
For QCs that can break current encryption that is. These systems would need to be massively larger than what we have today. Now, QCs scale abysmally badly because everything needs to be entangled and stay so for the whole computation. It is quite possible we will be hitting a wall far below the, say, 6000 effective (!) QBits that are needed to break RSA-2048. Currently IBM claims 50 effective QBits as a world record, after something like 50 years of research. But that is only one factor. The second is the need to stay entangled. Currently even small computations need to be repeated very often to find one run that did not decohere and hence did deliver results. This problem gets much, much worse with more QBits (probably exponentially worse) and much, much worse with more computation steps (likely exponentially worse). Hence we may eventually get there, but QCs may simply take far too long for any practical implications.
And there is another dirty little secret: There have _never_ been any quantum calculations that would reliably rule out small effects that could completely kill the concept for larger computations. At the moment QCs that can practically break current encryption are a complete fantasy and extrapolating the history of QCs results more in a > 100 years prediction than in "may be 10 years". But then you look where this guy gets his meal-ticket and you see how he came up with that "10-50 years" estimate.
The whole thing also has still another problem: Apparently these post-quantum encryption algorithms are not very good. Anybody sane will give them at least 10 years and possibly longer before using them. And anybody sane will only use them together with classical algorithms so that _both_ have to be broken to get in.
All his building of air-castles in the sky and then pretending these are real that we have in the CS/IT field these days really gets on my nerves.
Wait, what? (Score:2)
Are you saying that quantum computers running semi-concious artificial neural networks controlling Elons latest brain fart arn't just around the corner then?
Re: (Score:2)
Assholes like Elon cannot be controlled. That should be obvious. Well, maybe he crosses the wrong people at some point and gets "suicided"....
Re: (Score:1)
Re: (Score:2)
Thank you.
Re: (Score:2)
Indeed. I also urgently need to top-off my crypto-vallet and buy a ticket to Mars!
Re: (Score:2)
You seem to be unaware that only effective QBits can be used for computations. These are far, far fewer than the physical QBits present and scale much worse.
Re: (Score:2)
On the flipside though is the problem that if a quantum computer could be built in 30 years, an attack
Re: (Score:2)
Part of my old job was working on post quantum encryption and I definitely believe that there is a good chance that a quantum computer able to break modern signing or key exchanges could be physically impossible. There are different "things" we can entangle but every method seems to have a hard limit on the number of QBits times the number of operations that can be done on them while they stay entangled.
Yes, that is what I what I also found on digging a bit. Many people seem to completely overlook that these things have to stay entangled for the whole computation or the results become meaningless and that ensuring this or at least making it highly probably is exceptionally hard. Most people think these are conventional computers and you can just "throw in more memory" and "run them longer". That is very much not the case.
On the flipside though is the problem that if a quantum computer could be built in 30 years, an attacker who recorded your messages and their key exchange today could read your messages. They could also get the symmetric keys your IoT devices are using, or spoof your sensors. I'm not sure if I will care 30 years from now if someone can read my Messenger texts but diplomatic messages can be embarrassing 30 years later. I doubt any of my IoT devices will still be working but there will be lots of industrial control devices that are deployed today that will still be working 30 years from now. This will make a problem with industrial control even worse. While many commands to control remote infrastructure are already properly authenticated many automated systems make decisions based on sensor inputs that are not.
Yes, that is basically the situation. In actual reality most things encrypted will be
Re:Untested crypto in silicon is a waste (Score:1)
As an example SIKE was shown weak to Torsion within 1 week of being announced as a finalist. Implementing these algorithms now is a waste of time and money, as they will likely be tweaked several times in the next 10 years. Those tweaks can't be applied to silicon directly.
The previous poster has a great point. There is no threat, and it doesn't look like there will be a threat for several decades.
This is the time to wait and see how these new algorithms get reshaped, implemented more efficiently, and wh
Re: (Score:2)
Yes, the SIKE incident gave me pause. It is really, really bad that a finalist was so incredible weak.
I completely agree that these things need more work and that there is time for this. I also think the work on these should continue.
Re: (Score:2)
My suspicion is that the exponential growth in difficulty of keeping a large system of fully entangled qubits cohered neatly cancels out the exponential speedup expected for more abstract quantum algorithms like Shor's.
That doesn't mean quantum computers will be useless though. They should be very good at simulat
Re: (Score:2)
That said, better crypto is a win, might as well shake it out sooner. I remember thinking we were safe with md5, ssl, tls, rsa, all that.
If the quantum boogeyman lights a fire, I won't argue. If someone insists we use an untested algorithm because quantum, I'll come back to your comment.
Not a bad thing (Score:2)
I suspect they're more worried about some clever hack that allows a massive distributed system to crack some current algo than they are about QCs. Standard computers are still getting more powerful every year despite Moores Law no longer generally applying.
I salute... (Score:2)
Scrambling .. (Score:2)
Re: (Score:2)
No need to scramble, that's already been achieved a long time ago.
Trust THEM, what could go wrong? (Score:2)
Agencies within the US government have a sordid history of trying to backdoor encryption standards, or build in weaknesses. Because these standards are being rushed, there us even more opportunity for shenanigans.
I hope the implementors will folliw the suggestions made by skeptics: first, encrypt using a classical algorithm. Then encrypr again, using the new post-quantum standard. Worst case, it costs a bit of extra processing power.
Re: (Score:2)
These sorts of problems are being discussed on the public post-quantum cryptography mailing list.
Good idea, wrong target (Score:2)
How about scrambling to get the fucking chips produced again?
Re: (Score:2)
This post-quantum thing pertains to engineers who design new chips, not the people who operate the fabs that manufacture existing designs. Working on one doesn't take away from the other.
rando comments (Score:3, Interesting)
It should be pointed out that it takes awhile for any standard to evolve and continue to evolve (i.e. even tcp just had a standards based rfc just released).
Some background to the NIST process (I am not an expert, but have been occasionally following this):
This touches on the NIST process, showing some key milestones and that it takes years:
https://www.cryptomathic.com/n... [cryptomathic.com]
A presentation that goes over several submissions early into the process (a year or so?)
https://media.ccc.de/v/35c3-99... [media.ccc.de]
I know wiki is bad for a post, but this does go through the list of algos and their rounds in the selection process:
https://en.wikipedia.org/wiki/... [wikipedia.org]
For those that are interested: A post quantum library was created: https://libpqcrypto.org/ [libpqcrypto.org] [this includes many submitted items including the finalists]
It's not clear to me the difference between round4 and the "selected algorithms". Does this mean round4 candidates were algos that took longer to develop and they are just being submitted, but could still end up on the selected list?
https://csrc.nist.gov/Projects... [nist.gov]
I see that rainbow was a round 3 finalist but the keys were 100s of KBs; was this the only downfall for rainbow...?
While I appreciate a standard universal hardware backed-encryption; but could some algos have a good fit in "bigger infrastructure" (non iot) or long-standing (vpn) connections?
Re: (Score:2)
Rainbow is a broken algorithm that can be cracked in a day on any old laptop computer, as discussed on the mailing list. There seems to be a consensus that it can't be fixed.
Wait, why silicon for the crypto? (Score:2)
Are the new algorithms really expensive computationally? I don't know if they are like RSA but RSA verification is pretty cheap these days. Why would these new algorithms need silicon support from the get go?
Re: (Score:2)
The quantum crypto algorithms are extremely resource-hungry. Keys are huge, processing is slow, so much of the discussion on the mailing list is on how much things can be weakened.
NIST is worthless (Score:2)
If it comes from NIST it has a back door or just be too weak to matter. They don't recommend anything until the NSA have check that they can break it. And if the NSA can break it, China can. And if China can, then that Chinese company that is your big rival in Asia can break it.
http://blog.cr.yp.to/20220805-... [cr.yp.to]
Re: (Score:2)
Itâ(TM)s not about you (Score:1)
Lattice-based crypto and memory bottleneck (Score:2)