Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Encryption

Could NIST Delays Push Post-Quantum Security Products Into the Next Decade? (esecurityplanet.com) 45

Slashdot reader storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.

That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.

"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.

"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."

And as encrypted data stolen now can be decrypted later, the potential for "harvest now, decrypt later" attacks "is a quantum computing security problem that's already here."

This discussion has been archived. No new comments can be posted.

Could NIST Delays Push Post-Quantum Security Products Into the Next Decade?

Comments Filter:
    • by gtall ( 79522 )

      Such as your social security data, your biometric data, those porn sites you visited, those drugs you took, that hookup you'd like to forget, the nuclear codes to launching nukes, recipes for chemical and biological weapons, your bank numbers, you entire genelogic history, your health data, your insurance data, your investments and your access accounts to those investments, your sexual orientation, etc.

      So could you please publish all that here so that we may know this isn't some zephyr of an idea that fizze

      • a lot of people spend their entire lives thinking about and supporting zephyrs. other peoples' zephyrs at that. sad! many such cases!!

      • ... your biometric data, those porn sites you visited, those drugs you took, that hookup you'd like to forget, [... your] entire [genealogical] history, your health data, [...], your sexual orientation ...

        If we stopped demanding society's 'normal' be some checklist of perfect outcomes (See: Utopia) and accepted normal includes a lot of weird crap, this wouldn't matter.

        ... the nuclear codes to launching nukes, recipes for chemical and biological weapons ...

        If we stopped declaring we have more rights than our neighbours, we wouldn't have weapons that could be used against us.

        ... social security data, [...] your bank numbers, [...] your insurance data, your investments and your access accounts to those investments ...

        If we stopped putting a price on life and using money to keep 'score', this wouldn't matter.

        I'll admit points 2 & 3 aren't going to be solved anytime soon. We can change the values of society (Eg. Slavery). Large parts

      • I have no social security, no biometric data (look, mama, no fingerprints), I don't visit porn sites, I don't use drugs, I'd rather have no nukes and no launching codes, I have no bank account, I don't know what "genelogic" is, I am uninsured and without investments, and my sexual orientation is obvious. Or, as Asimov would have it, I am Gaia.

  • I'll bet there is a *lot* of encrypted stuff out there that people will wish couldn't be q-decrypted.

    • No need to panic. AES 128 isn't susceptible to attack by quantum computers and RSA can easily use bigger numbers to negate them.

      • by HiThere ( 15173 )

        How do you apply those encryptions to files that are already out there?

        • You can't (obviously) but they're going to be quite old files by the time QC can decrypt them and only RSA will be vulnerable, symmetric ciphers with more than 64-bit keys should still be OK.

          I don't know how many "files" are encrypted with RSA but I don't think it's many. It would mostly be email that uses RSA because of the public keys.

      • I'm not arguing with you (because I know nothing about this stuff), but if AES 128 isn't suscrptible, why is NIST looking for a new solution?

      • Nothing is vulnerable to quantum computers, and probably never will be. The state of the art in quantum cryptanalysis is factoring the number 21. Not a 21 digit number or even a 21 bit number, but the product of 3 and 7. And that's been the state of the art for the last ten years or so, so no progress is being made.

        It doesn't matter if NIST doesn't standardise PQC for another million years, they've got all the time in the world before quantum computers become any kind of threat to crypto. Some crypto g

        • Nothing is vulnerable to quantum computers, and probably never will be. The state of the art in quantum cryptanalysis is factoring the number 21. Not a 21 digit number or even a 21 bit number, but the product of 3 and 7. And that's been the state of the art for the last ten years or so, so no progress is being made.

          I didn't know that, I thought they were up to 10 or more bits these days but it turns out those results were "cheats". Thanks for posting.

          Ref: https://en.wikipedia.org/wiki/... [wikipedia.org]

  • Like NASA, NIST has fallen behind. Quantum encryption will be better and arrive faster from a private company or research group.
    • by gtall ( 79522 )

      Yep, whacking together quantum algorithms that are provably security is easy. Why, I'll bet you could do a few a day, right? And the first private companies that get out in front on this will be subject to lawsuits if their new whizzies fail.

      • That is all NIST does in the end. They have no staff scientist to come up with new algorithms, they opened up a challenge for anyone in the private sector to submit algorithms, and there are a few strong candidates.

        Now NIST needs to put up a formal peer review of these systems, a process which has already happened to some extent outside of NIST, they also need someone internal at eg NSA (which by definition is unlikely to have the necessary expertise) to review it.

        The delay isnâ(TM)t technical it is pu

  • ...is in making sure that the new algorithms have the hidden weaknesses required by the CIA.
  • by DrLudicrous ( 607375 ) on Sunday July 30, 2023 @07:57AM (#63725290) Homepage
    They only get a billion a year, and are mostly forgotten by Congress and the lay public. Extremely understaffed and heavily reliant on newly minted PhDs to do the grunt work. They donâ(TM)t hire very many people permanently so there is continuous brain drain. You get what you pay for as the taxpayer.
    • Given what they do, where does all that money go?
      • by DrLudicrous ( 607375 ) on Sunday July 30, 2023 @01:04PM (#63725760) Homepage
        They develop, set, and maintain various standards. They perform fundamental research. They produce Nobel Prize winners.
        • by tlhIngan ( 30335 )

          They develop, set, and maintain various standards.

          This is a bigger problem than it seems, because they have to make sure the standard they produce still remains the same despite changing conditions.

          NIST had a huge standards database - many of which you can actually buy. These are called Standard Reference Material and they have to test identically sample to sample. Even when things change. If you want to know the caloric value of say, peanut butter, you can rely on NIST SRM 2387 - which is a standard sampl

    • How do you change that? Would internal status data made public help?

      The solution is not "hand them a billion more dollars".

    • You get what you pay for as the taxpayer.

      We get what we're told to pay for, whether or not we like it.

      It's no mistake that libraries are first on the list to have their budgets cut as "unnecessary" but rogue, questionably constitutional agencies like DEA and BATFE are never put to the screws during the "government shutdown" propaganda/punishment events.

  • by RUs1729 ( 10049396 ) on Sunday July 30, 2023 @08:38AM (#63725352)
    At this point, it has yet to be clear whether it is even possible, from an engineering point of view: the problem of having a sufficiently large number of qubits in superposition for a a sufficiently long time in order to be able to do something useful that can't be done by digital computers just as efficiently remains open - as in not only we do not know how to solve it but, we do not even know whether we can solve it.
    • by gweihir ( 88907 )

      Indeed. I also noted that the last few great announcements glossed over how many effective Qbits are there. (Hint: much, much fewer than the announced numbers.) Now take into account that to break, say, RSA 4096, you need something like 16k effective (!) Qbits that need to stay entangled for a long and complex calculation. We currently have (maybe) 100 effective Qbits that can do short and simple calculations only. And forget about breaking block-ciphers. That is even more complex.

      The whole thing is an arti

      • by HiThere ( 15173 )

        You are underestimating the problem, but the constraints you mention DO exist. Planning either way is a gamble, but for most communications it isn't significant. (Will it matter if your message is decrypted 10 years from now? If it would, is anyone likely to invest the [scarce] resources?)

        There are definitely cases where this is properly a real concern. They are rare.

        • by gweihir ( 88907 )

          I am not underestimating the problem. I am pointing out that the "problem" is a fantasy not grounded in reality. It is a lot of clueless people following a panic-hype, nothing else.

  • Quantum Computing, Blockchain, Crypto, AI, LLVM, now give me VC cash pronto.

    That's the entire value of these buzzwords -- to let fools part with their gold.

    Quantum Computing doesn't exist, but don't fret, because one day it will. Until then we have quantum annealing, which is not the same, and not much better than classical annealing. https://www.pnas.org/doi/10.10... [pnas.org].

    Still ONE DAY maybe quantum [crap spew] and then we can "break all encryption." However, anything encrypted with PFS won't be able to be de

  • More like centuries away and it is still unclear whether possible at all. Wake me when QCs can at least beat my 40 year old programmable pocket calculator. I do not think that will happen in the next few decades though. I have no idea who profits of this inane fear-mongering, but somebody with a lot of power clearly does.

    • by HiThere ( 15173 )

      The time estimate is purely speculative. It could be impossible. Someone could come up with a (relatively) simple way to make it work tomorrow. It's probably somewhere in between those extremes. My guess is that effective quantum computers are a decade away, and they will be expensive enough that only governments and a few large corporations will own them. But It's a guess.

      Sometimes it's important to be prepared against low-probability events, and an effective quantum computer within 7 years is somethi

  • by Anonymous Coward

    Thankfully OpenSSH 9.0 [openssh.com] implements quantum-safe encryption in the form of hybrid Streamlined NTRU Prime + x25519 key exchange.

    "Hybrid" means NTRU [wikipedia.org] and X25519 ECDH are used together for key exchange, so if a vulnerability in NTRU is later found, the combination can be no weaker than the previous X25519 ECDH default.

    As of OpenSSH 9.3, the default key exchange algorithms are, in order:
    sntrup761x25519-sha512@openssh.com,
    curve25519-sha256, curve25519-sha256

    • It looks like that was already available in openssh 8.6. On macOS 12.6.8:

      $ /usr/bin/ssh -V
      OpenSSH_8.6p1, LibreSSL 3.3.6

      $ /usr/bin/ssh -Q kex
      diffie-hellman-group1-sha1
      diffie-hellman-group14-sha1
      diffie-hellman-group14-sha256
      diffie-hellman-group16-sha512
      diffie-hellman-group18-sha512
      diffie-hellman-group-exchange-sha1
      diffie-hellman-group-exchange-sha256
      ecdh-sha2-nistp256
      ecdh-sha2-nistp384
      ecdh-sha2-nistp521
      curve25519-sha256
      curve25519-sha256@libssh.org
      sntrup761x25519-sha512@openssh.com

  • Quantum is a toy. It can barely factor 121 in less than a week. The posts with large number factorizations (or even 143) are special cases that use classical computing to get started, or use tricks that work for particular numbers, but do not work with all numbers.

    NIST will verify the algorithms work, without simple traps to get around them. It should take years to prove them out through mathematicians and cryptographers.

  • That used to be a silly question, but after the whole debacle where the NSA convinced NIST to put their seal of approval on a deliberately crippled random number generator designed to weaken both encryption and signatures, I'm not so sure. I have yet to see any evidence that it will never happen again.

    Add in that NIST pushed an elliptic curve algo that requires strong random numbers over one that doesn't need random numbers at all.

  • This article has the feel of someone working on the assumption that if he doesn't understand why it's hard it must be easy; which rarely goes well when dealing with fiddly specialty requirements.

    He says that "The FIPS 140-3 standard did not change encryption algorithms or key size. What did change in FIPS 140-3 is that the standard now evaluates security requirements at all stages of cryptographic module creation, including design, implementation and final operational deployment. FIPS 140-3 also requires
  • Alien Wizbot got my funds recovered back to my bank account after chatting with them for a week, i manage to finish my recovery process and requirement, my scammed funds got verified and i received it on my bank account which i requested only 30% of it to be sent to my Crypto wallet address of which they did, i was so shocked to be question by the bank when i got my recovered funds back. i thought they were going to be happy with me instead this same people who i have cried to all day and night and yet noth

Is knowledge knowable? If not, how do we know that?

Working...