Australia Moves To Drop Some Cryptography By 2030 (theregister.com)
An anonymous reader shares a report: Australia's chief cyber security agency has decided local orgs should stop using the tech that forms the current cryptographic foundation of the internet by the year 2030 -- years before other nations plan to do so -- over fears that advances in quantum computing could render it insecure.
The Land Down Under's plans emerged last week when the Australian Signals Directorate (ASD) published guidance for High Assurance Cryptographic Equipment (HACE) -- devices that send and/or receive sensitive information -- that calls for disallowing the cryptographic algorithms SHA-256, RSA, ECDSA and ECDH, among others, by the end of this decade.
Bill Buchanan, professor in the School of Computing at Edinburgh Napier University, wrote a blog post in which he expressed shock that the ASD aims to move so quickly. "Basically, these four methods are used for virtually every web connection that we create, and where ECDH is used for the key exchange, ECDSA or RSA is used to authenticate the remote server, and SHA-256 is used for the integrity of the data sent," he wrote. "The removal of SHA-256 definitely goes against current recommendations."
Re: (Score:2)
Oh. That's a lot of money. Maybe I won't crack ALL of you. Just
are there alternatives that will actually work? (Score:2)
I'm all for replacing these 4 with more resistant algorithms... but are there any that are viable?
When we started swapping out for Ellipticals... we ran into a host of issues with implementations and hardware performance issues.
Haven't heard much in terms of vendor support at the security appliance vendor side, or the cert providers side for anything we can migrate to without breaking things. Will need to caveat that with me not spending days looking into it. Just from cursory research for client lifecycle
Re: (Score:2)
I think they're trying to push vendors to support the preferred options (ML-KEM for key establishment, ML-DSA and SLH-DSA for digital signature algorithms). NIST IR 8547 [nist.gov] (still in draft) calls for the same algorithms but with a target date of 2035. OpenSSL is starting to implement these in their mainstream code (Github ticket for ML-KEM-2014 and ML-KEM-512 implementation [github.com]), but it will likely be a while until they're production ready. They've been experimenting with them in the open-quantum-safe project for
Re: (Score:2)
They really should use quantum-resistant algorithms alongside a traditional algorithm for now so that you have to crack both. Quantum algorithms are very new compared to our old favorites. One of the NIST finalists for quantum-resistant crypto was cracked using classical computing near the end of the standardization process, highlighting the danger of relying on these alone.
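The "crack both" property the comment above describes comes from feeding both shared secrets into one key derivation, which is how the TLS 1.3 hybrid key-exchange drafts combine X25519/ECDH with ML-KEM. The following is an added illustration, not code from the article or from any of the commenters: it implements RFC 5869 HKDF over stdlib HMAC-SHA-256 and derives a session key from two constructed sample secrets (the salt label, the sample secrets and the transcript bytes are assumptions made up for the demo).

```python
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 extract step: PRK = HMAC-Hash(salt, IKM)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 expand step: T(i) = HMAC-Hash(PRK, T(i-1) || info || i)
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hybrid_session_key(ecdh_ss: bytes, mlkem_ss: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive one session key from a classical and a post-quantum shared secret.

    Both secrets are concatenated into the KDF input, so an attacker who has
    broken only one scheme (e.g. ECDH with a quantum computer, or a PQ scheme
    that later falls to a classical attack) still cannot compute the key.
    """
    ikm = ecdh_ss + mlkem_ss                       # concatenation, as in the TLS hybrid drafts
    prk = hkdf_extract(b"hybrid-kex-demo-salt", ikm)   # assumption: fixed demo label as salt
    info = b"session key" + HASH(transcript).digest()  # bind the key to the handshake transcript
    return hkdf_expand(prk, info, length)


# Constructed sample inputs (in a real handshake these come from X25519/ECDH
# and ML-KEM decapsulation; here they are fixed bytes so the demo is repeatable).
ECDH_SS = bytes(range(32))
MLKEM_SS = bytes(range(100, 132))
TRANSCRIPT = b"ClientHello||ServerHello (constructed)"


def key_needs_both_secrets() -> bool:
    """True if replacing either input secret with zeros yields a different key."""
    real = hybrid_session_key(ECDH_SS, MLKEM_SS, TRANSCRIPT)
    ecdh_only = hybrid_session_key(ECDH_SS, bytes(32), TRANSCRIPT)   # attacker lacks ML-KEM secret
    pq_only = hybrid_session_key(bytes(32), MLKEM_SS, TRANSCRIPT)    # attacker lacks ECDH secret
    return real != ecdh_only and real != pq_only


if __name__ == "__main__":
    print(hybrid_session_key(ECDH_SS, MLKEM_SS, TRANSCRIPT).hex())
    print("both secrets required:", key_needs_both_secrets())
```

The HKDF functions are checked against RFC 5869 test case 1 in the accompanying test, so the combiner rests on a verified primitive.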
Bitcoin and post-quantum algorithms (Score:1)
The summary of this article would have benefitted from the mention that the algorithms mentioned are going to be replaced with post-quantum algorithms. Also, it's worth mentioning, as many governments move away from factorization and discrete-log methods of cryptography to, say, lattice and other methods of post-quantum cryptography, Bitcoin isn't.
One reason that I suspect Bitcoin isn't is because post-quantum algorithm byte lengths are long, most are greater than 700. In comparison, BLS signatures, which E
Experts disagree (Score:2)
Quoting a recent "EMVCo Position Statement, Quantum Computing and EMV® Chip Cryptography"
> The most optimistic projections suggest that the earliest date that a cryptographically significant quantum computer could be built would be around 2040.
Source: an expert report commissioned by EMVCo, dated 2024/03/08, marked published 2024/09, online since 2024/12/17 at https://www.emvco.com/resource... [emvco.com] (requires click-thru approval of license terms). I second their opinion.
OMG (Score:2)
Australia wants to replace all the cryptography algorithms on the secret systems they use to transmit highly classified data! But the web depends on these algorithms!
Fortunately, the web is not a secret Australian high security transmission system.
It is interesting they want to replace SHA-256, but maybe they're just replacing it with SHA-512. Doubling key lengths IS a current recommendation.
Re: (Score:2)
Yeah, it was an interesting choice to include SHA-256 - since that's not thought to be particularly susceptible to quantum attack. But probably the actual review was broader, and (as you pointed out) the reviewers figured "if we're already looking at encryption standards because of quantum attack concerns, we might as well also mandate a move to SHA-512 since that has to happen eventually regardless".
Re: (Score:2)
Most of the recommendations regard SHA (and AES) as "quantum resistant" which means that quantum computers could theoretically speed up cracking them, but not enough to "break" them. So to be safe the recommendation is to increase your key length, which restores your safety to many lifetimes of the universe instead of just a few.
IIRC the quantum attack against hashing and symmetric encryption is search via Grover's algorithm, which optimistically gives you a quadratic speedup, rather than the exponential spe
Most of you have the problem wrong (Score:3)
Re: (Score:2)
Only if you use short-ass keys for the DH. One reason to _not_ use ECDH, but DH is usually fine.
Also, no relation to SHA-256.
x509 certs are already insecure - attack vector (Score:2)
Re: (Score:2)
That really is not a problem of x.509. Limit cert structure or fix your ASN.1 parser.
Do not let politicians make tech decisions (Score:2)
Or inane, insane crap like this is the result. Yes, DSA (EC or not) is a pretty bad algorithm, but there is nothing wrong with the others and that is not going to change anytime soon.