Microsoft Adds Post-Quantum Cryptography To an OpenVPN Fork

An anonymous reader writes: Microsoft recently published an interesting open source project called "PQCrypto-VPN" that implements post-quantum cryptography (PQC) within OpenVPN. Being developed by the Microsoft Research Security and Cryptography group, as part of their research into post-quantum cryptography, this fork is being used to test PQC algorithms and their performance and functionality when used with VPNs.

Microsoft's PQCrypto-VPN is published on Github and allows anyone to build an OpenVPN implementation that can encrypt communications using three different post-quantum cryptography protocols, with more coming as they are developed. These protocols are: (1) Frodo: a key exchange protocol based on the learning with errors problem (2) SIKE: a key exchange protocol based on Supersingular Isogeny Diffie-Hellman and (3) Picnic: a signature algorithm using symmetric-key primitives and non-interactive zero-knowledge proofs.

Picnic is already broken.

[CajunArson]

Picnic might be secure from quantum computers.

But its basket structures are clearly vulnerable to bear based attacks where the attacker is mathematically proven to be smarter than average.

Re:Picnic is already broken.

[Roger W Moore]

But its basket structures are clearly vulnerable to bear based attacks where the attacker is mathematically proven to be smarter than average.

That's definitely a major boo-boo.

Re:

[PoopMonkey]

How do honeypots factor into this?

Re:

[PolygamousRanchKid]

Microsoft? Security? Something doesn't seem quite right.

For me, security and Microsoft is not the issue. It's trust and Microsoft.

As in, "I trust Microsoft, as far as I can throw them."

Re:

[NicknameUnavailable]

Yeah, I fully expect them to implement a secure VPN. I don't trust them not to have backdoors (actual, rotating security holes, or otherwise) at each endpoint. They want access to your data, they have a vested interest in assuring others don't get it without going through them.

Re:

[AlanBDee]

Well, you can download the source code and examine it for back doors. I know not many will do this but it would be a huge breach of trust by Microsoft if anyone found anything like a back door. Because of this I believe it's far more likely that they created this tool to appease international customers and released it as an open source project to prove it.

Re:Wait!

[PolygamousRanchKid]

Well, you can download the source code and examine it for back doors.

Well, google on "ken thompson compiler backdoor" :-)

You can put some source code in that looks innocuous, but the compiler adds a backdoor when it sees that code:

In 1984 KenThompson was presented with the ACM TuringAward. Ken's acceptance speech Reflections On Trusting Trust (http://cm.bell-labs.com/who/ken/trust.html) describes a hack (in every sense), the most subversive ever perpetrated, nothing less than the root password of all evil.

Ken describes how he injected a virus into a compiler. Not only did his compiler know it was compiling the login function and inject a backdoor, but it also knew when it was compiling itself and injected the backdoor generator into the compiler it was creating. The source code for the compiler thereafter contains no evidence of either virus.

Re: Wait!

[Zero__Kelvin]

What are you going on about? Microsoft doesn't provide the compiler unless you decide to use theirs. No self respecting security expert would use Microsoft's compiler to build secure code. It's gcc or llvm, which are also open source.

Combine with underhanded C:

[Anonymous Coward]

It doesn’t even have to be visible in the original source code.

There was a whole contest, revolving around getting backdoors in under the radar: The Underhanded C Contest (The official perfectly innocent web page for law-abiding good guys) [underhanded-c.org]

And you can bet this is serious business for any spying agency on the planet. (Would you ignore it, if you were a spying agency?)

Re:

[NicknameUnavailable]

Firstly, I said rotating security holes or otherwise (e.g. "bugs" which get patched regularly with new bugs added in their place.) Secondly, I said endpoints - as in Windows 10 itself is spyware, they aren't so much interested in breaking the VPN if they have the endpoint.

Re: Wait!

[Zero__Kelvin]

You don't seem to understand how git works or any SCM tool works. It is trivially easy to see what has changed and look closely at those changes. So no they won't be "rotating" intentional flaws.

Re:

[NicknameUnavailable]

You mean they won't do what they've done with every windows product since 95: release monthly patches for known security holes, thereby effectively creating a rotating backdoor only they have access to in a steady state manner due to obfuscation of what "bugs" exist at a given time? That's quite the prediction you've made there, contrasting to several decades of known practice by Microsoft.

Re:

[NicknameUnavailable]

Also, on a separate note, it's not trivial to rewrite git history but you can Google can the commands for it easily (but perhaps re-read what I've written because I wasn't suggesting anything along those particular lines.) I actually do that when I pushed to GitHub to turn all commits into organizational level bot authors and remove internal email addresses from the list of committers.

Re:

[Skuld-Chan]

Hur hur - Micro$haft am I right?

Re:

[Gr8Apes]

Not so. The properties of quantum computers are well understood; you can learn about them on an undergrad CS course. It's the engineering that's a problem.

The properties of something we are still investigating and have no samples of are well understood?

Re: Wait!

[Zero__Kelvin]

If my trust in Microsoft could be quantified it would be a large negative number. I trust the code however as it is available on github and I have zero doubt it will be reviewed by experts more qualified than anyone who works at Microsoft. Microsoft knows this as well and even they aren't so stupid as to chance getting caught trying anything unscrupulous in this case.

Re:

[Gr8Apes]

If my trust in Microsoft could be quantified it would be a large negative number.

It exceeds the lower bounds of a long?

I'm 99% sure they will try to slide something into the source. Who says all code submitted was written by MS employees?

Re:

[shubus]

Yah, it sure doesn't sound right. I doubt Microsoft would release code like this unless they've already figured out a backdoor even if it's not obvious in the source code.

Re:

[AHuxley]

https://www.theguardian.com/wo... [theguardian.com] (12 Jul 2013)
Recall "... newsletter entry stated that NSA already had pre-encryption access to Outlook email"

MS likes to help with tricky new crypto. Help the NSA.

GitHub...

[Aethedor]

GitHub... sounds familiar. Can't remember what it was...

Re:A HARD problem.

[BitterOak]

So where's the quantum hardware to making this all work?

I was confused by this point too, till I did some reading. "Post-quantum cryptography" is NOT the same thing as "Quantum cryptography". The former merely refers to cryptographic algorithms for which there are no known algorithms for quantum computers which can break them. So, RSA would not be considered post-quantum, because Shore's algorithm can break it.

Re:A HARD problem.

[swillden]

So where's the quantum hardware to making this all work?

I was confused by this point too, till I did some reading. "Post-quantum cryptography" is NOT the same thing as "Quantum cryptography". The former merely refers to cryptographic algorithms for which there are no known algorithms for quantum computers which can break them. So, RSA would not be considered post-quantum, because Shore's algorithm can break it.

All of our current asymmetric algorithms are vulnerable to Shor's (note spelling) algorithm, assuming a sufficiently-large quantum computer. Grover's algorithm can solve any problem that requires searching a solution space of size N in sqrt(N) time. The first means we need new asymmetric algorithms (public/private key algorithms, like RSA and ECC) that are quantum resistant. The second means that our symmetric algorithms and hashes (like AES and SHA-256) have effectively half the bits of security that we thought, so we may need to reach for larger sizes.

Note that at this point all of these issues are theoretical, because no quantum computers large enough to make these attacks practical exist. With respect to Grover's algorithm, the quantum computers not only have to be sufficiently large, they also have to be quite fast because, for example, finding an AES-128 key will require 2^64 operations which is still a lot. However, it seems unwise to assume that we will never have sufficiently large/fast quantum computers and that these attacks will always remain impractical. Cryptographers like to say "attacks always get better", because they almost always do. If you see a vulnerability that might become practial in two or three decades, then you should start thinking about how to address it now, because the attacks may improve more than you expect, faster than you expect, and changing cryptosystems is going to take at least one of those decades.

We have no real way of predicting how fast progress in quantum computing will move, so we should experiment with post-quantum algorithms now, and begin trying to move to them seriously in the near future.

Re:

[Anonymous Coward]

You're making too many assumptions. We don't know whether a sufficiently capable quantum computer exists, However, given the NSA's estimated yearly budget, their previous track record, and the estimated number of their employees, it's not unlikely that they could be far ahead of civilian quantum computer development, for example. Other intelligence agencies may have comparable resources. If the history of cryptography has told us anything, then certainly that adversaries with the budget and resources have o

Shame nobody on /. will be using it.....

[Computershack]

Given that its hosted on Github which since Microsoft bought most of /. say they won't use, then I guess there won't be that many people trying it....

Trust

[manu0601]

We need a lot of independent researchers opinion on that.

Everyone remember Dual EC DRBG [wikipedia.org]?

post quantum crypto!

[iggymanz]

what a stupid pandering meaningless sound-bite.

it is not known that any current crypto is unbreakable by quantum computing.

Re:

[micahraleigh]

That's like saying first a tidal wave has to crash into the power plant to demonstrate it is defeatable.

Source supposedly in other repo

[Mathinker]

The source is supposedly in a different repo: https://github.com/Microsoft/o... [github.com]

See: https://github.com/Microsoft/P... [github.com]

OTOH, by not reading the repo README, you are supporting a long /. tradition, bravo!