Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say (theregister.co.uk)
physburn writes: The Register has spoken to some experts to get a better understanding of the risk quantum computers present to the existing encryption systems we have today. Richard Evers, cryptographer for a Canadian security biz called Kryptera, argues that media coverage and corporate pronouncements about quantum computing have left people with the impression that current encryption algorithms will soon become obsolete. But they will not be ready for at least 10 years, he said. As an example, Evers points to remarks made by Arvind Krishna, director of IBM research, at The Churchill Club in San Francisco last May, that those interested in protecting data for at least ten years "should probably seriously consider whether they should start moving to alternate encryption techniques now." In a post Evers penned recently with his business partner Alastair Sweeny, he contends, "The hard truth is that widespread beliefs about security and encryption may prove to be based on fantasy rather than fact." And the reason for this, he suggests, is the desire for funding and fame.
10? (Score:1)
Re: (Score:3)
10 years? Where have I heard that before? Oh, right, AI in the 1960s.
Seriously though, if your security is immediately breached when someone breaks your encryption, you should rethink your security. Security is about depth - how many layers an adversary must breach before he gains access to your valuables. If you only have one layer between you and your adversary, your valuables are not very secure.
I'm thinking of you, blockchain.
Re: (Score:2, Insightful)
Ah. Spoken like a true armchair security warrior. I love the sweeping declarations. If your security is breached when someone can open all your locks then you should rethink your security.
Here are a few points to consider for you:
1) My electronic security isn't all (or even necessarily mostly) in my hands any more. It's in the hands of banks, government agencies, and (not me bu
Re:10? (Score:4, Interesting)
AES is currently broken in a cryptographic sense
That cries out for a citation much as a man lost in the desert for a week cries out for water. As far as I know, the very best known attacks of AES256 reduce it to an effective 253 bits. That is FAR from broken in any sense.
To say it's broken is like saying you can break a 2x4 with your bare hands as long as it came from a diseased tree and you saw 90% of the way through it first.
Re: (Score:1)
That cries out for a citation much as a man lost in the desert for a week cries out for water.
Other people might not appreciate the hyperbole but I do. Well done.
As far as I know, the very best known attacks of AES256 reduce it to an effective 253 bits. That is FAR from broken in any sense.
No, this is precisely what broken means. In a cryptographic sense (which I was careful to mention as being what I meant) broken is any attack which renders a result in less than brute-force time. AES's break is significant because it's not a reduced-round version that is vulnerable. It's the full version. Rijndael's primary competitor in the AES competition was Serpent. Serpent's design philosophy was safety. Their design str
Re: (Score:2)
Actually broken means it is possible to come up with the key in a practical timeframe. Weakness is highly variable and somewhat subjective. In this case, the weakening doesn't look like it will make more progress and notably, it cannot actually be used since even for a 128 bit key you have to store 9 petabytes of data to use the technique (and anyone serious about security is using 256 bits).
All that and you still have to use enough guesses that your grandchildren will be dead before you get the key.
It's a
Re: (Score:2)
Nice ad-hominem you got going there. Let me offer a point for you to consider.
I've left my front door open before. Forget locked, I've left the door wide open intending to go back inside, changed my mind in the 20 feet to the car and driven off forgetting the door was wide open.
My security was not breached.
I live in a neighborhood with watchful neighbors and a healthy police presence. Strangers poking around are noticed, reported, stopped. I could leave my door unlocked every day and it's unlikely I'd be bu
Hardware, not software, prediction (Score:2)
10 years? Where have I heard that before? Oh, right, AI in the 1960s.
AI is all based on the ability of software, which is why predictions of reaching a specific point (which itself wasn't all that specific anyway, very nebulous) can and will be wildly inaccurate.
When talking about quantum computing though, you aren't talking about anything nebulous or so hard to predict progress of. Generally predictions around when hardware will be developed by have been pretty accurate (if not underestimated).
Re: (Score:3)
Technology projection:
1 year: The technology works, we are just trying to find a vendor to sell it.
5 years: We have a proof of concept working, however we don't know how to mass produce it.
10 years: We have a theory that a proof of concept should work, trending shows it is possible a goal.
20 years: We have no idea, but it seems possible
100+ years: Impossible and have no idea on where to start. But it sounds nice.
Re: (Score:2)
"10 years" is the time where most people making predictions hope that nobody will remember what they predicted. Here, it is obvious complete nonsense, but only experts can see that. All the others, including a large group of self-proclaimed experts that in reality do not know what they are talking about, are just going with the demented hype.
Re: (Score:3, Insightful)
I've been led to thinking that it will never be feasible. We don't know yet, but there are good reasons to think it might not pan out - for breaking crypto.
E.G. The energy required to cool a volume of space for an n-qbit machine to temps that will maintain entanglement between the qbits will scale with 2^n. So you spend just as much energy doing it in parallel on a quantum computer as you would in a classical computer serially. This isn't known to be true, but try plotting the size of fridge against n for e
Re: (Score:2)
I've been led to thinking that it will never be feasible. We don't know yet, but there are good reasons to think it might not pan out - for breaking crypto.
E.G. The energy required to cool a volume of space for an n-qbit machine to temps that will maintain entanglement between the qbits will scale with 2^n. So you spend just as much energy doing it in parallel on a quantum computer as you would in a classical computer serially. This isn't known to be true, but try plotting the size of fridge against n for existing quantum computers and see what the curve looks like.
Also: Increasing key size is very easy. If quantum computers look like they're getting close we can simply double the key size.
The reality is that only old messages will be decrypted and those messages are already out there so there's nothing you can do about that anyway.
Re: (Score:2)
Key size doesn't help with public key crypto. Shor's attack is a logarithmic speed up. Key size helps with the Grover attack for symmetric crypto since it's a square root speed up, but that wasn't the topic of TFA.
Re:10? (Score:5, Informative)
Sure, do you remember when DES was going to take the lifetime of the Universe to crack, then some egg-heads had custom ASICS fabbed and built Deep Crack (EFF DES Cracker) [wikipedia.org], which could break DES in a day?
No, I don't remember that, for two reasons, the most important being that nobody sane ever made such an idiotic claim. In fact the wikipedia page linked by yourself (that you obviously didn't read) contains this: "One of the major criticisms of DES, when proposed in 1975, was that the key size was too short. Martin Hellman and Whitfield Diffie of Stanford University estimated that a machine fast enough to test that many keys in a day would have cost about $20 million in 1976, an affordable sum to national intelligence agencies such as the US National Security Agency".
So not only didn't anybody make your ludicrous claim but people at the time said it was too easy to crack and estimated that one could realistically build a DES cracker.
Level of un-crackability (Score:2)
No, there are fundamentally different levels.
Old encryption standard, be it the venerable Enigma or more recently DES, were considered "hard to crack" because the key-space couldn't realistically be searched with the hardware available at the time.
But lo and behold:
- Computer technology emerged, making the Enigma search-space manageable (well that, and a few shortcomings of the Enigma algorithms, making it easier to crack thanks to clever tricks).
- As mentioned above, DES couldn't be realisti
Again types of unbreakable. (Score:2)
Funny, it seems like we are always being told that we are given encryption tools that are unbreakable, only in hindsight to find out that they were nowhere near as secure as advertised.
Maybe the long post wasn't clear enough.
I'm not saying that the algorithms are guaranteed 100% unbreakable for ever.
I'm just saying that the reasons for unbreakability have changed drastically over time.
- Old algorithms were unbreakable because to break them requires additional computing power. It wasn't available at the time. But with time (and Moore's law) a big enough computer is guaranteed to emerge, eventually.
They were (in a way) *guaranteed* to be breakable one day in the future. Just a matter of (compu
Re: (Score:1)
That DES by itself was too weak to withstand a state-funded attack was well known in the 90s, I was not exactly part of the cryptography in-crowd in those days, but I knew that much. I remember discussing the key length issue in a crypto discussion in college in 1985 or so, after a presentation about DES. No hindsight needed.
If by "extremely limited" you mean tens of thousands of people I agree, but it was not exactly a secret. The big issue was that this was before there was "the web" so accessing informat
Re: (Score:2)
Sure, do you remember when DES was going to take the lifetime of the Universe to crack,
Nope. The precise limitations of DES key size (56 bits) were known from day one, nobody ever thought it would take that long to crack.
Math. It works.
Re: (Score:2)
Math. It works.
Like basically all things based on rational thought, it is not accessible to most people though.
Re: (Score:3)
If there ever was an encryption algorithm whose creators were realistic about how it would be attacked and the real threat posed, it was DES.
They knew that 56 bits was "right" for the algorithm. That's why you see triple-DES, but not quadruple-DES. It only works well under very specific circumstances and the creators knew those circumstances well. They also knew enough to harden it against differential cryptanalysis, before differential cryptanalysis was publicly discussed.
Re: (Score:3)
Not only is the ability likely more than 10 years out, once it arrives it will be fantastically expensive, and fiddly as hell to keep the things running. You would have to be a very high value target (billions of dollars) to even be worth hacking for a while.
Re: (Score:3)
I agree. The number of entangled qbits has been scaling atrociously badly over the last few decades. A linear increase in qbits may well come with an exponential increase in effort and we may never reach even 100 of them. Also, the computations done with entangled qbits do not yet conclusively prove that quantum computing is really possible. The complexity of the computations done so far is so low that this could still be some other effect. Sure, the theory says it works, but remember that basically every phy
Re: (Score:2)
That sounds optimistic
The latest issue of IEEE Spectrum has an article from a quantum computing expert who opines that true quantum computing for any serious task will never happen. It's an argument based on how many qubits are required to create a computing element and how precise the measurements of the wave functions have to be. That's paraphrasing it, but that's the idea.
I tried finding an online link to it but can't.
I disagree (Score:2)
Re: (Score:1)
"I don't think the military/intelligence agencies are ahead tech wise" I would re-think this erroneous and quite frankly stupid statement. Every government organization even peripherally connected with developing military or security related technology are what drives advances in technology. From times of war where budgets and cost factors are supplanted with only one goal which is to survive. To the trillions of dollars spent creating our modern technology base.
Re: (Score:2)
Since it is more like > 100 years for publicly available, and may well be "never", nobody has anything here. Also, if any such machine were used, there would be indications. There are none. In fact, the demented push against encryption is repeated again and again, rather strongly indicating that nobody can get into good encryption.
Also remember that even a perfect QC cannot break something like AES-256 in this universe. It would still require 2^128 or so computations and that is just not feasible, no matt
Re:10 Years == nonexistent security margin (Score:4, Interesting)
10 years to break today's encryption. We have more modern ciphers that will become used in the next few years that are resistant to the current theoretical models of quantum-computing based attacks.
Also, quantum computing still has trouble scaling with larger keys; I assume that we'll see the next 10 years require 4096 or 8192 bit keys as scalable rental CPU and GPU becomes more powerful.
And people really have to stop planning to have the same security model for the next 10 years in the future. Upgrades and long term support are becoming a necessity.
Re: (Score:2)
10 years is also not a time where we will see any significant advances in Quantum Computing. Maybe in 100 years, maybe never. Remember that we have been at this for like 50 years now and there is _still_ no viable computing hardware. All other alternate computing approaches have gone to the trash-heap of tech history long before that. But because many people associate "quantum" with "magic", this is still going, despite no practical results.
The experts say... (Score:4, Insightful)
The "experts" say "not possible for 10 years".
This means it will likely happen in the next 18 months.
Re: (Score:1)
The "experts" say "not possible for 10 years".
This means it will likely happen in the next 18 months.
Well, either that, or every ten years the experts will say "ten more years."
Re: (Score:3)
Apply the NSA rule (Score:3)
The "experts" say "not possible for 10 years".
There's also the aspect of, the NSA is about 10 years ahead in relation to crypto and computing related technologies so...
Nothing to worry about! Move along!
Re: (Score:2)
Just as we have fusion reactors in our cars and intelligent computers.
Re: (Score:2)
That is our "flying" cars, of course!
Completely agree, the whole thing is BS. There is no threat to encryption from QCs at this time. Maybe when they can break DES or factor arbitrary 512 bit numbers, we need to think about it, but that looks unlikely to happen in the next 50 years, if the last 50 years are any indication.
Yet to see a demo of useful quantum computing (Score:1)
When will we see a traditional computer and quantum computer side by side, showing the quantum computer actually performing the same computation a million, or maybe just a thousand, or perhaps just ten times faster than the traditional computer?
Let me know when, because before then it's nothing but quantum schmantum pipe-dreaming and weird research projects.
Depends on relevant lifetime of messages (Score:2, Interesting)
Whether or not people should be switching to encryption methods today that will be resistant to decrypting by quantum computers in the future depends on the expected relevance of those messages in the future. If you assume that no message sent today will be relevant 10 years from now, then there is no hurry to update encryption methods. On the other hand, if you need to ensure that an encrypted message sent today or in the near future remains unreadable 10 years from now, then maybe you should be researc
Re: Depends on relevant lifetime of messages (Score:2)
Right. Another way of saying "it won't be broken for at least 10 years" would be "it could be broken in as soon as 10 years!" -- which, for the purposes of at least some organizations, is a "ZOMG THE SKY IS FALLING WE'RE SCREWED AAAAAAAH!!1!" scenario.
Smoke and Mirrors because RSA = broken already (Score:1)
Quantum computers work by solving the "hard" problem of prime factorization.
Essentially an RSA key is the product of 2 randomly selected prime numbers. One is chosen by Alice and one is chosen by Bob at which point they exchange their halves, then they multiply to construct the key. Since the key is never transmitted, only the halves, the theory is that anyone attempting to decrypt their communications needs to guess the two halves of the whole key.
So all of RSA is based on this idea that it is very hard
Re: (Score:1)
You really don't know how the numbers used in RSA are generated. I suggest becoming educated on the subject, and cryptography in general, so you don't sound like /.'s mental case who preaches local file based machine name lookups as security but with crypto instead. You are advocating switching from prime factorization based to elliptical curve based public key crypto which is really dumb when talking about quantum computers. Elliptical curve crypto is even easier to break with Shor's Algorithm than regular
Re: (Score:2)
RSA is not broken. Stop pushing lies.
Re: (Score:2)
there are a limited number of prime numbers currently known, roughly 2 billion
Totally wrong.
Look at just the approximate number of 2048-bit primes which is in the range [2^2047 ... 2^2048-1].
Approximate number of primes less than x is x/ln(x)
So, we have (2^2048-1)/ln(2^2048-1) - (2^2047-1)/ln(2^2047-1)
Which is ~ 1.14 x 10^613; a truly monstrous number.
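The estimate above can be checked in code. As an added example (not from the thread; function names are assumptions), this computes the prime number theorem approximation x/ln(x) with Python's Decimal so the 10^616-scale values do not overflow, compares it against an exact sieve count at small bit sizes to show how close the approximation is, and then reproduces the 2048-bit figure of roughly 1.14 x 10^613.

```python
from decimal import Decimal, getcontext

# 50 significant digits is plenty; Decimal handles exponents like 10^616 without overflow.
getcontext().prec = 50


def sieve_primes(limit):
    """Exact list of primes below `limit` (sieve of Eratosthenes), for checking at small sizes."""
    flags = bytearray([1]) * limit
    flags[0:2] = b"\x00\x00"
    for i in range(2, int(limit ** 0.5) + 1):
        if flags[i]:
            flags[i * i::i] = bytes(len(range(i * i, limit, i)))
    return [i for i, f in enumerate(flags) if f]


def pi_estimate(x):
    """Prime number theorem approximation pi(x) ~ x / ln(x), returned as a Decimal."""
    x = Decimal(x)
    return x / x.ln()


def exact_primes_with_bits(bits):
    """Exact count of primes in [2^(bits-1), 2^bits - 1]; only feasible for small `bits`."""
    lo, hi = 1 << (bits - 1), 1 << bits
    return sum(1 for p in sieve_primes(hi) if p >= lo)


def estimated_primes_with_bits(bits):
    """Estimated count of `bits`-bit primes, pi(2^bits - 1) - pi(2^(bits-1) - 1), as in the comment."""
    hi, lo = (1 << bits) - 1, (1 << (bits - 1)) - 1
    return pi_estimate(hi) - pi_estimate(lo)


def decimal_digits(d):
    """Number of digits before the decimal point of a positive Decimal (1.14e613 -> 614)."""
    return d.adjusted() + 1


if __name__ == "__main__":
    # Small sizes: x/ln(x) slightly undercounts, but is within about 10% at 16 and 20 bits.
    for bits in (16, 20):
        exact, est = exact_primes_with_bits(bits), estimated_primes_with_bits(bits)
        print(f"{bits}-bit primes: exact {exact}, estimate {est:.0f}, ratio {est / exact:.3f}")
    # The 2048-bit case from the comment above.
    est = estimated_primes_with_bits(2048)
    print(f"2048-bit primes: ~{est:.3E} ({decimal_digits(est)} digits)")
```

The sieve is only there to show the estimate is trustworthy where it can be checked; at 2048 bits no exact count is possible, and the approximation alone gives a number with 614 digits, which is the point the comment makes against the "2 billion primes" claim.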
How long do you want that document to be secure? (Score:2)
So if you encrypt something today, do you care if it's secret 10 years from now? Depending on what you're encrypting, yes you do.
If your opposition is nation-states, they're probably collecting things that are interesting now, for decryption later when they have the ability, so ya, you probably care now.
I've had multiple professional conversations about "post-quantum cryptography" in the last 2 years because of exactly this. Today's emails are eviden
Re:How long do you want that document to be secure (Score:4, Interesting)
Randy
"Using today's technology," Avi shot back, "that is true. But what about quantum computers? And what if new mathematical techniques are developed that can simplify the factoring of large prime numbers?"
"How long do you want these messages to remain secret?" Randy asked, in his last message before leaving San Francisco. "Five years? Ten years? Twenty-five years?"
After he got to the hotel this afternoon, Randy decrypted and read Avi's answer. It is still hanging in front of his eyes, like the after image of a strobe:
I want them to remain secret for as long as men are capable of evil.
Re: (Score:2)
The only reason we use public key encryption is because it's a lot easier than meeting up in person to exchange a
Re: How long do you want that document to be secur (Score:2)
Please turn off "smart" quotes in your keyboard settings.
In other news (Score:2)
Burglar just released from prison says he is not ready to break into houses for at least a few years. "If anyone sees a break in," he offers, "It wasn't me. No sir."
10 years to read our traffic (Score:2)
On the assumption they think it will take 10 years to crack existing crypto before there is a need to migrate to post-quantum algorithms, leads me to think they already have it or will very soon.
I attended the RSA Data Security Conference in, I think it was 1993, when Diffie talked about cracking DES with dedicated hardware in a matter of hours. That same year, 512 bit RSA was cracked as one of the RSA Challenges.
Y2Q! plus 10 (Score:1)
We've been told that once quantum computers reached quantum supremacy they would be able to break current encryption also known as Y2Q. Now you're saying it will be another 10 years? I don't buy it.
https://en.wikipedia.org/wiki/Quantum_supremacy
False (Score:2)
If that's what they're announcing then it means they've broken it and are now trying to put our minds at ease, in order to "catch the bad guys" of course.
Suuuuuuuure....... (Score:2)
"Quantum Computer Not Ready To Break Public Key Encryption For At Least 10 Years, Some Experts Say"
That's what they want you to believe.
You know, the mysterious, shadowy "they" that's behind everything- chemtrails, the flat-earth, anti-vaxxers, Reptilians, C++ pointers...it's all them and they. Hopefully they won't delete this post where I blow the lid off of their nefarious activities.
The light in your fridge burned out? They did it. One of your tires suddenly gets low? They did it. Who ate all the i