Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Encryption

State-of-the-Art Crypto Goes Post-Quantum (with Containerized TinySSH) (opensource.com) 40

emil (Slashdot reader #695) writes: The advent of quantum computing poses a well-recognized threat to RSA and other well-known asymmetric cryptosystems. It has been four years since NIST opened the post-quantum cryptography competition, and we are seeing extensive delays compared to AES.

A new and (hopefully) quantum-secure SSH key exchange, based on NTRU Prime, has been present in OpenSSH since January 2019, first implemented in TinySSH shortly before. This key exchange is marked by OpenSSH as experimental, and not enabled by default.

For those ready to evaluate NTRU Prime, or otherwise seeking an SSH server with "state-of-the-art crypto" (as described by TinySSH author Jan Mojí), a complete procedure for a Musl build and Busybox container deployment is presented, with additional focus on supplemental servers and key conversion.

This discussion has been archived. No new comments can be posted.

State-of-the-Art Crypto Goes Post-Quantum (with Containerized TinySSH)

Comments Filter:
  • by BAReFO0t ( 6240524 ) on Saturday July 25, 2020 @11:59AM (#60330495)

    No not "quantum"-safe?

    Why is there not a single word in TFS, *about* how this new KEX actually works?
    This is like "Wanna buy a new vehicle? It is a vehicely vehicle that is a vehicle, sold at vehicle dealers. Now I have successfully informed, by summarizing this new vehicle! -- Posted by Person".

    • This is like "Wanna buy a new vehicle? It is a vehicely vehicle that is a vehicle, sold at vehicle dealers. Now I have successfully informed, by summarizing this new vehicle! -- Posted by Person".

      OK, but if instead of a real automobile, it was 200 years ago and you were selling it based on a picture out of one out of Leonardo's notebooks, and promising you were going to finish building it soon? Then that would be an honest, accurate, precise description.

    • by raymorris ( 2726007 ) on Saturday July 25, 2020 @01:46PM (#60330929) Journal

      You bring up some interesting questions / assumptions.
      The answers are no, no, and no. None of those assumptions is correct.

      First, is NTRU Prime "based on prime numbers"? No.
      I'm cryptography, "prime" means "other". It's symbol is '

      A typical math conversation in cryptography might have lines like this:

      Message M is encrypted with function E(k)
      Message M' is encrypted with function E(k')

      The second line reads "message M prime is encrypted with function E(k prime)", meaning a different message is encrypted with a different key.

      So NTRU Prime is using naming kinda like C++, which means "the next C".

      Secondly, are "problems involving prime numbers" "not quantum secure".

      No. Not any more than "problems involving numbers" are broken by quantum computing. What is a concern with quantum computers is factoring large integers. Sure the answer ends up being prime numbers, but that's one specific problem involving prime numbers, not all problems involving prime numbers.

      NTRU Prime is not based on factoring integers. It's based on the Shortest Vector Problem (SVP) for lattices. SVP is NP-hard in the general case, and particular known cases. I assume they chose lattices such that it is NP-hard for NTRU Prime.

    • I should have answered this question:

      > Why is there not a single word in TFS, *about* how this new KEX actually works?

      I imagine the author didn't know how to explain that in a way that readers gain any understanding, without assuming knowledge of lattices as a prerequisite to undermine the explanation.

      If you're familiar with P and NP problems, the problem is based on is NP-hard, meaning it is at least as hard as the hardest problem in P. You kinda need a P problem for decryption to work*, so assuming th

  • Durrr (Score:4, Interesting)

    by Aighearach ( 97333 ) on Saturday July 25, 2020 @12:04PM (#60330525)

    The advent of quantum computing poses a well-recognized threat to RSA and other well-known asymmetric cryptosystems.

    Nope. The advent of quantum computing caused a bunch of blowhards to blow as hard as they could, but in reality quantum computers have not even shown an ability to do basic math as fast as conventional computers.

    The speculation is generally based on a thought experiment where the quantum computer is conceived as a magical device with theoretically perfect components. The same sort of thought experiment would also show that you can power all the world's heat engines from one glass of water, but notice no motor companies are shutting down due to the speculation? LOL

    With one small perfect switch, one small perfect capacitor, and one small perfect inductor, I can build a power conversion station that fits in the palm of my hand, can provide any output voltage from any input voltage, and can support the load of all electrical devices on planet Earth, not only now, but any that may be conceived in the future. Oh, yeah, but theory itself also says that perfect components can't be built; oops. So even in theory, there is no such thing as a perfect switch. And also, in theory the prognostications about quantum computers are still premised on perfect quantum "switches" that haven't ever been built. The actual switches that have been built aren't even capable of simple algorithms, and they certainly don't demonstrate anything that would be an efficiency improvement in an actual calculation.

    It reminds me of when a person is first learning about electronics engineering, and they don't understand how noise limits analog systems; they think of an analog voltage as continuous, so it seems like an op-amp should give a more precise answer than a digital math circuit. But it doesn't, and for proof, the "analog" op-amp isn't analog anymore, it is a mixed circuit that is mostly digital. Because you improve the analog signal by making it appear less continuous. Right now, a non-quantum system can emulate a quantum system faster than the quantum system can be run. The quantum systems are so bad, they can't even manage a clock; each "clock" cycle involves the whole machine being reset and reconfigured by hand. There is no objective reason to presume that the actual quantum system will actually run faster than the conventional circuit that simulates it, just as there is no objective reason to presume that in the future a better analog op-amp will finally have more bandwidth than the same op-amp converted into a "chopper" circuit.

    • This comparison of 'analog' to 'digital' reminds me of something I was told recently by an EE. I had learned about old fashioned radio tuners with comb capacitors to create the right resonance frequency to tune in a particular channel. Supposedly now they just use fast Analog to Digital convertors and do the 'tuning' in software. Even oscilloscopes nowadays I think are supposed to use fast A to D converters.

      I probably wouldn't go so off topic if it weren't for the blasted quarantine.

      • Comment removed based on user account deletion
      • In any digital storage oscilloscope,(all modern scopes) by necessity you have ADCs. The ones they have are fast because they're big; parallelized in analog at the very front such that each ADC is covering a narrower voltage band.

        In an op-amp, you have a chopper circuit that is very similar to what you'd have in an ADC on the input side, but the output side is still analog. There is ADC and DAC, but this is like an ADAC. It is sortof in the middle between analog and digital, with the cheapest ones being clos

    • by Anonymous Coward

      Right now, a non-quantum system can emulate a quantum system faster than the quantum system can be run.

      Not true according to: https://www.nature.com/article... [nature.com]
      And yes, I know the paper isn't referring to a general purpose quantum computing machine.
      If you set your number of entangled qubits arbitrarily large, then a classical system will never be able to compute the outcome in a reasonable timeframe.

      The quantum systems are so bad, they can't even manage a clock; each "clock" cycle involves the whole machine being reset and reconfigured by hand.

      Doing a QC computation in a single clock isn't a "bad" thing, that's exactly how they are intended to work. You're trying to cram pipeline stages and von Neuman machine thinking into the QC model. It doesn't work

    • You point out something that's true, and there is something missing from that analysis.

      To break modern cryptography, you'd need something like 4096 cubits. The biggest quantum computer today is about 53 qubits.

      The first commercially successful microchips had three transistors. At the time, some people saw the potential of microchips and talked about things they could theoretically do - but realistically doing those things would require ICs with THOUSANDS of transistors. That was FAR beyond what any compan

      • There is something missing from your analysis, too:
        You'd need more than 4096 cubits. You'd also need a working clock of some sort, which doesn't exist.
        And that is just to do the calculation; there is no evidence as to what the speed would actually be, once you overcome all the engineering challenges. Based on the speed of current quantum computers, it would not actually be faster.

        You can't just get a certain number of qubits and boom, encryption is broken, you also need your contraption to complete its work

        • > And those 53 qubits include 0 that are of the specific sort

          At least 3 different groups have in fact run Shor's algorithm on different quantum computers. You say they can't - well they have, several times.

          > There is no evidence as to what the speed would actually be

          The speed is O(log N). That is, O(b^3) for a b-bit number.
          Contrast a classical computer, where factoring is approximately O(2^b/2). What does that mean, you ask ...

          On a quantum computer, factoring a 1024-bit number takes 1,073,741,824 op

          • I should be clear, that absolutely does leave open the very big question of if a quantum computer with thousands of qubits can ever be built. Just like in 1960 it was abig question whether ICs with thousands of transistors could ever be built.

            If and when such a quantum computer is built, RSA is fucked.

            • by tlhIngan ( 30335 )

              I should be clear, that absolutely does leave open the very big question of if a quantum computer with thousands of qubits can ever be built. Just like in 1960 it was abig question whether ICs with thousands of transistors could ever be built.

              If and when such a quantum computer is built, RSA is fucked.

              The problem is it may not be physically possible to build such a large quantum computer. This is based on physics, not "the technology doesn't exist". Unless some major breakthrough happens that changes the wa

              • It's one of those fundamental problems - a whole new model of quantum computing needs to be thought up as the current method is not scalable.

                It is sad that however many times this is explained, the same people here on slashdot just wave their hands and insist it can scale the next time it is discussed.

          • I should mention that number of years *looks* a little too big to me, though that's the result I got from my calculator. Suffice to say:

            Supercomputers with racks of GPUs can't factor a 1024-bit semiprime.
            A 0.01 Mhz quantum computer could do it in a day.

            • A 0.01 Mhz quantum computer could do it in a day.

              Now invent a clocked quantum computer, because while your results are currently time-constrained, you have to set up the whole experiment each time you run it.

              Quantum computer clock speed, in Mhz, is currently 1/infinity Hz

              Now, you went to college and like to make wild, unfounded time extrapolations, so try this one out: How many orders of magnitude do you have to speed up the current quantum computers before you get to 0.01 Mhz?

              And... "in a day" LOL what?! That isn't even how these algorithms work.

              • > And... "in a day" LOL what?! That isn't even how these algorithms work.

                Look up Shor's algorithm and try using it on paper to factor 35.
                Then get back to me. You can treat the quantum part as a black box and just assume it returns 3 on the first run.

      • by gweihir ( 88907 )

        You point out something that's true, and there is something missing from that analysis.

        To break modern cryptography, you'd need something like 4096 cubits. The biggest quantum computer today is about 53 qubits.

        Actually, it is worse. Shor's algorithm needs at least 3x the QBits and that is without error correction. (No QC can do any meaningful computation sequence without error correction and Shor's algorithm requires a rather long computing sequence....). Hence you need > 12'000 QBits that you then need to do rather complex calculations on to break RSA 4096. That scaling to 53 QBits is after decades of research and it cannot actually do complex calculations. What they currently do its simulate the sequence by

  • Is that the point when the suckers funding quantum computing research finally realize they have been swindled?
    • by ceoyoyo ( 59147 )

      Anybody who invested in QC in order to read other people's mail did indeed get swindled. Smart people invest in it for the ability to do things like computational chemistry.

      If the NSA didn't invent it ten years ago, or if you're not particularly interested in reading old news, the ship has sailed on quantum code breaking.

      • Smart people invest in it for the ability to do things like computational chemistry.

        Quantum computers are not doing any computational chemistry, though.

        And yet, there is lots of computational chemistry being done.

        • by ceoyoyo ( 59147 )

          What a wonderful soundbite. Let me try: steam engines aren't doing any weaving today, and yet there is lots of weaving being done.

          Quantum computers offer a lot of possibilities for doing computational chemistry that is well beyond anything you can do with a conventional computer, barring some startling advancements in math. You can't do anything particularly practical today, that's why research and development is required. The problem is a good match for the methods, it's plausible (more so than quantum cod

          • What a wonderful soundbite. Let me try: steam engines aren't doing any weaving today, and yet there is lots of weaving being done.

            F
            Your arrow of time isn't even oriented in the same direction. You've got a bit of work to do before you get to apples-apples.

            It would be funny already, but you're the one who introduced "computational chemistry" as a future goal for quantum computing. But then when you go to pick up the goalposts, instead of moving the goalposts, you just ran away down the street yelling something.

            What is worse though is in the meat of your argument:

            offer a lot of possibilities for doing computational chemistry that is well beyond anything you can do with a conventional computer, barring some startling advancements in math

            If you can't do it with conventional computers, you actually can't do it

            • Dude, you're not making any sense. He kept a consistent goalpost: this would be useful for computational chemistry. You countered that computational chemistry happens without quantum computers, and only without quantum computers. He pointed out that lots of things in the past have happened even before groundbreaking advances in that field happened. There's no motion to the goalposts, it's always been "this would be useful for computational chemistry".

              As a note, I don't have any personal knowledge or po

              • Dude, you're not making any sense. He kept a consistent goalpost: this would be useful for computational chemistry. You countered that computational chemistry happens without quantum computers, and only without quantum computers. He pointed out that lots of things in the past have happened even before groundbreaking advances in that field happened. There's no motion to the goalposts, it's always been "this would be useful for computational chemistry".

                False. Specifically:

                He pointed out that lots of things in the past have happened even before groundbreaking advances in that field happened.

                1) Didn't happen.
                2) It does move the goalposts. Do you even understand the Law of Identity? I am not you. You are not me. Claiming a thing is useful is not supported by pointing at different things having been useful in the past. As I pointed out, the arrow of time isn't even pointing in the right direction to make a claim! "New things happen" is not a counter-argument to "you have no evidence of utility." It simply ignores which thing is being talked about. It attempts a philosophical a

      • If the NSA didn't invent it ten years ago, or if you're not particularly interested in reading old news, the ship has sailed on quantum code breaking.

        Can you explain what you mean?

        • by ceoyoyo ( 59147 )

          If the NSA invented practical quantum code breaking ten years ago, they've been reading everyone's mail for those ten years.

          If you've been saving up encrypted mail and there's some reason why you think decrypting it will still be useful ten years from now, then quantum decryption might be of use to you, if it eventually works, a decade or so from now.

          Otherwise, you're out of luck. Most people with really secret stuff have been using non-quantum vulnerable algorithms to protect it for some time already. The

          • by chrish ( 4714 )

            > Most people with really secret stuff have been using non-quantum vulnerable algorithms to protect it for some time already.

            That's extremely optimistic. Any sort of large organization is paralyzed with inertia due to their lowest-common-denominator systems or even just a lack of resources given to their IT departments.

            There are large financial institutions still using DES; that was broken in under 24 hours more than 20 years ago... your phone can probably do it on one battery charge now. Government webs

    • This is the point where we move from Hamiltonian to Lagrangian formalism and ask for more grants.

    • by gweihir ( 88907 )

      Is that the point when the suckers funding quantum computing research finally realize they have been swindled?

      Hopefully this will happen soon. I am getting really tired of this bullshit.

  • Marketing spew: "quantum computers are a threat to crypto!" nevermind they can factor 15 slower than a ten year old presently if you count the time to cool the machine and tune for setup.

    Marketing spew: "this is a quantum-secure algorithm!" Assertion made without a shred of proof against a problem that doesn't yet exist and may never exist, and about a "solution" which might even be broken by conventional math and extant systems in the near future.

  • Shor's Algorithm is an algorithm that runs on a quantum computer that can find the period of a function. RSA works because given primes p and q we do math on the set of numbers co-prime to p*q. This set has (p-1) * (q-1) elements but only the person with the private key knows this value. In classical computing the best way to find (p-1) * (q-1) is to find p and q (factor p*q). Shor's algorithm actually finds (p-1) * (q-1) directly. Of coarse once you have (p-1) * (q-1) with a bit more work you could f
  • Unfortunately many posts here saying that quantum computers aren't ever going to be capable enough to break cryptography, we have nothing to worry about, and they are being modded +5.

    The research and capabilities out there are advancing at a similar pace to that of the transistor: from a large clunky piece of silicon composing one transistor, to the billions of transistors on something the size of a dime, all in the matter of 50 years.

    Encryption isn't only valuable instantaneously, the data needs to often b
  • There is absolutely no indications quantum computers can scale even remotely to the sizes needed.

  • This new encryption scheme cannot be broken by currently known quantum computing algorithms.

Garbage In -- Gospel Out.

Working...