Could NIST Delays Push Post-Quantum Security Products Into the Next Decade? (esecurityplanet.com)
Slashdot reader storagedude writes: A quantum computer capable of breaking public-key encryption is likely years away. Unfortunately, so are products that support post-quantum cryptography.
That's the conclusion of an eSecurity Planet article by Henry Newman. With the second round of NIST's post-quantum algorithm evaluations — announced last week — expected to take "several years" and the FIPS product validation process backed up, Newman notes that it will be some time before products based on post-quantum standards become available.
"The delay in developing quantum-resistant algorithms is especially troubling given the time it will take to get those products to market," Newman writes. "It generally takes four to six years with a new standard for a vendor to develop an ASIC to implement the standard, and it then takes time for the vendor to get the product validated, which seems to be taking a troubling amount of time.
"I am not sure that NIST is up to the dual challenge of getting the algorithms out and products validated so that vendors can have products that are available before quantum computers can break current technology. There is a race between quantum technology and NIST vetting algorithms, and at the moment the outcome is looking worrisome."
And as encrypted data stolen now can be decrypted later, the potential for "harvest now, decrypt later" attacks "is a quantum computing security problem that's already here."
I have a simple answer! (Score:2)
No more secrets!
Re: (Score:2)
Such as your social security data, your biometric data, those porn sites you visited, those drugs you took, that hookup you'd like to forget, the nuclear codes to launching nukes, recipes for chemical and biological weapons, your bank numbers, you entire genelogic history, your health data, your insurance data, your investments and your access accounts to those investments, your sexual orientation, etc.
So could you please publish all that here so that we may know this isn't some zephyr of an idea that fizze
Re: (Score:2)
a lot of people spend their entire lives thinking about and supporting zephyrs. other peoples' zephyrs at that. sad! many such cases!!
Re: (Score:2)
If we stopped demanding society's 'normal' be some checklist of perfect outcomes (See: Utopia) and accepted normal includes a lot of weird crap, this wouldn't matter.
If we stopped declaring we have more rights than our neighbours, we wouldn't have weapons that could be used against us.
If we stopped putting a price on life and using money to keep 'score', this wouldn't matter.
I'll admit points 2 & 3 aren't going to be solved anytime soon. We can change the values of society (Eg. Slavery). Large parts
Re: (Score:2)
I have no social security, no biometric data (look, mama, no fingerprints), I don't visit porn sites, I don't use drugs, I'd rather have no nukes and no launching codes, I have no bank account, I don't know what "genelogic" is, I am uninsured and without investments, and my sexual orientation is obvious. Or, as Asimov would have it, I am Gaia.
decrypting old stuff (Score:2, Insightful)
I'll bet there is a *lot* of encrypted stuff out there that people will wish couldn't be q-decrypted.
Re: (Score:2)
No need to panic. AES 128 isn't susceptible to attack by quantum computers and RSA can easily use bigger numbers to negate them.
Re: (Score:2)
How do you apply those encryptions to files that are already out there?
Re: (Score:2)
You can't (obviously) but they're going to be quite old files by the time QC can decrypt them and only RSA will be vulnerable, symmetric ciphers with more than 64-bit keys should still be OK.
I don't know how many "files" are encrypted with RSA but I don't think it's many. It would mostly be email that uses RSA because of the public keys.
Re: (Score:1)
I'm not arguing with you (because I know nothing about this stuff), but if AES 128 isn't susceptible, why is NIST looking for a new solution?
Re: (Score:2)
It's asymmetric encryption algorithms like RSA that are vulnerable to known quantum attacks, not symmetric algorithms like AES.
More precisely: algorithms that rely on factorization of numbers for their security.
But see comment below...
Re: (Score:2)
Nothing is vulnerable to quantum computers, and probably never will be. The state of the art in quantum cryptanalysis is factoring the number 21. Not a 21 digit number or even a 21 bit number, but the product of 3 and 7. And that's been the state of the art for the last ten years or so, so no progress is being made.
It doesn't matter if NIST doesn't standardise PQC for another million years, they've got all the time in the world before quantum computers become any kind of threat to crypto. Some crypto g
Re: (Score:2)
Nothing is vulnerable to quantum computers, and probably never will be. The state of the art in quantum cryptanalysis is factoring the number 21. Not a 21 digit number or even a 21 bit number, but the product of 3 and 7. And that's been the state of the art for the last ten years or so, so no progress is being made.
I didn't know that, I thought they were up to 10 or more bits these days but it turns out those results were "cheats". Thanks for posting.
Ref: https://en.wikipedia.org/wiki/... [wikipedia.org]
The private sector will do it (Score:1)
Re: (Score:2)
Yep, whacking together quantum algorithms that are provably secure is easy. Why, I'll bet you could do a few a day, right? And the first private companies that get out in front on this will be subject to lawsuits if their new whizzies fail.
Re: The private sector will do it (Score:2)
That is all NIST does in the end. They have no staff scientists to come up with new algorithms; they opened up a challenge for anyone in the private sector to submit algorithms, and there are a few strong candidates.
Now NIST needs to put up a formal peer review of these systems, a process which has already happened to some extent outside of NIST, they also need someone internal at eg NSA (which by definition is unlikely to have the necessary expertise) to review it.
The delay isn't technical it is pu
Re: The private sector will do it (Score:4, Interesting)
Re: (Score:2)
You don't need a quantum computer to do encryption that's proof against decryption by a quantum computer.
OTOH, "I think there is a world market for maybe five computers." Change that to quantum computers, and double the number. There are VERY few things that quantum computers are known to be better at than regular computers. Factoring numbers is one of them, though. But there are grounds for believing that any decent quantum computer will be hellaciously expensive. So MOST users shouldn't expect to b
Re: (Score:2)
The delay isn't technical? So quantum-proof software and hardware is out there right now?
Yes, and has been in use for 20 years (eg AES).
Part of the delay... (Score:2, Funny)
NIST is underfunded (Score:4, Insightful)
Re: (Score:2)
Re:NIST is underfunded (Score:4, Interesting)
Re: (Score:2)
This is a bigger problem than it seems, because they have to make sure the standard they produce still remains the same despite changing conditions.
NIST had a huge standards database - many of which you can actually buy. These are called Standard Reference Material and they have to test identically sample to sample. Even when things change. If you want to know the caloric value of say, peanut butter, you can rely on NIST SRM 2387 - which is a standard sampl
Re: (Score:2)
How do you change that? Would internal status data made public help?
The solution is not "hand them a billion more dollars".
Re: NIST is underfunded (Score:2)
Re: (Score:1)
You get what you pay for as the taxpayer.
We get what we're told to pay for, whether or not we like it.
It's no mistake that libraries are first on the list to have their budgets cut as "unnecessary" but rogue, questionably constitutional agencies like DEA and BATFE are never put to the screws during the "government shutdown" propaganda/punishment events.
Years away (Score:3)
Re: (Score:3)
Indeed. I also noted that the last few great announcements glossed over how many effective Qbits are there. (Hint: much, much fewer than the announced numbers.) Now take into account that to break, say, RSA 4096, you need something like 16k effective (!) Qbits that need to stay entangled for a long and complex calculation. We currently have (maybe) 100 effective Qbits that can do short and simple calculations only. And forget about breaking block-ciphers. That is even more complex.
The whole thing is an arti
Re: (Score:2)
You are underestimating the problem, but the constraints you mention DO exist. Planning either way is a gamble, but for most communications it isn't significant. (Will it matter if your message is decrypted 10 years from now? If it would, is anyone likely to invest the [scarce] resources?)
There are definitely cases where this is properly a real concern. They are rare.
Re: (Score:2)
I am not underestimating the problem. I am pointing out that the "problem" is a fantasy not grounded in reality. It is a lot of clueless people following a panic-hype, nothing else.
Quantum and other buzzwords (Score:2)
Quantum Computing, Blockchain, Crypto, AI, LLVM, now give me VC cash pronto.
That's the entire value of these buzzwords -- to let fools part with their gold.
Quantum Computing doesn't exist, but don't fret, because one day it will. Until then we have quantum annealing, which is not the same, and not much better than classical annealing. https://www.pnas.org/doi/10.10... [pnas.org].
Still ONE DAY maybe quantum [crap spew] and then we can "break all encryption." However, anything encrypted with PFS won't be able to be de
Years away? Bullshit! (Score:2)
More like centuries away and it is still unclear whether it is possible at all. Wake me when QCs can at least beat my 40 year old programmable pocket calculator. I do not think that will happen in the next few decades though. I have no idea who profits from this inane fear-mongering, but somebody with a lot of power clearly does.
Re: (Score:2)
The time estimate is purely speculative. It could be impossible. Someone could come up with a (relatively) simple way to make it work tomorrow. It's probably somewhere in between those extremes. My guess is that effective quantum computers are a decade away, and they will be expensive enough that only governments and a few large corporations will own them. But It's a guess.
Sometimes it's important to be prepared against low-probability events, and an effective quantum computer within 7 years is somethi
OpenSSH 9.0 has quantum-safe encryption (Score:1)
Thankfully OpenSSH 9.0 [openssh.com] implements quantum-safe encryption in the form of hybrid Streamlined NTRU Prime + x25519 key exchange.
"Hybrid" means NTRU [wikipedia.org] and X25519 ECDH are used together for key exchange, so if a vulnerability in NTRU is later found, the combination can be no weaker than the previous X25519 ECDH default.
As of OpenSSH 9.3, the default key exchange algorithms are, in order:
sntrup761x25519-sha512@openssh.com,
curve25519-sha256, curve25519-sha256
Re: (Score:2)
It looks like that was already available in openssh 8.6. On macOS 12.6.8:
$ /usr/bin/ssh -V
OpenSSH_8.6p1, LibreSSL 3.3.6
$ /usr/bin/ssh -Q kex
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
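The two posts above describe the hybrid sntrup761x25519 key exchange and how to list the key exchange algorithms a local OpenSSH build supports. The following is an added example (not OpenSSH code, not from either poster) that turns the `ssh -Q kex` listing into an audit: it classifies each algorithm as post-quantum hybrid, classical ECDH, classical finite-field DH, or legacy (SHA-1 based or the 1024-bit group1), reports whether a PQ hybrid is available, and builds a `KexAlgorithms` line that prefers the hybrid. The sample input is the listing quoted in the reply above. The `hybrid_secret` function illustrates the "no weaker than X25519 alone" argument: both shared secrets feed one SHA-512 hash, so an attacker who recovers only the NTRU half still lacks the input needed to derive the session key. That the real combiner is exactly SHA-512 over the concatenation is an assumption taken from the algorithm name; the classification rules are this example's own, not OpenSSH's.

```python
import hashlib

# Constructed sample: the `ssh -Q kex` output quoted in the thread above
# (OpenSSH 8.6p1 on macOS 12.6.8), one algorithm name per line.
SAMPLE_KEX_OUTPUT = """\
diffie-hellman-group1-sha1
diffie-hellman-group14-sha1
diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group18-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
curve25519-sha256
curve25519-sha256@libssh.org
sntrup761x25519-sha512@openssh.com
"""

# Category labels used by the audit (this example's own naming).
PQ_HYBRID = "post-quantum hybrid"
CLASSICAL_ECDH = "classical ECDH"
CLASSICAL_DH = "classical finite-field DH"
LEGACY = "legacy (SHA-1 or 1024-bit group)"


def classify_kex(name: str) -> str:
    """Classify one SSH KEX algorithm name; rules are heuristics, not OpenSSH's."""
    n = name.strip().lower()
    if "sntrup" in n:
        return PQ_HYBRID
    # SHA-1 hashed exchanges and the 1024-bit group1 are legacy regardless of family.
    if n.endswith("sha1") or n.startswith("diffie-hellman-group1-"):
        return LEGACY
    if n.startswith("curve25519") or n.startswith("ecdh-sha2"):
        return CLASSICAL_ECDH
    if n.startswith("diffie-hellman"):
        return CLASSICAL_DH
    return "unknown"


def audit_kex(output: str) -> dict:
    """Group the lines of `ssh -Q kex` output by category, preserving order."""
    groups: dict = {}
    for line in output.splitlines():
        name = line.strip()
        if not name:
            continue
        groups.setdefault(classify_kex(name), []).append(name)
    return groups


def has_pq_hybrid(output: str) -> bool:
    """True if the build offers a post-quantum hybrid exchange at all."""
    return PQ_HYBRID in audit_kex(output)


def recommended_kex_line(output: str) -> str:
    """Build a ssh_config KexAlgorithms line: PQ hybrid first, then ECDH
    (curve25519 ahead of the NIST curves), then SHA-2 finite-field DH.
    Legacy entries are dropped entirely."""
    groups = audit_kex(output)
    ecdh = sorted(groups.get(CLASSICAL_ECDH, []),
                  key=lambda n: 0 if n.startswith("curve25519") else 1)
    ordered = groups.get(PQ_HYBRID, []) + ecdh + groups.get(CLASSICAL_DH, [])
    return "KexAlgorithms " + ",".join(ordered)


def hybrid_secret(k_pq: bytes, k_classical: bytes) -> bytes:
    """Combine two shared secrets into one session secret.
    Assumption: modelled on the '-sha512' suffix of the hybrid algorithm name,
    i.e. SHA-512 over the concatenation. Either input alone is insufficient."""
    return hashlib.sha512(k_pq + k_classical).digest()


if __name__ == "__main__":
    for category, names in audit_kex(SAMPLE_KEX_OUTPUT).items():
        print(f"{category}: {', '.join(names)}")
    print("PQ hybrid available:", has_pq_hybrid(SAMPLE_KEX_OUTPUT))
    print(recommended_kex_line(SAMPLE_KEX_OUTPUT))
```

On a real host, pipe `ssh -Q kex` into `audit_kex` instead of the embedded sample; the recommended line is a starting point for `~/.ssh/config` or `sshd_config`, and only helps once both peers support the hybrid, since the client and server negotiate the first mutually supported entry.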
The problem isn't close to being "already here" (Score:1)
Quantum is a toy. It can barely factor 121 in less than a week. The posts with large number factorizations (or even 143) are special cases that use classical computing to get started, or use tricks that work for particular numbers, but do not work with all numbers.
NIST will verify the algorithms work, without simple traps to get around them. It should take years to prove them out through mathematicians and cryptographers.
Do we even trust NIST? (Score:2)
That used to be a silly question, but after the whole debacle where the NSA convinced NIST to put their seal of approval on a deliberately crippled random number generator designed to weaken both encryption and signatures, I'm not so sure. I have yet to see any evidence that it will never happen again.
Add in that NIST pushed an elliptic curve algo that requires strong random numbers over one that doesn't need random numbers at all.
I'm not entirely sold... (Score:2)
He says that "The FIPS 140-3 standard did not change encryption algorithms or key size. What did change in FIPS 140-3 is that the standard now evaluates security requirements at all stages of cryptographic module creation, including design, implementation and final operational deployment. FIPS 140-3 also requires