As Quantum Computing Threats Loom, Microsoft Updates Its Core Crypto Library

An anonymous reader quotes a report from Ars Technica: Microsoft has updated a key cryptographic library with two new encryption algorithms designed to withstand attacks from quantum computers. The updates were made last week to SymCrypt, a core cryptographic code library for handing cryptographic functions in Windows and Linux. The library, started in 2006, provides operations and algorithms developers can use to safely implement secure encryption, decryption, signing, verification, hashing, and key exchange in the apps they create. The library supports federal certification requirements for cryptographic modules used in some governmental environments. Despite the name, SymCrypt supports both symmetric and asymmetric algorithms. It's the main cryptographic library Microsoft uses in products and services including Azure, Microsoft 365, all supported versions of Windows, Azure Stack HCI, and Azure Linux. The library provides cryptographic security used in email security, cloud storage, web browsing, remote access, and device management. Microsoft documented the update in a post on Monday. The updates are the first steps in implementing a massive overhaul of encryption protocols that incorporate a new set of algorithms that aren't vulnerable to attacks from quantum computers. [...]

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST). The KEM in the new name is short for key encapsulation. KEMs can be used by two parties to negotiate a shared secret over a public channel. Shared secrets generated by a KEM can then be used with symmetric-key cryptographic operations, which aren't vulnerable to Shor's algorithm when the keys are of a sufficient size. [...] The other algorithm added to SymCrypt is the NIST-recommended XMSS. Short for eXtended Merkle Signature Scheme, it's based on "stateful hash-based signature schemes." These algorithms are useful in very specific contexts such as firmware signing, but are not suitable for more general uses. Monday's post said Microsoft will add additional post-quantum algorithms to SymCrypt in the coming months. They are ML-DSA, a lattice-based digital signature scheme, previously called Dilithium, and SLH-DSA, a stateless hash-based signature scheme previously called SPHINCS+. Both became NIST standards last month and are formally referred to as FIPS 204 and FIPS 205. In Monday's post, Microsoft Principal Product Manager Lead Aabha Thipsay wrote: "PQC algorithms offer a promising solution for the future of cryptography, but they also come with some trade-offs. For example, these typically require larger key sizes, longer computation times, and more bandwidth than classical algorithms. Therefore, implementing PQC in real-world applications requires careful optimization and integration with existing systems and standards."

What threats?

[gweihir]

Seriously. This idiocy has to stop.

Re:

[Seven Spirals]

We get one of these stories a week. The thesis has been on the table at least since the movie Sneakers came out a zillion years ago (NO MORE SECRETS). What it proves is that IT journos have very little creativity and could be replaced by a ChatGPT script.

Re:

[gweihir]

That nicely sums it up.

Too late?

[Roger W Moore]

What it proves is that IT journos have very little creativity and could be replaced by a ChatGPT script.

How sure are we that this has not already happened?

The threat is Un-American activity.

[mmell]

But if you don't believe there is such a threat, you will have no need of advanced encryption technologies and therefore should have no opinion to venture on this subject (in describing this as idiocy, you are dismissing this issue along with your standing to express a meaningful opinion. Presumably, you aren't worried about your privacy on the internet so of course your opinion about encryption is irrelevant).

"Un-American activities" - once the catchphrase of 1950's MAGA supporters (back then, McCarthyis

Re:

[gweihir]

You are an idiot, do you know that? Well, you probably do. Obviously, as a security expert I can and should have insights into current and possible future developments.

NIST? Oh good.

[drinkypoo]

The first new algorithm Microsoft added to SymCrypt is called ML-KEM. Previously known as CRYSTALS-Kyber, ML-KEM is one of three post-quantum standards formalized last month by the National Institute of Standards and Technology (NIST).

womp [wired.com] womp [wikipedia.org]. Who still trusts NIST? Microsoft is part of PRISM and their operating system is an essential component of the spying systems of Five Eyes [wikipedia.org], so their opinion is worse than worthless.

So you'll be sticking with rot13 encryption?

[mmell]

I mean, with none of the NIST standards meeting your expectations, who will you trust to create encrytption for your use. As an amateur cryptographer, let me be the first to wish you luck. I know I can't do better, I'm quite certain you can't either.

Re:

[drinkypoo]

As an amateur cryptographer, let me be the first to wish you luck. I know I can't do better, I'm quite certain you can't either.

You're right. I will have to trust experts with a good reputation. But NIST doesn't have a good reputation since that probable back door and at best gross incompetence was found out, so that's a consistent statement.

Looms?

[RUs1729]

It has been looming for twenty years, and chances are it will still be looming in twenty years time.

Re:Looms?

[timeOday]

"Chances," as in what percentage chances? Breaking all fielded cryptography is a doomsday scenario. A 1% risk of it happening easily cost-justifies developing and pre-staging software countermeasures. Moreover if it does happen, we will likely not know for sure that has happened for years afterwards.

Re:

[phantomfive]

Breaking all fielded cryptography is a doomsday scenario. A 1% risk of it happening

That's optimistic.

Re:

[thegreatemu]

Quantum computer capability has been improving exponentially in just about every metric (coherence time, fidelity, number of qubits, error correction capability) for at least the last decade. Yes, a QC that can break RSA is still at least a decade away, barring an unexpected innovation. But it's not like fusion, where a big innovation is required. Continuing the steady, incremental progress we've been observing will get us there. If anything that progress is likely to increase given the billions of dollars

Re:

[RUs1729]

Quantum computer capability has been improving exponentially in just about every metric (coherence time, fidelity, number of qubits, error correction capability) for at least the last decade.

The money in your bank account (and mine) has also been improving exponentially for at least a decade, but we are not up there with the likes of Musk, Bezos, etc. 'Exponential' does not imply 'fast'. QC still has a long, long way to go if it is ever to become anything beyond a lab curiosity.

Yes, a QC that can break RSA is still at least a decade away, barring an unexpected innovation.

It was a decade away one decade ago too.

But it's not like fusion

No - it is far more hyped.

The arrival of quantum computers is not going to be nearly as transformative to society as widespread personal computing, but it is coming.

At a glacial pace that the preposterous hype that surrounds it can't conceal.

Re:

[CEC-P]

Don't they have 1000+ quibit computers assembled and working right now? That was their own press release so is it just Elon going to Mars in the nxt 2 years level of "buy my stocks, give me money" crap?

Re:

[CEC-P]

Let me introduce you to most dangerous footwear you've ever heard of. SNDL = store now, decrypt later. I heard that you can fit every SMS message that has been sent in all of human history on one hard drive. Not sure if it's true. Now expand that to just simple DNS requests over a VPN.

Re:

[Darinbob]

Yes, but state of the art is advanced. There are indeed new algorithms to help protect against newer attack methods including "quantum computers". They may not be here now, but the new methods must be in placed BEFORE they appear. From experience, it takes a very long time for people to dump their old infrastructures and put in new ones, to dump old libraries and use new ones, etc.

The good news is that some of the newer algorithms are much faster, using linear algebra rather than elliptic curves. Good n

Re:

[necro81]

Sounds nice, but I'd wait until the Bruce endorses it.

I don't normally reply to ACs, but you raise an interesting point. Scanning through his blog, it appears that he hasn't explicitly made an endorsement of the new NIST-endored lattice encryption algorithms, released in August. However, back in May of this year he had this essay [schneier.com] on the general subject. Towards the end of it he says:

Should NIST be doing anything differently now in its post–quantum cryptography standardization process? The answer

Miltary algorithms first

[AcidFnTonic]

How about the military just publicizes the secret algorithms they use since an algorithm being secret is apparently not a valid reason for security.

Or perhaps everyone is starting to see the real issue which is using public algorithms that super computers have pre-loaded attack vectors ready to go against.

Since supposedly keeping the algorithms secret doesnt help, lets get the military to share theirs. Since all the security is in the key why not? Tee hee

Threat to past messages

[FeelGood314]

Attackers are recording your encrypted messages today along with the key negotiation. If a quantum computer is built in 5 years that can break the key negotiation then the attacker can read your messages. If your messages where commands and authorizations then it doesn't matter. You would have to change any passwords that you used. If I'm a government though, these secrets could be very embarrassing and I would have to get any spies or other assets out of harms way.

The other problem is, that if quantum computers become available in 5 years that break key negotiations and signatures and we don't have a new system in place then all our privacy and authentication is broken and recovering at that time would be very difficult since we would be relying on the internet to negotiate a solution for the compromised internet.

Re:

[fluffernutter]

There aren't many use cases for encryption that would encrypt a message today that would be still useful in five years. Any company that knows what its doing has all passwords being changed regularly. The list of top secret informants for the US is protected by much more than just encryption, and is far more likely to be uncovered by Donald Trump giving it directly to Putin rather than a security breach.

And how will you encrypt your new password?

[FeelGood314]

There aren't many use cases for encryption that would encrypt a message today that would be still useful in five years. Any company that knows what its doing has all passwords being changed regularly.

So you change your password, I break the encryption and I know your new password.

Also if your company is asking you to change your password regularly then they don't know what they are doing. Human's suck at remembering passwords. I've worked at secure locations that required changing passwords every 90 days. I once surveyed a large number of people in the organization to try and point out how terrible this policy was. Over two thirds had a password that was a common 6 letter English word with the fi

Re:

[fluffernutter]

But you were talking about them talking the encrypted password now and decrypting them later were they not?

Also they don't give a shit if i can't remember my password. Then that's my problem and i have avenues to fix it. Personally i cannot remember passwords once there are more than two special characters so i use keepass.

I fear the future threat of quantum computing

[Rosco P. Coltrane]

less than I fear Microsoft's core crypto library.