No, Quantum Computers Won't Break All Encryption
Posted by Practical-Ideal6236@reddit | programming | View on Reddit | 47 comments
LoreBadTime@reddit
Some encryption schemes cannot be broken, like the one-time pad. The key exchange is a problem, but it is not if super secrecy is really needed.
Takeoded@reddit
What if someone breaks the šļø?
ub3rh4x0rz@reddit
OTP is theoretically perfect and practically unusable. You need to preshare key material equal to all communication that needs to happen between key exchanges, and if you use some other algo to perform the exchange instead of the sneakernet, you have now downgraded security to that weaker link.
LoreBadTime@reddit
Indeed, if you know what you need to do and have the resources. If really needed you can personally exchange the key, and when needed you use it.
MartinMystikJonas@reddit
Nobody ever said it will break all encryption. It would break the most used asymmetric cryptography algos used for key exchange and signing.
look@reddit
There are already NIST standards for quantum resistant asymmetrical algorithms.
Did you think many people notice when a website replaces an RSA key with an ECC?
It'll be the same non-issue when CRYSTALS or similar replaces those.
sopunny@reddit
The concern is whoever builds the first practical computer that can break existing encryption doesn't tell anyone, so we don't switch over
GayMakeAndModel@reddit
I don't think there will ever be a practical quantum computer.
https://spectrum.ieee.org/quantum-computing-skeptics
lolfail9001@reddit
I believe. I just don't believe they will ever get 1000 usable qubits large, but you don't need to get so far to extract use of them for quantum chemistry and the like, last I checked my quantum computing research.
GayMakeAndModel@reddit
the number of qubits is only one problem cited in the link
amaurea@reddit
RemindMe! 30 years "Do practical quantum computers exist?"
GayMakeAndModel@reddit
heheheheh
RemindMeBot@reddit
I will be messaging you in 30 years on 2054-11-05 23:48:15 UTC to remind you of this link
baseketball@reddit
Have you seen today's quantum computers? They're huge and require cooling to near absolute zero. They're also nowhere close to being able to control the number of bits required to break something like RSA 2048. We'll know when someone gets close.
MartinMystikJonas@reddit
Well, I would not bet that the USA or China would not be able to build a big quantum computer in secret military facilities without the general public knowing about it.
baseketball@reddit
We're no longer in Manhattan Project days. If top quantum computing scientists and researchers were spending a lot of time in secret bunkers, we'd probably hear about it.
MartinMystikJonas@reddit
Yeah, but building a big enough quantum computer would probably be more about a huge amount of money and good engineering than about some new scientific breakthrough.
lolfail9001@reddit
This is like fusion "engineering": engineering so precise it is a scientific breakthrough or twenty all on its own.
jausieng@reddit
Almost certainly, a substantial part of the world will not switch over even when a cryptographically relevant quantum computer is publicly demonstrated.
aueioaue@reddit
That is not a legitimate concern, though. There will be no secret "zero day" quantum computer that suddenly appears in a secret lab somewhere while the rest of the world is caught completely off guard. It'll instead be slow and steady progress toward incrementally-more-practical QC systems hand-in-hand with a gradual transition to quantum-safe algorithms. Even companies that fall behind are likely to be caught out by browsers and other client systems dropping support for legacy crypto as QCs become viable security threats.
MartinMystikJonas@reddit
Replacing it in websites would be trivial. Replacing it in a shitton of old network hardware, IoT devices, printers, ...
randomguy4q5b3ty@reddit
But it is a popular misconception that quantum computers would be the end of all encryption.
I-like-IT-Things@reddit
My quantum computer beat encryption last week.
a_printer_daemon@reddit
Pack it up, people, we are done here.
loup-vaillant@reddit
Which in practice, is pretty much the same as saying it will break all encryption. Because let's be honest, the use of pure symmetric cryptography is pretty marginal.
Except for encryption at rest. Encrypted drives and password databases come to mind.
a_printer_daemon@reddit
I have heard people say this. Colleagues with PhDs, even. I brought it up with a cybersecurity colleague at a previous institution after students told me he said it in class.
He still didn't quite believe me when I explained the mechanics.
chengiz@reddit
... if your product of two primes is a two digit number. Jk.
abitofevrything-0@reddit
The problem is that "quantum-unsafe" algorithms like RSA or ECC are used to encrypt the keys for symmetric algorithms like AES, so hosts can agree on which key to use without an attacker being able to intercept that key.
So if you break RSA, you then have the key for the AES encrypted data, and no amount of quantum safety is going to stop an attacker that has the key...
look@reddit
There are quantum resistant replacements for ECC and RSA. https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
abitofevrything-0@reddit
Of course. But this article is saying that RSA/ECC being broken does not undermine the security of AES.
This is true taken in isolation, but in a lot of cases the security of AES is only provided by the key being encrypted by RSA/ECC. So we must move towards using these new algorithms, and not assume we're safe because "everything uses AES, which is apparently quantum safe anyway".
Pharisaeus@reddit
In most cases you have something like (EC)DH parameters encrypted with RSA, so someone would have to break first the RSA, then that particular DH exchange and then finally could decrypt that one ciphertext.
loup-vaillant@reddit
No, you don't. Any given message/session tends to use RSA or elliptic curves. And the point is moot anyway: if you break the first stage you break all the rest.
Pharisaeus@reddit
No, it doesn't. Ever seen
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
? DH is completely independent from the signature, so it can be DH or ECDH combined with any other signature (RSA, DSA, ECDSA, EdDSA...).
loup-vaillant@reddit
Okay, okay, I forgot about handshakes involving signing the ephemeral public key with a signature scheme, and didn't think people would be inane enough to use EC for one and RSA for the other. I'm guessing this is a combination of backwards compatibility and patents.
Furthermore, I'm biased towards modern handshake protocols like Noise, that do everything with Diffie-Hellman: authenticated handshake without signatures. I love when protocols have few dependencies.
Well, you should have been clearer and talked about signing the DH public key, instead of "something like (EC)DH parameters encrypted with RSA".
But do note in this case that breaking the signature alone would still get you the plaintext: just impersonate everyone and MitM the conversation you want to eavesdrop, no need to break DH. And if you break DH it's almost as bad: you won't be able to initiate new connections, but you can decrypt messages, as well as hijack existing sessions.
Anyway, the point is kinda moot: with quantum computing both RSA and EC are toast. And considering the prevalence of quantum vulnerable public key cryptography out there, it is totally reasonable to approximate it as "QC will break all crypto". The only significant exception is password based encryption, which relies only on symmetric cryptography. And, possibly the military, which used cryptography before the advent of public keys, and as such is used to pre-share symmetric keys.
jausieng@reddit
(Informally) you sign the whole key exchange process (algorithm support lists, extensions, etc), not just the (EC)DH public key.
'Inconsistent' cryptography such as an RSA signature on a session established with ECDH can happen perfectly naturally. You set up your SSH client, TLS server, or whatever years ago and created an RSA signing key, because that's what was available at the time. Client and server implementations get upgraded over time and opportunistically select ECDH when both endpoints to any given session support it. But unless you created a new signing key, you still end up with RSA signatures.
AFAIK the payments sector is still full of symmetric cryptography, some of it not even upgraded to AES yet.
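Pharisaeus's cipher-suite example above and jausieng's point about RSA-signed sessions running on ECDH can be made concrete by splitting a TLS 1.2 suite name into its components and marking which ones a quantum computer would affect. This is an added example, not code from the thread; parse_suite and assess are hypothetical helper names, and the lookup tables are my own constructed summaries (Shor breaks the listed public-key primitives; Grover only halves symmetric key strength).

```python
# Public-key primitives that a cryptographically relevant quantum computer
# running Shor's algorithm breaks outright (constructed summary table).
SHOR_BROKEN = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "DSS", "ECDSA", "EdDSA"}
# Symmetric ciphers: Grover's algorithm only halves the effective key length.
CIPHER_KEY_BITS = {"AES_128": 128, "AES_256": 256, "CHACHA20_POLY1305": 256}


def parse_suite(name):
    """Split an IANA TLS 1.2 suite name into (kex, auth, cipher, mac).

    Hypothetical helper. For RSA key-transport suites (TLS_RSA_WITH_...)
    RSA serves as both the key exchange and the authentication.
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 cipher-suite name: {name}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kex_auth = left.split("_")
    kex, auth = kex_auth[0], kex_auth[-1]
    cipher, mac = right.rsplit("_", 1)      # e.g. AES_128_GCM / SHA256
    return kex, auth, cipher, mac


def assess(name):
    """Return what a quantum adversary gains against a session on this suite."""
    kex, auth, cipher, mac = parse_suite(name)
    # Drop the mode (GCM, CBC, ...) to look up the cipher's nominal key size.
    base = next((k for k in CIPHER_KEY_BITS if cipher.startswith(k)), None)
    bits = CIPHER_KEY_BITS.get(base)
    return {
        # Broken key exchange: passive decryption, including recorded traffic.
        "kex_broken": kex in SHOR_BROKEN,
        # Broken authentication: impersonation / active MitM of new sessions.
        "auth_broken": auth in SHOR_BROKEN,
        # Symmetric part survives with roughly half its key bits.
        "cipher_post_quantum_bits": bits // 2 if bits else None,
        "needs_pq_migration": kex in SHOR_BROKEN or auth in SHOR_BROKEN,
    }


def triage(suites):
    """Constructed inventory helper: names of suites that need migration."""
    return [s for s in suites if assess(s)["needs_pq_migration"]]


if __name__ == "__main__":
    # Constructed sample inventory, as a server's cipher-suite list might look.
    for s in ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256"]:
        print(s, assess(s))
```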
loup-vaillant@reddit
My mistake. It doesn't change the rest of my argument though: breaking the signature scheme still gets you the plaintext.
I believe it goes beyond signature keys having longer lives than ephemeral DH keys. It is a factor, but if I recall correctly, EC signatures were hampered by patents for quite some time.
Makes sense. Though I hear the payment sector generally has abysmal security, and I tend to ignore them to preserve my sanity.
edgmnt_net@reddit
True, but it should be noted that (EC)DHE is vulnerable to QC just like RSA and unlike symmetric crypto. There are other key exchange algorithms that fulfill post-quantum needs.
abitofevrything-0@reddit
And that's one ciphertext too many ;)
somecucumber@reddit
Wtf are you talking about, Jesse?
The article is about algorithms, not use cases. Symmetric encryption is safe, as long as the key is secure. That's crypto 101 m8
loup-vaillant@reddit
Those replacements have various safety/space/CPU tradeoffs that aren't very good right now, and interested parties can already store encrypted communications now in the hope of cracking them later.
I don't want to be worried (I have a horse in this race, and it isn't post-quantum), but I'm worried all the same.
PaluMacil@reddit
Looks like a pretty sweet library. Do you have a GitHub even just as a mirror so that I can bookmark it?
loup-vaillant@reddit
Strange that it was hard to find, normally the link is found on the Downloads page... Oh, on mobile the navigation menu is at the bottom, maybe I should try another way to display it.
yawkat@reddit
Keys are mostly exchanged by DH/ECDH, not key encapsulation using RSA or ECC equivalents. Just as broken, but different tech.
mattbas@reddit
Rot13 is still safe
Pharisaeus@reddit
Risky, I'd suggest doing 2Rot13 just in case, applying it twice.
sagittarius_ack@reddit
Are you saying that a quantum computer cannot break the Caesar cipher that I implemented in high school?