From: Jakob Bohm <jb-usenet@wisemo.invalid>
Newsgroups: sci.crypt
Subject: Re: State of Post Quantum Cryptography?
Date: Fri, 10 May 2024 08:32:26 +0200
Organization: WiseMo A/S
Message-ID: <v1kf1r$1726o$1@dont-email.me>
References: <ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com> <v1ancg$2jieu$1@dont-email.me> <v1jf6i$srv9$1@dont-email.me>
In-Reply-To: <v1jf6i$srv9$1@dont-email.me>

On 2024-05-09 23:28, Peter Fairbrother wrote:
> On 06/05/2024 14:53, Jakob Bohm wrote:
>> On 2024-05-02 10:20, The Running Man wrote:
>>> What is you guys' take on PQC (Post Quantum Cryptography) algorithms?
>>> I know the NIST has held a contest and that there are winners, but do
>>> you guys think they're safe to use?
>>>
>>> I fear they may be broken in the future, thereby destroying the
>>> security and privacy of millions of unsuspecting users.
>
> Yep, that's a risk. PQC algorithms are of necessity less mature than
> current cryptographic algorithms. If I may quote Schneier's law in its
> original form:
>
> "Anyone, from the most clueless amateur to the best cryptographer, can
> create an algorithm that he himself can't break. It's not even hard.
> What is hard is creating an algorithm that no one else can break, even
> after years of analysis. And the only way to prove that is to subject
> the algorithm to years of analysis by the best cryptographers around."
>
> The winning PQC algorithms have had some of that analysis, but perhaps
> not enough. I would not be surprised if, like some of the candidates,
> the winners were comprehensively broken.
>
> And there is another risk: that they will be broken in ways we don't know
> about now. Quantum computers of the needed scale still don't exist, and
> we don't have years of practice using them - so it is practically
> inevitable that new attack techniques using quantum computers will be
> developed.

See further below where Fairbrother returns to this subject.

>> If any bad actor has a quantum computer with just a few more qubits
>> than the ones demonstrated in public, they can break most current
>> public key algorithms using known attack algorithms written a long
>> time ago for such (then hypothetical) computers.
>
> Err, no. Just no.

Note that I was talking logarithmic steps, not single-qubit steps.

> You would need about 1,000 reliable entangled error-free qubits
> equivalent (REEFQe) to do any useful cryptanalysis of present day public
> key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
> like 20.
>
> Having 1,000 error-prone qubits, which has been done in a couple of
> cases, is not nearly enough. Neither is D-Wave's 1,200 calibrated
> annealing qubits.

Would those numbers apply to things like EdDSA and ECDSA?

> Not even close.
>
> And close only counts in horseshoes and hand grenades.
>
>> They can also break symmetric
>> encryption at the same difficulty as if the key length was half as many
>> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
>> 128). [..] Any PQC public key algorithm will need to be combined with
>> double strength symmetric algorithms.
>
> Now there we agree, in fact double strength symmetric algorithms should
> be de rigueur in general use as of yesterday: but I don't see why we
> can't double up and use classic public key algorithms *as well as* PQC
> public key algorithms, at least for a while.

Yes, doubling up the types of algorithms used is a good way to hedge bets
against bad algorithms. Staying with known at-risk algorithms is
problematic.

Enjoy

Jakob

-- 
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
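The "double up" scheme the two posters agree on at the end of this exchange (a classical key agreement run alongside a PQC KEM, with the result used as a 256-bit symmetric key), as an added worked example that is not part of the original post and not code from either poster. It pairs X25519 with ML-KEM-768 using only the Go standard library, which assumes Go 1.24 or later (the crypto/mlkem and crypto/hkdf packages were added in that release). Both shared secrets and the whole transcript are fed into HKDF-SHA-512; the label hybridLabel, the message layout, the tamper switch and the helper names (combine, initiator, respond, finish, runExchange) are this example's own choices, not taken from any standard or from the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/hkdf"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha512"
	"fmt"
)

// hybridLabel is this example's own domain-separation string (an assumption,
// not a standardised value); a real protocol fixes its own label and layout.
const hybridLabel = "example-hybrid-x25519-mlkem768-v1"

// combine derives one 32-byte (AES-256 sized) key from both shared secrets.
// HKDF's input keying material is ssPQ || ssClassical, so an attacker must
// recover both halves to learn the key. The info string binds the transcript
// (both public keys and both "ciphertexts"); every field is fixed-size for
// these two algorithms, so plain concatenation is unambiguous.
func combine(ssPQ, ssClassical, ekPQ, ctPQ, pkClassical, pkResponder []byte) ([]byte, error) {
	ikm := append(bytes.Clone(ssPQ), ssClassical...)
	transcript := bytes.Join([][]byte{[]byte(hybridLabel), ekPQ, ctPQ, pkClassical, pkResponder}, nil)
	return hkdf.Key(sha512.New, ikm, nil, string(transcript), 32)
}

// initiator holds one key pair per mechanism; both public halves go out in
// its first message.
type initiator struct {
	pq *mlkem.DecapsulationKey768
	ec *ecdh.PrivateKey
}

func newInitiator() (*initiator, error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return nil, err
	}
	sk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &initiator{pq: dk, ec: sk}, nil
}

// publicKeys is message 1: ML-KEM encapsulation key and X25519 public key.
func (i *initiator) publicKeys() (ekPQ, pkEC []byte) {
	return i.pq.EncapsulationKey().Bytes(), i.ec.PublicKey().Bytes()
}

// respond is the responder's side. Message 2 is (ctPQ, pkECResp): the ML-KEM
// ciphertext plus an ephemeral X25519 public key. The responder can already
// derive the session key here.
func respond(ekPQ, pkEC []byte) (ctPQ, pkECResp, key []byte, err error) {
	ek, err := mlkem.NewEncapsulationKey768(ekPQ)
	if err != nil {
		return nil, nil, nil, err
	}
	ssPQ, ctPQ := ek.Encapsulate()
	peer, err := ecdh.X25519().NewPublicKey(pkEC)
	if err != nil {
		return nil, nil, nil, err
	}
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	ssEC, err := eph.ECDH(peer)
	if err != nil {
		return nil, nil, nil, err
	}
	pkECResp = eph.PublicKey().Bytes()
	key, err = combine(ssPQ, ssEC, ekPQ, ctPQ, pkEC, pkECResp)
	return ctPQ, pkECResp, key, err
}

// finish is the initiator's side after message 2. Note that ML-KEM does not
// report a corrupted ciphertext of the right length: it returns a different
// (implicit-rejection) secret, so key confirmation must happen at a higher layer.
func (i *initiator) finish(ctPQ, pkECResp []byte) ([]byte, error) {
	ssPQ, err := i.pq.Decapsulate(ctPQ)
	if err != nil {
		return nil, err
	}
	peer, err := ecdh.X25519().NewPublicKey(pkECResp)
	if err != nil {
		return nil, err
	}
	ssEC, err := i.ec.ECDH(peer)
	if err != nil {
		return nil, err
	}
	ekPQ, pkEC := i.publicKeys()
	return combine(ssPQ, ssEC, ekPQ, ctPQ, pkEC, pkECResp)
}

// runExchange runs one full exchange and returns both sides' keys. With
// tamperPQ set, one byte of the ML-KEM ciphertext is flipped in transit; the
// X25519 half is untouched, yet the two ends must end up with different keys.
func runExchange(tamperPQ bool) (initKey, respKey []byte, err error) {
	ini, err := newInitiator()
	if err != nil {
		return nil, nil, err
	}
	ekPQ, pkEC := ini.publicKeys()
	ctPQ, pkECResp, respKey, err := respond(ekPQ, pkEC)
	if err != nil {
		return nil, nil, err
	}
	if tamperPQ {
		ctPQ = bytes.Clone(ctPQ)
		ctPQ[0] ^= 0x01
	}
	initKey, err = ini.finish(ctPQ, pkECResp)
	return initKey, respKey, err
}

func main() {
	for _, tamper := range []bool{false, true} {
		a, b, err := runExchange(tamper)
		if err != nil {
			panic(err)
		}
		fmt.Printf("tampered=%v keys agree=%v key bytes=%d\n", tamper, bytes.Equal(a, b), len(a))
	}
}
```

The point of routing everything through one KDF call is that the derived key is only as weak as the stronger of the two mechanisms: a break of X25519 by a large enough quantum computer, or a classical break of ML-KEM of the kind Fairbrother worries about, each leaves the other half of the input keying material unknown. Binding the transcript into the info string is what makes the tampered run diverge even though decapsulation reports no error, which is why a real protocol adds an explicit key-confirmation step before the 256-bit key is used for traffic.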