How the US is Preparing For a Post-Quantum World (msn.com) 45
To explore America's "transition to a post-quantum world," the Washington Post interviewed U.S. federal official Nick Polk, who is focused on national security issues including quantum computing and is also a senior advisor to the White House federal chief information security officer:
The Washington Post: The U.S. is in the early stages of a major shift focused on bolstering government network defenses, pushing federal agencies to adopt a new encryption standard known as post-quantum cryptography that aims to prevent systems from being vulnerable to advanced decryption techniques enabled by quantum computers in the near future...
Nick Polk: We've been using asymmetric encryption for a very long time now, and it's been ubiquitous since about 2014, when the U.S. government and some of the large tech companies decided that they're going to make it a default on most web browsers... Interestingly enough, regarding the post-quantum cryptographic standards being developed, the only thing that's quantum about them is that it has "quantum" in the name. It's really just a different type of math that's much more difficult for a quantum computer to be able to reverse-engineer. The National Institute of Standards and Technology is looking at different mathematical models to cover all their bases. The interesting thing is that these post-quantum standards are actually being used to protect classical computers that we have now, like laptops...
Given the breadth of the U.S. government and the amount of computing power we use, we really see ourselves and our role as a steward of the tech ecosystem. One of the things that came out of [this week's Inside Quantum Technology conference in New York City] was that we are very quickly moving along with the private sector to migrate to post-quantum cryptography. I think you're gonna see very shortly a lot of very sensitive private sector industries start to migrate or start to advertise that they're going to migrate. Banks are a perfect example. That means meeting with vendors regularly, and testing their algorithms to ensure that we can accurately and effectively implement them on federal systems...
The administration and national security memorandum set 2035 as our deadline as a government to migrate our [national security] systems to post-quantum cryptography. That's supposed to time with the development of operational quantum computers. We need to ensure that we start now, so that we don't end up not meeting the deadline before computers are operational... This is a prioritized migration for the U.S. government. We're going to start with our most critical systems — that includes what we call high-value assets, and high-impact systems. So for example, we're gonna prioritize systems that have personal health information.
That's our biggest emphasis — both when we talk to private industry and when we encourage agencies when they talk to their contractors and vendors — to really think about where your most sensitive data is and then prioritize those systems for migration.
Any day now ... (Score:3)
All the clickbait articles based on papers that turns out to be false or at least not possible to replicate, have made me take on a highly cynical attitude towards the entire field.
Sales have of course taken this into any marketing regarding encryption and are now consistently referring to AES as "Quantum Safe Encryption", which is just hilarious. It's not like you can just replace asymmetric with symmetric encryption to be "future proof", they kinda have different use cases.
The Cartman rule (Score:2)
You're absolutely right. This is a perfect example of where the Cartman Rule works.
If you can take a random assertion and start with "Cartman says" and it still makes sense... it was nonsense to begin with.
Cartman says quantum decryption [feel free to finish the as you like].
Cartman says computers in five years will be so fast that [yada yada yada...]
Cartman says we better get something by 2030 because if we don't, the bad guys will [yada yada yada yada].
Will there be quantum encryption/decryption and will
Re: (Score:1)
> If you can take a random assertion and start with "Cartman says" and it still makes sense... it was nonsense to begin with.
Cartman says communism works it just hasn't been properly implemented in practice.
Re:Any day now ... (Score:5, Insightful)
Sure, people don't think that "cryptographically relevant quantum computers" (CRQCs) will be developed "until at least the 2030s [rand.org]", and they'll likely have huge power draws for a while longer.
But we need to study alternative algorithms now so that we can be comfortable about them and deploy them for large-scale use before they are needed. You mentioned "any laptop on the planet could break this" breaks in cryptography: that literally happened [schneier.com] with the full strength of a serious candidate for post-quantum cryptography that had been scrutinized for a while. After the right kind of scrutiny, the SIKE algorithm fell apart entirely.
Applications that want to preserve privacy or confidentiality also need to worry about record-and-then-break attacks, where a well-resourced attacker records some encrypted exchange they want to decrypt and keep it until a CRQC can break it.
Re: (Score:3)
> But we need to study alternative algorithms now so that we can be comfortable about them and deploy them for large-scale use before they are needed. You mentioned "any laptop on the planet could break this" breaks in cryptography: that literally happened with the full strength of a serious candidate for post-quantum cryptography that had been scrutinized for a while. After the right kind of scrutiny, the SIKE algorithm fell apart entirely.
I agree with contingencies to address emergence of previously unknown threats. What I have no faith in is that PQC won't be pushed on the masses in the total absence of such a threat materializing.
I fully expect in the next two years to see industry pushed via tweaks to existing security standards document to perform wholesale switch from a RSA key exchange to PQC.
This will be justified by evidence-free claims of "inevitability" even in the absence of any known practical means to achieve required scalin
Re: (Score:3)
> I fully expect in the next two years to see industry pushed via tweaks
> to existing security standards document to perform wholesale switch
> from a RSA key exchange to PQC.
I think it is a false dilemma. You can take a hybrid approach, where a system combines PQC and classic algorithms to achieve its purpose. If you don't have full confidence in post-quantum crypto algorithms yet, you can use them without letting RSA go.
Of course, it comes at the cost of some complexity in the software, but you st
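The hybrid approach described in this reply, as an added example that is not the commenter's code and not from any project the page mentions: both shared secrets are concatenated into one HKDF input and the output is bound to the handshake transcript, the same concatenate-then-KDF shape used by the IETF TLS hybrid key-exchange design. The classical leg is a deliberately tiny finite-field Diffie-Hellman group (toy, insecure, chosen only so the exchange runs offline), and because the standard library has no post-quantum KEM, the PQ shared secret is a constructed byte string standing in for what a KEM decapsulation would deliver to both sides. Names such as `combine_secrets` and `run_hybrid_exchange` are this example's own.

```python
import hashlib
import hmac
import secrets


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract (HMAC-SHA256). An empty salt becomes a zero block."""
    if not salt:
        salt = bytes(hashlib.sha256().digest_size)
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand (HMAC-SHA256)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def rfc5869_self_check() -> bool:
    """Test case 1 from RFC 5869 appendix A, so the KDF above is known-good."""
    prk = hkdf_extract(bytes.fromhex("000102030405060708090a0b0c"), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes.fromhex("f0f1f2f3f4f5f6f7f8f9"), 42)
    return okm.hex() == ("3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                         "34007208d5b887185865")


# Toy finite-field Diffie-Hellman stands in for the classical leg. The group is far
# too small to be secure; it exists only so the handshake runs end to end offline.
TOY_P = 2**127 - 1   # Mersenne prime, toy size
TOY_G = 5


def dh_keypair() -> tuple[int, int]:
    priv = secrets.randbelow(TOY_P - 2) + 1
    return priv, pow(TOY_G, priv, TOY_P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    return pow(peer_pub, priv, TOY_P).to_bytes(16, "big")


def combine_secrets(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
                    length: int = 32) -> bytes:
    """Hybrid combiner: both shared secrets are concatenated into one KDF input,
    and the output is bound to the handshake transcript. Nobody can reproduce
    the session key without knowing BOTH secrets."""
    prk = hkdf_extract(salt=b"", ikm=ss_classical + ss_pq)
    return hkdf_expand(prk, b"hybrid-example-v1" + transcript, length)


def run_hybrid_exchange(ss_pq: bytes) -> dict:
    """Alice and Bob run toy DH for the classical leg; ss_pq plays the role of
    the secret a post-quantum KEM would have delivered to both sides (no KEM is
    implemented here, it is a constructed stand-in). Two one-legged adversaries
    are modelled afterwards to show neither reaches the real key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    transcript = hashlib.sha256(a_pub.to_bytes(16, "big") + b_pub.to_bytes(16, "big")).digest()
    key_alice = combine_secrets(dh_shared(a_priv, b_pub), ss_pq, transcript)
    key_bob = combine_secrets(dh_shared(b_priv, a_pub), ss_pq, transcript)
    # Adversary who recovered the DH secret (say, with a future quantum computer)
    # but knows nothing about ss_pq: the best they can do is feed the KDF a guess.
    classical_only = combine_secrets(dh_shared(a_priv, b_pub), bytes(len(ss_pq)), transcript)
    # Adversary who broke the PQ scheme (a SIKE-style collapse) but not DH.
    pq_only = combine_secrets(bytes(16), ss_pq, transcript)
    return {
        "agree": key_alice == key_bob,
        "key_len": len(key_alice),
        "classical_only_fails": classical_only != key_alice,
        "pq_only_fails": pq_only != key_alice,
    }


if __name__ == "__main__":
    print("HKDF vector ok:", rfc5869_self_check())
    print(run_hybrid_exchange(secrets.token_bytes(32)))
```

The complexity cost the reply mentions is visible here: two key pairs, two shared secrets and a transcript binding instead of one, but the payoff is that a break of either leg on its own leaves the session key out of reach.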
Re: (Score:2)
> I think it is a false dilemma. You can take a hybrid approach, where a system combines PQC and classic algorithms to achieve its purpose. If you don't have full confidence in post-quantum crypto algorithms yet, you can use them without letting RSA go.
> Of course, it comes at the cost of some complexity in the software, but you still get to use RSA as a battle-tested primitive.
I don't believe as a practical matter this is likely for PKI. It would require redundant keying for everything and I don't think people are going to accept that.
> Of course, it comes at the cost of some complexity in the software, but you still get to use RSA as a battle-tested primitive.
I think for forward secrecy it makes a lot of sense and addresses issues related to the prospect of future compromise.
Re: (Score:2)
RSA isn't a key exchange algorithm, it's an encryption algorithm. You're probably thinking of Diffie-Hellman key exchange. Frankly, RSA and non-EC DH deserve to be left behind at this point; the only real question is what to replace them with.
Do you have the same concerns about elliptic-curve algorithms and updating PKI for those? Even though they're smaller and faster than factoring-problem algorithms (such as RSA) with many fewer side channels?
How would you solve the problem of record-and-then-break at
Re: (Score:2)
> RSA isn't a key exchange algorithm, it's an encryption algorithm. You're probably thinking of Diffie-Hellman key exchange.
I don't agree. The role of RSA in TLS is to provide authentication and assist in the secure establishment of session encryption keys. RSA provides or assists in secure establishment of symmetric session encryption keys depending on whether or not a forward secure cipher suite is used.
> Frankly, RSA and non-EC DH deserve to be left behind at this point; the only real question is what to replace them with.
RSA is over 40 years old and ubiquitous yet still offers high levels of security. Demonstrated longevity (devil you know) of RSA has substantive value.
> Do you have the same concerns about elliptic-curve algorithms and updating PKI for those? Even though they're smaller and faster than factoring-problem algorithms (such as RSA) with many fewer side channels?
Personally I don't care about ECC. It's nice that it exists as a credibl
Re:Any day now ... (Score:5, Interesting)
Still, sooner or later (and very probably "later"), we probably will get quantum computers capable of reversing today's encryption at least to some kind of meaningful extent. For a lot of encrypted data in existence today, that won't matter in the slightest, but there are definitely usage cases where you would not want today's data decrypted within the potential timescales of that happening, and that's where the focus on moving to a "post-quantum world" now is mostly focussed; data with national security implications, mostly. Of course, the waters are somewhat muddied by no one really knowing when the post-quantum world will begin, or even what it might look like for that matter, so that provides a lot of the opportunities for selling snake oil we're now clearly seeing.
There are a few encryption algorithms that - so far at least - seem like they are not susceptible to breaking with Shor's Algorithm or similar quantum approaches but, AFAIK, no one is able to mathematically prove any of them beyond all doubt, so caveat emptor definitely applies. Most current implementations of AES are not in this group, but given a suitably large key size it is thought (see above re. mathematical proof) that you'd need more qubits than is likely to be practical for some time to break it. There is one algorithm that is definitely quantum-safe though; OTPs using datasets of arbitrary length. Encryption schemes that XOR against pre-sampled whitenoise have been around for decades, well before quantum computers became a realistic proposition, but only in niche applications where the logistical overhead of managing and securing the OTP data makes it worthwhile.
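The XOR-against-pre-sampled-material scheme this comment describes, as an added example that is not the commenter's code: the pad is drawn from the OS CSPRNG at runtime (a constructed stand-in for the whitenoise dataset), each party holds a copy, and a consumed-bitmap enforces the one property the scheme's security rests on, that no pad byte is ever used twice. `reuse_leak` shows why that rule exists: two ciphertexts under the same key bytes XOR to the XOR of the plaintexts, with the key cancelling out entirely. The class and function names are this example's own.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor_bytes: length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def sample_pad(length: int) -> bytes:
    """Pre-sample pad material from the OS CSPRNG. In a real deployment this is
    the whitenoise dataset the comment mentions; here it is constructed at
    runtime purely so the example runs offline."""
    return secrets.token_bytes(length)


class PadStore:
    """One party's copy of a shared pad, for ONE direction of traffic (a second
    direction needs its own pad region). A consumed-bitmap ensures every pad
    byte is used at most once, whether the request comes from the sender's
    cursor or from a decrypt at an offset supplied in a received message."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._used = bytearray(len(pad))  # 1 marks a consumed byte
        self._cursor = 0                  # next fresh offset for sending

    def remaining(self) -> int:
        return len(self._pad) - self._cursor

    def _claim(self, offset: int, n: int) -> bytes:
        if offset < 0 or offset + n > len(self._pad):
            raise ValueError("range outside pad (pad exhausted)")
        if any(self._used[offset:offset + n]):
            raise ValueError("pad bytes already consumed: refusing reuse")
        self._used[offset:offset + n] = b"\x01" * n
        return self._pad[offset:offset + n]

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Return (offset, ciphertext). The offset travels in the clear; it only
        tells the peer which pad bytes to XOR with and reveals nothing else."""
        offset = self._cursor
        key = self._claim(offset, len(plaintext))
        self._cursor = offset + len(plaintext)
        return offset, xor_bytes(plaintext, key)

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        key = self._claim(offset, len(ciphertext))
        return xor_bytes(ciphertext, key)


def reuse_leak(p1: bytes, p2: bytes, key: bytes) -> bool:
    """Why reuse is refused: two ciphertexts under the same key bytes XOR to
    the XOR of the two plaintexts, so the key drops out of the picture."""
    c1, c2 = xor_bytes(p1, key), xor_bytes(p2, key)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


def demo(pad_len: int = 64) -> dict:
    """Round trip, then the two failure modes: reuse and exhaustion."""
    pad = sample_pad(pad_len)          # constructed shared pad
    alice, bob = PadStore(pad), PadStore(pad)
    msg = b"meet at 0900"              # constructed 12-byte message
    offset, ct = alice.encrypt(msg)
    pt = bob.decrypt(offset, ct)
    try:                               # same pad bytes offered a second time
        bob.decrypt(offset, ct)
        reuse_rejected = False
    except ValueError:
        reuse_rejected = True
    try:                               # one byte more than the pad has left
        alice.encrypt(b"x" * (alice.remaining() + 1))
        exhaustion_rejected = False
    except ValueError:
        exhaustion_rejected = True
    return {
        "roundtrip": pt == msg,
        "reuse_rejected": reuse_rejected,
        "exhaustion_rejected": exhaustion_rejected,
        "remaining": alice.remaining(),
    }


if __name__ == "__main__":
    print(demo())
```

The logistical overhead the comment refers to is exactly what `PadStore` makes concrete: the pad must be as long as all traffic it will ever protect, both copies must be kept secret and in sync, and once it is exhausted there is no stretching it.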
Re: Any day now ... (Score:2)
AES ought to be safe. The real issue is with key exchanging. That's what asymmetrical encryption is used for. After the key exchange is performed, then that key is used for a symmetric encryption that's far more efficient to transmit the bulk of the data. It's the relatively small encryption keys that present the real issue and is the focus for a post quantum era.
Re: Any day now ... (Score:5, Informative)
Yes, AES is fairly safe -- unless someone finds another weakness in it, it's only vulnerable to Grover's algorithm [wikipedia.org] rather than Shor's algorithm. Because it requires O(sqrt(N)) work, doubling the AES key length provides the "same" protection against a theoretically perfect quantum computer compared to a classical computer.
But digital signatures are the other killer application for asymmetric cryptography. Unfortunately, these tend to have poor performance tradeoffs: SPHINCS+ has enormous signatures (30+ KB), Dilithium has largish keys and signatures (several KB each) with long compute times, while FALCON seems like the best size and reasonable speed but doesn't have a FIPS standard yet.
Re:Any day now ... (Score:4, Insightful)
Absolutely, it's silly to do simple things now to prepare for something catastrophic that may or may not happen in the future. Much better to wait until it does happen and then panic.
Re: (Score:2)
What you are not asking is what does an example of it being broken actually look like? Does it look like a demo someone shows you, for brownie points? Or does it look like millions of dollars disappearing off crypto exchanges, or high level mysterious hacks? In my opinion, basing security off conjecture was a terrible idea. If we have gotten to the point where the public is incentivized to not know what is going on, because the payoffs for holding the truth are too high, we are truly in a new dark age.
Re: (Score:3)
Any block cipher with > 200 bit effective key-length is not at all threatened by QCs. For the asymmetric ones, long key lengths are your friend. And you need these anyways.
No, there is no credible threat from QCs either. I suspect this is some scummy group in Government trying to push backdoored encryption.
Universe Hunting (Score:2)
> To explore America's "transition to a post-quantum world,"
Quantum physics is baked into the nature of our universe so the only way you are going to transition to a "post-quantum" world is by moving to another reality. Although, come to think of it, many politicians already seem to have made the move.
Re: (Score:2)
> Although, come to think of it, many politicians already seem to have made the move.
We should at least be thankful they decided to tell us to use asymmetric encryption in 2014.
I'm from the government (Score:1)
Re: (Score:2)
and I'm here to help.
To be fair, that is the Republican motto.
Re: (Score:2)
Reagan made that popular. And to help that along, he turned a good many government functions over to the private sector, which is also known collectively as "the Beltway Bandits". It worked a charm for rewarding campaign contributors to the GQP. Then he thought government spending was out of control, so he increased the size of the deficits by ill-considered tax cuts. The GQP learned that they could continue to buy their fat cats' campaign contributions by passing more tax cuts. They've been doing it so lon
Re: (Score:2)
It is and it isn't.
Re: I'm from the government (Score:2)
As regards the anti-vaccine crowd, you don't need to blame Reagan. That brand of insanity has been with us far longer. When Edward Jenner invented the smallpox vaccine, there were anti-vaxers back in 1796. And prior to Jenner's development of the vaccine, they used inoculation which used the scabs of smallpox victims to give mild cases of smallpox to prevent later major cases. Inoculation was fairly successful, so of course there were idiots protesting that as well ... back in 1721.
Re: I'm from the government (Score:2)
You'll note the modern explanation leaves out about a hundred "etc"s.
Re: I'm from the government (Score:1)
Start with Eisenhower. He was quite the religious man. Helped bake "In God We Trust"
That notwithstanding his contribution to operation Overlord.
Re: (Score:1)
> Because Reagan convinced the GQP that running against the government, we have jackasses out there telling us vaccinations are somehow bad. A brief look at the Covid deaths between Red states and Blue states should have convinced even the mentally concussed that lack of vaccinations meant the Red states had much higher death rates due to Covid.
There is no credible evidence to support this partisan fantasy. A brief look is insufficient to perform such an analysis. The study that has been done used a single age bucket including over 60% of the overall population and a variance of 60x in terms of death risk as a function of age according to CDC statistics such studies become worthless.
Those still supporting such crackpot studies are not serious people interested in the truth. They are merely partisan hacks looking to affirm what they already thin
Re: (Score:2)
While the current Speaker of the House claims to be a fundamentalist Christian, he's avoided issues such as women's rights and abortion. It's why he got elected, he's actually good at working the political system. Far more worrying is his second passion: A Trump fanboi. He was doubling-down on Trump's conspiracies when most politicians realised Trump's rhetoric wasn't working.
Re: (Score:2)
Re: (Score:2)
Thanks! How many days of my yearly income would you like as payment?
Re: (Score:2)
Re: (Score:2)
I'm always ready to share resources, comrade. Yours first :)
Banks used to give clients transaction numbers (Score:2)
Now they'll give them a bunch of one-time-pads.
Heh. (Score:3)
Re:Heh. (Score:4, Informative)
Quantum-AI-Nano-Micro-Giga-Cyber-Synergy. (Score:2)
The world has been post-quantum for a while now (Score:2)
QFT FTW!
What a waste of time and resources... (Score:2)
Quantum is still a toy that can't even factor 143 into 2 primes 11 and 13 in under a week. There is no fear to having 2010 symmetric crypto (RSA 1024) broken, let alone current (RSA 2048) or future (RSA 3096+) any time soon.
This seems like an effort to drive interest in the tech field, not solve any sort of actual potential problem.
Re: (Score:3)
Re: (Score:2)
My take is they want to push ciphers with backdoors here. Nothing else makes sense besides abject stupidity. Of course, it could be abject stupidity as well.
That lie is still being pushed? (Score:2)
I guess there are just enough morons around to eat it up. By now, it is completely clear that the only reason for "post quantum encryption" is that some organizations in the US think current encryption is too secure, so they are trying to push something much worse. QCs that can do anything useful (except simulating themselves) are not even on the distant horizon. There is zero need for any "preparation" here.
you have to do this thinking now because: (Score:2)
1) people are storing data now that needs to be protected past the time that "quantum" hits. So safe algorithms are needed even now.
2) large scale systems with lots of parties etc. take forever to effect change. You have to get everyone to agree that something needs to be done, then get them to agree on what to do, then get them to actually do it. Barring a worldwide disaster/alien attack/etc., this just won't happen in a matter of weeks, or months, or even years in some cases. It can take decades to get