IBM puts NIST’s quantum-resistant crypto to work in Z16 mainframe

IBM has started offering quantum-resistant crypto – using the quantum-resistant crypto recommended by the US National Institute of Standards and Technology (NIST). Quantum computers are expected to be so powerful they’ll carve through conventional encryption, exposing secrets in seconds. China is felt to be stealing data today …

  1. Pascal Monett

    Um, guys, get your story straight

    "exposing secrets in seconds" ?

    At the beginning of the month you published an article which stated that "it should be possible to factor a 2,048-bit integer in an RSA cryptosystem in about eight hours, given a 20 million-qubit quantum computer"

    Ok, so it will expose secrets in seconds, I agree.

    28 800 of them.

    1. DS999

      Re: Um, guys, get your story straight

      If that secret allowed someone to drain your bank account, along with everyone else who used your bank, I think you would say that 28,800 seconds is still way too quick!

      If a quantum computer able to factor a 2048 key in 8 hours arrives, odds are probably pretty good one that allows factoring that same key in 8 seconds will follow before long, so it will be "seconds" as far as a single digit number someday unless some roadblock to improving quantum computers is hit. You're just picking an arbitrary example from a single article.

      1. T. F. M. Reader

        Re: Um, guys, get your story straight

        One relevant question is whether 4096/8192/more bit RSA will still be safe or using radically different algorithms will be the only way forward.

        But then, as far as I understand, much of the strength of the quantum-resilient algorithms lies in the size of their keys...

        1. Michael Wojcik

          Re: Um, guys, get your story straight

          One relevant question is whether 4096/8192/more bit RSA will still be safe

          Depends entirely on your threat model. As phrased, it's a meaningless question.

          Today, monoalphabetic substitution is "safe" when it's used for data that no one wants to put any effort into decrypting.[1] A Post-It on the monitor is "safe" if no attacker ever looks at it.

          The vast majority of asymmetric encryption today is HTTPS. The vast majority of HTTPS is uninteresting to everyone but the systems legitimately using the connection. We employ it widely because that's easier than trying to ensure it's used on the rare occasions where it might be required.

          But then, as far as I understand, much of the strength of the quantum-resilient algorithms lies in the size of their keys

          Nope. At any rate, that's not what makes PQC "post-quantum". Obviously key length has to be sufficient to make classical attacks infeasible.

          PQC algorithms are quantum-resistant because they employ problems for which there are no known algorithms in complexity class BQP (which aren't also in P, since BQP is a superset of P, obviously). All of this is somewhat speculative; we have some proofs about what isn't in BQP under common assumptions,[2] and there are all sorts of intermediate results and strong reasons to believe this and that and so forth. So problems like finding the shortest vector in a lattice that satisfies some requirement, or learning a ring using a set of inputs into which errors have been injected, and so on are used, because there are good reasons to believe these are not tractable even for general quantum computers.

          [1] Yes, comparing symmetric to asymmetric encryption. The larger point stands.

          [2] For example, assuming P≠NP, then there's nothing faster (by complexity) than Grover's algorithm in BQP for doing what Grover's algorithm does.

      2. Michael Wojcik

        Re: Um, guys, get your story straight

        If that secret allowed someone to drain your bank account, along with everyone else who used your bank, I think you would say that 28,800 seconds is still way too quick!

        By the time we have general QC at that scale, at a price point where it's sensible to use it to "drain [someone's] bank account" (based on some hypothetical attack that you didn't bother outlining), I suspect we'll either have much bigger problems to worry about, or more likely will be long dead and hence not worried about anything.

        General QC has made impressive progress in recent years. It is still nowhere near the point where "hey, I'll just break any asymmetric public key I run across" is at all plausible. If things go very well for QC research, we just might have, in a few years, a machine which can break a modestly-sized public key with some days' worth of setup and a day or so to run. A key. One at a time. At very large cost. (Dilution refrigerators aren't exactly cheap to run.[1])

        Ain't no one gonna lose their savings to a QC attack on their HTTPS connection to their bank. That would be a bit like being murdered by a nuclear weapon. You may have some enemies, and it's theoretically possible for one of them to put together a working fission bomb in their garage, lug it over to your place, and blow you to smithereens; but it's not a realistic threat. There are much, much, much easier and cheaper ways to achieve the same end.

        [1] And how soon before we're at Peak Helium? That stuff is easy enough to make – if you're the sun. Here on Earth it's kind of a problem. The geniuses in Congress got rid of a big chunk of the US supply, so...

  2. alain williams

    CRYSTALS-Dilithium

    Encryption Jim, but not as we know it.

    1. TheSirFin

      Re: CRYSTALS-Dilithium

      "hhhmmmm .... Crystal Dilithium have you then .... yes"

  3. Anonymous Coward
    Paris Hilton

    CRYSTALS-Kyber

    But what color are the Kyber Crystals? I need to know for my light saber.

    I assume IBM chose the names to avoid taking sides in the battle between Star Trek and Star Wars.

    1. Michael Wojcik

      Re: CRYSTALS-Kyber

      They're not IBM's names. The CRYSTALS (Cryptographic Suite for Algebraic Lattices) project is an inter-organizational effort. Two of the team members have IBM affiliation, but it's not owned or run by IBM.

  4. julian.smith
    Mushroom

    Trust the US National Institute of Standards and Technology (NIST)?

    I've got an NFT of the Brooklyn Bridge you'll be interested in.

    Dumb as a sack of rocks.
