NIST finalizes trio of post-quantum encryption standards

The National Institute of Standards and Technology (NIST) today released the long-awaited post-quantum encryption standards, designed to protect electronic information long into the future – when quantum computers are expected to break existing cryptographic algorithms. These machines aren't readily available yet. We have been …

  1. Bebu Silver badge

    NIST ... encouraged system administrators to start transitioning

    NIST mathematician Dustin Moody encouraged system administrators to start transitioning to the new standards ASAP

    I was wondering how feasible this was currently.

    A quick search revealed it's fairly straightforward to add new algorithms to openssl 3 by reason of its modular architecture and that the developers at Open Quantum Safe have tracked the drafts of these new standards.

    So I imagine these new standards will be integrated into the usual suspects like openssh etc if it's not already the case.

    I think the point that adversaries have been accumulating encrypted material against the day the technology might be able to decrypt that material suggests that all encrypted material ought to be secured from unauthorised access as though it were unencrypted.

    For example, storing your encrypted backups or archives on an internet-accessible server is probably not the greatest idea.

    1. Anonymous Coward

      Re: NIST ... encouraged system administrators to start transitioning

      For key exchange, there are some gotchas beyond simply adding the new algorithms to OpenSSL:

      - the computational overhead of the new algorithms is (moderately) higher, so some systems with less going on under the hood, or operating at scale, might find themselves taking a performance hit during the key exchange. Obviously, if you go down the hybrid route, that computational cost is cumulative with the existing overhead.

      - When PQC was added to Chromium they reported an increase in bandwidth per exchange of over a kb. Not likely to raise eyebrows in general, but for systems at scale, an extra kb per transaction could get difficult.

      - some network infrastructure and APIs can't handle the longer ClientHello messages required for PQC (sometimes splitting them up into smaller packets with catastrophic consequences). That might mean new network infrastructure (or at the very least new firmware for the offending infrastructure)

      For most people, it's likely the changes will just happen invisibly as their software and services update, but there are going to be some bumps along the way for big systems, distributed embedded systems, and some corner cases that I've not considered :D

      1. Michael Wojcik Silver badge

        Re: NIST ... encouraged system administrators to start transitioning

        The increase in message size, and in certificate size when certificates start getting signed with PQC DSAs, are problematic for some embedded systems too.
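The two posts above point at the same operational detail: a hybrid key_share carries a ~1.2 kB public key, so a TLS 1.3 ClientHello that used to fit comfortably in one TCP segment may now span two. The following Python is an added example for this thread, not code from NIST, OpenSSL, Chromium or anyone quoted here. It encodes a key_share extension exactly as RFC 8446 section 4.2.8 lays it out, parses it back, and estimates how many segments the resulting ClientHello occupies. The group code points and key lengths are taken from the IANA TLS Supported Groups registry as this example's author understands them (X25519MLKEM768 = X25519 public key plus ML-KEM-768 encapsulation key); treat them as assumptions and check them against your own TLS stack.

```python
"""Estimate the ClientHello growth caused by a post-quantum hybrid key_share.

Added example for this comment thread; not code from The Register, NIST,
OpenSSL or Chromium. Wire layout follows RFC 8446 section 4.2.8. Group ids
and key lengths are assumptions drawn from the IANA registry; verify locally.
"""
import struct

EXT_KEY_SHARE = 0x0033  # ExtensionType key_share (RFC 8446)

# group name -> (IANA group id, byte length of the client's key_exchange field)
GROUPS = {
    "x25519":         (0x001D, 32),         # classical ECDH
    "secp256r1":      (0x0017, 65),         # uncompressed P-256 point
    "X25519MLKEM768": (0x11EC, 32 + 1184),  # hybrid: X25519 pk || ML-KEM-768 encaps key
}


def key_share_extension(group_names):
    """Encode a key_share extension with a zero-filled placeholder key per group.

    Layout: ext_type(2) ext_len(2) client_shares_len(2)
            then per entry: group(2) key_exchange_len(2) key_exchange(n)
    """
    entries = b""
    for name in group_names:
        gid, klen = GROUPS[name]
        entries += struct.pack("!HH", gid, klen) + bytes(klen)  # zeros stand in for the key
    client_shares = struct.pack("!H", len(entries)) + entries
    return struct.pack("!HH", EXT_KEY_SHARE, len(client_shares)) + client_shares


def parse_key_share(ext):
    """Decode a key_share extension into [(group_id, key_length), ...]."""
    ext_type, ext_len = struct.unpack("!HH", ext[:4])
    if ext_type != EXT_KEY_SHARE or ext_len != len(ext) - 4:
        raise ValueError("not a well-formed key_share extension")
    (shares_len,) = struct.unpack("!H", ext[4:6])
    body, pos, out = ext[6:6 + shares_len], 0, []
    while pos < len(body):
        gid, klen = struct.unpack("!HH", body[pos:pos + 4])
        out.append((gid, klen))
        pos += 4 + klen
    if pos != len(body):
        raise ValueError("truncated KeyShareEntry")
    return out


def key_share_size(group_names):
    return len(key_share_extension(group_names))


def clienthello_segments(rest_of_hello, group_names, mss=1460):
    """Number of TCP segments the ClientHello record occupies.

    rest_of_hello: bytes in the record other than key_share (record header,
    random, cipher suites, SNI, ALPN, ...). Measure it from your own client;
    it is deliberately not hard-coded here.
    """
    total = rest_of_hello + key_share_size(group_names)
    return -(-total // mss)  # ceiling division


if __name__ == "__main__":
    for groups in (["x25519"], ["X25519MLKEM768", "x25519"]):
        print(groups, key_share_size(groups), "bytes,",
              clienthello_segments(250, groups), "segment(s) at 250 bytes of other content")
```

Run it once with the size of your real ClientHello minus key_share as `rest_of_hello`; if the segment count goes from 1 to 2 when the hybrid group is added, that is the configuration to test against the middleboxes and API gateways the thread warns about before rolling the group out by default.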

  2. amanfromMars 1 Silver badge

    Another Colossus of an Enigmatic Riddle Denying and Defying Human Solution ‽

    These machines [powerful super-fast processing quantum computers] aren't readily available yet.

    And most probably, ..... if you neither know nor are able to believe them already stealthily operative and highly proactive ..... because of the overwhelming almighty exclusive advantage they deliver to executive systems administration, SCADA mentors and monitors, an artful state of dynamic fluid existentialism for virtual realisation and self-actualisation for programming and projects application, never ever likely to be made readily available ...... and most definitely never ever to belligerents and enemies or opposing competition.

    AI rules AI reigns with AI reins on all future commissions and derivative market ventures .... and the open universal secret to aid your enjoyment and employment of the unfolding of its unbridled enlightening successes is simply to unconditionally accept it is destined to be so ..... and do not resist and fight against the inevitable and incredible, for such is futile and self-defeating.

  3. Pascal Monett Silver badge

    "implant compromised firmware on hardware"

    I don't see that that should be an issue since Huawei has been banned and Russia is incapable of selling computer hardware since it doesn't make any.

    And if it does start making some, it won't sell it outside of its captive market.

    So, what's the problem ?

    Oh, right. Cisco will probably fuck something up . . .

  4. DancesWithPoultry

    > math

    Maths. It's short for mathematics.

    1. Anonymous Coward

      Should be NIST (after consulting with the NSA) announced today...

    2. IGotOut Silver badge

      Give the US a break.

      There are a finite amount of letters available, so they took the "s" from maths and added it to LEGO instead.

  5. IanRS

    Ready for when they are needed

    Working quantum computers will probably be available around the time when they can be powered by the new fusion power plants, and delivered by fully autonomous self-driving trucks.

    1. Michael Wojcik Silver badge

      Re: Ready for when they are needed

      We already have working (general) quantum computers, and we probably have quantum advantage, though that's something of a moving target because we keep finding faster (in principle) classical methods for the problems in BQP that we're using as benchmarks, like quantum circuit evaluation.

      What we don't have yet are many working quantum computers, or any with nearly enough error-correcting logical qubits to pose a threat to classical asymmetric cryptography in practice.

      (QC will never be much of a threat to classical symmetric cryptography, since the quantum advantage there is just a square root, and doubling the key length trivially fixes that. In principle QC could be used against recorded encrypted traffic with a sufficiently short key, but there's relatively little eligible traffic because at the low end we can already break the too-short keys that were widely used during the cryptography embargo with classical attacks, and not long after that ended people were mostly using adequately long keys, at least for bulk attacks.)

  6. Anonymous Coward

    What would be quantum resistant?

    I wonder what quantum-resistant math is here. Unless the crypto infrastructure is also given the same quantum computing and maybe entanglement

    which some say it is not even possible to achieve for info exchange advantage, what are we talking about here? To put out some complex algorithms that can delay the intrusion by quantum computing? From the claims quantum computing would be a God-like probe of an enormous number of combinations, so if the receiving end is capable of decrypting using the known key in an instant for it to be usable, how long would it take for the Oracle of quantum computing? Either quantum computing hypes are a hoax or else these proven algorithms will not survive the test of time.

    1. Michael Wojcik Silver badge

      Re: What would be quantum resistant?

      There are tons of accessible explanations of quantum-resistant cryptography available online. Start with something fairly straightforward, like Classic McEliece.

      "Quantum-resistant math" just means "anything that appears to be a trapdoor function and doesn't have a known (or suspected) algorithm in BQP". In other words, most mathematics are "quantum-resistant". There is just a special class of problems where there are quantum-computing algorithms which have a formal time-complexity advantage — the ones that are in complexity class BQP — and that just happens to include the things that classic asymmetric cryptography uses for trapdoors, namely factoring and discrete logs (the latter in finite fields and elliptic curves).

      QC very, very much is not "try everything all at once". That's an utterly incorrect common myth about how QC works.

  7. gnasher729 Silver badge

    Questions:

    1. How safe would for example 4096 or 8192 bit RSA be against quantum computers, or other algorithms with doubled or quadrupled number of bits?

    2. How strong are these new algorithms against ordinary classical computers, especially compared to classical algorithms?

    3. Why are the new algorithms safe against quantum computers? Are they just so much harder to crack with classical computers that quantum also fails, or do they have properties where quantum computers can’t attack them?

    1. Anonymous Coward

      4096 and 8192 RSA have no meaning.

      People just like them because of human love of neat power of twos.

      Mathematically useful RSA lengths are 2048, 3072 and 15360. And the latter is of no practical use, too slow.

      It's time to pick an ECDSA flavor you like.

    2. Jon 37

      1. RSA is broken by quantum computers, no matter the bit length. The problem is that the difficulty of breaking RSA on a classical computer increases massively as you increase the bit length, but the difficulty of breaking it on a quantum computer only increases a little bit.

      2. I'm not sure, but particularly paranoid people can double encrypt with one of the new algorithms AND one of the existing, proven algorithms. That way, you know that you're not making things worse, because an attacker has to break both algorithms to decrypt your data.

      3. The math is specifically designed to make it hard for quantum computers to attack them, while still making it possible for existing computers to use the algorithms.

      1. Michael Wojcik Silver badge

        RSA is broken by quantum computers, no matter the bit length.

        That's true from a cryptographic-purity standpoint. It's more complicated in practice.

        Shor's is O(lg N) [1] in time. But it's O(N^3) in space (number of gates), so the space requirements grow quite badly — given the difficulties we still face in scaling up error-corrected qubits and quantum gates.

        Unless and until large QCs become available, attacks against decent-sized RSA keys using Shor won't generally be practical. And when large QCs become available, (the handful of [2]) attackers with them may well prefer to crack, say, 8 keys of length N in parallel rather than a single key of length 2N.

        ECC, on the other hand, will be more practical to break because of its much smaller keys.

        Then there's GEECM, the Groverized Lenstra variant, which is claimed to be "often faster than Shor's". I don't know what GEECM's space complexity looks like.

        For most people, their traffic isn't interesting enough to anyone to ever be threatened by QC, unless there's a truly mind-boggling breakthrough that completely changes the picture. As long as things like dilution refrigeration are in the hardware picture, and we struggle to get a significant number of physical qubits working, the risk to classical asymmetric cryptography for the vast majority of users is vanishingly small.

        Moving to PQC now(-ish) is justifiable from a security viewpoint. But the reality is that no one's going to be snooping on your Amazon purchases.

        [1] Actually polynomial in lg N, but we're among friends here.

        [2] There's only so much recorded RSA-protected key-exchange traffic that will still be of value to anyone at that point. Sure, you break a TLS server's RSA key and then you can decrypt all those session keys, and then the traffic you saved ... and then you have to separate the wheat from the chaff. NSA ain't gonna care about the vast majority of the crap they hoovered up; they did that mostly because they could.
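Jon 37's second answer above (combine one of the new algorithms with an existing, proven one so an attacker has to break both) is the hybrid key exchange that several posters mention. The property hinges on how the two shared secrets are combined, so the Python below, an added example for this thread and not code from NIST, OpenSSL or any poster, shows the combiner step on its own. The two KEMs are out of scope: the classical and post-quantum shared secrets and ciphertexts are constructed placeholders. The structure (concatenate both secrets, bind both ciphertexts as the KDF salt, derive the session key with HKDF-SHA256 from RFC 5869) follows the general shape of the TLS hybrid key-exchange drafts; the label and the choice of salt are this example's own assumptions, not a standardised construction.

```python
"""Hybrid KEM combiner: one session key from a classical and a post-quantum
shared secret, so that losing either secret alone does not reveal the key.

Added example for this thread; not NIST, OpenSSL or poster code. The KEM
outputs below are constructed placeholders. The combiner's label and salt
choice are this example's assumptions, not a standardised construction.
"""
import hashlib
import hmac


def hkdf_extract(salt, ikm):
    """RFC 5869 HKDF-Extract with SHA-256."""
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk, info, length):
    """RFC 5869 HKDF-Expand with SHA-256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def combine(ss_classical, ss_pq, ct_classical, ct_pq, label=b"hybrid-kem-example"):
    """Derive a 32-byte session key that depends on both shared secrets.

    Binding the ciphertexts into the salt means a key only matches if both
    parties saw the same two encapsulations, which blocks mix-and-match games
    between the two halves of the exchange.
    """
    if not (ss_classical and ss_pq):
        raise ValueError("both shared secrets are required")
    binding = hashlib.sha256(ct_classical + ct_pq).digest()
    prk = hkdf_extract(binding, ss_classical + ss_pq)
    return hkdf_expand(prk, label, 32)


# Constructed sample values standing in for real KEM outputs (not real keys).
SS_CLASSICAL = bytes(range(32))            # e.g. an X25519 shared secret
SS_PQ = bytes(range(32, 64))               # e.g. an ML-KEM shared secret
CT_CLASSICAL = b"\x01" * 32                # the X25519 public key sent on the wire
CT_PQ = b"\x02" * 1088                     # an ML-KEM-768 sized ciphertext placeholder


def demo():
    """Return the derived key plus variants showing each input matters."""
    key = combine(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, CT_PQ)
    return {
        "key": key,
        # attacker who broke the classical half still lacks ss_pq
        "wrong_pq": combine(SS_CLASSICAL, bytes(32), CT_CLASSICAL, CT_PQ),
        # attacker who broke the PQ half still lacks ss_classical
        "wrong_classical": combine(bytes(32), SS_PQ, CT_CLASSICAL, CT_PQ),
        # tampered ciphertext yields a different key on the other side
        "wrong_ct": combine(SS_CLASSICAL, SS_PQ, CT_CLASSICAL, b"\x03" * 1088),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16s} {value.hex()}")
```

The point the code makes concrete is that the session key is a function of both secrets and both transcripts: substituting zeros for either secret, which is what an attacker who has broken only one algorithm effectively has, produces an unrelated key. Production hybrids in TLS use the library's own combiner; this block is only to show why the "have to break both" claim holds.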

  8. sin

    "...America's adversaries – including Russia and China... "

    For us in the rest of the world: "America, Russia and China" because they are all the same from the outside.

    I don't see America being any less keen on getting other people's secrets, especially its allies', than the other two.

    (English is not my first language, but you'll get the point).

  9. ydroneaud

    Quantum Computing Cryptography

    In http://www.cs.auckland.ac.nz/~pgut001/pubs/bollocks.pdf "Why Quantum Cryptanalysis is Bollocks", Peter Gutmann explains that the quantum computer doesn't qualify as a threat now or for any foreseeable future, as it's not able to factorize anything useful (factoring 21 as 3 x 7, well done champ') and progress is really slow on that front.

    I think his advice is to focus on the lower-hanging fruit that matters more in real-life security, and not on vaporware cryptanalysis breakthroughs.
