NSA: We 'don't know when or even if' a quantum computer will ever be able to break today's public-key encryption

America's National Security Agency has published an FAQ about quantum cryptography, saying it does not know "when or even if" a quantum computer will ever exist to "exploit" public-key cryptography. In the document, titled Quantum Computing and Post-Quantum Cryptography, the NSA said it "has to produce requirements today for …

  1. Anonymous Coward
    Anonymous Coward

    Well, *that's* a relief!

    If the NSA says not to worry, that means they already have 3.14159265358979323846264338327950288419716939937510582097494459230781640628620899862803482534211706798214808651328230664709384460955058223172535940812848111745028410270193852110555964462... of them.

  2. Pete 2 Silver badge

    Not asking the right people

    > it does not know "when or even if" a quantum computer will exist to "exploit" public key cryptography.

    I wonder what the response would be if that question was asked of the Chinese?

    China emerges as quantum tech leader while Biden vows to catch up (says the Chinese!)

    1. Anonymous Coward
      Anonymous Coward

      Re: Not asking the right people

      The claim: a quantum computer goes through every state simultaneously till it's measured, so it can check all possible answers and then settle on the optimal answer in zero time. Feynman's idea.

      The problem is it's a bogus claim, you've already found repeating patterns in that subatomic motion showing that it's complex/not understood but NOT RANDOM [probabilistic]. You label them with mystical terms like "quantum teleportation", and "entanglement", rather than address the mistake.

      Matter interacts with other matter all the time, it has no idea if those interactions constitute 'measurement' or not.

      Given that this motion gives matter its scale, and the speed of light is measured against the scale of matter, so for speed of light in a vacuum to be a constant, the motion at the subatomic (and all levels) must be the same mechanism of motion as light's motion.

      If you stop measuring light, does it stop moving? Or perhaps head off in a random direction till you measure it again? No? Then neither does the subatomic level. The only difference there is you understand one and not the other. One is sufficiently simple a motion, that you can describe and model it, and the other is more complex (at least it appears to be) and not understood. Yet they are the same motion, they must be for light's speed to be constant, relative to the other!

      Particle physics is not a science, it's a math approximation of a 'complex' observed system that's become a cult.

      Here's the China card played, as if the EU didn't piss away billions already on this. Only to have the cult repeat the same flawed experiments over and over again. Do you want China to piss away billions?

      1. Anonymous Coward
        Anonymous Coward

        Re: Not asking the right people

        That is exactly what I have always thought of Heisenberg's indeterminacy principle. When nature repeats patterns everywhere I never understood the acceptance of an approximate theory like quantum particle science as a core science replacing entirely pure physics of understanding nature. To me quantum physics is no different from a mass manufacturing quality control study because you can not inspect every one of the produced items. Even the celebrated De Broglie dual wave-particle properties including its associated verifiable experiments must have their explanation if we really understood at subparticle level all that is involved. I always thought giants that would live under water and notice a diffraction of a traveling water wave similar to wave-particle experiments would also have concluded water itself is, as we know it is, of quantic nature and that quantic nature is visible to them. This is the level of human understanding of the current quantum state of the subatomic world. Yes it is a quasi cult and I believe Einstein was not wrong in protesting to find spooky action at a distance. I may have issues in understanding the need to reduce just to geometry of space time to explain gravity as he proposed it but I am pretty inclined to have the same view on his doubts about the quantum world view.

        1. Anonymous Coward
          Anonymous Coward

          Re: Not asking the right people

          Just extending on the principle of indeterminacy, suppose you are a new human incarnation that wants to study a given car, parked or in motion. And your new self incarnation lives in a new universe, another car that never stops and for the sake of analogy has constant speed like light is claimed to have. Let's also make an analogy of the subatomic particle observability with photons by defining our observability in our case to be to take the temperature of the other car by direct physical contact with the other car's engine compartment. But then because our universe is a car that is always in motion, when we get closer to take the temperature of the car being studied there will be a physical impact and the temperature that we will read will be altered by the impact. What should you do then, come up with some crazy approximate idea like quantic physics or else try to find out how our universe's motion impact has changed the temperature of the subject you are studying? Is it even rational to consider this phenomenon as not observable and therefore build a complete probabilistic theory without core understanding of the physics below? How is denying the existence of nature if it is not observable different from dogmas that have fallen from the past.

      2. itzman
        Boffin

        Re: Not asking the right people

        "If you stop measuring light, does it stop moving? Or perhaps head off in a random direction till you measure it again?"

        The fact that anything not directly observed even exists, is in the end only an article of faith.

        You appear to be blind to the Materialist worldview which you assume to be true, for no other reason than it vaguely explains your experience.

        Once you confuse models in your mind with the RealWorld™, you have stopped learning anything.

      3. Baximelter

        Re: Not asking the right people

        "Matter interacts with other matter all the time, it has no idea if those interactions constitute 'measurement' or not."

        This is the best, most succinct refutation of Niels Bohr's crazy notion of measurement and the 'quantum collapse' that I have ever seen.

      4. Anonymous Coward
        Anonymous Coward

        Re: Not asking the right people

        I have always also wondered what physical interpretation one should take even of existing deterministic models and formulas when those mathematical formulations have singularities. If you take literally those asymptotic trends most of these formulas with singularities diverge from what we observe with our plain eyes. So building a world view only with even exact mathematics is not always correct, let alone to build a new reality on probability-based mathematics. Math used to be auxiliary and not the determinant of nature study and even if math predicts some of the physical traits not all math formula "simulations" ended up being a fit to our physical world. In fact most of those simulations end up being nothing else than a cooked reality projection that never would be seen in the real world. In the subatomic world study the trend is just to accept blindly these projections as proven reality even when we build our supposedly independent measurement systems.

  3. Anonymous Coward
    Anonymous Coward

    AES-256 and SHA-384, is that all?

    Bah. I've been using AES-1024 and SHA-4096 for decades. I encoded my library of bad filk about squirrels. To give them something to do. Because I'm a right bastard, that's why. Have fun! =-D

    1. eldakka

      Re: AES-256 and SHA-384, is that all?

      > Bah. I've been using AES-1024

      Since AES is not public-key cryptography - it's symmetric key - then for the purposes of this article, "a quantum computer will ever be able to break today's public-key encryption", the number of bits used in AES is irrelevant.

      However, more generally, even AES-256 is safe (relatively) from quantum computing, as per this article that explains it better than I ever can:

      While Grover’s algorithm [a quantum search algorithm] can reduce the time necessary to guess symmetric keys, widely accepted solutions with sufficient key size are believed to be quantum-resistant. Lane Wagner, writing for Qvault, reports that Grover’s algorithm can effectively reduce the attack time against AES-128 to achieve reasonably successful key guessing once quantum computers reach the necessary power levels. However, the AES-256 keyspace is sufficiently large to remain resistant to quantum-enabled attacks.

      And just to provide an idea of 'strength' of symmetric keys as used by AES from the same article:

      Ubiq Security describes the length of time it would take with today’s technology to guess the keys for AES-128 and AES-256. Using the combined power of Bitcoin farmer networks, it could take about 70,000,000,000,000,000,000,000,000 years to guess an AES-128 key.

      1. MJB7
        Boffin

        Re: AES-256 and SHA-384, is that all?

        More precisely, a quantum computer can halve the effective key length of a symmetric key, so AES-256 would have 128 bit security. That's good enough (but AES-128 with 64 bit security would be dodgy). Asymmetric crypto has its key length logged - so a quantum computer with O(500) logical qubits can break RSA-4096.

      2. sreynolds

        Re: AES-256 and SHA-384, is that all?

        What is the quantum algorithm for SHA-x and AES? Shor's is about factorization, no?

    2. Anonymous Coward
      Anonymous Coward

      Re: AES-256 and SHA-384, is that all?

      African or European squirrel?

  4. Vulch
    Black Helicopters

    So...

    saying it does not know "when or even if" a quantum computer will ever exist to "exploit" public-key cryptography.

    It went live last week then.

    1. sad_loser
      Black Helicopters

      Re: So...

      As Christine Keeler so memorably commented

      "they would say that, wouldn't they?"

      1. smudge
        Headmaster

        Re: So...

        Mandy Rice-Davies, not Keeler.

    2. Ian Johnston Silver badge

      Re: So...

      That's what they want you to think.

      What it really means, of course, is that they are trying to scare people into changing encryption to something which looks unbreakable but which they have actually solved.

      Or perhaps that's what they want you to think.

    3. DJO Silver badge

      Re: So...

      Progress is being made: in 2012, the factorization of 21 was achieved, setting the record for the largest integer factored with Shor's algorithm.

      Some way to go perhaps.

      1. sreynolds

        Re: So...

        Whoohoo. Start popping the champagne corks. Mission accomplished. RSA and DSA broken.

  5. Ken G Silver badge
    Trollface

    See if the NSA asks for funding for such a computer

    If it doesn't, it means they already have one and are funding themselves by mining bitcoin.

    1. ravenviz Silver badge

      Re: See if the NSA asks for funding for such a computer

      If they had done that then all the Bitcoin would already be in circulation.

      1. doublelayer Silver badge

        Re: See if the NSA asks for funding for such a computer

        Only if they did it wrong. If you have a quantum computer and you want to use crypto to earn money, there's more to gain by finding wallets that haven't spent money in a long time and cracking their private keys. That gives you money without making it obvious that a lot more mining is being done.

  6. Pascal Monett Silver badge

    "users will divulge their passwords in return for chocolate"

    What makes you think they will give their actual password ?

    You want to give me a frozen Mars Bar for my email password ? Kachinka2708. Hand it over.

    1. Charles 9

      Re: "users will divulge their passwords in return for chocolate"

      You don't really think they wouldn't verify your submissions before paying out?

      * Payment conditional on verification.

      1. Arthur the cat Silver badge

        Re: "users will divulge their passwords in return for chocolate"

        You don't really think they wouldn't verify your submissions before paying out?

        The only time I know of when this test was done, it was a TV crew and "security expert" asking London commuters at some railway station the question. No verification, not even a confirmation of what the password was for. I.e. a stupid stunt for TV, not a real experiment.

        1. MJI Silver badge

          Re: "users will divulge their passwords in return for chocolate"

          Yum chocolate

          As long as not US sick stuff.

          And I would say

          "Battery Horse Correct Stable"

          Do I use it? No

          Do I get chocolate? Yes

          1. DJO Silver badge

            Re: "users will divulge their passwords in return for chocolate"

            "Battery Horse Correct Stable"

            Sneaky, the original from XKCD was "Battery Horse Correct Staple" either you've changed the last word or proven the concept false by forgetting one of the words.

            1. Charles 9

              Re: "users will divulge their passwords in return for chocolate"

              I've always protested that comic because I know people whose memory is SO bad that they could easily go, "Now was that 'correct horse battery staple' or 'donkey engine paperclip wrong'?"

              What do you do for people whose memories are SO bad that there's basically nothing you can count on them to know?

            2. MJI Silver badge

              Re: "users will divulge their passwords in return for chocolate"

              Stable Staple

              I actually was not sure, but anyway if it was wrong, even better.

        2. DrewWyatt

          Re: "users will divulge their passwords in return for chocolate"

          Looks like they did it a few years on the run. Here is what The Register wrote about it in 2008:

          https://www.theregister.com/2008/04/16/password_security/

    2. lglethal Silver badge
      Joke

      Re: "users will divulge their passwords in return for chocolate"

      Wait I can get free Chocolate??? Where do I sign up???

  7. Anonymous Coward
    Anonymous Coward

    Ultimately for the first 50 years, quantum computers will be too heavily monetised to actually be useful so they are probably telling the truth XD

  8. Chris Miller
    Joke

    If a QC could churn out billions of bitcoin, that would be interesting.

    1. JCT5698

      That is not how bitcoin works. There can only ever be 21 million, and there is a set amount that is mined every 10 min.

  9. Toolman83

    Oh, that means they have already broken it...

  10. Allan George Dyer
    Coat

    How was the announcement made?

    I'm imagining the head of the NSA, sitting in a large swivel chair stroking a cat previously owned by Schrödinger...

    Pass me the coat with the death-trap escape gadget in the pocket.

    1. Aristotles slow and dimwitted horse

      Re: How was the announcement made?

      At least the cat was happy. It had previously had a hell of a time being stuck in that box for so long with not a single person physically checking in on its state of being.

      1. Bartholomew
        Devil

        Re: How was the announcement made?

        I feel sorry for that poor cat, shoved into a dark metal box with a source of radiation and a vial of poison for the last 70+ years. There may have been a single bowl of milk in there as well, but that was gone in the first five minutes. I can tell you this without looking that cat is dead folks, and do not even think about opening the box now.

        1. A.P. Veening Silver badge

          Re: How was the announcement made?

          There may have been a single bowl of milk in there as well

          While most cats do like milk, it is very unhealthy for them (as well as for most other adult mammals; humans -and not even all of them- are the exception), so providing that bowl of milk would not be ethical.

  11. Hubert Cumberdale

    With the rubber hose mention, I expected a link to the oblig. XKCD.

    1. Kane
      Thumb Up

      "With the rubber hose mention, I expected a link to the oblig. XKCD."

      I came here for this, was not disappointed!

  12. Binraider Silver badge

    Perhaps the NSA has tipped their hand because a foreign state has the potential to be ahead of them? All the funding in the universe doesn’t produce brainpower.

  13. Anonymous Coward
    Anonymous Coward

    Misdirection Again (Why am I not surprised?)

    So.....in Public Key Cryptography there's a public key (duh!) and the owner of that public key also has a private key (secret....not public). So messages using this key pair can be attacked in two different ways......the keys can be attacked, or the messages can be attacked, or both.

    *

    In Symmetrical Key Cryptography there's a secret key, used by both the sender and the recipient of a message. So any attack boils down to guessing the key. (Of course the snoops might try to STEAL the key too...but that's cheating!!).

    *

    And finally, there may be people who use a cryptography algorithm which is not published, but which might (or might not) be a variant of one of the published algorithms. In this case, it's not at all clear whether ANY type of attack might be possible......because for ANY attack to be designed, the algorithm needs to be known. Quantum computers may be good at guessing keys......but the guesses have to be applied to the encrypted message USING AN ALGORITHM!

    *

    Just as a little test, here's a message using a private algorithm. El Reg readers with access to a quantum computer are welcome to publish the plain text in a prompt reply!

    *


    *

    Hint.....before you start, you might like to consider whether this really is base64!

    1. MJB7
      Boffin

      Re: Misdirection Again (Why am I not surprised?)

      You might want to look up the cryptanalysis of the Lorenz Cipher. Bill Tutte worked out the algorithm without ever having seen a Lorenz machine.

      See also Kerckhoffs's principle.

      1. Anonymous Coward
        Anonymous Coward

        Re: Misdirection Again (Why am I not surprised?)

        @MJB7

        OK......good for Kerckhoff! ....and Shannon!!

        *

        .....but the point still remains.....you need to know the algorithm for decryption to be successful.

        *

        .....even if you have to figure it out without ever seeing the machine (or the program code).

        *

        .....so it DOES NOT HURT if the algorithm is hard to identify....does it?

        1. doublelayer Silver badge

          Re: Misdirection Again (Why am I not surprised?)

          ".....so it DOES NOT HURT if the algorithm is hard to identify....does it?"

          It does hurt if you made any mistakes because nobody else tested for whether you had a clue what you were doing. If you are infallible in designing encryption, which is unlikely, it provides a mild benefit the strength of which depends on the resources of the attacker. But we've had that discussion before, so I'll stop now.

    2. Anonymous Coward
      Anonymous Coward

      Re: Misdirection Again (Why am I not surprised?)

      @AC

      *

      Of course the comentards here on El Reg might be MUCH more comfortable if the cipher was encrypted in IDEA. So....

      *


      *

      Same message......but this time in IDEA. Quantum computing can now compare TWO separate encryptions of the same message. Must be easier than just having one encryption! Do let us know what the plain text says!!!

      *

      1. Anonymous Coward
        Anonymous Coward

        Re: Misdirection Again (Why am I not surprised?)

        And then again maybe a Blowfish version would help the quantum decryption folk....

        Third encrypted version of THE SAME plain text!

        *


        *

  14. Peter2 Silver badge

    Quantum proof encryption? It's not actually that difficult to come up with completely impregnable methods of dealing with cracking keys. Using one time pads would be utterly Quantum proof if the concern is basically brute forcing keys as so far as I can see, and with modern hardware could be implemented relatively easily.

    Take two 8TB hard drives full of a solid block of data, and put one at two locations to be used as encryption keys between them. Then encrypt each character going over the connection with that data, deleting it when used. There would be enough data on the drives to encrypt all traffic going over a 100mbps connection for 7.7 days, assuming my math is right. (A 100 megabits per second line divided by 8 to get from bits to bytes is 12.5 megabytes a second, and taking a 8192GB drive, which is 8388608MB divided by the 12.5MB/s gives you 671088.64 seconds worth of use, which is 11184.81 minutes, 186.41 hours = 7.7 days)

    Key exchange would be a pain in the ass because it would have to be done by physically delivering drives by somebody trusted, but even at constant 100mbps use maxing out the line it'd only need doing once a week so it's not unfeasible; it'd also be utterly impregnable and perfectly suitable for use between you and your bank, or for VPN's used in a hub and spoke model. Where it falls down flat is between you and random websites that you wouldn't have a one time pad from.

    Well, that and acquiring 8TB worth of random data without using a RNG that could be cracked, but you could get pretty random numbers via things like instruments attached to a computer such as digital thermometers tracking the temperature to 20 digits and the same with EM field sensors etc.
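Peter2's drive-as-pad scheme above, as an added example that is not part of the original post (Python; it assumes one pad file per direction of traffic and a small cursor file beside it to record consumption): each message byte is XORed with one pad byte, which is then zeroed on disk, and the same arithmetic as the post gives the pad's lifetime on a saturated 100 Mbit/s link.

```python
# Added example (not from the thread): a file-backed one-time pad in the spirit
# of Peter2's "8TB drive as the key" scheme. Each pad byte is XORed with exactly
# one message byte and then overwritten on disk, so it can never be used twice.
import os
import secrets
import tempfile

# Peter2's figures: an "8192GB" drive counted as 8388608 MB, on a 100 Mbit/s
# line that moves 12.5 MB/s when saturated.
PAD_MB = 8192 * 1024
LINE_MB_PER_SEC = 100 / 8


def pad_lifetime_days(pad_mb: float = PAD_MB, mb_per_sec: float = LINE_MB_PER_SEC) -> float:
    """Days a pad lasts on a saturated link (the post's 7.7 days)."""
    return pad_mb / mb_per_sec / 86400


class OneTimePad:
    """One party's copy of the pad for one direction of traffic. A cursor file
    persists how much has been consumed so that a crash cannot lead to reuse."""

    def __init__(self, pad_path: str):
        self.pad_path = pad_path
        self.cursor_path = pad_path + ".cursor"   # assumed layout, not from the post
        self.size = os.path.getsize(pad_path)
        self.offset = 0
        if os.path.exists(self.cursor_path):
            with open(self.cursor_path) as c:
                self.offset = int(c.read())

    def _take(self, n: int) -> bytes:
        """Consume n pad bytes: read them, zero them on disk, advance the cursor."""
        if self.offset + n > self.size:
            raise RuntimeError("pad exhausted: courier a fresh drive, never reuse")
        with open(self.pad_path, "r+b") as f:
            f.seek(self.offset)
            key = f.read(n)
            f.seek(self.offset)
            f.write(b"\x00" * n)      # destroy used key material (best effort on SSDs)
            f.flush()
            os.fsync(f.fileno())
        self.offset += n
        with open(self.cursor_path, "w") as c:
            c.write(str(self.offset))
        return key

    def encrypt(self, plaintext: bytes) -> tuple[int, bytes]:
        """Return (pad offset, ciphertext). The offset travels in the clear; it tells
        the peer which region of its own copy to consume and reveals nothing else."""
        start = self.offset
        key = self._take(len(plaintext))
        return start, bytes(p ^ k for p, k in zip(plaintext, key))

    def decrypt(self, start: int, ciphertext: bytes) -> bytes:
        if start != self.offset:
            raise RuntimeError("pad out of sync with sender: refuse rather than reuse")
        key = self._take(len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def demo(pad_bytes: int = 4096) -> tuple[bytes, bool]:
    """Round-trip a message between two identical (constructed) pad copies and
    check that the sender's copy really no longer holds the used key bytes."""
    tmp = tempfile.mkdtemp()
    pad = secrets.token_bytes(pad_bytes)       # stand-in for the hardware RNG output
    paths = [os.path.join(tmp, name) for name in ("alice.pad", "bob.pad")]
    for path in paths:
        with open(path, "wb") as f:
            f.write(pad)
    alice, bob = OneTimePad(paths[0]), OneTimePad(paths[1])
    msg = b"transfer 100 to account 42"
    start, ct = alice.encrypt(msg)
    recovered = bob.decrypt(start, ct)
    with open(paths[0], "rb") as f:
        wiped = f.read(len(msg)) == b"\x00" * len(msg)
    return recovered, wiped
```

The pad gives confidentiality only; a tampered ciphertext still decrypts to something, so a real link would add an authentication tag keyed from further pad bytes.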

    1. Rob Daglish

      You are Tom Clancy, and ICMFP.

      This is pretty much what he suggested in one of his Jack Ryan books -the CIA recorded atmospheric interference, recorded it to CD, one copy to sender, one to headquarters, and used that to encrypt comms, with a new CD for each day which was erased as the data was used, and then microwaved each night to destroy any remaining data on them.

      1. Peter2 Silver badge

        Sorry, no fiver. :)

        One time pads are a pretty obvious solution to getting virtually unbreakable encryption; coming up with a digital version of this isn't exactly rocket science. The only real question there is if he got the idea from hearing of an actual implementation of this, which wouldn't surprise me. It was my first thought, so I'd be surprised if there weren't hundreds of independent implementations of this from places like the CIA who wouldn't want a risk of somebody recording their satellite traffic and then decoding it, even 20 years down the line.

        Picking a combination of some form of external input is also reasonably obvious; anybody going to this sort of paranoia induced extent is hardly going to rely upon a pseudo-random number generator as you'd assume the worst case that the RNG might have some kind of a deliberately inbuilt pattern to it that might compromise your encryption scheme.

        Microwaving the CD's though as a destruction method is something I'm not sure about, I'd have thought that would just destroy the plastic and risk leaving the data layer alive, which could possibly be recovered by somebody sufficiently determined in a lab. I'd have thought a metal container, a can of lighter fluid and a match would have been safer. :)

        1. Charles 9

          "Microwaving the CD's though as a destruction method is something I'm not sure about, I'd have thought that would just destroy the plastic and risk leaving the data layer alive, which could possibly be recovered by somebody sufficiently determined in a lab. I'd have thought a metal container, a can of lighter fluid and a match would have been safer. :)"

          The reason microwaving a CD is considered safe as a destructive method is because CDs keep a metallic reflective layer, even on recordables (the recordable medium covers it up, the recording/rewriting laser removes/alters it to make it transparent). And you know what happens when you put metal in a microwave...

    2. Bartholomew

      The real problem is how to generate 8 TiB of cryptographically secure random numbers at least 100 Mbit/second.

      Let's say that you are generating the random numbers in a secure location. Let's also say that you were using a hundred thermoelectric couples with automatic gain control so as to not overload and yet still make sure that you are filling all the digits of a 24-bit ADC (Analogue to Digital Converter). Doing the basic maths, that would mean that each ADC would need to sample at at least 41667 samples per second. Which is not impractical, it is within the range of most cheap audio ADC chips, and you get two (stereo) or more channels on each chip at a price point that will be low because it is a mass produced high quality part. But probably about 16-22 of the bits will be constant between consecutive samples taken only 24 microseconds apart because thermoelectric couples have a physical mass and it takes time for fluctuations in the external temperature to raise or lower the temperature. So at best you probably have 8 bits, and at worst 2 bits, of good randomness out of every 24 bits, which would be times 100 for the 100 ADCs. So about 800 to 200 random bits out of every 24000 bits generated. The "good" random bits will be biased (on average more ones than zeros, or more zeros than ones), so your options are to hash the output and hide any problems, which is what 99.9% of the "true random" number generators do, or you could discard the uppermost bits that are common between two consecutive samples and use the von Neumann debiasing algorithm (1. take two bits from the input; 2. if both are the same, throw both away and goto step 1; 3. if both are different, output the first bit, throw away the second bit and goto step 1) on the lower bits. But if you feed the debiased "good" output of that directly into "Dieharder" (a random number test suite by Robert G. Brown), it turns out not to be truly random. So even if you added 100 times more ADCs it is just not good enough. Which is why nearly everyone feeds their output to reseed a CSPRNG (Cryptographically-Secure PseudoRandom Number Generator); even Linux uses a CSPRNG for both /dev/random and /dev/urandom (ref: https://www.2uo.de/myths-about-urandom/ ).

      It is actually very difficult to source truly random numbers (without using a CSPRNG) at more than a few kilobits a second, so most people settle for good enough solutions.
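      The three-step debiasing rule and the "keep only the low bits that change between consecutive samples" idea from the post above, as an added worked example in Python (this is not code from the post, from Dieharder, or from any product mentioned). The 24-bit sample values and the 80/20 bias of the test stream are constructed for illustration; the rule is applied to independent bits, which is the case it is designed for.

```python
"""Von Neumann debiasing applied to ADC low bits (added example).

Implements the steps from the post: (1) take two bits, (2) if equal drop
both, (3) if different emit the first bit and drop the second.  Also shows
the 'keep only the low bits that change between consecutive samples' idea.
The ADC samples and the 80/20 bias below are constructed, not measured.
"""
import random
from typing import Iterable, List, Sequence


def von_neumann_debias(bits: Iterable[int]) -> List[int]:
    """Apply von Neumann's rule to a sequence of 0/1 values."""
    out: List[int] = []
    it = iter(bits)
    for first in it:
        second = next(it, None)
        if second is None:      # odd trailing bit: nothing to pair it with
            break
        if first != second:     # (0,1) -> 0, (1,0) -> 1; equal pairs dropped
            out.append(first)
    return out


def changing_low_bits(samples: Sequence[int]) -> int:
    """How many low-order bits ever differ between consecutive samples.

    The post's observation is that the high bits of a slow thermal sensor
    are constant from one sample to the next; XOR of neighbours finds the
    bits that do move, and the OR of those XORs gives the width to keep.
    """
    mask = 0
    for a, b in zip(samples, samples[1:]):
        mask |= a ^ b
    return mask.bit_length()


def low_bits_stream(samples: Sequence[int], nbits: int) -> List[int]:
    """Unpack the nbits low-order bits of every sample, MSB first."""
    return [(s >> i) & 1 for s in samples for i in range(nbits - 1, -1, -1)]


def ones_fraction(bits: Sequence[int]) -> float:
    """Fraction of ones; 0.5 means no bias in the simple counting sense."""
    return sum(bits) / len(bits) if bits else 0.0


def expected_yield(p_one: float) -> float:
    """Output bits per input bit for independent bits with P(1)=p_one.

    A pair is emitted with probability 2*p*(1-p) and costs two input bits,
    so the yield is p*(1-p): at most 0.25, and only 0.16 at p=0.8.
    """
    return p_one * (1.0 - p_one)


def biased_bits(n: int, p_one: float, seed: int = 1) -> List[int]:
    """Constructed input: n independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    # Constructed 24-bit samples whose top 17 bits never move.
    samples = [0x800123, 0x800145, 0x800132, 0x800150]
    width = changing_low_bits(samples)
    raw = low_bits_stream(samples, width)
    print(f"{width} low bits vary; raw stream: {raw}")
    print("debiased:", von_neumann_debias(raw))

    biased = biased_bits(100_000, 0.8)
    clean = von_neumann_debias(biased)
    print(f"input ones fraction  {ones_fraction(biased):.3f}")
    print(f"output ones fraction {ones_fraction(clean):.3f}")
    print(f"yield {len(clean) / len(biased):.3f} (expected {expected_yield(0.8):.2f})")
```

      Two things the numbers make visible: the rule does remove the bias (output near 0.5 from an 80/20 input), but it throws away most of the input (yield p(1-p), so 0.16 at 80/20), and it assumes each pair of bits is independent. It corrects bias, not correlation between neighbouring samples, so a Dieharder failure on debiased sensor output is not surprising, which is the post's reason for reseeding a CSPRNG rather than using the raw bits.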

      1. Bartholomew

        It is cheaper to use one fast ADC and enough gain to access "Johnson–Nyquist noise" but, if tested with the Dieharder suite, even it is still not truly random. Getting cheap access to large quantities of high quality random numbers is just not easy.

      2. LionelB Silver badge
        Trollface

        Nah - you just need enough lava lamps. Or one very hot one.

      3. Peter2 Silver badge

        Thanks for putting the effort into explaining that; it's an interesting issue.

        I'd (obviously?) never considered the actual mechanics and limits of getting that level of truly random numbers. Even sourcing 100 kilobits a second of truly random data (which sounds like it's ~fifty times the easily obtainable rate) would still be a shortfall of 99.9 megabits per second at that rate, which as you say is well short of the requirement if you're pushing that amount of data.

      4. Anonymous Coward
        Anonymous Coward

        Is testing for randomness completely futile?

        @Bartholomew

        Quote: "....truly random numbers...."

        Perhaps a thought experiment will help. Suppose you have a fair coin, and suppose you toss the coin a number of times. And suppose, in one trial, the coin comes up heads ten times in a row. This result is "truly random"!! The fact that the result does not pass some test for "randomness" does not make the result "less random".

        Longer tests will likely restore the stream of results to something closer to 50/50 (regression to the mean), but that may take a very long time! ...and in the meantime, the stream will show characteristics which will fail some test for "randomness".

        Which is a long way of saying that streams of "random numbers" -- irrespective of their source -- may always fail these tests, unless of course the stream is infinitely long.

        1. Charles 9

          Re: Is testing for randomness completely futile?

          "Longer tests will likely restore the stream of results to something closer to 50/50 (regression to the mean), but that may take a very long time! ...and in the mean time, the stream will show characteristics which will fail some test for "randomness"."

          These randomness tests know this and tend to run PDL to take advantage of regression to the mean. If statistical balance doesn't pan out after millions if not billions of runs, odds are pretty good there's something going on that's not pure randomness.

        2. Bartholomew

          Re: Is testing for randomness completely futile?

          > may always fail these tests, unless of course the stream is infinitely long.

          Dieharder, for its more useful tests, needs at least a gigabyte of data. And if for say 1 GB of data it is like 80% 1's (and 20% 0's), it is clear that you have some kind of problem. And when it comes to cryptography you want a perfectly normal distribution; anything else has the potential to leak information. It may not leak enough today, nor tomorrow, but given enough time and enough data it will leak.
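          The thread above (ten heads in a row being a legitimate outcome, Charles 9's point that suites look at millions of samples, and the 80%-ones case) can be made concrete with the frequency (monobit) test from NIST SP 800-22, one of the basic checks that randomness suites apply. The Python below is an added example, not code from any of the posters or from Dieharder; the seeded bit streams are constructed inputs.

```python
"""Frequency (monobit) test and longest-run check (added example).

NIST SP 800-22 frequency test: map bits to +1/-1, sum them to S, compute
s_obs = |S| / sqrt(n) and p = erfc(s_obs / sqrt(2)).  A p-value below the
chosen significance level (0.01 in SP 800-22) rejects the hypothesis that
the bits are unbiased.  All inputs below are constructed.
"""
import math
import random
from typing import List, Sequence


def monobit_p_value(bits: Sequence[int]) -> float:
    """p-value of the frequency test; small means 'too far from 50/50'."""
    n = len(bits)
    if n == 0:
        raise ValueError("empty bit sequence")
    s = sum(1 if b else -1 for b in bits)
    s_obs = abs(s) / math.sqrt(n)
    return math.erfc(s_obs / math.sqrt(2))


def monobit_passes(bits: Sequence[int], alpha: float = 0.01) -> bool:
    """True when the stream is not rejected at significance level alpha."""
    return monobit_p_value(bits) >= alpha


def longest_run(bits: Sequence[int], value: int = 1) -> int:
    """Length of the longest run of `value` in the sequence."""
    best = cur = 0
    for b in bits:
        cur = cur + 1 if b == value else 0
        best = max(best, cur)
    return best


def bernoulli_bits(n: int, p_one: float, seed: int) -> List[int]:
    """Constructed input: n independent bits with P(1) = p_one."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


if __name__ == "__main__":
    ten_heads = [1] * 10
    fair = bernoulli_bits(1_000_000, 0.5, seed=7)
    skewed = bernoulli_bits(1_000, 0.8, seed=7)
    print(f"ten heads:      p = {monobit_p_value(ten_heads):.4f}")
    print(f"1M fair bits:   p = {monobit_p_value(fair):.4f}, "
          f"longest run of 1s = {longest_run(fair)}")
    print(f"1k 80/20 bits:  p = {monobit_p_value(skewed):.2e}")
```

          Ten heads in a row fails the monobit test at the 1% level (p is about 0.0016) even though a fair coin produces that outcome once in 1024 trials, which is the thought experiment's point: a short sample cannot separate bad luck from bias. Over a million fair bits the picture changes: runs of roughly twenty heads appear as a matter of course and the p-value is unremarkable, whereas a thousand bits at 80/20 already gives a vanishingly small p-value. That is why the suites ask for a lot of data before calling a source biased.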

  15. William Higinbotham

    We Don't Know When or Even If

    Is the same as saying, The entirety of the NSA's systems can neither be confirmed nor denied, no matter how much information has been leaked to the press over the past year.

  16. JimmyPage Silver badge
    Stop

    How much encryption is REALLY cracked by brute force ?

    And how much - like the WW2 Nazi Enigma messages - is cracked by pisspoor implementation and usage ?

    My view has always been if you are encrypting you have halfway lost. The trick is to transfer data in plain sight.

  17. MJI Silver badge

    Or more likely GCHQ have broken it.

    Seems more likely.

    1. Arthur the cat Silver badge

      Re: Or more likely GCHQ have broken it.

      "Honest guv, it fell apart as soon as I picked it up!"

  18. Eclectic Man Silver badge

    Most common ways to breach cryptography

    Are, according to Prof Fred Piper of Royal Holloway College, UK,

    Sex, Drugs and Money.

    (NOT a joke)

    1. Arthur the cat Silver badge

      Re: Most common ways to breach cryptography

      Sex, Drugs and Money.

      That's a high standard. I thought it was Sex, Drugs or Money for most people.

      1. Paul Crawford Silver badge
        Coat

        Re: Most common ways to breach cryptography

        My standards are not that high, sufficiently good sex and money is enough.

        Just reaching for my schedule of costs and services =>

    2. LionelB Silver badge

      Re: Most common ways to breach cryptography

      Shouldn't we add stupidity, carelessness and violence to those?

  19. FlamingDeath Silver badge

    Mostly harmless

    Maybe if the organisation was less, you know, shady, then maybe the quantum world would be more acquiescent

    For a long time nature has readily revealed its secrets to us, while we keep secrets from each other.

    It seems poetic that we may never fully understand quantum mechanics

    Probably for the best too, we are not a mature species

  20. Anonymous Coward
    Anonymous Coward

    Oh my -- this will make a lot of consultants unhappy

    Namely, the ones exhorting tossing out current PK for QR stuff (and remunerating them appropriately, of course) as El Reg pointed out.
