America's NSA Isn't Sure Quantum Computers Will Ever Break Public Key Encryption (msn.com)
America's National Security Agency "isn't really sure when or even if quantum computers will be able to crack public key cryptography," writes TechRadar.
They report that the NSA "has expressed its reservations about the potential of quantum computing" in a new FAQ titled Quantum Computing and Post-Quantum Cryptography. "NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist," said the security agency in response to whether it is worried about the potential of adversarial use of quantum computing. In the FAQ, the NSA describes a Cryptographically Relevant Quantum Computer (CRQC) as a quantum computer that's capable of actually attacking real world cryptographic systems, something that's currently infeasible.
While it agrees that such a computer would be "devastating" to the digital security infrastructure, it seems to suggest that it doesn't believe such a CRQC would ever materialize.
However, the growing research in quantum computing has moved the agency to also support the development of post-quantum cryptographic standards, along with plans for eventual transition to such standards.
This means they've already done it. (Score:5, Insightful)
Just saying.
Re: (Score:2)
This means they've done it
I was literally just typing this.
Re: This means they've already done it. (Score:2)
Re: (Score:2)
I look forward to quantum miners. Try all possible blocks in one go.
What? Oh, "miners" not "minors" ...
Re: This means they've already done it. (Score:2)
Re: (Score:2)
>reducing its price.
sure... and eliminating its value. I suspect that if people could instantly generate new blocks it would completely undermine the integrity of the entire network, in a way that would render virtually all proof-of-work based systems worthless.
Re: (Score:2)
Third
Re: (Score:1)
They knew that already.
Re: This means they've already done it. (Score:2)
And they knew that reply already, before you swiped it. It's quantum after all.
Re: (Score:2)
Re: (Score:3)
Just saying.
Sometimes I think it might be the opposite. Perhaps they are not getting anywhere with RSA. If this is true and they can't break it they might have come to the conclusion it is better to convince everyone to abandon it and go to a "post quantum" key exchange that grants them the upper hand.
If true why not say something more positive about QCs chances? That's because they are trained to lie. If they cheerlead too much for post quantum people will get suspicious.
Re: (Score:3)
I'm not sure quantum computers are necessary, and like the above posters, believe they've already figured it out.
What did they figure out? How decomposition works with an entropic algorithm. How to figure out cajoling the algorithms used to make AES-256 reveal its own collisions so that all that's needed is a killer dictionary.
The qubit parallelism wouldn't be needed.
This is my guess; it might be wrong, or it could be something completely different. Nonetheless, post-quantum algorithms are a marketing term
Re:This means they've already done it. (Score:5, Informative)
Re: (Score:3)
Re: This means they've already done it. (Score:1)
Re: (Score:1)
if the NSA introduced flaws on purpose in the ancient libs that are likely still used in modern day encryption, then they likely have the key and have had the key from the beginning
isn't openssl and all the others relying on the same ancient libs that have likely secretly been made into Swiss cheese by the NSA years ago?
maybe they don't have this advantage with quantum based crypto yet, but I'm guessing that it's just a matter of time, money, leverage, force and/or threats
might as well just not use any cryptography at all
Is AES safe? So far not even Snowden said they were compromised. Has he?
Re: (Score:2)
Re: (Score:1)
The NSA gets most of its intelligence through the fact that most of our communications (like e-mail) are not (yet) encrypted.
Even recently I went on a campaign to get people to use encrypted e-mail. Outlook supports it. There's free gpg software. RedHat/Fedora support it of course. Even Debian I think supports it. Not sure if BSD supports it.
I was about as successful as getting anti-vax people to get the covid shot. Man they don't want to do it. The only way people do it is because they have to as part of the DOD or some other government mandate.
The best I can do is set up the mail servers so they support encryption. Anyone that
Re: (Score:2)
Re: (Score:2)
There is no such thing as "decades ahead" in a technology field like encryption. Progress is not measured by some measured flow of passing time, despite the "myth of the man month". It would only take a fortunate mathematical insight, one which may or may not exist.
Re: (Score:2)
Re: This means they've already done it. (Score:2)
Thank you A.G. for reminding us that time is relative and "decades ahead" is a silly term.
The Wright Brothers were decades ahead of flight.
Alan Turing was decades ahead of computing.
NASA engineers were decades ahead of space travel.
Homer was decades ahead of Greek epic tales.
The Egyptians were decades ahead of pyramid building.
A typical Slashdotter's mom is decades ahead of their child's enlightenment.
Re: (Score:2)
And fusion is perpetually 4 decades ahead of the sliding "now", and has been since the 1970s.
Re: (Score:2)
You're being generous: the first controlled fusion was in a stellarator in 1958. The idea existed well before then, or the stellarator would not have been built.
Re: (Score:2)
Re: (Score:2)
They don't generally need to. They have access to the escrowed secrets of numerous environments, and access to zero-day exploits of most of the remainder. Most companies and schools, even with SSL or SSH private keys, have them on proxies, routers, remote configuration tools, and even embedded in the laptops of admins. They're often quite poorly secured.
Re: (Score:1)
It means nothing.
Paying any attention to what they say is a mistake.
Re: (Score:2)
It means nothing.
Paying any attention to what they say is a mistake.
Well no. But verify anything carefully. For the current statement, all it takes is a few private conversations with people actually doing research in the area. They have known for a long time that no QC will result from their work. They all hope (and this is a reasonable hope) that secondary results will make the research worthwhile.
Re: (Score:2)
Beat me to it
"Hay guys, pretty sure this isn't possible, y'all should like, uh, give up, cuz uh, it like, totally doesn't work, sorry, we tried, tooootally did not work, nope, huh uh"
Re: (Score:2)
Nope. Your statement just means you are paranoid and delusional.
Re: (Score:3)
Nope. It just means I'm a smart aleck.
Re: (Score:2)
And want to discourage others for as long as they can
Could be (Score:2)
However since this is the obvious conclusion, it's likely that the NSA has thought about that.
Perhaps the intention is different. Perhaps the NSA just wants us to think that public key encryption is insecure. Since post quantum encryption isn't ready yet, the goal might be to discourage people from using public key encryption at all.
BTW the NSA probably doesn't even need to crack the encryption by itself as the mayor standard used today (TLS) is highly complex so security issues are likely to be in any implem
Re: (Score:3)
There are secure ways to store data.
The first step is to do it offline, preferably on a non-electronic medium.
Re: (Score:2)
Re: (Score:2)
I'm also quite certain various corporations have access to your secret information. Your bank / credit union would be one of those. Same with credit card companies. You're also trusting Google, Microsoft, Apple, etc not to snoop on local apps and steal critical information from you, since they control the OSes that run on your devices. Does that mean you don't care if a Russian mafia gang or some Chinese hacker gets access to that same information while it's being transmitted across the internet? Becau
Re: (Score:2)
Having secure crypto in today's world seems kind of pointless.
I agree. That's why my password for my bank is simply Pa$$w0rd
A better password would be pointless. Everything is going to get hacked anyway.
Re: (Score:2)
Exceptionally unlikely. If you were right, we would have had quite a few unexplained leaks by now. We do not.
Stop storing our web traffic (Score:1)
Re: (Score:2)
Nobody cares about your web traffic. Your emails, maybe.
Re: (Score:1)
Re: (Score:1)
they don't care about goatse? OK everybody, start sending loads of unencrypted goatse !!
Re: (Score:2)
I hope they decrypt my emails.
There isn't enough bleach in the world to satisfy the needs of their eyes once they do!
Re: (Score:2)
Since many email services are now web based, as is banking information and access to cryptocurrency exchanges, I'd suggest rethinking this confident claim.
Re: (Score:2)
In other words (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
That is the best description of quantum computing today I've read so far. Thank you for a good laugh.
Suuure (Score:2)
It's not at all suspicious that a spy agency wants us to keep using a particular crypto-scheme.
Re: (Score:2)
I don’t see where they mentioned any particular type of cryptography. We already know this is (theoretically) going to be an issue with asymmetric RSA and ECDH - but that’s a solvable problem that people are already working on, and we’re supposed to have something by 2024.
On a side note - AES does not appear to be susceptible to quantum computing based attacks.
Re: (Score:2)
Block-ciphers are not susceptible to QCs and that is a theoretical result, i.e. "hard". All a QC could give you were halving of the key-length. That means AES-256 is fully secure against QCs and, given how abysmally slow they would be (if they ever work at all), even AES-128 would probably stay secure. But take into account that attacking AES-4096 would take in excess of 12k Qbits that would need to stay entangled for a long and complex calculation, and even attacking that becomes a "likely not this centur
Re: (Score:2)
>That means AES-256 is fully secure against QCs
AES-256 is not "fully secure" against normal computers. It has a key schedule weakness (https://eprint.iacr.org/2009/317) making it weaker than AES-128 against a related key attack.
Not a practical attack and making a crypto system where related key attacks are even possible is a noobie error but that raises the valid question 'why not just use AES-128?'
Re: (Score:2)
Bullshit. You are exhibiting the same defective mind-set all other conspiracy-theorists have. You can infer exactly nothing about their capabilities from their statement.
Re: (Score:2)
lol, I was just kidding man.
Re: (Score:2)
In that case, ignore my comment.
conspiracy or fact (Score:2)
I'm perfectly happy to jump on the government conspiracy theory bandwagon, but are there any reputable computer scientists in a relevant field that are saying the same, or differently?
Re: (Score:2)
>but are there any reputable computer scientists in a relevant field that are saying the same, or differently?
There are physics professors arguing that CRQC is impossible.
I have an information theory argument that CRQC is impossible.
https://spectrum.ieee.org/the-... [ieee.org]
Re: (Score:2)
That article is pretty poor. "A useful quantum computer needs to process a set of continuous parameters that is larger than the number of subatomic particles in the observable universe." That's why you encode those "continuous parameters" as qubits, dumbass. You think they plan to encode each parameter in a double or something? It's like saying that because 640kB of RAM can encode more than 10^197000 different discrete "basic" states - a brain meltingly huge number - that it will be impossible to write algo
Re: (Score:2)
It does fail to be clear about the most fundamental problems but it does address them.
1) The quantum states and the measurement of those states are noisy and the noise sets some limits on the information representation that is possible. With error correction this can be improved but it becomes more fragile with more qbits.
2) Nobody has come up with a way to perform logic on error corrected qbits. This step has remained unsolved for many years and all other improvements are moot without a solution.
It does no
Re: is there another NSA? (Score:2)
Because it was started by nerds in MI, then sold to a media conglomerate started in San F, CA and HQ'd in NY, then sold to a company HQ'd in San D, CA.
Re: (Score:1)
Also, the language.
But I'm not sure about the active user base.
By the way: How do you tell someone on the Internet is German? ;)
Answer: He will always write in perfect English, and will call you a Nazi for speaking German.
(I would mention that I'm a German, but I don't want to be called a Nazi by a German.)
Re: (Score:1)
Well, you know... as opposed to Zimbabwe's NSA. ... XD
America's NSA Isn't Sure ... (Score:3)
... enough said.
Comment removed (Score:4, Funny)
Re: (Score:1)
Welcome to Slashdot. I love you.
I think the headline is mischaracterising (Score:2)
Here's the actual question and answer:
> Q: Is NSA worried about the threat posed by a potential quantum computer because a CRQC exists?
> A: NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist.
All that's saying is they can't predict a timeline.
Re: (Score:2)
Yeah, this is the equivalent of a shoulder shrug and saying "no idea". Not something to read anything into.
Re: (Score:1)
... by a person whose whole and entire job is manipulation and lying.
So I'd rather think about the intention behind saying that to us, than taking it at face value.
Re: (Score:2)
Just common sense (Score:5, Interesting)
Currently, there is no actually functioning quantum computer at all. All these mock-ups can do is single steps on low qbit numbers and then it gets conventional again and the next step gets loaded. That means loss of all advantages quantum computations are supposed to have. The reasons are simple: Decoherence. Basically, with a longer quantum computation, the chances of losing it all rise exponentially, essentially making anything that would matter completely infeasible. Unfortunately, there is a second exponential factor: The probability for decoherence also rises exponentially with the number of qbits.
Now, attacking modern cryptography requires both long, complex calculations and a lot of qbits. Hence it is quite possible this will not ever become feasible to do. It will certainly not happen anytime soon.
As usual, there are a lot of morons that believe the hype and desperately want "magic" to finally be possible. But that is basically all that keeps this stupidity going. Every other "alternate" computing paradigm has been given up on after a decade or two of failing to produce results, just "quantum computing" gets kept alive after now _four_ decades of having failed to produce anything useful.
Re: (Score:2)
So you're saying because something is difficult we should abandon it? It's not four decades of no results, there have been a lot of advancements. There is still a long way to go, but they haven't hit a brick wall.
Re: (Score:3)
Not that many. The money and effort is mostly wasted and would better have been invested in some other place. There are always more and less worthwhile research directions. Sure, even QC research has produced secondary results, but the level of effectiveness in that is atrociously bad.
Incidentally, basically no research direction ever has "hit a brick wall" when it was abandoned. It was always just that the effort was in crass misalignment with the worth of the results. At that time, sane people stop until
Re: (Score:1)
Thank You, US Intelligence Community (Score:2)
These guys are doing such a good job that even if they tell you what is what, none of you know if you should believe them or not. Leaks happen, nobody knows if it is a real leak or a planted leak. Nobody believes anything about what the intelligence agencies do. Even if they find out what they're doing, they still don't know! That's an unmitigated victory.
Now if they could just do a little better at infrastructure defense and counter-attack, I'd be happy.
Re: (Score:1)
Who came up with calling a spying and meddling agency "intelligence" anyway?
I'm not a native English speaker, but saying intelligent people are merely "smart" and evil assholes are "intelligent" always bugs me as a result of a fundamental messed-upness in how one thinks about those things...
Re: (Score:2)
Who came up with calling a spying and meddling agency "intelligence" anyway?
I'm not a native English speaker, but saying intelligent people are merely "smart" and evil assholes are "intelligent" always bugs me as a result of a fundamental messed-upness in how one thinks about those things...
Intelligence can mean several things, one of them information, news [merriam-webster.com]. As an illustration of that, the first Norwegian newspaper - in 1720 - was called Norske Intelligenz-Seddeler [wikipedia.org] ("Norwegian Intelligence Pages"). Thus, intelligence doesn't have to mean "smart" and has had other meanings for centuries.
Analog error (Score:1)
Re: (Score:2)
A simple rule in cryptography is that whatever answer you calculate is either 100% correct, or wildly incorrect. There is no such thing as a "close" answer.
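The "correct or wildly incorrect" point above can be shown concretely. The following is an added example, not code from the commenter or from any of the projects mentioned in the thread. It uses a toy RSA modulus built from two constructed 20-bit primes (real keys use primes of 1024 bits or more) and the standard-library SHA-256 to show that a factor guess that is off by two yields no information at all, that a private exponent off by one decrypts to unrelated garbage, and that a one-bit change in a hash input flips roughly half of the output bits.

```python
import hashlib
import math


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_bits(msg: bytes, bit: int) -> int:
    """Flip one bit of msg and report how many of SHA-256's 256 output bits change.

    A one-bit "error" in the input does not give a "nearly right" hash; about
    half of the output bits flip, so a near miss carries no information about
    the target.
    """
    flipped = bytearray(msg)
    flipped[bit // 8] ^= 1 << (bit % 8)
    return hamming_distance(hashlib.sha256(msg).digest(),
                            hashlib.sha256(bytes(flipped)).digest())


# Toy RSA parameters, constructed for this example only. Real keys use primes
# of roughly 1024 bits or more; these 20-bit primes keep the numbers readable.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)  # private exponent (modular inverse, Python 3.8+)


def factor_progress(n: int, guess: int) -> int:
    """gcd(n, guess): the full prime factor if guess is exactly right, else 1.

    There is no partial credit: a guess one or two away from a true factor
    reveals nothing about n's factorisation.
    """
    return math.gcd(n, guess)


def rsa_encrypt(m: int, e: int = E, n: int = N) -> int:
    """Textbook RSA encryption (no padding; illustration only)."""
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int = N) -> int:
    """Textbook RSA decryption with an arbitrary exponent d."""
    return pow(c, d, n)


def demo() -> dict:
    """Run all three checks and return the raw numbers."""
    m = 42
    c = rsa_encrypt(m)
    return {
        "exact_factor": factor_progress(N, P),           # P: the whole secret
        "near_miss_factor": factor_progress(N, P + 2),   # 1: nothing learned
        "decrypt_exact": rsa_decrypt(c, D),              # 42
        "decrypt_off_by_one": rsa_decrypt(c, D + 1),     # garbage, not 42
        "sha256_bits_changed": avalanche_bits(b"attack at dawn", 3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The factor check is the one that matters for the RSA discussion in this thread: gcd with the exact prime returns the prime, gcd with a guess two away returns 1, and nothing in between exists to "converge" on.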
huh? (Score:2)
No more spooks on /. eh?
Came here looking for comment about a man, a plan, a canal... somewhere.
QC is like fusion power (Score:2)
The same is happening with autonomous vehicles: they've been in development for over 15 years yet there's no indication they'll ever reach the market. We're already seeing investors losing interest and pulling out. Most likely we'll see a shake-out in a couple of years. Only companies like Google and Tesla, which have other sources of revenue, can continue investing into this technology.
If there aren't substantial breakthroughs (with actual products coming to market)
A successful quantum computer (Score:2)
Re: (Score:1)
Perhaps ... (Score:2)
That is just what they want people to think.
You've had a breakthrough, you say? (Score:2)
Trust us, guys, keep using those unbreakable public keys.