Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Encryption Government

America's NSA Isn't Sure Quantum Computers Will Ever Break Public Key Encryption (msn.com) 92

America's National Security Agency "isn't really sure when or even if quantum computers will be able to crack public key cryptography," writes TechRadar.

They report that the NSA "has expressed its reservations about the potential of quantum computing" in a new FAQ titled Quantum Computing and Post-Quantum Cryptography. "NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist," said the security agency in response to whether it is worried about the potential of adversarial use of quantum computing. In the FAQ, the NSA describes a Cryptographically Relevant Quantum Computer (CRQC) as a quantum computer that's capable of actually attacking real world cryptographic systems, something that's currently infeasible.

While it agrees that such a computer would be "devastating" to the digital security infrastructure, it seems to suggest that it doesn't believe such a CRQC would ever materialize.

However, the growing research in quantum computing has moved the agency to also support the development of post-quantum cryptographic standards, along with plans for eventual transition to such standards.

This discussion has been archived. No new comments can be posted.

America's NSA Isn't Sure Quantum Computers Will Ever Break Public Key Encryption

Comments Filter:
  • by dgatwood ( 11270 ) on Saturday September 04, 2021 @04:52PM (#61763805) Homepage Journal

    Just saying.

    • by dfn5 ( 524972 )

      This means they've done it

      I was literally just typing this.

    • I was about to enter the same comment.
    • Just saying.

      Sometimes I think it might be the opposite. Perhaps they are not getting anywhere with RSA. If this is true and they can't break it they might have come to the conclusion it is better to convince everyone to abandon it and go to a "post quantum" key exchange that grants them the upper hand.

      If true why not say something more positive about QCs chances? That's because they are trained to lie. If they cheerlead too much for post quantum people will get suspicious.

      • I'm not sure quantum computers are necessary, and like the above posters, believe they've already figured it out.

        What did they figure out? How decomposition works with an entropic algorithm. How to figure out cajoling the algorithms used to make AES-256 reveal its own collisions so that all that's needed is a killer dictionary.

        The qubit parallelism wouldn't be needed.

        This is my guess; it might be wrong, or it could be something completely different. Nonetheless, post-quantum algorithms are a marketing term

    • by OneHundredAndTen ( 1523865 ) on Saturday September 04, 2021 @06:26PM (#61764045)
      The Snowden's revelations belie that belief: according to them, breaking established cryptographic algorithms is not quite how the NSA gets that vast majority of its intelligence. This aside, the days in which the NSA was years, or even decades, ahead academia in cryptological research are long gone - worldwide there are more mathematicians researching cryptography (and publishing without NSA censorship) than the NSA, with all its might, employs.
      • The NSA gets most of its intelligence thought the fact that most of our communications (like e-mail) are not (yet) encrypted.
        • if the NSA introduced flaws on purpose in the ancient libs that are likely still used in modern day encryption, then they likely have the key and have hjad the key from the beginning isnt openssl and all the others relying on the same ancient libs that are likely secretly been made in to swiss cheese by the NSA years ago? maybe they dont have this advantage with quantum based crypto yet, but I'm guessing that its just a matter of time, money, leverage, force and/or threats might as well just not use any
          • by ebvwfbw ( 864834 )

            if the NSA introduced flaws on purpose in the ancient libs that are likely still used in modern day encryption, then they likely have the key and have hjad the key from the beginning

            isnt openssl and all the others relying on the same ancient libs that are likely secretly been made in to swiss cheese by the NSA years ago?

            maybe they dont have this advantage with quantum based crypto yet, but I'm guessing that its just a matter of time, money, leverage, force and/or threats

            might as well just not use any cryptography at all

            Is AES safe? So far not even Snowden said they were compromised. Has he?

            • AES is safe, the NSA specifically stated that they can't break AES-256. They're probably relying on al sorts of implementation errors to break the encryption nonetheless.
        • by ebvwfbw ( 864834 )

          The NSA gets most of its intelligence thought the fact that most of our communications (like e-mail) are not (yet) encrypted.

          Even recently I went on a campaign to get people to use encrypted e-mail. Outlook supports it. There's free gpg software. RedHat/Fedora support it of course. Even Debian I think supports it. Not sure if BSD supports it.
          I was about as successful as getting anti-vax people to get the covid shot. Man they don't want to do it. The only way people do it is because they have to as part of the DOD or some other government mandate.

          The best I can do is set up the mail servers so they support encryption. Anyone that

    • I think unlikely, while I would never trust a thing that the NSA says, the reality is for them to have broken it they would have to be decades ahead of the best scientific research into Quantum computing.
      • There is no such thing as "decades ahead" in a technology field like encryption. Progress is not measured by some measured flow of passing time, despite the "myth of the man month". It would only take a fortunate mathematical insight, one which may or may not exist.

        • firstly this is about Quantum computing not mathematics of cryptography, you can be decades ahead in the advancement of a technology. Secondly this isn't the movies, There are many encryption methods that are mathematically unrelated, Cryptography is not like the fantasy world of the movies like sneakers where you can come up with some hardware device that can read all encryption, breaking one algorithm doesn't affect other unrelated algorithms.
        • Thank you A.G. for reminding us that time is relative and "decades ahead" is a silly term.

          The Wright Brothers were decades ahead of flight.

          Alan Turing was decades ahead of computing.

          NASA engineers were decades ahead of space travel.

          Homer was decades ahead of Greek epic tales.

          The Egyptians were decades ahead of pyramid building.

          A typical Slashdotter's mom is decades ahead of their child's enlightenment.

    • by slazzy ( 864185 )
      Funny, that was my thought too - sounds like they've cracked it.
    • They don't generally need to. They have access to the escrowed secrets of numerous environments, and access to zero-day exploits of most of the remainder. Most companies and schools, even with SSL or SSH private keys, have them on proxies, routers, remote cconfiguration tools, and even embedded in the laptops of admins. They're often quite poorly secured.

    • It means nothing.

      Paying any attention to what they say is a mistake.

      • by gweihir ( 88907 )

        It means nothing.

        Paying any attention to what they say is a mistake.

        Well no. But verify anything carefully. For the current statement, all it takes is a few private conversations with people actually doing research in the area. They have known for a long time that no QC will result from their work. They all hope (and this is a reasonable hope) that secondary results will make the research worthwhile.

    • by Hadlock ( 143607 )

      Beat me to it

      "Hay guys, pretty sure this isn't possible, y'all should like, uh, give up, cuz uh, it like, totally doesn't work, sorry, we tried, tooootally did not work, nope, huh uh"

    • by gweihir ( 88907 )

      Nope. Your statement just means you are paranoid and delusional.

    • And want to discourage others for as long as they can

    • However since this is the obvious conclusion, it's like that the NSA has thought about that.

      Perhaps the intention is different. Perhaps the NSA just wants us to think that public key encryption is insecure. Since post quantum encryption isn't ready yet, the goal might be to discourage people form using public key encryption at all.

      BTW the NSA probably doesn't even need to crack the encryption by itself as the mayor standard used today (TLS) is highly complex so security issues are likely to be in any implem

  • They will still keep spending our tax money to store untold gobs of web traffic they see on the internet backbone forever with the hopes of decrypting it.
  • by Anonymous Coward on Saturday September 04, 2021 @05:10PM (#61763863)
    This wavefunction can be collapsed into two alternative observed states, one of which generates disappointment, and the other of which generates funding.
  • It's not at all suspicious that a spy agency wants us to keep using a particular crypto-scheme.

    • I don’t see where they mentioned any particular type of cryptography. We already know this is (theoretically) going to be an issue with asymmetric RSA and ECDH - but that’s a solvable problem that people are already working on, and we’re supposed to have something by 2024.

      On a side note - AES does not appear to be susceptible to quantum computing based attacks.

      • by gweihir ( 88907 )

        Block-ciphers are not susceptible to QCs and that is a theoretical result, i.e. "hard". All a QC could give you were halving of the key-length. That means AES-256 is fully secure against QCs and, given how abysmally slow they would be (if they ever work at all), even AES-128 would probably stay secure. But take into account that attacking AES-4096 would take in excess of 12k Qbits that would need to stay entangled for a long and complex calculation, and even attacking that becomes a "likely not this centur

        • >That means AES-256 is fully secure against QCs

          AES-256 is not "fully secure" against normal computers. It has a key schedule weakness (https://eprint.iacr.org/2009/317) making it weaker that AES-128 against a related key attack.

          Not a practical attack and making a crypto system where related key attacks are even possible is a noobie error but that raises the valid question 'why not just use AES-128?'

    • by gweihir ( 88907 )

      Bullshit. You are exhibiting the same defective mind-set all other conspiracy-theorists have. You can infer exactly nothing about their capabilities from their statement.

  • I'm perfectly happy to jump on the government conspiracy theory bandwagon, but are there any reputable computer scientists in a relevant field that are saying the same, or differently?

    • >but are there any reputable computer scientists in a relevant field that are saying the same, or differently?

      There are physics professors arguing that CRQC is impossible.
      I have an information theory argument that CRQC is impossible.

      https://spectrum.ieee.org/the-... [ieee.org]

      • by bh_doc ( 930270 )

        That article is pretty poor. "A useful quantum computer needs to process a set of continuous parameters that is larger than the number of subatomic particles in the observable universe." That's why you encode those "continuous parameters" as qubits, dumbass. You think they plan to encode each parameter in a double or something? It's like saying that because 640kB of RAM can encode more than 10^197000 different discrete "basic" states - a brain meltingly huge number - that it will be impossible to write algo

        • It does fail to be clear about the most fundamental problems but it does address them.
          1) The quantum states and the measurement of those states are noisy and the noise sets some limits on the information representation that is possible. With error correction this can be improved but it becomes more fragile with more qbits.
          2) Nobody has come up with a way to perform logic on error corrected qbits. This step has remained unsolved for many years and all other improvements are moot without a solution.

          It does no

  • by CaptainDork ( 3678879 ) on Saturday September 04, 2021 @05:53PM (#61763985)

    ... enough said.

  • Here's the actual question and answer:
    > Q: Is NSA worried about the threat posed by a potential quantum computer because a CRQC exists?
    > A: NSA does not know when or even if a quantum computer of sufficient size and power to exploit public key cryptography (a CRQC) will exist.

    All that's saying is they can't predict a timeline.

    • by chill ( 34294 )

      Yeah, this is the equivalent of a shoulder shrug and saying "no idea". Not something to read anything into.

      • ... by a person who's whole and entire job is manipulation and lying.

        So I'd rather think about the intention behind saying that to us, than taking it at face value.

    • I think they have doubts the technology will scale to enable the breaking of cryptographic algorithms. To break RSA 2048-bit you'd need millions of qbits, which is far from what's feasible today. Currently, the maximum number of qbits numbers in the tens.
  • Just common sense (Score:5, Interesting)

    by gweihir ( 88907 ) on Saturday September 04, 2021 @08:07PM (#61764211)

    Currently, there is no actually functioning quantum computer at all. All these mock-ups can do is single steps on low qbit numbers and then it gets conventional again and the next step gets loaded. That means loss of all advantages quantum computations are supposed to have. The reasons are simple: Decoherence. Basically, with a longer quantum computation, the changes of losing it all raise exponentially, essentially making anything that would matter completely infeasible. Unfortunately, there is a second exponential factor: The probability for decoherence also raises exponentially with the number of qbits.

    Now, attacking modern cryptography requires both long, complex calculations and a lot of qbits. Hence it is quite possible this will not ever become feasible to do. It will certainly not happen anytime soon.

    As usual, there are a lot of morons that believe the hype and desperately want "magic" to finally be possible. But that is basically all that keeps this stupidity going. Every other "alternate" computing paradigm has been give up on after a decade or two of failing to produce results, just "quantum computing" gets kept alive after now _four_ decades of having failed to produce anything useful.

    • So you're saying because something is difficult we should abandon it? It's not four decades of no results, there have been a lot of advancements. There is still a long way to go, but they haven't hit a brick wall.

      • by gweihir ( 88907 )

        Not that many. The money and effort is mostly wasted and would better have been invested in some other place. There are always more and less worthwhile research directions. Sure, even QC research has produced secondary results, but the level of effectiveness in that is atrociously bad.

        Incidentally, basically no research direction ever has "hit a brick wall" when it was abandoned. It was always just that the effort was in crass misalignment with the worth of the results. At that time, sane people stop until

    • Several years ago someone published and article saying that they had been able to find the factors of 15 reliably with qbits.I don't know how scalable this is, but it seems naive to dismiss the possibility that SOMEONE hasn't made significant unpublished advances in this field.
  • These guys are doing such a good job that even if they tell you what is what, none of you know if you should believe them or not. Leaks happen, nobody knows if it is a real leak or a planted leak. Nobody believes anything about what the intelligence agencies do. Even if they find out what they're doing, they still don't know! That's an unmitigated victory.

    Now if they could just do a little better at infrastructure defense and counter-attack, I'd be happy.

    • Who came up with calling a spying and meddling agency "intelligence" anyway?
      I'm not a native English speaker, but saying intelligent people are merely "smart" and evil assholes are "intelligent" always bugs me as a result of a fundamental messed-upness in how one thinks about those things...

      • by teg ( 97890 )

        Who came up with calling a spying and meddling agency "intelligence" anyway?
        I'm not a native English speaker, but saying intelligent people are merely "smart" and evil assholes are "intelligent" always bugs me as a result of a fundamental messed-upness in how one thinks about those things...

        Intelligence can mean several things, one of them information, news [merriam-webster.com]. As an illustration of that, the first Norwegian newspaper - in 1720 - was called Norske Intelligenz-Seddeler [wikipedia.org] ("Norwegian Intelligence Pages"). Thus, intelligence doesn't have to mean "smart" and has had other meanings for centuries.

  • A common problem that occurs in Quantum computing is that the more qubits you work with, the more error is in the computation. So while the quantum operation might be 1 million times faster, you may have to run the operation 500,000 times to confirm it was correct.
    • Now I know very little about quantum computing, but I do know a bit about cryptography. It seems evident to me that if you are using a quantum computer to discover a key that will decrypt some ciphertext, it is extremely straightforward to test the output of a quantum algorithm by simply trying the resulting key on the ciphertext you wish to decrypt.

      A simple rule in cryptography is that whatever answer you calculate is either 100% correct, or wildly incorrect. There is no such thing as a "close" answer.
  • No more spooks on /. eh?

    Came here looking for comment about a man, a plan, a canal... somewhere.

  • It's always 20 years in the future.

    The same is happening with autonomous vehicles: they've been in development for over 15 years yet there's no indication they'll ever reach the market. We're already seeing investors losing interest and pulling out. Most likely we'll see a shake-out in a couple of years. Only companies like Google and Tesla, which have other sources of revenue, can continue investing into this technology.

    If there aren't substantial breakthroughs (with actual products coming to market)
  • Will likely improve on ability to brute force cryptographic algorithms significantly, but you can always make a harder algorithm. So a quantum leap in brute force cracking might retire some crypto schemes, but it's not going to be the end of cryptography. It's not the brute force approach you need to be afraid of in cryptography, it's all the clever ways to get around having to brute force that are the problems.
    • by AnilJ ( 1342025 )
      Cryptanalysis - not Cryptographic algorithms. Cryptography is easy, cryptanalysis is hard (or supposed to be, if one can devise a truly one-way function).
  • That is just what they want people to think.

  • Trust us, guys, keep using those unbreakable public keys.

Time is the most valuable thing a man can spend. -- Theophrastus

Working...