OCTADE |
mail  files  register  groups  login |
1 |
<ekCwF67a9p7PHWhXm+p3L7tjSqY0FYJNbA0LLbUz1mc=@writeable.com>
copy midhttps://news.octade.net/USENET/article-flat.php?id=277&group=sci.crypt#277
copy link Newsgroups: sci.cryptWhat is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.
I myself am very much in doubt whether to use PQC or stick with known ciphers.
<v1jf6i$srv9$1@dont-email.me>
copy midhttps://news.octade.net/USENET/article-flat.php?id=290&group=sci.crypt#290
copy link Newsgroups: sci.cryptOn 06/05/2024 14:53, Jakob Bohm wrote:
> On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I
>> know the NIST has held a contest and that there are winners, but do
>> you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the
>> security and privacy of millions of unsuspecting users.
Yep, that's a risk. PQC algorithms are of necessity less mature than
current cryptographic algorithms. If I may quote Schneier's law it its
original form:
"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break. It’s not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around."
The winning PQC algorithms have had some of that analysis, but perhaps
not enough. I would not be surprised if, like some of the candidates,
the winners were comprehensively broken.
And there is another risk: that they will broken in ways we don't know
about now. Quantum computers of the needed scale still don't exist, and
we don't have years of practice using them - so it is practically
inevitable that new attack techniques using quantum computers will be
developed.
> If any bad actor has a quantum computer with just a few more Qubits
> than the ones demonstrated in public, they can break most current public
> key algorithms using known attack algorithms written a long time ago for
> such (then hypothetical) computers.
Err, no. Just no.
You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day public
key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
like 20.
Having 1,000 error prone qbits, which has been done in a couple of
cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
annealing qbits.
Not even close.
And close only counts in horseshoes and hand grenades.
> They can also break symmetric
> encryption at the same difficulty as if the key length was half as many
> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
> 128). [..] Any PQC public key algorithm will need to be combined with double
> strength symmetric algorithms.
Now there we agree, in fact double strength symmetric algorithms should
be de rigueur in general use as of yesterday: but I don't see why we
can't double up and use classic public key algorithms *as well as* PQC
public key algorithms, at least for a while.
Peter Fairbrother
who doesn't see why we need the u in qubits
<v1lhuo$1etcj$1@dont-email.me>
copy midhttps://news.octade.net/USENET/article-flat.php?id=294&group=sci.crypt#294
copy link Newsgroups: sci.cryptOn 10/05/2024 07:32, Jakob Bohm wrote:
> On 2024-05-09 23:28, Peter Fairbrother wrote:
>> You would need about 1,000 reliable entangled error-free qubits
>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>> public key algorithms, and we are nowhere near that. Not even 100
>> REEFQe, more like 20.
> Would those numbers apply to things like EdDSA and ECDSA?
A thorny question.
The publicity for quantum computers is usually splashed about measured
solely in qubits (approximately, quantum storage bits, a bit like a
register in a cpu with only one register); but that's not immediately
relevant to the amount of computation they can do - they also need
quantum gates, qubits by themselves can't do any computing.
So even 1,000 "real" qubits is just a very rough ballpark figure which
doesn't actually mean very much.
In terms of comparing breaking RSA and breaking ECDSA, you would need
more qubits but less gates for RSA - but as you can, above some
minimums, pretty much swap needed qubits for needed gates, that doesn't
help much.
I believe the minimum number of "real" qubits needed is about 350 for
ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
a LOT more quantum gates.
Overall it's pretty hard to say which is easier to do, and would depend
on more than the number of qubits a computer has. Quantum gates are
noisy too, especially the ones which do entanglement.
[1] I could be wrong here, I'm a bit out-of-touch. And these are
_theoretical_ minimums, and even then estimates vary, a lot.
In practice, realistically the best I've seen uses about 6,000 real
qubits and 10^12 gates to break 2k RSA in months. You would also need a
depth of about 10^11 (depth is the longest chain of quantum gates used,
and they all have to work...)
We are closer to getting to Alpha Centaurus and taming fusion than doing
that.
Peter Fairbrother
<epj0i3qTn0l0LoPeudnOyLH1Iu0TiTHt52YZbtCh8No=@writeable.com>
copy midhttps://news.octade.net/USENET/article-flat.php?id=299&group=sci.crypt#299
copy link Newsgroups: sci.cryptOn 10/05/2024 17:28 Peter Fairbrother <peter@tsto.co.uk> wrote:
> On 10/05/2024 07:32, Jakob Bohm wrote:
>> On 2024-05-09 23:28, Peter Fairbrother wrote:
>
>>> You would need about 1,000 reliable entangled error-free qubits
>>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>>> public key algorithms, and we are nowhere near that. Not even 100
>>> REEFQe, more like 20.
>
>> Would those numbers apply to things like EdDSA and ECDSA?
>
> A thorny question.
>
> The publicity for quantum computers is usually splashed about measured
> solely in qubits (approximately, quantum storage bits, a bit like a
> register in a cpu with only one register); but that's not immediately
> relevant to the amount of computation they can do - they also need
> quantum gates, qubits by themselves can't do any computing.
>
> So even 1,000 "real" qubits is just a very rough ballpark figure which
> doesn't actually mean very much.
>
>
> In terms of comparing breaking RSA and breaking ECDSA, you would need
> more qubits but less gates for RSA - but as you can, above some
> minimums, pretty much swap needed qubits for needed gates, that doesn't
> help much.
>
> I believe the minimum number of "real" qubits needed is about 350 for
> ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
> a LOT more quantum gates.
>
> Overall it's pretty hard to say which is easier to do, and would depend
> on more than the number of qubits a computer has. Quantum gates are
> noisy too, especially the ones which do entanglement.
>
>
>
> [1] I could be wrong here, I'm a bit out-of-touch. And these are
> _theoretical_ minimums, and even then estimates vary, a lot.
>
> In practice, realistically the best I've seen uses about 6,000 real
> qubits and 10^12 gates to break 2k RSA in months. You would also need a
> depth of about 10^11 (depth is the longest chain of quantum gates used,
> and they all have to work...)
>
>
> We are closer to getting to Alpha Centaurus and taming fusion than doing
> that.
>
>
> Peter Fairbrother
>
>
<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
They now believe they can build million-qubit processors using ultra-pure silicon.
1 |