The best known theoretical attack is Grover’s quantum search algorithm. As you pointed out, this allows us to search an unsorted database of n entries in √n operations. As such, AES-256 is secure for the medium term against a quantum attack; however, AES-128 can be broken, and AES-192 isn’t looking that good.
With the advances in computational power (doubling every 18 months), and the development of quantum computers, no set keysize is safe indefinitely. The use of Grover is just one of the gigantic leaps.
I would still class AES as quantum resistant, so long as the best-known attack is still some form of an exhaustive search of the keyspace.
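As an added illustration of the √n point above (example code written for this page, not from the article or any commenter): an exact amplitude simulation of Grover's search over a toy keyspace, where the oracle is a known-plaintext check. The cipher is a stand-in (XOR with the key, an assumption so that exactly one key matches), not AES; the scaling of the iteration count is what matters.

```python
import math

def toy_encrypt(key: int, plaintext: int, key_bits: int) -> int:
    """Stand-in cipher (assumption, not AES): XOR with the key, so for a fixed
    plaintext exactly one key maps to a given ciphertext."""
    return (plaintext ^ key) & ((1 << key_bits) - 1)

def grover_iterations(key_bits: int) -> int:
    """Optimal Grover iteration count, floor(pi/4 * sqrt(N)) with N = 2^key_bits."""
    return int(math.floor(math.pi / 4 * math.sqrt(1 << key_bits)))

def grover_key_search(key_bits: int, plaintext: int, ciphertext: int):
    """Simulate Grover's search over all 2^key_bits keys with real amplitudes.
    The oracle marks every key k with toy_encrypt(k, plaintext) == ciphertext.
    Returns (iterations, probability of measuring a marked key, most likely key)."""
    n = 1 << key_bits
    amp = [1.0 / math.sqrt(n)] * n        # uniform superposition over all keys
    marked = [k for k in range(n) if toy_encrypt(k, plaintext, key_bits) == ciphertext]
    iterations = grover_iterations(key_bits)
    for _ in range(iterations):
        for k in marked:                  # oracle: phase-flip the solution(s)
            amp[k] = -amp[k]
        mean = sum(amp) / n               # diffusion: reflect every amplitude about the mean
        amp = [2 * mean - a for a in amp]
    p_success = sum(amp[k] ** 2 for k in marked)
    best = max(range(n), key=lambda k: amp[k] ** 2)
    return iterations, p_success, best

def classical_expected_trials(key_bits: int) -> int:
    """Average trial encryptions for a classical exhaustive key search."""
    return (1 << key_bits) // 2

def effective_key_bits_under_grover(key_bits: int) -> int:
    """Grover halves the exponent: 2^k keys cost about 2^(k/2) oracle calls."""
    return key_bits // 2

if __name__ == "__main__":
    key_bits, key, pt = 8, 0xA5, 0x3C     # constructed sample: 8-bit key, one known plaintext
    ct = toy_encrypt(key, pt, key_bits)
    iters, p_success, guess = grover_key_search(key_bits, pt, ct)
    print(f"Grover: {iters} oracle calls, P(correct key) = {p_success:.4f}, guess = {guess:#04x}")
    print(f"Classical: ~{classical_expected_trials(key_bits)} trial encryptions on average")
    for bits in (128, 192, 256):
        print(f"AES-{bits}: roughly 2^{effective_key_bits_under_grover(bits)} Grover iterations")
```

The simulation reproduces the textbook result: after floor(π/4·√N) iterations the correct key is measured with probability close to 1 (about 0.96 for N=16, above 0.9999 for N=256), against N/2 trials on average classically. For AES-128 that is on the order of 2^64 sequential oracle calls, each a full quantum AES evaluation, which is why the comments below still treat AES-256 as the comfortable choice.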
I love how it did not at all explain what they broke. It mentioned “rectangle”? Whats that? How does it have any relation to AES? Because AES is NOT vulnerable to quantum computing. Did they get the key by knowing the ciphertext and the original data?
Yeah, appears propaganda-y, they even mention that “Despite the slow progress in general-purpose quantum computing, which currently poses no threat to modern cryptography”, very weird. Supposedly used Canadian technology.
Perhaps it’s: military grade (40 years ago)
It’d be nice if it, you know, linked to the actual paper. The article reads like it was written by someone who knows cryptography words but had no clue what they mean.
It was probably written by these fancy autocomplete things.
I have not been following the quantum computing attacks on cryptography, so I’m not current here at all.
I can believe that current AES in general use cannot be broken by existing quantum computers.
But if what you’re saying is that AES cannot be broken by quantum computing at all, that doesn’t seem to be what various pages out there say.
https://crypto.stackexchange.com/questions/6712/is-aes-256-a-post-quantum-secure-cipher-or-not
Interesting. I know things like SimpleX use padding to force each message block to be a multiple of 16KB
All we need to do to make AES secure is double the size of the key. That’s it.
And fix the fact that it’s really hard to implement without gaping side channel vulnerabilities, but that’s not really a quantum computer problem.
Bump AES to a min 1024 and you buy time.
How big are your packets at that point? Seems like you’re steadily clogging up your web traffic and setting yourself up for disruption vulnerability down the line if your only response is to inflate the size of every message.
It’s not enough to simply have your data be secure. You need it to be reliable. And larger packets require more bandwidth which means more robust hardware and more reliable transmission equipment. Also cuts into the viability of stealthy communications if you know the minimum transmission size of your adversary.
Then why are hashes secure?
Hashes don’t use encryption
Because hashes are deterministic one way functions - they’re generally one way only
Let’s say I hash a picture. It could go from 14MB to 128 digits of base 64 - there’s orders of magnitude less information in the hash than in the source data
Now - with that hash can you rebuild the picture? You’ve lost a great deal of information, you don’t necessarily even know the size or the format of the input.
Let’s set up an equation - x is the input (the photo), so hash_func(x) = hashx
There are multiple, maybe infinite (depending on the hashing function) values of x that will solve our equation. In the case of the photo, most of it will be random combinations of pixels that mean nothing to a human. There could also randomly be things that appear meaningful, but without knowing more about the original you could never be sure if you have the correct answer
Now, passwords might actually be shorter than the resulting hash, but we salt them so each password hash function works differently, and can still destroy information from the original password. Part of the password and the salt are then used as basically the seed for a deterministic random function to generate this extra information
Again, you have the dual problem of a huge problem space as well as an inability to be sure you have the original input or just another solution
Ultimately, everything is defeatable, and if you can narrow down the problem space (say, by knowing the length of a password, having enough known before and after data, or finding a bias in the algorithm), you can reduce the needed computations by orders of magnitude and make it feasible. Quantum computers also grow exponentially with chained qubits, so I expect someone clever will figure it out sooner or later
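Two of the points in the comment above, made concrete in added example code (not from any commenter): first, that `hash_func(x) = hash_x` has many solutions and an attacker who finds one cannot tell whether it is the original; second, that a salt makes the same password hash differently per user. The truncated SHA-256 is an assumption introduced so that preimages become findable in a loop; the candidate inputs and salts are constructed here.

```python
import hashlib

def short_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits: a toy stand-in (assumption) for a hash
    whose output is far shorter than its input, so preimages are findable."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") >> (256 - bits)

def find_preimages(target: int, bits: int, limit: int) -> list:
    """Every constructed candidate b'msg-<i>' (i < limit) whose truncated hash
    equals target. Nothing in the result says which one was the 'original'."""
    candidates = (f"msg-{i}".encode() for i in range(limit))
    return [m for m in candidates if short_hash(m, bits) == target]

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted, iterated password hash (PBKDF2-HMAC-SHA256 from the stdlib).
    The salt is mixed into every HMAC, so equal passwords with different salts
    give unrelated digests and precomputed tables do not transfer between users."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

if __name__ == "__main__":
    original = b"msg-0"                       # constructed 'photo'
    target = short_hash(original, 12)
    hits = find_preimages(target, 12, 100_000)
    print(f"{len(hits)} inputs out of 100000 share the 12-bit hash {target:#05x}; "
          f"the original is one of them and nothing distinguishes it")
    # constructed salts; in practice use os.urandom(16) per user
    salt_a, salt_b = b"\x00" * 16, b"\x01" * 16
    print("same password, salt A:", hash_password("hunter2", salt_a).hex()[:16] + "...")
    print("same password, salt B:", hash_password("hunter2", salt_b).hex()[:16] + "...")
```

With a 12-bit output and 100,000 candidates the loop turns up a couple of dozen inputs that all "solve the equation"; with the full 256-bit output the expected number of candidates per hit is 2^256, which is the whole argument. The salt demonstration is the same idea in reverse: the function is still deterministic, but the attacker has to redo the work for every salt.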
There’s Grover’s algorithm which can help in cracking the key.
https://crypto.stackexchange.com/questions/6712/is-aes-256-a-post-quantum-secure-cipher-or-not#7869
Regardless, everything sane uses 256 bit AES. Should be ok for now.
AES works with a shared key. This won’t work when you want to have an encrypted connection with a webshop (how would you get the key over there in a secure way?). For this you have asymmetric key algorithms such as RSA and ECDH. These algorithms can make a secure connection without anything preshared. Usually this is used to compute a shared key and then continue over AES. These asymmetric algorithms are at risk of being cracked with quantum computers.
My point is that AES isn’t untouched by quantum computing. We now have quantum-safe asymmetric key encryption, too.
Grover’s algorithm gives broad asymptotic speed-ups to many kinds of brute-force attacks on symmetric-key cryptography.
Source: https://en.m.wikipedia.org/wiki/Grover’s_algorithm#Cryptography
You attack kex, so DH or RSA (i.e. Shor’s), which we’re moving away from (very slowly).
ECC is better for similar key lengths, but you need lattice to really resist quantum.
My guess is they hit old RSA, still a standard but being deprecated everywhere.
You can’t really hit the S-boxes, they’re just this side of OTP.
Key exchange is mostly discrete logarithm, i.e. you use modulo to hide/destroy data making it hard for anyone to figure it out without guessing wildly.
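The "attack the kex, not the cipher" point made in the two comments above (shared key agreed with DH, then used for AES; the kex rests on the discrete logarithm), as added example code that is not from any commenter or from the article. The group is a deliberately tiny prime (an assumption, so the discrete log can be brute-forced in a loop; real deployments use 2048-bit or larger MODP groups or elliptic curves), the key derivation is HKDF built from the stdlib, and the symmetric key is only derived, not used for encryption.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): small prime so the discrete log is brute-forceable.
P = 1_000_003
G = 2

def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256, from the stdlib only."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def keypair():
    """Private exponent and public value G^priv mod P."""
    priv = secrets.randbelow(P - 2) + 1          # 1 <= priv <= P-2
    return priv, pow(G, priv, P)

def shared_key(my_priv: int, their_pub: int) -> bytes:
    """What each side does: raise the peer's public value to its own private
    exponent, then derive the 256-bit symmetric key that AES would use."""
    secret = pow(their_pub, my_priv, P)
    return hkdf_sha256(secret.to_bytes(4, "big"), b"toy-dh aes-256 key")

def brute_force_dlog(target: int) -> int:
    """Recover e with G^e == target (mod P) by walking the exponents. Infeasible
    for real group sizes classically; Shor's algorithm does it in polynomial
    time on a large enough quantum computer."""
    x = 1
    for e in range(P):
        if x == target:
            return e
        x = x * G % P
    raise ValueError("no discrete log found")

def eavesdrop(pub_a: int, pub_b: int) -> bytes:
    """Passive attacker who only saw the two public values on the wire and
    never touched AES: solve one discrete log, then derive the same key."""
    return shared_key(brute_force_dlog(pub_a), pub_b)

if __name__ == "__main__":
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    k_alice = shared_key(a_priv, b_pub)
    k_bob = shared_key(b_priv, a_pub)
    k_eve = eavesdrop(a_pub, b_pub)
    print("Alice and Bob agree:", k_alice == k_bob)
    print("Eve recovered the AES key from the kex alone:", k_eve == k_alice)
```

The point to take from the run is that Eve's key equals Alice's without any attack on the symmetric cipher; everything downstream (the AES session) is lost once the discrete log falls, which is why the migration effort goes into the key exchange (lattice-based KEMs) rather than into larger AES keys.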
The article says they hit AES, which doesn’t make much sense. Block ciphers aren’t vulnerable to QC in the same way as public key crypto. Even so far as Grover’s Algorithm would help at all, it’s far from being practical.
In many cases the key exchange (kex) for symmetric ciphers are done using slower asymmetric ciphers. Many of which are vulnerable to quantum algos to various degrees.
So even when attacking AES you’d ideally do it indirectly by targeting the kex.