108

There's the recent article NSA seeks to build quantum computer that could crack most types of encryption. Now I'm not surprised by the NSA trying anything1, but what slightly baffles me is the word "most" - so, what encryption algorithms are known and sufficiently field-tested that are not severely vulnerable to Quantum Computing?

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
Tobias Kienzler
  • 7,578
  • 10
  • 43
  • 66
  • 14
    1) Yup, I wouldn't even be surprised if they had a secret department of fortune telling... – Tobias Kienzler Jan 03 '14 at 14:16
  • 2
    Quantum computers are still a ways off. The concept relies on using bits, that when unobserved, are both 1 and 0 and so able to calculate with all the values that can be represented in the given space -- with one calculation. As romantic as this sounds, I have yet to hear of a way to calculate with this bits while leaving them unobserved. – November Jan 03 '14 at 20:39
  • 1
    Don't assume that just because an organization the size of the NSA is trying to build something that they expect to successfully deploy one anytime soon. Because arms-races are races, often an organization will research something because they don't want to be just starting out when their competitors are deploying one. If the NSA builds up a brain-trust of people who know about quantum computing then they might be able to deploy one ahead of their competitors, and are less likely to be caught flat-footed. – Mike Samuel Jan 03 '14 at 22:49
  • My concern is not the NSA, who might just as well use some less pleasant meatworld methods to obtain one's secrets, but rather the implications of QC in general – Tobias Kienzler Jan 04 '14 at 08:32
  • Why wouldn't quantum computers also enable correspondingly stronger encryption? – mirimir Jan 04 '14 at 09:27
  • @mirimir Who claimed that? Of course there's Quantum Cryptography, but even once available not everyone will be able to afford it I assume, so it's still important to know what classical encryption one can rely upon even if potential eavesdroppers have Quantum Computers – Tobias Kienzler Jan 04 '14 at 15:30
  • 1
    Best to use OTP -in real world and for the virtual world use symmetric algorithms + 256bit keys. look at this http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance – Johny Jan 03 '14 at 18:02
  • @November Slightly modifying [this nice Gedankenexperiment](http://physics.stackexchange.com/a/3162/97), assume a friend of yours went outside before it got cold. Neither you or they know how many gloves (if any) they took with them, but both know where the remaining ones would be; and that, due to the severe cold, your friend would return home for the remaining glove(s) once they noticed some were missing. Assume the same for a friend your friend wanted to meet outside. Now observe whether some of their gloves are at home - and voilà you can determine whether they met outside or come home – Tobias Kienzler Jan 05 '14 at 10:33
  • 6
    @November Your knowledge is outdated. Computations on qbits *have* been performed. Just not very many. But there’s nothing “romantic” about this concept, it’s been demonstrated in practice. – Konrad Rudolph Jan 05 '14 at 16:38
  • Thanks for correcting me. This is very exciting, do you have a link that explains this more in-depth? – November Jan 05 '14 at 17:54
  • 1
    @November This just came out: http://arxiv.org/pdf/1512.02206v1.pdf It is a bit technical and requires a quite a bit of knowledge to be usable, but I guess most people here are :-) – flindeberg Dec 10 '15 at 10:16

5 Answers5

155

As usual, journalism talking about technical subjects tends to be fuzzy about details...

Assuming that a true Quantum Computer can be built, then:

  • RSA, and other algorithms which rely on the hardness of integer factorization (e.g. Rabin), are toast. Shor's algorithm factors big integers very efficiently.
  • DSA, Diffie-Hellman ElGamal, and other algorithms which rely on the hardness of discrete logarithm, are equally broken. A variant of Shor's algorithm also applies. Note that this is true for every group, so elliptic curve variants of these algorithms fare no better.

  • Symmetric encryption is weakened; namely, a quantum computer can search through a space of size 2n in time 2n/2. This means that a 128-bit AES key would be demoted back to the strength of a 64-bit key -- however, note that these are 264 quantum-computing operations; you cannot apply figures from studies with FPGA and GPU and blindly assume that if a quantum computer can be built at all, it can be built and operated cheaply.

  • Similarly, hash function resistance to various kind of attacks would be similarly reduced. Roughly speaking, a hash function with an output of n bits would resist preimages with strength 2n/2 and collisions up to 2n/3 (figures with classical computers being 2n and 2n/2, respectively). SHA-256 would still be as strong against collisions as a 170-bit hash function nowadays, i.e. better than a "perfect SHA-1".

So symmetric cryptography would not be severely damaged if a quantum computer turned out to be built. Even if it could be built very cheaply actual symmetric encryption and hash function algorithms would still offer a very fair bit of resistance. For asymmetric encryption, though, that would mean trouble. We nonetheless know of several asymmetric algorithms for which no efficient QC-based attack is known, in particular algorithms based on lattice reduction (e.g. NTRU), and the venerable McEliece encryption. These algorithms are not very popular nowadays, for a variety of reasons (early versions of NTRU turned out to be weak; there are patents; McEliece's public keys are huge; and so on), but some would still be acceptable.

Study of cryptography under the assumption that efficient quantum computers can be built is called post-quantum cryptography.

Personally I don't believe that a meagre 80 millions dollars budget would get the NSA far. IBM has been working on that subject for decades and spent a lot more than that, and their best prototypes are not amazing. It is highly plausible that NSA has spent some dollars on the idea of quantum computing; after all, that's their job, and it would be a scandal if taxpayer money did not go into that kind of research. But there is a difference between searching and finding...

forest
  • 64,616
  • 20
  • 206
  • 257
Thomas Pornin
  • 320,799
  • 57
  • 780
  • 949
  • 6
    +1, and wish I could give you +10 just for the last two sentences. With all the scandals about their abuses it's sometimes easy to forget that when all's said and done being able to spy on people is their *job* and what we're objecting to is their lack of restraint when doing it... – Shadur Jan 03 '14 at 16:22
  • 12
    +1 - Of course you might consider that with 80 million dollars, the NSA could just [hire goons to beat private keys out of most targets](http://xkcd.com/538/)... Then again they could have forced IBM and others to "volunteer" in providing their most secret research progress so far – Tobias Kienzler Jan 03 '14 at 16:34
  • @Thomas Pornin Is the complexity of searching a space decreased due to the uncertainty principle? I might be way off..... –  Jan 03 '14 at 17:56
  • 3
    @Rell3oT: the idea is that a qubit is a superposition of several states, and thus, _to some extent_, with one operation, several computations are done simultaneously. The uncertainty principle is another, rather unrelated expression of the fact that at the quantum level, what we think of as "matter" actually behaves like a probability distribution. – Thomas Pornin Jan 03 '14 at 18:02
  • Okay Thank you @ThomasPornin . What you described is what I thought the uncertainty principle was. Apparently I need to brush up... –  Jan 03 '14 at 18:08
  • 1
    Don't all this mean that if RSA can be broken that all TLS sessions with certificates are essentially broken as RSA is used to negotiate a symmetric key at the beginning of the session? Can we still have PFS? – Matrix Jan 04 '14 at 08:02
  • @Rell3oT Uncertainty boils down to that it is not sufficient to exploit the superposition of states but that you have to do it in a way that you can afterwards measure the entire result without changing the already measured part of it - e.g. if one bit were encoded in the x-coordinate and another one in that direction's momentum, you might still be screwed since measuring momentum (sufficiently precise) will _retroactively_ change the x-coordinate (maximum possible precision) you just measured and vice versa. Btw, check out http://physics.stackexchange.com ;) – Tobias Kienzler Jan 04 '14 at 08:37
  • 2
    @Matrix RSA (or DSA) is used for the server to identify itself, the key negotiation uses [Diffie-Hellman](https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange). But since that relies on the discrete logarithm just as DSA does, I guess it is just as vulnerable to Quantum Computing. However I'd be surprised if there weren't a way to use/modify the less QC-vulnerable methods for PFS – Tobias Kienzler Jan 04 '14 at 08:41
  • And what if the encryption was done on a quantum computer as well? – Jojo01 Aug 03 '16 at 18:19
  • 1
    @Jojo01: I think some encryption algorithms designed to run on quantum computers have been defined (I don't recall the details at the moment). They should resist attackers with quantum computers, but they also require a quantum computer to be used at all, and given the lack of availability of quantum computers right now, we cannot test them. Let's say they are an interesting intellectual construction that _might_ be useful in a future world where every single computer and smartphone is a quantum computer. – Thomas Pornin Aug 03 '16 at 18:40
  • @ThomasPornin Yeah, i think that quantum computing will improve account security, because the big companies will most likely be using quantum computers, that your typical hacker doesn't have. Of course when quantum computing gets to consumer lever, that advantage is lost and the situation goes back to zero. – Jojo01 Aug 03 '16 at 18:42
  • What about Serpent? I've read it won't be affected either. – skan May 04 '17 at 20:24
  • 3
    @skan: Serpent is a symmetric encryption algorithm; what I say about AES applies equally well to Serpent. In effect, it means that Serpent encryption with a 128-bit key could be broken with about 2^64 operations on a quantum computer (2^64 is already a very substantial amount on a classical computer). – Thomas Pornin May 05 '17 at 12:53
  • 1
    Having dealt with IBM a lot, it's my suspicion that they developed a quantum computer decades ago, but nobody can find the link for it on their website. – razethestray May 31 '18 at 14:15
  • "note that these are $2^64$ quantum-computing operations": also these operations must be sequential, meaning that your quantum computer has to be really fast ($2^64$ nanoseconds > 500 years). With $K$ parallel quantum computers you get a small speed up, but you still need time $\frac{2^64}{\sqrt{K}}$. See https://quantumcomputing.stackexchange.com/a/4538/5047 – qbt937 Jan 07 '20 at 22:56
  • Hey Thomas, do you think you may be able to post any updated info with the CISA/NIST guidance going out related to post-quantum cryptography? – cutrightjm Sep 07 '22 at 04:29
8

Quantum computing will make most dramatic impact on asymmetric encryption, but symmetric algorithms are considered safe with a large enough key size (256 bits). So, yeah, we'll have to reinvent x509/SSL by the time quantum computing really takes off (which is a large enough TODO), but there will be large areas of cryptography that will remain relatively safe.

http://en.wikipedia.org/wiki/Post-quantum_cryptography http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf

mricon
  • 6,238
  • 22
  • 27
6

When Cryptographers speak about quantum computer and post-quantum cryptography,actually they speak about power of Shor's algorithm in factoring numbers,so hard problems based on factoring number that are used for creating cryptosystems are broken with Shor's algorithm(quantum computer) so RSA,DSA,ELGamal,Diffie-Hellman Key Exchabge,ECC are vulnerable to Quantum Computing!

In public key cryptography,three schemes are quantum-secure:

  1. Lattice based cryptography like NTRUEncrypt;based on lattices
  2. code-based cryptography like McEliece cryptosystem;based on information theory
  3. multivariate cryptography like Hidden Fields Equations

and in symmetric encryption like AES,if you choose a long key;you are safe against quantum computer and NSA!

for future reading:Quanta magazine link and post-quantum cryptography book

-1

1-time pad remains the strongest, uncrackable (if used properly) encryption. Of course, you DO have to swap pad face to face, but I reckon 95% of people who require this level of security WILL meet before setting up secure communications.

Just specifying which 256-bit key to use for a particular message works perfectly and is used by the security services.

sean
  • 23
  • 1
  • 6
    This doesn't explain which types of encryption are not breakable by quantum computers, and so does not actually answer the question. – Xander Mar 14 '15 at 19:37
  • @Xander this answer says that the One-Time Pad method is unbreakable, which is a correct statement. – Count Iblis Mar 07 '16 at 16:02
  • 2
    I don't understand why this answer mentions 256-bit keys. Encrypting a 1024-bit plaintext with a 256-bit key is not using a OTP. – A. Darwin May 02 '16 at 18:22
-4

For added protection against the NSA, encrypt using AES chain block cipher mode, then encrypt the cipher text (the result from the first encryption) again, and repeat as many times as you can afford to repeat. The NSA would probably try brute force searching to go through the search space, and figure out they've cracked the code by determining the entropy of the result for each of the keys they test. They know when to stop when they see meaningful text as the result. By encrypting several times, you make it harder for them to determine when they have cracked a code because if they did try the right key, then they would see jumble as the result, almost indistinguishable from the results of the incorrect keys. As you increase the number of re-encryptions, the difficulty of cracking encrypting content becomes more difficult. The NSA will lose its mind trying to figure out when they have cracked the code.

Software like TrueCrypt can do multiple encryption for you. But beware of naive encryption that simply runs in "Electronic Code Book" (ECB) mode. You will need encryption that runs in one of the more sophisticated modes like "Chain Block Cipher" or "Cipher Feedback." Yes, a quantum computer would make it easier for the NSA to go through the possible keys to try. But by encrypting multiple times (with a DIFFERENT key for each encryption repeat of course), you make the search space difficult by a factor of the key length. Hopefully this helps you keep your stuff out of the NSA's reach.

Patrick M
  • 263
  • 1
  • 9
Bardeen
  • 1
  • 7
    The implications of applying multiple layers of encryption can be quite complex and in the worst case _reduce_ the individual layers' security - take for example `XOR`ing the entire message _twice_ - you end up with the original message! And even if you use two different keys, it's still equivalent to `XOR`ing with _one_ entirely different key. It's of course more complex with AES, but you'd really do yourself a favour by increasing the key size instead... – Tobias Kienzler Jan 04 '14 at 08:46
  • @TobiasKienzler That only applies to certain types of ciphers. For stream ciphers, as long as the nonce is different, everything is fine. For (most) block ciphers, it doesn't even matter if the key is different or not, though of course if the key is the same, you get no extra security. For something like AES, it is totally safe to do multiple encryption, it's just usually kinda silly and unnecessary. – forest Apr 17 '18 at 12:28
  • @forest Doing something silly and unnecessary _is_ unsafe, since you waste computational resources on something that doesn't truly increase security when appropriate usage of said resource could – Tobias Kienzler Apr 17 '18 at 12:31
  • @TobiasKienzler That is true. The increase in complexity can lead to bugs. I just meant that it was not unsafe in most cases in a purely cryptographic sense. – forest Apr 17 '18 at 12:33