Slashdot Mirror

← Back to Stories (view on slashdot.org)

1978 Cryptosystem Resists Quantum Attack

Posted by samzenpus on from the built-to-last dept.

KentuckyFC writes "In 1978, the CalTech mathematician Robert McEliece developed a cryptosystem based on the (then) new idea of using asymmetric mathematical functions to create different keys for encrypting and decrypting information. The security of these systems relies on mathematical steps that are easy to make in one direction but hard to do in the other. Today, popular encryption systems such as the RSA algorithm use exactly this idea. But in 1994, the mathematician Peter Shor dreamt up a quantum algorithm that could factorise much faster than any classical counterpart and so can break these codes. As soon as the first decent-sized quantum computer is switched on, these codes will become breakable. Since then, cryptographers have been hunting for encryption systems that will be safe in the post quantum world. Now a group of mathematicians have shown that the McEliece encryption system is safe against attack by Shor's algorithm and all other known quantum algorithms. That's because it does not depend on factorisation but gets its security from another asymmetric conundrum known as the hidden subgroup problem which they show is immune to all known quantum attacks."

39 of 185 comments (clear)

  1. Re:Timeless saying applies here... by Jack9 · · Score: 2, Insightful

    > If it can be engineered, it can be reverse-engineered.

    How does that apply to this article, in any way?

    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
  2. Hidden subgroup problem is under active research by da+cog · · Score: 5, Informative

    It is worth noting that solving hidden subgroup problem is a subfield of quantum computing that has been active for a while. Although we can't figure out how to solve it in general, we can solve specific instances of it; for example, I think that factorizing is one such instance.

    Thus, I suspect that we will eventually figure out a way to break this encryption. Even if we do, though, these mathematicians still get credit for giving us a new instance of the hidden subgroup problem to try and solve, which may give us additional insight into the extent to which the general problem can be solved by a quantum computer.

    --
    Snarkiness is inversely proportional to wisdom because it emphasizes feeling right rather than being right.
  3. ElGamal?? by neiko · · Score: 4, Interesting

    Would ElGamal also be immune since it's based on Discrete Logarithms?

    1. Re:ElGamal?? by mrnobo1024 · · Score: 5, Informative

      No - both prime factorization and discrete logarithms can be done in polynomial time with a quantum computer.

  4. conspiracy theory by craftycoder · · Score: 4, Interesting

    I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop on the PGP of our enemies. Would it be possible to develop one of these in secrecy?

    1. Re:conspiracy theory by Anonymous Coward · · Score: 2, Funny

      No. Nothing to see here.

    2. Re:conspiracy theory by woolpert · · Score: 5, Insightful

      I wonder if "THEY" already have one of these quantum computers and are keeping a lid on it so they can snoop on the PGP of our enemies. Would it be possible to develop one of these in secrecy?

      Simplistically:
      If THEY bought out 50% of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would only have a 50% chance of having one first.

      More realistically,
      If THEY bought out a significant percentage of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would likely only be a few months / years (at best) ahead.
      And since the outlook on the QC front is rather bleak (in terms of a functional QC with any real power) the odds are strongly in favor of THEY not having squat.

      Especially in today's world it isn't like top researchers are fragmented and isolated. In the past it was possible for a governmental organization to use its greater vision to collect isolated researchers and be the first to introduce them to each other, magnifying their individual efforts. Today everybody who is anybody in these fields is at least aware of the others, if not following closely.

    3. Re:conspiracy theory by Anubis+IV · · Score: 2, Insightful

      Of course, your point doesn't consider the fact that the information sharing only goes one way. If THEY come up with something new, it's not always put back out into the field where it can be worked on by others and built upon. If THEY then find something new, THEY can be the first and only ones building upon it, and THEY do not have to sacrifice the ability to build on everything else that is coming out in the field as well. If that something new is a breakthrough concept, then THEY may be able to build a lead of years or decades. Of course, as you pointed out, researchers tend to be much more aware of what is going on these days than in the past, due to the speed and ease of communication, which reduces both the likelihood of THEM getting a breakthrough first and also reduces the time that THEY will likely be the only ones exclusively holding that knowledge. Despite that, I seem to recall hearing stories of various encryption ideas the NSA developed in the '70s and '80s which weren't developed in the open until the late '90s and early 2000s (sorry, no citation).

    4. Re:conspiracy theory by euxneks · · Score: 2, Funny

      Simplistically: If THEY bought out 50% of the researchers in the field, without arousing suspicion amongst those who turned down the offer, THEY would only have a 50% chance of having one first.

      Unfortunately, that same 50% chance collapsed to a more stable 0 once observed.

      --
      in girum imus nocte et consumimur igni
    5. Re:conspiracy theory by garyebickford · · Score: 2, Informative

      Only 50,000 sq. ft.? Times have changed, computers are getting smaller as they get bigger. Back in the day, that was a mid-size corporate server farm. Of course now, that's a lot more computing power.

      As for power, most secure computing facilities have their own power generation capability - if nothing else then just a motor-generator to assure clean power all the time. An old Army base's power system is not likely to be up to the standards of today for this purpose.

      There's a facility in the wilds east of Bend OR that was built in the 1980s as a backup government facility in case of nuclear war - this is where the Western governors and such were going to hang out till the radiation in the big cities got down to a reasonable level. It has about 40,000 sq. ft. of raised floor, plus a couple of acres worth of space for people, with food and everything you need for 150 people for a year, four hidden satellite dish platforms, four diesel generators each the size of a large room, and a fuel supply the size of an Olympic swimming pool.

      --
      It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  5. Re:Timeless saying applies here... by kalirion · · Score: 4, Insightful

    If it can be engineered, it can be reverse-engineered.

    That only works for "security through obscurity" type of problems. A good encryption should not be "solvable" - it must be brute forced. The question is how expensive the brute force method is in processing power and time.

  6. Re:Timeless saying applies here... by da+cog · · Score: 5, Insightful

    It doesn't apply to this article. The way that one typically breaks a cryptosystem is not by reverse engineering (which is not even meaningful here, given that the algorithm is already completely open), but by finding a clever new way to solve the mathematics underlying the system using less information than the designers of the system had thought was needed.

    --
    Snarkiness is inversely proportional to wisdom because it emphasizes feeling right rather than being right.
  7. Re:Can be broken? by Reason58 · · Score: 2, Informative

    This is not a brute-force attack. The article refers to a method of deriving the private key from the public key (which is available for anyone to download).

  8. If you want to test it by Atmchicago · · Score: 4, Funny

    Send a bunch of encrypted e-mails containing questionable content and see if anyone comes knocking at your door. And be sure to not send any questionable content unencrypted, or to give any other reasons for them to show up.

    --

    You can lead a horse to water, but you can't make it dissolve.

    1. Re:If you want to test it by fishexe · · Score: 3, Funny

      Send a bunch of encrypted e-mails containing questionable content and see if anyone comes knocking at your door. And be sure to not send any questionable content unencrypted, or to give any other reasons for them to show up.

      But how will I know they're not just knocking at my door out of a desire to make my acquaintance?

      --
      "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    2. Re:If you want to test it by Anonymous Coward · · Score: 5, Interesting

      Even then, they would probably spend a long time creating other circumstances in which to pick you up that would give plausible deniability as to how they caught on.

      One can google one's own references as I'm sort of lazy today, but a good example: the British had thoroughly broken Enigma during WWII, and at one point in the war knew where -every- German U-boat was. This created a dilemma for them: should they act on this information, and if so, how to do it without tipping their hand? If they just went and rounded up every single one, it would be pretty obvious that the code had been broken.

      What they did, according to the stories, is send out disinformation that a) they had ramped up production of a bunch of new long-range sea-spotting planes (they didn't, they only had the resources for a few); and b) these planes would fly near where they already -knew- the U-boat was, and 'spot it' (making sure it was obvious they'd been seen by the U-boat itself before flying back). The British were also careful not to find too many U-boats -- only the ones that they needed out of the way for critical operations. The Germans were convinced they just had really bad luck and were the victim of a very expensive and thorough patrol system by the British.

      If the guys in dark suits can crack PGP, Blowfish, etc. easily, they won't obviously act on it until they first get dirt on you via other means. :p

    3. Re:If you want to test it by c6gunner · · Score: 5, Funny

      But how will I know they're not just knocking at my door out of a desire to make my acquaintance?

      Easy. If they use your door knocker, they want to make your acquaintance. If they bring their own, they're coming for more than tea and crumpets.

    4. Re:If you want to test it by geggo98 · · Score: 2
      Better yet: The Brittish military created an urban legend, still famous today. They spread the word that eating carrots would improve vision and this would help them to spot submarines more easily. Although this was not done to cover that they broke Enigma, but to hide the fact that they invented radard. (Source)

      But the fact remains: To hide an invetion they used misinformation. And they did it so well, that it is still effective today.

  9. Re:Good but not great by pushing-robot · · Score: 5, Informative

    Feel secure again. Only a variant was broken.

    --
    How can I believe you when you tell me what I don't want to hear?
  10. New assymetric algorithms needed? by mlts · · Score: 4, Interesting

    Symmetric algorithms are at least in their second generation (DES/Lucifer now AES) of production use, with decades of study and close analysis by a lot of good minds.

    Asymmetric algorithms are still essentially the first generation. Take RSA. It has been out for so long that its patent has expired more than 15 years ago. Even elliptic curve cryptography has been out at least 20 years, because the NeXT had it in NeXTStep 3.0 (and ended up getting pulled out of the OS due to ITAR).

    Even cryptographic hashes have been through a number of iterations. We had MD4, then MD5, then SHA-1, then SHA-256, now are looking for something to replace SHA, similar to how Rijndael replaced 3DES and DES.

    Maybe it is time to have a contest to have a standard asymmetric algorithm to replace RSA, DSS, and ElGamal? Something fundamentally designed to resist quantum computer attack as well as other threats.

    1. Re:New assymetric algorithms needed? by mlts · · Score: 2, Informative

      Three reasons:

      1: Public keys are not just used for real time exchanges. Public keys are sometimes used for data archiving where the private keys are held in an offline area. Same with keys that sign programs to detect tampering.

      2: Quantum links are really, really slow. Instead of a one time pad, realistically you want to generate a key through the secure channel via a Diffie-Hellman handshake that is used for some time then chucked (like for a transaction or for a chunk of data.) Then send the bulk data through a standard link.

      3: Quantum key exchanges have had some issues that could allow an attacker to get knowledge of the key.

      4: One would have to drop parallel pipes everywhere that supported quantum channels. It is hard to get ISPs to drop one chunk of fiber, much less the fiber needed to interconnect for the secure quantum channels and the partial photons.

      5: There is the issue of trust. You can set up a quantum exchange with another machine and come up with a key that you know hasn't been touched... but is that really your bank, or is it some site in Elbonia that is patched in? Quantum key selection won't help you here in knowing that you are talking to the right host.

      Regardless, even if we had secure point to point connections via quantum key generation and bulk tunnels, public key cryptography is still an important part of life, even if it to sign documents and ensure they won't be tampered with.

    2. Re:New assymetric algorithms needed? by FrangoAssado · · Score: 2, Insightful

      What you're describing is a NP-complete problem -- assuming P != BQP != NP. But I'm guessing that you already know that :)

      Still, it's still very hard to build a cryptosystem that exploits the hardness of solving NP-complete problems. The main problem is, NP-completeness only guarantees that some instance of the problem is hard, it says nothing about a specific instance. So, for instance, if you have a specific 3-SAT formula, there's no guarantee someone can't come up with a solution for it in polynomial time.

      That being said, there are some candidates for a cryptosystem based on NP-completeness. Check for example the McEliece cryptosystem.

  11. The article agrees with you by fishexe · · Score: 5, Informative

    Thus, I suspect that we will eventually figure out a way to break this encryption. Even if we do, though, these mathematicians still get credit for giving us a new instance of the hidden subgroup problem to try and solve, which may give us additional insight into the extent to which the general problem can be solved by a quantum computer.

    From TFA:

    However, it's worth pointing out that while the new work guanratees safety against all known quantum attacks, it does nothing of the sort for future quantum attacks. It's perfectly possible that somebody will develop a quantum algorithm that will tear it apart as easily as Shor's can with the RSA algorithm. "Our results do not rule out other quantum (or classical) attacks," says Dinh and co.

    --
    "I don't care about the Constitution!" --Bill O'Reilly, November 17, 2009
    1. Re:The article agrees with you by DarkKnightRadick · · Score: 5, Funny

      You read the article?!

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  12. It's "Caltech", not "CalTech" or "Cal Tech" by 3.1415926535 · · Score: 2, Informative

    Seriously, Slashdot gets it wrong EVERY TIME. Next time, would it kill the editor to go to http://www.caltech.edu/ and, you know, read any of the words on the page?

    1. Re:It's "Caltech", not "CalTech" or "Cal Tech" by Anonymous Coward · · Score: 3, Funny

      Pidantic much? {sic}

  13. Re:Timeless saying applies here... by Frequency+Domain · · Score: 5, Insightful

    Actually, with really hard-core crypto systems there are three traditional ways to break them: 1) rubber hose; 2) dumpster diving; or 3) box of chocolates/bouquet of roses.

  14. Re:Timeless saying applies here... by ae1294 · · Score: 2, Funny

    Actually, with really hard-core crypto systems there are three traditional ways to break them: 1) rubber hose; 2) dumpster diving; or 3) box of chocolates/bouquet of roses.

    What no wad of Cash xor hookers & blow?

  15. Early connection? by steve_bryan · · Score: 5, Interesting

    A sociological observation is that Shor was an undergrad at Caltech when McEliece was a professor there formulating the cryptosystem that would resist the quantum algorithm that Shor would develop years later. I wonder if knew each other.

  16. Secure encryption by SnarfQuest · · Score: 2, Interesting

    The only encryption method I've heard about that has not been found to be breakable is the one time pad. This method has the problem of exchanging the pads beforehand.

    All of the major encryption machines used during WWII appear to have been broken. The new encryption methods are currently much harder to break, but the spooks are likely to discover some innovative method to break such algorithms.

    Current methods using large prime numbers sounds like they are soon (next few decades) to be broken. If we got into a war where breaking these methods became important, I'm sure that quantum computers would soon become available, if they aren't already. Even if quantum algorithms aren't available, someone might come up with a way to calculate prime factors using a bacteria colony through DNA molecules. A method may cost a million dollars per factor found, but sometimes that is small change for the information gained.

    I'm sure that there are groups looking for the next level of encryption. Something that isn't compatible with quantum methods, or requires it to reverse the encrypted data. Making it take longer and be more expensive to break is the goal of encryption.

    --
    Who would win this election: Andrew Weiner vs Andrew Weiner's weiner.
  17. Re:Good but not great by alphatel · · Score: 2, Informative

    Feel secure again. Only a variant was broken.

    The date of your document July 2008 precedes the successful decryption in October 2008.

    --
    When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
  18. Re:Timeless saying applies here... by sznupi · · Score: 2, Funny

    W8, why both of them wouldn't work?

    --
    One that hath name thou can not otter
  19. Re:Timeless saying applies here... by treeves · · Score: 3, Interesting

    That falls under the generalization of (3).
    (1) Threat/intimidation/violence
    (2) Exploit a careless mistake
    (3) Bribery/persuasion

    I suppose (1) and (3) even could blur together into "influence" (negative and positive).

    --
    ...the future crusty old bastards are already drinking the Kool-Aid.
  20. Re:Timeless saying applies here... by ae1294 · · Score: 3, Funny

    WTF... OK... I can deal with slashdot being overrun by morns who know little but act big, but now we have to put up with text-ese ?

    His UID is lower than yours so shouldn't it be "I can deal with that slashdot was overrun by morns who knew little when I signed up. (eol)"

  21. Feed him some cat food by A+nonymous+Coward · · Score: 3, Funny

    Maybe he did, maybe he didn't.

    --
    Infuriate left and right
  22. Introduction to post-quantum cryptography by Anonymous Coward · · Score: 2, Informative

    There is an old paper, written by DJB, which gives a quick introduction to some (this and) other quantum computer resistant encryption methods: Introduction to post-quantum cryptography

  23. Re:Timeless saying applies here... by garyebickford · · Score: 2, Interesting

    It's worth noting that social engineering is quite often the cheapest method. I was at a conference back in 1999, where a Navy guy pointed out that in 'red team' testing, they'd found that the typical Systems Administrator would roll over for an average of $7000. No, I don't know how the details of how they conducted the test.

    One could argue (or hope) that _most_ SysAdmins these days are more cognizant of the risks, so probably not as casual as they used to be.

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
  24. Let's just back up a moment. by fyngyrz · · Score: 2, Interesting

    A good encryption should not be "solvable" - it must be brute forced.

    How do you brute force (or solve) a one-time pad, where the pad was created from random atmospheric noise or any other truly random source?

    [...]

    ...that's what I thought. You can (a) beat the message out of the sender or receiver, (b) sweet-talk the message out of the sender or receiver, or (c) steal the pad ahead of time (proper use of OTPs requires they be destroyed when used.) But you can't brute-force it or solve it. It's unbreakable. Properly implemented, you can't even determine the symbol size. And it's *easy* to implement; any PDA or phone has the horsepower to encode using OTPs to any size message these days, and what's more, to stick it nicely inside a JPG or PNG or MPEG or something as a LS-bitstream and fire it off, at the same time destroying the source OTP and *any* hope an interceptor has of breaking it.

    The only downside (and it's really not much of a downside) of OTP technique is that you need the pads before you need the message. However, I actually can't think of a situation where that would seriously inconvenience modern users of the technique.

    Oh, and how do you unbreakably update OTPs in the field? Easy: You encrypt them with the last/reserved OTP the other end has. Cyclic encryption of truly random numbers? Incomprehensible. It's just another 100% opaque data stream. Done deal.

    --
    I've fallen off your lawn, and I can't get up.
  25. Re:I'm sorry, I'm an idiot- by NonSequor · · Score: 2, Interesting

    No, it doesn't brute force every possible combination. You can perform an operation on a superposition of all possible k-bit strings, but you can't actually get all of the 2^k outcomes of that operation. If you measure the result, you'll get one of the 2^k outcomes at random.

    Basically you start from that superposition of k-bit strings, then you apply some operations to that state so that all of the the correct answers are in phase with each other and constructively interfere. Effectively, you can only apply this kind of speed-up if you can exploit the numerical properties of the problem to ensure that this happens.

    --
    My only political goal is to see to it that no political party achieves its goals.