Slashdot Mirror
Ask Slashdot: Post-Quantum Asymmetric Key Exchange?
First time accepted submitter LeDopore writes "Quantum computers might be coming. I'd estimate that there's a 10% chance RSA will be useless within 20 years. Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent. Are there any alternatives to RSA and ECC that are trustworthy and properly implemented? Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
ECC is AFAIK theoretically vulnerable (i.e. while there aren't KNOWN quantum gate implementations of ECC, there are no good reasons to think it is unfeasible).
McEliece and the Lattice-based stuff are promising, they just hadn't be as inspected as RSA yet...
I think the author's point is that data sent today could be sniffed, stored, and cracked in 20 years. Some of that data may still be sensitive in 20 years, so we need to switch now.
This 1978 crypto is supposed to be safe against quantum computers: http://www.technologyreview.com/blog/arxiv/25629/ (if that's the specific angle you're worried about). The downside is the key management because the keys have to be really really long (i.e. 20,000+ characters vs having a memorable passowrd or passphrase that you'd be able to use today).
Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?
Because the vast majority of us don't need to keep our data secure for the next century... Even for some of the most nefarious uses of crypto, merely lasting long enough to exceed the statute of limitations will suffice, and I'd put that as a serious fringe case.
Personally, I only use encryption for my financial documents and to make myself a more difficult target in the present (whether to identity thieves or the government or to my ISP trying to control my traffic). For the former, I consider basic access control (ie, keep it offline) as the first line of defense, and the encryption as a fallback; for the latter, if it takes even five minutes more effort than merely watching the wire, the crypto has done its job.
Even corporations don't tend to care about a scale longer than five years out (and that, only when they can even see past the next quarter)... Which leaves really only governments caring about how soon someone like Assange can find a way to embarrass the talking heads.
Well the person is an idiot. His estimation of 20 years is laughably naive.
My response to this statement is a quantum superposition of two thoughts:
A. I agree. A 20 year estimate is ludicrous. It's far too much time.
B. I agree. A 20 year estimate is ridiculous. It's far too short.
Quantum entanglement is being studied hard by bright people, who are publishing. I think that the technology is a ways off, and I expect that there are some limitations on entanglement. Being able to collapse 2^2048 super-positions seems a bit preposterous to me. I could be horribly wrong, but I have a feeling that there are going to be limits on how many "entanglements" can be made by a given subatomic particle.
I'm a bit more worried about someone who finally get's a eureka on factoring large numbers. Then the genie is out of the bottle, and no-one knows it. Heck it might already be cracked, and held as a state secret, only makes sense.
What would you do if you had a factoring algorithm that could factor a RSA number as fast as the generator could make them?
What would be the fallout?
Why is everyone still happy with SSH and RSA with the specter of a quantum menace lurking just around the corner?"
Because the sky isn't falling, chicken little?
I use SSH to keep someone from snooping my password, or hijacking my session to take over my servers.
I'm not so worried that someone is recording all of my SSH streams for future use in the hope that Quantum Computing becomes a reality and they can decode the stream and see that I typed "sudo service apache2 restart".
Clearly you know more than you're letting on since that's the exact command I ran over SSH on my server an hour ago!
I guess SSH is insecure after all, since you were able to break it so easily and post a line from my super secret command line session on Slashdot.
It's one time pads, all the way down!
You should keep in mind that although theoretically there may be efficient quantum algorithms for a variety of problems on which cryptographic schemes are based, in practice, the only one which has been found is factoring. So, yeah, RSA will become toast if we can get the number of qubits in a quantum computer up into the neighborhood of RSA key lengths (1024, 2048, 4096). But, exceedingly few of the other major cryptographic systems rely on factoring being hard. So, for example, Diffe-Hellman or El Gamal (both integer and elliptic curve versions for both) will probably not be appreciably easier to crack. So, there doesn't seem to be any serious reason to be worried about public key cryptography, just RSA. So changes to SSH are pretty straight-forward.
As for why people aren't worrying about it, my guess would be that most people don't follow quantum computing, and the few which do may have reason to wonder if we will ever actually reach the 1024 qubit size in a functioning quantum computer. A few years ago, I would've told people not to worry about it because I was following the state of the art and it was around 5 qubits and research had shown that under current models, you needed 9 qubits of output to reliably output 1 normal bit (if my memory is correct). So, we weren't even one 0.1% of the way to cracking RSA. These days, the number of qubits is higher, but it's still not clear how long it will be until we can actually functionally factor a 1024 bit number.
because most people estimate that the cost of putting a software of even hardware-based keylogger is cheaper today than quantum computing will be even when matures. ie, the powers that be, that need to keep tabs on you, already can keep tabs on you.
Any guest worker system is indistinguishable from indentured servitude.
Whatever the odds, some of the data we send over ssh and ssl today should remain private for a century, and we simply can't guarantee secrecy anymore using the algorithms with which we have become complacent.
If I may, I would like to quote the MC Frontalot song, "Secrets From The Future":
You can't hide secrets from the future
with math, you can try, but I'll bet that in the future
they laugh at the half-assed schemes and algorithms
amassed to enforce cryptographs in the past.
The rest of the song does a pretty good job of explaining exactly how absurd the entire concept of keeping data private, long-term (like, say, a century as suggested, or even twenty years when RSA is theorized to fall), entirely using encryption algorithms. Brings up points like how nobody's going to care about things like your shopping habits (as embarrassing as they may be), credit card transactions from cards expired twenty years previous, sensitive SSH streams decades old, etc. And that it's a moot point anyway, as it's impossible to predict technology out that far, so it's more than a bit futile to count on math to protect things on a time scale like that.
Best of all, your secret: nothing extant could extract it
By 2025 a children's Speak & Spell could crack it.
Demanding constant attention will only lead to attention.
I don't think the attacker is so much interested in the "sudo service apache2 restart" command but rather the response to the password prompt immediately following...
If he can break the RSA key exchange to get to the symmetric key encrypting my session, he can already log in as me, he doesn't need the password. But unless he gets his quantum computer within the next 90 days, I'll have already changed the password.
Different sort of quantum computer, it can't do general computing or schors algorithm, it's more like a quantum calculator, relegated to very specific statistical calculations rather than generic 3 bit computing.
There is no known attack on ECC using quantum computers.
This should not have been modded up, because it is blatantly false. The security of ECC relies on the presumed hardness of the discrete logarithm problem (in elliptic curves over finite fields). But Shor's algorithm can solve the discrete logarithm problem in ANY finite group (assuming you have an efficient way of operating on the group elements).