Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Is Working To Safeguard Chrome From Quantum Computers (theverge.com)

Posted by msmash on from the safety-first dept.

Quantum computing could potentially someday be used to retroactively break any communications that were encrypted with today's standard encryption algorithms. Google realizes this, and hence, is ensuring that it doesn't happen. Today, it announced that it has begun to deploy a new type of cryptography called the New Hope algorithm in its Chrome Canary browser that is designed to prevent such decryption attacks. From a report on The Verge: Although quantum computers of this variety are only small and experimental at this stage, Google is taking precautions for the worst case scenario. "While they will, no doubt, be of huge benefit in some areas of study, some of the problems that they [quantum computers] are effective at solving are the ones that we use to secure digital communications," writes Matt Braithwaite, a Google software engineer, in a blog post. "Specifically, if large quantum computers can be built then they may be able to break the asymmetric cryptographic primitives that are currently used in TLS, the security protocol behind HTTPS." In other words, quantum computers could undermine the security of the entire internet. Quantum computers promise computational power far exceeding today's standards by taking advantage of the underpinning physics discipline. So the presence of a hypothetical future quantum computer, Braithwaite adds, puts at risk any and all encrypted internet communication past or present. It's unclear how secure New Hope (PDF) will prove to be for Chrome, and Braithwaite admits it could be less secure than its existing encryption. But Google says New Hope -- developed by researchers Erdem Alkim, Leo Ducas, Thomas Poppelmann and Peter Schwabe -- was the most promising of all post-quantum key-exchange software it looked into last year.

36 of 65 comments (clear)

  1. Quantum still around...? by __aaclcg7560 · · Score: 1, Funny

    I wouldn't buy Quantum Bigfoot hard drives back in the day. I'm sure as hell not buying a Quantum computer any time soon.

    1. Re: Quantum still around...? by WarJolt · · Score: 1

      I'd only buy one if it fit in a 5.25-inch bay.

    2. Re: Quantum still around...? by __aaclcg7560 · · Score: 1

      I'd only buy one if it fit in a 5.25-inch bay.

      I used to find Bigfoot drives in Compaq systems. The last 5.25" hard drive I owned was a 20MB RLL for an IBM AT.

    3. Re: Quantum still around...? by RuffMasterD · · Score: 1

      They did fit into a 5.25 inch bay. Mine was 1.2GB! One of the most attractive designs I have ever seen in a HD. Also the only HD I had that spectacularly failed. I seem to remember at the time they had a reputation for failing. Maybe something to do with the platter size, and the reason we don't have 5.25 inch HDs anymore.

      --
      Human Rights, Article 12: Freedom from Interference with Privacy, Family, Home and Correspondence
  2. security of the Internet? by DogDude · · Score: 2, Insightful

    "security of the entire internet."

    The author of this nugget doesn't know, apparently, that the Internet was never designed to be secure, and any attempt to make it so will inevitably fail. The Internet was designed to facilitate the OPEN exchange of information.

    --
    I don't respond to AC's.
    1. Re:security of the Internet? by Anonymous Coward · · Score: 1

      What defeatist nonsense. In your world, no one should even try to encrypt communications or study the math behind it, because DogDude on slashdot says the Internet wasn't designed for security. Shut the fuck up.

    2. Re:security of the Internet? by Anonymous Coward · · Score: 1

      192.168.0.1

    3. Re:security of the Internet? by umghhh · · Score: 1

      this may or may not be. 127.0.0.1 is more likely to be there.

    4. Re:security of the Internet? by sexconker · · Score: 1

      It's not defeatist, it's correct. A secure line needs to be physically secured and controlled and carry traffic directly from A to B only. This is unfeasible to do on the scale of the internet. So we rely on encryption and hope that it keeps things private enough for long enough. It does not make the connection "secure".

    5. Re:security of the Internet? by LichtSpektren · · Score: 3, Informative

      "security of the entire internet." The author of this nugget doesn't know, apparently, that the Internet was never designed to be secure, and any attempt to make it so will inevitably fail. The Internet was designed to facilitate the OPEN exchange of information.

      Who cares about the security of the Internet per se? Peak and tamper with the tunnels as much as you want, so long as the data is encrypted and signed then it makes no difference.

    6. Re:security of the Internet? by Anonymous Coward · · Score: 3, Informative

      A secure line needs to be physically secured and controlled and carry traffic directly from A to B only.

      Nonsense. The entire point of modern public key cryptosystems is to allow secure communication over non-secure links. This secure channel can even be established without private key exchange - hence the name.

    7. Re:security of the Internet? by skids · · Score: 1

      I could see an argument to the point that calling a medium that can be DoSd "secure" does not meet muster if you consider reliability part of "security."

      But for common use cases "secure" just means aaa, integrity, and confidentiality are protected, and modern crypto suites guarantee this against all known non-quantum attack mechanisms, and the new stuff rolling out is a first shot at killing all known quantum-computing-based mechanisms. For any use case where the security only needs to last a couple decades, the state of the art, if not the state of the installed base, is doing pretty well.

      Science-wise, there's a good chance quantum encryption will develop faster than quantum computing as well, which will render it possible to transmit across untrusted nodes without breaking these security guarantees on a raw physics level. Economically, though, the case for wide-scale deployment will be weaker probably than it will with quantum computing capabilities -- basically, the financial sector will likely be the only ones willing to pay for it.

      --
      Someone had to do it.
    8. Re:security of the Internet? by NatasRevol · · Score: 1

      Also, 169.254.0.0/16 and/or fe80::/10

      --
      There are two types of people in the world: Those who crave closure
    9. Re:security of the Internet? by Plus1Entropy · · Score: 1

      encryption is just some bolted-on technique

      I'm not trying to be an asshole, but this statement shows that you need to learn a lot more about cryptography. It has nothing to do with the medium. Mathematical operations are performed on the data. There is even the concept of perfect secrecy, which has been mathematically proven. The channel can be as insecure as you like, you could shout the ciphertext from the rooftops, it doesn't matter.

      Haven't you ever heard of numbers stations?

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  3. post-quantum by Anonymous Coward · · Score: 2, Funny

    Post-Quantum cryptography, but still can't give us an option to disable middle click scrolling on Windows.

  4. fox guarding the chicken coop by TheGratefulNet · · Score: 2, Insightful

    somehow, I don't fully trust google to safeguard ANY privacy.

    I know they have the financial ability to do major work like this, but their results are 100% untrustable, given WHO they are and WHAT they do.

    damn. we could use a good ally on the freedom trail; but google will NEVER be it.

    --

    --
    "It is now safe to switch off your computer."
    1. Re:fox guarding the chicken coop by LichtSpektren · · Score: 2

      somehow, I don't fully trust google to safeguard ANY privacy.

      I know they have the financial ability to do major work like this, but their results are 100% untrustable, given WHO they are and WHAT they do.

      damn. we could use a good ally on the freedom trail; but google will NEVER be it.

      You're not wrong, but Google's cash cow is that they are the exclusive broker of your personal information to advertisers. So it's in their best interest to keep their services secure, because (a) they don't want you going to some other service that's more secure, (b) they don't want your personal info leaking to somebody else [since its sole value to Google is that they hold it exclusively].

    2. Re:fox guarding the chicken coop by fuzzyfuzzyfungus · · Score: 1

      It's really worth keeping a precise distinction in mind when talking about Google and privacy:

      Google is clearly hell-bent on being as much of an Orwellian data overlord as possible; so trusting them to design products in such a way that they don't tend to leak data to Google during the course of routine use is foolish.

      However, Google's approach to gathering alarming amounts of data is usually to make themselves attractive enough that they get invited in to the system(eg. gmail, google voice, 'free' google analytics for website operators, 'benevolently' hosting common javascript libraries so that you can save yourself bandwidth at the minor cost of inserting Google into every page load, that sort of thing.) They get the target to 'agree'(certainly they'll exploit ignorance and product tie-ins to do this, they are hardly committed to some idealistic vision of contracts between fully informed equals); rather than compromising the target's security and malwareing the data out. Presumably this is both because that would probably open them to legal exposure; and because an "insecurity and hacks" data collection mechanism would open the field to Google competitors who would do none of the work but get the same data just by compromising the system.

      Because of this; Google actually tends to be pretty respectable in terms of design and implementation; sometimes even notably superior, in terms of quality of implementation and resistance to unauthorized 3rd parties. Chrome routinely scores very well in browser security comparisons, ChromeOS is also quite solid; Android usually doesn't turn into a dumpster fire until 3rd parties get involved, Gmail is better than an alarming number of sites about support for 2 factor authentication, and so on. It's just that all their products and services are designed to put them 'in the loop' by default and if you want everything to work smoothly, so that they have no need to compromise the system; because they are a trusted part of it.

      If given the choice between a design where there is no need for anything to talk to the mothership and a design that relies on a Google account and being logged into Chrome and so on; they'll choose the latter every time; but when they set out to keep unauthorized parties out; they usually mean it, though they work to ensure that they are not 'unauthorized parties' in as many real world use cases as they can.

  5. A New Hope? by R3d+M3rcury · · Score: 1

    [...] a new type of cryptography called the New Hope algorithm [...]

    Maybe it's just me, but I have some reservations using an encryption technology with the word "Hope" in the name--as in, "We really hope this works." It's kind of like PGP, "Pretty Good Privacy." It's not great, but it's pretty good.

    Granted, what's in a name? Take the same encryption and call it "Anti-Quantum Encryption" and I'd probably be on board.

    1. Re:A New Hope? by jfdavis668 · · Score: 1

      Just like Star Wars Episode IV

    2. Re:A New Hope? by Megahard · · Score: 5, Funny

      That's because they are trying to fight The Quantum Menace.

      --
      I eat only the real part of complex carbohydrates.
  6. Wha--? by Anonymous Coward · · Score: 3, Insightful

    Why do you feel the need to keep repeating this? Do you think doing so will suddenly make it true?

    Ever hear of cryptography? Ever hear of IPSec, for example, not to mention the numerous protocols- TLS, PGP, SSH, the Signal protocol, etc. etc. etc.? What about the underlying nature of "the Internet" are you saying makes security layers on top of it "inevitably fail?"

    1. Re:Wha--? by LichtSpektren · · Score: 2

      Secure enough for most things, yes. Until that encryption is broken or the implementation has back doors built into it or flaws discovered.

      Yeah, alright, but by that logic, nothing is really secure, because it's only secure *until* some vulnerability is found.

      When people talk about "security," they don't mean some Platonic Form that signifies some absolute and eternal protection in all cases. Practically, however, the best modern forms of encryption are reasonably secure enough that you can rely on them, moreso than any kind of physical lock-box.

    2. Re:Wha--? by Dutch+Gun · · Score: 2

      Layering encryption on top of an unsecured line and that is dynamically routed/switched and co-mingles signals from others doesn't make the internet a secure communication medium.

      I think perhaps you're conflating the transportation mechanism with the content itself. The internet was *designed* to layer different content and protocols on top of simple, insecure, and even *unreliable* transport protocols.

      If you're talking about remaining anonymous on the internet, no, we don't yet have a reliable way to do that, because ultimately you need to give someone your IP address to receive content back. If you're talking about securing content transmitted over the internet, then yes, we absolutely have a reliable way to do that - so far as we know.

      You neither have control over the pipe nor what the router at the end of it does.

      And that doesn't matter at all. I'm perfectly happy to blast my encrypted traffic over the internet or even over the air where anyone can listen to it, because all they'll hear is the initial handshake followed by a whole lot of pseudo-random noise. It sounds like you're saying that you believe you need a secure, dedicated line to secure your traffic. If so, either this means you don't understand how modern encryption works, or you're trying to play the cool pessimist by saying "well, someone could find a flaw" (which is like claiming airline travel is not safe because airplanes occasionally crash). No decent encryption scheme should rely on a secure transportation mechanism, because that's more or less impossible... or at least impractical... with today's technology.

      Security isn't a black and white issue, because you can never actually prove something is secure. It's about degrees of confidence that can only be established over time and lots of cryptographers and researchers trying to break said security. At the moment, we have a pretty high degree of confidence in TLS, because we haven't yet seen a single example of anyone breaking it. Unless you think all the government complaining about the internet "going dark" is a false flag operation, that's a pretty good indicator that no one has been able to break modern encryption methods.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  7. It's not computational power by cfalcon · · Score: 4, Informative

    It's not really fair to call what a quantum computer does "computational power", is it? If you factor N by trying all the integers greater than one and smaller than M= floor( square root ( N ) ), you will eventually find the answer, and the more computational power you have, the faster you can race from 2 to M. Using Shor's algorithm on a quantum machine, you don't actually end up doing all of the intervening computation, but you do get the answer. But that doesn't mean you can automatically take any set of problems and "solve them all at once", because that isn't really what is happening. It's not computational power in that sense, right?

    1. Re:It's not computational power by cdrudge · · Score: 2

      According to media reports and Hollywood, quantum computers will be able to do anything normal computers do instantaneously. Find the last digit of pi, divide by 0, factor N where N = infinity, decrypt any and every unknown encryption algorithm, etc.

    2. Re:It's not computational power by iris-n · · Score: 1

      Yep =)

      What you are arguing against is a very common, and very wrong, way to explain how quantum computers work. It is notoriously hard to explain it concisely, but even Trudeau did better than that.

      You do start by putting all the solutions of the problem in a superposition, but that in itself doesn't help, as if you just try to read it off you will get a random solution. And a random solution you could get just by running a classical computer with a random number generator.

      What you have to do is make all the solutions interfere, a delicate coreography of wrong solutions cancelling each other and correct solutions being reinforced. After that you make a measurement, and get a correct solution with high probability.

      --
      entropy happens
    3. Re:It's not computational power by skids · · Score: 1

      Only calculations that consist of certain combinations of certain operations can be "solved all at once". Most specifically, you cannot read the state of a qbit and see whether it contains both a 1 and a 0, just a 1, or just a 0. You'll either get a 1 or a 0. Second you cannot copy a qbit's "state" over to another qbit to try to work around this. Because of these limitations (and probably some others I won't understand unless/until I have a long stay in a hospital bed or prison with nothing better to do than learn hamiltonians) it is possible to design problems that confound quantum computation. The people that do this could probably be called crazy smart geniuses, but probably also have trouble making change or crossing the street or something.

      --
      Someone had to do it.
    4. Re:It's not computational power by Plus1Entropy · · Score: 1

      I don't know what's worse: that I don't understand what you said, or that I almost understood what you said.

      --
      Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  8. Devil you don't know by WaffleMonster · · Score: 2

    The core problem with pushing "post quantum" crypto into production is you are essentially making choices in the blind based exclusively on fear and *baseless* speculation. There is no affirmative evidence of any kind Quantum computers with the capability to crack crypto are even possible let alone expected in the near to medium term.

    I can't help but wonder if at least some of those pushing "post quantum" crypto are intentionally making a play to nerf security more than it already is.

    There are a million practical things Google could elect to do to improve real world practical security starting with not reading everyone's email to applying TLS-SRP patches to enable secure password authentication to making Android less of a security joke. Time spent on post quantum crap is time not spent addressing actual threats we know for sure exist in the real world.

    1. Re:Devil you don't know by WaffleMonster · · Score: 1, Interesting

      Perhaps, but the problem is that if those systems are in fact coming in the near to medium future (and there's "no affirmative evidence of any kind" that it *isn't* true) then they'll absolutely *destroy* most forms of encryption currently in use.

      If in fact hostile space aliens (or pancake monsters from the 5th dimension) are coming in the near to medium future then they'll absolutely *destroy* most forms of encryption and everything else currently in use.

      Why shouldn't Google care equally about this threat too given the consequences are much worse and there is no affirmative evidence it isn't true? Where does hedging against completely baseless nonsense end? Are there any limits? At all? Of any kind? Only when you can prove a negative?

      Google decided that the high risk outweighed the low chance. Plus their work goes towards research which will, eventually, be beneficial.

      Merely selecting algorithms OTHERS created is hardly what I would consider to be research. There are literally hundreds of cipher suites available in TLS.. adding new ones isn't a particularly noteworthy exercise.

    2. Re:Devil you don't know by cryptizard · · Score: 1

      Why shouldn't Google care equally about this threat

      Because they have no power to defend against that threat, no matter how much money they throw at it. Post-quantum cryptography just takes a handful of engineers to work on. It is basically free for a company the size of Google, and the benefits are potentially large.

      Merely selecting algorithms OTHERS created is hardly what I would consider to be research.

      Read the linked paper. That is not what they do. They optimize and improve security bounds on an existing scheme, making it more practical for real-world applications. Many of the most recent encryption schemes developed by academia are wildly impractical in terms of the exotic mathematical operations they require and the huge parameter sizes you need to meet currently understood security requirements.

  9. Re:next protection against God? by umghhh · · Score: 1

    What US government did support regime changes that resulted in major bloodshed? Was there one?

  10. Re:Break TLS? Isn't it already broken? by fuzzyfuzzyfungus · · Score: 1

    I'm not anything approaching a cryptoanalyst; but my understanding is that TLS has been 'broken' at various times because of either implementation flaws or legacy-compatibility stuff not being dropped fast enough(and there's the minor problem of CAs being a total clusterfuck); but that these breaks were of the somewhat less scary kind that can be fixed by deprecating a specific cipher, or increasing a key length, or patching/replacing a specific flawed implementation.

    A development of the 'hahaha, prime factorization is now trivial!' flavor would be the sort of ugly break where fundamental underlying assumptions are no longer correct and there no amount of incremental fixing will work.

  11. Re:Combined with a traditional key-exchange algoti by mcl630 · · Score: 1

    According to Google's blog post:

    Today we're announcing an experiment in Chrome where a small fraction of connections between desktop Chrome and Google's servers will use a post-quantum key-exchange algorithm in addition to the elliptic-curve key-exchange algorithm that would typically be used. By adding a post-quantum algorithm on top of the existing one, we are able to experiment without affecting user security. The post-quantum algorithm might turn out to be breakable even with today's computers, in which case the elliptic-curve algorithm will still provide the best security that today’s technology can offer. Alternatively, if the post-quantum algorithm turns out to be secure then it'll protect the connection even against a future, quantum computer.

    If I read this correctly, they are using "New Hope" in combination with an existing algorithm.

  12. Re:Break TLS? Isn't it already broken? by cryptizard · · Score: 1

    That is actually slightly less scary than a fast factorization algorithm. If you could factor, then you could calculate the root CAs private keys from their certificates, but also you could retroactively decrypt any communication that was intercepted in the past and decrypt it. If the CA private keys were released alone, it would not allow you to retroactively decrypt anything because Diffie-Hellman key exchange provides perfect forward secrecy that ensures retroactive decryption is not possible even if you later learn the private key.