Slashdot Mirror


NIST Asks Public For Help With Quantum-Proof Cryptography (securityledger.com)

chicksdaddy quotes a report from The Security Ledger: With functional, quantum computers on the (distant?) horizon, The National Institute of Standards and Technology (NIST) is asking the public for help heading off what it calls "a looming threat to information security:" powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information. In a statement Tuesday, NIST asked the public to submit ideas for "post-quantum cryptography" algorithms that will be "less susceptible to a quantum computer's attack." NIST formally announced its quest in a publication in the Federal Register. Dustin Moody, a mathematician at NIST, said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information. "We're looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers," Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B. Researchers have until November 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the "post-quantum crypto" standards set up by NIST will be invited to present their algorithms at an open workshop in early 2018.

138 comments

  1. Oxy-morons by Anonymous Coward · · Score: 1

    So, they want a code less vulnerable to math... good luck with that.

    1. Re:Oxy-morons by ls671 · · Score: 1

      Solution: One time pad; "mathematically unbreakable encryption",

      --
      Everything I write is lies, read between the lines.
    2. Re:Oxy-morons by skids · · Score: 1

      That's more or less what we have now, until quantum computing is real. You don't need a quantum computer to use post-quantum cryptography.

      What I haven't seen is how quantum simulators rate as a threat.

    3. Re: Oxy-morons by Anonymous Coward · · Score: 0

      How does it handle counterfeit or lost messages? Not so well, I bet. Why would I want to spend more time securely obtaining one time pads than actually communicating?

    4. Re: Oxy-morons by skids · · Score: 1

      Especially since Quantum Computing only breaks current public key encryption, not even some current shared key algorithms, and keys are much easier to exchange than giant pads.

    5. Re: Oxy-morons by davidwr · · Score: 3, Interesting

      How does it handle counterfeit or lost messages? Not so well, I bet. Why would I want to spend more time securely obtaining one time pads than actually communicating?

      I think it would work like this:

You go to your bank to open an account. While you are filling out paperwork and supplying a thumb-print (thank you 9/11 terrorist - NOT!) the bank generates a very long one-time pad that should provide enough coverage for several years' worth of communications. They keep a copy and they give you a copy. The pad is probably signed with the bank's public key so you know it is really from the bank.

      To detect lost messages, every communication will include either an index into the one-time pad (in cleartext or encrypted with some other method) or a pre-determined "synchronization phrase" encrypted with the pad. If it includes the index, then the problem is solved. If it includes a "synchronization phrase" then you start with where the pad left off. If it doesn't match, then you read forward in the pad until it matches, and you know you probably lost a message somewhere along the line.

Also, the pad may be, in effect, two pads: one for sending, one for receiving. This is easily accomplished by having one party start at the beginning of the pad working forwards and the other party start at the end working backwards.

      Also, to avoid pad exhaustion, the pad would probably be used to generate temporary/ephemeral symmetric keys and for some other things like the initial setup of the communication. The actual "meat" of the communication would be encrypted with the ephemeral, symmetric keys.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
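The pad-handling scheme sketched in the post above (a cleartext pad index on every message, one party working forwards from the start of the pad and the other backwards from the end, and a gap in the index revealing a lost message), written out as an added example that is not part of the original thread. The pad, message format and names are constructed for illustration; note that XOR with a pad gives confidentiality only, so nothing here detects a modified ciphertext.

```python
import secrets
from dataclasses import dataclass

HEADER_LEN = 8  # cleartext pad index, big-endian, prepended to each ciphertext


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


class PadExhausted(Exception):
    """The two directions of the pad would collide."""


class PadReuse(Exception):
    """A message points at pad bytes that were already consumed (replay/reuse)."""


@dataclass
class Received:
    plaintext: bytes
    skipped_bytes: int  # pad bytes jumped over: > 0 means a message was lost


class Endpoint:
    """One party on a shared pad (constructed example, not any real protocol).

    The "front" party sends forwards from index 0 and receives the peer's
    stream, which runs backwards from len(pad); "back" is the mirror image.
    """

    def __init__(self, pad: bytes, role: str):
        if role not in ("front", "back"):
            raise ValueError("role must be 'front' or 'back'")
        self.pad = pad
        self.role = role
        self.send_cursor = 0 if role == "front" else len(pad)
        self.recv_cursor = len(pad) if role == "front" else 0

    def _sends_forwards(self) -> bool:
        return self.role == "front"

    def encrypt(self, plaintext: bytes) -> bytes:
        n = len(plaintext)
        if self._sends_forwards():
            start = self.send_cursor
            # Best-effort exhaustion check: the peer may already have consumed
            # more than we have seen, but we never cross what we know it used.
            if start + n > self.recv_cursor:
                raise PadExhausted("forward stream would run into the backward stream")
            self.send_cursor = start + n
        else:
            start = self.send_cursor - n
            if start < self.recv_cursor:
                raise PadExhausted("backward stream would run into the forward stream")
            self.send_cursor = start
        key = self.pad[start:start + n]
        return start.to_bytes(HEADER_LEN, "big") + xor_bytes(plaintext, key)

    def decrypt(self, message: bytes) -> Received:
        index = int.from_bytes(message[:HEADER_LEN], "big")
        ciphertext = message[HEADER_LEN:]
        n = len(ciphertext)
        if index + n > len(self.pad):
            raise ValueError("index points outside the pad")
        if self._sends_forwards():
            # We receive the backward stream: the peer's cursor moves downwards.
            end = index + n
            if end > self.recv_cursor:
                raise PadReuse("message overlaps pad bytes already consumed")
            skipped = self.recv_cursor - end
            self.recv_cursor = index
        else:
            # We receive the forward stream: the peer's cursor moves upwards.
            if index < self.recv_cursor:
                raise PadReuse("message overlaps pad bytes already consumed")
            skipped = index - self.recv_cursor
            self.recv_cursor = index + n
        key = self.pad[index:index + n]
        return Received(xor_bytes(ciphertext, key), skipped)


def demo():
    """Constructed exchange: one message lost in transit, one replayed."""
    pad = secrets.token_bytes(64)  # a real pad would be far larger
    alice = Endpoint(pad, "front")
    bank = Endpoint(pad, "back")
    m1 = alice.encrypt(b"balance?")
    alice.encrypt(b"transfer 10")  # never delivered: 11 pad bytes go unused
    m3 = alice.encrypt(b"logout")
    r1 = bank.decrypt(m1)
    r3 = bank.decrypt(m3)  # skipped_bytes == 11 flags the lost message
    r_reply = alice.decrypt(bank.encrypt(b"ok"))
    try:
        bank.decrypt(m1)  # replaying m1 reuses consumed pad bytes
        replay_rejected = False
    except PadReuse:
        replay_rejected = True
    return r1, r3, r_reply, replay_rejected


if __name__ == "__main__":
    print(demo())
```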
    6. Re: Oxy-morons by FatdogHaiku · · Score: 2

      Especially since Quantum Computing only breaks current public key encryption, not even some current shared key algorithms, and keys are much easier to exchange than giant pads.

      OK. First off, "giant pads" is at best a clumsy phrase, so let's not beat around the bush, just call them MaxiPads.
      Once that is done it should be no problem getting replenishment from a 7-11 "Flirtey drone".

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    7. Re: Oxy-morons by Dutch+Gun · · Score: 3, Informative

      Also, to avoid pad exhaustion, the pad would probably be used to generate temporary/ephemeral symmetric keys and for some other things like the initial setup of the communication. The actual "meat" of the communication would be encrypted with the ephemeral, symmetric keys.

And oops! It's no longer a one-time pad. As soon as you start using an algorithm, by its very nature, you're now leaking a very slight amount of information, because the output is no longer actually random either. This is exactly why a one-time pad isn't practical for most applications. It's only effective if it's the same length as the message being encrypted. Any attempt to "cheat" and you compromise the encryption integrity.

      Besides, modern ciphers actually DO use true random numbers to generate the initial symmetric keys, typically using Diffie-Hellman key exchange, in which it's impossible for anyone to intercept the key even if they listen to the entire exchange. So you might as well skip the one-time pad, and you get the exact same effect.

      --
Irony: Agile development has too much inertia to be abandoned now.
    8. Re:Oxy-morons by Anonymous Coward · · Score: 0

      No, they want math that is not vulnerable to QC, and it does exist. For proper symmetric encryption it typically only requires doubling the key length for a given security factor. Numerous 256-bit algorithms exist today, so that isn't a problem. There are also asymmetric algorithms that are presumed to be QC safe, but are not nearly as convenient and fast as something like curve25519. Work is required, but no more luck than usual.

    9. Re: Oxy-morons by bytesex · · Score: 2

      The point is, that it's the Diffie-Hellman which is going to be broken by quantum computing, presumably. So you might want to be careful with that 'impossible' - this is exactly what the article is about.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    10. Re:Oxy-morons by geekmux · · Score: 2

      Solution: One time pad; "mathematically unbreakable encryption",

      A concept born in 1882, and yet NIST is still looking for a solution in 2017.

      Hmmm...

    11. Re: Oxy-morons by Anonymous Coward · · Score: 0

      The problem with banks isn't the 9/11 terrorists, it was the Bush Administration's childish overreaction to it. That's what has enabled the modern spy infrastructure. Fear. Fear that we'd hold them accountable for their multiple failures on that day. Now it's fear that we'll hold the current crop accountable if something else happens.

      Not entirely unjustified. Some of the most titanic failures of intelligence leading to attacks and mismanaged tragedies have been while conservatives have been in office after all. 9/11 being the largest but there's also been the Iraq war, the bombing of the Marine barracks in Lebanon, etc, and yet of course the conservative echo chamber manages to deflect blame. If any of that stuff had happened while a Democrat, and God forbid Obama, were in office we'd be hearing about it for the next 50 years.

      So the Democrats know what will happen to them, the Republicans fear one day they'll actually not get a pass for their own incompetence, and you have a recipe for unconstitutional, un-American repressive laws and behavior.

    12. Re: Oxy-morons by Anonymous Coward · · Score: 0

      It would be just as much one time pad as the current "use RSA to exchange a temporary shared key" is public key encryption.

      The symmetric encryption setup leaking a few bits of the one time pad doesn't matter, as these bits can't be used to infer any other information. The symmetrically encrypted messages won't be as secure as having the entire thing one time pad encrypted, but breaking the symmetric key will only give you that one message (just like now), not the entire communication.

    13. Re: Oxy-morons by Anonymous Coward · · Score: 0

      How does it handle counterfeit or lost messages?

      Counterfeit messages can't be decrypted.

      Lost messages would result in an unused block in the one time pad, alerting the receiver that something is missing, as long as you have some kind of synchronization mechanism (a simple start offset would be enough), otherwise it would result in none of the following messages being decryptable.

    14. Re: Oxy-morons by cryptizard · · Score: 2

      The one-time pad DOES NOT replace Diffie-Hellman though. It replaces symmetric encryption, for which we have perfectly good existing solutions. AES is not vulnerable to quantum attacks. Any discussion of the one-time pad in relation to quantum-secure encryption is pointless. We need new asymmetric encryption schemes like lattice-based encryption, not some half-cocked one-time pad bullshit.

    15. Re: Oxy-morons by GLMDesigns · · Score: 1

      Pearl Harbor?

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    16. Re: Oxy-morons by Anonymous Coward · · Score: 0

      Counterfeit: It produces garbage.
      Lost: No message.
Obtaining an OTP: Can be worthwhile if you want unbreakable communication. A terabyte OTP can last a long, long time if you just want secure text. It's perfect if Alice and Bob meet before they start communicating.
      Interception: If Alice and Bob can't meet, then the OTP can also be split, and sent via multiple routes, so that they'd all have to be intercepted to compromise your communication.

    17. Re: Oxy-morons by Anonymous Coward · · Score: 0

      Pigeons carrying microSD cards?

    18. Re: Oxy-morons by davidwr · · Score: 1

      That's what has enabled the modern spy infrastructure

      Not just the modern spy infrastructure, but most "spy infrastructures" throughout history.

      Fear: Either on the part of the public, demanding the government protect them (e.g. 1933 Germany, 2001 USA), or on the part of a tyrannical regime, to protect them from rebellion (e.g. Communist Eastern Europe excluding Russia, Japan-occupied China and Korea in the decades before 1945, the occupied parts of the Confederacy during the last parts of the American Civil War and former Confederate states in the years after that war).

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    19. Re: Oxy-morons by mlw4428 · · Score: 1

      True random number generators are few/far in between. Most use pseudorandom generation (generally provided by the OS which itself collects usually from various sources) with a high entropy. But TRNG is extremely difficult to do.

    20. Re:Oxy-morons by countach · · Score: 1

      Your pad is as big as the original message, so how do you send the pad to someone in a secure manner? One time pads are very secure but don't solve many real world problems.

    21. Re:Oxy-morons by gweihir · · Score: 1

      Most insight-less comment of the day. No wonder you post as AC.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    22. Re:Oxy-morons by gweihir · · Score: 1

If QC ever gets real. Strikes me a lot like "AI", which looks these days as it may actually be impossible in this universe if you want something at least as smart as a human moron. Quantum factoring has gone from 4 bits to 16 bits in 25 years or so. Even if it continues to scale like that (which it will not, there is indication it scales inverse-exponentially, so 30-100 bits or so may be the absolute upper limit), it will not be a threat to modern encryption for 50-100 years, and that is only if we continue to use 1024 bit primes.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    23. Re:Oxy-morons by RespekMyAthorati · · Score: 1

      which looks these days as it may actually be impossible in this universe if you want something at least as smart as a human moron

      The progress has indeed been hyped, but that does not suggest in any way that it is impossible.
      Machine intelligence will progress in the future, sometimes quickly but mostly slow. Nobody has a clue as to how far it will go.

    24. Re:Oxy-morons by gweihir · · Score: 1

      There are some rather strong indications it will not go very far at all. They are not reliable proof, sure, but proving a negative is notoriously hard. One is that at this time, after half a century of research into it, there still is no credible theory how intelligence could be generated artificially. The only thing we have that can mimic some aspects of intelligence is automated theorem proving, and that cannot scale up to what a smart human can do in this universe, not enough matter and energy available. There is nothing else. The other indicator is that actual intelligence is only observable together with consciousness, and nobody has the least clue what that is. In fact, the current state-of-the art in physics would indicate that consciousness is impossible, which is clearly wrong. (There are some morons that pretend to be scientists in neuro-"science" that claim it is an "emergent property", which is just a scientifically sounding and dishonest way of saying "we do not know".) And then there is the little fact that AI has made exactly no progress at all in the direction of anything that can reasonably be called intelligence. All they have (which is still useful, no argument about that) is clever ways to fake intelligence and doing things without intelligence where we once thought that intelligence was required. And that is really all they have.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  2. Not Hard by SeattleLawGuy · · Score: 1, Interesting

    This is a bad idea. We're in a weapons race, and so long as we keep playing the game, successive generations of crypto will be subject to attack. We need an end-run around the problem, which means changing how we think about encryption and data security.

    Encryption should begin with a physical exchange of one-time pads. If you open a bank account, you should get a key to it. The key is an exhaustible one-time pad you use to encrypt transmissions to and from the bank. You plug it into a machine which runs packets through it.

    --
    Real lawyers write in C++
    1. Re: Not Hard by thesupraman · · Score: 5, Insightful

      Ffs..

So.. You will personally go and visit each and every web site you want to access privately?
Physically visit every online store you want to deal with?
Then secure all that data carefully! Remember.. If anyone gets a copy.. All security is gone.. At either end!

      You need to think about things for more than 30 seconds.

      Or perhaps you should accept that armchair 'experts' like you who think this is so easy are actually a big part of the problem?

      Good crypto is hard.. QC proof crypto will be harder.. Such is life.
      The major historical mistake to avoid is over complex 'standards' that are therefore never implemented or used correctly (I am looking at you ipsec..)

    2. Re:Not Hard by Anonymous Coward · · Score: 0

      This was my first thought.

    3. Re: Not Hard by drinkypoo · · Score: 1

      So.. You will personally go and visit each and every web site you want to access privately?

      The obvious solution, if you could trust your government, would be to have them handle the issuance of one-time pads. Since you can't, you can still use the technology for banking, dealing with social security, or for several other purposes without undue inconvenience.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re: Not Hard by SeattleLawGuy · · Score: 2

      Ffs..

So.. You will personally go and visit each and every web site you want to access privately?
Physically visit every online store you want to deal with?
Then secure all that data carefully! Remember.. If anyone gets a copy.. All security is gone.. At either end!

      You need to think about things for more than 30 seconds.

      Or perhaps you should accept that armchair 'experts' like you who think this is so easy are actually a big part of the problem?

      Good crypto is hard.. QC proof crypto will be harder.. Such is life.
      The major historical mistake to avoid is over complex 'standards' that are therefore never implemented or used correctly (I am looking at you ipsec..)

      Of course not. You build an infrastructure based on the premise of physical distribution of one-time pads. That doesn't mean you personally visit every web site you interact with; it means you assume that encryption of a website is breakable and you make the important sites uncrackable by using one-time pads. There are lots of ways to play around with the model and lots of weak points in bad implementations, but fundamentally any encryption algorithm other than that is breakable eventually. It's a much better and more reliable solution for many points of vulnerability than we have today. It is also entirely practical to implement in many cases because of the relatively cheap price of storage media these days.

      Just because it's not hard doesn't mean it's trivial. :)

      --
      Real lawyers write in C++
    5. Re: Not Hard by Anonymous Coward · · Score: 1

      You know when laypeople that read about court cases have an opinion about how easy caselaw is if only lawyers would do this one thing they just made up? You are giving that cringy feeling to everyone here that deals in infosec.

    6. Re: Not Hard by cryptizard · · Score: 2

      You are extremely ignorant of modern encryption. Ciphers like AES have existed for 15+ years and never had any significant attacks against them. To brute force AES-256 you would exhaust all the energy in the universe. AES is also not vulnerable to attacks by quantum computers. You act like the sky is falling when in reality there have been very few fundamental breaks on cryptographic primitives. Every significant attack in the last decade has been on implementations and protocols, which would be equally vulnerable in your imagined scheme. Even against quantum computers, we already have public key encryption schemes to replace the vulnerable ones. This NIST request is more about standardizing than coming up with something new from whole cloth. Cryptography is working.

    7. Re: Not Hard by Anonymous Coward · · Score: 0

      Overly complex standards are essential. They provide three basic functions:

      1. Speaking engagements and fees, and fame, for certain people on the standards committees.

      2. Guarantees that implementing the standards is so much work that for-profit companies can use them as cash cows.

      3. A way for the NSA to slip in vulnerabilities by hiding them in complexity.

    8. Re: Not Hard by Anonymous Coward · · Score: 0

      To brute force AES-256 you would exhaust all the energy in the universe.

Bullcrap!!! If a cracker knows your keyboard layout or the language used to generate the AES password, then AES-256 can be easily bruteforced, especially if you have less than an 8-character alphanumeric password. Actually easier than the weak classic DES encryption. 96 (which is your alphanumeric keyboard keyspace) raised to 8 (which is the length of your password) is just 96^8, which means this is very weak compared to DES which is 2^64.

      Therefore AES-256 is not difficult to crack and you won't require all the energy in the universe, stop believing the hype and the media claiming AES is difficult to crack.

      captcha: overrule

    9. Re: Not Hard by cryptizard · · Score: 1

      Your argument is not internally consistent. You are assuming that AES ciphertext will be encrypted with a password-derived key but DES will use a uniformly random one. That's not a fair comparison. Anyways, your whole premise is flawed for two reasons:

      1) Password security is an orthogonal issue to encryption. You can have the strongest encryption in the world and if you use a weak password to derive a key you will not get the full benefit of that strength. Attacking a ciphertext you break either the password or the encryption, whichever is weaker. Furthermore, there are techniques like password stretching and memory-hard hash functions that make password cracking harder. Again, an orthogonal issue.

      2) 99.9% of AES encrypted ciphertext is not encrypted using a password derived key. All encrypted internet traffic, for instance, and most full-disk encryption (on devices that have an enclave chip) use uniformly random keys. For this traffic, there is no password to break. You can only attack the cipher itself, attacks which AES has withstood for many years now.

    10. Re: Not Hard by Anonymous Coward · · Score: 0

If a cracker knows your keyboard layout or the language used to generate the AES password

      Then they're no longer "bruteforcing". The definition of a "bruteforce attack" is to just iterate through all combinations until you get a hit.

      Anyway, you're not attacking AES, you're attacking the input. If AES is so easy to crack, how about I send you a message encrypted in AES-256 with a random key generated by a modern hardware RNG source.

    11. Re:Not Hard by admin7087 · · Score: 1

      Which machine do you plug it into? Endpoints are notoriously insecure, that's the #1 problem that needs to be fixed before anything else is even worth considering. Every current smart phone and PC is 100% hackable, no matter which operating system it is running. Modern PCs even have a separate operating system built into them, which can run independently of anything else that is running, can be activated and accessed from the network, and can access all disks and all memory. With this kind of "security" in place, your one time pad is moot. Hardware tokens face similar problems, especially since almost all of them are supposed to be connected to - guess what - your PC, and then often even via USB, which is even more insecure and the #1 entry point for hardware keystroke loggers and malicious firmware installers.

    12. Re: Not Hard by Anonymous Coward · · Score: 0

      Crack your AES encrypted ciphertext? Why? How much is your prize fund? I just might be able to do it if the prize fund is correct and can cover the cost of my home brewed cracker. That's how DES was cracked too, a motivational prize fund which can cover the cost of the winners customized DES cracker.

    13. Re: Not Hard by Anonymous Coward · · Score: 0

You have a valid point in your first paragraph. But your first point and second point are also flawed.

      On your first point, regarding weak passwords,
      You can have the strongest encryption in the world and if you use a weak password to derive a key you will not get the full benefit of that strength. Attacking a ciphertext you break either the password or the encryption, whichever is weaker.
No, as pointed out by this post above, OTP cipher with IndexPointer can encrypt a whole message even with a single character. Just convert that character into its ASCII decimal value and use that as the index on your OTP, then encrypt your message starting from that index. That's an uncrackable ciphertext even with a single-character password, assuming the OTP password is secured by the user. So no, password length and strength is NOT TRUE IN ALL CASES.

      On your second point,
      99.9% of AES encrypted ciphertext is not encrypted using a password derived key.
I have seen so many secured packed files (.xz, .tar, .gz, .zip, .7z, .bzip2) floating around which were encrypted by AES, so your 99.9% is not accurate I guess. Also the FDE used by TrueCrypt and VeraCrypt also uses password derived keys to decrypt all of its encrypted volumes.

    14. Re: Not Hard by Anonymous Coward · · Score: 0

      's/single password/single character password/'

    15. Re: Not Hard by cryptizard · · Score: 2

      Yes let us now compare the packed files you have seen personally vs the entire volume of HTTPS traffic that goes across the internet every day. I am betting that the second one is a teensy bit bigger. And yes TrueCrypt and VeraCrypt don't use enclave chips, but only a handful of enthusiasts use those programs. You know what programs do use enclaves and therefore uniformly random keys? iOS encryption (over 1 billion iOS devices), Android encryption (lots of those too), Microsoft BitLocker, Apple Filevault. The problem is that you think the stuff you use is the main problem when in reality it is not. It is the mainstream stuff, and surprise billion dollar companies like Google, Apple and Microsoft don't rely on offline password security. And if the stuff you use is broken, that is YOUR fault. Make a better version of TrueCrypt that doesn't rely on password security. It is not the fault of the encryption scheme.

      Also, the one-time pad is conceptually a very large password that both parties know. If you assume that you can get a long one-time pad, then you could have just as easily made a good password in the first place. It is intellectually dishonest to pretend otherwise. The ONLY reason you would ever use the one-time pad is if you do not trust the core security of symmetric encryption schemes.

    16. Re: Not Hard by Anonymous Coward · · Score: 0

      It would take a type 3 civilization just for the energy requirements. No amount of money will break it short of a weakness discovered.

    17. Re:Not Hard by gweihir · · Score: 1

      Protip: If anybody in an encryption-debate brings up the one-time pad, then they have just outed themselves as clueless amateurs.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re: Not Hard by gweihir · · Score: 1

Indeed. On the plus side, we already have QC-proof symmetric encryption today. It just gives you a square-root improvement, so AES-256 is proof against a QC. The moron above probably does not know that, as a one-time pad is symmetrical encryption and hence does not improve against AES-256 in the presence of working, scaling QC in actual reality.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re: Not Hard by gweihir · · Score: 1

      The crypto-morons that think everything is easy and they of course understand the questions that takes an actual expert a decade or so to really get will never die out. They are a close cousin to the morons that think coding is easy.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re: Not Hard by gweihir · · Score: 1

      Well, to be fair, if a scaling QC ever materializes, AES-128 may be just barely vulnerable (2^64 effort). But AES-256 will still have a very comfortable security margin.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    21. Re: Not Hard by Anonymous Coward · · Score: 0

      Have blockchains generate one time pads, and then ROT13 the encrypted message for added quantum-proof security. Simple!

  3. Post backdoor by Anonymous Coward · · Score: 3, Interesting

    NIST are hardly credible at this point, they previously were involved in the Dual EC fake random number generator, and now they're an agency under the Executive of Russian puppet leader, Trump. No credibility, means no trust.

    FBI has demanded backdoors, Trump has said he'll give them their backdoors. NIST are the backdoor implementers.

    1. Re:Post backdoor by skids · · Score: 5, Interesting

      One should not trust NIST, but that doesn't stop NIST from providing a forum where trustworthy theoreticians can spar, and that's a helpful thing for them to do. It's not like they are entirely evil, just their decisions should not be trusted, but rather reviewed by the cryptomath community and either endorsed or criticized.

      Basically any government entity is going to be torn between wanting to break crypto (for cointel) and wanting to use it (for their own security or for the fact that it is pretty damn essential to a continuing economy.) They'll do some good things, and they'll do some bad things, but at least they'll do something, rather than just sitting on their hands.

    2. Re:Post backdoor by CajunArson · · Score: 1

      Please implement your own encryption without any of our nasty backdoor review process! We're totally sure that it will be perfectly secure because we didn't put in a backdoor! NO REALLY!
      -- The NSA

      --
      AntiFA: An abbreviation for Anti First Amendment.
    3. Re:Post backdoor by Anonymous Coward · · Score: 0

      Ironic that an agency so invested in removing our security and privacy are now asking us to help them improve their security. We should backdoor them.

    4. Re:Post backdoor by Anonymous Coward · · Score: 0

      "NIST are hardly credible at this point"

      Agreed. NIST is also the agency that officially said that fire was the main reason that the WTC buildings collapsed on 9/11.

    5. Re:Post backdoor by JoshuaZ · · Score: 1

In fairness to NIST, there's no evidence that they had any reason to think that the elliptic curve encryption supplied by the NSA had a backdoor. In the past, the NSA had been highly helpful without pulling that sort of junk. You are correct to note that things might change under a Trump administration.

    6. Re:Post backdoor by Anonymous Coward · · Score: 0

      Citation needed.

    7. Re:Post backdoor by Anonymous Coward · · Score: 0

      "Executive of Russian puppet leader, Trump. No credibility, means no trust."

      Congratulations on the recursively self-refuting post.

    8. Re: Post backdoor by Anonymous Coward · · Score: 0

      When everyone knows the real reason: gravity.

    9. Re:Post backdoor by Agripa · · Score: 1

So this wikipedia page is wrong? It says there were multiple warnings before NIST ratified the standard and that is how I remember it at the time.

  4. Use Quantum Cryptography - duh by Anonymous Coward · · Score: 0

    So there is going to be lag between when Quantum Computers can decrypt classical based algorithms and when Quantum Cryptography can be used. They must think it's long enough to find more robust classical algorithms. Probably not going to help.

    1. Re:Use Quantum Cryptography - duh by davidwr · · Score: 1

      there is going to be lag between when Quantum Computers can decrypt classical based algorithms and when Quantum Cryptography can be used. They must think it's long enough to find more robust classical algorithms. Probably not going to help

      The two concepts are related but not identical.

      Practical quantum cryptography means sending quantum messages over long distances - anything less than halfway across the world leaves room for improvement - while quantum computing, which includes fast decryption of classical encryption algorithms, is typically done in one location.

      I expect well-funded parties will be able to routinely decrypt 512-bit-and-smaller factor-based algorithms in a reasonable amount of time (less than a year) and cost (less than $100,000 per decryption effort) well before we see routine quantum cryptography between locations that are halfway around the world from each other.

      P.S.: For all we know, the government spooks in America, England, Israel, China, North Korea, and possibly other countries can already do this. I have no evidence to support this theory, but I do expect that we won't hear about it until at least a year or two after they do have it.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    2. Re:Use Quantum Cryptography - duh by cryptizard · · Score: 2

      Check out the Logjam paper from CCS '15. The authors show an improved attack on 512-1024 bit TLS that would allow for decryption of traffic, then estimate how much money it would cost to implement and show that based on public and leaked information it is likely that the NSA is already doing this.

  5. Done by Jason1729 · · Score: 0

    https://en.wikipedia.org/wiki/...

    They can write me a check.

  6. The NSA!? by EzInKy · · Score: 1

    They are the sheeps in the wolves clothing here. They will not allow anything they can't break.

    --
    Time is what keeps everything from happening all at once.
    1. Re:The NSA!? by davidwr · · Score: 1

      They are the sheeps in the wolves clothing here.

      I think the NSA re-worded your message for you. Did you mean carnivores dressing up as herbivores by any chance?

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  7. they couldn't explain 911 by thesjaakspoiler · · Score: 1

    so why are they still around if the Public constantly has to rectify them?

    1. Re: they couldn't explain 911 by Anonymous Coward · · Score: 2, Funny

      For a good explanation of 911 see:
      https://en.m.wikipedia.org/wiki/911_(number)

  8. That works in some contexts by davidwr · · Score: 1

    Banking with your local bank branch, fine.

    Sending in an online application to a graduate school a thousand miles away, not so much.

    Okay, I take that back: Physical "in person" key exchange could be done if you did your key exchange "in person" with agents acting on the other party's behalf, with the key sealed in tamper-evident packaging and optionally encrypted with your public key. Oh wait, scratch that optional part, or we will be reasoning in circles.

    Besides, one-time pads can be compromised.

    I do agree that a combination of one-time pads and public-key encryption - with the pads being encrypted with short-lived public keys - is preferred for some uses, such as setting up a bank account in person, over the current system.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  9. Understand it! by Anonymous Coward · · Score: 0

    Codex idioca.

    Greetings!

    gHZ1Ln82hulupzy me the king prime. Red. 11111111111111111111111111111111111

    Sticks. Beans. Floggernoggin.

    There are critical errors in the measurements of my Harold stated that when he First saw cars on roads tend to speed excessively.

    >>.2-/

    The dated frog.

    1. Re:Understand it! by davidwr · · Score: 0

      [drivel] Harold [more drivel]

      Okay, you didn't have to remind us that Prime Minister Harold Saxon was bat-guano looney-toons insane, the whole universe knew that already.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  10. Post Quantum Cryptography by 1+a+bee · · Score: 5, Informative

    Here's a good Wikipedia page https://en.wikipedia.org/wiki/... summarizing the known approaches. Interestingly, most symmetric encryption schemes seem to be secure (you just need to increase the key size apparently): it's the public/private schemes that are in trouble.

    1. Re:Post Quantum Cryptography by Anonymous Coward · · Score: 0

      Symmetric encryption is typically just a key composed of pure random data. Hard to "calculate" what the random data was. Asymmetric keys mean if you have one key, you have part of the answer, making it easier to calculate the other key.

  11. Ask a perl programmer by mark-t · · Score: 1, Offtopic

    They can take pretty much any concept and turn it into a hopelessly indecipherable mess that nobody else would ever be able to understand without guidance from the writer.... so I'm thinking they must be onto some pretty sophisticated encryption techniques right there.

  12. Well, using your logic by Anonymous Coward · · Score: 0

    If you did nothing wrong, you would have nothing to hide, right Mr NSA?

    So do nothing wrong, then you won't have to hide anything. ...oh, that only applies to the common vermin. Apologies.

  13. One time pad is a time machine, not a crpto algori by anwyn · · Score: 1

    People are thinking about one time pads in the wrong way. OTPs should be thought of not as a crypto algorithm, but rather as a time machine!

    Suppose that Bob and Alice have a secure channel now, that they will not have in the future. They will have an insecure channel in the future. An OTP allows them to exchange messages now that have not been written yet! An OTP is a message time machine. It allows you to securely exchange a message now that you intend to write in the future.

    After they exchange an OTP, if either Bob or Alice gets hacked, so that the OTP is surreptitiously exposed, then that is equivalent to exposing a message that has not been written yet.

    The proper way to think about OTP is not as a crypto algorithm, but rather as a message time machine.

  14. "Falken: W.P.O.R.: by CaptainDork · · Score: 1, Offtopic

    A strange game. The only winning move is not to play." ~ War Games - 1983

    Encryption is not the solution; it's the problem.

    Quantum computers can't do a goddam thing better than what we already do except faster.

    The best new approach is to change paradigms.

    I'm not 16 anymore and I don't have enough time left to figure it out.

    That's the way to go, though.

    The problem with security today is the fucking DNA of the first computer ever built.

    The first automobile should have had seat belts.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:"Falken: W.P.O.R.: by BDeblier · · Score: 2

      It was WOPR, not WPOR.

    2. Re:"Falken: W.P.O.R.: by Anonymous Coward · · Score: 0

      Quantum computers can't do a goddam thing better than what we already do except faster.

      Normal computers can't do anything better than what we already can do by manually executing instructions, they just are faster.

      Perhaps "faster" can be useful, though?

    3. Re:"Falken: W.P.O.R.: by cryptizard · · Score: 2

      Your post belies a significant misunderstanding of complexity theory. If we could do what we do today, only faster, then the world would be quite a different place than it is now. If we could constructively show that P = NP, we could make strong AI, cure most if not all diseases and revolutionize every field of science for a start. Quantum computers are able to solve problems in polynomial time (denoted QP) that classical computers are not known to be able to (good ol' P). That is a much bigger deal than you are making it out to be. It is not the difference between 10 minutes and two hours, it is the difference between 10 minutes and the age of the universe.

      Having said that, QP is not thought to be equal to NP. We still have encryption schemes which are resistant to attack by quantum computers. The world is not going to end, encryption will still work fine, we just have to do a little bit of planning ahead.

    4. Re:"Falken: W.P.O.R.: by CaptainDork · · Score: 1

      You are correct. Thank you for the correction.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:"Falken: W.P.O.R.: by CaptainDork · · Score: 1

      ... we just have to do a little bit of planning ahead.

      That's what I said. We have to fight the problem of speed if we stick to the current paradigm.

      We need to change the rules so computers can't play.

      --

      TRUE STORY

      I got a chess game for my Tandy 2000 back in the very early 80s. I had a hard time beating it because it would make a test move; predict my next move; make a test move based on that; rinse, repeat.

      I won a lot after I figured out what was going on.

      My friends thought I was really good at chess.

      Not true.

      I fucked that computer over by making illogical moves and when it got to be very unpredictable in response, I spanked it like I was competing with a three year old.

      --
      It little behooves the best of us to comment on the rest of us.
    6. Re:"Falken: W.P.O.R.: by cryptizard · · Score: 1

      No, the "rules" are fine; you just don't properly understand them. It is not about quantum computers being faster than classical computers, it is about them literally being different computational machines that have different properties with respect to complexity theory. It just so happens that certain complexity assumptions we base modern cryptography on are not true in the quantum world. Fortunately there are other assumptions that still hold. It is not a "race" against faster computers, it is incorporating an additional tool into our toolbox and designing a scheme which is secure against that tool. You are spouting a bunch of uninformed nonsense that you think is profound but is actually meaningless. Congratulations on beating a rudimentary chess game, that doesn't make you a cryptographer.

    7. Re:"Falken: W.P.O.R.: by CaptainDork · · Score: 1

      You are not an editor, so I'm sorry you missed the digression markup, "--" that signals a change of subject.

      My bad.

      --

      I've been in this business since Moby Dick was a minnow and I also grok quantum theory and the emergence of the computers.

      I also understand that when a problem is solved, a way to sabotage the process is to change the problem but not the solution.

      That, in a nutshell, is encryption.

      The NIST is looking for an elephant gun to kill a piss ant.

      Instead, we need to provide a solution where piss ants are no longer a target.

      --
      It little behooves the best of us to comment on the rest of us.
  15. D-Wave can't run Shor's algorithm, but... by peter.hudson452 · · Score: 1

    I'm not sure I 100% understand this (but then it was Dr. Feynman who said that if you think you understand quantum mechanics then you don't)... but I read this 2002 paper by MS research that gives a method of transforming biprime factorization into an optimization problem. Optimization problems are exactly what D-Wave's quantum annealing machine can do (very well)... so doesn't this kind of break RSA? Can somebody point me to the place where I can learn that I'm wrong and can start trusting RSA PKI again?

    1. Re:D-Wave can't run Shor's algorithm, but... by Anonymous Coward · · Score: 0

      Optimization problems are exactly what D-Wave's quantum annealing machine can do (very well)... so doesn't this kind of break RSA? Can somebody point me to the place where I can learn that I'm wrong and can start trusting RSA PKI again?

      D-Wave is a scam. To break crypto with a quantum computer you actually need high numbers of entangled bits (e.g. exponential scaling) not this "topological" malarkey.

    2. Re:D-Wave can't run Shor's algorithm, but... by cryptizard · · Score: 5, Informative

      The reason the D-Wave doesn't "break" RSA is that it can only do quantum annealing, which as you say is basically a search algorithm. It does not give exponential increases in efficiency like a theoretical "complete" quantum processor would. For instance, using Shor's algorithm one can factor an N bit number in time something like O(log^2 N), compared to the best algorithm on a classical computer which is something like O(N^(1/3)). In the best case, quantum annealing allows one to do a search which would normally take O(N) time on a classical computer instead in O(sqrt(N)) = O(N^(1/2)). It does not break any "complexity barriers" like a real quantum computer would, just lets you solve certain problems a bit faster.

      This is a really big increase in efficiency, say going from a month worth of computation to solve a problem down to just an hour. But it is not anywhere near enough to break factoring since it would hypothetically take thousands of years to break on a classical computer. In fact, the best classical algorithm is actually slightly faster than quantum annealing because we happen to know that factoring is a problem that requires sub-exponential time to solve, O(N^(1/3)) on a classical computer vs O(N^(1/2)) on a D-Wave.

  16. 21 by Anonymous Coward · · Score: 0

    21=3x7

    You are going to crash the simulation by forcing the universe to perform such expensive computations!

  17. I am not a Cryptographer... by Macdude · · Score: 1

    I'm not up on cryptography but from what I understand most encryption standards have a way to tell if a data set is decrypted correctly. Correct?

    So couldn't you implement a cypher that has no way to verify the result -- put in a key, any key, get an output file. If the proper key is used the output file is an encrypted file that can be decoded using another key, and a different encryption system that does a check for correctness.

    Wouldn't that greatly increase the difficulty in cracking the code? The file would have to be decrypted using every possible key and then each of those files would have to be hacked, but only one of them would actually be the correct file to decrypt so the other 99.99...% of the files would be unhackable because they would be garbage.

    Or would the same effect be had by just using a longer key?

    --
    "Grab them by the pussy" -- President of the United States of America
    1. Re:I am not a Cryptographer... by cryptizard · · Score: 2

      People have already tried this, they called it 2DES. It is a classical example you learn in an intro to cryptography course because it actually does not add any security at all. You can do something called a "meet-in-the-middle" attack where you try to decrypt from the right side and encrypt from the left side at the same time, looking for collisions in the middle. This means that even though you use two keys, you don't have to attack them in conjunction; you can attack them separately, giving you only one extra bit of security.

      https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
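
The point cryptizard makes above (two keys, but only about one extra bit of security) is easiest to see on a cipher small enough to enumerate. The following is an added example, not code from the thread: a constructed 16-bit toy cipher with 12-bit keys is encrypted twice, then the two keys are recovered with a forward table of 2^12 encryptions and a backward pass of 2^12 decryptions, instead of the 2^24 trials a naive search of both keys would need. The cipher, key sizes and sample keys are all assumptions chosen so the search finishes in seconds.

```python
"""Meet-in-the-middle against double encryption, on a constructed toy cipher.

Assumptions (not from the thread): a 16-bit block cipher with 12-bit keys,
chosen tiny so the whole key space can be enumerated in seconds.
"""
from collections import defaultdict

BLOCK_MASK = 0xFFFF
KEY_BITS = 12
KEY_SPACE = 1 << KEY_BITS
MUL = 0x6B2D                          # odd, hence invertible modulo 2^16
MUL_INV = pow(MUL, -1, 1 << 16)


def toy_encrypt(block: int, key: int) -> int:
    """One round of xor-multiply-rotate-xor; invertible but deliberately weak."""
    x = (block ^ key) & BLOCK_MASK
    x = (x * MUL) & BLOCK_MASK
    x = ((x << 5) | (x >> 11)) & BLOCK_MASK      # rotate left by 5
    return x ^ ((key * 3) & BLOCK_MASK)


def toy_decrypt(block: int, key: int) -> int:
    """Exact inverse of toy_encrypt."""
    x = block ^ ((key * 3) & BLOCK_MASK)
    x = ((x >> 5) | (x << 11)) & BLOCK_MASK      # rotate right by 5
    x = (x * MUL_INV) & BLOCK_MASK
    return x ^ key


def double_encrypt(block: int, k1: int, k2: int) -> int:
    """'2DES'-style construction: encrypt under k1, then again under k2."""
    return toy_encrypt(toy_encrypt(block, k1), k2)


def meet_in_the_middle(pairs):
    """Recover (k1, k2) from known (plaintext, ciphertext) pairs.

    Returns (candidates, cipher_ops). cipher_ops counts single-cipher
    invocations in the main search; the confirmation step is negligible.
    """
    p0, c0 = pairs[0]
    forward = defaultdict(list)              # middle value -> every k1 reaching it
    for k1 in range(KEY_SPACE):
        forward[toy_encrypt(p0, k1)].append(k1)
    ops = KEY_SPACE
    candidates = []
    for k2 in range(KEY_SPACE):
        mid = toy_decrypt(c0, k2)            # walk backwards from the ciphertext
        ops += 1
        for k1 in forward.get(mid, ()):
            # a 16-bit middle value collides by chance; confirm on the other pairs
            if all(double_encrypt(p, k1, k2) == c for p, c in pairs[1:]):
                candidates.append((k1, k2))
    return candidates, ops


def demo():
    """Constructed secret keys and known plaintexts; returns (found, mitm_ops, naive_ops)."""
    k1, k2 = 0x3A5, 0xC17
    plaintexts = [0x1234, 0xBEEF, 0x0042]
    pairs = [(p, double_encrypt(p, k1, k2)) for p in plaintexts]
    candidates, ops = meet_in_the_middle(pairs)
    return (k1, k2) in candidates, ops, KEY_SPACE ** 2


if __name__ == "__main__":
    found, mitm_ops, naive_ops = demo()
    print(f"keys recovered: {found}; MITM work {mitm_ops} vs naive {naive_ops}")
```

The cost the attacker pays is memory rather than time: the forward table holds one entry per key. That is exactly why the defensive answer is a genuinely longer key in a single cipher (or three encryptions, as in 3DES) rather than two short ones.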

  18. You've simply doubled the length of the key. Good by raymorris · · Score: 1

    It sounds to me like you've simply doubled the length of the key. Actually slightly worse than that due to collisions. You'd be more secure encrypting 128 bit blocks with a 128 bit key than encrypting a 64 bit block with a 64 bit key, then with another 64 bit key.

    It should be noted that making the key twice as long does NOT make it twice as hard to decrypt. Rather it SQUARES the time required. A 129 bit key takes twice as long as a 128 bit key (assuming blocks are long enough etc.) So your idea DOES make it much harder to break - exactly like a longer key does.

    Unfortunately, it may be that in 30 years a quantum computer will be able to break 1024 bit Diffie-Hellman in a picosecond. 2048 bit would then probably take much longer - many seconds or minutes.

    Unfortunately right now we're trying to defeat the capabilities of machines that don't yet exist, so we don't know their capabilities. Recall the president of IBM said "I think there is a world market for maybe five computers." Twenty years later, there were hundreds of thousands of computers sold every year, and a decade or so later was the Apple ][. Predicting what the next generation of computers will be able to do is *hard*.

  19. Re: One time pad is a time machine, not a crpto al by Anonymous Coward · · Score: 1

    I found Bob and murdered him. I have the codes, now what? Can I get your data?

  20. Kerosene is the answer... by Anonymous Coward · · Score: 0

    At one position in space/time the fire from kerosene can melt steel beams, whereas the same steel beams elsewhere in the universe do not melt under identical conditions. Surely NIST can use this concept to provide real national security.

  21. It's Easily Solved! by Anonymous Coward · · Score: 0

    Let's just assert a hard limit to the complexity of any physical interaction.

  22. A few suggestions and questions? by Anonymous Coward · · Score: 1

    As a mathematician who occasionally works on cryptography problems, I read the statement, provided in the link, at the Federal Register, some thoughts:

    1) Quantum computers are a distant reality. From my understanding, they are still mostly theoretical. Those that do function can only perform basic arithmetic -- or the equivalent -- or aren't considered fully quantum. So, it would have helped to define what quantum cryptography is. Presently, a key size, from my understanding, that's needed to prevent birthday problem attacks (that is, brute force) is 2^90. Probabilistically, this is the equivalent of 1. What then is the optimal key size needed in quantum cryptography?

    2) Why can't present methods, such as block ciphers, be used to significantly expand the key size? DES, for instance, was once considered secure and is not. 3DES, however, is now considered secure.

    3) Why would a cryptographer, or a company, want to work with NIST? Although the theoretical and applied work at NIST is obviously important for cryptographic applications, NIST does have a reputation of vagueness. For instance, it's widely believed that the S-box, for AES, was designed by NIST as a method for providing backdoor access to American government agencies. Also, the elliptic curve designed for a NIST-approved key exchange doesn't list the mathematician(s) who worked on it and doesn't provide any transparency on how it was developed. (Note: this information is several years old and may be outdated.)

    1. Re:A few suggestions and questions? by cryptizard · · Score: 2

      1) Because of Grover's algorithm, even encryption which is "secure" against quantum computers still needs twice the key length to have the same level of security as against classical computers. This is because Grover's algorithm lets you brute force a space of N possibilities in time O(sqrt(N)) instead of O(N). So if 90 bits is secure today, you would want 180 bits to be secure against quantum attacks.

      2) They can. AES goes up to 256 bits and there is no reason we couldn't make larger block ciphers if we needed to. Currently AES-256 would be secure even against a fully-functioning quantum computer.

      3) You are confusing NIST and the NSA, and also AES with DES. The S-box for DES was recommended by the NSA because they had advanced knowledge of differential cryptanalysis that was not widely known at the time. It was not a backdoor. And they had no input into the design of AES, which was proposed by Belgian cryptographers and vetted in a multi-year open contest between academics. The Dual_EC_DRBG scheme with the backdoor that you are referencing was entirely designed by the NSA, not NIST, and academics were immediately suspicious of it. The open contests that NIST has done, including AES and SHA-3, have been widely lauded as the "right" way to do standardization and have had significant buy-in from academics, in contrast to the top-down approach that led to weak standards like Dual_EC_DRBG.

    2. Re:A few suggestions and questions? by Anonymous Coward · · Score: 0

      Just to make sure it's clear, quantum attacks against AES will at most cut the number of operations in half, which is effectively removing one bit. It doesn't cut the key in half. What Grover's algorithm can do is dramatically increase the ability to pull off a plain-text attack. If you have access to the plain and encrypted text, you can use Grover's algorithm to reduce 2^256 operations down to 2^128 operations, but some very very expensive operations. That's a lot of samples of plain text. 2^128 bits of data would require enough energy to boil the oceans away, assuming a 100% efficient computer. Not even including the calculations or moving the data, just the storage. The energy to move that data through copper would increase your required power by many magnitudes. You would make the entire Earth molten again.

  23. Dont waste your time by Anonymous Coward · · Score: 0

    more than half of the population has their brains damaged by watching the Kardashians, Reality TV, and Trump related trash...

  24. One time pad by Karmashock · · Score: 1

    If you want unbreakable crypto... One time pad.

    and here someone says "but MOOOOOM its hard!"... no it isn't.

    How many gigs of communication do you need to secure per device? Let's presume that there are LEVELS of security that can be secured with varying levels of security.

    Naturally it is impractical to secure everything with the one time pad type encryption. Which to be clear would be a very large file stored on the sender and receiver and the data being encrypted would use only a portion of that seed data to randomize the information you wanted secured. And any portion of the "pad" that was used would be blacklisted from future use. So what would I use with something like this? Well, how about using the one time pad to encrypt new encryption keys. Thus encrypt/decrypt keys, seeds, etc would be secured by one time pad. Transferring the new pad could be done physically if this is really high security thus bypassing networks that are demonstrably compromised enough that you want to encrypt your data over them.

    One time pads are already used by the government for the highest level security. Nuclear launch codes for example are one time pad. A lot of the shoe leather and handshake intelligence networks run on one time pads.

    There is no reason we can't translate this even more easily to the digital sphere than it is in the wink and pistol sphere. Let us say you have a file that contains something like 32 gigs of randomized "one time pad" data. Using 1:1 encryption that could encrypt 32 gigs of data you want to secure. And breaking it would be basically impossible. No repeating patterns. You need the one time pad data to decrypt. Period. Look at text messages from cell phones. If we WANT to be efficient with our data transmissions, we can be.

    Let us say what we want to do is sync two databases over the internet and the data in these databases is very very sensitive. Now we could use the one time pad data sparingly... passing only some data through that system. Maybe just encrypt/decrypt data for some other encryption scheme. Possibly certain aspects of the data would be encrypted using one time pad. Maybe not all the data being synced has the same security clearance. The point is that if you need to be efficient about it, you can be.

    And if you want encryption that can't be broken. One time pad.

    Now I assume that isn't what they want. They want some fire and forget, cheap as dirt, flawless, idiot proof system they can slot into the system and stop thinking about this ever again.

    That is a fantasy. I don't see that happening.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:One time pad by cryptizard · · Score: 1

      The one-time pad replaces a symmetric encryption scheme. We have AES which was invented by academic cryptographers unaffiliated with any government organization and has been vetted for over 15 years by academic and industrial cryptographers with no substantial weaknesses found. It would take all the energy in the universe to brute force one AES-256 key. You are replacing something that works and is secure with something much more cumbersome for no appreciable reason except that you read somewhere the one-time pad is the only unbreakable encryption.

    2. Re:One time pad by Karmashock · · Score: 1

      "NIST Asks Public For Help With Quantum-Proof Cryptography" ...

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    3. Re:One time pad by cryptizard · · Score: 1

      You obviously didn't read even the summary then because they are looking for replacements to asymmetric encryption schemes dude. Sorry for assuming that you read the paragraphs following the headline my bad.

    4. Re:One time pad by Anonymous Coward · · Score: 0

      Not sure this is feasible, as OTP has a limited number of characters.

    5. Re:One time pad by naughtynaughty · · Score: 1

      How do I secure my one-time pads? With more one-time pads? Is it one-time pads all the way down?

    6. Re:One time pad by Karmashock · · Score: 1

      Doesn't address the quantum aspect of the query. Define the danger of quantum cracking?

      Do you know how that is supposed to work? If you think your 256 bit key is going to hold against what that promises to be then maybe you should look that up.

      That said, I haven't seen any practical evidence of it actually working. So maybe it doesn't matter.

      Your sad dive into rudeness however is unfortunate. Why is your ego so small that when your obvious autism is revealed you have to lash out.

      Calm down, dude. You're autistic. It's okay.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    7. Re:One time pad by Karmashock · · Score: 1

      ... It is assumed that the opposition doesn't have physical access to your system or the target system. Rather the assumption is that the encryption is required any other system besides the origin and destination of the message. If you need to secure things so that your own system isn't compromised then you're basically fucked via the first rule of computer security...

      Physical security. You either have that or kill yourself.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    8. Re:One time pad by Karmashock · · Score: 1

      You update the code as you exhaust it.

      For the highest level security you can physically deliver new codes. Thus meaning the code will only be compromised if intercepted. And if it is intercepted... physically... you just invalidate the new code and deploy another one.

      Again this is used for the highest level security already. Nuclear launch codes work this way. You can't crack them. If I told you what all the past launch codes were, you'd have no idea what the new launch codes are. The codes don't repeat. Once and never again.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    9. Re:One time pad by cryptizard · · Score: 1

      Cool story bro.

    10. Re:One time pad by Karmashock · · Score: 1

      The air is let out of your pretensions and this is all you're left with...

      Sad.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    11. Re:One time pad by cryptizard · · Score: 1

      Lol ok. What pretension? I literally have a PhD in cryptography. I've just realized that you are proud of your ignorance and it's not worth talking to you any more. I've gotten like 30 +informative upvotes on this article. Some people learned something. You are a lost cause. I read somewhere recently... I can't remember where... "I've decided to stop wasting my time responding." Have a good day bro.

    12. Re:One time pad by Karmashock · · Score: 1

      Still no response to the quantum bit that made you run away like a kicked dog. Pretension... I call you out on it and you claim a PhD... Irony.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    13. Re:One time pad by cryptizard · · Score: 1

      Run away? Sorry, I already answered your comment at least twice on this article responding to other people before you "challenged" me (go look if you don't believe it). I was just tired of responding to your arrogant uninformed bullshit. Quantum attacks reduce the security of all block ciphers by half due to Grover's algorithm. AES-256 would still have 128 bits of effective security which is more than enough. Your comment about physical security is also ill informed btw, google Software Guard Extensions and learn how modern systems can be secure even against physical compromise and root kits.

    14. Re:One time pad by Anonymous Coward · · Score: 0

      Wow. Just wow.

      Someone showed how your starting thesis doesn't work and you responded by telling them to kill themselves. Such a civilized conversation you are keeping, there.

      You must be a riot at parties.

  25. Re: You've simply doubled the length of the key. G by Anonymous Coward · · Score: 0

    Why verify the result at all? The recipient will know whether the response is nonsense or not. This may not be a good method of authentication/validation, but with trillions of decrypted "solutions" to go through... Maybe a machine learning algorithm could pick it out, but otherwise it's a needle hiding in a huge haystack...

  26. Guess verification by John+Allsup · · Score: 1

    If you want to crack encryption with a powerful computer, you need a means to algorithmically verify your guesses. This is what you need to make hard. Essentially you need a way of encoding messages such that there are many, many plausible decryptions. As such, if you took a dictionary of the most common 5000 English words, and forced all communications to use those, and only standard English grammar, you could algorithmically map strings of integers to English words and phrases. There are many ways to do this, and many ways to permute how it does it. More importantly, it is hard to know if you've got it right (and impossible for a simple algorithm).

    --
    John_Chalisque
    1. Re:Guess verification by cryptizard · · Score: 2

      This is called deniable encryption and there are information theoretic lower bounds on what you can actually accomplish with this, unfortunately. Each ciphertext has to be carefully coded with full knowledge of what "domain" it comes from in order to produce other, plausible messages. It is incredibly cumbersome and not usable for real-world applications. For simple "spy games" it could be useful, but given the incredible diversity of data that is encrypted on an average person's computer it is not practical.

    2. Re:Guess verification by Anonymous Coward · · Score: 0

      Not practical? There are real-world implementations used daily, see VeraCrypt and BestCrypt.

    3. Re:Guess verification by cryptizard · · Score: 1

      That is specifically and only for disk encryption, because you have the convenient property that your disk is always the same size regardless of how much data you are actually storing on it. You can hide extra encrypted data in the "free" space. That doesn't apply for 99% of encrypted data which is not disk encryption but rather stuff like TLS.

    4. Re:Guess verification by Anonymous Coward · · Score: 0

      Fair enough, it just seems that everyone forgets that plausible deniability in encryption exists at all, especially for duress. Couldn't the same principle be applied to fixed-bitrate traffic though? Still need a way to generate plausible 'outer' traffic though (depends on application) and a good enough PRNG source for when 'inner'/hidden traffic can't fill the rest of the bandwidth.

  27. Re: One time pad is a time machine, not a crypto al by Anonymous Coward · · Score: 0

    Who is the "you" in "your data"?

    You can get the data sent to Bob, just like you would with Bob's decryption key to any other encryption system.

    You may also be able to get the data that Bob has sent, just like with any other *symmetric* encryption. A one time pad IS symmetric encryption (both sender and receiver have the same key). However, each bit in a one time pad is by definition only ever used once, so used bits can safely be destroyed (overwritten (18 times if you prefer)) as soon as the message is encrypted. This would prevent you from decrypting anything he has sent previously.

  28. Re: One time pad is a time machine, not a crypto al by Anonymous Coward · · Score: 0

    That was the wrong Bob. You killed an innocent Bob.

  29. Maybe too early to worry by n2hightech · · Score: 1

    Considering that quantum computers seem to be mostly built on hype and not capable of beating regular computers in speed or cost, I would not worry much about this.

    1. Re:Maybe too early to worry by cryptizard · · Score: 1

      I think you are thinking of the D-Wave computer, which is not actually a quantum computer in the most general sense. The great thing about quantum computers is that they actually break some complexity barriers that exist for classical computers, factoring being one of them. If we ever get a quantum computer that can handle a few hundred qubits then it would be able to instantly factor existing RSA moduli, compared to hundreds or thousands of years for a classical computer. Right now I think the record is only something like 12 qubits, but it seems like the number of qubits we can work with is also increasing at a pretty good rate if you look at timelines of these things.

      That is not to say that next year all RSA will be broken, but it is prudent to plan for a world in which that may be the case. Especially since we already have public key encryption schemes which are quantum-resistant, it is just a matter of studying and standardizing them.

  30. Re: One time pad is a time machine, not a crypto al by Anonymous Coward · · Score: 0

    The security of OTP is in destroying the part of the pad that you have used. Then if the pad is hacked, there is no way to decrypt past messages.
    https://sourceforge.net/projects/gentleotp/
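    The two comments above (27 and 30) both rest on the same mechanism: pad bytes are consumed exactly once and destroyed as they are used, so a pad stolen later cannot decrypt earlier traffic. The following is an added illustration written for this page, not code from the thread or from the linked project. The pad contents and messages are constructed sample data, and the zeroing of a bytearray only models the protocol step; Python gives no guarantee that no other copy of the key bytes survives in memory. The `two_time_pad_leak` helper also shows what the "properly used" qualifier costs you if violated: with a reused pad, XORing two ciphertexts cancels the key entirely.

```python
# Added example (not from the thread): a one-time pad that consumes and overwrites
# pad bytes as they are used, modelling the claim that a stolen pad cannot decrypt
# earlier traffic. Pad contents and messages below are constructed sample data.
# Python cannot guarantee that no copy of the key bytes survives in memory; the
# zeroing shows the protocol step, not a secure-wipe primitive.
import secrets


class PadExhausted(Exception):
    """Raised when a message needs more pad than is left; pad bytes are never reused."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    def __init__(self, pad: bytes):
        self._pad = bytearray(pad)  # bytearray so used bytes can be overwritten in place
        self._offset = 0            # index of the next unused pad byte

    @property
    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def snapshot(self) -> bytes:
        """What an attacker gets by copying the pad at this moment."""
        return bytes(self._pad)

    def _consume(self, n: int) -> bytes:
        if n > self.remaining:
            raise PadExhausted(f"need {n} pad bytes, only {self.remaining} left")
        start, end = self._offset, self._offset + n
        chunk = bytes(self._pad[start:end])
        self._pad[start:end] = bytes(n)  # destroy the used key material
        self._offset = end
        return chunk

    def encrypt(self, plaintext: bytes) -> tuple:
        """Returns (pad offset, ciphertext); the offset tells the receiver which bytes to use."""
        offset = self._offset
        return offset, xor_bytes(plaintext, self._consume(len(plaintext)))

    def decrypt(self, offset: int, ciphertext: bytes) -> bytes:
        """Receiver holds an identical pad and must consume exactly the same bytes."""
        if offset != self._offset:
            raise ValueError("pad offset out of sync; refusing to reuse or skip pad bytes")
        return xor_bytes(ciphertext, self._consume(len(ciphertext)))


def recover_with_stolen_pad(stolen_pad: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Attacker applies a later-stolen pad to an old ciphertext; that region is now zero."""
    return xor_bytes(ciphertext, stolen_pad[offset:offset + len(ciphertext)])


def two_time_pad_leak(c1: bytes, c2: bytes) -> bytes:
    """If a pad were reused, c1 ^ c2 == p1 ^ p2: the key drops out entirely."""
    return xor_bytes(c1, c2)


def forward_secrecy_demo(pad: bytes = None) -> dict:
    pad = pad if pad is not None else secrets.token_bytes(64)
    alice, bob = OneTimePad(pad), OneTimePad(pad)   # both hold identical pads
    msg = b"attack at dawn"
    offset, ct = alice.encrypt(msg)
    decrypted = bob.decrypt(offset, ct)
    stolen = alice.snapshot()                       # pad is compromised after sending
    return {
        "decrypted_by_bob": decrypted,
        "recovered_by_attacker": recover_with_stolen_pad(stolen, offset, ct),
        "remaining": alice.remaining,
    }


if __name__ == "__main__":
    for name, value in forward_secrecy_demo().items():
        print(name, value)
```

    Running it shows Bob recovering the message while the attacker, holding the full post-transmission pad, gets only the ciphertext back; the `ValueError` on a mismatched offset is the receiver-side guard against accidental pad reuse.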

  31. To hell with that! by moeinvt · · Score: 1

    If I have an idea for creating encryption that's invulnerable(or extremely resistant) to attack by quantum computers, I'm going to the patent office not NIST.
     

  32. No threat model? by Anonymous Coward · · Score: 0

    The request doesn't appear to explain what they think this troubling quantum computer can and can't do.
    (Except that it can run some specific algorithms like Shor's, it says little about what the range of future algorithms might be.)

    Perhaps their first request should have been to get a common language for defining the threat.
    For a conventional computer, the size of effort to crack is somewhat represented by the number of key bits.
    For a quantum computer, a similar metric might be nice.
    Especially if it gave some insight into the problem they are trying to solve.

    1. Re:No threat model? by cryptizard · · Score: 1

      The number of key bits is still the metric for quantum resistant encryption. You just need to base your scheme on a problem that is not solvable in polynomial time by a quantum computer. There are no great ways to do this except to find a problem that seems like it is hard for a quantum computer, conjecture that it is hard, and then wait for people to try to break your conjecture. You cannot prove that something is hard to solve because we still don't know if P = NP, maybe all problems are easy and we just don't know it.

      There are a few encryption schemes that seem like they are not vulnerable to quantum attacks, chief among them being NTRU and other lattice-based encryption schemes. They have been of independent interest lately because they incidentally also allow for homomorphic encryption, so people are starting to get a good idea of what parameters to use and how much security the schemes have with different key sizes.

  33. Three reasons by raymorris · · Score: 1

    There are three reasons to have an integrity checksum, to verify that it decrypted correctly. One issue you didn't mention is that it's always possible for an attacker to change the cipher text without decrypting it, and sometimes they can make interesting changes. You want to know if the data has been modified.

    > Maybe a machine learning algorithm could pick it out, but otherwise it's a needle hiding in a huge haystack...

    It's not hard for an attacker to notice whether or not the plaintext looks like:
    GET /fundstransfer.asp HTTP/1.1
    Host: bankamerica.com
    Cookie: xxxxxxxxxxxxxx
    User-Agent: Firefox blah blah blah

    For data formats where a machine can't readily know if it's probably correct, such a scheme is unusable where there isn't a human interactively using the application at BOTH ends of a communication. For example, you use your bank web site to initiate a transfer. If the computer at the bank can know when the request is correct versus corrupted, the attacker can also know when it's likely correct. If the attacker can't identify a correctly decrypted transaction, neither can the bank.

    On the other hand:
    > The recipient will know whether the response is nonsense or not.

    Maybe, maybe not. If it's supposed to be a web page, gibberish would be easy to distinguish. For more compact data formats, many incorrect plaintexts will also be syntactically valid. The computer at the other end doesn't necessarily know which is correct, without a checksum indicating correctness.
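    The comment above makes two claims that are easy to demonstrate concretely: an attacker can change ciphertext without decrypting it and produce a plaintext the bank cannot tell from a genuine one, and a cheap plausibility test ("does it start with GET ?") is all an attacker needs to confirm a key guess. The following is an added example written for this page, not code from the comment's author. It uses a toy stream cipher (HMAC-SHA256 keystream over a counter) to stand in for any XOR-based mode such as AES-CTR; the bit-flipping works identically there. The HTTP request, query parameters, keys and nonce are constructed, and the 16-bit key exists only so the brute-force search finishes in a second.

```python
# Added example (not from the thread): a ciphertext can be edited without the key,
# the result still "looks right", and only a MAC catches it. The toy stream cipher
# below (HMAC-SHA256 keystream over a counter) stands in for any XOR mode such as
# AES-CTR; the HTTP request, keys and nonce are constructed sample data.
import hashlib
import hmac
from typing import Optional

SAMPLE_REQUEST = (  # constructed; the query string is hypothetical
    b"GET /fundstransfer.asp?to=ACCT-1111&amount=00100 HTTP/1.1\r\n"
    b"Host: bankamerica.com\r\n\r\n"
)
WEAK_KEY = b"\x13\x37"             # 16-bit key, only so the brute force below finishes
MAC_KEY = b"integrity-key-demo"    # separate key for the MAC
NONCE = b"\x00" * 8


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC(key, nonce || block counter) blocks, truncated."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def flip_in_ciphertext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step, no key needed: wherever the plaintext byte equals `old`,
    (p ^ k) ^ (old ^ new) == new ^ k, so the receiver decrypts `new` instead."""
    patch = xor_bytes(old, new)
    end = offset + len(patch)
    return ciphertext[:offset] + xor_bytes(ciphertext[offset:end], patch) + ciphertext[end:]


def seal(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over nonce and ciphertext."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def open_checked(key: bytes, mac_key: bytes, nonce: bytes, ciphertext: bytes, tag: bytes) -> bytes:
    """Verify the tag before decrypting; a tampered ciphertext is rejected outright."""
    if not hmac.compare_digest(seal(mac_key, nonce, ciphertext), tag):
        raise ValueError("integrity check failed")
    return decrypt(key, nonce, ciphertext)


def recover_key_by_recognition(nonce: bytes, ciphertext: bytes, key_bits: int = 16) -> Optional[bytes]:
    """Key-guess verification: a candidate key is confirmed by a trivial check on
    the first four decrypted bytes, no human and no machine learning required."""
    for candidate in range(1 << key_bits):
        key = candidate.to_bytes((key_bits + 7) // 8, "big")
        if decrypt(key, nonce, ciphertext[:4]) == b"GET ":
            return key
    return None


def tamper_demo() -> dict:
    ct = encrypt(WEAK_KEY, NONCE, SAMPLE_REQUEST)
    off = SAMPLE_REQUEST.index(b"amount=") + len(b"amount=")
    forged = flip_in_ciphertext(ct, off, b"00100", b"99999")
    tag = seal(MAC_KEY, NONCE, ct)
    try:
        open_checked(WEAK_KEY, MAC_KEY, NONCE, forged, tag)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "forged_plaintext": decrypt(WEAK_KEY, NONCE, forged),  # still well-formed HTTP
        "forgery_rejected_with_mac": rejected,
        "key_found_by_recognition": recover_key_by_recognition(NONCE, ct),
    }


if __name__ == "__main__":
    for name, value in tamper_demo().items():
        print(name, value)
```

    Without the tag, the bank's parser sees a syntactically perfect request for 99999 instead of 00100 and has no way to know it was altered; with encrypt-then-MAC the forged message is rejected before decryption. In practice use an AEAD mode (AES-GCM or ChaCha20-Poly1305) rather than assembling this by hand; the example separates the pieces only to make the failure visible.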

  34. Re: One time pad is a time machine, not a crypto a by Anonymous Coward · · Score: 0

    His name wasn't even Bob, it was Robert. Robert Paulson. His name was Robert Paulson.

  35. let me leave this here.... by Anonymous Coward · · Score: 0

    AES has already been compromised. I can't reveal the details. But, suffice it to say this NIST cry for help is much too late.

  36. cat by Anonymous Coward · · Score: 0

    You need to start with Alice and Bob's cat.

  37. Another gov org not helping or doing much by micahraleigh · · Score: 1

    Microsoft already did this.

    Do we the tax payers have to pay the government to make free (and probably bloated, not working) versions of everything?

    I don't see why anyone uses NIST outside the government. Almost no one does unless they have huge budgets not requiring profit.

  38. Re:You've simply doubled the length of the key. Go by Anonymous Coward · · Score: 0

    It should be noted that making the key twice as long does NOT make it twice as hard to decrypt. Rather it SQUARES the time required.

    This only applies to symmetric keys, where doubling the key length squares the search space. For RSA, the ballpark is that doubling the key size increases its strength by about 50% (1024-bit RSA = 80-bit AES, 15360-bit RSA = 256-bit AES), and quadruples the computational cost with each doubling of key size.

  39. Do Finite Key Lengths even make sense for post-qua by CloudDrakken · · Score: 0

    It seems to me that the key lengths cannot be finite for something post-quantum and thus must end up being some sort of (lispy (program)) that is a lazy-sequence (returning specific values only on demand) of all the [infinite] key bits. So your cryptokey is _alive_ *laughs like doctor frankenstein*

  40. Good point by raymorris · · Score: 1

    Thanks for pointing that out.

  41. An Old Parable by JimSadler · · Score: 1

    Can God create a rock so heavy that He can not lift it? OK so quantum computers can solve problems that appear to us to be of infinite complexity. So could a quantum computer be programmed to create a password of an even more complex infinity? I still like the idea of a ladder of passwords being created such that every rung of the ladder need be answered in frequent, quick steps. That way even a quantum computer could not solve the password fast enough and the first rung of the ladder would change every time it was addressed. Think of it like the spokes on a bicycle wheel that is in fast rotation and you have to enter on the moment that a certain spoke comes to a mark and then rapidly supply the passwords before the next spoke arrives in position. Only when each spoke is decoded at the proper, small instant, can the site be opened. Making it even more complex, each spoke may have a code that defines which of the other spokes is opened such as every fifth spoke. But after landing on the fifth spoke three times it lands on another spoke that now demands every twelfth spoke be opened in order of appearance. I think such a complex system could work to a degree that no quantum computer could run long enough to solve the password. Keep in mind that that bicycle wheel could have a very large number of spokes.

    1. Re:An Old Parable by cryptizard · · Score: 1

      The problem with this is that almost all encryption and decryption is done locally by an individual client. If the bad guy has the message, it is just inert data. The only person enforcing any kind of time constraints on him would be himself, so he will just not do it. Moreover, if you are trying to use a password to login to a server (I think this is the problem you are trying to solve) then there is no need to do anything fancy like this because there are already existing zero-knowledge password protocols that are not vulnerable to quantum attacks.

  42. Radial Lock by Isarian · · Score: 1

    There Came An Echo, anyone?

  43. Fliberty flue! by Anonymous Coward · · Score: 0

    Even a quantum computer can't break a (properly) created, safeguarded, and used, ONE TIME PAD CIPHER.

    Just saying.