Slashdot Mirror

← Back to Stories (view on slashdot.org)

Quantum Computers Will Break the Encryption that Protects the Internet (economist.com)

Posted by msmash on from the minute-details dept.

An anonymous reader shares a report: Factorising numbers into their constituent primes may sound esoteric, but the one-way nature of the problem -- and of some other, closely related mathematical tasks -- is the foundation on which much modern encryption rests. Such encryption has plenty of uses. It defends state secrets, and the corporate sort. It protects financial flows and medical records. And it makes the $2trn e-commerce industry possible. Nobody, however, is certain that the foundation of all this is sound. Though mathematicians have found no quick way to solve the prime-factors problem, neither have they proved that there isn't one. In theory, any of the world's millions of professional or amateur mathematicians could have a stroke of inspiration tomorrow and publish a formula that unravels internet cryptography -- and most internet commerce with it.

In fact, something like this has already happened. In 1994 Peter Shor, a mathematician then working at Bell Laboratories, in America, came up with a quick and efficient way to find a number's prime factors. The only catch was that for large numbers his method -- dubbed Shor's algorithm -- needs a quantum computer to work. Quantum computers rely on the famous weirdness of quantum mechanics to perform certain sorts of calculation far faster than any conceivable classical machine. Their fundamental unit is the "qubit", a quantum analogue of the ones and zeros that classical machines manipulate. By exploiting the quantum-mechanical phenomena of superposition and entanglement, quantum computers can perform some forms of mathematics -- though only some -- far faster than any conceivable classical machine, no matter how beefy.

100 of 166 comments (clear)

  1. So what? by forkfail · · Score: 5, Funny

    If you're not guilty, you have nothing to hide.

    And unbreakable encryption only serves the Bad Guys (tm).

    Or so we're told...

    --
    Check your premises.
    1. Re:So what? by mark-t · · Score: 5, Insightful

      If you're not guilty, you have nothing to hide.

      And yet absolutely every person I've ever heard make this statement was fully clothed when they made it.

      People have things to hide not because there is anything wrong with them, but because they are private. Full stop.

      --
      File under 'M' for 'Manic ranting'
    2. Re:So what? by mwvdlee · · Score: 2

      Governments encrypt everything, so they would know best.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re: So what? by Anonymous Coward · · Score: 1

      You do realize that there are practical reasons for wearing clothes, right?

    4. Re: So what? by Anonymous Coward · · Score: 1

      Most things can be stored in your colon. Pockets are overrated.

    5. Re:So what? by cascadingstylesheet · · Score: 1

      If you're not guilty, you have nothing to hide.

      And yet absolutely every person I've ever heard make this statement was fully clothed when they made it.

      People have things to hide not because there is anything wrong with them, but because they are private. Full stop.

      Bad metaphor dude ... Slashdot has taught me that that anti-nudity thing is just an American hangup, from our bad old puritan days

    6. Re:So what? by Rick+Schumann · · Score: 1

      The people who actually push that agenda also think the old saying about 'people in glass houses' is about the future of civilization, not a warning about being hypocritical. When it comes right down to it, they want to be able to break our (the common citizens) encryption -- but they (The Rich, and The Powerful) want their own unbreakable encryption. After all we're all criminals so far as they're concerned -- we just haven't been caught, tried, and incarcerated yet.

      Of course what they refuse to acknowledge is that like the RIAA/MPAA (and similar), trying to stamp out 'piracy', they're playing an endless game of Whack-a-Mole; maybe they can create computers that will break even the strongest current version of encryption in no time at all, but someone else will come up with a new way to encrypt things, or otherwise protect data, that even a so-called quantum computer won't be able to crack. Then I suppose they'll just go back to dragging people behind closed doors and beating them until they give up whatever information they want them to give up -- until someone creates yet another machine to crack the new encryption; then the cycle repeats. Power-hungry and control-freak types will, sadly, always exist, at least until (if?) we evolve past it. Until then we'll have to endure these endless cycles.

    7. Re:So what? by Rick+Schumann · · Score: 5, Informative

      People have things to hide not because there is anything wrong with them, but because they are private. Full stop.

      What basic psychology I ever learned said precisely this, that it's normal, natural, and healthy for people to want privacy, and to 'share' when it's their choice. This is a fact despite what so-called 'social media' corporations have been trying to indoctrinate people with over the last 20 years or so.

    8. Re:So what? by Rick+Schumann · · Score: 1

      Sure. And as I said above, they want total access to all our stuff without delay of any kind, yet they can keep hidden whatever they want. Are we sure we have 'freedom'?

    9. Re: So what? by cordovaCon83 · · Score: 1

      You do realize there are practical reasons for encrypting your data, right?

    10. Re: So what? by Your.Master · · Score: 2

      You do realize that's not a parallel, right?

      The reasons to encrypt your data are all about information hiding and non-repudiation. The reasons to wear clothing include that, and temperature modulation, shelter from elements, carrying capacity upgrades, and sanitation. And on a less practical level, self-expression (you could argue encryption as self-expression, but that's usually cyphers that humans can decode).

      The analogy is just a terrible one. We already know why "if you're not guilty, you have nothing to hide" is a troublesome statement and it's not really similar to why people wear clothing.

    11. Re:So what? by Your.Master · · Score: 1

      Is the only reason that you poop with the door closed is to hide your poop?

      Really?

      Here's the difference: with poop, 99.99% of the time you don't actually care if somebody *wants* to deal with your poo, you just know that they almost certainly don't.

      With encryption, you do care if somebody wants to deal with your contents, even though in most cases they probably don't.

      It's completely different. Why don't we use normal analogies? The surprise you intend to keep for a loved one until their birthday?

    12. Re: So what? by mark-t · · Score: 1

      Oh, it's very similar.... the fact that there are so-called practical reasons for wearing clothing that have nothing to do with privacy is irrelevant, because it is still the single most overpowering reason... so much so that we even have actual laws that govern what levels of clothing are considered "decent".

      --
      File under 'M' for 'Manic ranting'
    13. Re: So what? by cordovaCon83 · · Score: 1

      There certainly are parallels between the two. There are some things that we don't want people to see or touch without permission, ethical and moral implications aside. If things were exactly alike then we wouldn't use an analogy to compare them.

    14. Re:So what? by Anonymous Coward · · Score: 1

      Yet there's hardly any shortage of things to download, are there? I think most of the things you're citing there are either not cracked because nobody cares enough to or can get the content in other ways, or you're just not plugged in enough to know if they're cracked. After all it's not like crackers make press releases to the news services when they succeed in breaking into things, now do they?

    15. Re:So what? by liquid_schwartz · · Score: 1

      What basic psychology I ever learned said precisely this...

      Basic psychology is also clear that men want one style of job and women another, but that won't stop the tirade of 'tech hates women' and 'diversity'.

    16. Re:So what? by Rick+Schumann · · Score: 1

      Basic psychology is also clear that men want one style of job and women another

      Okay, I'll bite: post links to credible, academic and/or science-based studies, preferably peer-reviewed, that back that statement up.

    17. Re: So what? by piojo · · Score: 1

      Have you never been hot and realized you would be more comfortable without a shirt, but couldn't take it off due to the setting? The analogy fits, but it is confusing due to the other reasons for clothing which are not about privacy or modesty.

      --
      A cat can't teach a dog to bark.
    18. Re:So what? by mark-t · · Score: 1

      That's not supported by basic psychology, that is supported by anecdotal evidence.

      --
      File under 'M' for 'Manic ranting'
    19. Re:So what? by mark-t · · Score: 1

      Nobody has any "right" to privacy beyond the fact that they might want it, and one may have the delusion that anything that a person wants is something that they somehow also have a right to have.

      My point, above, is only that people who have not necessarily done anything wrong still desire privacy, and it is simply a matter of being humanely decent to eachother that compels every one of us to respect it. Man-made laws in excess of this which impose restrictions on what people are allowed to do which might interfere with someone else's privacy are a nice-to-have, but again, only in that privacy is something that is generally desirable in the first place.

      --
      File under 'M' for 'Manic ranting'
  2. No, they will not by gweihir · · Score: 4, Insightful

    First, even if QCs ever work for reasonably sized problems, it will take a long, long time for them to get there. If the last 30 years are any indication, they scale decidedly sub-linear with time. And second, nobody knows whether they scale at all or are limited to low qbit numbers.

    Any panic over this is a few decades premature.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:No, they will not by Anonymous Coward · · Score: 1

      Also, we will have poisoned ourselves with micro plastics way before this is an issue.

    2. Re:No, they will not by NicknameUnavailable · · Score: 1

      First, even if QCs ever work for reasonably sized problems, it will take a long, long time for them to get there.

      TIL 5 years is a long time.

    3. Re:No, they will not by gweihir · · Score: 1

      I should be concerned over a QC that can factor 100 bit numbers? My RSA key is 2048 bit. No reason for concern at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re: No, they will not by jd · · Score: 1

      https://www.google.co.uk/amp/s...

      IBM begs to differ. And IBM doesn't beg very often.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    5. Re:No, they will not by Minupla · · Score: 1

      There are classes of secrets for which "decades" is a reasonable threat model. Communications can be an example. If I'm recording everything you send NOW, are you sure there's nothing in there that won't be a problem for you in 20, 30 years? Consider some person is going to be present of the US in 20, 30 years.

      If you're on the Nation State side of this, recording everything you can and decrypting later is a totally legitimate strategy, as SOMEONE will be the leader of $otherCountry then, and having all their emails ever is going to be valuable, even if only for putting together a psychological profile.

      So people who work for companies whose job it is to protect your information SHOULD be looking ahead. I know I'm writing policy documents with words like "Quantium Horizon" in them and looking at up and coming post-quantum algorithms. You're welcome :).

      Min

      PS: https://csrc.nist.gov/projects...

      --
      On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    6. Re:No, they will not by mark-t · · Score: 1

      Not sure if you were being sarcastic. You may be concerned, however, that the 2048 bit value is not even two full orders of magnitude harder for a QC to factor than a 100 bit number, compared to over 500 orders of magnitude for a conventional alogorithm.

      --
      File under 'M' for 'Manic ranting'
    7. Re: No, they will not by gtall · · Score: 1

      Well, you haven't been reading their financial statements then.

    8. Re:No, they will not by ceoyoyo · · Score: 2

      That's probably not true. Quantum computers are more difficult to make the more qubits you need to stick together. In a conventional computer the "difficulty" of a computation is dominated by the number of operations. In a quantum computer it tends to be dominated by the number of qubits that are required.

    9. Re:No, they will not by jaymemaurice · · Score: 1

      Consider some person is going to be present of the US in 20, 30 years.

      Decryption: The inaugural unwrapping of the new US present.

      --
      120 characters ought to be enough for anyone
    10. Re:No, they will not by mark-t · · Score: 1

      In a quantum computer [difficulty] tends to be dominated by the number of qubits that are required.

      True, but it's still a fixed cost for any given quantum computer and amortizes over a large number of operations that can be done by that computer.

      Quantum computers are more difficult to make the more qubits you need to stick together

      And I'd suggest that this principle is only true today, while there are actual real inviolable reasons why factoring large numbers is hard for any conventional computer (unless P=NP can be proven), there are no such theoretical barriers on how difficult quantum computers are inherently hard to make.

      --
      File under 'M' for 'Manic ranting'
    11. Re:No, they will not by ceoyoyo · · Score: 1

      "And I'd suggest that this principle is only true today"

      Unlikely. It's fairly easy to make a qubit. It's fairly easy, but not trivial, to put a bunch of them on a chip. It's hard to put a bunch of them on a chip, have them highly coupled, and have them maintain coherence long enough to do something useful. And it gets harder rapidly the more you want to have, due to real physical limitations.

    12. Re:No, they will not by gweihir · · Score: 1

      Indeed. This tech has scaled sub-linear for 4 decades now. It is very likely it will only get worse at larger sizes. It may well hit a wall at sizes far below what is needed to threaten modern encryption and it will certainly not get there anytime soon. These are not classical computing scaling factors were you got a factor of 16 in just 8 years for a long time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re: No, they will not by gweihir · · Score: 1

      So? If it is high-order polynomial, things stay secure. You can do public-key crypto with, say , effort n in in one direction and n^4 in the other. Requiring NP is just convenient and if you can get it, go for it. But it is not required at all.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re: No, they will not by gweihir · · Score: 1

      And you just outed yourself as utterly clueless. There are no "rounds" in RSA. You are thinking of a Feistel-construction or the like, which is something completely different. Incidentally, I am in the know but you would not even understand what that means.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re: No, they will not by gweihir · · Score: 1

      IBM is desperate for relevancy these days. They are on their knees.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:No, they will not by gweihir · · Score: 1

      You have no clue what you are talking about. Due to fundamental physical limitations, QCs will never scale the way digital computers did for a long time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Oh No!!! by Anonymous Coward · · Score: 1

    Will this break all the foundational DRM on which all our good stuff depends?!?!?

  4. Fusion power vs Quantum computing by Anonymous Coward · · Score: 1

    Quantum computing is a good way to fleece investors, but that is about it.

  5. No it will not by Anonymous Coward · · Score: 1, Interesting

    The encryption is ALREADY broken, we don't have to wait for quantum machines to get there

    Additionally speed is not the ONLY factor in security/encryption. complexity is also a key factor, but if people would get rid of ridiculous ideas like "public CA's" and force everyone to perform private and variable key exchanges provided by the site itself on first visit we can rapidly increase security. [this is just one simplified example and to save time not a complete answer, so don't get your undies in a wad]

    As long as you require an encryption system that relies on a 3rd party institution as part of its key exchange it will never be secure, Quantum hacking or not.

    Real security is hard and requires some inconveniences.

    1. Re: No it will not by jd · · Score: 1

      Nobody has broken RSA.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  6. Quantum proof algorithm? by Camembert · · Score: 1

    I seem to remember having read about a recent cryptographic algorithm that could withstand a quantum computer. Anyone remembers more detail?

    1. Re:Quantum proof algorithm? by feedayeen · · Score: 1

      Many of our existing algorithms, AES, ECDH, and others scale to the 2^(N-K) for N bits used in their keys with classical computers in terms of the operations to break them and that K is very small compared to the 64, 128, or 256-bits. Some of the proposed quantum attacks reduce these states by about the square root causing it to become 2^(N/2) operations. 2^32 states isn't that many for a classical computer to evaluate so 64-bit keys could reasonably break. 256-bit keys are reduced to 2^128 operations which is likely still 'age of the universe' even with these updates.

      The practical costo of using these larger keys is slightly slower key generation and encryption calculations. Aes takes about 1.4 times as long for doubling of the key size for instance so between these factors, the existing encryption methods are scaling a lot better against advances in quantum computers but we likely will want to update our minimum acceptable standards.

    2. Re:Quantum proof algorithm? by JMZero · · Score: 2

      Lots of cryptographic algorithms are fine, or may just need longer codes. The hardest ones to replace are public-keys, where I think the front runners are lattice or error correction based (see NTRU and McEliece).

      The other possibility is public key encryption dies, and we have to build some wacky network of symmetric encryption trust rings or something.

      --
      Let's not stir that bag of worms...
    3. Re:Quantum proof algorithm? by rajkiran_g · · Score: 1

      There are several:
      https://en.wikipedia.org/wiki/...

  7. No worries by Anonymous Coward · · Score: 1

    https://csrc.nist.gov/Projects/Post-Quantum-Cryptography

    Don't panic, citizen.

    1. Re: No worries by jd · · Score: 2

      https://www.safecrypto.eu/pqcl...

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  8. Sounds like an ad for by bobstreo · · Score: 1

    the company offering quantum encryption.

    If QC is the latest, greatest thing that is coming "Real Soon Now" you should ignore botnets with hundreds of thousands of systems, which exist now.

    On the other hand, QC may make mining bitcoins much more economical.

    1. Re:Sounds like an ad for by religionofpeas · · Score: 1

      Bitcoin mining involves doing SHA256 hashes, that's not something you can do faster with a quantum computer.

    2. Re:Sounds like an ad for by phishybongwaters · · Score: 1

      sure, if you don't have the slightest clue what quantum computing actually is. That botnet can theoretically hash out stuff yes, but you aren't pooling that processing power, you are distributing it which causes it's own bottlenecks and headaches. A quantum computer (they DO exist) can hash out faster than any of those combined. As well, through entanglement, the actual communication takes place over nothing, and is instant. So, i mean while we can say QC may help break our current encryption, the technology that QC can eventually provide us will literally remove the need for encryption. Unless you are at point A or point B, there's nothing to encrypt, listen to or steal. Spooky action at a distance is a real thing and it's spooky as fuck but potentially will change our entire techno-ecosphere for the better.

    3. Re:Sounds like an ad for by kamakazi · · Score: 1

      -On the other hand, QC may make mining bitcoins much more economical.-

      Isn't the expense of mining the only intrinsic value bitcoin has? If mining cryptocurrencies is economical then inflation in those currencies will make them valuless.

      --
      "Proximity to wonder has blunted our perception and appreciation of it" --Tim Hartnell in 'Exploring ARTIFICIAL INTELLI
    4. Re:Sounds like an ad for by JMZero · · Score: 1

      If Bitcoins suddenly became easier to mine, they'd just have to increase difficulty. It's not like there's a static amount of work to be done, and this will do it faster (which is good, as otherwise Bitcoins would rapidly lose value as computing improved). If they couldn't adjust the difficulty enough to compensate, the system would need major change.

      But it would likely actually collapse for a different reason: QC could make spending other people's Bitcoins very easy - and thus make all of them worthless.

      --
      Let's not stir that bag of worms...
    5. Re:Sounds like an ad for by WaffleMonster · · Score: 1

      sure, if you don't have the slightest clue what quantum computing actually is.

      All it does is search a space of all possible states at once. Each real qubit added doubles the search space (power) of your computer.

      QC is great for some problems that can be expressed as search problems. It doesn't do much otherwise.

      That botnet can theoretically hash out stuff yes, but you aren't pooling that processing power, you are distributing it which causes it's own bottlenecks and headaches.

      A quantum computer (they DO exist) can hash out faster than any of those combined.

      Even if you assume RSA smashing quantum computers exist there is still no evidence they could put much of a dent in 'hashing out'.

      the technology that QC can eventually provide us will literally remove the need for encryption. Unless you are at point A or point B, there's nothing to encrypt, listen to or steal. Spooky action at a distance is a real thing and it's spooky as fuck but potentially will change our entire techno-ecosphere for the better.

      "spooky action at a distance" decides outcomes rather than conducts information. It can't be used to conduct information.

      Problem with quantum encryption schemes is point A and point B are not mprotect()'d by god who infallibly only allows intended parties to communicate. You still have to bind the quantum channel while leveraging it for keying to prove integrity of the quantum channel. This requires classical communication and encryption algorithms. So while quantum crypto does provide a useful service it is still only as good as the algorithms and enabling guarded secrets. It isn't infinitely secure or infallible by any means.

    6. Re:Sounds like an ad for by religionofpeas · · Score: 1

      No, it's the other way around. The value of bitcoin determines how much effort people will put in mining.

      The word "intrinsic" is misleading. Nothing has intrinsic value. Value always depends on context.

    7. Re:Sounds like an ad for by istartedi · · Score: 1

      No, BTC's value proposition is in the hard-limited number of coins and in the ability to verify ownership via the blockchain. Also, like any other currency its value is in the collective actions of those who support it.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  9. Re:Second article this year Iâ(TM)ve seen abo by nitehawk214 · · Score: 3, Funny

    https://www.forbes.com/sites/forbestechcouncil/2018/04/18/worse-than-y2k-quantum-computing-and-the-end-of-privacy/

    This is worse than y2k

    If it is 10x worse than y2k, then it will still be no problem at all.

    --
    I'm a good cook. I'm a fantastic eater. - Steven Brust
  10. This again...? by SCVonSteroids · · Score: 1

    How often can we rehash the same thing?
    We've been saying this for how long now?

    --
    I tend to rant.
    1. Re: This again...? by jd · · Score: 1

      Hashes must repeat, limited outputs. if

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  11. And if... by TheDarkMaster · · Score: 1

    ...your encryption method does not use prime numbers to work?

    --
    Religion: The greatest weapon of mass destruction of all time
  12. Re: So what by Anonymous Coward · · Score: 5, Informative

    The trouble is that with the quantum algorithms finding the key becomes the same order of difficulty as deciding the message if you know the key. Before decryption was O(N) and cracking was O(2^N), so you can increase the key size until you get the right trade-off of ease of use and security. If they are the same order then there may not be a key size that has a reasonable ease of use and security trade-off.

    That said, this generally only applies to RSA. If you're using elliptic curve cryptography it discrete logarithms then you are probably still safe (since we haven't yet figured out how to get qubits to perform analogous operations without collapsing).

  13. Re:Second article this year Iâ(TM)ve seen abo by Anonymous Coward · · Score: 1

    Really? A problem that required billions of dollars and millions of man-hours to fix worldwide wasn't a big deal?

  14. That breaks RSA by jd · · Score: 1

    Which has been on the decline on the Internet for a while. Factorising large numbers won't help with elliptic curve, Rijndael or any other post-quantum crypto.

    For the latest:

    https://www.safecrypto.eu/pqcl...

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  15. Re: Yeah but.... by jd · · Score: 1

    No, because you can conceive of a very large scale parallel computer, such as the one the EFF built.

    Quantum attacks are parallel attacks, so a large enough parallel computer can mimic them.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  16. Phishing scams break the internet by edi_guy · · Score: 3, Insightful
    Really...people are still worried about the front door attacks? Not too long ago, my employer w/ >10,000 employees hired a company to send out fake phish emails to see who would take the bait and click. Over 15% of the people clicked on the bogus link. Extrapolating, would indicate that there are 1,500 times from one single email, that a bad guy could pwn our Fortune 500 company. Probably already does.

    Hell, we even see news items that the NSA contractors are USB'ing data around, dropping passwords, and using their hotmail accounts at work etc. Front door breaks are for academics, interesting mathematically, but not useful day to day.

    1. Re:Phishing scams break the internet by ole_timer · · Score: 1

      yep, there's enough people that continue to fall for phishes that it's profitable for ransomware crooks and spies to keep sending them.

      --
      nothing to see here - move along
  17. The Economist "predicts" what everyone believes by iMadeGhostzilla · · Score: 1, Informative

    There is no other value to their analyses. Their track record shows that. The magazine is a nicely packaged nothing.

  18. Re: So what by thechemic · · Score: 2, Informative

    Agreed. The article is essentially the same rehash of, "tomorrow's computers will break today's encryption just like today's computers broke yesterday's encryption." Nothing to see here; we already know that tomorrow's encryption will be reinvented.

    --
    Let's make like a bird... and get the flock outta here.
  19. Quantum safe is a NSA conspiracy by WaffleMonster · · Score: 1

    Always prudent to make sure security stacks are sufficiently configurable to enable rapid phase out of broken technology as it becomes necessary. It's great to work on quantum safe key exchange and new ciphers just in case.

    What is foolish and wasteful is switching to something else from a position of fear of what can't be ruled out when no affirmative evidence to support such fears exists. At that point you are no better off hiring keyboard mashing monkeys to set policy.

  20. Already been done by smooth+wombat · · Score: 1

    could have a stroke of inspiration tomorrow and publish a formula that unravels internet cryptography

    They made a movie about it. The problem is the "deep state" has hidden it from the public, just like they've hidden those aliens who helped us in World War II.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  21. How is quantum-resistant crypto research going? by presidenteloco · · Score: 1

    In general. parent is saying ECC is still probably safe, but can anyone reference or summarize other work in this?
    I know Vitalik Butarin was concerned about it and investigating, a few years ago, because apart from existing e-commerce and secure surfing etc this, quantum computer cryptanalysis would also destroy all existing blockchain implementations and cryptocurrencies.

    --

    Where are we going and why are we in a handbasket?
    1. Re:How is quantum-resistant crypto research going? by lgw · · Score: 4, Informative

      In general. parent is saying ECC is still probably safe

      The problem with ECC is the damn NSA. Fifteen or so years ago the NSA strongly endorsed moving to ECC to get ahead of the risk of quantum computing. Sadly, the specifics they suggested were poison: what the proposed was weak in a way the NSA knew about, but they hoped no one else would ever figure out. There's a lingering distrust for ECC as a result, perhaps unfairly.

      And there's no good reason to choose ECC for "post-quantum" crypto when there are good alternatives

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:How is quantum-resistant crypto research going? by Dragonslicer · · Score: 1

      ... quantum computer cryptanalysis would also destroy all existing blockchain implementations and cryptocurrencies.

      I fail to see the problem.

    3. Re:How is quantum-resistant crypto research going? by Anonymous Coward · · Score: 1

      ECC is not post-quantum, it relies on the discrete log problem for which there are good QC algorithms.

    4. Re:How is quantum-resistant crypto research going? by lgw · · Score: 1

      ECC is not post-quantum, it relies on the discrete log problem for which there are good QC algorithms.

      https://en.wikipedia.org/wiki/...

      Check it out. Supersingular isogeny Diffieâ"Hellman key exchange uses ECC operatins, but is post-quantum and not patented.

      --
      Socialism: a lie told by totalitarians and believed by fools.
  22. Only broken for a while by HeckRuler · · Score: 2

    Encryption is a force multiplier.

    1) They'll make fast computers that are so cheap that everyone can use them (or time-share them or whatever), and therefore be resistant to quantum-computer-speed brute-force.

    2) They'll make fast computers that are so expensive only the the most powerful can crack encryption, and only selectively at that. But it's probably easier for the CIA and NSA to get around encryption other ways. I just kind of assume that they've got their fingers into most everything.

    3) Something in between.

    We live in a magical age where the poorest of poor can utilize services (that are so cheap they're free) which the most powerful of the powerful cannot thwart. They are secure in their person and papers. Despite a warrant. And that really rankles the powerful. They're typically not big fans of not having power over people. If they make a fundamentally faster computer, it'll crack the encryption of today. But it WON'T crack the encryption of tomorrow, because they'll simply use the faster computing technology. (or from factoring to ellipse curves). The transition period is where cyberpunk novels are written.

  23. Ah yes the old progress is linear trope by presidenteloco · · Score: 1

    Technological progress is definitely not linear in general.
    It builds on itself and thus sometimes has a geometric or exponential progress.
    Often times, advances in multiple areas can combine to make a new revolutionary solution that was impractical before.
    e.g. Theoretical advances + materials research can lead to practical quantum computing, or maybe high temperature superconductivity etc,
    which then can be a foundation for a whole new layer of practical revolutionary and unpredicted technologies.
    It tends to have breakthroughs, tipping points etc, in other words, punctuated equilibrium.

    So don't count on progress in quantum computing staying slow and incremental.

    --

    Where are we going and why are we in a handbasket?
    1. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      Quantum computing has failed to perform for something like 40 years now. Any other technology this abysmally bad has just been scrapped. But somehow there are a lot of really clueless people that think this is magic and will suddenly scale and whatnot. There is absolutely no indication for that and a ton of indications to the contrary.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    2. Re:Ah yes the old progress is linear trope by Entrope · · Score: 1

      Nuclear fusion?

    3. Re:Ah yes the old progress is linear trope by shoor · · Score: 1

      My own favorite example of start and stop progress is aeronautics. As a kid, I remember seeing a Twilight Zone episode in which a World War I fighter pilot flew his plane into a cloud and came out in the present (which at the time the episode was made was the late 50s or maybe early 60s). So there was this scene of a World War I Biplane fighter taxing past Boeing B-52 stratofrotresses and other aircraft representing 30-40 years of progress in aviation, and the contrast was stark and amazing to my youthful mind. The pilot was an Englishman who thought he was still in World War I and commented to the first Americans he saw that he didn't realize we Americans were so advanced., That was circa 1960. Go forward 50-60 years and we're still flying B-52s. According to the wikipedia, they're expected to see use into 2050. What happened to all the initial progress in aviation tech?

      --
      In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
    4. Re:Ah yes the old progress is linear trope by alexgieg · · Score: 1

      Any other technology this abysmally bad has just been scrapped.

      Low hanging fruits. We first developed the easy technologies, in which the S curve had a short slow R&D start, then a relatively steep exponential growth curve, and a slowly developing plateau. Alongside that we stumbled upon classic computation, which had (emphasis on had) the most insanely steep exponential growth of all technologies developed before and probably will never be matched again. That one has now matured and plateaued too. So now we're entering the realm of hard to develop technologies that might have a very, VERY long initial R&D curve, followed by a slightly exponential, perhaps even linear, growth curve, followed by a long, looong plateauing.

      So, the choices are:

      a) Don't even try. Keep going for the few remaining low hanging fruits and then stop and keep forever iterating and gold plating over what has already been done.

      b) Accept the R&D phase is now going to take decades, maybe even centuries, before turning into anything resembling a growth curve. Adjust societal investments according to the new reality.

      I prefer "b". Bring on the multi-generational efforts with risk of ending up empty handed after 100, 500 or 10,000 years of effort. It's best to do that in hope science and technology will keep advancing than to shrug and let it go.

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    5. Re:Ah yes the old progress is linear trope by presidenteloco · · Score: 1

      Well you may be right of course since we don't really have it yet.
      Risk analysis (for cryptographically protected data and communications) would say:
      risk (real soon) = Medium or High because = probability=low x impact=ginormous (for now).

      Also, I can see a group of natural philosophers sitting around 600 years ago in a drinking establishment (I drink therefore I am) listening to someone in a wooden armchair griping "You people have been yammering on about figuring out how things work for 2000 years now, and I don't see any progress."

      --

      Where are we going and why are we in a handbasket?
    6. Re:Ah yes the old progress is linear trope by ffkom · · Score: 1

      There is proof in the sky, visible to everyone, that nuclear fusion actually works at large scale. But there is no proof at all that quantum computers will ever scale to useful complexity.
      The belief that quantum computers will deliver complex results in an instant is like believing that you can add numbers of arbitrary precision with a slide rule. Theoretically possible, but only if a certain physical model was a complete description of the real world, which we know for sure it is not.

    7. Re:Ah yes the old progress is linear trope by ffkom · · Score: 1

      Decade-long R&D is fine, but fear-mongering by predicting improvements that are nowhere near is not welcome.
      Plus, the amount of money put into one specific research topic should not be just based on media hypes. There are plenty of research fields that promise much sooner life-improving progress than the hypothetical quantum computers.

    8. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      You are comparing apples and oranges. Nuclear fusion has at least two observable instances where it works large-scale: 1. The sun 2. Hydrogen bombs. Nothing like that exists for QC.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    9. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      Nice example! Technologies do plateau, the question is where. For classical computing we are pretty much there now. But we had a fed decades of rapid progress before and these things are very powerful and useful. For Quantum Computers, it looks like they pretty much plateaued as well or are about too, bit at a scale were they are pretty useless and a modern pocket calculator can beat them easily.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    10. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      Exactly. Incidentally, the slide-rule example is limited pretty much by noise and measurement precision. The same is true for classical digital computers (at some scale and speed you are losing bits and digital computations become infeasible) and the huge success for classical computers comes from them having dealt very effectively with noise. It looks now like noise is the bane of QCs as well, but at a scale where they have not yet scaled to any useful size as classical computers hang that bar very high.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    11. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      Indeed. And that is just my point. QC is a crapshot at this time. It may at some time be valuable, it is not today and will not be for a long time. That does not mean stop all research, but that does certainly mean do not prioritize it and do not put major emphasis in decision making on what it may or may not eventually deliver. Now, it is possible that at some future time some other tech becomes available that makes higher-intensity research into QCs a good idea, but at the moment this is not the case and the whole thing is a large bubble of hot air.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    12. Re:Ah yes the old progress is linear trope by gweihir · · Score: 1

      I disagree. After 40 years of failure, the probability("real soon") is at worst "low" but realistically "very low". And the impact is not "ginormous", but rather "moderate". That makes risk = low ... very low.

      Even most encryption is not threatened. A working, scaling QC is nowhere near as magic as people believe. These things are useless except for a few tasks and even for them (factorization) they may have huge constants in their run-times.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re: Ah yes the old progress is linear trope by gweihir · · Score: 1

      My understanding was that grover's search and schorr's alg both dont have such bad constants. Thats why people have already been able to run toy examples to even though we've only built QCs with very limited number of qubits so far.

      They have constants in real life that allows you to run toy examples in a matter of weeks or worse. Sure, the one good run was much faster, but do the researchers list how many bad ones they had and how much time that took? Also, you may get additional complexity from the real-world set-up. That would not show up in the toy examples or the theory, but it may well show up in practice.
      A practical example is that when you run out of memory for a hash-table, you suddenly have to put it in SSD, then disk, then tape. That gives you a pretty bad additional factor and the last step is often prohibitive. The same thing could well be happening here, for example if the whole thing has to be made successively colder to support larger computations. It does not help you much if you get a result in seconds, but have to cool the whole thing for a few months after programming it to get that one result and have to repeat the process every time for a new computation.

      Now, I am not saying this particular problem is going to manifest here, but after 40 years of research doing even toy quantum computations is excessively hard. So chances are there will be massive hurdles to scale this in reality, even if the theory works out for larger examples. As larger examples need the theory to be much, much more precisely describing reality, it may well turn out that instead we find another more complicated theory and that one does not support large quantum calculations.

      In any case, nothing threatening to real-world crypto will be happening in the next few decades and that is much longer than current asymmetric keys are expected to be secure against conventional attacks. For really long-term stuff, use one-time-pads or excessive key-lenght, like 100'000 bit RSA. As a QC cannot subdivide problems (unlike a classical computer) that makes you pretty secure.

      Also while symmetric crypto will only have its security halved most crypto applications end up usong both assymetric and symmetric in combination (TLS, PGP, many VPNs, Blockchains, Secure Messaging, etc.) and breaking the assymrteic compnents is enough to completely destroy to securoty of the entire protocol (even if the symmetric stuff were to saty untouched!)

      Only if you can actually break the asymmetric part in reasonable time and at mass-scale. If it turns out that, say, the NSA can break one 1024 bit RSA key per year investing 100M into that and the process is already optimized to the limits of what is possible, then this is not a threat.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  24. Perhaps we need a better infrastructure. by jellomizer · · Score: 1

    Encryption of TCP/IP traffic was always a kludge workaround to the internet problem.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  25. Re: Y2K by presidenteloco · · Score: 1

    The armchair wise-asses laughed at how lame Y2K was.
    Their pea-brains didn't understand that it was no big deal precisely because a lot of planning, time, and effort went into technical fixes and technology replacements to avoid the impacts of the problem.
    A lot of computing-related problems are still pretty binary. Either they'll happen, or if fixed, they won't. It can be all or nothing easily. E.g. a patch for a critical and easy to exploit OS security hole. Could be a laughable hype, if discovered and widely patched in time, or could be a widespread disaster.

    --

    Where are we going and why are we in a handbasket?
  26. Quantum computers are useless by 140Mandak262Jamuna · · Score: 1
    They will do all sorts of calculations, fast. But if you try to read the answer, it will change.

    The results of the computation depends on the observer

    And it is a QA nightmare, none of the computations are repeatable.

    All the memory states of a quantum computers can be 1 or 0 till you read it your would not know. Once you read it the memory is destroyed.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  27. Finds the period of a function - doesn't factor by FeelGood314 · · Score: 1

    For RSA you don't actually have to factor the large composite number, you need to just know the period of the messages, which is what Shor's algorithm does.

    In RSA you choose two large prime numbers p and q, and then publish n=(p*q) and e. e is a smallish usually prime number. Your private key is a number d such that e*d is congruent to 1 module (p-1)(q-1). (p-1)(q-1) is the number of coprime numbers to (p*q). Given a number M less than n that is coprime to n, if you raise that number to every different power less than (p-1)(q-1) and take the modulus n, you will get every coprime number of n. When you raise M to (p-1)(q-1) and take the modulus you will get 1 and when you raise it to (p-1)(q-1)+1 you will get M again.

    (p-1)(q-1) is the number of coprimes to n and also the period of any M being raised to a power modulo n. In classical computing you would likely find p and q by factoring n and then calculate (p-1)(q-1). However, Shor's algorithm actually gives you the period. (You could then find p and q though)

  28. Remember when you thought privacy existed? by CranberryKing · · Score: 1

    You can argue about encryption algorithms and faster computers, but the real issue is time. Anything that traverses the wire becomes part of a permanent record. They copy and store every single bit, knowing that they cannot crack your encryption today, but in the future it will become trivial. So at best you're talking about mitigation. Everything you've ever said or done will have to live up to the impossible moral standard of the world communist courts of the not so distant future. There will be no deviation from the hive mind of public opinion which you will be happy to oblige.

  29. Future Algorithms - difficulties today by FeelGood314 · · Score: 1

    We can sign things with just a hashing function. For key agreement and other fun things there are other problems that it appears a quantum computer can't solve. https://en.wikipedia.org/wiki/...

    However, there are a number of problems:
    1 - If the NSA records the handshake of your conversation today, they will be able to read your messages in the future when/if they build a quantum computer. I find this point very frustrating. So many people think they are safe as long as they adopt something before a quantum computer is built.
    2 - Adoption is going to be very slow. Other than Supersingular elliptic curve isogeny, none of the other proposals are drop in replacements for what we do today. So the protocols will have to change.
    3 - Performance and bandwidth - some of the new algorithms have similar computation requirements but many are more expensive, some require significantly more RAM and almost all require huge message sizes. Most of my work is with ZigBee and 21 byte ECC point representations are fine. 1K messages are going to be really hard. 30K will be impossible. The bandwidth will take nearly an hour, many $1 systems won't even have that much memory. Hell the power consumption to be awake to receive the message will kill some devices.

  30. Re: So what by Anonymous Coward · · Score: 1

    Wrong. There are also efficient quantum algorithms to compute discrete logs and elliptic curve discrete logs (which is generally what elliptic curve cryptography is based on). Lattice based crypto and symmetric key systems might well be safe, but quantum computers basically break all commonly used public key cryptography protocols.

  31. Real quantum computers do not yet exist by Jerry · · Score: 1

    and it may be decades before they do.

    IBM's 5 qbit machine is coherent for 50 microseconds. It is not big enough to solve any useful problems. D-Wave isn't any faster than an ordinary computer and using quantum "annealing" it is limited in the kinds of problems it can solve.

    If someone created a 4096 GPG key it would most likely be good for their lifetime.

    --

    Running with Linux for over 20 years!

  32. It's why the summary is false by Actually,+I+do+RTFA · · Score: 1

    The summary says:

    In theory, any of the world's millions of professional or amateur mathematicians could have a stroke of inspiration tomorrow and publish a formula that unravels internet cryptography -- and most internet commerce with it.

    Anyone smart enough to solve this problem is smart enough to do something other than publish the proof. Patriots will probably get a large payday for delivering it to their local intelligence service. Black hats can sell it on the dark web. White hats would warn about an impending publication and let everyone crash move to a new system first.

    --
    Your ad here. Ask me how!
  33. Re:SETEC ASTRONOMY by rogoshen1 · · Score: 1

    utterly amazing how well that movie aged, isn't it?

  34. Communication via Entanglement makes this obsolete by burhop · · Score: 1

    Quantum physics allows us to entangle bits (really qubits) and separate them by great distances. We can create a totally secure "quantum net" that allows instantaneous communication between one set of entangled bits and another set of entangled bits.

    Yeah, you physicists are going to say something about "information passing", "speed of light limits", yada, yada yada. That is fine in theory, but in practice 99% of all social media post have no real information.