Subject : Re: State of Post Quantum Cryptography?
From : jb-usenet (at) *nospam* wisemo.invalid (Jakob Bohm)
Groups : sci.crypt
Date : 10 May 2024, 07:32:26
Organisation : WiseMo A/S
Message-ID : <v1kf1r$1726o$1@dont-email.me>
References : 1 2 3
User-Agent : Epyrus/2.1.2
On 2024-05-09 23:28, Peter Fairbrother wrote:
> On 06/05/2024 14:53, Jakob Bohm wrote:
>> On 2024-05-02 10:20, The Running Man wrote:
>>> What is you guys' take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
>>>
>>> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users.
>
> Yep, that's a risk. PQC algorithms are of necessity less mature than current cryptographic algorithms. If I may quote Schneier's law in its original form:
>
> "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. It’s not even hard. What is hard is creating an algorithm that no one else can break, even after years of analysis. And the only way to prove that is to subject the algorithm to years of analysis by the best cryptographers around."
>
> The winning PQC algorithms have had some of that analysis, but perhaps not enough. I would not be surprised if, like some of the candidates, the winners were comprehensively broken.
>
> And there is another risk: that they will be broken in ways we don't know about now. Quantum computers of the needed scale still don't exist, and we don't have years of practice using them - so it is practically inevitable that new attack techniques using quantum computers will be developed.

See further below where Fairbrother returns to this subject.

>> If any bad actor has a quantum computer with just a few more Qubits than the ones demonstrated in public, they can break most current public key algorithms using known attack algorithms written a long time ago for such (then hypothetical) computers.
>
> Err, no. Just no.

Note that I was talking logarithmic steps, not single qubit steps.

> You would need about 1,000 reliable entangled error-free qubits equivalent (REEFQe) to do any useful cryptanalysis of present day public key algorithms, and we are nowhere near that. Not even 100 REEFQe, more like 20.
>
> Having 1,000 error prone qbits, which has been done in a couple of cases, is not nearly enough. Neither is D-wave's 1,200 calibrated annealing qbits.
>
> Would those numbers apply to things like EdDSA and ECDSA?
>
> Not even close.

And close only counts in horseshoes and hand grenades.

>> They can also break symmetric encryption at the same difficulty as if the key length was half as many bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES 128). [..] Any PQC public key algorithm will need to be combined with double strength symmetric algorithms.
>
> Now there we agree, in fact double strength symmetric algorithms should be de rigueur in general use as of yesterday: but I don't see why we can't double up and use classic public key algorithms *as well as* PQC public key algorithms, at least for a while.

Yes, doubling up the types of algorithms used is a good way to hedge bets against bad algorithms. Staying with known at-risk algorithms is problematic.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
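The "double up" hedge discussed at the end of the post (a classical key agreement *and* a PQC KEM, with a double-strength symmetric cipher behind them) comes down to how the two shared secrets are combined into one session key. The following is an added example, not code from the thread or from either poster: a hybrid combiner that feeds both shared secrets through HKDF (RFC 5869, SHA-256, written out on the standard library) so the session key stays secret unless *both* key exchanges are broken. The shared secrets and the transcript bytes are constructed placeholders standing in for real X25519 and ML-KEM outputs; the function names, the length-prefixing and the `hybrid-kem-v1` label are this example's own choices. The TLS hybrid key-exchange draft takes the same concatenate-then-KDF approach.

```python
"""Hybrid (classical + post-quantum) shared-secret combiner.

Added example, not code from the original thread. One session key is
derived from a classical key agreement (e.g. X25519) AND a PQC KEM
(e.g. ML-KEM), so an attacker has to break both to recover it.
The KDF is HKDF (RFC 5869) over SHA-256, implemented with hashlib/hmac.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: PRK = HMAC(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def _length_prefixed(*parts: bytes) -> bytes:
    """Concatenate with 2-byte length prefixes so a||b cannot be re-split ambiguously."""
    out = b""
    for p in parts:
        if len(p) > 0xFFFF:
            raise ValueError("part too long for 2-byte length prefix")
        out += len(p).to_bytes(2, "big") + p
    return out


def combine_shared_secrets(ss_classical: bytes, ss_pqc: bytes, transcript: bytes,
                           length: int = 32, label: bytes = b"hybrid-kem-v1") -> bytes:
    """Derive a session key from two independent shared secrets.

    Both secrets form the HKDF input keying material; the hashed transcript
    (public keys and ciphertexts exchanged) is the salt and the label is the
    info string, so the same secrets in another context give another key.
    """
    for name, ss in (("classical", ss_classical), ("pqc", ss_pqc)):
        if len(ss) == 0:
            raise ValueError(f"{name} shared secret is empty")
        # The all-zero output check RFC 7748 allows for X25519: a low-order
        # peer point makes that side contribute nothing, so refuse it loudly.
        if ss == b"\x00" * len(ss):
            raise ValueError(f"{name} shared secret is all zeros (contributory check failed)")
    ikm = _length_prefixed(ss_classical, ss_pqc)
    prk = hkdf_extract(hashlib.sha256(transcript).digest(), ikm)
    return hkdf_expand(prk, label, length)


# Constructed placeholders standing in for real X25519 and ML-KEM outputs.
SS_CLASSICAL = bytes(range(32))
SS_PQC = bytes(range(32, 64))
TRANSCRIPT = b"constructed transcript: client_pk || server_pk || pqc_ciphertext"


def demo() -> dict:
    """Show that the derived key depends on both secrets and on the transcript."""
    key = combine_shared_secrets(SS_CLASSICAL, SS_PQC, TRANSCRIPT)
    # An attacker who broke the classical side knows SS_CLASSICAL but not SS_PQC
    # (and vice versa); a different value on either side gives a different key.
    key_wrong_pqc = combine_shared_secrets(SS_CLASSICAL, SS_PQC[::-1], TRANSCRIPT)
    key_wrong_classical = combine_shared_secrets(SS_CLASSICAL[::-1], SS_PQC, TRANSCRIPT)
    key_other_context = combine_shared_secrets(SS_CLASSICAL, SS_PQC, TRANSCRIPT + b"x")
    return {
        "key": key,
        "depends_on_pqc": key != key_wrong_pqc,
        "depends_on_classical": key != key_wrong_classical,
        "depends_on_transcript": key != key_other_context,
    }


if __name__ == "__main__":
    print(demo())
```

Two points worth keeping when adapting this: length-prefix the inputs (or fix their sizes per algorithm) so the concatenation is unambiguous, and bind the transcript into the derivation so a key agreed in one exchange cannot be replayed into another. The HKDF functions can be checked against the RFC 5869 test vectors before trusting the combiner built on them.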