Explore our sites

Stack Exchange
tour help
Take the 2-minute tour ×
Information Security Stack Exchange is a question and answer site for Information security professionals. It's 100% free, no registration required.
up vote 23 down vote favorite
9

There's the recent article NSA seeks to build quantum computer that could crack most types of encryption. Now I'm not surprised by the NSA trying anything1, but what slightly baffles me is the word "most" - so, what encryption algorithms are known and sufficiently field-tested that are not severely vulnerable to Quantum Computing?

share|improve this question
6  
1) Yup, I wouldn't even be surprised if they had a secret department of fortune telling... –  Tobias Kienzler yesterday
 
Best to use OTP -in real world and for the virtual world use symmetric algorithms + 256bit keys. look at this theguardian.com/world/2013/sep/05/… –  Johny 22 hours ago
1  
Quantum computers are still a ways off. The concept relies on using bits, that when unobserved, are both 1 and 0 and so able to calculate with all the values that can be represented in the given space -- with one calculation. As romantic as this sounds, I have yet to hear of a way to calculate with this bits while leaving them unobserved. –  November 19 hours ago
 
Don't assume that just because an organization the size of the NSA is trying to build something that they expect to successfully deploy one anytime soon. Because arms-races are races, often an organization will research something because they don't want to be just starting out when their competitors are deploying one. If the NSA builds up a brain-trust of people who know about quantum computing then they might be able to deploy one ahead of their competitors, and are less likely to be caught flat-footed. –  Mike Samuel 17 hours ago
 
My concern is not the NSA, who might just as well use some less pleasant meatworld methods to obtain one's secrets, but rather the implications of QC in general –  Tobias Kienzler 7 hours ago
show 2 more comments

3 Answers

up vote 42 down vote accepted

As usual, journalism talking about technical subjects tends to be fuzzy about details...

Assuming that a true Quantum Computer can be built, then:

  • RSA, and other algorithms which rely on the hardness of integer factorization (e.g. Rabin), are toast. Shor's algorithm factors big integers very efficiently.
  • DSA, Diffie-Hellman ElGamal, and other algorithms which rely on the hardness of discrete logarithm, are equally broken. A variant of Shor's algorithm also applies. Note that this is true for every group, so elliptic curve variants of these algorithms fare no better.

  • Symmetric encryption is weakened; namely, a quantum computer can search through a space of size 2n in time 2n/2. This means that a 128-bit AES key would be demoted back to the strength of a 64-bit key -- however, note that these are 264 _quantum-computing_ operations; you cannot apply figures from studies with FPGA and GPU and blindly assume that if a quantum computer can be built at all, it can be built and operated cheaply.

  • Similarly, hash function resistance to various kind of attacks would be similarly reduced. Roughly speaking, a hash function with an output of n bits would resist preimages with strength 2n/2 and collisions up to 2n/3 (figures with classical computers being 2n and 2n/2, respectively). SHA-256 would still be as strong against collisions as a 170-bit hash function nowadays, i.e. better than a "perfect SHA-1".

So symmetric cryptography would not be severely damaged if a quantum computer turned out to be built. Even if it could be built very cheaply actual symmetric encryption and hash function algorithms would still offer a very fair bit of resistance. For asymmetric encryption, though, that would mean trouble. We nonetheless know of several asymmetric algorithms for which no efficient QC-based attack is known, in particular algorithms based on lattice reduction (e.g. NTRU), and the venerable McEliece encryption. These algorithms are not very popular nowadays, for a variety of reasons (early versions of NTRU turned out to be weak; there are patents; McEliece's public keys are huge; and so on), but some would still be acceptable.

Study of cryptography under the assumption that efficient quantum computers can be built is called post-quantum cryptography.

Personally I don't believe that a meagre 80 millions dollars budget would get the NSA far. IBM has been working on that subject for decades and spent a lot more than that, and their best prototypes are not amazing. It is highly plausible that NSA has spent some dollars on the idea of quantum computing; after all, that's their job, and it would be a scandal if taxpayer money did not go into that kind of research. But there is a difference between searching and finding...

share|improve this answer
3  
+1, and wish I could give you +10 just for the last two sentences. With all the scandals about their abuses it's sometimes easy to forget that when all's said and done being able to spy on people is their job and what we're objecting to is their lack of restraint when doing it... –  Shadur yesterday
4  
+1 - Of course you might consider that with 80 million dollars, the NSA could just hire goons to beat private keys out of most targets... Then again they could have forced IBM and others to "volunteer" in providing their most secret research progress so far –  Tobias Kienzler 23 hours ago
 
@Thomas Pornin Is the complexity of searching a space decreased due to the uncertainty principle? I might be way off..... –  Rell3oT 22 hours ago
 
@Rell3oT: the idea is that a qubit is a superposition of several states, and thus, to some extent, with one operation, several computations are done simultaneously. The uncertainty principle is another, rather unrelated expression of the fact that at the quantum level, what we think of as "matter" actually behaves like a probability distribution. –  Thomas Pornin 22 hours ago
 
Okay Thank you @ThomasPornin . What you described is what I thought the uncertainty principle was. Apparently I need to brush up... –  Rell3oT 22 hours ago
show 3 more comments
up vote 3 down vote

Quantum computing will make most dramatic impact on asymmetric encryption, but symmetric algorithms are considered safe with a large enough key size (256 bits). So, yeah, we'll have to reinvent x509/SSL by the time quantum computing really takes off (which is a large enough TODO), but there will be large areas of cryptography that will remain relatively safe.

http://en.wikipedia.org/wiki/Post-quantum_cryptography http://www.pqcrypto.org/www.springer.com/cda/content/document/cda_downloaddocument/9783540887010-c1.pdf

share|improve this answer
add comment
up vote 0 down vote

For added protection against the NSA, encrypt using AES chain block cipher mode, then encrypt the cipher text (the result from the first encryption) again, and repeat as many times as you can afford to repeat. The NSA would probably try brute force searching to go through the search space, and figure out they've cracked the code by determining the entropy of the result for each of the keys they test. They know when to stop when they see meaningful text as the result. By encrypting several times, you make it harder for them to determine when they have cracked a code because if they did try the right key, then they would see jumble as the result, almost indistinguishable from the results of the incorrect keys. As you increase the number of re-encryptions, the difficulty of cracking encrypting content becomes more difficult. The NSA will lose its mind trying to figure out when they have cracked the code.

Software like TrueCrypt can do multiple encryption for you. But beware of naive encryption that simply runs in the "Encrypted Code Book" mode. You will need encryption that runs in one of the more sophisticated modes like "Chain Block Cipher" or "Cipher Feedback." Yes, a quantum computer would make it easier for the NSA to go through the possible keys to try. But by encrypting multiple times (with a DIFFERENT key for each encryption repeat of course), you make the search space difficult by a factor of the key length. Hopefully this helps you keep your stuff out of the NSA's reach.

share|improve this answer
 
The implications of applying multiple layers of encryption can be quite complex and in the worst case reduce the individual layers' security - take for example XORing the entire message twice - you end up with the original message! And even if you use two different keys, it's still equivalent to XORing with one entirely different key. It's of course more complex with AES, but you'd really do yourself a favour by increasing the key size instead... –  Tobias Kienzler 7 hours ago
add comment

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.