@Randys has written a new blog article for Purism:
This seems very disingenuous to me. There's still no elaboration on what Purism is actually doing as far as ML-KEM. The Chinese research being talked about cracked a singular 22-bit key using subsets of the AES standard, not the full standard. (Most standard keys are 2048 or 4096 bit and the difficulty scales exponentially, not linearly.) And they don't even bother to link to an article about the Chinese research, or write their own and link to the actual research itself…
This appears to be more FUD than marketing even.
Do you have a citation for this Chinese research?
With a QC, I am unconvinced that this is correct. That is, it may well scale linearly. (If you brute force using a conventional computer, no matter what fixed number of parallel CPUs you have, it of course scales exponentially.)
Yes, the blog post should have linked either to the research or to a reputable discussion of the research.
I think the (potentially theoretical) point being made is that if I can crack a 22-bit key then the rest of the job to crack a 2048-bit key is just engineering. The difficult parts of … imagining that it can be done, of building qubits, of putting it together in a working QC have been done.
And as the article says
The importance of adopting quantum-resistant cryptography cannot be overstated. As quantum computing continues to advance, the risk of “harvest-now, decrypt-later” attacks—where adversaries collect encrypted data now and decrypt it once quantum computers become powerful enough—becomes a tangible threat.
So even if it takes 5 years of engineering to scale up to 2048 bits, the problem is now - because you are generating encrypted content and traffic now that can be collected for future decryption. Thus you must change your algorithm now.
The main circumstance in which you could discount that argument is if the information would be worthless and obsolete by the time it can be decrypted. How many decades would that be? Obviously that is up to the owner of the information to assess - and up to someone else to guess whether it’s 5 years of engineering or 25 years of engineering.
And, I agree, the blog post lacks detail regarding how it relates to what Purism is actually doing.
http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf
From: Chinese Scientists Report Using Quantum Computer to Hack Military-grade Encryption
Except it's a 22-bit key of a subset of the encryption algorithm. So it's both an unrealistically small key AND not the full algorithm.
As far as collected and stored for later decryption that issue started over 20 years ago if your threat model includes governments with those kinds of resources. That concept of store for decryption later isn’t new and has already been used to decrypt older encryption algorithms that have since been defeated with current compute capabilities.
My point being that’s not a new risk/threat and is not a problem “now” but has been a problem for decades.
So actually it is a problem now.
In theory you can run with “it has always been a problem” and it is not incorrect that it has always been a problem, just as for example MD5 is no longer considered an adequate hash at all, and SHA1 is on the way out. However there is a difference between the slow and steady march of Moore’s Law - 1 bit per 18 months - and the (no pun intended) quantum leap that a workable-at-scale QC would represent.
For information transmitted encrypted on the public internet using publicly known algorithms, there is no foolproof defence against collect-now-decrypt-later, so the best course of action is always to be on the leading edge i.e. in using new algorithms as they become available - so that the number of years between collect and decrypt is as large as possible.
@Randy, @Randy, Please. Have you even read the abstract of that paper? 50 bits is nowhere near military grade. Improve yourself!
FWIW I don’t think Randy has logged into the forum except the first time to create the account.
@JCS seems to currently be the primary Purism employee that checks the forum with any consistency at the moment.
@jonathon.hall has been quite active too, although they did not reply to the previous blog article about ML-KEM when mentioned by @JCS.
Yes, you’re right, I’ve raised this internally suggesting to reword it to “a reduced form of military-grade encryption” or something to that effect.
I saw that sources describe it this way (including the one linked above). The abstract does say they factored 50 bit integers, and that news article suggests that there are limitations preventing it from applying to full size keys (e.g. not just money or scale).
Obviously as others have said, it’s on the brink though
Sorry, I must have overlooked that one, maybe went through it too fast in my email and marked it ‘read’ by mistake.
I did do the development to hook up our proof-of-concept Chatty with GPG encrypted Matrix messages to the current development release of GnuPG supporting PQC encryption. (I did not implement the crypto, all credit to the fine folks on the GnuPG team for that!)
Do you have any specific questions about it or just looking for some more info on how it works?
Personally I was looking for transparency from Purism regarding what Purism has done with regard to “We have already implemented ML-KEM and are actively integrating the technology throughout our product line.”
Sounds like a very different thing to me and it sounds like marketing getting out ahead of engineering and development, again.
Maybe you can directly answer the inquiry @todd-weaver failed to adequately address or acknowledge in my email conversation with them:
Thanks @OpojOJirYAlG for the clear feedback. I’ve raised this internally as well. I agree with the message in the article, but it’s frustrating that these details detract from that message.
I appreciate Randy’s writing, I think he has the right message and is a good writer. The insufficient communication between development and marketing is my fault as well.
Sure. I’ll start with some basics to get us all up to speed.
As you know, post-quantum cryptography is cryptography designed to be resistant to quantum computers. While there aren’t yet quantum computers capable of breaking the algorithms in use today, as we’ve seen above it is close enough that this is a real threat - communications harvested today might be decrypted in the relatively near future.
NIST recently standardized three PQC cryptographic algorithms (August 2024):
- ML-KEM (CRYSTALS-Kyber), an encryption method
- ML-DSA (CRYSTALS-Dilithium), a signing method
- SLH-DSA (Sphincs+), a second signing method
Two signing methods were standardized in case one proves vulnerable. You can sign data with both, so both algorithms would have to be compromised to forge a complete signature.
As these algorithms were very recently standardized, it will take some time before they are widely supported. This is not something you can enable in GnuPG today on your existing setup.
GnuPG 2.5.0 (a development release, not intended for production use), supports ML-KEM encryption. It does not yet support either signing method. The OpenPGP standard for using ML-KEM in PGP messages is not yet standardized, so it is possible that messages encrypted today will not interchange with production releases. (It does appear the drafts probably will not change much to the final, but there’s no guarantee.)
So what are some things you can do today?
- If your threat model justifies it, research very recent releases or development versions of software you use for encryption. Remember that development versions may have caveats, these might be acceptable for your use case. (E.g. a power-side-channel attack today might be OK to have PQC encrypted data.)
- If you are a developer, contribute to FLOSS to support these projects.
- Support companies doing either of the above
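To make concrete what "ML-KEM encryption" in the post above actually is, here is an added example of a complete ML-KEM-768 exchange. It is not Purism's or GnuPG's code; it assumes Go 1.24 or newer, where `crypto/mlkem` is part of the standard library. The important practical point it shows is that ML-KEM is a key encapsulation mechanism, not a message cipher: the sender gets a fresh shared key and a ciphertext to transmit, and a corrupted ciphertext is not rejected with an error but silently decapsulates to a different key (implicit rejection), so the derived key must always be used with something authenticated.

```go
package main

import (
	"bytes"
	"crypto/mlkem"
	"fmt"
	"log"
)

// KemOutcome records what each side of one ML-KEM-768 exchange ended up with.
type KemOutcome struct {
	SenderKey    []byte // shared key derived by the sender during Encapsulate
	RecipientKey []byte // shared key recovered by the recipient during Decapsulate
	TamperedKey  []byte // what the recipient gets from a one-bit-flipped ciphertext
}

// Exchange performs a full ML-KEM-768 round trip. The sender holds only the
// serialized public (encapsulation) key, as it would arrive in a key record
// or message header; the recipient holds the private (decapsulation) key.
func Exchange(dk *mlkem.DecapsulationKey768, ekBytes []byte) (KemOutcome, error) {
	var out KemOutcome

	// Sender: rebuild the public key from bytes and encapsulate. This yields
	// a fresh 32-byte shared key plus the ciphertext to transmit. ML-KEM
	// never encrypts the payload itself; the shared key feeds an AEAD.
	ek, err := mlkem.NewEncapsulationKey768(ekBytes)
	if err != nil {
		return out, fmt.Errorf("bad encapsulation key: %w", err)
	}
	sharedKey, ct := ek.Encapsulate()
	out.SenderKey = sharedKey

	// Recipient: recover the shared key from the ciphertext alone.
	recovered, err := dk.Decapsulate(ct)
	if err != nil {
		return out, fmt.Errorf("decapsulate: %w", err)
	}
	out.RecipientKey = recovered

	// Tamper check: flip one bit of the ciphertext. A correctly sized but
	// corrupted ciphertext does not produce an error; ML-KEM's implicit
	// rejection returns a pseudorandom key instead, so only an authenticated
	// use of the key (an AEAD tag, a MAC) reveals that tampering happened.
	bad := append([]byte(nil), ct...)
	bad[len(bad)-1] ^= 0x01
	tampered, err := dk.Decapsulate(bad)
	if err != nil {
		return out, fmt.Errorf("decapsulate tampered: %w", err)
	}
	out.TamperedKey = tampered
	return out, nil
}

// RunKemDemo generates a keypair and runs Exchange, returning whether both
// sides agree on the key and whether the tampered ciphertext yielded a
// different one.
func RunKemDemo() (agree bool, tamperDetected bool, err error) {
	dk, err := mlkem.GenerateKey768()
	if err != nil {
		return false, false, err
	}
	out, err := Exchange(dk, dk.EncapsulationKey().Bytes())
	if err != nil {
		return false, false, err
	}
	agree = bytes.Equal(out.SenderKey, out.RecipientKey)
	tamperDetected = !bytes.Equal(out.SenderKey, out.TamperedKey)
	return agree, tamperDetected, nil
}

func main() {
	agree, tamperDetected, err := RunKemDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("shared key agrees: %v\n", agree)
	fmt.Printf("tampered ciphertext yields a different key: %v\n", tamperDetected)
	fmt.Printf("sizes: ek=%d bytes, ct=%d bytes, key=%d bytes\n",
		mlkem.EncapsulationKeySize768, mlkem.CiphertextSize768, mlkem.SharedKeySize)
}
```

The printed sizes (1184-byte public key, 1088-byte ciphertext) are the reason "just enable it in your existing setup" is not trivial: the OpenPGP packet formats and any key storage have to carry those larger objects, which is exactly what the still-unfinished OpenPGP PQC draft specifies.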
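The post's remark that signing with both ML-DSA and SLH-DSA means both must be broken before a forgery is possible only holds if the verifier requires both components to pass. The following added example (not Purism's or GnuPG's code) shows that composition logic and the mistake to avoid. The Go standard library does not ship ML-DSA or SLH-DSA, so Ed25519 stands in for the first component and ECDSA P-256 for the second; the messages are constructed samples, and an attacker who has "broken" scheme A is modelled simply by handing them its private key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"log"
)

// DualSignature carries one signature from each scheme.
type DualSignature struct {
	SigA []byte // stand-in for the ML-DSA component (Ed25519 here)
	SigB []byte // stand-in for the SLH-DSA component (ECDSA P-256 here)
}

// DualSigner holds one private key per scheme; DualVerifier the public keys.
type DualSigner struct {
	a ed25519.PrivateKey
	b *ecdsa.PrivateKey
}

type DualVerifier struct {
	a ed25519.PublicKey
	b *ecdsa.PublicKey
}

func NewDualKeys() (*DualSigner, *DualVerifier, error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privB, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &DualSigner{privA, privB}, &DualVerifier{pubA, &privB.PublicKey}, nil
}

// Sign produces both components over the same message.
func (s *DualSigner) Sign(msg []byte) (DualSignature, error) {
	h := sha256.Sum256(msg)
	sigB, err := ecdsa.SignASN1(rand.Reader, s.b, h[:])
	if err != nil {
		return DualSignature{}, err
	}
	return DualSignature{SigA: ed25519.Sign(s.a, msg), SigB: sigB}, nil
}

// VerifyBoth is the correct composition: every component must verify, so a
// forgery needs a break of both schemes.
func (v *DualVerifier) VerifyBoth(msg []byte, sig DualSignature) bool {
	h := sha256.Sum256(msg)
	okA := ed25519.Verify(v.a, msg, sig.SigA)
	okB := ecdsa.VerifyASN1(v.b, h[:], sig.SigB)
	return okA && okB
}

// VerifyEither is the mistake to avoid: accepting if any component verifies
// makes the composite exactly as weak as the weaker scheme.
func (v *DualVerifier) VerifyEither(msg []byte, sig DualSignature) bool {
	h := sha256.Sum256(msg)
	return ed25519.Verify(v.a, msg, sig.SigA) || ecdsa.VerifyASN1(v.b, h[:], sig.SigB)
}

// ForgeryResult reports how each verifier treats a genuine signature and a
// forgery by an attacker who has fully broken scheme A.
type ForgeryResult struct {
	GenuineAcceptedByBoth   bool
	ForgeryAcceptedByBoth   bool
	ForgeryAcceptedByEither bool
}

func RunSignatureDemo() (ForgeryResult, error) {
	signer, verifier, err := NewDualKeys()
	if err != nil {
		return ForgeryResult{}, err
	}
	genuineMsg := []byte("pay 10 EUR to alice")       // constructed sample
	forgedMsg := []byte("pay 10000 EUR to mallory")   // constructed sample

	genuine, err := signer.Sign(genuineMsg)
	if err != nil {
		return ForgeryResult{}, err
	}

	// Attacker: scheme A is broken (modelled as holding its private key),
	// so SigA over the forged message is valid. For SigB the best they can
	// do is replay the victim's genuine SigB, which was made over a
	// different message and will not verify.
	forged := DualSignature{
		SigA: ed25519.Sign(signer.a, forgedMsg),
		SigB: genuine.SigB,
	}

	return ForgeryResult{
		GenuineAcceptedByBoth:   verifier.VerifyBoth(genuineMsg, genuine),
		ForgeryAcceptedByBoth:   verifier.VerifyBoth(forgedMsg, forged),
		ForgeryAcceptedByEither: verifier.VerifyEither(forgedMsg, forged),
	}, nil
}

func main() {
	r, err := RunSignatureDemo()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Real composite signature constructions also bind a domain-separation label and the algorithm identifiers into what each component signs, so a component signature cannot be lifted out and presented as a standalone signature; this sketch omits that and only illustrates the AND-versus-OR decision.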
Perhaps I'm missing what that message is intended to be. To me the primary message appears to be "The world is scary. We can protect you because we're great, buy our products." I would prefer messaging closer to "things are changing, there's value in keeping up with the changes, here's what we're doing to keep up with and contribute to those changes, and here's what we're doing to differentiate ourselves."
I don't see how asking for more information to understand detracts from that, aside from detracting from "the world is scary" if those clarifications would be evidence against the assertion that the world is scary.
Asking for clarification on how Purism and Purism products can protect, isn’t detracting from that message as it should provide clarity and understanding in how and in turn bolster that message assuming the messaging is accurate.
I had seen this story commented on SOS by renowned cryptography expert Bruce Schneier, and also further read the linked article debunking this overblown media hype, which is basically a sensational story made for eye-catching headlines by ignorant journalists that don’t even know what they are talking about - mixing up AES/RSA, military-grade/public key cryptography and making very confused statements.
As to Bruce Schneier’s opinion on all this: No, The Chinese Have Not Broken Modern Encryption Systems with a Quantum Computer
Instead of having to write an entire article explaining why it is no true, he was glad someone else had already written one debunking the whole affair:
I feel sad that Purism has fallen into this trap of bad journalism and published what looks like a marketing post out of all this FUD. Purism SPC lately seems to have become more of an aggressive marketing company than anything else…
Just a random question … if you were Chinese government and you were making public that you had cracked, say, 22 bits only + subset of an algorithm, would you be disclosing your full capability? Wouldn’t it make sense to keep your public disclosures running behind your private capability? Wouldn’t it make sense to keep the enemy guessing?
It’s a fine line between boasting in order to achieve national prestige and giving the enemy free information.
That would depend on how much credibility I would want to establish with my claims, along with propaganda, FUD, and various other factors. Attempting to solicit feedback against my threat model would be the main reason I would consider unclassifying information.
Historically speaking, Chinese-backed entities tend to oversell their capabilities rather than undersell them. While past activity isn't a guarantee of current nor future action, it can be used as part of the assessment of probability.
Once they are supported in software will it be possible to continue using our existing librem keys or will they require new hardware?