New Post: RIP RSA AES: The Immediate Need of Quantum-Resistant Cryptography

@Randys has written a new blog article for Purism:

1 Like

This seems very disingenuous to me. There's still no elaboration on what Purism is actually doing as far as ML-KEM. The Chinese research being talked about cracked a singular 22-bit key using subsets of the AES standard, not the full standard (most standard keys are 2048- or 4096-bit, and the difficulty scales exponentially, not linearly). And they don't even bother to link to an article about the Chinese research, or write their own and link to the actual research itself…

This appears to be more FUD than marketing even.

3 Likes

Do you have a citation for this Chinese research?

1 Like

With a QC, I am unconvinced that this is correct. That is, it may well scale linearly. (If you brute force using a conventional computer, no matter what fixed number of parallel CPUs you have, it of course scales exponentially.)

Yes, the blog post should have linked either to the research or to a reputable discussion of the research.

I think the (potentially theoretical) point being made is that if I can crack a 22-bit key then the rest of the job to crack a 2048-bit key is just engineering. The difficult parts of … imagining that it can be done, of building qubits, of putting it together in a working QC have been done.

And as the article says:

The importance of adopting quantum-resistant cryptography cannot be overstated. As quantum computing continues to advance, the risk of “harvest-now, decrypt-later” attacks—where adversaries collect encrypted data now and decrypt it once quantum computers become powerful enough—becomes a tangible threat.

So even if it takes 5 years of engineering to scale up to 2048 bits, the problem is now - because you are generating encrypted content and traffic now that can be collected for future decryption. Thus you must change your algorithm now.

The main circumstance in which you could discount that argument is if the information would be worthless and obsolete by the time it can be decrypted. How many decades would that be? Obviously that is up to the owner of the information to assess - and up to someone else to guess whether it’s 5 years of engineering or 25 years of engineering.

And, I agree, the blog post lacks detail regarding how it relates to what Purism is actually doing.

4 Likes
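The exchange above turns on how attack cost grows with key size: exponentially under classical brute force, but only polynomially for RSA under Shor's algorithm, which is why going from a tiny key to a full-size one can be described as "just engineering" for a working quantum computer. The following is an added example, not code from the thread or from Purism, that carries the comparison through with deliberately simplified cost models (assumptions: exhaustive search costs 2^k trials, Grover's search about 2^(k/2) iterations, Shor on an n-bit modulus roughly n^3 gate operations on about 2n+3 logical qubits; real estimates vary by construction).

```python
import math

# Classical exhaustive search of a k-bit symmetric key: 2^k trials worst case.
def brute_force_trials(key_bits: int) -> int:
    return 2 ** key_bits

# Grover's algorithm gives a quadratic speedup on unstructured search:
# about 2^(k/2) iterations, which is why AES-128 is treated as ~64-bit
# against a quantum adversary and AES-256 is the recommended margin.
def grover_iterations(key_bits: int) -> int:
    return math.isqrt(2 ** key_bits)

# Shor's algorithm factors an n-bit RSA modulus in time polynomial in n.
# n^3 is a textbook-level simplification (assumption), not a tight bound.
def shor_gate_estimate(modulus_bits: int) -> int:
    return modulus_bits ** 3

# Logical qubits for Shor scale linearly with n; 2n+3 is one common figure
# (assumption; error correction multiplies this by a large constant).
def shor_logical_qubits(modulus_bits: int) -> int:
    return 2 * modulus_bits + 3

# How much harder is the big key than the small one under a given cost model?
def scaling_ratio(cost_fn, small_bits: int, big_bits: int) -> float:
    return cost_fn(big_bits) / cost_fn(small_bits)

# Table of the three models for the key sizes discussed in the thread.
def scaling_table(sizes=(22, 128, 256, 2048)) -> list[dict]:
    rows = []
    for bits in sizes:
        rows.append({
            "bits": bits,
            "brute_force_log2": bits,                      # log2 of 2^bits
            "grover_log2": bits // 2,                      # log2 of 2^(bits/2)
            "shor_gates": shor_gate_estimate(bits),
            "shor_qubits": shor_logical_qubits(bits),
        })
    return rows


if __name__ == "__main__":
    print("22-bit -> 2048-bit, brute force: 2^%d times harder"
          % int(math.log2(scaling_ratio(brute_force_trials, 22, 2048))))
    print("22-bit -> 2048-bit, Shor gates: ~%.0f times harder"
          % scaling_ratio(shor_gate_estimate, 22, 2048))
    for row in scaling_table():
        print(row)
```

The point the numbers make: the classical gap between 22 and 2048 bits is a factor of 2^2026, which no amount of engineering closes, whereas under the simplified Shor model the same step is under a million times more gate work on roughly a hundred times more logical qubits. That is the asymmetry behind both the "it's just engineering" reading and the harvest-now-decrypt-later concern; what remains genuinely uncertain is the engineering timeline, not whether the scaling is exponential.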

http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf

From: Chinese Scientists Report Using Quantum Computer to Hack Military-grade Encryption

Except it's a 22-bit key of a subset of the encryption algorithm. So it's both an unrealistically small key AND not the full algorithm.

As far as collected and stored for later decryption, that issue started over 20 years ago if your threat model includes governments with those kinds of resources. That concept of store for decryption later isn't new and has already been used to decrypt older encryption algorithms that have since been defeated with current compute capabilities.

My point being that’s not a new risk/threat and is not a problem “now” but has been a problem for decades.

2 Likes

So actually it is a problem now.

In theory you can run with “it has always been a problem” and it is not incorrect that it has always been a problem, just as for example MD5 is no longer considered an adequate hash at all, and SHA1 is on the way out. However there is a difference between the slow and steady march of Moore’s Law - 1 bit per 18 months - and the (no pun intended) quantum leap that a workable-at-scale QC would represent.

For information transmitted encrypted on the public internet using publicly known algorithms, there is no foolproof defence against collect-now-decrypt-later, so the best course of action is always to be on the leading edge, i.e. using new algorithms as they become available, so that the number of years between collect and decrypt is as large as possible.

1 Like