New Post: RIP RSA AES: The Immediate Need of Quantum-Resistant Cryptography

http://cjc.ict.ac.cn/online/onlinepaper/wc-202458160402.pdf

From: Chinese Scientists Report Using Quantum Computer to Hack Military-grade Encryption

Except it’s a 22 bit key of a subset of the encryption algorithm. So it’s both an unrealistically small key AND not the full algorithm.

As far as collected and stored for later decryption that issue started over 20 years ago if your threat model includes governments with those kinds of resources. That concept of store for decryption later isn’t new and has already been used to decrypt older encryption algorithms that have since been defeated with current compute capabilities.

My point being that’s not a new risk/threat and is not a problem “now” but has been a problem for decades.

3 Likes

So actually it is a problem now.

In theory you can run with “it has always been a problem” and it is not incorrect that it has always been a problem, just as for example MD5 is no longer considered an adequate hash at all, and SHA1 is on the way out. However there is a difference between the slow and steady march of Moore’s Law - 1 bit per 18 months - and the (no pun intended) quantum leap that a workable-at-scale QC would represent.

For information transmitted encrypted on the public internet using publicly known algorithms, there is no foolproof defence against collect-now-decrypt-later, so the best course of action is always to be on the leading edge i.e. in using new algorithms as they become available - so that the number of years between collect and decrypt is as large as possible.

1 Like

@Randy, @Randy, Please. Have you even read the abstract of that paper? 50 bits is nowhere near military grade. Improve yourself!

2 Likes

FWIW I don’t think Randy has logged into the forum except the first time to create the account.

@JCS seems to currently be the primary Purism employee that checks the forum with any consistency at the moment.

1 Like

@jonathon.hall has been quite active too, although they did not reply to the previous blog article about ML-KEM when mentioned by @JCS.

1 Like

Yes, you’re right, I’ve raised this internally suggesting to reword it to “a reduced form of military-grade encryption” or something to that effect.

I saw that sources describe it this way (including the one linked above). The abstract does say they factored 50 bit integers, and that news article suggests that there are limitations preventing it from applying to full size keys (e.g. not just money or scale).

Obviously as others have said, it’s on the brink though :scream:

Sorry, I must have overlooked that one, maybe went through it too fast in my email and marked it ‘read’ by mistake.

I did do the development to hook up our proof-of-concept Chatty with GPG encrypted Matrix messages to the current development release of GnuPG supporting PQC encryption. (I did not implement the crypto, all credit to the fine folks on the GnuPG team for that!)

Do you have any specific questions about it or just looking for some more info on how it works?

4 Likes

Personally I was looking for transparency from Purism regarding what Purism has done with regard to “We have already implemented ML-KEM and are actively integrating the technology throughout our product line.”

Sounds like a very different thing to me and it sounds like marketing getting out ahead of engineering and development, again.

3 Likes

Maybe you can directly answer the inquiry @todd-weaver failed to adequately address or acknowledge in my email conversation with them:

1 Like

Thanks @OpojOJirYAlG for the clear feedback. I’ve raised this internally as well. I agree with the message in the article, but it’s frustrating that these details detract from that message.

I appreciate Randy’s writing, I think he has the right message and is a good writer. The insufficient communication between development and marketing is my fault as well.

2 Likes

Sure. I’ll start with some basics to get us all up to speed.

As you know, post-quantum cryptography is cryptography designed to be resistant to quantum computers. While there aren’t yet quantum computers capable of breaking the algorithms in use today, as we’ve seen above it is close enough that this is a real threat - communications harvested today might be decrypted in the relatively near future.

NIST recently standardized three PQC cryptographic algorithms (August 2024):

  • ML-KEM (CRYSTALS-Kyber), an encryption method
  • ML-DSA (CRYSTALS-Dilithium), a signing method
  • SLH-DSA (Sphincs+), a second signing method

Two signing methods were standardized in case one proves vulnerable. You can sign data with both, so both algorithms would have to be compromised to forge a complete signature.

As these algorithms were very recently standardized, it will take some time before they are widely supported. This is not something you can enable in GnuPG today on your existing setup.

GnuPG 2.5.0 (a development release, not intended for production use), supports ML-KEM encryption. It does not yet support either signing method. The OpenPGP standard for using ML-KEM in PGP messages is not yet standardized, so it is possible that messages encrypted today will not interchange with production releases. (It does appear the drafts probably will not change much to the final, but there’s no guarantee.)

So what are some things you can do today?

  • If your threat model justifies it, research very recent releases or development versions of software you use for encryption. Remember that development versions may have caveats; these might be acceptable for your use case. (E.g. a power-side-channel attack today might be OK to have PQC encrypted data.)
  • If you are a developer, contribute to FLOSS to support these projects.
  • Support companies doing either of the above :slightly_smiling_face:

6 Likes
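
The dual-signing point in the post above, as an added example that is not part of the original post and is not GnuPG, ML-DSA or SLH-DSA code: a verifier that accepts a message only when both component signatures verify. As an assumption for illustration, the two schemes are stood in for by Lamport one-time signatures over SHA-256 and SHA3-256, and all function names are hypothetical.

```python
import hashlib
import secrets

# Stand-ins (assumption): two Lamport one-time schemes over different hashes.
SCHEMES = {"A": hashlib.sha256, "B": hashlib.sha3_256}

def bits(h, msg):
    d = h(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def keygen(h):
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    pk = [[h(s).digest() for s in pair] for pair in sk]
    return sk, pk

def sign(h, sk, msg):
    # Reveal one secret per message-digest bit (a key must sign only once).
    return [sk[i][b] for i, b in enumerate(bits(h, msg))]

def verify(h, pk, msg, sig):
    mbits = bits(h, msg)
    return len(sig) == 256 and all(
        h(s).digest() == pk[i][b] for i, (s, b) in enumerate(zip(sig, mbits)))

def dual_keygen():
    pairs = {n: keygen(h) for n, h in SCHEMES.items()}
    return ({n: p[0] for n, p in pairs.items()},
            {n: p[1] for n, p in pairs.items()})

def dual_sign(sks, msg):
    return {n: sign(h, sks[n], msg) for n, h in SCHEMES.items()}

def dual_verify(pks, msg, sigs):
    # AND-composition: every scheme must be present and must verify.
    return all(n in sigs and verify(h, pks[n], msg, sigs[n])
               for n, h in SCHEMES.items())

def forge_with_a_broken(sk_a, msg):
    # Models scheme A being fully broken: the forger holds A's secret key
    # but can only guess at B's component.
    return {"A": sign(SCHEMES["A"], sk_a, msg),
            "B": [secrets.token_bytes(32) for _ in range(256)]}

if __name__ == "__main__":
    sks, pks = dual_keygen()
    msg = b"constructed sample message"
    print("genuine:", dual_verify(pks, msg, dual_sign(sks, msg)))
    forged = forge_with_a_broken(sks["A"], b"forged")
    print("A-only forgery:", dual_verify(pks, b"forged", forged))
```

The property only holds if the verifier rejects a signature set with a missing component; accepting either signature alone would reduce security to the weaker scheme.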

Perhaps I’m missing what that message is intended to be. To me the primary message appears to be “The world is scary. We can protect you because we’re great, buy our products.” I would prefer messaging closer to “things are changing, there’s value in keeping up with the changes, here’s what we’re doing to keep up with and contribute to those changes, and here’s what we’re doing to differentiate ourselves.”

I don’t see how asking for more information to understand detracts from that, aside from detracting from “the world is scary” if those clarifications would be evidence against the assertion that the world is scary.

Asking for clarification on how Purism and Purism products can protect, isn’t detracting from that message as it should provide clarity and understanding in how and in turn bolster that message assuming the messaging is accurate.

4 Likes

I had seen this story commented on SOS by renowned cryptography expert Bruce Schneier, and also further read the linked article debunking this overblown media hype, which is basically a sensational story made for eye-catching headlines by ignorant journalists that don’t even know what they are talking about - mixing up AES/RSA, military-grade/public key cryptography and making very confused statements.
As to Bruce Schneier’s opinion on all this: No, The Chinese Have Not Broken Modern Encryption Systems with a Quantum Computer

Instead of having to write an entire article explaining why it is not true, he was glad someone else had already written one debunking the whole affair:

I feel sad that Purism has fallen into this trap of bad journalism and published what looks like a marketing post out of all this FUD. Purism SPC lately seems to have become more of an aggressive marketing company than anything else…

5 Likes

Just a random question … if you were Chinese government and you were making public that you had cracked, say, 22 bits only + subset of an algorithm, would you be disclosing your full capability? Wouldn’t it make sense to keep your public disclosures running behind your private capability? Wouldn’t it make sense to keep the enemy guessing?

It’s a fine line between boasting in order to achieve national prestige and giving the enemy free information.

1 Like

That would depend on how much credibility I would want to establish with my claims, along with propaganda, FUD, and various other factors. Attempting to solicit feedback against my threat model would be the main reason I would consider unclassifying information.

1 Like

Historically speaking, Chinese-backed entities tend to oversell their capabilities rather than undersell them. While past activity isn’t a guarantee of current nor future action, it can be used as part of the assessment of probability.

4 Likes

Once they are supported in software, will it be possible to continue using our existing Librem Keys or will they require new hardware?

3 Likes

The ZeitControl OpenPGP card used in the Librem Key does not support any of the post quantum cryptographic protocols, so unless either or both of them have firmware updates in the future, new hardware will be required to benefit from this development.

2 Likes

You realize that your post is all just speculation turned into a question.

No. They should assume that the NSA knows to within 3 or 4 bits. IMO, it’s only the public that doesn’t know and the amount of news media attention will get is well worth any divulgement of probably-already-known information.

1 Like

Well, there is an update process for NitroKeys, but the upstream tool only works on Windows and MacOS. Hopefully we can get some process that works on our machines in the future.

1 Like

Not for the Nitrokey Pro 2 and Librem Key with v0.10 and below:

1 Like