52 comments

[ 2.7 ms ] story [ 120 ms ] thread
Which is why bulk collection is the problem — not today's figureheads.
I agree but then again it's hard to predict which (encrypted) data will be relevant in 15-20 years
The longer the key you are trying to generate, the longer this takes. Randy is trying to generate one that is ridiculously long. He has pointed out to Avi, in an encrypted e mail message, that if every particle of matter in the universe could be used to construct one single cosmic supercomputer, and this computer was put to work trying to break a 4096 bit encryption key, it would take longer than the lifespan of the universe.

"Using today's technology," Avi shot back. "that is true. But what about quantum computers? And what if new mathematical techniques are developed that can simplify the factoring of large numbers?"

"How long do you want these messages to remain secret?" Randy asked, in his last message before leaving San Francisco. "Five years? Ten years? Twenty five years?"

After he got to the hotel this afternoon, Randy decrypted and read Avi's answer. It is still hanging in front of his eyes, like the afterimage of a strobe:

I want them to remain secret for as long as men are capable of evil.*

Cryptonomicon!

What a tasteful reference on HN. Love that book.

A favorite of mine as well; I think theres a Shaftoe in a lot of us. For the uninitiated, it took me about 48 hours of reading to get through. The depth of Stephenson's side-stories and historic background are as captivating as they are numerous, to me it is emblematic of his writing style.
Literally just listened to this bit...
"quantum fear, uncertainty and doubt".
QFUD — it's a little hard to pronounce, but I like it.
This describes a special case; most data goes stale quickly.
The article offers no explanation about how adversaries are able to get the encrypted data in the first place. I'm not saying it's unlikely or that they shouldn't invest in quantum-proof cryptography for the future, but it would be nice to hear about some plausible ways that data is being "harvested now". I assume that nuclear weapon design secrets aren't floating around as encrypted files on the web. One possible idea I had is that adversaries are intercepting and saving HTTPS traffic between "interesting" targets.
-----BEGIN PGP MESSAGE----- isnt exactly hard to find.

That said it is slightly harder now most email isnt flying around in clear text just waiting to be scopped up.

API exfiltration is a common technique. One of the downsides of public APIs is that they're usually very enumerable on purpose. This leaks into how we design private APIs as well.

Others could be more traditional, like a dragnet that infiltrates common applications or exploits, then hunts for IAM credentials or a DB server.

Users checking tokens with public endpoints into repositories is also very common.

Also, the term is post-quantum cryptography. I don't think it can be declared quantum-safe or quantum-proof just yet.

> I assume that nuclear weapon design secrets aren't floating around as encrypted files on the web. One possible idea I had is that adversaries are intercepting and saving HTTPS traffic between "interesting" targets.

They're probably targeting communications, like those diplomatic cables Manning leaked. I'd assume top secret "design secrets" aren't transmitted. My understanding of spying is it's typically focused on gleaning information from sources a laymen would consider boring and/or useless. For instance, the NSA worked until 1980 to decrypt certain Soviet messages sent between 1942 and 1945 that re-used one-time pad pages:

https://en.wikipedia.org/wiki/Venona_project

Ironically, the most uncrackable communications today is probably diplomatic cables to enemies (like the "red phone" which is a misnomer), which uses one-time pad (technically hard drives now) encryption, mainly because they don't trust each others' encryption (or even sharing their encryption to their sworn enemy!) and cryptologists on both sides say that OT pads are perfectly uncrackable (which is true, assuming that no-one tampered the diplomatic box between i.e. the Pentagon and the Kremlin, for example).
> diplomatic cables to enemies (like the "red phone" which is a misnomer), which uses one-time pad (technically hard drives now) encryption, mainly because they don't trust each others' encryption

I don't think that's quite accurate. The Wikipedia article makes it sounds like the issue was more that they didn't want to give their adversary access to their encryption technology. In this context, OTP has the advantage of being both secure and not secret.

https://en.wikipedia.org/wiki/One-time_pad#Historical_uses

> The hotline between Moscow and Washington D.C., established in 1963 after the 1962 Cuban Missile Crisis, used teleprinters protected by a commercial one-time tape system. Each country prepared the keying tapes used to encode its messages and delivered them via their embassy in the other country. A unique advantage of the OTP in this case was that neither country had to reveal more sensitive encryption methods to the other.

Will quantum computers be able to hack the bitcoin algos in a decade?
Anything based on RSA, factoring primes, will be vulnerable. There are lots of forms of encryption which no quantum algorithm is known to process faster -- I believe elliptic key crypto is one. I don't know whether any cryptocurrency uses such alternative encryption schemes.
Sorry, factoring into primes. Factoring primes is easy. I can factor a million-digit prime myself by hand.
Quantum Computers solve ECDLP just as easily as factoring.
That seems exceedingly unlikely. I think it's more likely someone finds an efficient classical ECDLP (Elliptic Curve Discrete Log Problem) solver in 5 years...
On what basis do you think that the ECDLP will be solved in polynomial time in a classical context?

I would expect we will more likely have an error-correcting quantum machine sooner than the aforementioned. Given the pace Google et al are making.

We already have a quantum approach to solved ECC over finite fields, Shor's.

I don't think it will. But having quantum computers able to crack 256-bit ECDLP in only 5 years seems even more far fetched.
The US government has been after post-quantum-computing encryption for a while:

https://csrc.nist.gov/news/2016/public-key-post-quantum-cryp...

That's from 2016. It's wise to impute shady motives to US government encryption efforts in light of probable DES skulduggery, the Clipper chip, Dual_EC_DRBG, and all the Snowden-era revelations about "implants" and NSA intercepting and modifying hardware.

> It's wise to impute shady motives to US government encryption efforts in light of probable DES skulduggery...

Huh? Didn't DES use NSA-provided unexplained magic numbers that many people were highly skeptical of, but actually made it more secure against an attack that was not publicly known?

The NSA does a lot of things, many of them in opposition to other internal departments. The problem is that you don't know the agenda of each team there, sometimes for decades.
Ye it is kinda confusing having a spy agency also be the domestic data protection agency.
I bet they have pretty epic red/blue action, though.
DES also has parity bits believe to make it brute forceable. 56-bits of strength instead of the full 64
This is the definition of "invest in the future".
We should all be operating under the assumption that everything we type or say to an internet connected computer will one day be public and indexed to our name and face.
Better to assume it’s possible rather than likely. If you have motivated enemies they can do it already, you’d need to be worth the effort for them to want to attack you.
The funny thing is, I've got some data myself that was encrypted but have since lost the password, and would not mind unlocking with in however many decades that quantum key breakers are available to the general public.
Time for quantum resistant encryption algorithms?
What I'd like to know is what is the status of all those billions of dollars in crypto currency? That's quite an incentive to build a quantum computer if it would allow you to steal some of that money. And what's the legal status of breaking some encryption and stealing crypto currency? Is that even stealing?
For defense: They rotate to a quantum proof algorithm

For attack: custody is never provable in crypto, as in you can prove you own an account but you cant prove nobody else does. so a hacker can use that to their advantage. They can also delay rotation by carefully picking their targets and amounts, as all the victims will be victim blamed and not believed for a very long time so a quantum computer hack could exist for a long time unless a large theft was done. Its tricky because many power users will report unexpected thefts and the rumors will start quickly.

Why aren't they rotating now? Because it will only protect coins in new addresses. The old ones will still be vulnerable.
the attack vector is dubious

We are talking about deriving private keys from an address hash, which is already still improbable with quantum logic

There is also the idea of changing a signed transaction in flight before confirmation, which is the most probable

Or attempting to alter the state of a smart contract, which is less probable and needs consensus

Is there somewhere I can place a bet that within 10 years these things will be possible?
prediction markets suck with liquidity, you just have to invest in the company that would offer the ability to do it

there are just already lower tech ways to make billions getting other people’s crypto, and turning that into cash easily, assuming you even want state money

its just not worth it for the “aha! see only I could make this bet so accurately” gloat, right now

I've been thinking about this with relation to Bitcoin and Ethereum lately. I'm hopeful that a little-known Blockchain called Mochimo might have the answers--they seem to have prepared for the post-quantum computing age early by using WOTS (Winternitz One Time Signatures) in each transaction.