
Don’t Rush Quantum-Proof Encryption, Warns NSA Research Director - jonbaer
https://www.nextgov.com/emerging-tech/2019/11/dont-rush-quantum-proof-encryption-warns-nsa-research-director/161217/
======
Perseids
The whole premise of the article is broken:

1. Every respectable cryptographic protocol designer would hedge their bets
by combining a post-quantum cryptography (PQC) algorithm with a classical one,
preferably elliptic curve cryptography (ECC), such that you first have to
break ECC in order to attack the post-quantum cryptography. ECC is great in
that it is both fast and secure, and its signatures, ciphertexts and keys are
small. Every post-quantum algorithm fails in at least one of the categories,
but as ECC excels everywhere, the overhead is basically bound by a factor of
two.

2. Our focus can't be on choosing one PQC algorithm now (and keeping it
forever), as it is a very young field comparably (as the article agrees).
Instead, we need to build up _algorithm agility_ in our protocols and
software, as we are probably going to change PQC algorithms at least once,
when the cryptographic community has gained experience in PQC
design/cryptanalysis and we switch to the second wave PQC algorithms. In
practice that means: Never assume keys, ciphertext, signatures are small.
Investigate whether it is possible for keys to have _state_ (see Lamport
signature). And the only way to show these properties about protocols and
software _is to try out some PQC algorithms now_. (Why the urgency? Because
software and protocol turnaround time is bonkers in commercial applications.
Heck, parts of the payment industry still use single DES in 2019...)

Given that the NSA knows both of these, the question is whether the author was
clueless or the NSA spokesperson is malicious.
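
An added example (not from the thread or from any project): a Lamport one-time signature in Python, illustrating the two things the comment warns protocol designers about, that a key can carry _state_ (it must never sign twice) and that post-quantum keys and signatures can be far larger than ECC's. The message strings and the `LamportSigner` name are constructed for the demo.

```python
import hashlib
import secrets

N = 256                 # bits of the SHA-256 digest = number of key pairs
H = hashlib.sha256
SEED_LEN = 32           # bytes per private preimage


def keygen():
    """Private key: 256 pairs of random preimages. Public key: their hashes."""
    sk = [(secrets.token_bytes(SEED_LEN), secrets.token_bytes(SEED_LEN))
          for _ in range(N)]
    pk = [(H(s0).digest(), H(s1).digest()) for s0, s1 in sk]
    return sk, pk


def msg_bits(msg: bytes):
    """Digest of the message as a list of 256 bits, most significant first."""
    d = int.from_bytes(H(msg).digest(), "big")
    return [(d >> (N - 1 - i)) & 1 for i in range(N)]


class LamportSigner:
    """Private key plus the one piece of state a protocol must persist:
    whether it has already signed. Losing that bit (e.g. by restoring a
    backup of the key) turns a secure one-time key into a broken one."""

    def __init__(self):
        self.sk, self.pk = keygen()
        self.used = False

    def sign(self, msg: bytes):
        if self.used:
            raise RuntimeError("Lamport key already used; a second signature "
                               "would reveal more preimages")
        self.used = True
        # Reveal, for each digest bit, the preimage that matches that bit.
        return [self.sk[i][b] for i, b in enumerate(msg_bits(msg))]


def verify(pk, msg: bytes, sig) -> bool:
    """Each revealed preimage must hash to the public value selected by the bit."""
    if len(sig) != N:
        return False
    bits = msg_bits(msg)
    return all(H(sig[i]).digest() == pk[i][bits[i]] for i in range(N))


def sizes() -> dict:
    """Bytes a protocol has to carry (an ECC key or signature is ~32-64 bytes)."""
    return {"sk": N * 2 * SEED_LEN, "pk": N * 2 * 32, "sig": N * SEED_LEN}


def revealed_fraction(msgs) -> float:
    """Fraction of the 512 private preimages exposed by signing every message
    in `msgs` with the same key: exactly 1/2 for one message, about 3/4 for
    two different ones. This is why the key's 'used' state is security critical."""
    exposed = {(i, b) for m in msgs for i, b in enumerate(msg_bits(m))}
    return len(exposed) / (2 * N)


if __name__ == "__main__":
    signer = LamportSigner()
    sig = signer.sign(b"constructed message")
    print(verify(signer.pk, b"constructed message", sig), sizes())
```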

~~~
bdamm
My employer produces low-power devices with hardware cryptography built into
them. Without the crypto hardware, almost all crypto (including ECC) is too
slow for practical use. It's all well and good to have "crypto agility" but
that ends when it comes to depending on silicon. So if we're making our 20
year plan for, say, the next generation hardware platform that we're going to
invest many millions of dollars and thousands of engineer hours to build, then
which PQC algorithms will we select to be built into our platform? It's very
unclear at this point.

Certainly we can be flexible in key and cert sizes, but also I happen to live
in a world where a 1200 byte MTU actually matters a great deal, so it's easier
to just push the requirement for dealing with enormous certificates down the
road for the day when we actually have enormous certificates. Future-proofing
isn't an issue yet because legacy devices will _never_ be able to do PQC.

The premise is not broken at all, for us.

~~~
snagglegaggle
Is that a pertinent question? The availability of devices with integrated
cryptography is very, very low due to ITAR. Perhaps the only thing I have
encountered is a bluetooth controller.

Many things are not space constrained as they are cost constrained. It would
be easier to put in a core high power enough to get acceptable performance for
the one connection it needs to service.

It will be more expensive, probably in terms of development work. Will people
do it? Probably not, but people weren't doing security right anyway.

~~~
debatem1
This just isn't true.

Nearly every SoC you can buy today has hardware accelerators in it, from
STM32s up to Xeons. You have to be looking at really tiny, generally pretty
old micros before you literally don't have any.

On top of that, hitting hardware speeds by putting in faster cores just isn't
a thing for most parts. It's pretty easy to get 8-9x throughput wins on many
primitives with a hardware accelerator, but getting a similar improvement just
by getting bigger chips is often impossible and always expensive.

~~~
anon4242
> Nearly every SoC you can buy today has hardware accelerators in it

True, but few are full-featured HW acceleration SoCs. Most support a few
operations like for instance AES-ECB and maybe AES-CBC but if you want AES-CCM
or AES-GCM you still need to implement parts of it in software. The HW may be
super fast at ECB:ing many blocks of memory but the setup cost is steep so
when you need to ECB just a single block (for your counter in CCM) it buys you
very little performance gain over just ECB in SW. (Of course what you do then
is setting up several counters in a larger block of memory, after each other,
this is ok because the counters are just increments, and you ECB a bunch of
blocks. Next you need to solve how to do the same to get CBCMAC with just CBC
HW...)

~~~
debatem1
This is just moving the goalposts. First it was "crypto accelerators are rare
because ITAR", now it's "crypto accelerators are rare because they don't buy
you much". Neither is true.

Crypto accelerators are _extremely_ common, including those that implement
full cryptosystems or even complete protocols. Nearly every wireless part will
have them (especially for CCMP), as well as basically every modern+common
consumer device SoC (eg, all Qualcomm, Samsung, Apple, AMD, and Intel parts).
Several of these actually have overlapping accelerators for eg memory
encryption or wireless (full protocol) and acceleration instructions like
those for ARMv8. And they are there because they work.

Setup cost is a thing, but A) is largely paid when you rekey and therefore
rarely for most protocols, B) is acceptable in many protocols because you can
interleave other operations to prevent port contention without sacrificing
throughput, and C) is often buried by the cost of a very small number of
blocks, or even just one.

~~~
snagglegaggle
He didn't move the goalposts and usefully expanded on my point. Those devices
you're talking about notably adhere to other external standards and are not
typically user reprogrammable (where user is the integrator). Also important
is that I would not consider them secure in general due to the standards they
implement. You also certainly realize that their power consumption, when
present, massively dwarfs the type of processor we were first discussing?

By the time you get to the ARMv8 accelerators, yes, you're going to exactly
the same place I was arguing we should go with my original comment. There's
actually a number of primitives that could be reused for various systems.

~~~
debatem1
The original claim was that these parts were rare because of ITAR. They aren't
rare, and ITAR doesn't have much to do with where they're present or absent.
Shifting the argument to a different point about a specific accelerator or
specific class of parts is exactly as I said: moving the goalposts.

The question of whether they're user programmable or not is nearer to the mark
because EAR cares about it, but it still doesn't present a formidable
barrier-- at least, I've been shipping parts with crypto accelerators at
various levels of user configurability for a long time, and so has everybody
else.

------
cwmma
Don't rush to improve chicken coop, warns local fox

~~~
ledauphin
I feel like the irony here is that, assuming the director of the NSA is even
minimally self-aware, there's actually no way for me to know whether this is:

a) an attempt to prevent me from using encryption they can't yet break

- or -

b) reverse-psychology, assuming that a halfway intelligent person would guess
this was a case of A, therefore prematurely switching to an untested quantum
crypto that they might actually have an _easier_ time breaking.

and honestly, either way I'm left with no actionable information.

~~~
ENOTTY
Why not a third option, that the research director of the NSA is giving her
honest informed opinion?

~~~
tremon
Because that would be ignoring over 25 years of documented history.

------
hannob
Just a note that there's a relatively fail-safe way to avoid concerns about
rushing pqcrypto too soon: Just couple it with established crypto.

This is e.g. what Google is doing in all their pqcrypto experiments. They use
an elliptic curve key exchange combined with a post quantum key exchange. If
you don't make any really big mistakes you get at least the security of the
stronger of the two.

Given that elliptic curve crypto is really cheap such a combination will
probably be used for most post quantum schemes for a while.
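
An added example (not from the thread, and not Google's code): a hybrid key combiner in Python that derives one session key from a classical shared secret and a post-quantum shared secret, the coupling described above. The HKDF underneath is checked against the RFC 5869 test vector; the shared secrets and transcript are constructed stand-ins for X25519 and a PQ KEM output, and the label `b"hybrid session key"` is an assumption.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256."""
    return hmac.new(salt or bytes(HASH().digest_size), ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_selftest() -> bool:
    """RFC 5869 test case 1, so the KDF under the combiner is verifiably correct."""
    prk = hkdf_extract(bytes(range(13)), b"\x0b" * 22)
    okm = hkdf_expand(prk, bytes(range(0xF0, 0xFA)), 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def hybrid_key(ss_classical: bytes, ss_pq: bytes, transcript: bytes,
               length: int = 32) -> bytes:
    """Concatenation combiner. Both shared secrets go into HKDF-Extract,
    length-prefixed so their boundary is unambiguous, and the transcript
    (both parties' public keys and the KEM ciphertext) is bound in so the
    key belongs to this exchange only. Under the usual assumption that the
    extract step stays pseudorandom while any part of its input is secret,
    an attacker who recovers one secret (say the ECC one via Shor's
    algorithm) still faces a pseudorandom session key."""
    ikm = (len(ss_classical).to_bytes(2, "big") + ss_classical
           + len(ss_pq).to_bytes(2, "big") + ss_pq)
    prk = hkdf_extract(HASH(transcript).digest(), ikm)
    return hkdf_expand(prk, b"hybrid session key", length)


def demo() -> bool:
    """Constructed values stand in for an X25519 secret and a PQ KEM secret."""
    ss_ecc, ss_pq = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript = b"constructed: client_pk || server_pk || pq_ciphertext"
    key = hybrid_key(ss_ecc, ss_pq, transcript)
    both_sides_agree = key == hybrid_key(ss_ecc, ss_pq, transcript)
    # Knowing only one of the two secrets (simulated by a wrong other half),
    # or replaying the secrets under a modified transcript, gives a different key.
    ecc_only = hybrid_key(ss_ecc, bytes(32), transcript)
    pq_only = hybrid_key(bytes(32), ss_pq, transcript)
    other_session = hybrid_key(ss_ecc, ss_pq, transcript + b"tampered")
    return both_sides_agree and len({key, ecc_only, pq_only, other_session}) == 4


if __name__ == "__main__":
    print("hkdf ok:", hkdf_selftest(), "hybrid demo ok:", demo())
```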

~~~
ksaj
Eventually quantum computing will also be really cheap. I don't think it'll
take all that much time, given the amount of money and attention.

Thinking of security in layers, as you've suggested, is the way to go. Secure
communications has always been about being "too expensive" to decrypt in a
relevant time span.

Just because there's a new kid on the block, we need to keep our old friends
around.

------
JasonFruit
I have a hard time reading this with an open mind, because I mistrust the NSA
so much. That being said, the processes described in the article sound like
they will arrive at a fairly transparent (in a good sense), publicly-vetted
algorithm --- or at least one where it's easy to perceive if it's not
trustworthy.

I'm not sure, based on my conversations with people in the field, that I put
so much stock in the "20 years 'til Shor" prediction. Most seem to be of the
opinion that the best currently available encryption should be okay until
we're very old.

~~~
kick
NSA put (effective) backdoor in Dual_EC_DRBG:

[https://www.schneier.com/blog/archives/2007/11/the_strange_s...](https://www.schneier.com/blog/archives/2007/11/the_strange_sto.html)

Thread by someone directly involved on why the ISO rejected NSA ciphers in the
past (hint: they refused to justify design decisions, lied, and attacked the
credibility of people who had put out actually-secure crypto):

[https://twitter.com/TomerAshur/status/988696306674630656](https://twitter.com/TomerAshur/status/988696306674630656)

Either they're too incompetent to be trusted or are bad actors and should be
treated as such.

~~~
mrandish
> Either they're too incompetent to be trusted or are bad actors

I agree but am curious about one thing. If they aren't stupid won't they
realize it's a terrible idea to embed weaknesses in standards destined to
become so pervasive your own economy will rely on them (as well as your own
military/intel)?

Also, history virtually guarantees that your most secret secrets are
reasonably likely to become known to your adversaries and used against you
with catastrophic consequences? Even if they could entirely subvert the
standards process to plant their own backdoor that ends up everywhere, game
theory dictates they might be creating their own greatest future weakness.

~~~
kick
The military is still on unencrypted IRC, the dog has already been fucked for
years on that one. The economy doesn't really matter, and for any person they
deem does matter, they can just tell them under NSLs to use something that DJB
made, instead, if they even understand the difference between protocols to
begin with.

~~~
robertony
From what I'm aware, the military doesn't use IRC? IRC was inspired from
BITNET, which was used by the DoD briefly and not the military as a whole?
Military networks are encrypted at the network layer? User authentication is
enforced at the session and presentation layers?

~~~
kick
[https://www.duffelblog.com/2012/10/wikileaks-releases-mirc-t...](https://www.duffelblog.com/2012/10/wikileaks-releases-mirc-transcripts-from-afghanistan/)

------
strictnein
In 15-20 years I really hope a book comes out about the NSA's quantum
computing work in this decade. I'm immensely curious to know how far they
are/are not ahead of the Google/IBM/D-wave crowd.

They pretty obviously haven't recreated the magical chip from Sneakers yet (I
think), but are they close? Or maybe they are there, but they have to be so
very careful with how they use it so not to reveal its existence?

Or maybe they're far enough along to realize that's not a thing that can be
built in this century?

~~~
randomsearch
Indeed. The probability of government agencies not at least seriously
considering a “Manhattan project” for quantum is zero.

But it’s a different situation from the 40s in many ways, consider this:
quantum machines could potentially revolutionise several fields, including
medicine. So by keeping an advanced machine secret (whether it has arrived or
in the future) could be passing up the opportunity to save millions of lives.
It’s a hell of a moral judgement call to make. I’d go so far as to say that
any intelligence advantage is just not worth the trade off. You’d have to find
some way to share that technology. If your hypothetical book emerged, it’d be
fascinating to see how it is justified.

~~~
kelnos
I think it's entirely plausible (and likely) that the US intelligence agencies
would keep life-saving technologies secret if other uses of that tech would
give them an edge in intelligence-gathering.

------
eternalny1
So, the NSA, who intentionally compromised NIST with bad crypto proofs, is now
warning NIST not to make better crypto, in the name of "security".

~~~
pera
Where did you read that? The only thing she says is to wait for the
competition to end (by 2022):

> _“It's very important that people wait for NIST to do its due diligence,”
> Frincke said._

This is the standard process.

~~~
CrazyStat
The NSA, who have a history of feeding NIST intentionally compromised crypto
algorithms, suggest we need to wait to hear what NIST recommends?

How very fucking convenient.

~~~
pera
It's a totally different ball game though: this isn't about NIST recommending
a shady algorithm with mysterious parameters, this is about a well-known
standardization process that accepts submissions from cryptographers all
around the world where anyone can review the proposals and make comments.

I don't care what they end up selecting as the winner (and to be honest, I'm
so ridiculously paranoid that I don't trust Keccak, for instance), I just
think that having a competition where everyone is spending all their energy
on looking for flaws in the other candidates is a great thing.

Next year China will announce a similar standardization process. Do I trust
China? Of course not, but I really welcome this initiative anyway.

------
staticassertion
I think the key quote is this:

> "Shor's algorithm is the attack that was developed in the absence of a
> quantum computer,” Frincke said. “It's hard to predict what people will
> actually do with one."

Once QC actually manifests we may find new properties and new approaches to
attacking existing algorithms, and being 'quantum hard' before that point is
impractical.

I'm not a cryptographer by any means, so I have no idea if this is actually
the case. Perhaps we understand the fundamentals so well that we can truly say
an algorithm today can hold up in a QC world - I have no idea, that certainly
sounds bold, but we do already have purported 'quantum hard' algorithms.

~~~
helen___keller
> Perhaps we understand the fundamentals so well that we can truly say an
> algorithm today can hold up in a QC world - I have no idea, that certainly
> sounds bold, but we do already have purported 'quantum hard' algorithms.

We don't have any theoretical proof that we can even encrypt against
_classical_ computation. It's still technically an open problem if P=PSPACE
(as well as P=NP). All encryption (quantum or not) would be broken if we could
effectively solve PSPACE-hard problems.

So really, nobody can truly say any encryption can hold up anywhere. But we
still usually have a good idea of the truth of things simply based on
empirical evidence - we don't think anybody is proving P=NP, much less
P=PSPACE. We don't think people are going to crack our best classical
encryption without brute force.

There's not as much empirical evidence that our current quantum encryption
will hold up, which is the point of the assertion "it's hard to predict what
people will actually do [with shor]"

------
bitwize
The NSA: Don't rush building quantum proof encryption guys. Might want to take
your time, make sure you _really_ get it right. Could take years to prove it
out. Maybe decades. (Psst, Joe, when will the quantum brute-force crackers be
ready? How soon can you get them online?)

~~~
andymockli
Joe: 2009.

------
JackRabbitSlim
I realize this is just the broken clock being right twice a day but the fact
that we give the NSA _any_ credibility of _any_ kind is truly mind boggling.

Would you use YubiKey _ever_ again after they got caught putting keyloggers
into one model? That's what the entire security community does every time they
so much as entertain anything the NSA says.

~~~
thephyber
> That's what the entire security community does every time they so much as
> entertain anything the NSA says.

[Morpheus Meme] What if it doesn't matter what the NSA publicly says, but what
it quietly does and which universities+researchers it funds?

------
Havoc
Hey NSA. You still on top of those backups you were making for me? Might need
some of that data back soon...duplicati has been spitting errors

~~~
eternalny1
Send an email to the admins at the Utah Data Center. They have it.

[https://en.wikipedia.org/wiki/Utah_Data_Center](https://en.wikipedia.org/wiki/Utah_Data_Center)

------
gautamcgoel
"The cybersecurity community is already hedging its bets against a future when
digital secrets are knowable to anyone with the right hacking chops and a
couple dozen qubits."

What a bunch of journalistic bunk. All QC researchers I know say it will take
at least thousands of logical qubits to break RSA. Given the large number of
physical qubits required to produce one logical qubit using quantum error
correction, this might entail millions of physical qubits, well beyond our
current technology - and way more than "a couple dozen qubits".

------
brobinson
Can we start a Gofundme or Kickstarter or something to get 24/7 bodyguards for
DJB? We gotta keep this dude alive.

------
ksaj
Of course NSA would have this opinion. They depend on you believing it so they
don't have to buy the newest D-wave or whatever.

If we adopted properly encrypted communications back in the 90's (when others
were also trying to pretty much illegalize it), nobody would be complaining
about speed today.

The problem is, everyone ignored encryption ("I've got nothing to hide!") and
now that they're learning that they actually do need it, they're not willing
to accept the drop in speed it would entail. Everything up to now has been
sold based on how much faster it is. Security is still hindsight, and the
perception of even slightly slower bandwidth infuriates people for no real
reason besides.

NSA is up to its same old predictable game. They rely on public laziness and
fixation on shiny new things.

------
segfaultbuserr
It was the NSA who shocked [0] the world of cryptography by announcing
_"elliptic curve cryptography is dead under the threat of quantum computers, we
must move to Post-Quantum Cryptography ASAP and encourage its development."_
(common knowledge, uncontroversial), _"therefore, if you are running a legacy
system which had not yet upgraded from RSA to ECC, you should not bother to do
so, and instead should save money for the future upgrade to post-quantum
protocols."_ (WTF? Most people thought the threat of quantum computers is
serious, but ECC should be good for another ten years, and one should
definitely upgrade to ECC; also, it's worth revising the ECC standard to
include newer curves).

> _In August 2015, the U.S. government’s National Security Agency (NSA)
> released a major policy statement on the need to develop standards for
> post-quantum cryptography (PQC). The NSA, like many others, believes that the
> time is right to make a major push to design public-key cryptographic
> protocols whose security depends on hard problems that cannot be solved
> efficiently by a quantum computer. The NSA announcement will give a
> tremendous boost to efforts to develop, standardize, and commercialize
> quantum-safe cryptography. While standards for new post-quantum algorithms
> are several years away, in the immediate future the NSA is encouraging
> vendors to add quantum-resistance to existing protocols by means of
> conventional symmetric-key tools such as AES. Given the NSA’s strong
> interest in PQC, the demand for quantum-safe cryptographic solutions by
> governments and industry will likely grow dramatically in the coming years.
> Most of the NSA statement was unexceptionable. However, one passage was
> puzzling and unexpected:_

> _“For those partners and vendors that have not yet made the
> transition to Suite B algorithms, we recommend not making a significant
> expenditure to do so at this point but instead to prepare for the upcoming
> quantum resistant algorithm transition.... Unfortunately, the growth of
> elliptic curve use has bumped up against the fact of continued progress in
> the research on quantum computing, necessitating a re-evaluation of our
> cryptographic strategy”_

> _The NSA seemed to be suggesting that practical quantum computers were
> coming so soon that people who had not yet upgraded from RSA to ECC should
> not bother to do so, and instead should save their money for the future
> upgrade to post-quantum protocols._

> _Shortly thereafter, the NSA released a revised version in response to
> numerous queries and requests for clarification. The new wording was even
> more explicit in its negative tone on the continuing use of ECC:
> “...elliptic curve cryptography is not the long term solution many once
> hoped it would be. Thus, we have been obligated to update our strategy.”
> Although other parts of the statement assured the public that ECC was still
> recommended during the time before the advent of practical quantum
> computers, the overall impression was inescapable that the NSA was
> distancing itself from ECC._

> _In addition, people at the National Institute of Standards and
> Technology (NIST) and elsewhere have noticed that the NSA has not been
> taking an active part in discussions of new curves to replace the NIST
> curves that were recommended for ECC in 1999. The PQC announcement suggests
> that the NSA has no interest in this topic because it now views ECC as only
> a stopgap solution. The statement in fact advises against “making a
> significant expenditure” to upgrade to any of the Suite B algorithms, let
> alone to any new ECC standards using updated curves. Even industrial and
> government users who are using antiquated protocols should just sit tight
> and wait for post-quantum standards. This caught many people by surprise,
> since it is widely believed that ECC will continue to be used extensively
> for at least another decade or two._

Later, NSA ordered the NIST to start the PQC competition - which I think is
good for driving further development of PQC.

But now, NSA research director is telling us "don't rush"? It doesn't make
sense.

[0] See the exceptionally good paper by Koblitz, et al.
[https://eprint.iacr.org/2015/1018.pdf](https://eprint.iacr.org/2015/1018.pdf)

~~~
strictnein
I think the main thrust of the article is just that she feels that we should
let the NIST process play out which means we're looking at no recommendations
until 2022.

I'm not real familiar with the field, but it wouldn't surprise me if there are
vendors out there selling "Quantum proof encryption" which actually isn't, and
maybe she has some insight into that and is trying to warn people away from
it, without revealing anything specific.

~~~
segfaultbuserr
> _vendors out there selling "Quantum proof encryption" which actually isn't,
> and maybe she has some insight into that and is trying to warn people away
> from it, without revealing anything specific._

There are. Okay, so it seems that the NSA is just here to warn people about
the snake-oil, makes sense.

------
blaser-waffle
"We already have it, and we don't want you to compete with us" -NSA, probably

------
alexnewman
I to this day think quantum proofing of encryption will greatly weaken
whatever upstream its use

------
aplacelikethis
"Don't depend on bleeding-edge software exclusively."

------
mleonhard
The only guaranteed safe post-quantum crypto is the one time pad.

------
kd3
I'm a simple man. I see an algorithm backed by djb, I use it.

------
voldacar
Hahahahah of course the NSA research director doesn't want people to start
using quantum-resistant algos. What this says about their quantum capability
is left as an exercise to the reader ;)

------
NatoshiSakimoto
There's never been a perfectly secure lock in all of history, thousands of
years of it. What makes modern day humans think that one can exist in digital
form? I think there is a direct connection to the laws of physics somewhere.

~~~
strangecasts
> What makes modern day humans think that one can exist in digital form?

...Shannon's[1] work showing that the one-time pad maintains perfect secrecy?

[1]
[https://ieeexplore.ieee.org/document/6769090](https://ieeexplore.ieee.org/document/6769090)

~~~
NatoshiSakimoto
copied from Reddit

No, when properly implemented, it can not be broken. "Properly implemented"
pretty much implies a paper version where there are only two copies of any pad
page, and both are immediately destroyed after use.

Computerized versions share the same vulnerabilities as the computer it is on.
It can't be "cracked", per se, but there are side-channel attacks that can be
effective.

Here is a paper by Dirk Rijmenants which explains it in the context of Cuban
spy communications:
[http://users.telenet.be/d.rijmenants/papers/cuban_agent_comm...](http://users.telenet.be/d.rijmenants/papers/cuban_agent_communications.pdf)

I've experimented with generating them manually, using 10-sided dice to
generate the code groups and an old manual typewriter (not electric!) with a
very used cloth ribbon and 2 part carbonless forms. Works pretty well, and
once you get into a rhythm you can make a considerable amount of key material.
I just grabbed some random 10-sided die at the local gaming store, but if you
were serious about it, I'd get Game Science 10-sided die:
[http://www.gamesciencedice.com/Gamescience-White--d10--Ten-s...](http://www.gamesciencedice.com/Gamescience-White--d10--Ten-sided-die--Plain-_p_53.html)

~~~
qw3rty01
You're saying we shouldn't spend time to make sure the algorithm is
mathematically sound...because the implementation will have side channels?
Using your metaphor, that's like saying we should never bother designing a
secure lock because someone will just break a window to get in anyway.

