
Experimenting with Post-Quantum Cryptography - cramforce
https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
======
bradleyjg
As I understand it, the picture for symmetric encryption in a quantum
computer world is still relatively rosy. The key strength of something like
AES is halved, but with the important caveat that the difficulty is with
respect to quantum operations rather than classical operations and there's no
guarantee quantum computers will be able to scale as well over time as silicon
has. The situation for asymmetric encryption is where the real potential
trouble lies. Please correct me if I misunderstand the situation.

~~~
aruss
That's right, symmetric encryption is fine. You're also right that protocols
that rely on factoring or discrete log (more generally, any hidden subgroup
problem) will be broken by quantum computers. However, this still means
symmetric encryption is in trouble; namely in that we still need a post-
quantum method for exchanging keys, otherwise symmetric ciphers will be
virtually useless.

~~~
e12e
How about hashing - in particular wrt key derivation? Does anyone have some
insight there? Is it likely passphrase+salt+stretching might be in danger from
quantum attacks? (I also wonder if DNA/RNA based biologic computing (or
computing inspired by biology) might somehow change things around in terms of
guessing passwords or looking for hash collisions...)

~~~
indolering
Hashing is in a similar position in that we just need to increase the size.
Biological computing is (AFAIK) irrelevant to the speedups provided by quantum
mechanics.

~~~
e12e
> Hashing is in a similar position in that we just need to increase the size.

Size of hash, or number of iterations? Or either? And will it still be
"convenient security" available for those that "only" have classical
computers? (i.e. will we get away with "small" increases in size, and get to
keep (some of) our current speed?)

> Biological computing is (AFAIK) irrelevant to the speedups provided by
> quantum mechanics.

I didn't think otherwise. But they might be relevant to combinatorial
problems, and so relevant to security?

------
gfody
I discovered NTRU while searching for a fast alternative to RSA for asymmetric
encryption. It's said to be quantum resistant as well but I can only vouch for
its speed (it is very fast and served my purpose perfectly).

[https://github.com/NTRUOpenSourceProject/ntru-crypto](https://github.com/NTRUOpenSourceProject/ntru-crypto)

~~~
eximius
It is lattice based so the state of the art to attack it uses LLL lattice
reduction, I believe. I wrote a python implementation of both and, with pypy,
it is quite fast at encrypting and decrypting. The LLL reduction was rather
slow, but impressive that it could be done within a few minutes for some low-
rank lattices.

~~~
math_and_stuff
Alternating between tours of BKZ(50) and y-sparse enumeration is _much_
stronger. I have some BSD-d C++ implementations here:
[https://github.com/elemental/Elemental/tree/master/include/E...](https://github.com/elemental/Elemental/tree/master/include/El/number_theory/lattice)

------
tptacek
Are the TLS constructions they're using documented anywhere? Is this a
combination of Ring-LWE and, say, ECC, in case there are as-yet-unknown
implementation faults in Ring-LWE?

~~~
agl
We haven't written a spec because we don't intend for this to be widespread.
However, the spec would basically be: run both X25519 and NewHope
concurrently, concatenate their outputs and feed that into the TLS KDF as
normal.

It is indeed a combination of R-LWE and ECC because it doesn't yet seem
reasonable to depend on R-LWE alone. Not only because of the possibility of
implementation faults in NewHope, but also because of the possibility of
significant crypto-analytic advances against R-LWE, even with classical
computers.
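
The construction agl sketches above (run X25519 and NewHope, concatenate the two shared secrets, feed the result into the TLS KDF) as an added example; this is not BoringSSL's code and not code from the blog post. It implements X25519 in pure Python following RFC 7748 and uses HKDF-SHA256 as a stand-in for the TLS KDF. NewHope itself is not implemented here: the `pq_secret` argument is a constructed 32-byte placeholder standing in for the NewHope output that both peers would agree on, so the combiner and key schedule can be exercised offline.

```python
import hashlib
import hmac

# --- X25519 per RFC 7748 (Montgomery ladder, section 5) ---
P = 2**255 - 19
A24 = 121665
BASEPOINT = bytes([9]) + bytes(31)  # u = 9 encoded little-endian


def _decode_scalar(k: bytes) -> int:
    # Clamp the private scalar as RFC 7748 requires.
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    u = bytearray(u)
    u[31] &= 127  # ignore the unused top bit
    return int.from_bytes(u, "little") % P


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Return the 32-byte u-coordinate of scalar * u (constant structure ladder)."""
    k = _decode_scalar(scalar)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb) % P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_shared(priv: bytes, peer_pub: bytes) -> bytes:
    shared = x25519(priv, peer_pub)
    # RFC 7748 section 6.1: reject the all-zero output (low-order peer point).
    if shared == bytes(32):
        raise ValueError("X25519 produced all-zero shared secret")
    return shared


# --- HKDF-SHA256 (RFC 5869), standing in for the TLS KDF ---
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


# --- The hybrid combiner agl describes ---
def hybrid_secret(ecdh_secret: bytes, pq_secret: bytes) -> bytes:
    """Concatenate the X25519 output with the (placeholder) NewHope output.
    An attacker must break BOTH to learn the input to the KDF."""
    if len(ecdh_secret) != 32 or len(pq_secret) != 32:
        raise ValueError("unexpected share length")
    return ecdh_secret + pq_secret


def derive_key(combined: bytes, transcript_hash: bytes) -> bytes:
    prk = hkdf_extract(b"", combined)
    return hkdf_expand(prk, b"hybrid-x25519-pq " + transcript_hash, 32)


def hybrid_handshake(client_priv: bytes, server_priv: bytes, pq_secret: bytes):
    """Both sides compute the traffic key; returns (client_key, server_key)."""
    client_pub = x25519(client_priv, BASEPOINT)
    server_pub = x25519(server_priv, BASEPOINT)
    transcript = hashlib.sha256(client_pub + server_pub).digest()
    client_key = derive_key(hybrid_secret(x25519_shared(client_priv, server_pub), pq_secret), transcript)
    server_key = derive_key(hybrid_secret(x25519_shared(server_priv, client_pub), pq_secret), transcript)
    return client_key, server_key
```

Because the two shares are simply concatenated before the KDF, a break of R-LWE (or a bug in a NewHope implementation) leaves the session no weaker than plain X25519, which is the point of agl's "don't depend on R-LWE alone".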

~~~
NobleSir
Maybe this is a naive question, not knowing chrome well, but is the source
available? Would love to play around with this..

~~~
baby
[https://github.com/google/boringssl/blob/master/include/open...](https://github.com/google/boringssl/blob/master/include/openssl/newhope.h)

~~~
aseipp
and also
[https://github.com/google/boringssl/blob/master/crypto/newho...](https://github.com/google/boringssl/blob/master/crypto/newhope/newhope.c)

~~~
NobleSir
cool, thanks

------
DenisM
_a hypothetical, future quantum computer would be able to retrospectively
decrypt any internet communication that was recorded today, and many types of
information need to remain confidential for decades. Thus even the possibility
of a future quantum computer is something that we should be thinking about
today._

Uh-oh.

Apparently not even Perfect Forward Secrecy can protect against this:
[https://en.wikipedia.org/wiki/Forward_secrecy#Attacks](https://en.wikipedia.org/wiki/Forward_secrecy#Attacks)

------
epaulson
Are any of these algorithms suited for PGP signing replacements?

I'm interested in being able to make long term claims based on web-of-trust
models, and I've been nervous about basing it around RSA/DSA key pairs.

In that sort of world, what do the keys actually look like? Is it comparable
to being able to distribute a single public root key?

~~~
hannob
You may want to have a look at SPHINCS. Its security is based on hash
functions, therefore unlike most other post-quantum schemes it can be
considered very reliable (good hash functions are a solved problem these
days). Downside: signatures are big (~40k). For TLS this is unworkable, for a
PGP-like system this is doable.
[https://sphincs.cr.yp.to/](https://sphincs.cr.yp.to/)
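
To make concrete why a hash-based signature rests only on the hash function and why its signatures are large, here is a Lamport one-time signature over SHA-256, added as an example; it is not SPHINCS and not code from the SPHINCS project. The secret values are derived from a caller-supplied seed so the example is deterministic (an assumption for illustration; a real deployment draws them from a CSPRNG). SPHINCS builds a many-time, stateless scheme by arranging many one-time and few-time keys of this general kind under hash trees, which is where its ~40 KB signature size comes from.

```python
import hashlib
import hmac

N = 256  # bits of the message digest; one secret pair per bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def lamport_keygen(seed: bytes):
    """Secret key: N pairs of 32-byte preimages. Public key: their hashes.
    Preimages are derived from `seed` here only to keep the example reproducible."""
    sk = [[_h(seed + i.to_bytes(2, "big") + bytes([b])) for b in (0, 1)] for i in range(N)]
    pk = [[_h(x) for x in pair] for pair in sk]
    return sk, pk


def _digest_bits(message: bytes):
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def lamport_sign(sk, message: bytes):
    """Reveal, for each digest bit, the preimage matching that bit.
    ONE-TIME: signing a second message with the same key leaks preimages
    for both bit values and lets anyone forge."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != N:
        return False
    ok = True
    for i, bit in enumerate(_digest_bits(message)):
        # Verification is purely hash-preimage checking: no number theory involved.
        if not hmac.compare_digest(_h(sig[i]), pk[i][bit]):
            ok = False
    return ok


def sizes(pk, sig):
    """Return (public key bytes, signature bytes) to show the size cost."""
    return (sum(len(x) for pair in pk for x in pair), sum(len(s) for s in sig))
```

With SHA-256 the public key is 16 KB and each signature 8 KB, and that is for a single-use key; the hash tree machinery that turns this into a reusable scheme is what pushes SPHINCS toward the ~40 KB figure hannob mentions.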

------
DyslexicAtheist
very good talk by Daniel J Bernstein on PQC Hacks at the last 32C3 (certainly
separating reality/fiction and one of the best talks I have seen on the
subject):

- [https://www.youtube.com/watch?v=6XeBvdm8vao](https://www.youtube.com/watch?v=6XeBvdm8vao)

------
indolering
We need a lot more money being poured into PQC. The key sizes are enormous:
ECC requires 256 bits and these new schemes range up to 10KB. Say goodbye to
single packet key exchanges.

------
Poorboyrise
[weekend-senility.Modus:On] anecdotal ?

 _um_... when actual information must be _matched_

via "0" and "1" _harrumph 's_ principles... eerie _ahem_...

and the lever is relativeness... _zzz_... eh... using

stochastical methods to... _zzzz_ ...strategy... _zzz_

[slept away]

------
theandrewbailey
see also:
[https://news.ycombinator.com/item?id=12050028](https://news.ycombinator.com/item?id=12050028)

------
Trufa
> We explicitly do not wish to make our selected post-quantum algorithm a de-
> facto standard

Like so many other things in computer science history, that seems like a great
way to make it the de-facto standard.

~~~
Frank2312
If Google manages to prove it works and there are no better alternatives later
on, then it will probably become the de-facto standard.

However, the second condition seems to not be met if Google is right, because
they mention there are promising papers published.

> Since we selected New Hope, we've noted two promising papers in this space,
> which are welcome.

~~~
baby
There is also the fact that "as of now" efficient quantum computers capable of
breaking our crypto are fiction.

~~~
serendipitous
Yes, but if you want your sessions that are captured today to remain
confidential when quantum computers do become reality then you need to use
post-quantum key exchange methods today.

------
Retr0spectrum
Could someone replace the link with the non-mobile version?

[https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html](https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html)

~~~
bognition
just remove ?m=1 from the end of the url

~~~
Retr0spectrum
If 1000 people need to do that, the few seconds it takes quickly adds up.

It would be much easier if the original link was changed.

------
hackaflocka
Upvote for hearing "post-quantum" for the first time in my life.

I suspect Deepak Chopra is going to appropriate it soon enough.

~~~
andrewclunn
When you realize that your soul is already entangled with existence on a
quantum level, your consciousness can achieve post-quantum awareness...

~~~
hackaflocka
I would have lent a pithy rejoinder, but I don't want to incur further
wrath of the down-voters.

