
The Day When Computers Can Break All Encryption Is Coming - gnicholas
https://www.wsj.com/articles/the-race-to-save-encryption-11559646737
======
DanielBMarkham
Something to remember: One-Time Pads are unbreakable, and as storage costs
continue to drop, there are certainly many scenarios where they could be used
and never cracked.

Think about it. How much actual secure data do you and your bank need to
transfer back and forth? Certainly not web UI elements or site chrome. For
each use of your online account, there's probably 3 or 4k max actual data that
you need to be secure. Your bank could mail you a 1GB random noise file,
perhaps a backup, and you two could communicate for the rest of your life
without any fear of anybody understanding what you're saying.

I understand that there's an entire e-commerce ease-of-use scenario where
secure communications becomes mission-critical. And I'm certainly not
suggesting to replace all secured comms. My only point is that there are parts
of this problem that are very tough and there are parts of this problem that
we have made more difficult than it has to be simply in an effort to
standardize and abstract everything.

~~~
QuicksilverJohn
The problem with this method is that it requires a side channel. This is the
real beauty of public key cryptography, you can negotiate a secure channel
over an open channel. (*Authentication sold separately)

~~~
rini17
I don't get why this argument is used so often as if it was valid. Setting up
a banking account and many other things require a secure side channel anyway -
physical presence :)

~~~
brokenmachine
The last bank account I registered was done completely online, except for the
physical card being mailed to me.

------
surelyyoujest
There is some cognitive dissonance in associating what after more than 30
years is currently, for all purposes still a Sci-Fi concept and Cryptography.

After billions spent and decades of no progress, this is the same repeated
article that has been rewritten every other year hyping about the promises of
what, for all purposes, is currently expensive vaporware.

~~~
TazeTSchnitzel
Quantum computers that can do fast factorisation have been demonstrated, they
just haven't yet been able to factor large enough numbers to be dangerous.

~~~
credit_guy
> they just haven't yet been able to factor large enough numbers to be
> dangerous.

According to [1], the current highest factorization using Shor's algorithm is
21=3 * 7 published in 2012, up from the 15=3 * 5 that was demonstrated in
2001. This pace is not all that promising.

Sure, there are other quantum factorizations, but they are either stunts (work
only for very narrow classes), or are based on a different algorithm than
Shor, which does not show hope to scale up.

[1] https://crypto.stackexchange.com/questions/59795/largest-integer-factored-by-shors-algorithm?noredirect=1&lq=1

~~~
todd8
Your 3 * 7 and 3 * 5 got interpreted as a highlighting of the text surrounded
by the asterisks. You can edit your comment to fix it. Here are the complete
HN markup rules:

Blank lines separate paragraphs.

Text surrounded by asterisks is italicized, if the character after the first
asterisk isn't whitespace.

Text after a blank line that is indented by two or more spaces is reproduced
verbatim. (This is intended for code.)

Urls become links, except in the text field of a submission.

~~~
credit_guy
Many thanks, updated.

------
supermatt
Is there a single practical example of a real world problem being solved by a
current quantum computer? All the talks I have seen involve a lot of hand
waving and talk of the future. I’m very skeptical that these capabilities are
around the corner.

~~~
orbifold
Yeah a couple of related problems in fact: You are a professor and working on
cold quantum gases, synthetic quantum systems, ... and can semi-plausibly
claim that this has applications to quantum computing: Problem solved, you
will get a whole bunch of funding. You found a bunch of linear algebra
algorithms and they use unitary matrices: Problem solved, funding secured.

It is also a good buzzword prefix: Just prepend Quantum to any word and
immediately get funding (See the recently 1 Billion Euro funded EU quantum
initiative).

In this respect it has similar applications as Neuro-something: A great way to
get funding for a few years. (See Human Brain Project)

------
alkdfsAFD94
https://en.wikipedia.org/wiki/Post-quantum_cryptography

------
amelius
Not a crypto expert, but wondering if we could make a classical encryption
function where every bit of the output depends nontrivially on every bit of
the input, so a long message would be harder to decrypt, even for a QC.

(First hashing the input counts as trivial because that would reduce the
effective number of bits)

~~~
dogma1138
Some ciphers use this method; it’s not the problem.

QC isn’t going to break all crypto: traditional symmetric ciphers are safe, and
one of the simplest classical ciphers, a one-time pad, is still the safest
method of encryption when it’s done correctly.

QC may break some asymmetric encryption which relies on factoring numbers.

Asymmetric encryption is on some level security through obscurity as you
publicly display a key from which your encryption key can be mathematically
derived and you rely solely on the fact that it’s a very hard thing to do.

But as far as classical encryption goes, XORing a message against a random
number of bits equal to the message length would always be secure, especially
for long messages; the problem is that it ain’t very practical.

That said however we do have QC resistant key exchange and signature
algorithms so I don’t think there is that much reason to panic.

I’m pretty sure you can still find 1024-bit and lower RSA key systems still in
use; arguably these are less secure today than 2048- and 4096-bit RSA keys will
be during the first years of a post-QC world.
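Both DanielBMarkham's bank scenario at the top of the thread and the "XOR against random bits equal to the message length" description just above are the same construction, so here is one added example covering both; it is my code, not anything from the commenters. It assumes the two parties already share an identical pad file (the mailed 1GB file in the first comment) and that each message carries the pad offset it used. Besides the round trip it shows the two properties a practitioner has to design around: pad bytes reused for a second message cancel out and expose the XOR of the two plaintexts, and, as QuicksilverJohn notes, authentication is sold separately, so a one-time pad on its own lets an in-transit bit flip land in the plaintext undetected.

```python
import os
from typing import Tuple


def generate_pad(length: int) -> bytes:
    # The pad must be random and shared out of band (mailed on media, say).
    # os.urandom is a CSPRNG; a textbook OTP wants a true-random source.
    return os.urandom(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class PadCursor:
    """Sender-side bookkeeping: consume the shared pad strictly forward
    so that no pad byte is ever used for two messages."""

    def __init__(self, pad: bytes, offset: int = 0):
        self.pad = pad
        self.offset = offset

    @property
    def remaining(self) -> int:
        return len(self.pad) - self.offset

    def encrypt(self, plaintext: bytes) -> Tuple[int, bytes]:
        """Return (offset, ciphertext). The offset tells the peer which
        pad bytes were used; it is not secret, only the pad is."""
        n = len(plaintext)
        if n > self.remaining:
            raise RuntimeError("pad exhausted: stop sending rather than reuse bytes")
        start = self.offset
        key = self.pad[start:start + n]
        self.offset += n          # advance so these bytes are never used again
        return start, xor_bytes(plaintext, key)


def decrypt(pad: bytes, offset: int, ciphertext: bytes) -> bytes:
    """Receiver side: same XOR with the same pad slice."""
    key = pad[offset:offset + len(ciphertext)]
    return xor_bytes(ciphertext, key)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """If two messages were XORed with the same pad bytes, the pad cancels:
    c1 ^ c2 == p1 ^ p2. Nothing secret was needed to compute this, which is
    why 'one-time' is the whole security argument."""
    return xor_bytes(c1, c2)


def malleability_demo(pad: bytes, offset: int, ciphertext: bytes, delta: bytes) -> bytes:
    """OTP gives secrecy, not integrity: XORing delta into the ciphertext
    XORs the same delta into what the receiver decrypts. Returns the
    receiver's plaintext after such an in-transit modification."""
    return decrypt(pad, offset, xor_bytes(ciphertext, delta))


if __name__ == "__main__":
    # Constructed demo: a small pad standing in for the mailed 1GB file.
    pad = generate_pad(4096)
    sender = PadCursor(pad)
    off, ct = sender.encrypt(b"transfer 100 to savings")
    print(decrypt(pad, off, ct), "pad bytes left:", sender.remaining)
```

A deployment would also need to persist the cursor on both sides (a crash that forgets the offset is how reuse happens in practice) and to append a MAC keyed from further pad bytes or a separate key, since the malleability shown above is exactly the kind of thing a bank cannot tolerate.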

~~~
amelius
> That said however we do have QC resistant key exchange and signature
> algorithms so I don’t think there is that much reason to panic.

Interesting. Then shouldn't we (and PR people involved in QC) stop focusing on
the cryptographical capabilities of QC, and start focusing on its other
potential applications, like protein folding? Until now in the media, it seems
like QC is synonymous with crypto ...

~~~
dogma1138
Well depends on what your threat model is.

If it’s criminals stealing your passwords then it would take decades after QC
until it would become universal enough to be a problem, by then likely current
traffic would not be affected.

If it’s state level actors then you might be in a bigger bind.

If we take the NSA for example today there isn’t a single cryptographic system
they can’t compromise.

And I’m using the term system intentionally as the NSA can’t break 4096bit RSA
or AES or any other competent cipher.

They can and do break cryptographic systems on a daily basis by compromising
the hardware, software and people which the system relies on.

But this is a very targeted and costly operation which means that general
internet traffic isn’t looked at because it’s not worth it.

However if they also capture encrypted traffic and store it indefinitely as
most key exchanges today are not necessarily QC resistant they could
potentially go back and decrypt all that traffic.

This is why while the house is not on fire I think there is value in pushing
post-QC ciphers sooner rather than later.

And even if the NSA can be kept in check we have little control over Russia
and China and the list of actors capable of operating at large enough scales
for this to be a problem grows bigger every day.

~~~
faissaloo
Just pointing out that the NSA have had plans to build a quantum computer, not
sure where they got with it

~~~
dogma1138
OFC they will, it would be criminally negligent of them not to.

However if the NSA is currently your adversary and you are worried about being
targeted, then pre-QC or post-QC encryption isn't going to matter; if push comes
to shove they'll beat it out of you.

But as I said if the NSA or any other agency is currently capturing and
storing encrypted data they can't afford to decrypt via targeted means they'll
be able to retroactively decrypt it if they do manage to build a quantum
computer and quantum supremacy would be a definite thing.

But right now there isn't an encryption the NSA can't break as long as there
are people and additional assets involved in the process.

In fact I would bet that for targeted attacks it would still be easier to
bribe, raid/hack the server farm or beat the snot out of someone in a black
site than to use a quantum computer for quite a while after these things would
become a reality to factor the RSA private key corresponding with the key
exchange of the traffic you want to decrypt.

------
bayareanative
No classical functions _as they exist now without added strengthening_ will be
able to secure secrets against QC for long. OTOH, classical computing is
reaching the limits of Moore's law, so barring process and fab cost
reductions, CC ASIC costs will approach stability. If one wants to secure
secrets without traditional digital logic (CC), it would get pricey, awkward
and/or slow. I think we'll have to gradually keep looking more closely at cost
to crack functions (i.e., GPU, ASIC, classical and q computation) much closer,
in the spirit of scrypt and argon2. Zillions of rounds (i.e., adding orders of
magnitude in existing implementations) of AES or SHA3 may be the tradeoff
needed to thwart QC collisions / breakage with reasonable attacker costs &
timeframe goals.

~~~
AgentME
Isn't AES-256 safe from quantum computers? I thought it was mainly asymmetric
encryption that's completely breakable with quantum computers.

~~~
tootahe45
Not if your key is sent in the clear protected by asymmetric encryption.

~~~
tialaramex
However, in practice modern systems do ephemeral DH key agreement. Now, Shor's
algorithm can be brought to bear on DH as well, but it ratchets up your costs
because now you're attacking every single connection individually.

Suppose, miraculously, that you have a Quantum Computer which breaks any
modern asymmetric crypto for $1M in one hour. That's very impressive, but you
won't use it to snoop on somebody's Google searches, that's $1M and an hour
per search. "Big booobs", an hour and $1M later, "Big boobs" (ah, that first
one was a typo), another hour, another $1M, "Bigger boobs". Not practical.

You _could_ attack the signature algorithm, allowing you to sign messages "as
Google" and MITM connections but that's an active attack so it will have very
poor deniability. Not a problem if you're the SVR or Mossad, deniability was
never part of your mandate anyway, but awkward for the NSA or GCHQ whose
governments prefer not to admit what they're up to. And lack of deniability is
very awkward if you're organised crooks, that's going to get you banged up.

------
zeristor
Perhaps I’m showing my ignorance, but isn’t elliptic curve cryptography
different?

~~~
dvdkhlng
No, elliptic curve cryptography is not different, as it is based on the
discrete logarithm problem [1].

That said, quantum computer resistant cryptography does exist, but is not
currently in wide-spread use for various reasons.

[1] https://en.wikipedia.org/wiki/Post-quantum_cryptography

------
SAI_Peregrinus
All current public-key encryption, and short-key private-key encryption yes.
XChaCha20-Poly1305 will still be safe. AES-256 (in an appropriate
authenticated mode of operation and side-channel free implementation) will
still be safe.

As for public-key encryption there are as-yet standardized algorithms that are
likely secure. They're just slow. The NIST standardization should wrap up
decades before any practical quantum computer is created, giving plenty of
time to add some of these as options in protocols.

------
SanchoPanda
I can't get over the picture in the middle. Why is the intercepting computer a
turret? Why is the secure bank on a slanted platform? I can just picture a
meeting of the graphics team with facepalms and groans all around at having to
come up with "something".

------
boyter
In the race between arms and armor, arms have always won. I wonder if the
reverse is true in crypto. Will crypto always evolve to be one step ahead, or
make a massive leap such that it will be multiple steps ahead.

------
hestefisk
What about quantum encryption? Shouldn’t that theoretically be unbreakable?

~~~
nabla9
Theoretically yes, but it's impractical and expensive.

Verifying classical hardware and removing side channels is hard enough.

------
wakkaflokka
I store moderately sensitive files in VeraCrypt containers. Are there
post-quantum encryption algorithms on the roadmap for this type of storage
software?

~~~
Laforet
I don't see any urgent need for a better symmetric cipher as AES-256 is likely
to be sufficient in the foreseeable future.

------
neonate
[http://archive.is/Z0iJd](http://archive.is/Z0iJd)

------
tomglynch
"We're sorry, but this URL is not supported by Outline" - have Outline made a
deal with WSJ to not bypass their paywall?

~~~
DennisP
Currently WSJ articles can be read by appending "?mod=rsswn" to the URL.

------
sbhn
It's not here yet. I'm surprised the problem wasn't already solved with ai/ml,
big data, and blockchain. I think the problem personally is the sheer amount
of ram that is needed and the ram ain't ever gonna be fast enough to fill the
buffers or to access. But it will be solved, soon I'm sure.

Gee, are all the down votes because of the issue that quantum computers will
have with random access memory?

