You mean on some days it goes faster and some other days slower?
That is by design. It depends on how much other people are using their services right now and they do communicate it somewhere in the TOS that they do this. Otherwise they could give us a fixed amount of tokens - but they don't because it is not fixed.
I dunno, I find it extremely unbelievable that we will get self-improving AGI which chooses to become a slave to humanity at all, ultra rich or otherwise.
Not the parent, but I have a teammate who stunned me when, after a long back and forth texting that seemed out of character for them (I can be a fast & long texter, admittedly), sent me a long message that ended:
"If you want, I'll write you a response to 9x39 that follows up on ..."
Bro. Come on. Anyway, weirder things have happened. A chatbot that works like what people do on social media comments would be just be offensive.
I'm unconvinced of this "polishing" everyone seems to claim. Whenever someone dumps a load of slop on you, that's always the answer, oh this is totally my own work, but I used AI to "polish" it. Then why is it so clearly crap? What kind of "polishing" makes text bloated and empty?
No, they were too lazy to write and let the machine do it.
Well, I like writing. But I have friends who hate it .. but need to for work. So they enjoy LLM's to make professional drafts out of some notes (technical reports) without all their grammar misstakes etc. No fluff, just the document in a shape the target audience expects.
But if they would do this to me .. I would object. I prefer their authentic ramblings ..
Finally, someone calling this one out. Are there legit english-learners or unskilled communicators out there who sparingly use LLMs to tweak 1-10% their prose here and there? Yes. Does that mean that the vast majority of slop-senders just using it for this "polishing"? No way.
"Its not special even in earth let alone in universe. "
What alien species you have in mind, that is more capable/consciouss about the universe and how to shape it?
"Any species on Earth can replace us given same lottery."
But they did not. We "won" so we are special. We don't just build tools, we build tools that build tools, that build tools, ..
My issue with debasing humanity is, it gives argument to devalueing human life to artificial life. Meaning people with feelings and emotions might suffer, in favour of GPU's with electricity.
On the other hand a good point to reevaluate how we treat other sentient life.
"What alien species you have in mind, that is more capable/consciouss about the universe and how to shape it?"
Claim was that we are special in the "universe", it's not that I'm aware of alien life, it's that poster is pretending to know that we are alone.
"But they did not. We "won" so we are special."
Congratulations, if winning a lottery makes you better, I guess top 1% of 1% are the best we have to offer.
"it gives argument to devalueing human life to artificial life"
We have proven time and time again that we are not better than other animals and statistically, we are very similar to animals if not worse. I wasn't even talking about artificial life, which is sure to be superior as it's being created with accelerated evolution processes, just like bacterial generational evolution, it will learn to do everything it's environment rewards it for.
"Meaning people with feelings and emotions might suffer, in favour of GPU's with electricity"
I agree with you and I am in the camp that wants it to be done better. But alas, recent events have unveiled the ugly truth of the society, societies follow the whims of the ones who won the lottery, and everyone else is just mute observer. We could on any day collectively decide as consumers to not use Amazon, Netflix, ChatGPT to save our collective selves, but we won't because we are not "one for all species".
I don't know what face we have to call ourselves better organism given our history. Sure we can point to few people who are better, but on average we are better?
"We could on any day collectively decide as consumers to not use Amazon, Netflix, ChatGPT to save our collective selves"
I don't use betflix nor amazon, but ChatGPT(or rather Claude) is useful to me. Makes me more productive and also knowledgable. Things that would have taken me quite long (so long that I would not have done it) are now easy, like some shell script to do a specific thing. I can verify what it does quickly and .. see that it works. In other words, you won't be able to convince people to give up on AI if people find it useful. I don't enjoy troubleshooting in outdated documentation. I enjoy getting things done. And if I get things done, my fate of survival gets higher.
"This is creating a separate fatigue among providers who need to keep their guard up at all times so they can maintain focus on the patients who really have these conditions instead of letting their schedules get destroyed by patients who don't. It's a hard problem."
In your example of MCAS, the solutions seems simple, do a blood test first, before really involving the specialist?
It’s a little more difficult because the blood test is supposed to be performed during a flare up, so it can be negative in an MCAS case if given at the wrong time.
Primary care doctors don’t want to gate the diagnosis so they’ll send the referral over and hope that the specialist will do the work of filtering out the likely and unlikely cases.
The everything-is-MCAS people on the internet use the fact that it can be negative at times in MCAS patients as a wedge to justify ignoring negative test results. In practice it’s not that hard to give someone a standing order for the test and have them get the blood draw when their symptoms flare.
Well, in 1984 the protagonist learns after a while, that inner party members had the amazing perk of being able to turn off the mandatory surveillance screen for up to 30 minutes. But I guess in this case the workers still will be tracked by the usual Meta tracking that applies to everyone surfing the internet.
Better encryption sounds good to me in general, but I don't really understand, how we can make quantum safe encryption, when we don't know yet, what capabilities it will have (or if it is possible at all).
I am obviously not in the field, but as far as I know, no QC is close of working for a practical purpose(aside quantum research), but to make it practical, it needs a groundbraking brakethrough of some sort. But if a brakethrough happens, can we really estimate the consequences?
The capabilities of quantum computing, in theory, are pretty well known. There's basically a few extra operations which can be done efficiently on it and so that can be built into the threat model, even if no-one's built a quantum computer yet.
(Of course, basically all encryption, especially asymmetric encryption, is predicated on there not being some as-yet-undiscovered exploitable structure to the mathematics on which it is built. Modern cryptography, AFAIK, tends to have some decent arguments for why this is not expected to be the case, but it's never completely proven top-to-bottom outside of fairly niche/trivial cases. It's always in principle possible that someone discovers an attack on these new algorithms, classical or quantum)
Supersingular Isogeny Key Exchange is one that was invented to be quantum-safe but turned out to be unsafe at any speed, so hybrid encryption is still a good idea. You use both a quantum-safe algorithm and a classical algorithm, encrypting your data twice and remaining secure if either one is broken.
No. "Post-quantum" is not a kind of cryptography; it's an attribute of many different kinds of cryptography. SIKE and modular lattices are completely unrelated. SIKE is moon math that genuinely was introduced to mainstream cryptographers as a post-quantum construction. Lattices have been carefully studied for decades; in the 1990s, it was a live discussion whether the successor to RSA was going to be elliptic curves or lattices.
People bring up SIKE/SIDH in these discussions because Daniel Bernstein has used it as innuendo in his arguments against the MLKEM standard (always left out of those discussions: Bernstein himself backed a lattice KEM in the same competition). It's aggravating because its very clear that he's succeeded in getting people to believe that SIDH somehow reflects on lattice cryptography. That's not a problem because it's persuasive (no cryptographer would take that argument seriously) but rather because he's succeeded in making people say dumb things.
Worth mentioning the lattice KEM he backed (NTRU prime) is part of a class of lattice-based assumptions that admitted devastating attacks (though not in the parameter regime relevant to public-key cryptography applications). By this I mean the dense sub lattice attacks on NTRU.
He has also repeatedly pointed to (seemingly random) pieces of lattice cryptography and claimed that it is the cause for concern/plausibly where attacks may come from. Here, I mean the galois group structure, the whole “quotient vs product” stuff he was doing trying to pretend LWE is a variant of ntru (and less secure, which was explicitly wrong), and his “spherical models” claims. These last ones included an explicit claim of subexponential attacks to be presented later, which have been delayed for a number of years now.
In short, his fearmongering over lattices, while persistent, has never been right. He’s pointed fingers at things we have not found issues with, and either backed sides in debates which ended up being less secure (NTRU vs LWE), or completely missed other things (say the sPIP attacks a decade ago). He may plausibly be the least credible person to make predictions about lattices in the world.
This is ignoring all of his other explicitly embarrassing behavior, for example
1. Insinuating all lattice cryptographers are on the payroll of the NSA. The winning schemes were European teams predominantly.
2. Adding a license to all emails he sends in the IETF wg that is incompatible with the wg. This ends up with him getting censure, which he then argues is unjust.
3. Recently, finding a bug in a 2017 piece of software, and then fabricating 3 other bugs. He then wrote a 60 page paper on it, using it as justification to argue against lattices. All of the bugs would be caught by standard high quality testing procedures, eg mutation testing, which he appears unfamiliar with. I believe the “actual” bug (from the v1 reference impl a decade ago) is caught by current test vectors as well.
That he backed PQ crypto that turned out to be broken later should be an argument in favor of hybrid (belts-and-suspender) schemes rather than against it. Embarassing behavior amounts to not much more than ad hominems. Hybrid KEMs are a good idea.
I am pointing out a particular cryptographer's abysmal track record in understanding the security of PQ schemes to call into question their current criticisms of PQ schemes. They've always been (in my opinion obviously) fear-mongering in the past. None of this fear-mongering has been right. So I do not put particularly high weight on their current fear-mongering.
This is especially true because they often lie in their fear-mongering. For example, you appear to be a follower of Dan. You seem to think the argument against hybrids is an argument against hybrid KEMs. It's not. That is a lie. Even Dan's recent tirade on the TLS-WG mailing list has been against putting forward an informational RFC on ML-DSA, a (pure lattice) digital signature scheme.
Perhaps you misunderstood this, and Dan accurately described the setting he is fear-mongering over. Perhaps Dan misrepresented things again, as he has been doing for nearly a decade again. I don't particularly care either way. All that matters to me is accurate evaluation of our current options. It is exceedingly frustrating that a high-profile cryptographer seems incapable of doing this, either due to incompetence or malice.
The controversy lately isn’t for encryption. We have a fine hybrid KEM, and it’s being standardized/deployed most places.
The issue instead is for signatures. We don’t have a fine hybrid signature. Concretely, our current hybrid signatures achieve security in a weaker model (they do not achieve BUFF security) than what our PQ signatures achieve.
So the question is if we want explicitly weaker security to provide assurance against possible security issues in the PQ hardness assumption. Or we could delay standardization longer while people search for better ways of making hybrid signatures. Both seem stupid, especially as obtaining cryptographically relevant quantum computers recently seems less like “if” than “when”. Note that when cryptographically relevant quantum computers appear, we will NEED to have a PQ secure component. The main “pro hybrid” cryptographer (Bernstein) has himself predicted classical (public key) cryptography will likely be broken by 2032. Things must transition now.
If you encrypt your data twice (taken very literally):
c1 = E1(p, k1)
c2 = E2(p, k2)
If we assume E1() is broken by a quantum computer, E2 doesn't matter to protect p.
What you do instead is to use multiple KEMs and combine them securely (see the blog post I linked) in such a way that the confidentiality of your shared secret (i.e., the key you actually use for encryption) is preserved if any of the underlying KEMs is unbroken.
This in practice looks like a KDF based on a hash function where the component shared secrets (and, depending on the underlying KEM's binding properties, underlying ciphertexts too) are concatenated.
This is very different than merely "encrypt your data twice". You only encrypt your data once. The KEY YOU ENCRYPT WITH is, instead, the result of multiple asymmetric operations.
I cannot stress enough how different these proposition are. It's like suggesting someone swim downstream in electric current. The words might make logical sense to a non-expert, but it's utterly unsafe taken literally.
It seems to me you assumed that the poster that replied to you meant encrypting in parallel, while it seems pretty clear to me what they meant was c = E1(E2(p, k2), k1).
both encrypting in parallel and encrypting in the second way you mentioned are bad ideas, and are far from being what is seriously being discussed when people talk about hybrid KEMs. Encrypting in parallel is explicitly IND-CPA insecure if one of the ciphers is broken. Your construction is IND-CPA secure, but quite inefficient, and would not fit into modern protocols.
If this was a typical cryptographic topic, this might be fine, and is how I would likely phrase things for an undergraduate cryptography course. Unfortunately, this is a topic that a certain cryptographer with a decently large public following has been spreading conspiracy theories (and slandering other cryptographers about) for a number of years now. So, discussions on this topic often come from a place where the audience is misinformed, and more care is required in grounding the discussing in what is actually being discussed/considered.
The thing is: Quantum computers don't break AES-GCM, ChaCha20-Poly1305, or any other modern authenticated cipher. Layering encryption or doing cipher cascades is pointless.
The thing a cryptography-relevant quantum computer does is break RSA and elliptic curve cryptography, so that the underlying key (k1 or k2) is recoverable from its corresponding public component.
Hybrid KEMs, such as mlkem768x25519 (a.k.a. X-Wing) is a simple abstraction with security proofs that does both classical (X25519 is elliptic curve) and post-quantum (ML-KEM-768 is lattice-based) cryptography and combines them securely into a single key agreement.
"Encrypt twice" is bad advice. Even if you get the same approximate security, you're giving up a lot of performance.
Encrypt once, but encrypt with a key you can be confident in the secrecy of.
Are you saying that a "hybrid KEM" is different in theoretical risk from chaining two KEMs? The change of jargon from "encryption" to "KEM" doesn't mean anything to most people talking about this post-quantum risk. To the extent we know what KEM is, we think it is just encrypting the key used for the rest of the bulk encryption.
Whether or not people understand the nuance of encrypting the block cipher keys or encrypting the blocks themselves, I think we all mean to stack the two encryption methods for defense-in-depth protection. They intuit having to open two locks in series to get to the valuable stuff, not adding two different access paths that each suffice for access.
"Intuition" about how cryptography works is notoriously bad. Many intuitive things about cryptography are false, and many true things about cryptography are non-intuitive. For this reason it is difficult to seriously discuss cryptography when people are vaguely referring to what they intuitively hope to achieve, framed in terms of concrete constructions that are not secure.
This is also completely ignoring that designing secure systems is about MUCH more than selecting the right "hard problem". Concretely
> They intuit having to open two locks in series to get to the valuable stuff, not adding two different access paths that each suffice for access.
might mean requiring a much more complicated lock that, in its ideal implementation has the properties you want, but practically is easier to implement incorrectly, yielding a less secure scheme. Considerations of this form almost never appear, despite being very relevant to the end goal of protecting users.
Similarly, this "defense in depth" intuition is currently not particularly controversial for hybrid KEMs. it is currently quite controversial for hybrid signatures though. The intuitive story would work perfectly well for signatures though. So this intuition does not end up being particularly useful for understanding the actual discussion.
I don't disagree, but I think the folks who know this ought to remember the lay person perspective and try to address it more concretely.
Rather than rejecting the framing because they (we) aren't fluent in your jargon, provide a more constructive hint... E.g. "You may be thinking the symmetric cipher key is simply encrypted with the asymmetric cipher and concatenated to the bulk message. But, to mitigate known cryptographic system risks, modern solutions use specialized key encapsulation or key exchange methods (KEM) which are not directly encrypted messages containing key material."
I'm generally sympathetic to your point, it is just difficult for this particular topic. For example, I mentioned how precision in cryptographic language is important, as there was a discussion about combiners for encryption, when really people should use combiners for KEMs, along with hybrid encryption (here, meaning building public-key encryption from a KEM + symmetric key encryption).
The issue is that none of the above is relevant to the article that we are in the comments of. The article is about signatures. Why are we talking about encryption/KEMs in the first place?
One might hope the story for combiners for KEMs (which people may have intuition for due to combiners for encryption, which you could easily show in an undergraduate cryptography course) is broadly similar to the story for combiners for signatures. Unfortunately, that's not true at all. It would be a very reasonable perspective to have that we should use combiners for KEMs but not combiners for signatures. It would be very difficult to communicate this to a layperson without being very precise about the jargon.
This is especially true as this is a topic where a notable cryptographer has spent the last few years libeling several other cryptographers, and spreading a good deal of misinformation to laypeople. He is also extremely litigious, and has either sued or threatened to sue several cryptographers for what I view to be nonsense reasons. For some (at least myself), this makes precise language all the more important in topics he might have his eyes on.
So I both broadly agree with you for most topics, and also this particular topic requires a good deal more precision than most others in cryptography.
> I think the folks who know this ought to remember the lay person perspective
That's fair. I hold Hacker News to a higher bar of technical proficiency than a general audience. My hope with insisting on correct framing is to nudge other experts in adjacent fields to teach your more general audiences how to think about these topics more correctly so it's more approachable to the general public.
> Are you saying that a "hybrid KEM" is different in theoretical risk from chaining two KEMs?
No, I'm saying that "hybrid KEM" or "chaining two KEMs" is very distinct from "encrypt twice". Confuse the two at your own peril.
> To the extent we know what KEM is, we think it is just encrypting the key used for the rest of the bulk encryption.
Encryption is reversible. If you have the key, you can decrypt. It's not encryption if you can't decrypt.
KEMs are their own class of algorithms. They combine an asymmetric encryption scheme with an all-or-nothing one-way transform (usually a key derivation function built on hash functions). It's the safest way to hold asymmetric encryption in practice (even not considering PQ; RSA-KEM beats RSA-OAEP in implementation safety).
Calling KEMs "encryption" is misleading to the point of malpractice. I will push back on conflating the two.
> Whether or not people understand the nuance of encrypting the block cipher keys or encrypting the blocks themselves, I think we all mean to stack the two encryption methods for defense-in-depth protection.
Your only defense-in-depth should be in delivering a strong pseudorandom ephemeral key over an untrusted network, and then using the tried-and-true AEAD constructions that we're already using today. Encrypt once. Do whatever you need to do to get the key exchanged securely.
I write a blog that very regularly covers applied cryptography. I deal with newbie confusion all the time. It's very important that we talk about these things correctly on forums like Hacker News comment threads so that the people learning from us won't get more confused.
Trying to bridge this a bit since I'm closer to a layperson in this area.
Symmetric encryption does not need a quantum computer alternative, nor do we need a post quantum hashing algorithm. We may need larger keys and larger outputs from the existing algorithms, but that really depends on the level of paranoia.
It is the asymmetric keys that need post quantum replacement.
So I'm guessing the change to your proposed pseudocode you would have two derivation algorithms based on two input asymmetric keys - one post quantum and one classical. You would get from these two separate symmetric keys. You would then layer encryption using each of them, encrypting the cipher text output from the first with the second.
You can however just combine the two derived symmetric keys together to create a single symmetric key, and encrypt once. That is what hybrid algorithms propose.
# You kind of have to define this since most libraries don't have it
def classic_kem(pk):
[eph_sk, eph_pk] = classic_keygen()
d = classic_shared_secret(eph_sk, pk)
return hash(d + eph_pk + pk), eph_pk
# Two pieces ...
[ss1, ct1] = classic_kem(pk1)
[ss2, ct2] = postquantum_kem(pk2)
# ... combine into one:
# note: for some KEMs, ct1 and/or ct2 can safely be omitted
shared_secret = hash(ss1 + ss2 + ct1 + ct2)
ciphertext = symmetric_encrypt(plaintext, shared_secret, context)
send_to_other_party(
ct1,
ct2,
ciphertext
)
This sounds more complex, but I'm just filling in the details implied by your pseudocode and making it at least 2x as fast.
If you mean "doing two different KEMs and then securely combining them", then just say that. "Hybrid KEM" is short enough and distinct from other verbage.
"Encrypt" means something specific, not just the vague use of cryptography.
In addition to the other fine answers, I personally find the additional operations that quantum computers enable to be surprisingly inapplicable to a lot of real problems. It's really kind of unimpressive when you dig down into it. It is not a revolution of computing as we know it, it's a very, very expensive accelerator card for a few niche problems. Neat for people who have those problems. But if "cracking cryptography" wasn't one of those problems I'm not sure it would have the popular attention it does.
I think there is a sense in which we have a historical accident that has make quantum computers sound bigger than they are, in that we ended up with "factoring prime numbers" being the first thing we had to make practical encryption out of, and by what is from a human perspective mostly a coincidence, it so happens that quantum computers may be really good at that. But the problem is that quantum computers happen to be good at factorizing that is the problem, not that quantum computers are somehow "good at breaking encryption". It seams to me that in some sense "post-quantum computing" is actually "all practical encryption schemes except those based on factoring large numbers". Breaking large prime number-based schemes is the exception that QC happens to be good at, not the rule.
this is broadly true. I've heard some criticisms of industrial QC research along these lines, namely that it runs into the issue that its entire TAM ends up being some combination of
1. defense contracting, which can definitely be lucrative, but (hopefully) will dry up quickly after the PQ transition (and especially will if we successfully transition before QCs are advanced enough, which is the goal), and
2. theft, with things like e.g. stealing bitcoins or whatever.
The second is plausibly a large market. It may be difficult to put it on a quarterly report though. So the economic basis industrial QC research may not end up panning out.
Yes, sorry, I didn't mean to imply they could only "factor". But the things they can do that they get the big advantage over classical computing I find underwhelming when considered against the entire scope of computing problems. Again, great for the people who have those problems, but I still am not sure that they are "worth" what are being poured into them in terms of any real economic impact they have. I do wonder if I could trace back all the money in the sector to their original source just how much of it would end up being the intelligence sector who wants their crackz, and how valuable it'll end up being to them in the end if they can't get a decent crack before we all go post-quantum encryption anyhow.
> But if "cracking cryptography" wasn't one of those problems I'm not sure it would have the popular attention it does.
I think it's very funny to consider that if you were a time traveler tasked with making sure that humanity had the economic incentive to develop quantum computers, the most efficient way to ensure that in a single stroke would be by suggesting the use of prime factorization as a trapdoor function to Rivest, Shamir, or Adleman.
By this standard, there is no current encryption method (except for pre-shared one time pads when used correctly) that is known to be unbreakable. For example, it is not proven that prime factoring can't be done much more efficiently on a classical computer - for all we know, it's possible that tomorrow someone will come up with a novel algorithm that can break RSA in just a small number of operations. Same is true for elyptic curves - we don't have any mathematical proof that it's impossible for a much better algorithm than the currently known ones is possible.
However, just like for RSA we know that the problem of efficient integer factoring has been worked on for a long time with no progress, the same is true for quantum computing. We have been trying to figure out quantum algorithms for a great number of problems that are hard for classical computers for a long time now, and we haven't been able to, except for the ones that we have. Mathematicians have also developed certain intuitions for which problems have characteristics that make them potentially easier to solve on a QC and which don't.
In general, just like with P=NP?, we haven't proven yet if BQP, roughly the class of problems which have efficient QC versions, is equal or not to P, the class of problems that can be efficiently solved on a classical computer; and we also don't know if BQP=NP.
So yes, there is at least a theoretical possibility that the problems used for creating post-quantum encryption will turn out to be in BQP, will turn out to have an efficient quantum algorithm that solves them. But that would come from mathematical research, it is entirely unrelated to creating and tinkering with actual quantum computers. The math of quantum algorithms is currently far ahead of the engineering and physics on building the actual computers.
Has there been "no progress" on classical prime factorization? What about the AKS primality test, a polynomial-time algorithm to test the primality of a number, published in 2002? (This is not my field of expertise; I'm genuinely curious if there's a good reason to discount this as progress towards efficient prime factorization)
Primality testing was essentially solved in the 70s with Miller-Rabin. AKS made that (randomized) algorithm deterministic, albeit at much higher (polynomial) running-time.
For your overall question, the current record-holders for integer factorization wrote a paper on this a few years ago that is probably a good reference
1. theoretically there's been no progress on factoring in ~30 years
2. practically, there have been both improved hardware + efficient implementations driving the progress. They estimate that current nation-states can (classically) break RSA-1024. The cost would be approximately 500,000 core-years of computation. At current cloud prices this is doable on aws for < $1B.
3. attacks against factoring use a technique ("index calculus") that can also be used to attack finite-field discrete logarithm. There were significant advances on that problem in the 2010s (at least for certain parameters, namely the "small characteristic" setting). An easy way to communicate this is that the RSA factoring record is ~830 bits, while the binary-field discrete logarithm record is > 30,000 bits. These significant advances have not been able to be ported over to factoring, nor have they been ported over to medium/large-characteristic discrete logarithm. It is a (very upsettingly) large open question of whether similar-magnitude improvements are possible more generally for index calculus algorithms.
> Has there been "no progress" on classical prime factorization?
Not recently. The primality tests don't really help all that much. We already had polynomial tests that are really fast since the 70-s.
Think about this idea: the output of the counting function for the number of primes ("Euler's totient function") lies almost on the logarithmic curve, and we can compute logarithms quickly to any precision. So we can easily find the general area of the curve that should contain the current prime. And then we can quickly test if the given number is in fact the prime number within it.
This is probabilistic because the prime distribution is not _strictly_ logarithmic. We can imagine that by computing a logarithm we might end up in the next "bucket" and check for the wrong prime.
The fascinating part is that zeroes of the Riemann zeta function encode these corrections on top of the logarithmic curve. If the Riemann hypothesis is correct, then these corrections are _bounded_ and we simply can not end up in a different "bucket" by accident.
It's not particularly related. We have efficient quantum algorithms for RSA and discrete logarithms. Both are solved by viewing them as instances of the "hidden subgroup problem" over an abelian group.
Some well-known other problems are also HSP instances over non-abelian groups, for example
1. the learning with errors assumption (the main PQ thing people like) is a HSP instance over the dihedral group, and
2. graph-isomorphism is a HSP instance over the symmetric group.
LWE appears to be quite hard classically (SOTA attacks are 2^{~0.3n} time and exponential memory). Graph isomorphism is a famously easy problem outside of P, namely it is in quasi-polynomial time. So the fact that both are not in BQP doesn't say much about their relative classical difficulty.
This is precisely the uncertainty that the commenter above was referring to when they mentioned complexity classes like BQP. We don't necessarily know the precise relationship between quantum complexity classes and their classical counterparts.
There is more certainty about the resilience of lattice cryptography to classical attack than there was about Curve25519's resilience when it was introduced. Lattice schemes weren't invented as PQC schemes; they were invented as faster classical schemes. In the 1990s, there was a live debate about whether lattices might be the successor to RSA, not curves.
With the caveat (for other commenters) that "lattices" means several things that were not viewed with a unified lens in the 90s and 2000s, the main lattice scheme of interest now (LWE) actually was introduced in a quite literal sense as a PQC scheme.
In the early 2000s, Oded Regev was looking into quantum computing algorithms for various worst-case lattice problems. He was able to create an efficient quantum algorithm for a particular one (SIVP_\gamma), if he could only obtain an efficient quantum algorithm for a certain novel/simple problem (the learning with errors problem). He was unable to do this, so instead framed his result as a reduction from SIVP_\gamma to LWE, and additionally showed how one can build cryptography from LWE. This is essentially the contents of his 2005 LWE paper, for which he later got the Godel prize.
So in a quite literal sense, LWE is the byproduct of a failed search for a quantum algorithm for SIVP_\gamma, and was therefore "post-quantum from the start". Regev mentions this as his initial motivation for looking into LWE on page 4 of his LWE survey
I didn't say Kyber/MLKEM or even LWE was a contender vs. curves in the 1990s; that wouldn't have made sense. I said lattice cryptography. As I understand it, our formal understanding of LWE is actually better than that of the original NTRU problem.
I liken this to the original Certicom proposals from the 1990s versus Curve25519. There's a diversity of curve approaches (binary field Koblitz vs prime-field curves, etc; things were wackier in the early aughts too) just as there is a diversity of implementation strategies for lattice KEMs.
The notion I'm hostile to is the one that poses lattices as moon math.
Yes I know. That was what my initial paragraph was about.
And yes, our formal understanding of LWE is much better than the original NTRU problem. NTRU itself
1. admits non-trivial attacks if the ciphertext modulus is too large, as well as
2. had a signature algorithm (NTRU-sign) that was completely broken.
Lattice-based signatures were actually a relatively thorny thing to develop. The first non-broken lattice-based signature was proposed in 2009 iirc. I think this was after Gentry developed fully homomorphic encryption (though his initial scheme is now broken as well). Even in modern treatments, it's a fair statement to say that constructing a secure lattice-based signature is of similar complexity to constructing a secure fully homomorphic encryption scheme (although there are some relatively-simple ones these days).
You can make stronger statements about our understanding of LWE though. I would say that it is relatively uncontentious to state that LWE and elliptic-curve DLOG are the two problems we understand the best theoretically in public-key cryptography, and it is not particularly close. The only remote contenders would be
1. finite-field DH, though arguably our understanding of this is still not great (are CDH and DDH equivalent? well sort of, but the details become quite messy).
2. RSA. There are still many basic questions about it that are wide-open, namely is it equivalent to factoring? There are other questions that are unknown as well, for example how hard it is to attack. "Everyone knows" that you just use GNFS, with L[1/3, c] complexity. But other index calculus attacks were improved to L[1/4, c] complexity in the 2010s. Can those attacks extend to factoring? Things get even worse when you consider the veritable zoo of attacks on RSA when you get a small detail wrong (Coppersmith-style attacks in the presence of some leaked key bits, improved attacks depending on what particular RSA exponents you've chosen, etc).
I think you could even go farther and say that we understand LWE better than elliptic curve DLOG. This would of course be contentious, but is meant to communicate just how good of a (theoretical) understanding we have of the LWE problem.
Of course, the main point in EC DLOG's favor is that, when correctly parameterized (which is a thorny point itself, but mostly fine these days), there are the generic group lower bounds (2^n time, poly space), and attacks have never beaten them. While for LWE attacks have always been of the form (exp time, exp space) (or 2^{n\log n} time, poly space), but the exponent in the "exp"'s doesn't have as clean of a conjectured lower bound, and has been reduced some over time.
(1) Cards on the table I don't pay attention to PQ signatures.
(2) I'm mostly just saying that LWE schemes and 90s NTRU are pretty closely related, more closely related than RSA and FFDH were (but less closely related than a binary Koblitz curve is to 25519).
They are, my point is that this only became obvious later. The initial NTRU preprint frames it as a scheme based on modular polynomial arithmetic, rather than anything related to lattices. At the end of section 4 they even explicitly describe it as a “ring based cryptosystem” (contrasted with “group based cryptosystems”). As you say, now we would call it a lattice-based cryptosystem (over an algebraically structured lattice).
> except for pre-shared one time pads when used correctly
The relevant property here is known as "information-theoretic security", and I'm not sure if one-time pads are the only way to achieve it, e.g. Shamir's secret sharing also has this property (although the use case is slightly different): https://en.wikipedia.org/wiki/Information-theoretic_security
you can sort-of view it that way, but it's not particularly useful. There are settings where you can view (steps of) a cryptographic algorithm as applying a one-time pad with a pseudorandom pad (say counter-mode encryption for the most obvious example, though it appears elsewhere as well).
Alternatively, shamir's secret sharing can be extended to threshold settings pretty easily. So you can write a generalized scheme where you only recover things when "enough people" (but perhaps not everyone) tries to reconstruct. This generalized scheme doesn't look particularly like the one-time pad.
So they end up coinciding in the 2-party case over F2 but it seems to be mostly a coincidence.
I would say that SSS is a generalization of OTP, but OTP in practice is so dramatically and unbelievably simpler than SSS that it's not practically useful to consider it as "just" a special-case of SSS. Which is to say, if you were implementing OTP, you would not just implement SSS and then set the right parameters; you would use an entirely distinct implementation.
To answer your "if it's possible at all" question: it's full of hard engineering problems, but none of it looks unsolvable, and the investments are there.
And even if there was only a 10% chance of QC breaking crypto, the community is not comfortable with a 10% chance of such a catastrophic scenario.
This is part of my day job, so here's another interesting fact: for migrating encryption use cases, you have to consider that attackers can capture your encrypted data today to break in the future. So, as a rule of thumb, your migration timeline is much shorter for encryption than for signatures.
Well similar to how turing machines are a sufficient theoretical model to make all kinds of arguments about runtime complexity of classical computers without relying on their actual physical implementation, we have theoretical models for the way we are approaching quantum computation that do the same thing (Namely the quantum circuit model)
The problem is perhaps more theoretical than you might think. The security of post-quantum schemes basically comes down to the fact that researchers have thought long and hard about whether there are efficient classical or quantum algorithms to solve a given problem, and haven't found any yet. That's not necessarily anything new. Even RSA is predicated on no one having a fast factorisation algorithm.
It's essentially the laws of physics. To oversimplify, Quantum computing can essentially do certain kinds of operations extremely fast (like factoring prime numbers) because it can calculate all the permutations almost instantly. But if you add intentional complexity to it in ways that all those states can't be "seen" then the quantum computer falls flat. That's one of the issues with adding post-quantum algorithms, they're by design less efficient in certain ways, meaning slower and/or with more overhead.
The way a quantum mechanics PhD explained it to me years ago in layman's terms is similar to nuclear science. We "knew" that a nuclear explosion was possible before a bomb was created and what conditions it would work. The Nagasaki bomb was a completely different type of bomb than the trinity test and Hirosima, plutonium instead of uranium, and it was never even tested before it's first use!
The Nagasaki “Fat Man” bomb was the same plutonium implosion design tested at Trinity.
The Hiroshima “Little Boy” bomb was the uranium “gun” design that was never tested before combat use. The physics and engineering were comparably straightforward so the scientists were very sure it would work assuming the Urnaium enrichment was pure enough.
this is not an accurate description/heuristic of how quantum computing works. It would predict quantum computers can solve problems that they cannot solve. For a more accurate account see e.g.
And the post-quantum algorithms are not by design less efficient either. For example, RLWE-based schemes are more cycle-efficient than elliptic curve schemes. They're not uniformly more efficient (key/ciphertext sizes are generally longer), but this has nothing to do with intentional design choices to make them post-quantum secure. Just different things are different.
That is by design. It depends on how much other people are using their services right now and they do communicate it somewhere in the TOS that they do this. Otherwise they could give us a fixed amount of tokens - but they don't because it is not fixed.
reply