What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?

I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.

I myself am very much in doubt whether to use PQC or stick with known ciphers.

On 2024-05-02 10:20, The Running Man wrote:
> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
>
> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.

If any bad actor has a quantum computer with just a few more Qubits
than the ones demonstrated in public, they can break most current public
key algorithms using known attack algorithms written a long time ago for
such (then hypothetical) computers. They can also break symmetric
encryption at the same difficulty as if the key length was half as many
bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
128).

>
> I myself am very much in doubt whether to use PQC or stick with known ciphers.
>

From what I read so far, the most promising PQC signature algorithm is
the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
will take serious work.

Key exchange will be harder, though the DJB-sponsored proposal for a
"Classic McElice" variant may be solid.

Any PQC public key algorithm will need to be combined with double
strength symmetric algorithms.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

On a sunny day (Mon, 6 May 2024 15:53:18 +0200) it happened Jakob Bohm
<jb-usenet@wisemo.invalid> wrote in <v1ancg$2jieu$1@dont-email.me>:

>On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are
>> winners, but do you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current
>> cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the
>> promise of eternal confidentiality which current ciphers cannot guarantee.
>
>If any bad actor has a quantum computer with just a few more Qubits
>than the ones demonstrated in public, they can break most current public
>key algorithms using known attack algorithms written a long time ago for
>such (then hypothetical) computers. They can also break symmetric
>encryption at the same difficulty as if the key length was half as many
>bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
>128).
>
>>
>> I myself am very much in doubt whether to use PQC or stick with known ciphers.
>>
>
> From what I read so far, the most promising PQC signature algorithm is
>the Merkle scheme in RFC8554 and RFC8391, though a secure implementation
>will take serious work.
>
>Key exchange will be harder, though the DJB-sponsored proposal for a
>"Classic McElice" variant may be solid.
>
>Any PQC public key algorithm will need to be combined with double
>strength symmetric algorithms.
>
>Enjoy
>
>Jakob

Experiment opens door for millions of qubits on one chip:
https://www.sciencedaily.com/releases/2024/05/240506131552.htm
Summary:
Researchers have achieved the first controllable interaction between two hole spin qubits in a conventional silicon transistor.
The breakthrough opens up the possibility of integrating millions of these qubits on a single chip using mature manufacturing processes

?

On 06/05/2024 15:53 Jakob Bohm <jb-usenet@wisemo.invalid> wrote:
> On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I know the NIST has held a contest and that there are winners, but do you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the security and privacy of millions of unsuspecting users. Current cryptographic algorithms are known to be safe and will be for at least the coming decades. OTOH these new PQC ciphers hold the promise of eternal confidentiality which current ciphers cannot guarantee.
>
> If any bad actor has a quantum computer with just a few more Qubits
> than the ones demonstrated in public, they can break most current public
> key algorithms using known attack algorithms written a long time ago for
> such (then hypothetical) computers. They can also break symmetric
> encryption at the same difficulty as if the key length was half as many
> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
> 128).
>

Define: "a few more qubits." I've read that maybe up to a million qubits are needed to compensate for the errors and noise to be able to break current asymmetric encryption algorithms. Symmetric algorithms aren't vulnerable in any case since quantum algorithms only halve the number of bits of security (i.e. 256 bits becomes 128 bits which cannot be broken).

On 06/05/2024 14:53, Jakob Bohm wrote:
> On 2024-05-02 10:20, The Running Man wrote:
>> What is you guys take on PQC (Post Quantum Cryptography) algorithms? I
>> know the NIST has held a contest and that there are winners, but do
>> you guys think they're safe to use?
>>
>> I fear they may be broken in the future thereby destroying the
>> security and privacy of millions of unsuspecting users.

Yep, that's a risk. PQC algorithms are of necessity less mature than
current cryptographic algorithms. If I may quote Schneier's law it its
original form:

"Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break. It’s not even hard.
What is hard is creating an algorithm that no one else can break, even
after years of analysis. And the only way to prove that is to subject
the algorithm to years of analysis by the best cryptographers around."

The winning PQC algorithms have had some of that analysis, but perhaps
not enough. I would not be surprised if, like some of the candidates,
the winners were comprehensively broken.

And there is another risk: that they will broken in ways we don't know
about now. Quantum computers of the needed scale still don't exist, and
we don't have years of practice using them - so it is practically
inevitable that new attack techniques using quantum computers will be
developed.

> If any bad actor has a quantum computer with just a few more Qubits
> than the ones demonstrated in public, they can break most current public
> key algorithms using known attack algorithms written a long time ago for
> such (then hypothetical) computers.

Err, no. Just no.

You would need about 1,000 reliable entangled error-free qubits
equivalent (REEFQe) to do any useful cryptanalysis of present day public
key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
like 20.

Having 1,000 error prone qbits, which has been done in a couple of
cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
annealing qbits.

Not even close.

And close only counts in horseshoes and hand grenades.

> They can also break symmetric
> encryption at the same difficulty as if the key length was half as many
> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
> 128). [..] Any PQC public key algorithm will need to be combined with double
> strength symmetric algorithms.

Now there we agree, in fact double strength symmetric algorithms should
be de rigueur in general use as of yesterday: but I don't see why we
can't double up and use classic public key algorithms *as well as* PQC
public key algorithms, at least for a while.

Peter Fairbrother

who doesn't see why we need the u in qubits

On 2024-05-09 23:28, Peter Fairbrother wrote:
> On 06/05/2024 14:53, Jakob Bohm wrote:
>> On 2024-05-02 10:20, The Running Man wrote:
>>> What is you guys take on PQC (Post Quantum Cryptography) algorithms?
>>> I know the NIST has held a contest and that there are winners, but do
>>> you guys think they're safe to use?
>>>
>>> I fear they may be broken in the future thereby destroying the
>>> security and privacy of millions of unsuspecting users.
>
> Yep, that's a risk. PQC algorithms are of necessity less mature than
> current cryptographic algorithms. If I may quote Schneier's law it its
> original form:
>
> "Anyone, from the most clueless amateur to the best cryptographer, can
> create an algorithm that he himself can’t break. It’s not even hard.
> What is hard is creating an algorithm that no one else can break, even
> after years of analysis. And the only way to prove that is to subject
> the algorithm to years of analysis by the best cryptographers around."
>
> The winning PQC algorithms have had some of that analysis, but perhaps
> not enough. I would not be surprised if, like some of the candidates,
> the winners were comprehensively broken.
>
> And there is another risk: that they will broken in ways we don't know
> about now. Quantum computers of the needed scale still don't exist, and
> we don't have years of practice using them - so it is practically
> inevitable that new attack techniques using quantum computers will be
> developed.
>

See further below where Fairbrother returns to this subject.

>
>> If any bad actor has a quantum computer with just a few more Qubits
>> than the ones demonstrated in public, they can break most current
>> public key algorithms using known attack algorithms written a long
>> time ago for
>> such (then hypothetical) computers.
>
> Err, no. Just no.

Note that I was talking logarithmic steps, not single Qbit steps.

>
> You would need about 1,000 reliable entangled error-free qubits
> equivalent (REEFQe) to do any useful cryptanalysis of present day public
> key algorithms, and we are nowhere near that. Not even 100 REEFQe, more
> like 20.
>
> Having 1,000 error prone qbits, which has been done in a couple of
> cases, is not nearly enough. Neither is D-wave's 1,200 calibrated
> annealing qbits.
>

Would those numbers apply to things like EdDSA and ECDSA?

>
> Not even close.
>
> And close only counts in horseshoes and hand grenades.
>
>
>> They can also break symmetric
>> encryption at the same difficulty as if the key length was half as many
>> bits (thus AES 128 would be as weak as IDEA, AES 256 as weak as AES
>> 128). [..] Any PQC public key algorithm will need to be combined with
>> double strength symmetric algorithms.
>
> Now there we agree, in fact double strength symmetric algorithms should
> be de rigueur in general use as of yesterday: but I don't see why we
> can't double up and use classic public key algorithms *as well as* PQC
> public key algorithms, at least for a while.
>

Yes, doubling up the types of algorithms used is a good way to hedge
bets against bad algorithms. Staying with known at-risk algorithms is
problematic.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

On 10/05/2024 07:32, Jakob Bohm wrote:
> On 2024-05-09 23:28, Peter Fairbrother wrote:

>> You would need about 1,000 reliable entangled error-free qubits
>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>> public key algorithms, and we are nowhere near that. Not even 100
>> REEFQe, more like 20.

> Would those numbers apply to things like EdDSA and ECDSA?

A thorny question.

The publicity for quantum computers is usually splashed about measured
solely in qubits (approximately, quantum storage bits, a bit like a
register in a cpu with only one register); but that's not immediately
relevant to the amount of computation they can do - they also need
quantum gates, qubits by themselves can't do any computing.

So even 1,000 "real" qubits is just a very rough ballpark figure which
doesn't actually mean very much.

In terms of comparing breaking RSA and breaking ECDSA, you would need
more qubits but less gates for RSA - but as you can, above some
minimums, pretty much swap needed qubits for needed gates, that doesn't
help much.

I believe the minimum number of "real" qubits needed is about 350 for
ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
a LOT more quantum gates.

Overall it's pretty hard to say which is easier to do, and would depend
on more than the number of qubits a computer has. Quantum gates are
noisy too, especially the ones which do entanglement.

[1] I could be wrong here, I'm a bit out-of-touch. And these are
_theoretical_ minimums, and even then estimates vary, a lot.

In practice, realistically the best I've seen uses about 6,000 real
qubits and 10^12 gates to break 2k RSA in months. You would also need a
depth of about 10^11 (depth is the longest chain of quantum gates used,
and they all have to work...)

We are closer to getting to Alpha Centaurus and taming fusion than doing
that.

Peter Fairbrother

On 10/05/2024 17:28 Peter Fairbrother <peter@tsto.co.uk> wrote:
> On 10/05/2024 07:32, Jakob Bohm wrote:
>> On 2024-05-09 23:28, Peter Fairbrother wrote:
>
>>> You would need about 1,000 reliable entangled error-free qubits
>>> equivalent (REEFQe) to do any useful cryptanalysis of present day
>>> public key algorithms, and we are nowhere near that. Not even 100
>>> REEFQe, more like 20.
>
>> Would those numbers apply to things like EdDSA and ECDSA?
>
> A thorny question.
>
> The publicity for quantum computers is usually splashed about measured
> solely in qubits (approximately, quantum storage bits, a bit like a
> register in a cpu with only one register); but that's not immediately
> relevant to the amount of computation they can do - they also need
> quantum gates, qubits by themselves can't do any computing.
>
> So even 1,000 "real" qubits is just a very rough ballpark figure which
> doesn't actually mean very much.
>
>
> In terms of comparing breaking RSA and breaking ECDSA, you would need
> more qubits but less gates for RSA - but as you can, above some
> minimums, pretty much swap needed qubits for needed gates, that doesn't
> help much.
>
> I believe the minimum number of "real" qubits needed is about 350 for
> ECDSA and about 1,000 for RSA[1]; but at that level breaking ECDSA needs
> a LOT more quantum gates.
>
> Overall it's pretty hard to say which is easier to do, and would depend
> on more than the number of qubits a computer has. Quantum gates are
> noisy too, especially the ones which do entanglement.
>
>
>
> [1] I could be wrong here, I'm a bit out-of-touch. And these are
> _theoretical_ minimums, and even then estimates vary, a lot.
>
> In practice, realistically the best I've seen uses about 6,000 real
> qubits and 10^12 gates to break 2k RSA in months. You would also need a
> depth of about 10^11 (depth is the longest chain of quantum gates used,
> and they all have to work...)
>
>
> We are closer to getting to Alpha Centaurus and taming fusion than doing
> that.
>
>
> Peter Fairbrother
>
>

<https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>

They now believe they can build million-qubit processors using ultra-pure silicon.

The Running Man <runningman@writeable.com> writes:
> <https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
>
> They now believe they can build million-qubit processors using ultra-pure silicon.

You have confused "could" with "can".

Phil
--
We are no longer hunters and nomads. No longer awed and frightened, as we have
gained some understanding of the world in which we live. As such, we can cast
aside childish remnants from the dawn of our civilization.
-- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/

On 13/05/2024 23:45 Phil Carmody <pc+usenet@asdf.org> wrote:
> The Running Man <runningman@writeable.com> writes:
>> <https://www.space.com/purest-silicon-could-lead-to-first-million-qubit-quantum-computing-chips>
>>
>> They now believe they can build million-qubit processors using ultra-pure silicon.
>
> You have confused "could" with "can".
>
> Phil
> --
> We are no longer hunters and nomads. No longer awed and frightened, as we have
> gained some understanding of the world in which we live. As such, we can cast
> aside childish remnants from the dawn of our civilization.
> -- NotSanguine on SoylentNews, after Eugen Weber in /The Western Tradition/

And here's another one:

<https://www.spacedaily.com/reports/Experiment_Allows_for_Potential_Millions_of_Qubits_on_Single_Chip_999.html>