Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-13 Thread Vít Šesták
Hello,

I'll react to multiple questions and statements from multiple people.

> A figure I heard was that qc can cut search time for symmetric key merely in 
> half, whereas its can cut time for asymmetric key by orders of magnitude. 

No. For symmetric key, it does not halve the time. It works like halving key 
length. It is an asymptotic improvement. With a classical computer, adding one bit 
doubles the time for brute force. With QC, adding *two* bits doubles the time for 
probabilistic brute force. See Grover's algorithm as I mentioned above.

For asymmetric cryptography, “orders of magnitude” can be true, but it does not 
express that it is an asymptotic improvement – you can resolve some problems in 
*polynomial* time. But there are some ciphers that are believed to be 
quantum-resistant, meaning that there is no such known attack.

> in Qubes, the signature confirmation happens in dom0 or in the sys-net?

Dom0 updates are verified in dom0, template updates are verified in templates. 
But that's not important if your adversary can factorize the release signing key.

> Doubling up the key length seems like an interesting prospect, but has the 
> potential risk to fail in the future by quantum computing

Why? Doubling key size is an asymptotic countermeasure. Moreover, for 
brute force (but not necessarily for other types of attack), Grover's algorithm 
has been proven to be optimal, i.e., you can't do asymptotically better. 
Unless a QC can perform many, many, many more operations in the same time and at 
the same cost, it should suffice. Unless there is some extra breakthrough. 
Remember, virtually no cryptographic scheme has been proven to be secure 
(except some like  and Vernam cipher – but those have limited 
applicability), so someone might theoretically break AES tomorrow. We just 
rely on the fact that many people have failed with this, so this is unlikely. 
But this is a theoretical issue even without QC.

> I've wondered for a good while if splitting up a symmetric encrypted file in 
> multiple parts, say for example minimum two parts, and sending one over the 
> internet, and carrying the other on yourself in person, that if only one part is 
> stolen (for example someone steals your laptop with sensitive competitive 
> business trade secrets), then it's still uncrackable?

Usually no, unless you use a scheme specially designed for that. You might be 
interested in secret sharing, which is an even more powerful concept.

> Wait, hold on, your last line, regarding that "some" asymmetric encryption is 
> believed to be secure against future quantum computing? Is it possible to 
> elaborate on that?

For example, see https://en.m.wikipedia.org/wiki/NTRU .

> Also if this turns out to indeed be quantum crack proof, would it be 
> feasible to use these for what we currently use symmetric encryption for?

You could, but I see no reason for that. QC makes brute force considerably 
easier, but it is still considerably hard. With a proper key size, symmetric 
crypto will still be faster and probably have smaller keys for a comparable 
security level.

For asymmetric ciphers, brute force is usually not much considered, because there 
are usually better attacks. But Grover's algorithm should be applicable even 
to asymmetric ciphers. It however does not make much sense (at least not 
without modifications), because they have much larger keys.

> Also, correct me if I'm wrong, but aren't there here two exponential effects, 
> one on top of the other? Which may be overlooked by us too. I mean, imagine 
> the scalability of doubling the qubits every day, it's not linear, it's 
> exponential. But the qubits themselves are exponential too.

AFAIU, this is a common misconception. Well, you need exponentially growing 
space for emulating a QC on a classical computer. But you don't get an exponentially 
faster computer. You get a computer with more memory. Such a computer can process 
larger tasks, e.g., factorize larger numbers. But once you have enough memory, 
adding more qubits makes AFAIU no improvement.

Regards,
Vít Šesták 'v6ak'

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/4c85ee7e-b7a2-4f25-be68-022132c517fd%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-13 Thread eliott . teissonniere
Speaking of quantum network, it is doable, for instance you can check 
araknet.eliott.tech



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-12 Thread Sandy Harris
On Sat, Nov 11, 2017 at 6:22 PM, Chris Laprise  wrote:

>>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>>> most other disk encryption uses symmetric crypto.
>>>
>>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>>> specific security issues that need to be addressed).

>> or is it because asymmetry is typically used more when send over the
>> internet compared to symmetry which is more often used offline?

No.

> There are some articles/talks that explain the difference, but it's not due
> to entropy. It's because the public key provides too much info about the
> private key to a qc search algorithm. This was already the case with regular
> computer searches, at least with RSA which uses much larger keys than a
> symmetric cipher like AES to compensate for the issue.
>
> A figure I heard was that qc can cut search time for symmetric key merely in
> half, whereas it can cut time for asymmetric key by orders of magnitude.

It is more complex than that, but that is a usable first approximation
for many cases.

> Most Internet encryption is based on asymmetric ciphers. That's the main
> issue and Qubes is not special in any sense on this topic.

Symmetric encryption is much faster & is used for nearly all
encryption of large chunks or streams of data -- messages in PGP,
connections in SSH or TLS or IPsec, disk or file contents in other
systems -- and in hash algorithms & variants using them like the HMAC
construction. These can provide one level of authentication; if
decryption succeeds then the recipient knows the sender had the
right key & if HMAC succeeds he knows the message received is
(overwhelmingly likely to be) identical to what was sent or the file
read identical to what was stored.

Asymmetric encryption gives a different type of authentication,
proving the other player had a particular private key. This solves the
key management problem which is very difficult with symmetric crypto
alone. A major government can send a junior military officer to fly to
an embassy once a month to deliver keys, but without public key
(asymmetric) techniques anyone else has a real problem ensuring that
the right people have the keys & enemies do not.

It also gives digital signatures which are used in authenticating the
players for SSH, SSL, IPsec connections. With symmetric techniques
alone, you can know that only the receiver can read your messages, but
you need the public key stuff to know who you are talking to.
Signatures are also used to be sure the file you download was produced
by Qubes people, not by say a malicious government or some gang of
botnet builders.

One explanation of the roles of the two algorithm types:
http://en.citizendium.org/wiki/Hybrid_cryptosystem



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-12 Thread Leo Gaspard
On 11/12/2017 10:43 AM, Yuraeitha wrote:
>> As for quantum networks, they are slightly more obtainable than, say, 
>> moon rockets.
>
> [...]
> Given the fiber internet network might be able to carry these signals, it's 
> not farfetched to imagine we'll start to have portions of Quantum internet in 
> less than 10 years. It's a cheap technology too. While sure such research 
> costs a lot to do, the technology itself should be relatively cheap, and a 
> lot of the quantum computing research costs come from universities whom give 
> away their research fore free mostly now a days (Open Science movement, kinda 
> like Open Source movement).
> [...]

The issue with all current quantum-physics-based encryption that I know
of is that it requires a direct fiber link between the source and the
destination. Also, the segment length is currently about 4-5 km if I
remember correctly, though it may just as well have changed since a few
years ago.

But this direct fiber link means quantum-physics-based encryption will
never be end-to-end between you and the website you are visiting. And if
this quantum-physics-based encryption is terminated by e.g. your ISP (the
only one you have a physical fiber link to), then your ISP could use the
exact same techniques as before to spy on you.

Basically, quantum-physics-based encryption is nice in that it is
demonstrably secure (modulo Bell's inequalities, last time I checked on
this is getting quite old, so I'm not sure about every detail). But its
constraints of use are really huge, so it is not likely to ever get in
your house unless you're at the head of a billion-dollar-level entity,
be it a state or a company.

> I've wondered for a good while if splitting up a symmetric encrypted file in 
> multiple parts, say for example minimum two parts, and sending one over the 
> internet, and carrying the other on yourself in person, that if only one part is 
> stolen (for example someone steals your laptop with sensitive competitive 
> business trade secrets), then it's still uncrackable? However it's mostly 
> been a fun thought experiment, I never managed to confirm it, but I imagine 
> businesses or even government agencies would want to use such approaches if 
> it's applicable? If it isn't already.

Such a scheme is the Vernam cipher. It is the only other provably secure
cryptographic system that I know of (all the others are based on “we
think this problem is hard, so let's prove the cryptosystem is at least
as hard as this problem”).

Basically, to encrypt an N-bit-long message, you generate an N-bit key
(with perfect randomness, which is a point where the issue usually
lies), you xor it with your message, and to decrypt the message you just
xor the encrypted message with the key again. You could then just send
the key and the encrypted message through the two means.

Funnily enough, Vernam ciphers are actually the basis for
quantum-physics-based encryption. The quantum channel is only used to
generate the random N-bit key in a way such that it is shared by the two
protagonists and no eavesdropper could get a reasonable amount of bits
without being detected (in which case the transmission can be cancelled
without ever using the key).

Cheers & hope that helps,
Leo
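The two-part split asked about above, in the form Leo describes (a fresh random pad as one part, the XORed message as the other), as an added example that is not part of any post in this thread. It generalises the construction to n shares that are all required, shows why n-1 shares are consistent with every possible plaintext of that length (the perfect-secrecy argument), and shows the pad-reuse caveat behind "perfect randomness". Threshold k-of-n secret sharing, which Vít mentions as the more powerful concept, needs a different construction and is not covered here. Python standard library only; all sample values are constructed.

```python
import secrets


def xor_bytes(*parts: bytes) -> bytes:
    """XOR any number of equal-length byte strings together."""
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("all parts must have the same length")
    out = bytearray(length)
    for part in parts:
        for i, byte in enumerate(part):
            out[i] ^= byte
    return bytes(out)


def split_secret(message: bytes, n: int = 2) -> list[bytes]:
    """Split `message` into n shares that are ALL required to rebuild it.

    The first n-1 shares are fresh, uniformly random pads of message
    length (the Vernam key material, drawn from the OS CSPRNG); the last
    share is the message XORed with every pad, i.e. the one-time-pad
    ciphertext.  n=2 is the "one part over the internet, one part carried
    in person" scheme from the thread.
    """
    if n < 2:
        raise ValueError("need at least two shares")
    pads = [secrets.token_bytes(len(message)) for _ in range(n - 1)]
    return pads + [xor_bytes(message, *pads)]


def combine_shares(shares: list[bytes]) -> bytes:
    """Recover the message: XOR is its own inverse, so every pad cancels."""
    return xor_bytes(*shares)


def missing_share_for(known: list[bytes], candidate: bytes) -> bytes:
    """Given all shares but one, return the missing share under which the
    shares would decode to `candidate`.

    Such a share exists for EVERY candidate of the right length, so whoever
    holds only n-1 shares (e.g. the stolen laptop) cannot tell which
    plaintext is the real one.  Only the message length is revealed.
    """
    return xor_bytes(candidate, *known)


def pad_reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """Caveat: a pad may protect exactly one message.  If the same pad is
    reused, XORing the two ciphertexts cancels it and yields a XOR b,
    which is structured rather than random, so perfect secrecy is lost."""
    return xor_bytes(ciphertext_a, ciphertext_b)


def demo() -> bool:
    # Constructed sample data; same length so the decoy is a valid candidate.
    secret = b"Q3 bid: EUR 2.35 per unit, valid to 30 Nov"
    decoy = b"Q3 bid: EUR 9.99 per unit, valid to 01 Dec"
    assert len(secret) == len(decoy)

    shares = split_secret(secret, n=3)
    ok = combine_shares(shares) == secret

    # Holding two of three shares, the decoy is exactly as plausible.
    third = missing_share_for(shares[:2], decoy)
    ok &= combine_shares(shares[:2] + [third]) == decoy

    # Reusing one pad across both messages leaks their XOR.
    pad = secrets.token_bytes(len(secret))
    leak = pad_reuse_leak(xor_bytes(secret, pad), xor_bytes(decoy, pad))
    ok &= leak == xor_bytes(secret, decoy)
    return ok


if __name__ == "__main__":
    print("all checks passed" if demo() else "check failed")
```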



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-12 Thread Yuraeitha
@ Chris Laprise
On Saturday, November 11, 2017 at 11:22:37 PM UTC, Chris Laprise wrote:
> On 11/11/2017 08:31 AM, Yuraeitha wrote:
> > On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
> >> On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
> >>> In this case you should ask the luks/dmcrypt mailinglist as that is
> >>> what qubes uses for disk crypto.
> >>>
> >> Would be simpler off the bat to limit discussion to asymmetric crypto,
> >> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
> >> most other disk encryption uses symmetric crypto.
> >>
> >> I believe qvm-backup crypto is also symmetric (although IIRC it may have
> >> specific security issues that need to be addressed).
> >>
> >> Finally, there is anti-evil-maid; I think it uses symmetric but not 
> >> certain.
> >>
> >> -- 
> >>
> >> Chris Laprise, tas...@posteo.net
> >> https://github.com/tasket
> >> https://twitter.com/ttaskett
> >> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
> > That's an interesting twist, and seems like a very good point.
> >
> > Though does that mean asymmetric is more vulnerable due to it's nature of 
> > having two key systems (Private/Public) rather than a single private key? 
> > Lower entropy with two keys perhaps?
> > or is it because asymmetry is typically used more when send over the 
> > internet compared to symmetry which is more often used offline?
> >
> > So then, asymmetric internet protocols going in and out of Qubes, or 
> > encrypted packages or whole encrypted files send over the internet, is the 
> > bigger concern? or the more immediate between the two one I assume. The 
> > question left to me, out of curiosity, is just "why is it the asymmetric 
> > security a bigger concern". Are any of the two guesses the right reason?
> 
> There are some articles/talks that explain the difference, but its not 
> due to entropy. Its because the public key provides too much info about 
> the private key to a qc search algorithm. This was already the case with 
> regular computer searches, at least with RSA which uses much larger keys 
> than a symmetric cipher like AES to compensate for the issue.
> 
> A figure I heard was that qc can cut search time for symmetric key 
> merely in half, whereas its can cut time for asymmetric key by orders of 
> magnitude.
> 
> > Also about another aspect, are there by any chance any kind of encryption 
> > between the ioslated qubes in Qubes? If true, then internet based attacks 
> > cannot attack dom0 no matter what happens in the area of encryption 
> > cracking? but it may be able to attack whatever is using encryption in the 
> > VM itself? But offline physical encryption crack attacks, albeit seemingly 
> > requiring stronger cracking capability, can reach dom0?
> 
> > Specifically, if I understood this correctly, there is no immediate concern 
> > right now to protect with encryption in an offline physical machine, unless 
> > a copy is made of the data and stolen, or the entire drive is stolen, to be 
> > cracked in the future. So if a drive, or copy thereof, is stolen, it may be 
> > a future risk, but otherwise not a current risk.
> >
> > Eventually all this seems to boil down to theft of data, or surveillance, 
> > which is left to be cracked in the future, instead of now. But internet 
> > encrypted data is significantly easier to steal.
> 
> Most Internet encryption is based on asymmetric ciphers. That's the main 
> issue and Qubes is not special in any sense on this topic.
> 
> As for quantum networks, they are slightly more obtainable than, say, 
> moon rockets.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886


So you don't have a moon rocket in your backyard? Really? Everyone has that by 
now. 

Joke aside xD I do actually think Quantum networks are much closer than we 
might think at first when first hearing about it, it's probably the quantum 
part that makes it seem so distant and futuristic. It's not as complex as 
quantum computing, and much less work has gone into it, yet prototypes are 
already up and working around the world as we speak. It's basically a simple 
transfer of data through light and not something of the scale of a whole 
quantum computer.

Given the fiber internet network might be able to carry these signals, it's not 
farfetched to imagine we'll start to have portions of Quantum internet in less 
than 10 years. It's a cheap technology too. While sure such research costs a 
lot to do, the technology itself should be relatively cheap, and a lot of the 
quantum computing research costs come from universities who give away their 
research for free mostly nowadays (Open Science movement, kinda like Open 
Source movement).
So given we already partly have an infrastructure that can carry it, and given we 
currently have working prototypes, and given the technology itself appears 

Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Chris Laprise

On 11/11/2017 08:31 AM, Yuraeitha wrote:

On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:

On 11/10/2017 05:51 PM, taii...@gmx.com wrote:

In this case you should ask the luks/dmcrypt mailinglist as that is
what qubes uses for disk crypto.


Would be simpler off the bat to limit discussion to asymmetric crypto,
as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
most other disk encryption uses symmetric crypto.

I believe qvm-backup crypto is also symmetric (although IIRC it may have
specific security issues that need to be addressed).

Finally, there is anti-evil-maid; I think it uses symmetric but not certain.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

That's an interesting twist, and seems like a very good point.

Though does that mean asymmetric is more vulnerable due to its nature of 
having two key systems (Private/Public) rather than a single private key? Lower 
entropy with two keys perhaps?
or is it because asymmetry is typically used more when sent over the internet 
compared to symmetry which is more often used offline?

So then, asymmetric internet protocols going in and out of Qubes, or encrypted packages 
or whole encrypted files sent over the internet, is the bigger concern? or the more 
immediate between the two one I assume. The question left to me, out of curiosity, is 
just "why is the asymmetric security a bigger concern". Are any of the two 
guesses the right reason?


There are some articles/talks that explain the difference, but it's not 
due to entropy. It's because the public key provides too much info about 
the private key to a qc search algorithm. This was already the case with 
regular computer searches, at least with RSA which uses much larger keys 
than a symmetric cipher like AES to compensate for the issue.


A figure I heard was that qc can cut search time for symmetric key 
merely in half, whereas it can cut time for asymmetric key by orders of 
magnitude.



Also about another aspect, are there by any chance any kind of encryption 
between the isolated qubes in Qubes? If true, then internet based attacks 
cannot attack dom0 no matter what happens in the area of encryption cracking? 
but it may be able to attack whatever is using encryption in the VM itself? But 
offline physical encryption crack attacks, albeit seemingly requiring stronger 
cracking capability, can reach dom0?



Specifically, if I understood this correctly, there is no immediate concern 
right now to protect with encryption in an offline physical machine, unless a 
copy is made of the data and stolen, or the entire drive is stolen, to be 
cracked in the future. So if a drive, or copy thereof, is stolen, it may be a 
future risk, but otherwise not a current risk.

Eventually all this seems to boil down to theft of data, or surveillance, which 
is left to be cracked in the future, instead of now. But internet encrypted 
data is significantly easier to steal.


Most Internet encryption is based on asymmetric ciphers. That's the main 
issue and Qubes is not special in any sense on this topic.


As for quantum networks, they are slightly more obtainable than, say, 
moon rockets.


--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Vít Šesták
QC is a potential threat for both symmetric and asymmetric cryptography, just 
the symmetric cryptography is threatened quite a bit more. And even asymmetric 
cryptography is important for QubesOS security because of update signatures.

Symmetric cryptography is threatened by Grover's algorithm. The algorithm can 
perform brute-force search in N elements in O(sqrt(N)) time. In other words, it 
reduces O(2^n) time to O(2^(n/2)) time. What's great: There is some proof that 
this algorithm is optimal (probably under the assumption that P≠NP). So, just using 
double-length keys should be sufficient. This could justify AES256 instead of 
AES128. Doubling the key length could be an issue for passwords, but if you use 
a memory-intensive key derivation function, it might be infeasible to run it on 
quantum computers for some time.

Asymmetric crypto usually (always?) relies on problems that are believed to be 
easier than NP. Some of them (integer factorization and the discrete logarithm 
problem) can be solved in polynomial time on a QC (they belong to the BQP class), 
which would be a real threat for cryptography like RSA and ECC. There are some 
“QC-proof” asymmetric schemes that are believed to be secure against QC. But those 
aren't widely used yet. It could be useful to use them together with some old 
schemes like RSA or ECC.

Regards,
Vít Šesták 'v6ak'



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Yuraeitha
On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
> On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
> > In this case you should ask the luks/dmcrypt mailinglist as that is 
> > what qubes uses for disk crypto.
> >
> 
> Would be simpler off the bat to limit discussion to asymmetric crypto, 
> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and 
> most other disk encryption uses symmetric crypto.
> 
> I believe qvm-backup crypto is also symmetric (although IIRC it may have 
> specific security issues that need to be addressed).
> 
> Finally, there is anti-evil-maid; I think it uses symmetric but not certain.
> 
> -- 
> 
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886

That's an interesting twist, and seems like a very good point. 

Though does that mean asymmetric is more vulnerable due to its nature of 
having two key systems (Private/Public) rather than a single private key? Lower 
entropy with two keys perhaps? 
or is it because asymmetry is typically used more when sent over the internet 
compared to symmetry which is more often used offline?

So then, asymmetric internet protocols going in and out of Qubes, or encrypted 
packages or whole encrypted files sent over the internet, is the bigger 
concern? or the more immediate between the two one I assume. The question left 
to me, out of curiosity, is just "why is the asymmetric security a bigger 
concern". Are any of the two guesses the right reason?


Also about another aspect, are there by any chance any kind of encryption 
between the isolated qubes in Qubes? If true, then internet based attacks 
cannot attack dom0 no matter what happens in the area of encryption cracking? 
but it may be able to attack whatever is using encryption in the VM itself? But 
offline physical encryption crack attacks, albeit seemingly requiring stronger 
cracking capability, can reach dom0?

Specifically, if I understood this correctly, there is no immediate concern 
right now to protect with encryption in an offline physical machine, unless a 
copy is made of the data and stolen, or the entire drive is stolen, to be 
cracked in the future. So if a drive, or copy thereof, is stolen, it may be a 
future risk, but otherwise not a current risk.

Eventually all this seems to boil down to theft of data, or surveillance, which 
is left to be cracked in the future, instead of now. But internet encrypted 
data is significantly easier to steal.

This could be solved with the quantum network China made a big move towards 
recently though? One of the articles here about Quantum networks that goes into 
the pros and cons, as well as the feasibility and possible directions with the 
technology can take in the future. It seems this short brief article covers a 
bit of everything regarding this complex area 
https://www.wired.com/story/quantum-internet-is-13-years-away-wait-whats-quantum-internet/

Assuming quantum internet ever becomes a full scale replacement of our 
internet, perhaps this is the game changer we need to fix asymmetric 
encryption? After all, it wouldn't be a matter of hacking mathematics, it'd be 
increased to a level of hacking physics and circumventing the laws of the 
universe. Anyone trying to read the signal would apparently scramble it and 
make it unreadable. 

But in contrast, this cannot be used in symmetric encryption of i.e. local 
files and drives? and it requires a proper medium, like light fiber cables or 
similar, to carry the quantum signals, which would mean a lot of our modern 
infrastructure is not usable for quantum networking. 

It seems promising though, especially if it would arrive sooner rather than 
later to Linux/Qubes.

For example, the implications of combining quantum networking with the Tor 
network? It'd be potentially unhackable network/internet private connections? 
Tor's weakness, one of the bigger ones, is traffic sniffing at the end nodes. 
A quantum based internet could fix that issue on Tor, making it impossible to 
both know what is sent, as well as to whom it was from or to.

Would there be any loose ends though? For example the joint between Qubes OS 
itself, and a future quantum based Tor based network? The weakness could be the 
joints and exploiting these with malware/surveillance? 
If the unit expected to receive the quantum signal itself is infected, then it 
could still surveil any data/connections going through it? 


Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Chris Laprise

On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
In this case you should ask the luks/dmcrypt mailinglist as that is 
what qubes uses for disk crypto.




Would be simpler off the bat to limit discussion to asymmetric crypto, 
as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and 
most other disk encryption uses symmetric crypto.


I believe qvm-backup crypto is also symmetric (although IIRC it may have 
specific security issues that need to be addressed).


Finally, there is anti-evil-maid; I think it uses symmetric but not certain.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886



Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Yuraeitha
On Friday, November 10, 2017 at 10:29:48 PM UTC, Sandy Harris wrote:
> On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha  wrote:
> 
> > Either way, cryptography protected by "structure", should be safe against a 
> > quantum computer, no? while all encryption without structure, would be 
> > extremely vulnerable to quantum computers?
> 
> I am not sure what you mean by "structure" in this context. If any of
> my guesses are correct, then I do not think that is the issue.
> 
> > Basically, long story short, is Qubes at risk in the near future of real 
> > quantum computing decryption attacks? For example, has there already gone 
> > thoughts or even development into securing Qubes against type of attacks 
> > like these?
> 
> I'm on several crypto mailing lists & follow the field fairly closely,
> though I would not claim to understand everything I read, let alone
> everything going on. As far as I can see, more-or-less everyone in the
> field agrees quantum computers are a serious threat in the long term,
> but no-one is much worried about threats in the next few years. Of
> course they could be wrong; neither AI researchers nor Go players
> thought a program that could win against top human players would turn
> up for decades, but then Google produced Alpha Go which did just that.
> A real paranoid would worry about whether some government lab already
> had a quantum computer capable of breaking a lot of crypto; my guess
> is that is not a realistic fear, but who knows?
> 
> The most worrisome threat is that a large enough (a few thousand
> q-bits) quantum machine breaks RSA public key encryption. RSA relies
> on sufficiently large semi-primes (products of two primes) being hard
> to factor. See https://en.wikipedia.org/wiki/Integer_factorization for
> background. There are about a dozen known methods for finding the
> factors, but on classical computers none that are efficient in the
> general case. On a quantum computer, though, there is a known
> efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm
> so a big enough quantum machine breaks RSA.
> 
> That is a huge threat since RSA is very widely used. PGP, IPsec,
> Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
> does. There are other public key methods that might replace RSA, but
> it is not clear they are safe either.

My bad, I made an important typo in the text above with the word 
possible/impossible, first two lines in second paragraph.  

"SO, by structure, I mean, what if the labyrinth is full of closed doors, where 
you need to solve puzzles that are possible to solve with numbers?"

Should be, 

"So, by structure, I mean, what if the labyrinth is full of closed doors, where 
you need to solve puzzles that are impossible to solve with numbers to get past 
it?"

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f68d2ad7-dc8f-4bb0-8598-208f6ae47fa2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-11 Thread Yuraeitha
@ Sandy Harris
On Friday, November 10, 2017 at 10:29:48 PM UTC, Sandy Harris wrote:
> On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha wrote:
> 
> > Either way, cryptography protected by "structure", should be safe against a 
> > quantum computer, no? while all encryption without structure, would be 
> > extremely vulnerable to quantum computers?
> 
> I am not sure what you mean by "structure" in this context. If any of
> my guesses are correct, then I do not think that is the issue.
> 
> > Basically, long story short, is Qubes at risk in the near future of real 
> > quantum computing decryption attacks? For example, has there already gone 
> > thoughts or even development into securing Qubes against type of attacks 
> > like these?
> 
> I'm on several crypto mailing lists & follow the field fairly closely,
> though I would not claim to understand everything I read, let alone
> everything going on. As far as I can see, more-or-less everyone in the
> field agrees quantum computers are a serious threat in the long term,
> but no-one is much worried about threats in the next few years. Of
> course they could be wrong; neither AI researchers nor Go players
> thought a program that could win against top human players would turn
> up for decades, but then Google produced AlphaGo which did just that.
> A real paranoid would worry about whether some government lab already
> had a quantum computer capable of breaking a lot of crypto; my guess
> is that is not a realistic fear, but who knows?
> 
> The most worrisome threat is that a large enough (a few thousand
> q-bits) quantum machine breaks RSA public key encryption. RSA relies
> on sufficiently large semi-primes (products of two primes) being hard
> to factor. See https://en.wikipedia.org/wiki/Integer_factorization for
> background. There are about a dozen known methods for finding the
> factors, but on classical computers none that are efficient in the
> general case. On a quantum computer, though, there is a known
> efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm
> so a big enough quantum machine breaks RSA.
> 
> That is a huge threat since RSA is very widely used. PGP, IPsec,
> Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
> does. There are other public key methods that might replace RSA, but
> it is not clear they are safe either.

Let me try to rephrase the structure part, I may not have understood it correctly, 
and I can tell you know more than I do about encryption, so let me try to emphasize 
the quantum part, which may or may not be right. I'm curious whether or how it 
can fit into encryption, so this is kind of a thought experiment. The logic in 
this analogy I'm sure you already know, but I want to use the analogy's 
conclusion to make a point afterwards, so here goes. Using a massive labyrinth 
analogy to solve a decryption calculation, a traditional classic computer can 
only seek one path at a time (1/0 on/off transistor logic), and if it's a dead 
end, it has to return to try another path, each turn, or dead end, being a 
calculated 1/0 state of information. A quantum computer can do many or even all 
paths at once in a single calculation instant, with having multiple or 
exponentially many states between 1/0, thereby following multiple paths, 
resulting in a lot of dead ends, but at the same time discovering the single 
path out of the massive labyrinth, all in a few or a single calculation, 
depending on how many qubits the quantum computer has available. 

It's a bit simplified, but enough to make the analogy point. SO, by structure, 
I mean, what if the labyrinth is full of closed doors, where you need to solve 
puzzles that are possible to solve with numbers? But instead use something like 
human thought logic pattern? This would require either a human or a 
sophisticated A.I. to solve, but it's also more akin to that of a traditional 
computer, patterns, structures, based in many 1/0 forming a structure, and the 
answer can only be found if maintaining this structure all at once. A quantum 
computer cannot do that, right? If I understood it correctly, a quantum 
computer may be truly scary in its insane calculative power, but, it's by no 
means capable of being "smart", at the very least, not on its own. 

Where my knowledge of how encryption works truly falls apart is regarding the 
need of near-perfect or the not-yet-reached, difficult-to-achieve perfect entropy. 
The more entropy, or chaos without structure and order, the harder it becomes 
to predict anything, and the harder it becomes to crack an encryption. This 
much is correctly understood I assume? So, if putting in roadblocks for the 
quantum computer, which it cannot calculate, it significantly slows down its 
quantum speed. Even if introducing a classic computer or A.I. to work together 
with the quantum computer, if the road blocks are difficult enough, it would 
overall slow down the quantum computer enough to make it 

Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-10 Thread taii...@gmx.com
In this case you should ask the luks/dmcrypt mailing list as that is what 
qubes uses for disk crypto.


I doubt anyone here bar the internet's favorite folk hero "kedward 
howden" would piss off some company/government enough for them to spend 
the hundreds of thousands of dollars to rent such a machine.


--
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/51d69633-59ac-5811-8fa5-cb969c591d6a%40gmx.com.


Re: [qubes-users] Qubes & Quantum decryption Immunity

2017-11-10 Thread Sandy Harris
On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha wrote:

> Either way, cryptography protected by "structure", should be safe against a 
> quantum computer, no? while all encryption without structure, would be 
> extremely vulnerable to quantum computers?

I am not sure what you mean by "structure" in this context. If any of
my guesses are correct, then I do not think that is the issue.

> Basically, long story short, is Qubes at risk in the near future of real 
> quantum computing decryption attacks? For example, has there already gone 
> thoughts or even development into securing Qubes against type of attacks like 
> these?

I'm on several crypto mailing lists & follow the field fairly closely,
though I would not claim to understand everything I read, let alone
everything going on. As far as I can see, more-or-less everyone in the
field agrees quantum computers are a serious threat in the long term,
but no-one is much worried about threats in the next few years. Of
course they could be wrong; neither AI researchers nor Go players
thought a program that could win against top human players would turn
up for decades, but then Google produced AlphaGo which did just that.
A real paranoid would worry about whether some government lab already
had a quantum computer capable of breaking a lot of crypto; my guess
is that is not a realistic fear, but who knows?

The most worrisome threat is that a large enough (a few thousand
q-bits) quantum machine breaks RSA public key encryption. RSA relies
on sufficiently large semi-primes (products of two primes) being hard
to factor. See https://en.wikipedia.org/wiki/Integer_factorization for
background. There are about a dozen known methods for finding the
factors, but on classical computers none that are efficient in the
general case. On a quantum computer, though, there is a known
efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm
so a big enough quantum machine breaks RSA.

That is a huge threat since RSA is very widely used. PGP, IPsec,
Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
does. There are other public key methods that might replace RSA, but
it is not clear they are safe either.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/CACXcFmkqCY1tPn21bnKKYGnzVBrUyOpFshKutJxg%2BswMWn97Tg%40mail.gmail.com.
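The RSA-versus-Shor point in Sandy's message above, as an added example that is not part of the original post or of Qubes: the classical half of Shor's algorithm on a textbook-sized modulus. The quantum part of Shor only finds the period of a^x mod N; here that step is brute-forced (which is exactly what a classical machine cannot do at real key sizes), and the rest is plain number theory that turns the period into the factors and then into the private key. The modulus, exponents and ciphertext are constructed textbook values.

```python
# Added example (not from the thread or Qubes): the classical half of Shor's
# algorithm, with the quantum period-finding step replaced by brute force.
from math import gcd
from typing import Optional, Tuple

def find_period(a: int, n: int) -> int:
    """Smallest r >= 1 with a**r == 1 (mod n). Stand-in for the quantum
    order-finding step; exponential in log n, hence RSA's classical safety."""
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r

def split_with_base(n: int, a: int) -> Optional[Tuple[int, int]]:
    """Turn the period of a^x mod n into a factor pair of n. Returns None
    for an unlucky base (odd period, or a^(r/2) == -1 mod n); Shor retries."""
    g = gcd(a, n)
    if g != 1:                        # a already shares a factor with n
        return (min(g, n // g), max(g, n // g))
    r = find_period(a, n)
    if r % 2:
        return None
    y = pow(a, r // 2, n)             # y*y == 1 (mod n) but y != 1
    if y == n - 1:
        return None                   # y == -1 yields only trivial gcds
    p = gcd(y - 1, n)                 # since (y-1)(y+1) == 0 (mod n)
    return (min(p, n // p), max(p, n // p))

def factor_rsa_modulus(n: int) -> Tuple[int, int]:
    """Try bases a = 2, 3, ... until one yields the factors of n."""
    for a in range(2, n):
        pair = split_with_base(n, a)
        if pair is not None:
            return pair
    raise ValueError("no factorisation found; is n a prime power?")

def recover_private_exponent(e: int, p: int, q: int) -> int:
    """With p, q known, d = e^-1 mod (p-1)(q-1): factoring = full key recovery."""
    return pow(e, -1, (p - 1) * (q - 1))

if __name__ == "__main__":
    # Constructed textbook key: N = 53 * 61 = 3233, e = 17, c = 65**e mod N.
    n, e, ciphertext = 3233, 17, 2790
    p, q = factor_rsa_modulus(n)
    d = recover_private_exponent(e, p, q)
    print(f"N = {p} * {q}, d = {d}, plaintext = {pow(ciphertext, d, n)}")
```

Base a = 2 is one of the unlucky cases for this modulus (a^(r/2) comes out as -1), so the loop moves on to a = 3, which shows why the algorithm is probabilistic and needs the retry.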


[qubes-users] Qubes & Quantum decryption Immunity

2017-11-10 Thread Yuraeitha
With news, like the 50-bit Quantum computer by IBM announced earlier today, for 
now only capable to run over 90 seconds, concerns over the safety of 
encryption appear to be slowly increasing. 

https://www.technologyreview.com/s/609451/ibm-raises-the-bar-with-a-50-qubit-quantum-computer/?utm_campaign=Technology+Review_source=facebook.com_medium=social

Obviously there are encryption forums out there, and the encryption tools Qubes 
uses are developed and supported by third parties specializing in the field. 
However I'd like to see a discussion with Qubes in mind. 

From a developer's perspective, with insight into cryptography, what is your 
take on this? Would the types of encryption Qubes uses be at risk of being 
brute-forced by a quantum computer?

The way I understood it, quantum computers cannot replace traditional computers, because the many 
simultaneous multiple state between 1/0 leaves no structure in the code, 
therefore it's impossible to make programs or code with it without structure. 
Quantum computers strive for entropy or "chaos", while traditional computing 
machine code strive for order and frameworks. So that supposedly means quantum 
computers are limited to solving large number problems, but cannot "create" or 
"decrypt" anything that is a large "structured" computing calculation. I may 
have gotten this wrong, but that's how I currently see it. I still do not 
perceive how encryption immune to quantum computers should work, i.e. how to 
implement structure into a large encryption calculation without giving it 
predictability or non-near-perfect / non-perfect entropy. It just seems 
contradictory, how is that even possible. 

Either way, cryptography protected by "structure", should be safe against a 
quantum computer, no? while all encryption without structure, would be 
extremely vulnerable to quantum computers? 

Basically, long story short, is Qubes at risk in the near future of real 
quantum computing decryption attacks? For example, has there already gone 
thoughts or even development into securing Qubes against type of attacks like 
these?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/f653eaba-3ca8-48a8-a3e4-1fdf62032389%40googlegroups.com.