Re: [qubes-users] Qubes & Quantum decryption Immunity
Hello, I'll react to multiple questions and statements from multiple people.

> A figure I heard was that qc can cut search time for symmetric key merely in
> half, whereas it can cut time for asymmetric key by orders of magnitude.

No. For a symmetric key, it does not halve the time. It works like halving the key length. It is an asymptotic improvement. With a classical computer, adding one bit doubles the time for brute force. With a QC, adding *two* bits doubles the time for probabilistic brute force. See Grover's algorithm as I mentioned above. For asymmetric cryptography, "orders of magnitude" can be true, but it does not express that it is an asymptotic improvement: you can solve some problems in *polynomial* time. But there are some ciphers that are believed to be quantum-resistant, meaning that there is no such known attack.

> in Qubes, the signature confirmation happens in dom0 or in the sys-net?

Dom0 updates are verified in dom0, template updates are verified in templates. But that's not important if your adversary can factorize the release signing key.

> Doubling up the key length seems like an interesting prospect, but has the
> potential risk to fail in the future by quantum computing

Why? Doubling the key size is an asymptotic countermeasure. Moreover, for brute force (but not necessarily for other types of attack), Grover's algorithm has been proven to be optimal, i.e., you can't do asymptotically better. Unless a QC can perform many, many, many more operations in the same time and at the same cost, it should suffice. Unless there is some extra breakthrough. Remember, virtually no cryptographic scheme has been proven to be secure (except some, like the Vernam cipher, but those have limited applicability), so someone might theoretically break AES tomorrow. We just rely on the fact that many people have failed with this, so this is unlikely. But this is a theoretical issue even without QC.
> I've wondered for a good while if splitting up a symmetric encrypted file in
> multiple parts, say for example minimum two parts, and send one over the
> internet, and carry the other on yourself in person, that if only one part is
> stolen (for example someone steals your laptop with sensitive competitive
> business trade secrets), then it's still uncrackable?

Usually no, unless you use a scheme specially designed for that. You might be interested in secret sharing, which is an even more powerful concept.

> Wait, hold on, your last line, regarding that "some" asymmetric encryption is
> believed to be secure against future quantum computing? Is it possible to
> elaborate on that?

For example, see https://en.m.wikipedia.org/wiki/NTRU .

> Also if this turns out to indeed be quantum crack proof, would it be
> feasible to use these for what we currently use symmetric encryption for?

You could, but I see no reason for that. QC makes brute force considerably easier, but it is still considerably hard. With a proper key size, symmetric crypto will still be faster and will probably have smaller keys for a comparable security level. For asymmetric ciphers, brute force is usually not much considered, because there are usually better attacks. But Grover's algorithm should be applicable even to asymmetric ciphers. It however does not make much sense (at least not without modifications), because they have much larger keys.

> Also, correct me if I'm wrong, but aren't there here two exponential effects,
> one on top of the other? Which may be overlooked by us too. I mean, imagine
> the scalability of doubling the Qubits every day, it's not linear, it's
> exponential. But the Qubits themselves are exponential too.

AFAIU, this is a common misconception. Well, you need exponentially growing space for emulating a QC on a classical computer. But you don't get an exponentially faster computer. You get a computer with more memory. Such a computer can process larger tasks, e.g., factorize larger numbers.
But once you have enough memory, adding more qubits makes AFAIU no improvement.

Regards,
Vít Šesták 'v6ak'

--
You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/4c85ee7e-b7a2-4f25-be68-022132c517fd%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Qubes & Quantum decryption Immunity
Speaking of quantum networks, it is doable; for instance, you can check araknet.eliott.tech
Re: [qubes-users] Qubes & Quantum decryption Immunity
On Sat, Nov 11, 2017 at 6:22 PM, Chris Laprise wrote:

>>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>>> most other disk encryption uses symmetric crypto.
>>>
>>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>>> specific security issues that need to be addressed).

>> or is it because asymmetry is typically used more when sent over the
>> internet compared to symmetry which is more often used offline?

No.

> There are some articles/talks that explain the difference, but it's not due
> to entropy. It's because the public key provides too much info about the
> private key to a qc search algorithm. This was already the case with regular
> computer searches, at least with RSA which uses much larger keys than a
> symmetric cipher like AES to compensate for the issue.
>
> A figure I heard was that qc can cut search time for symmetric key merely in
> half, whereas it can cut time for asymmetric key by orders of magnitude.

It is more complex than that, but that is a usable first approximation for many cases.

> Most Internet encryption is based on asymmetric ciphers. That's the main
> issue and Qubes is not special in any sense on this topic.

Symmetric encryption is much faster & is used for nearly all encryption of large chunks or streams of data -- messages in PGP, connections in SSH or TLS or IPsec, disk or file contents in other systems -- and in hash algorithms & variants using them like the HMAC construction. These can provide one level of authentication; if decryption succeeds then the recipient knows the sender had the right key & if HMAC succeeds he knows the message received is (overwhelmingly likely to be) identical to what was sent or the file read identical to what was stored. Asymmetric encryption gives a different type of authentication, proving the other player had a particular private key.
This solves the key management problem, which is very difficult with symmetric crypto alone. A major government can send a junior military officer to fly to an embassy once a month to deliver keys, but without public key (asymmetric) techniques anyone else has a real problem ensuring that the right people have the keys & enemies do not.

It also gives digital signatures, which are used in authenticating the players for SSH, SSL, IPsec connections. With symmetric techniques alone, you can know that only the receiver can read your messages, but you need the public key stuff to know who you are talking to. Signatures are also used to be sure the file you download was produced by Qubes people, not by, say, a malicious government or some gang of botnet builders.

One explanation of the roles of the two algorithm types: http://en.citizendium.org/wiki/Hybrid_cryptosystem
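The symmetric half of the hybrid picture Sandy describes above (bulk data encrypted with a symmetric key, HMAC telling the receiver the message is unchanged), shown as an added example that is not part of the thread or of any Qubes code. It uses only the Python standard library, so the cipher is a constructed CTR-style keystream built from HMAC-SHA256 rather than AES; the subkey labels, the 16-byte nonce and the 32-byte tag are this example's own choices. In practice you would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a real library; the point here is the encrypt-then-MAC check, which refuses to decrypt anything whose tag does not verify.

```python
"""Added example (not from the thread): symmetric encrypt-then-MAC.

A valid HMAC tag tells the receiver that the sender held the MAC key and
that nonce and ciphertext are exactly what was sent. The keystream below is
a constructed HMAC-based CTR PRF (assumption: no AES in the standard library);
the cipher is not the point, the authentication check is.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16  # example's own choice
TAG_LEN = 32    # SHA-256 output


def derive_subkeys(master: bytes) -> Tuple[bytes, bytes]:
    # Separate encryption and authentication keys (HKDF-style expand with HMAC).
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC(enc_key, nonce || counter) blocks concatenated: a CTR-mode PRF used as the cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. The tag covers nonce and ciphertext."""
    enc_key, mac_key = derive_subkeys(master)
    nonce = nonce if nonce is not None else secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (nothing is decrypted then)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_subkeys(master)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))


def tamper_demo() -> Tuple[bool, bool]:
    """Round-trip a constructed message, then flip one ciphertext bit and watch it be rejected."""
    key = secrets.token_bytes(32)
    msg = b"template update verified in the template"  # constructed sample message
    blob = encrypt(key, msg)
    ok = decrypt(key, blob) == msg
    corrupted = bytearray(blob)
    corrupted[NONCE_LEN + 4] ^= 0x01  # one bit of the ciphertext
    rejected = decrypt(key, bytes(corrupted)) is None
    return ok, rejected


if __name__ == "__main__":
    print(tamper_demo())
```

Note the order of checks in `decrypt`: the tag is verified before any plaintext is produced, and a wrong key fails the same way as a corrupted ciphertext, so the caller learns nothing beyond "reject".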
Re: [qubes-users] Qubes & Quantum decryption Immunity
On 11/12/2017 10:43 AM, Yuraeitha wrote:

>> As for quantum networks, they are slightly more obtainable than, say,
>> moon rockets.
>
> [...]
> Given the fiber internet network might be able to carry these signals, it's
> not far-fetched to imagine we'll start to have portions of Quantum internet in
> less than 10 years. It's a cheap technology too. While sure such research
> costs a lot to do, the technology itself should be relatively cheap, and a
> lot of the quantum computing research costs come from universities who give
> away their research for free mostly nowadays (Open Science movement, kinda
> like Open Source movement).
> [...]

The issue with all current quantum-physics-based encryption that I know of is that it requires a direct fiber link between the source and the destination. Also, the segment length is currently about 4-5 km if I remember correctly, though it may just as well have changed since a few years ago. But this direct fiber link means quantum-physics-based encryption will never be end-to-end between you and the website you are visiting. And if this quantum-physics-based encryption is terminated by e.g. your ISP (the only one you have a physical fiber link to), then your ISP could use the exact same techniques as before to spy on you.

Basically, quantum-physics-based encryption is nice in that it is demonstrably secure (modulo Bell's inequalities; the last time I checked on this is getting quite old, so I'm not sure about every detail). But its constraints of use are really huge, so it is not likely to ever get into your house unless you're at the head of a billion-dollar-level entity, be it a state or a company.
> I've wondered for a good while if splitting up a symmetric encrypted file in
> multiple parts, say for example minimum two parts, and send one over the
> internet, and carry the other on yourself in person, that if only one part is
> stolen (for example someone steals your laptop with sensitive competitive
> business trade secrets), then it's still uncrackable? However it's mostly
> been a fun thought experiment, I never managed to confirm it, but I imagine
> businesses or even government agencies would want to use such approaches if
> it's applicable? If it isn't already.

Such a scheme is the Vernam cipher. It is the only other provably secure cryptographic system that I know of (all the others are based on "we think this problem is hard, so let's prove the cryptosystem is at least as hard as this problem"). Basically, to encrypt an N-bit-long message, you generate an N-bit key (with perfect randomness, which is where the issue usually lies), you XOR it with your message, and to decrypt the message you just XOR the encrypted message with the key again. You could then just send the key and the encrypted message through the two means.

Funnily enough, Vernam ciphers are actually the basis for quantum-physics-based encryption. The quantum channel is only used to generate the random N-bit key in a way such that it is shared by the two protagonists and no eavesdropper could get a reasonable amount of bits without being detected (in which case the transmission can be cancelled without ever using the key).

Cheers & hope that helps,
Leo
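Two ways to split a secret so that one stolen part reveals nothing, as an added example that is not part of either post: the two-part XOR split Leo describes (the key is a fresh uniformly random string as long as the data, i.e. a one-time pad, so either part on its own is uniformly random), and the threshold secret sharing Vít points to earlier in the thread, implemented here as Shamir's (t, n) scheme over the prime field GF(p). The choice of p (the Mersenne prime 2^521 - 1), the share encoding and the sample key are this example's own assumptions.

```python
"""Added example (not from the thread): splitting a secret into parts.

xor_split / xor_join : 2-of-2 split with a one-time pad (the Vernam cipher).
shamir_split / shamir_join : Shamir's (t, n) threshold sharing over GF(P);
any t shares rebuild the secret, fewer than t give no information about it.
"""
import secrets
from typing import List, Tuple

# Mersenne prime 2**521 - 1: any secret of up to 64 bytes is a valid field element.
P = 2 ** 521 - 1


def xor_split(data: bytes) -> Tuple[bytes, bytes]:
    """Return (pad, data XOR pad); the pad is fresh randomness of the same length."""
    pad = secrets.token_bytes(len(data))
    return pad, bytes(a ^ b for a, b in zip(data, pad))


def xor_join(part1: bytes, part2: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(part1, part2))


def _eval_poly(coeffs: List[int], x: int) -> int:
    # Horner evaluation of the polynomial modulo P; coeffs[0] is the constant term.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_split(secret: int, t: int, n: int) -> List[Tuple[int, int]]:
    """Split an integer secret into n shares (x, y) of which any t reconstruct it."""
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    # Random polynomial of degree t-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def shamir_join(shares: List[Tuple[int, int]]) -> int:
    """Lagrange-interpolate the polynomial at x = 0. With fewer than t shares the
    result is a uniformly random field element unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def demo() -> Tuple[bool, bool, bool]:
    """Constructed 32-byte key: 2-of-2 XOR split, then 3-of-5 Shamir split."""
    key = secrets.token_bytes(32)
    a, b = xor_split(key)
    xor_ok = xor_join(a, b) == key
    key_int = int.from_bytes(key, "big")
    shares = shamir_split(key_int, t=3, n=5)
    enough = shamir_join([shares[0], shares[2], shares[4]]) == key_int
    too_few = shamir_join(shares[:2]) != key_int  # two of three: no information
    return xor_ok, enough, too_few


if __name__ == "__main__":
    print(demo())
```

The "usually no" in Vít's reply is visible in the XOR split: it only works because the pad is as long as the data and never reused. Splitting a ciphertext in half without a pad leaves each half as ordinary ciphertext of the same key. Shamir's scheme adds what a two-part split cannot give: losing one laptop no longer loses the secret, because any 3 of the 5 holders can still rebuild it.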
Re: [qubes-users] Qubes & Quantum decryption Immunity
@ Chris Laprise

On Saturday, November 11, 2017 at 11:22:37 PM UTC, Chris Laprise wrote:
> On 11/11/2017 08:31 AM, Yuraeitha wrote:
>> On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
>>> On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
>>>> In this case you should ask the luks/dmcrypt mailinglist as that is
>>>> what qubes uses for disk crypto.
>>>>
>>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>>> most other disk encryption uses symmetric crypto.
>>>
>>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>>> specific security issues that need to be addressed).
>>>
>>> Finally, there is anti-evil-maid; I think it uses symmetric but not
>>> certain.
>>>
>>> --
>>>
>>> Chris Laprise, tas...@posteo.net
>>> https://github.com/tasket
>>> https://twitter.com/ttaskett
>>> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
>> That's an interesting twist, and seems like a very good point.
>>
>> Though does that mean asymmetric is more vulnerable due to its nature of
>> having two key systems (Private/Public) rather than a single private key?
>> Lower entropy with two keys perhaps?
>> or is it because asymmetry is typically used more when sent over the
>> internet compared to symmetry which is more often used offline?
>>
>> So then, asymmetric internet protocols going in and out of Qubes, or
>> encrypted packages or whole encrypted files sent over the internet, is the
>> bigger concern? or the more immediate between the two one I assume. The
>> question left to me, out of curiosity, is just "why is the asymmetric
>> security a bigger concern". Are any of the two guesses the right reason?
>
> There are some articles/talks that explain the difference, but it's not
> due to entropy. It's because the public key provides too much info about
> the private key to a qc search algorithm. This was already the case with
> regular computer searches, at least with RSA which uses much larger keys
> than a symmetric cipher like AES to compensate for the issue.
>
> A figure I heard was that qc can cut search time for symmetric key
> merely in half, whereas it can cut time for asymmetric key by orders of
> magnitude.
>
>> Also about another aspect, are there by any chance any kind of encryption
>> between the isolated qubes in Qubes? If true, then internet based attacks
>> cannot attack dom0 no matter what happens in the area of encryption
>> cracking? but it may be able to attack whatever is using encryption in the
>> VM itself? But offline physical encryption crack attacks, albeit seemingly
>> requiring stronger cracking capability, can reach dom0?
>>
>> Specifically, if I understood this correctly, there is no immediate concern
>> right now to protect with encryption in an offline physical machine, unless
>> a copy is made of the data and stolen, or the entire drive is stolen, to be
>> cracked in the future. So if a drive, or copy thereof, is stolen, it may be
>> a future risk, but otherwise not a current risk.
>>
>> Eventually all this seems to boil down to theft of data, or surveillance,
>> which is left to be cracked in the future, instead of now. But internet
>> encrypted data is significantly easier to steal.
>
> Most Internet encryption is based on asymmetric ciphers. That's the main
> issue and Qubes is not special in any sense on this topic.
>
> As for quantum networks, they are slightly more obtainable than, say,
> moon rockets.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

So you don't have a moon rocket in your backyard? Really? Everyone has that by now.

Joke aside xD I do actually think quantum networks are much closer than we might think at first when first hearing about it; it's probably the quantum part that makes it seem so distant and futuristic. It's not as complex as quantum computing, and much less work has gone into it, yet prototypes are already up and working around the world as we speak. It's basically a simple transfer of data through light and not something of the scale of a whole quantum computer. Given the fiber internet network might be able to carry these signals, it's not far-fetched to imagine we'll start to have portions of quantum internet in less than 10 years. It's a cheap technology too. While sure such research costs a lot to do, the technology itself should be relatively cheap, and a lot of the quantum computing research costs come from universities who give away their research for free mostly nowadays (Open Science movement, kinda like Open Source movement). So given we already partly have an infrastructure that can carry it, and given we currently have working prototypes, and given the technology itself appears
Re: [qubes-users] Qubes & Quantum decryption Immunity
On 11/11/2017 08:31 AM, Yuraeitha wrote:
> On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
>> On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
>>> In this case you should ask the luks/dmcrypt mailinglist as that is
>>> what qubes uses for disk crypto.
>>>
>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>> most other disk encryption uses symmetric crypto.
>>
>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>> specific security issues that need to be addressed).
>>
>> Finally, there is anti-evil-maid; I think it uses symmetric but not
>> certain.
>>
>> --
>>
>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> That's an interesting twist, and seems like a very good point.
>
> Though does that mean asymmetric is more vulnerable due to its nature of
> having two key systems (Private/Public) rather than a single private key?
> Lower entropy with two keys perhaps?
> or is it because asymmetry is typically used more when sent over the
> internet compared to symmetry which is more often used offline?
>
> So then, asymmetric internet protocols going in and out of Qubes, or
> encrypted packages or whole encrypted files sent over the internet, is the
> bigger concern? or the more immediate between the two one I assume. The
> question left to me, out of curiosity, is just "why is the asymmetric
> security a bigger concern". Are any of the two guesses the right reason?

There are some articles/talks that explain the difference, but it's not due to entropy. It's because the public key provides too much info about the private key to a qc search algorithm. This was already the case with regular computer searches, at least with RSA which uses much larger keys than a symmetric cipher like AES to compensate for the issue.

A figure I heard was that qc can cut search time for symmetric key merely in half, whereas it can cut time for asymmetric key by orders of magnitude.

> Also about another aspect, are there by any chance any kind of encryption
> between the isolated qubes in Qubes? If true, then internet based attacks
> cannot attack dom0 no matter what happens in the area of encryption
> cracking? but it may be able to attack whatever is using encryption in the
> VM itself? But offline physical encryption crack attacks, albeit seemingly
> requiring stronger cracking capability, can reach dom0?
>
> Specifically, if I understood this correctly, there is no immediate concern
> right now to protect with encryption in an offline physical machine, unless
> a copy is made of the data and stolen, or the entire drive is stolen, to be
> cracked in the future. So if a drive, or copy thereof, is stolen, it may be
> a future risk, but otherwise not a current risk.
>
> Eventually all this seems to boil down to theft of data, or surveillance,
> which is left to be cracked in the future, instead of now. But internet
> encrypted data is significantly easier to steal.

Most Internet encryption is based on asymmetric ciphers. That's the main issue and Qubes is not special in any sense on this topic.

As for quantum networks, they are slightly more obtainable than, say, moon rockets.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes & Quantum decryption Immunity
QC is a potential threat for both symmetric and asymmetric cryptography, just the symmetric cryptography is threatened quite a bit more. And even asymmetric cryptography is important for QubesOS security because of update signatures.

Symmetric cryptography is threatened by Grover's algorithm. The algorithm can perform a brute-force search in N elements in O(sqrt(N)) time. In other words, it reduces O(2^n) time to O(2^(n/2)) time. What's great: there is some proof that this algorithm is optimal (probably under the assumption that P≠NP). So just using double-length keys should be sufficient. This could justify AES256 instead of AES128. Doubling the key length could be an issue for passwords, but if you use a memory-intensive key derivation function, it might be infeasible to run it on quantum computers for some time.

Asymmetric crypto usually (always?) relies on problems that are believed to be easier than NP. Some of them (integer factorization and the discrete logarithm problem) can be solved in polynomial time on a QC (they belong to the BQP class), which would be a real threat for cryptography like RSA and ECC. There are some "QC-proof" asymmetric schemes that are believed to be secure against QC. But those aren't widely used yet. It could be useful to use them together with some old schemes like RSA or ECC.

Regards,
Vít Šesták 'v6ak'
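Vít's O(2^n) to O(2^(n/2)) claim here, and his "adding two bits doubles the time" phrasing in his later reply, can be watched directly by simulating Grover's amplitude evolution on a toy key space. The following is an added example, not code from the thread: it keeps a state vector of N = 2^n real amplitudes in plain Python (no quantum hardware or library), applies the oracle (sign flip on the one correct key) and the diffusion step (inversion about the mean), and reports the probability of measuring the right key. The key sizes, the marked key and the iteration counts are this example's own choices.

```python
"""Added example (not from the thread): Grover's search on an n-bit toy key.

Each Grover iteration is "oracle, then inversion about the mean". Roughly
(pi/4) * sqrt(N) iterations maximise the probability of the marked key, which
is the O(2**(n/2)) cost; classical exhaustive search needs about N/2 guesses.
"""
import math
from typing import List


def grover_iterations(n_bits: int) -> int:
    """Near-optimal iteration count for one marked key among N = 2**n_bits."""
    return int(round(math.pi / 4 * math.sqrt(2 ** n_bits)))


def classical_expected_guesses(n_bits: int) -> float:
    """Exhaustive search hits the key after N/2 guesses on average."""
    return 2 ** n_bits / 2


def grover_success_probability(n_bits: int, target: int, iterations: int) -> float:
    """Probability of measuring `target` after `iterations` Grover rounds."""
    n = 2 ** n_bits
    amp: List[float] = [1 / math.sqrt(n)] * n      # uniform superposition over all keys
    for _ in range(iterations):
        amp[target] = -amp[target]                  # oracle: flip the sign of the correct key
        mean = sum(amp) / n
        amp = [2 * mean - a for a in amp]           # diffusion: inversion about the mean
    return amp[target] ** 2


def effective_security_bits(key_bits: int) -> int:
    """Grover halves the exponent: AES-128 -> ~64-bit quantum brute force, AES-256 -> ~128."""
    return key_bits // 2


def scaling_table(bit_sizes: List[int]) -> List[dict]:
    """Side-by-side cost growth: each extra bit doubles the classical cost,
    each two extra bits double the Grover iteration count."""
    return [
        {"bits": n,
         "classical_guesses": classical_expected_guesses(n),
         "grover_iterations": grover_iterations(n)}
        for n in bit_sizes
    ]


if __name__ == "__main__":
    for row in scaling_table([8, 10, 12, 14, 16]):
        print(row)
    # 4-bit key, marked key 5: three rounds push the success probability above 0.95,
    # a fourth round overshoots and lowers it again.
    for k in range(5):
        print(k, round(grover_success_probability(4, 5, k), 4))
```

Two details worth noticing in the output: the iteration count for 12 bits is exactly twice that for 10 bits (the "two bits per doubling" point), and running more rounds than (pi/4) sqrt(N) makes the answer less likely, not more, so a real attack has to know roughly how many keys it is searching.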
Re: [qubes-users] Qubes & Quantum decryption Immunity
On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
> On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
>> In this case you should ask the luks/dmcrypt mailinglist as that is
>> what qubes uses for disk crypto.
>>
>
> Would be simpler off the bat to limit discussion to asymmetric crypto,
> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
> most other disk encryption uses symmetric crypto.
>
> I believe qvm-backup crypto is also symmetric (although IIRC it may have
> specific security issues that need to be addressed).
>
> Finally, there is anti-evil-maid; I think it uses symmetric but not certain.
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

That's an interesting twist, and seems like a very good point.

Though does that mean asymmetric is more vulnerable due to its nature of having two key systems (Private/Public) rather than a single private key? Lower entropy with two keys perhaps? Or is it because asymmetry is typically used more when sent over the internet compared to symmetry, which is more often used offline?

So then, asymmetric internet protocols going in and out of Qubes, or encrypted packages or whole encrypted files sent over the internet, is the bigger concern? Or the more immediate between the two, I assume. The question left to me, out of curiosity, is just "why is the asymmetric security a bigger concern". Are any of the two guesses the right reason?

Also about another aspect, are there by any chance any kind of encryption between the isolated qubes in Qubes? If true, then internet based attacks cannot attack dom0 no matter what happens in the area of encryption cracking? But it may be able to attack whatever is using encryption in the VM itself? But offline physical encryption crack attacks, albeit seemingly requiring stronger cracking capability, can reach dom0?

Specifically, if I understood this correctly, there is no immediate concern right now to protect with encryption in an offline physical machine, unless a copy is made of the data and stolen, or the entire drive is stolen, to be cracked in the future. So if a drive, or copy thereof, is stolen, it may be a future risk, but otherwise not a current risk.

Eventually all this seems to boil down to theft of data, or surveillance, which is left to be cracked in the future, instead of now. But internet encrypted data is significantly easier to steal. This could be solved with the quantum network China made a big move towards recently though? One of the articles here about quantum networks goes into the pros and cons, as well as the feasibility and possible directions the technology can take in the future. It seems this short brief article covers a bit of everything regarding this complex area: https://www.wired.com/story/quantum-internet-is-13-years-away-wait-whats-quantum-internet/

Assuming quantum internet ever becomes a full scale replacement of our internet, perhaps this is the game changer we need to fix asymmetric encryption? After all, it wouldn't be a matter of hacking mathematics, it'd be increased to a level of hacking physics and circumventing the laws of the universe. Anyone trying to read the signal would apparently scramble it and make it unreadable. But in contrast, this cannot be used in symmetric encryption of i.e. local files and drives? And it requires a proper medium, like light fiber cables or similar, to carry the quantum signals, which would mean a lot of our modern infrastructure is not usable for quantum networking. It seems promising though, especially if it would arrive sooner rather than later to Linux/Qubes. For example, the implications of combining quantum networking with the Tor network? It'd be potentially unhackable network/internet private connections?

Tor's weakness, one of the bigger ones, is traffic sniffing at the end nodes. A quantum based internet could fix that issue on Tor, making it impossible to both know what is sent, as well as to whom it was from or to. Would there be any loose ends though? For example the joint between Qubes OS itself, and a future quantum based Tor based network? The weakness could be the joints and exploiting these with malware/surveillance? If the unit expected to receive the quantum signal itself is infected, then it could still surveil any data/connections going through it?
Re: [qubes-users] Qubes & Quantum decryption Immunity
On 11/10/2017 05:51 PM, taii...@gmx.com wrote:
> In this case you should ask the luks/dmcrypt mailinglist as that is
> what qubes uses for disk crypto.
>

Would be simpler off the bat to limit discussion to asymmetric crypto, as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and most other disk encryption uses symmetric crypto.

I believe qvm-backup crypto is also symmetric (although IIRC it may have specific security issues that need to be addressed).

Finally, there is anti-evil-maid; I think it uses symmetric but not certain.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
Re: [qubes-users] Qubes & Quantum decryption Immunity
On Friday, November 10, 2017 at 10:29:48 PM UTC, Sandy Harris wrote:
> On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha wrote:
>
>> Either way, cryptography protected by "structure", should be safe against a
>> quantum computer, no? while all encryption without structure, would be
>> extremely vulnerable to quantum computers?
>
> I am not sure what you mean by "structure" in this context. If any of
> my guesses are correct, then I do not think that is the issue.
>
>> Basically, long story short, is Qubes at risk in the near future of real
>> quantum computing decryption attacks? For example, has there already gone
>> thoughts or even development into securing Qubes against type of attacks
>> like these?
>
> I'm on several crypto mailing lists & follow the field fairly closely,
> though I would not claim to understand everything I read, let alone
> everything going on. As far as I can see, more-or-less everyone in the
> field agrees quantum computers are a serious threat in the long term,
> but no-one is much worried about threats in the next few years. Of
> course they could be wrong; neither AI researchers nor Go players
> thought a program that could win against top human players would turn
> up for decades, but then Google produced Alpha Go which did just that.
> A real paranoid would worry about whether some government lab already
> had a quantum computer capable of breaking a lot of crypto; my guess
> is that is not a realistic fear, but who knows?
>
> The most worrisome threat is that a large enough (a few thousand
> q-bits) quantum machine breaks RSA public key encryption. RSA relies
> on sufficiently large semi-primes (products of two primes) being hard
> to factor. See https://en.wikipedia.org/wiki/Integer_factorization for
> background. There are about a dozen known methods for finding the
> factors, but on classical computers none that are efficient in the
> general case. On a quantum computer, though, there is a known
> efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm
> so a big enough quantum machine breaks RSA.
>
> That is a huge threat since RSA is very widely used. PGP, IPsec,
> Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
> does. There are other public key methods that might replace RSA, but
> it is not clear they are safe either.

My bad, I made an important typo in the text above with the word possible/impossible, first two lines in the second paragraph.

"So, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are possible to solve with numbers?"

Should be, "So, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are impossible to solve with numbers to get past it?"
Re: [qubes-users] Qubes & Quantum decryption Immunity
@ Sandy Harris

On Friday, November 10, 2017 at 10:29:48 PM UTC, Sandy Harris wrote:
> [...]
> That is a huge threat since RSA is very widely used. PGP, IPsec,
> Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
> does. There are other public key methods that might replace RSA, but
> it is not clear they are safe either.

Let me try to rephrase the structure part. I may not have understood it correctly, and I can tell you know more than I do about encryption, so let me try to emphasise the quantum part, which may or may not be right. I'm curious whether or how it can fit into encryption, so this is kind of a thought experiment. The logic in this analogy I'm sure you already know, but I want to use the analogy's conclusion to make a point afterwards, so here goes.

Using a massive labyrinth analogy to solve a decryption calculation, a traditional classic computer can only seek one path at a time (1/0 on/off transistor logic), and if it's a dead end, it has to return to try another path, each turn, or dead end, being a calculated 1/0 state of information. A quantum computer can do many or even all paths at once in a single calculation instant, having multiple or exponentially many states between 1/0, thereby following multiple paths, resulting in a lot of dead ends, but at the same time discovering the single path out of the massive labyrinth, all in a few or a single calculation, depending on how many qubits the quantum computer has available. It's a bit simplified, but enough to make the analogy's point.

So, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are possible to solve with numbers? But instead use something like a human thought logic pattern? This would require either a human or a sophisticated A.I. to solve, but it's also more akin to that of a traditional computer: patterns, structures, based in many 1/0 forming a structure, and the answer can only be found if maintaining this structure all at once. A quantum computer cannot do that, right? If I understood it correctly, a quantum computer may be truly scary in its insane calculative power, but it's by no means capable of being "smart", at the very least not on its own.

Where my knowledge of how encryption works truly falls apart is regarding the need for near-perfect or the not yet reached, difficult to achieve, perfect entropy. The more entropy, or chaos without structure and order, the harder it becomes to predict anything, and the harder it becomes to crack an encryption. This much is correctly understood, I assume? So, if putting in roadblocks for the quantum computer, which it cannot calculate, it significantly slows down its quantum speed. Even if introducing a classic computer or A.I. to work together with the quantum computer, if the road blocks are difficult enough, it would overall slow down the quantum computer enough to make it
Re: [qubes-users] Qubes & Quantum decryption Immunity
In this case you should ask the LUKS/dm-crypt mailing list, as that is what Qubes uses for disk crypto. I doubt anyone here, bar the internet's favorite folk hero "kedward howden", would piss off some company/government enough for them to spend the hundreds of thousands of dollars to rent such a machine.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/51d69633-59ac-5811-8fa5-cb969c591d6a%40gmx.com.
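Following up on the pointer to LUKS/dm-crypt, here is an added example (not code from this thread, from cryptsetup, or from the Qubes project) of the check a user can actually run: parse `cryptsetup luksDump` output and work out what Grover's square-root speed-up leaves of the AES key. It assumes an AES cipher spec and that XTS mode splits the LUKS master key into two equal AES keys, so a 512-bit LUKS key is AES-256 and a 256-bit one is AES-128; the two dump texts are constructed samples rather than captures from a real system, and the 128-bit threshold is this example's own choice.

```python
"""Added example (not from the qubes-users thread or the Qubes project):
read a LUKS volume's key size and estimate what Grover's algorithm leaves.

Grover's algorithm finds a k-bit key in about 2^(k/2) steps, so the usual
rule of thumb is to halve the symmetric key length when estimating
post-quantum strength. In XTS mode the LUKS master key is split into two
equal AES keys, so "aes-xts-plain64" with a 512-bit LUKS key is AES-256.
Assumptions: AES cipher specs only; 128 bits after halving is the bar.
"""
import re
import subprocess

# Constructed sample luksDump outputs (not captured from a real system).
SAMPLE_LUKS1 = """LUKS header information for /dev/sda2

Version:        1
Cipher name:    aes
Cipher mode:    xts-plain64
Hash spec:      sha256
MK bits:        256
"""

SAMPLE_LUKS2 = """LUKS header information
Version:        2
Epoch:          3

Keyslots:
  0: luks2
        Key:        512 bits
        Cipher:     aes-xts-plain64
        Cipher key: 512 bits
"""

MIN_POST_QUANTUM_BITS = 128   # threshold chosen for this example


def parse_luks_dump(text: str) -> tuple:
    """Return (cipher_spec, luks_key_bits) from luksDump text.

    LUKS1 prints "Cipher name:" / "Cipher mode:" / "MK bits:";
    LUKS2 prints "Cipher:" and "Cipher key:" inside each keyslot."""
    name = re.search(r"^\s*Cipher name:\s*(\S+)", text, re.M)
    mode = re.search(r"^\s*Cipher mode:\s*(\S+)", text, re.M)
    spec = re.search(r"^\s*Cipher:\s*(\S+)", text, re.M)
    bits = re.search(r"^\s*(?:MK bits|Cipher key):\s*(\d+)", text, re.M)
    if bits is None:
        raise ValueError("no key size found in luksDump output")
    if spec:
        cipher = spec.group(1)
    elif name and mode:
        cipher = f"{name.group(1)}-{mode.group(1)}"
    else:
        raise ValueError("no cipher spec found in luksDump output")
    return cipher, int(bits.group(1))


def aes_key_bits(cipher: str, luks_key_bits: int) -> int:
    """Per-key AES strength: XTS consumes two keys, other modes one."""
    if not cipher.startswith("aes-"):
        raise ValueError(f"this example only covers AES, got {cipher!r}")
    return luks_key_bits // 2 if "-xts-" in cipher else luks_key_bits


def grover_effective_bits(key_bits: int) -> int:
    """Security left after Grover's quadratic speed-up on brute force."""
    return key_bits // 2


def assess(dump_text: str) -> dict:
    """Summarise one luksDump text and flag whether it clears the threshold."""
    cipher, luks_bits = parse_luks_dump(dump_text)
    aes_bits = aes_key_bits(cipher, luks_bits)
    pq_bits = grover_effective_bits(aes_bits)
    return {
        "cipher": cipher,
        "luks_key_bits": luks_bits,
        "aes_key_bits": aes_bits,
        "post_quantum_bits": pq_bits,
        "ok": pq_bits >= MIN_POST_QUANTUM_BITS,
    }


def assess_device(device: str) -> dict:
    """Same check against a real volume; needs root to read the header."""
    dump = subprocess.run(["cryptsetup", "luksDump", device],
                          check=True, capture_output=True, text=True).stdout
    return assess(dump)


if __name__ == "__main__":
    for label, sample in (("LUKS1 sample", SAMPLE_LUKS1),
                          ("LUKS2 sample", SAMPLE_LUKS2)):
        print(label, assess(sample))
```

Run `assess_device("/dev/sdXN")` as root on the real volume. A 256-bit XTS key (AES-128, about 64 bits against Grover) is the case worth fixing; on a LUKS2 volume with cryptsetup 2.2 or newer, `cryptsetup reencrypt --cipher aes-xts-plain64 --key-size 512 <device>` re-keys it in place, after a header backup and a full data backup.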
Re: [qubes-users] Qubes & Quantum decryption Immunity
On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha wrote:

> Either way, cryptography protected by "structure", should be safe against a
> quantum computer, no? while all encryption without structure, would be
> extremely vulnerable to quantum computers?

I am not sure what you mean by "structure" in this context. If any of my guesses are correct, then I do not think that is the issue.

> Basically, long story short, is Qubes at risk in the near future of real
> quantum computing decryption attacks? For example, has there already gone
> thoughts or even development into securing Qubes against type of attacks like
> these?

I'm on several crypto mailing lists & follow the field fairly closely, though I would not claim to understand everything I read, let alone everything going on. As far as I can see, more-or-less everyone in the field agrees quantum computers are a serious threat in the long term, but no-one is much worried about threats in the next few years. Of course they could be wrong; neither AI researchers nor Go players thought a program that could win against top human players would turn up for decades, but then Google produced Alpha Go which did just that. A real paranoid would worry about whether some government lab already had a quantum computer capable of breaking a lot of crypto; my guess is that is not a realistic fear, but who knows?

The most worrisome threat is that a large enough (a few thousand q-bits) quantum machine breaks RSA public key encryption. RSA relies on sufficiently large semi-primes (products of two primes) being hard to factor. See https://en.wikipedia.org/wiki/Integer_factorization for background. There are about a dozen known methods for finding the factors, but on classical computers none that are efficient in the general case. On a quantum computer, though, there is a known efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm so a big enough quantum machine breaks RSA.

That is a huge threat since RSA is very widely used. PGP, IPsec, Secure DNS, SSL & SSH (or at least most variants) all fall if RSA does. There are other public key methods that might replace RSA, but it is not clear they are safe either.

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CACXcFmkqCY1tPn21bnKKYGnzVBrUyOpFshKutJxg%2BswMWn97Tg%40mail.gmail.com.
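To make the RSA point in the reply above concrete, an added example (not code from this thread or from any of the projects named in it): Shor's algorithm does not attack the factoring problem head-on. It picks a random base a, finds the multiplicative order r of a modulo N (the period of a^x mod N), and then plain classical gcd arithmetic on a^(r/2) ± 1 produces a factor. Only the order-finding step needs the quantum machine; below it is done by brute force, which is exponential in the size of N, so the code works only on toy moduli. The modulus 3233 = 61 × 53 is the textbook RSA example and is an assumed input, not something from the thread.

```python
"""Added example (not from the qubes-users thread or the Qubes project):
the classical half of Shor's algorithm, with brute force standing in for
the quantum part.

Shor's algorithm does not factor N directly. It picks a random base a,
finds the multiplicative order r (the period of f(x) = a^x mod N), and then
ordinary gcd arithmetic on a^(r/2) +- 1 yields a factor. Only the order
finding step needs a quantum computer; here it is done by brute force,
which is exponential in the size of N, so this only works on toy moduli.
"""
from math import gcd
import random


def find_order(a: int, n: int) -> int:
    """Smallest r >= 1 with a^r == 1 (mod n), by brute force.

    This loop is the step Shor's algorithm replaces with quantum period
    finding; classically it costs up to phi(n) modular multiplications,
    where the quantum version is polynomial in the bit length of n."""
    if gcd(a, n) != 1:
        raise ValueError("base must be coprime to the modulus")
    r, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        r += 1
    return r


def factor_from_order(a: int, r: int, n: int):
    """Turn the order r of a into a nontrivial factor of n, or None if this
    base is unlucky (odd order, or a^(r/2) == -1 mod n)."""
    if r % 2:
        return None
    y = pow(a, r // 2, n)
    if y == n - 1:
        return None
    for cand in (gcd(y - 1, n), gcd(y + 1, n)):
        if 1 < cand < n:
            return cand
    return None


def shor_reduction(n: int, seed: int = 1) -> tuple:
    """Factor n (composite with at least two distinct prime factors) via the
    Shor reduction; returns (p, q) with p <= q.

    For n = p*q with distinct odd primes, a random base succeeds with
    probability at least 1/2, so the loop ends after a few tries."""
    if n % 2 == 0:
        return tuple(sorted((2, n // 2)))
    rng = random.Random(seed)          # seeded only to make runs repeatable
    while True:
        a = rng.randrange(2, n - 1)
        g = gcd(a, n)
        if g != 1:                     # lucky: a already shares a factor
            return tuple(sorted((g, n // g)))
        p = factor_from_order(a, find_order(a, n), n)
        if p is not None:
            return tuple(sorted((p, n // p)))


if __name__ == "__main__":
    # Toy RSA modulus from the textbook example: 3233 = 61 * 53 (assumed input).
    print(shor_reduction(3233))
```

The design point is the split: everything except `find_order` is cheap classical arithmetic, which is why a polynomial-time quantum order finder is enough to break RSA outright, and why the same trick does not help against a symmetric cipher, where there is no hidden period to find.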
[qubes-users] Qubes & Quantum decryption Immunity
With news like the 50-qubit quantum computer by IBM announced earlier today, for now only capable of running for over 90 seconds, concerns over the safety of encryption appear to be slowly increasing. https://www.technologyreview.com/s/609451/ibm-raises-the-bar-with-a-50-qubit-quantum-computer/?utm_campaign=Technology+Review_source=facebook.com_medium=social

Obviously there are encryption forums out there, and the encryption tools Qubes uses are developed and supported by third parties specializing in the field. However, I'd like to see a discussion with Qubes in mind.

From a developer's perspective, with insight into cryptography, what is your take on this? Would the types of encryption Qubes uses be at risk of being brute-forced by a quantum computer?

The way I understood it, quantum computers cannot replace traditional computers, because the many simultaneous multiple states between 1/0 leave no structure in the code, therefore it's impossible to make programs or code with it without structure. Quantum computers strive for entropy or "chaos", while traditional computing machine code strives for order and frameworks. So that supposedly means quantum computers are limited to solving large number problems, but cannot "create" or "decrypt" anything that is a large "structured" computing calculation. I may have gotten this wrong, but that's how I currently see it.

I still do not perceive how encryption immune to quantum computers should work, i.e. how to implement structure into a large encryption calculation without giving it predictability or non-near-perfect / non-perfect entropy. It just seems contradictory; how is that even possible? Either way, cryptography protected by "structure" should be safe against a quantum computer, no? While all encryption without structure would be extremely vulnerable to quantum computers?

Basically, long story short, is Qubes at risk in the near future of real quantum computing decryption attacks? For example, has there already been thought or even development put into securing Qubes against attacks like these?

-- 
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/f653eaba-3ca8-48a8-a3e4-1fdf62032389%40googlegroups.com.