6792 stories
·
162 followers

The sad, bizarre tale of hype fanning fears modern cryptography was slain

1 Comment and 2 Shares

There’s little doubt that some of the most important pillars of modern cryptography will tumble spectacularly once quantum computing, now in its infancy, matures sufficiently. Some experts say that could be in the next couple decades. Others say it could take longer. No one knows.

The uncertainty leaves a giant vacuum that can be filled with alarmist pronouncements that the world is close to seeing the downfall of cryptography as we know it. The false pronouncements can take on a life of their own as they’re repeated by marketers looking to peddle post-quantum cryptography snake oil and journalists tricked into thinking the findings are real. And a new episode of exaggerated research has been playing out for the past few weeks.

All aboard the PQC hype train

The last time the PQC—short for post-quantum cryptography—hype train gained this much traction was in early 2023, when scientists presented findings that claimed, at long last, to put the quantum-enabled cracking of the widely used RSA encryption scheme within reach. The claims were repeated over and over, just as claims about research released in September have for the past three weeks.

A few weeks after the 2023 paper came to light, a more mundane truth emerged that had escaped the notice of all those claiming the research represented the imminent demise of RSA—the research relied on Schnorr’s algorithm (not to be confused with Shor’s algorithm). The algorithm, based on 2021 analysis of cryptographer Peter Schnorr, had been widely debunked two years earlier. Specifically, critics said, there was no evidence supporting the authors’ claims of Schnorr’s algorithm achieving polynomial time, as opposed to the glacial pace of subexponential time achieved with classical algorithms.

Once it became well-known that the validity of the 2023 paper rested solely on Schnorr’s algorithm, that research was also debunked.

Three weeks ago, panic erupted again when the South China Morning post reported that scientists in that country had discovered a “breakthrough” in quantum computing attacks that posed a “real and substantial threat” to “military-grade encryption.” The news outlet quoted paper co-author Wang Chao of Shanghai University as saying, “This is the first time that a real quantum computer has posed a real and substantial threat to multiple full-scale SPN [substitution–permutation networks] structured algorithms in use today.”

Among the many problems with the article was its failure to link to the paper—reportedly published in September in the Chinese-language academic publication Chinese Journal of Computers—at all. Citing Wang, the paper said that the paper wasn’t being published for the time being “due to the sensitivity of the topic.” Since then, the South China Morning Post article has been quietly revised to remove the “military-grade encryption” reference.

With no original paper to reference, many news outlets searched the Chinese Journal of Computers for similar research and came up with this paper. It wasn’t published in September, as the news article reported, but it was written by the same researchers and referenced the “D-Wave Advantage”—a type of quantum computer sold by Canada-based D-Wave Quantum Systems—in the title.

Some of the follow-on articles bought the misinformation hook, line, and sinker, repeating incorrectly that the fall of RSA was upon us. People got that idea because the May paper claimed to have used a D-Wave system to factor a 50-bit RSA integer. Other publications correctly debunked the claims in the South China Morning Post but mistakenly cited the May paper and noted the inconsistencies between what it claimed and what the news outlet reported.

Over the weekend, someone unearthed the correct paper, which, as it turns out, had been available on the Chinese Journal of Computers website the whole time. Most of the paper is written in Chinese. This abstract was fortunately written in English. It reports using a D-Wave-enabled quantum annealer to find “integral distinguishers up to 9-rounds” in the encryption algorithms known as PRESENT, GIFT-64, and RECTANGLE. All three are symmetric encryption algorithms built on a SPN—short for substitution-permutation network structure.

“This marks the first practical attack on multiple full-scale SPN structure symmetric cipher algorithms using a real quantum computer,” the paper states. “Additionally, this is the first instance where quantum computing attacks on multiple SPN structure symmetric cipher algorithms have achieved the performance of the traditional mathematical methods.”

Defining your terms

There’s a lot going on here, but what does it mean? To explain, here's a quick explanation of several important terms.

SPN: Short for substitution-permutation network, an SPN is a series of mathematical operations used in block cipher algorithms to increase their security. These algorithms take a block of plaintext and the encryption key as input and run them through a subprocess that repeats for a set number of rounds before outputting a finished ciphertext.

The best known block cipher is AES, short for Advanced Encryption Standard. Ciphertext produced with 128-bit, 192-bit, and 256-bit AES go through 10 rounds, 12 rounds, and 14 rounds respectively. Page 5 of this animation tutorial provides a useful visualization of this process.

Quantum annealing: This term is borrowed from annealing, a process that uses heat to alter the physical or chemical properties of a metal, glass, or plastic film to increase ductility and reduce hardness. Annealing works by heating materials above their recrystallization temperature, maintaining a certain temperature for a set amount of time, and then allowing them to cool slowly.

The “annealing” in quantum annealing is used metaphorically to describe a method for applying the principles of quantum mechanics to solve complex optimization problems. More on quantum annealing here and here.

In 2011, D-Wave produced the first commercial quantum annealer. Called the D-Wave One, it used a 128-qubit processor chipset. The D-Wave Advantage, the system used in the September research paper, has 5,000 qubits. D-Wave systems can solve only certain types of optimization problems, and the difficulty requires developers and scientists using D-Wave systems to break larger problems into smaller optimization problems before they can be solved with these systems.

PRESENT, GIFT64, and RECTANGLE: All three are lightweight block ciphers designed for use in “constrained” environments, such as those in embedded systems that require more speed and fewer computational resources than is possible using AES. All three are based on an SPN structure and are proposed academic designs. The related GIFT-128 is a component of GIFT-COFB, which was a finalist for the recent NIST lightweight crypto competition but lost out to an algorithm known as Ascon.

PRESENT, meanwhile, can be found in the ISO/IEC 29167-11:2014 and ISO/IEC 29192-2:2019, but it isn't used widely. It's not clear if RECTANGLE is used at all. Because all three algorithms were academic designs, they have been widely analyzed.

Integral distinguishers: In essence, finding integral distinguishers is a type of large-scale optimization problem that, when solved, provides a powerful tool for breaking encryption schemes used in block ciphers. A 2018 paper titled Finding Integral Distinguishers with Ease reported using classical computing to find integral distinguishers for dozens of algorithms. The research included 9-round distinguishers for PRESENT, GIFT64, and RECTANGLE, the algorithms studied in the September paper.

Mixed-integer linear programming: Typically abbreviated as MILP, mixed-integer linear programming is a mathematical modeling technique for solving complex problems. MILP allows some variables to be non-integers, a property that gives it flexibility, efficiency, and optimization over other methods.

The experts weigh in

The main contribution in the September paper is the process the researchers used to find integral distinguishers in up to nine rounds of the three previously mentioned algorithms. According to a roughly translated version of the paper (the correct one, not the one from May), the researchers wrote:

Inspired by traditional cryptanalysis methods, we proposed a novel computational architecture for symmetric cryptanalysis: Quantum Annealing-Classical Mixed Cryptanalysis (QuCMC), which combines the quantum annealing algorithm with traditional mathematical methods. Utilizing this architecture, we initially applied the division property to describe the propagation rules of the linear and nonlinear layers in SPN structure symmetric cipher algorithms.

Subsequently, the SPN structure distinguisher search problems were transformed into Mixed Integer Linear Programming (MILP) problems. These MILP models were further converted into D-Wave Constrained Quadratic Models (CQM), leveraging the quantum tunneling effect induced by quantum fluctuations to escape local minima solutions and achieve an optimal solution corresponding to the integral distinguisher for the cipher algorithms being attacked. Experiments conducted using the D-Wave Advantage quantum computer have successfully executed attacks on three representative SPN structure algorithms: PRESENT, GIFT-64, and RECTANGLE, and successfully searched integral distinguishers up to 9-round. Experimental results demonstrate that the quantum annealing algorithm surpasses traditional heuristic-based global optimization algorithms, such as simulated annealing, in its ability to escape local minima and in solution time. This marks the first practical attack on multiple full-scale SPN structure symmetric cipher algorithms using a real quantum computer.

Additionally, this is the first instance where quantum computing attacks on multiple SPN structure symmetric cipher algorithms have achieved the performance of the traditional mathematical methods.

The paper makes no reference to AES or RSA and never claims to break anything. Instead, it describes a way to use D-Wave-enabled quantum annealing to find the integral distinguisher. Classical attacks have had the optimized capability to find the same integral distinguishers for years. David Jao, a professor specializing in PQC at the University of Waterloo in Canada, likened the research to finding a new lock-picking technique. The end result is the same, but the method is new. He explained:

The paper is written for an audience of researchers, not for the general public. Researchers view "developing a better lockpick" as an actual attack, but if you're writing for the general public, the general public would think that an attack means "using the lockpick to pick the lock" which is not what happened here.

To continue the analogy, it's true that this paper uses quantum computers to develop lockpicks that match previously known lockpicks in efficiency. So it is true that they have "achieved the performance" of traditional methods, although note that they have not gone beyond that. In some cases (such as RECTANGLE), it is known that no better integral distinguishers exist, so matching the existing technology is the best that can be done using this approach.

Nadia Heninger, a professor studying cryptography at the University of California San Diego, agreed.

“I'd say it's more accurate to say that the researchers formulated a cryptanalysis problem as an optimization problem and ran it on simulated annealing and on quantum annealing and claim to have gotten comparable results. But the main result is to have ‘achieved the performance of traditional mathematical methods,’ so it sounds like maybe there are other classical/mathematical approaches that are better.”

Lastly, Xavier Bonnetain, a professor at the National Institute for Research in Digital Science and Technology in France, put it this way:

They claimed they reduced the search for what is called an integral distinguisher to a Mixed-Integer Linear Programming problem (something that's been standard for years in cryptography) and solved the problem for 3 block ciphers using their quantum annealer.

They did not find anything new, which is not especially surprising given that integral distinguishers on these ciphers were already looked for classically and were already proven optimal. They solved a problem for which we already knew the answers, using another approach.

After performing a quick search, Bonnetain found this 2018 paper that found integral distinguishers for all three of the algorithms covered in the September paper.

None of these experts are denigrating the research presented in the September paper. They are, however, noting that the claims presented in the original South China Morning Post article—and repeated in the ensuing media echo chamber afterward—go beyond mere exaggeration or embellishment. Instead, they're more comparable to fabrications. Even many of the articles debunking the claims—while well intentioned—missed the mark because they, too, cited the wrong paper.

This isn’t the first time the South China Morning Post has fueled undue panic about the imminent fall of widely used encryption algorithms. Last year’s hype train, mentioned earlier in this article, was touched off by coverage by the same publication that claimed researchers found a factorization method that could break a 2,048-bit RSA key using a quantum system with just 372 qubits. People who follow PQC should be especially wary when seeking news there.

The coverage of the September paper is especially overblown because symmetric encryption, unlike RSA and other asymmetric siblings, is are widely belived to be safe from quantum computing, as long as bit sizes are sufficient. PQC experts are confident that AES-256 will resist all known quantum attacks.

I emailed two of the co-authors of the September paper: Wang Chao, mentioned earlier, and Pei Zhi, a PhD. candidate at Shanghai University, asking for their help with this story. The only response I got was two auto-replies saying their inboxes were full.

As a reminder, current estimates are that quantum cracking of a single 2048-bit RSA key would require a computer with 20 million qubits running in superposition for about eight hours. For context, quantum computers maxed out at 433 qubits in 2022 and 1,000 qubits last year. (A qubit is a basic unit of quantum computing, analogous to the binary bit in classical computing. Comparisons between qubits in true quantum systems and quantum annealers aren't uniform.) So even when quantum computing matures sufficiently to break vulnerable algorithms, it could take decades or longer before the majority of keys are cracked.

The upshot of this latest episode is that while quantum computing will almost undoubtedly topple many of the most widely used forms of encryption used today, that calamitous event won’t happen anytime soon. It’s important that industries and researchers move swiftly to devise quantum-resistant algorithms and implement them widely. At the same time, people should take steps not to get steamrolled by the PQC hype train.

Read full article

Comments



Read the whole story
jepler
3 hours ago
reply
yay someone tracked down the paper underlying that sensationalistic article a few weeks ago. yes, it was a nothingburger.
Earth, Sol system, Western spiral arm
Share this story
Delete

KolibriOS: The Operating System That Fits on a 1.44 MB 3.5″ Floppy Disk

1 Comment

While most operating systems are written in C and C++, KolibriOS is written in pure x86 assembly and as a result small and lightweight enough to run off a standard 1.44 MB floppy disk, as demonstrated in a recent video by [Michael].

Screenshot of the KolibriOS desktop on first boot with default wallpaper.
Screenshot of the KolibriOS desktop on first boot with default wallpaper.

As a fork of 32-bit MenuetOS back in 2004, KolibriOS has since followed its own course, sticking to the x86 codebase and requiring only a modest system with an i586-compatible CPU, 8 MB of RAM and VESA-compatible videocard. Unlike MenuetOS’ proprietary x86_64 version, there’s no 64-bit in KolibriOS, but at this level you probably won’t miss it.

In the video by [Michael], the OS boots incredibly fast off both a 3.5″ floppy and a CD-ROM, with the CD-ROM version having the advantage of more software being provided with it, including shareware versions of DOOM and Wolfenstein 3D.

Although web browsers (e.g. Netsurf) are also provided, [Michael] did not get Ethernet working, though he doesn’t say whether he checked the hardware compatibility list. Quite a few common 3Com, Intel and Realtek NICs are supported out of the box.

For audio it was a similar story, with the hardware compatibility left unverified after audio was found to be not working. Despite this, the OS was fast, stable, runs DOOM smoothly and overall seems to be a great small OS for x86 platforms that could give an old system a new lease on life.

Read the whole story
jepler
3 hours ago
reply
I remember taking a custom single floppy disk Linux with me on a semester abroad in 1998. I used it at the student computer center, booting out of Windows into it. Of course, even then there were compromises; I think I'd loaded it with screen, irc & ssh? all text mode in any case.

As far as I recall, it worked by taking a list of files on your full Linux install you needed, and created a special floppy with the kernel and a compressed filesystem on it.

All long lost now, of course. As I type this I'm wondering at my good luck that I had the right network drivers for it to work.
Earth, Sol system, Western spiral arm
Share this story
Delete

DSA-5800-1 xorg-server - security update

1 Comment
Jan-Niklas Sohn discovered that a heap-based buffer overflow in the _XkbSetCompatMap function in the X Keyboard Extension of the X.org X server may result in privilege escalation if the X server is running privileged.

https://security-tracker.debian.org/tracker/DSA-5800-1

Read the whole story
jepler
1 day ago
reply
Xorg doesn't have many security bugs these days
Earth, Sol system, Western spiral arm
Share this story
Delete

Apple Updates the iMac With M4 Chip

1 Comment
Apple has updated the iMac lineup with an M4 chip. The new iMac, announced this morning, includes an M4 chip with an 8-core CPU and up to a 10-core GPU. The entry-level model costs $1,299 with two Thunderbolt USB-C 4 ports, while the higher-end models start at $1,499 and have four ports. The Verge: It's also bundled with accessories that now use USB-C charging ports instead of Lightning. Like the prior model, the new iMac has a 24-inch, 4.5K display. However, Apple is offering a new "nano-texture glass option" for $200 extra, which is supposed to help reduce reflections and glare.

Additionally, the iMac's base RAM has been doubled to 16GB over the prior model, with the ability to configure the higher-end option with up to 32GB. Apple's new iMac also comes with a 12MP webcam, along with new Apple Intelligence features that are starting to roll out today, such as AI-powered writing and editing features and a redesigned Siri.

Read the whole story
jepler
2 days ago
reply
any price savings on last-gen macs? I remain tempted to add a mac laptop to my household but then each time I look at the pricing and go "no".
Earth, Sol system, Western spiral arm
Share this story
Delete

FruitBox Sequencer: From the Adafruit Learning System Archives #MusicMonday

1 Comment

Here’s a fun project from the Adafruit Learning System archives. John Park whipped up a sequencer that uses our Circuit Playground Express’s built in capacitive touch sensors, plugged in to fruit, to create a unique instrument!

Who doesn’t love a fat drum beat? Nobody, that’s who! You can make your own awesome rhythms once you’ve built the FruitBox Sequencer! Use the Circuit Playground Express board’s built-in capacitive touch sensors plugged into pieces of fruit to program and trigger your beats, in a 16-step sequence. Play back sampled drum sounds in perfect time with the on-board speaker, or optionally, you can plug it into an amplified speaker to rock the crowd!

See project!

 

Read the whole story
jepler
2 days ago
reply
couldn't call it the fruit loop for reasons I guess
Earth, Sol system, Western spiral arm
Share this story
Delete

Wells

2 Comments and 3 Shares
You do have to be careful, though--sometimes, instead of water, you hit this free fuel that you can sell for a lot of money instead.
Read the whole story
JayM
2 days ago
reply
Heh.
Atlanta, GA
jepler
2 days ago
reply
I mean, like a lot of things it works for awhile. But maybe that's the joke.

> Since the 1940s, pumping from the Ogallala has drawn the aquifer down by more than 300 feet (90 m) in some areas
https://en.wikipedia.org/wiki/Ogallala_Aquifer#Accelerated_decline_in_aquifer_storage
Earth, Sol system, Western spiral arm
Lythimus
2 days ago
Yeah, it doesn't help water rights in the U.S. are so ridiculous. Capitalism only works well if things are appropriately valued. I just hope we don't stoop to geoengineering rain to fall here.
hobbified
1 day ago
Most places it works forever. Some places weren't meant for human habitation.
Share this story
Delete
Next Page of Stories