Key size
== Effect of quantum computing attacks on key strength ==

The two best known quantum computing attacks are based on [[Shor's algorithm]] and [[Grover's algorithm]]. Of the two, Shor's offers the greater risk to current security systems. Derivatives of Shor's algorithm are widely conjectured to be effective against all mainstream public-key algorithms including [[RSA (algorithm)|RSA]], [[Diffie-Hellman]] and [[elliptic curve cryptography]]. According to Professor Gilles [[Gilles Brassard|Brassard]], an expert in quantum computing: "The time needed to factor an RSA integer is the same order as the time needed to use that same integer as modulus for a single RSA encryption. In other words, it takes no more time to break RSA on a quantum computer (up to a multiplicative constant) than to use it legitimately on a classical computer." The general consensus is that these public-key algorithms are insecure at any key size if sufficiently large quantum computers capable of running Shor's algorithm become available. The implication of this attack is that all data encrypted using current standards-based security systems, such as the ubiquitous [[Transport Layer Security|SSL]] used to protect e-commerce and Internet banking and [[Secure Shell|SSH]] used to protect access to sensitive computing systems, is at risk. Encrypted data protected using public-key algorithms can be archived and may be broken at a later time, commonly known as retroactive/retrospective decryption or "[[harvest now, decrypt later]]".

Mainstream symmetric ciphers (such as [[Advanced Encryption Standard|AES]] or [[Twofish]]) and collision-resistant hash functions (such as [[Secure Hash Algorithm|SHA]]) are widely conjectured to offer greater security against known quantum computing attacks. They are widely thought to be most vulnerable to [[Grover's algorithm]]. Bennett, Bernstein, Brassard, and Vazirani proved in 1996 that a brute-force key search on a quantum computer cannot be faster than roughly 2<sup>''n''/2</sup> invocations of the underlying cryptographic algorithm, compared with roughly 2<sup>''n''</sup> in the classical case.<ref name=bennett_1997>Bennett C.H., Bernstein E., Brassard G., Vazirani U., ''[http://www.cs.berkeley.edu/~vazirani/pubs/bbbv.ps The strengths and weaknesses of quantum computation]''. [[SIAM Journal on Computing]] 26(5): 1510–1523 (1997).</ref> Thus in the presence of large quantum computers an ''n''-bit key can provide at least ''n''/2 bits of security. Quantum brute force is easily defeated by doubling the key length, which has little extra computational cost in ordinary use. This implies that at least a 256-bit symmetric key is required to achieve a 128-bit security rating against a quantum computer.

As mentioned above, the NSA announced in 2015 that it plans to transition to quantum-resistant algorithms.<ref name=NSASuiteBphaseout /> In a 2016 Quantum Computing FAQ, the NSA affirmed:

{{blockquote|"A sufficiently large quantum computer, if built, would be capable of undermining all widely-deployed public key algorithms used for key establishment and digital signatures. [...] It is generally accepted that quantum computing techniques are much less effective against symmetric algorithms than against current widely used public key algorithms. While public key cryptography requires changes in the fundamental design to protect against a potential future quantum computer, symmetric key algorithms are believed to be secure provided a sufficiently large key size is used. [...] The public-key algorithms ([[RSA (cryptosystem)|RSA]], [[Diffie-Hellman]], [[ECDH|[Elliptic-curve Diffie–Hellman] ECDH]], and [[Elliptic Curve Digital Signature Algorithm|[Elliptic Curve Digital Signature Algorithm] ECDSA]]) are all vulnerable to attack by a sufficiently large quantum computer. [...]

While a number of interesting quantum resistant public key algorithms have been proposed external to NSA, nothing has been standardized by [[National Institute of Standards and Technology|NIST]], and NSA is not specifying any commercial quantum resistant standards at this time. NSA expects that NIST will play a leading role in the effort to develop a widely accepted, standardized set of quantum resistant algorithms. [...] Given the level of interest in the cryptographic community, we hope that there will be quantum resistant algorithms widely available in the next decade. [...] The AES-256 and SHA-384 algorithms are symmetric, and believed to be safe from attack by a large quantum computer."<ref name=cnsaquantum>{{cite web|url=https://ia801409.us.archive.org/26/items/cnsa-suite-and-quantum-computing-faq/CNSA-Suite-and-Quantum-Computing-FAQ.pdf |title=Commercial National Security Algorithm Suite and Quantum Computing FAQ |pages=6–8 |date=2016-01-01 |publisher=[[National Security Agency]] |access-date=2024-04-21}}</ref>}}

In a 2022 press release, the NSA stated:

{{blockquote|"A cryptanalytically-relevant quantum computer (CRQC) would have the potential to break public-key systems (sometimes referred to as asymmetric cryptography) that are used today.

Given foreign pursuits in quantum computing, now is the time to plan, prepare and budget for a transition to [quantum-resistant] QR algorithms to assure sustained protection of [National Security Systems] NSS and related assets in the event a CRQC becomes an achievable reality."<ref name=cnsasuite>{{cite web|url=https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/ |title=NSA Releases Future Quantum-Resistant (QR) Algorithm Requirements for National Security Systems |date=2022-09-07 |publisher=[[National Security Agency]] |access-date=2024-04-14}}</ref>}}

Since September 2022, the NSA has been transitioning from the [[Commercial National Security Algorithm Suite]] (now referred to as CNSA 1.0), originally launched in January 2016, to the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0), both summarized below:<ref name=nsaCNSA>{{cite web|url=https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |archive-url=https://archive.today/20221121213740/https://media.defense.gov/2022/Sep/07/2003071834/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS_.PDF |url-status=dead |archive-date=November 21, 2022 |title=Announcing the Commercial National Security Algorithm Suite 2.0, U/OO/194427-22, PP-22-1338, Ver. 1.0 |date=September 2022 |publisher=[[National Security Agency]]|website=media.defense.gov|access-date=2024-04-14|at=Table IV: CNSA 2.0 algorithms, p. 9.; Table V: CNSA 1.0 algorithms, p. 10.}}</ref>{{efn|See the complete tables and the transition timeline at the [[Commercial National Security Algorithm Suite]] article.}}

'''CNSA 2.0'''
{| class="wikitable"
|-
! Algorithm
! Function
! Parameters
|-
| Advanced Encryption Standard (AES)
| Symmetric block cipher for information protection
| 256-bit keys
|-
| CRYSTALS-Kyber
| Asymmetric algorithm for key establishment
| Level V
|-
| CRYSTALS-Dilithium
| Asymmetric algorithm for digital signatures
| Level V
|-
| Secure Hash Algorithm (SHA)
| Algorithm for computing a condensed representation of information
| SHA-384 or SHA-512
|-
| Leighton-Micali Signature (LMS)
| Asymmetric algorithm for digitally signing firmware and software
| All parameters approved. SHA256/192 recommended.
|-
| Xtended Merkle Signature Scheme (XMSS)
| Asymmetric algorithm for digitally signing firmware and software
| All parameters approved
|}

'''CNSA 1.0'''
{| class="wikitable"
|-
! Algorithm
! Function
! Parameters
|-
| Advanced Encryption Standard (AES)
| Symmetric block cipher for information protection
| 256-bit keys
|-
| Elliptic Curve Diffie-Hellman (ECDH) Key Exchange
| Asymmetric algorithm for key establishment
| Curve P-384
|-
| Elliptic Curve Digital Signature Algorithm (ECDSA)
| Asymmetric algorithm for digital signatures
| Curve P-384
|-
| Secure Hash Algorithm (SHA)
| Algorithm for computing a condensed representation of information
| SHA-384
|-
| Diffie-Hellman (DH) Key Exchange
| Asymmetric algorithm for key establishment
| Minimum 3072-bit modulus
|-
| [Rivest-Shamir-Adleman] RSA
| Asymmetric algorithm for key establishment
| Minimum 3072-bit modulus
|-
| [Rivest-Shamir-Adleman] RSA
| Asymmetric algorithm for digital signatures
| Minimum 3072-bit modulus
|}
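The square-root speed-up behind the "''n''-bit key gives ''n''/2 bits of security" statement above can be seen directly by simulating Grover's search on a toy key space. This is an added example, not code from the article or from any cited source; the oracle that recognises a single secret key stands in for a block cipher and is an assumption of the example.

```python
"""Classical state-vector simulation of Grover's search over an n-bit key space.

The point it demonstrates: the number of oracle (cipher) queries needed grows
like 2^(n/2), not 2^n, which is why a 256-bit symmetric key is needed for a
128-bit margin against a quantum adversary. The toy oracle (one marked key)
is an assumption made for this example.
"""
import math
from typing import Tuple


def grover_queries(n_bits: int, secret_key: int) -> Tuple[int, float]:
    """Run the standard ~(pi/4)*sqrt(2^n) Grover iterations and return
    (oracle queries used, probability of measuring `secret_key`)."""
    size = 1 << n_bits
    if not 0 <= secret_key < size:
        raise ValueError("secret key outside the key space")
    amp = [1.0 / math.sqrt(size)] * size          # uniform superposition
    iterations = math.floor(math.pi / 4 * math.sqrt(size))
    for _ in range(iterations):
        amp[secret_key] = -amp[secret_key]        # oracle: phase-flip the key
        mean = sum(amp) / size                    # diffusion: reflect about the mean
        amp = [2 * mean - a for a in amp]
    return iterations, amp[secret_key] ** 2


def classical_expected_queries(n_bits: int) -> float:
    """Expected trial decryptions for classical brute force (half the key space)."""
    return (1 << n_bits) / 2


def quantum_security_bits(key_bits: int) -> int:
    """BBBV lower bound: quantum key search needs ~2^(n/2) cipher invocations,
    so an n-bit symmetric key yields about n/2 bits of security."""
    return key_bits // 2


if __name__ == "__main__":
    # Constructed demo: small toy key sizes so the simulation runs in seconds.
    for n in (8, 12):
        queries, p_ok = grover_queries(n, secret_key=0x2B)
        print(f"n={n}: Grover {queries} queries (success p={p_ok:.4f}) "
              f"vs classical ~{classical_expected_queries(n):.0f}")
    print("AES-256 margin against a large quantum computer:",
          quantum_security_bits(256), "bits")
```

For n = 8 the search succeeds with near-certainty after 12 queries against an expected 128 classically, and the ratio widens as 2^(n/2) with larger n.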