Qubes & Quantum decryption Immunity


Yuraeitha

Nov 10, 2017, 1:45:17 PM
to qubes-users
With news like the 50-qubit quantum computer announced by IBM earlier today, for now only capable of running for over 90 seconds, concerns over the safety of encryption appear to be slowly increasing.

https://www.technologyreview.com/s/609451/ibm-raises-the-bar-with-a-50-qubit-quantum-computer/?utm_campaign=Technology+Review&utm_source=facebook.com&utm_medium=social

Obviously there are encryption forums out there, and the encryption tools Qubes uses are developed and supported by third parties specializing in the field. However, I'd like to see a discussion with Qubes in mind.

From a developer's perspective, with insight into cryptography, what is your take on this? Would the types of encryption Qubes uses be at risk of being brute-forced by a quantum computer?

The way I understood it, quantum computers cannot replace traditional computers, because the many simultaneous states between 1/0 leave no structure in the code; therefore it's impossible to make programs or code with it without structure. Quantum computers strive for entropy or "chaos", while traditional machine code strives for order and frameworks. So that supposedly means quantum computers are limited to solving large number problems, but cannot "create" or "decrypt" anything that is a large "structured" computing calculation. I may have gotten this wrong, but that's how I currently see it. I still do not perceive how encryption immune to quantum computers should work, i.e. how to implement structure into a large encryption calculation without giving it predictability or non-near-perfect / non-perfect entropy. It just seems contradictory; how is that even possible?

Either way, cryptography protected by "structure" should be safe against a quantum computer, no? While all encryption without structure would be extremely vulnerable to quantum computers?

Basically, long story short, is Qubes at risk in the near future of real quantum computing decryption attacks? For example, has there already been thought or even development put into securing Qubes against attacks like these?

Sandy Harris

Nov 10, 2017, 5:29:48 PM
to Yuraeitha, qubes-users
On Fri, Nov 10, 2017 at 1:45 PM, Yuraeitha <yura...@gmail.com> wrote:

> Either way, cryptography protected by "structure" should be safe against a quantum computer, no? While all encryption without structure would be extremely vulnerable to quantum computers?

I am not sure what you mean by "structure" in this context. If any of
my guesses are correct, then I do not think that is the issue.

> Basically, long story short, is Qubes at risk in the near future of real quantum computing decryption attacks? For example, has there already gone thoughts or even development into securing Qubes against type of attacks like these?

I'm on several crypto mailing lists & follow the field fairly closely,
though I would not claim to understand everything I read, let alone
everything going on. As far as I can see, more-or-less everyone in the
field agrees quantum computers are a serious threat in the long term,
but no-one is much worried about threats in the next few years. Of
course they could be wrong; neither AI researchers nor Go players
thought a program that could win against top human players would turn
up for decades, but then Google produced Alpha Go which did just that.
A real paranoid would worry about whether some government lab already
had a quantum computer capable of breaking a lot of crypto; my guess
is that is not a realistic fear, but who knows?

The most worrisome threat is that a large enough (a few thousand
q-bits) quantum machine breaks RSA public key encryption. RSA relies
on sufficiently large semi-primes (products of two primes) being hard
to factor. See https://en.wikipedia.org/wiki/Integer_factorization for
background. There are about a dozen known methods for finding the
factors, but on classical computers none that are efficient in the
general case. On a quantum computer, though, there is a known
efficient algorithm https://en.wikipedia.org/wiki/Shor%27s_algorithm
so a big enough quantum machine breaks RSA.

That is a huge threat since RSA is very widely used. PGP, IPsec,
Secure DNS, SSL & SSH (or at least most variants) all fall if RSA
does. There are other public key methods that might replace RSA, but
it is not clear they are safe either.
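To make the point above concrete, here is an added toy example (not code from the thread or from Qubes) of why a factoring oracle is fatal to RSA. Shor's algorithm is the hypothetical quantum step that would return the factors of n; everything after that is ordinary arithmetic, which this script performs with constructed, deliberately tiny primes (real keys use primes of 1024 bits and more). The trial-division function stands in for the factoring step and is hopeless at real key sizes; that gap is exactly what a large quantum computer would close.

```python
"""Why recovering the factors of n breaks an RSA key (toy-sized).

Added example, not from the mailing-list thread. The primes are
constructed for illustration only.
"""
from math import gcd


def make_keypair(p, q, e=65537):
    """Return ((n, e), d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def recover_private_exponent(n, e, p, q):
    """Classical post-processing once a factoring oracle (e.g. Shor's
    algorithm) has handed back p and q: phi(n) is immediate and the
    private exponent is d = e^-1 mod phi(n). Nothing secret is needed."""
    if p * q != n:
        raise ValueError("factors do not multiply to n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def encrypt(m, pub):
    n, e = pub
    return pow(m, e, n)


def decrypt(c, n, d):
    return pow(c, d, n)


def trial_division(n):
    """Classical factoring by trial division. Fine for a toy modulus,
    infeasible for a real 2048-bit one; it only stands in for the
    quantum step so the script runs end to end."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n is prime")


if __name__ == "__main__":
    p, q = 10007, 10009                     # constructed toy primes
    pub, d = make_keypair(p, q)
    c = encrypt(42, pub)
    # Attacker's view: only the public key (n, e) plus a factoring oracle.
    pf, qf = trial_division(pub[0])
    d_rec = recover_private_exponent(pub[0], pub[1], pf, qf)
    print("recovered d matches:", d == d_rec)
    print("decrypted with recovered key:", decrypt(c, pub[0], d_rec))
```

The same structure applies to the discrete-logarithm schemes (DH, ECDSA, Ed25519): the hard problem is the only thing standing between the public key and the private key, which is why the public-key layer is the one people worry about first.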

Tai...@gmx.com

Nov 10, 2017, 5:51:08 PM
to Yuraeitha, qubes-users
In this case you should ask the luks/dmcrypt mailing list, as that is what
qubes uses for disk crypto.

I doubt anyone here, bar the internet's favorite folk hero "kedward
howden", would piss off some company/government enough for them to spend
the hundreds of thousands of dollars to rent such a machine.

Yuraeitha

Nov 11, 2017, 5:48:22 AM
to qubes-users
@ Sandy Harris
Let me try to rephrase the structure part. I may not have understood it correctly, and I can tell you know more than I do about encryption, so let me try to emphasise the quantum part, which may or may not be right. I'm curious whether or how it can fit into encryption, so this is kind of a thought experiment. The logic in this analogy I'm sure you already know, but I want to use the analogy's conclusion to make a point afterwards, so here goes. Using a massive labyrinth analogy to solve a decryption calculation, a traditional classic computer can only seek one path at a time (1/0 on/off transistor logic), and if it's a dead end, it has to return to try another path, each turn, or dead end, being a calculated 1/0 state of information. A quantum computer can do many or even all paths at once in a single calculation instant, by having multiple or exponentially many states between 1/0, thereby following multiple paths, resulting in a lot of dead ends, but at the same time discovering the single path out of the massive labyrinth, all in a few or a single calculation, depending on how many qubits the quantum computer has available.

It's a bit simplified, but enough to make the analogy point. SO, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are possible to solve with numbers? But instead use something like human thought logic pattern? This would require either a human or a sophisticated A.I. to solve, but it's also more akin to that of a traditional computer, patterns, structures, based in many 1/0 forming a structure, and the answer can only be found if maintaining this structure all at once. A quantum computer cannot do that, right? If I understood it correctly, a quantum computer may be truly scary in its insane calculative power, but, it's by no means capable of being "smart", at the very least, not on its own.

Where my knowledge of how encryption works truly falls apart is regarding the need for near-perfect, or the not yet reached and difficult to achieve, perfect entropy. The more entropy, or chaos without structure and order, the harder it becomes to predict anything, and the harder it becomes to crack an encryption. This much is correctly understood, I assume? So, if putting in roadblocks for the quantum computer, which it cannot calculate, it significantly slows down its quantum speed. Even if introducing a classic computer or A.I. to work together with the quantum computer, if the roadblocks are difficult enough, it would overall slow down the quantum computer enough to make it impossible to crack the encryption. But don't roadblocks, or "structure", reduce the entropy? Thereby making it easier to crack? As such, is this not correctly understood? Or is it instead a paradox akin to catch-22 paradox logic?

Perhaps such roadblocks, if they are feasible, do not hurt the entropy itself?

Thanks a lot for the info, real life cases, and wiki links btw, will definitely have to look into it further to learn more.


Tai...@gmx.com
Yes indeed, but as mentioned, I'm putting up the discussion here despite having mentioned more appropriate forums. I'm not only seeking answers, but am also concerned about the collective awareness.

I'm not worried about today or even tomorrow; rather I'm worried about next year or the few short years to come. Consider this instead. Imagine the old story of the king asking the peasant what he'd like as a reward for his good deeds to the king and the kingdom. The peasant then suggests that he'd like a portion of corn every day for the duration of the number of squares on a chess board (8*8 = 64 days total). The first square has 1 grain, then the next is 2 grains, the third is 4, and the fourth is 8. The king thought to himself that this sounded quite fair, not to mention cheap. And so the payment went, over an exponential growth, day for day, reaching towards 8*8 = 64 days of payment, each day doubling up from the former day. As you might already imagine, this number becomes absolutely massive even before it reaches 64 squares, or 64 days of payment. The peasant tricked the king, because it is normal for the human brain to think in linear patterns, and hard to think in other patterns, such as exponential growth, without insight and tools to do so.

Basically, quantum computers' calculation power is absolutely insane compared to traditional computers. Following an exponential growth, it won't be long before it catches up to traditional computers. Therefore, quantum computers will likely disrupt the entire world, never mind Qubes or companies, individuals; if no one is prepared, everyone will in all likelihood get disrupted, just like the king in the story was.

We are not talking about some breakthrough here, it's just a matter of simple doubling of growth every year. It could go faster, it could even go slower. But we're already seeing the emergence of a pattern in growth in quantum computers. The time to raise the flags of concern, imho, is now, more than ever. Discussions are important, especially and even more so, outside quantum and encryption forums, in order to create awareness and discussions on a broader scale, being prepared, not getting disrupted.

At this time, the cost of decrypting anything not immune to quantum computing is going to become relatively cheap. If the emerging pattern of growth is going to continue anything like it has already historically shown, then this is a call for red flags. It's not speculation, it's not conspiracy or tinfoil hat, this is real risk analysis. One cannot hide from full circle logic based in empirical data; it can't be called speculation, it's science. To be fair, we have a limited amount of data to show predictability in quantum computing growth, but other empirical data can be used to show that it's likely going to speed up, not maintain growth or slow down. It's likely to accelerate, especially due to its exponential nature. And all this, everything, is without considering yet unimagined technological breakthroughs that might further speed everything up. Knowing technology's track record, it's likely to happen as well.

So I don't think it's fair to say only people with a lot of money and resources can crack encryption; we're talking about the near future here, where it's on the path to become much cheaper. Furthermore, this is not even including all the encrypted e-mails, encrypted chat messages, Tor network connection metadata, and so forth; everything is easily stored on massive cloud servers, never to be deleted due to the economics-of-growth nature of cloud servers. Basically, everything can be stored, and I'm not just talking about suspects here, I'm talking about everyone. Everything can be stored and saved. Now, if quantum computers eventually become cheap to operate, and everything points in that direction, then who will stop anyone storing all this data from decrypting everything they saved? Throw in an A.I. to analyse it all, and you've got massive surveillance and a history record of people who thought they'd be safe for at least some years to come yet, but weren't.

Imagine the magnitude of impact in countries with dictator leadership, or if someone like Hitler or Stalin rose again, who were sick enough to hunt certain people with certain beliefs, killing millions of people. Imagine power like this in such people's hands? Horrible people are everywhere, while also many good and nice people are everywhere. But it takes a single misstep to create another scenario like this; WWI and WWII are hardly ancient history, and we hardly fixed the cause of war, it can still happen, even today. So, people like that, even with encryption, they can see everything about you from your past. This may not concern everyone, but it certainly does impact a lot of people; it's a nightmare remaining to explode in the future.

Centralized technology is dangerous, it's increasingly moving power towards single organizations or single individuals. It's not very clear today, but it's a dangerous trend if it keeps up, especially after a few decades of technological development. Decentralized technology is key, to avoid few or single individuals to grasp power.

Now, if we speak about quantum-proof encryption, don't you think it's a good idea to start now, rather than wait? To be proactive rather than reactive? After all, if they can't decrypt it now, as it stands now, nothing keeps them from doing it in a few years' time when quantum computers become cheap. If anything, we need quantum-proof encryption long, long before quantum computing decryption becomes a reality, especially for the type of data that is easy to obtain and store on servers, like the internet connections.

If you do not worry for yourself, at the very least worry for the journalists, freedom and freedom of speech fighters, democracy advocates in places people are getting suppressed or worse, heavily suppressed.

Awareness also raises money, investment, creative thoughts, into finding new ways to stop the cracking of encryption. It's not enough for the encryption experts to think about it; we need investment and money to go into the field, as well as people seeking careers and similar in this field of study, not to mention companies rising to help tackle the issue, or demonstration towards our politicians who are almost always slow to adapt to new technological threats.

There are many reasons to discuss this outside encryption forums, there are many reasons to increase awareness, and to start discussions. Not to mention, also to warn people whose lives depend on encryption not to be overly trusting in today's encryption keeping them safe, if their encrypted data can easily be saved for later, to be cracked in the future. All this matters, and it should be discussed on all levels of society, not only inside the quantum labs and forums.

Yuraeitha

Nov 11, 2017, 5:53:47 AM
to qubes-users
On Friday, November 10, 2017 at 10:29:48 PM UTC, Sandy Harris wrote:

My bad, I made an important typo in the text above with the word possible/impossible, first two lines in second paragraph.

"SO, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are possible to solve with numbers?"

Should be,

"So, by structure, I mean, what if the labyrinth is full of closed doors, where you need to solve puzzles that are impossible to solve with numbers to get past it?"

Chris Laprise

Nov 11, 2017, 7:44:54 AM
to Tai...@gmx.com, Yuraeitha, qubes-users
On 11/10/2017 05:51 PM, Tai...@gmx.com wrote:
> In this case you should ask the luks/dmcrypt mailinglist as that is
> what qubes uses for disk crypto.
>

Would be simpler off the bat to limit discussion to asymmetric crypto,
as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
most other disk encryption uses symmetric crypto.

I believe qvm-backup crypto is also symmetric (although IIRC it may have
specific security issues that need to be addressed).

Finally, there is anti-evil-maid; I think it uses symmetric but not certain.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Yuraeitha

Nov 11, 2017, 8:31:33 AM
to qubes-users

That's an interesting twist, and seems like a very good point.

Though does that mean asymmetric is more vulnerable due to its nature of having a two-key system (private/public) rather than a single private key? Lower entropy with two keys perhaps?
Or is it because asymmetry is typically used more when sending over the internet, compared to symmetry, which is more often used offline?

So then, asymmetric internet protocols going in and out of Qubes, or encrypted packages or whole encrypted files sent over the internet, are the bigger concern? Or the more immediate of the two, I assume. The question left to me, out of curiosity, is just "why is the asymmetric security a bigger concern?" Is either of the two guesses the right reason?


Also, about another aspect, is there by any chance any kind of encryption between the isolated qubes in Qubes? If so, then internet-based attacks cannot attack dom0 no matter what happens in the area of encryption cracking, but they may be able to attack whatever is using encryption in the VM itself? But offline physical encryption cracking attacks, albeit seemingly requiring stronger cracking capability, can reach dom0?

Specifically, if I understood this correctly, there is no immediate concern right now to protect with encryption in an offline physical machine, unless a copy is made of the data and stolen, or the entire drive is stolen, to be cracked in the future. So if a drive, or copy thereof, is stolen, it may be a future risk, but otherwise not a current risk.

Eventually all this seems to boil down to theft of data, or surveillance, which is left to be cracked in the future, instead of now. But internet encrypted data is significantly easier to steal.

This could be solved with the quantum network China made a big move towards recently though? One of the articles here about Quantum networks that goes into the pros and cons, as well as the feasibility and possible directions with the technology can take in the future. It seems this short brief article covers a bit of everything regarding this complex area https://www.wired.com/story/quantum-internet-is-13-years-away-wait-whats-quantum-internet/

Assuming quantum internet ever becomes a full scale replacement of our internet, perhaps this is the game changer we need to fix asymmetric encryption? After all, it wouldn't be a matter of hacking mathematics; it'd be raised to the level of hacking physics and circumventing the laws of the universe. Anyone trying to read the signal would apparently scramble it and make it unreadable.

But in contrast, this cannot be used for symmetric encryption of, e.g., local files and drives? And it requires a proper medium, like fiber optic cables or similar, to carry the quantum signals, which would mean a lot of our modern infrastructure is not usable for quantum networking.

It seems promising though, especially if it would arrive sooner rather than later to Linux/Qubes.

For example, the implications of combining quantum networking with the Tor network? It'd be potentially unhackable network/internet private connections?
Tor's weakness, one of the bigger ones, is traffic sniffing at the end nodes. A quantum based internet could fix that issue on Tor, making it impossible to know both what is sent, as well as whom it was from or to.

Would there be any loose ends though? For example the joint between Qubes OS itself and a future quantum based Tor network? The weakness could be the joints and exploiting these with malware/surveillance?
If the unit expected to receive the quantum signal is itself infected, then it could still surveil any data/connections going through it?

Vít Šesták

Nov 11, 2017, 12:16:40 PM
to qubes-users
QC is a potential threat for both symmetric and asymmetric cryptography, just the symmetric cryptography is threatened quite a bit more. And even asymmetric cryptography is important for QubesOS security because of update signatures.

Symmetric cryptography is threatened by Grover's algorithm. The algorithm can perform brute-force search in N elements in O(sqrt(N)) time. In other words, it reduces O(2^n) time to O(2^(n/2)) time. What's great: there is some proof that this algorithm is optimal (probably under the assumption that P≠NP). So, just using double-length keys should be sufficient. This could justify AES256 instead of AES128. Doubling the key length could be an issue for passwords, but if you use a memory-intensive key derivation function, it might be infeasible to run it on quantum computers for some time.

Asymmetric crypto usually (always?) relies on problems that are believed to be easier than NP. Some of them (integer factorization and the discrete logarithm problem) can be solved in polynomial time on QC (they belong to the BQP class), which would be a real threat for cryptography like RSA and ECC. There are some “QC-proof” asymmetric schemes that are believed to be secure against QC. But those aren't widely used yet. It could be useful to use them together with some old schemes like RSA or ECC.

Regards,
Vít Šesták 'v6ak'

Chris Laprise

Nov 11, 2017, 6:22:37 PM
to Yuraeitha, qubes-users
On 11/11/2017 08:31 AM, Yuraeitha wrote:
> On Saturday, November 11, 2017 at 12:44:54 PM UTC, Chris Laprise wrote:
>> On 11/10/2017 05:51 PM, Tai...@gmx.com wrote:
>>> In this case you should ask the luks/dmcrypt mailinglist as that is
>>> what qubes uses for disk crypto.
>>>
>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>> most other disk encryption uses symmetric crypto.
>>
>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>> specific security issues that need to be addressed).
>>
>> Finally, there is anti-evil-maid; I think it uses symmetric but not certain.
>>
>> --
>>
>> Chris Laprise, tas...@posteo.net
>> https://github.com/tasket
>> https://twitter.com/ttaskett
>> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
> That's an interesting twist, and seems like a very good point.
>
> Though does that mean asymmetric is more vulnerable due to its nature of having a two-key system (private/public) rather than a single private key? Lower entropy with two keys perhaps?
> Or is it because asymmetry is typically used more when sending over the internet, compared to symmetry, which is more often used offline?
>
> So then, asymmetric internet protocols going in and out of Qubes, or encrypted packages or whole encrypted files sent over the internet, are the bigger concern? Or the more immediate of the two, I assume. The question left to me, out of curiosity, is just "why is the asymmetric security a bigger concern?" Is either of the two guesses the right reason?

There are some articles/talks that explain the difference, but it's not
due to entropy. It's because the public key provides too much info about
the private key to a qc search algorithm. This was already the case with
regular computer searches, at least with RSA, which uses much larger keys
than a symmetric cipher like AES to compensate for the issue.

A figure I heard was that qc can cut search time for a symmetric key
merely in half, whereas it can cut time for an asymmetric key by orders of
magnitude.

> Also, about another aspect, is there by any chance any kind of encryption between the isolated qubes in Qubes? If so, then internet-based attacks cannot attack dom0 no matter what happens in the area of encryption cracking, but they may be able to attack whatever is using encryption in the VM itself? But offline physical encryption cracking attacks, albeit seemingly requiring stronger cracking capability, can reach dom0?

> Specifically, if I understood this correctly, there is no immediate concern right now to protect with encryption in an offline physical machine, unless a copy is made of the data and stolen, or the entire drive is stolen, to be cracked in the future. So if a drive, or copy thereof, is stolen, it may be a future risk, but otherwise not a current risk.
>
> Eventually all this seems to boil down to theft of data, or surveillance, which is left to be cracked in the future, instead of now. But internet encrypted data is significantly easier to steal.

Most Internet encryption is based on asymmetric ciphers. That's the main
issue and Qubes is not special in any sense on this topic.

As for quantum networks, they are slightly more obtainable than, say,
moon rockets.
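Vít's description of Grover's algorithm (search over N keys in about sqrt(N) steps, hence "double the key length") and the "cut in half" figure quoted just above are easy to see in a simulation. The following is an added example, not code from the thread or from Qubes: it runs Grover's algorithm on a classically simulated state vector of 2^n amplitudes (so n must stay small) and measures how many iterations are needed before the marked item is found with near certainty. The marked index stands in for "the key that decrypts a known plaintext"; the oracle here merely recognises that index. What the simulation shows is that the exponent is halved (an n-bit key gives about n/2 bits of security), which is the reasoning behind preferring AES-256 over AES-128.

```python
"""Grover's search on a simulated state vector (added example, not from
the thread). Pure Python, no dependencies; n_bits <= ~14 keeps it fast."""
import math


def grover_iterations(n_bits):
    """Optimal iteration count for N = 2^n items: floor(pi/4 * sqrt(N))."""
    return int(math.pi / 4 * math.sqrt(2 ** n_bits))


def grover_success_probability(n_bits, target, iterations=None):
    """Simulate Grover's algorithm and return the probability of measuring
    `target` after `iterations` rounds (default: the optimal count).
    Too few or too many rounds both lower the probability; the amplitude
    rotates and overshoots, so the iteration count matters."""
    n = 2 ** n_bits
    if iterations is None:
        iterations = grover_iterations(n_bits)
    amp = [1 / math.sqrt(n)] * n            # uniform superposition (Hadamards)
    for _ in range(iterations):
        amp[target] = -amp[target]          # oracle: phase flip on the marked item
        mean = sum(amp) / n                 # diffusion operator:
        amp = [2 * mean - a for a in amp]   # inversion about the mean
    return amp[target] ** 2


def classical_expected_trials(n_bits):
    """Classical brute force tests N/2 keys on average."""
    return 2 ** n_bits / 2


def effective_security_bits(key_bits):
    """Grover halves the exponent: an n-bit symmetric key gives ~n/2 bits
    of security against a quantum brute-force search, which is why a
    256-bit key is recommended to keep 128-bit security."""
    return key_bits / 2


if __name__ == "__main__":
    target = 200                            # constructed "correct key" index
    for n_bits in (8, 10, 12):
        k = grover_iterations(n_bits)
        p = grover_success_probability(n_bits, target, k)
        print(f"n={n_bits:2d}  N={2**n_bits:5d}  classical~{classical_expected_trials(n_bits):7.0f} trials  "
              f"grover={k:3d} iterations  P(success)={p:.4f}")
    print("AES-128 under Grover ->", effective_security_bits(128), "bits")
    print("AES-256 under Grover ->", effective_security_bits(256), "bits")
```

Note that the quadratic speed-up is the whole story for symmetric ciphers and hash preimages; there is no known quantum algorithm that does better for an unstructured search, which is the sense in which Vít calls Grover optimal. That is a much milder situation than the exponential gain Shor gives against RSA and ECC.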

Yuraeitha

Nov 12, 2017, 4:43:26 AM
to qubes-users
@ Chris Laprise
So you don't have a moon rocket in your backyard? Really? Everyone has that by now.

Joke aside xD I do actually think quantum networks are much closer than we might think when first hearing about it; it's probably the quantum part that makes it seem so distant and futuristic. It's not as complex as quantum computing, and much less work has gone into it, yet prototypes are already up and working around the world as we speak. It's basically a simple transfer of data through light and not something of the scale of a whole quantum computer.

Given the fiber internet network might be able to carry these signals, it's not far-fetched to imagine we'll start to have portions of quantum internet in less than 10 years. It's a cheap technology too. While sure such research costs a lot to do, the technology itself should be relatively cheap, and a lot of the quantum computing research costs come from universities who give away their research for free mostly nowadays (Open Science movement, kinda like the Open Source movement).
So given we already partly have an infrastructure that can carry it, and given we currently have working prototypes, and given the technology itself appears relatively cheap, I don't think we actually have to wait long. But who knows; if anything is uncertain, it'd be the attempt to predict the future. It's just that the odds seem pretty favourable that we'll see it soon.
The Tor network doesn't even need to do much to transfer to this type of network, since this is technology running below the Tor layer protocols, I believe? I guess the biggest issue would be to ensure that there is fiber all the way between A and B on the internet? Maybe Tor would have to tackle that issue.

Also, the Chinese went ahead with this big time; if the rest of the world does not catch up, then the Chinese will have a much safer internet compared to the rest of the world. Given all the cyber attacks and industrial espionage, and war prevention, that cyber threats are the reason for, I do not think it'll just come around slowly. It'll likely turn into a race, because no one wants to be the weak kid among the superpowers in the world. Albeit the USA and Russian governments are a bit slow in the uptake atm, they will likely realize this soon enough.

Thanks for clearing up the asymmetric general security issue, it's been bothering me for a while. So the weakness is the key similarity, interesting.



@ Vít Šesták
urg... that's a scary point, if the updates become insecure and unreliable without proper signatures... hmm, in Qubes, does the signature confirmation happen in dom0 or in sys-net? It seems like an interesting duality, though I may be wrong regarding that. For example, similar to how Qubes split GPG for e-mail works, or split Bitcoin VMs, the keys are kept in another offline VM. Is the same applied to Qubes dom0 and now the new Qubes 4 template updates? So the weak chain is not in Qubes, but Qubes may still be affected by man-in-the-middle attacks over the internet or if the update server is attacked?
But in another contrast, infected packages getting into dom0 to get signature verified would pose a risk? So one has to choose between the two security risks?

Doubling up the key length seems like an interesting prospect, but has the potential risk of failing in the future by quantum computing, if I understood you correctly. So as long as no one steals our symmetrically encrypted data or drives, and saves it for a decade or more before trying to crack it with more powerful computing, we should be safe, I assume. So increase the key as far as possible, and try to avoid theft of symmetrically encrypted data. Seems like a game plan?

I've wondered for a good while whether splitting up a symmetrically encrypted file into multiple parts, say for example a minimum of two parts, and sending one over the internet while carrying the other on yourself in person, means that if only one part is stolen (for example someone steals your laptop with sensitive competitive business trade secrets), then it's still uncrackable? However, it's mostly been a fun thought experiment; I never managed to confirm it, but I imagine businesses or even government agencies would want to use such approaches if they're applicable? If they aren't already.

Wait, hold on, your last line, regarding that "some" asymmetric encryption is believed to be secure against future quantum computing? Is it possible to elaborate on that? Also, if this turns out to indeed be quantum crack proof, would it be feasible to use these for what we currently use symmetric encryption for?

Yuraeitha

Nov 12, 2017, 5:09:11 AM
to qubes-users
I just ran into this article; it seems like Intel's response to yesterday's press release of IBM's quantum computer. Competition is certainly alive. Well, oligopoly dominance, but at least it's not monopoly dominance.

https://futurism.com/17-qubit-chips-begins-quantum-revolution/?src=featured

It also seems like the first one to reach quantum computers that can do reasonably more than a super server, or even desktops, appears very lucrative. There is probably a race going on here, which seems evident too by Intel's quick response to IBM only a day after.

I gotta say though, looking at the article, that YouTube video released by Intel developers seems interesting. The chip pretty much looks like a standard classic CPU unit, with some differences.

Presumably, the only problem with throwing such a baby into a phone/laptop/desktop would be the cooling issue. But on servers it should be less of an issue, except for the cooling cost.

Now a 17 qubit small sized commercial product from Intel, and a 50 qubit experimental early test quantum computer from IBM. If we imagine it doubles every year, say 40 in commercial next year, and 100 or maybe even more in experiments, then it won't be long till we see some pretty scalable quantum computing.

Also, correct me if I'm wrong, but aren't there two exponential effects here, one on top of the other? Which may be overlooked by us too. I mean, imagine the scalability of doubling the qubits every day; it's not linear, it's exponential. But the qubits themselves are exponential too.

So if these chips are double the size next year, and double again the year after, we'd start to see some pretty decent quantum computing already?

So what it all boils down to is to find ways to better predict how many qubits these chips will grow by every year (similar to how Moore's law tries to predict classic computing growth), and also to predict how many qubits are needed to surpass a standard classic computing chip on various factors, for example how many qubits to surpass similar computing by power usage, or by solving issues, and so on.

And it may become more than just doubling every year, especially if there is a race going on between competitors to establish market share dominance, which may prompt companies to throw in bigger development expenses if they believe they can win over the other, and thereby take risk by speeding up development. After all, winning, or just getting a sizeable market share, would be quite lucrative, a risk these companies very well may go and take; it already starts to look like they have, but it's too early to say for sure.

So, how many quantum Qubits will these chips have in one year time?
Also if these become cheaper, both to buy and to operate (cooling costs), with pricing similar to that of CPUs, then there is also the worry that normal everyday hackers can get their hands on these quantum chips, never mind businesses or governments easily making super quantum computers, substantially stronger than today's supercomputers.

This may not happen today or tomorrow, but it really does seem scarily close now.

Perhaps a more realistic prediction would be to figure out how many Qubits we need to surpass the current CPUs, and how much more until they can crack various standard encryption schemes? At the very least then we can compare the new Qubit release statements by Intel/IBM/etc. and know how far they've gotten.

Leo Gaspard

unread,
Nov 12, 2017, 8:01:50 AM11/12/17
to qubes...@googlegroups.com
On 11/12/2017 10:43 AM, Yuraeitha wrote:
>> As for quantum networks, they are slightly more obtainable than, say,
>> moon rockets.
>
> [...]
> Given the fiber internet network might be able to carry these signals, it's not farfetched to imagine we'll start to have portions of Quantum internet in less than 10 years. It's a cheap technology too. While sure such research costs a lot to do, the technology itself should be relatively cheap, and a lot of the quantum computing research costs come from universities who give away their research for free mostly nowadays (Open Science movement, kinda like the Open Source movement).
> [...]

The issue with all current quantum-physics-based encryption that I know
of is that it requires a direct fiber link between the source and the
destination. Also, the segment length is currently about ~4-5km if I
remember correctly, though it may just as well have changed since a few
years ago.

But this direct fiber link means quantum-physics-based encryption will
never be end-to-end between you and the website you are visiting. And if
this quantum-physics-based encryption is terminated by e.g. your ISP (the
only one you have a physical fiber link to), then your ISP could use the
exact same techniques as before to spy on you.

Basically, quantum-physics-based encryption is nice in that it is
demonstrably secure (modulo Bell's inequalities, last time I checked on
this is getting quite old, so I'm not sure about every detail). But its
constraints of use are really huge, so it is not likely to ever get in
your house unless you're at the head of a billion-dollar-level entity,
be it a state or a company.

> I've wondered for a good while if splitting up a symmetric encrypted file into multiple parts, say for example minimum two parts, and sending one over the internet, and carrying the other on yourself in person, that if only one part is stolen (for example someone steals your laptop with sensitive competitive business trade secrets), then it's still uncrackable? However it's mostly been a fun thought experiment, I never managed to confirm it, but I imagine businesses or even government agencies would want to use such approaches if it's applicable? If it isn't already.
Such a scheme is the Vernam cipher. It is the only other provably secure
cryptographic system that I know of (all the others are based on “we
think this problem is hard, so let's prove the cryptosystem is at least
as hard as this problem”).

Basically to encrypt an N-bit-long message, you generate an N-bit key
(with perfect randomness, which is a point where the issue usually
lies), you xor it with your message, and to decrypt the message you just
xor the encrypted message with the key again. You could then just send
the key and the encrypted message through the two means.

Funnily enough, Vernam ciphers are actually the basis for
quantum-physics-based encryption. The quantum channel is only used to
generate the random N-bit key in a way so that it is shared by the two
protagonists and no eavesdropper could get a reasonable amount of bits
without being detected (in which case the transmission can be cancelled
without ever using the key).

Cheers & hope that helps,
Leo
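The two-part scheme Leo describes, as an added example that is not part of the original thread: a Vernam (one-time pad) encrypt/decrypt pair, plus a check that either part alone is consistent with every possible message of that length, and a check of what goes wrong when a key is used twice. The function names and sample messages are constructed for this illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_keygen(length: int) -> bytes:
    """Fresh key from the OS CSPRNG; the scheme is only as secure as this randomness."""
    return secrets.token_bytes(length)


def otp_encrypt(message: bytes, key: bytes) -> bytes:
    """Vernam cipher: ciphertext = message XOR key, key exactly as long as the message."""
    return xor_bytes(message, key)


def otp_decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return xor_bytes(ciphertext, key)


def key_explaining(ciphertext: bytes, candidate_plaintext: bytes) -> bytes:
    """Perfect secrecy made concrete: for ANY candidate plaintext of the right length
    there is a key turning this ciphertext into it. Whoever holds only one of the two
    parts (key or ciphertext) therefore learns nothing about which message is real."""
    return xor_bytes(ciphertext, candidate_plaintext)


def key_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """Why the key must be used once: two ciphertexts under the same key XOR to
    message1 XOR message2, i.e. the key cancels out and the messages' relation leaks."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    # Constructed sample: the "trade secret" travels as two parts, key and ciphertext.
    message = b"trade secret v2"
    key = otp_keygen(len(message))               # part 2: carried in person
    ciphertext = otp_encrypt(message, key)       # part 1: sent over the internet
    assert otp_decrypt(ciphertext, key) == message
    # A thief holding only the ciphertext can "decrypt" it to any decoy of the same length.
    decoy = b"meeting at noon"
    assert otp_decrypt(ciphertext, key_explaining(ciphertext, decoy)) == decoy
    print("both parts needed; one part alone is consistent with every message")
```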

Sandy Harris

unread,
Nov 12, 2017, 11:08:58 AM11/12/17
to qubes-users
On Sat, Nov 11, 2017 at 6:22 PM, Chris Laprise <tas...@posteo.net> wrote:

>>> Would be simpler off the bat to limit discussion to asymmetric crypto,
>>> as that is the type thought to be vulnerable to qc. LUKS/dmcrypt and
>>> most other disk encryption uses symmetric crypto.
>>>
>>> I believe qvm-backup crypto is also symmetric (although IIRC it may have
>>> specific security issues that need to be addressed).

>> or is it because asymmetry is typically used more when send over the
>> internet compared to symmetry which is more often used offline?

No.

> There are some articles/talks that explain the difference, but its not due
> to entropy. Its because the public key provides too much info about the
> private key to a qc search algorithm. This was already the case with regular
> computer searches, at least with RSA which uses much larger keys than a
> symmetric cipher like AES to compensate for the issue.
>
> A figure I heard was that qc can cut search time for symmetric key merely in
> half, whereas its can cut time for asymmetric key by orders of magnitude.

It is more complex than that, but that is a usable first approximation
for many cases.

> Most Internet encryption is based on asymmetric ciphers. That's the main
> issue and Qubes is not special in any sense on this topic.

Symmetric encryption is much faster & is used for nearly all
encryption of large chunks or streams of data -- messages in PGP,
connections in SSH or TLS or IPsec, disk or file contents in other
systems -- and in hash algorithms & variants using them like the HMAC
construction. These can provide one level of authentication; if
decryption succeeds then the recipient knows the sender had the
right key & if HMAC succeeds he knows the message received is
(overwhelmingly likely to be) identical to what was sent or the file
read identical to what was stored.

Asymmetric encryption gives a different type of authentication,
proving the other player had a particular private key. This solves the
key management problem which is very difficult with symmetric crypto
alone. A major government can send a junior military officer to fly to
an embassy once a month to deliver keys, but without public key
(asymmetric) techniques anyone else has a real problem ensuring that
the right people have the keys & enemies do not.

It also gives digital signatures which are used in authenticating the
players for SSH, SSL, IPsec connections. With symmetric techniques
alone, you can know that only the receiver can read your messages, but
you need the public key stuff to know who you are talking to.
Signatures are also used to be sure the file you download was produced
by Qubes people, not by say a malicious government or some gang of
botnet builders.

One explanation of the roles of the two algorithm types:
http://en.citizendium.org/wiki/Hybrid_cryptosystem

eliott.te...@gmail.com

unread,
Nov 13, 2017, 4:13:36 AM11/13/17
to qubes-users
Speaking of quantum networks, it is doable, for instance you can check araknet.eliott.tech

Vít Šesták

unread,
Nov 13, 2017, 2:29:40 PM11/13/17
to qubes-users
Hello,

I'll react to multiple questions and statements from multiple people.

> A figure I heard was that qc can cut search time for symmetric key merely in half, whereas it can cut time for asymmetric key by orders of magnitude.

No. For symmetric key, it does not halve the time. It works like halving key length. It is an asymptotic improvement. With a classical computer adding one bit doubles time for brute-force. With QC, adding *two* bits doubles time for probabilistic brute-force. See Grover's algorithm as I mentioned above.

For asymmetric cryptography, “orders of magnitude” can be true, but it does not express that it is an asymptotic improvement – you can resolve some problems in *polynomial* time. But there are some ciphers that are believed to be quantum-resistant, meaning that there is no such known attack.

> in Qubes, the signature confirmation happens in dom0 or in the sys-net?

Dom0 updates are verified in dom0, template updates are verified in templates. But that's not important if your adversary can factorize the release signing key.

> Doubling up the key length seems like an interesting prospect, but has the potential risk to fail in the future by quantum computing

Why? Doubling key size is an asymptotic countermeasure. Moreover, for bruteforce (but not necessarily for other types of attack), Grover's algorithm has been proven to be optimal, i.e., you can't go asymptotically better. Unless a QC can perform many many many more operations in the same time and at the same cost, it should suffice. Unless there is some extra breakthrough. Remember, virtually no cryptographic scheme has been proven to be secure (except some like SSSS and Vernam cipher – but those have limited applicability), so, someone might theoretically break AES tomorrow. We just rely on the fact that many people have failed with this, so this is unlikely. But this is a theoretical issue even without QC.

> I've wondered for a good while if splitting up a symmetric encrypted file into multiple parts, say for example minimum two parts, and sending one over the internet, and carrying the other on yourself in person, that if only one part is stolen (for example someone steals your laptop with sensitive competitive business trade secrets), then it's still uncrackable?

Usually no, unless you use a scheme specially designed for that. You might be interested in secret sharing, which is an even more powerful concept.

> Wait, hold on, your last line, regarding that "some" asymmetric encryption is believed to be secure against future quantum computing? Is it possible to elaborate on that?

For example, see https://en.m.wikipedia.org/wiki/NTRU .

> Also if this turns out to indeed be quantum crack proof, would it be feasible to use these for what we currently use symmetric encryption for?

You could, but I see no reason for that. QC makes bruteforce considerably easier, but it is still considerably hard. With a proper key size, symmetric crypto will be still faster and have probably smaller keys for comparable security level.

For asymmetric ciphers, bruteforce is usually not much considered, because there are usually better attacks. But Grover's algorithm should be applicable even for asymmetric ciphers. It however does not make much sense (at least not without modifications), because they have much larger keys.

> Also, correct me if I'm wrong, but aren't there here two exponential effects, one ontop of the other? Which may be overlooked by us too. I mean, imagine the scale-ability of doubling the Qubits every day, it's not linier, it's exponential. But the Qubits themselves are exponential too.

AFAIU, this is a common misconception. Well, you need exponentially growing space for emulating a QC on a classic computer. But you don't get an exponentially faster computer. You get a computer with more memory. Such a computer can process larger tasks, e.g., factorize larger numbers. But once you have enough memory, adding more qubits makes AFAIU no improvement.

Regards,
Vít Šesták 'v6ak'
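The secret sharing that Vít points to as the "scheme specially designed for that" (the SSSS he also names), as an added example that is not part of the original thread: a minimal Shamir split and recovery over a prime field, used to split a 256-bit symmetric key so that any two of three parts recover it while one stolen part reveals nothing. The prime, function names and sample key are my own choices for the illustration.

```python
import secrets

# Field prime for the arithmetic: the Mersenne prime 2**521 - 1 is large enough that a
# 256-bit symmetric key (the usual thing to share) is a valid secret.
PRIME = 2**521 - 1


def split_secret(secret: int, threshold: int, shares: int) -> list:
    """Shamir: hide the secret as f(0) of a random polynomial of degree threshold-1
    and hand out the points (x, f(x)) for x = 1..shares. Any `threshold` points fix
    the polynomial; fewer than `threshold` points leave f(0) uniformly undetermined."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points: list) -> int:
    """Lagrange interpolation at x = 0 over the field; correct only when the number
    of points is at least the threshold used in split_secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den**(PRIME-2) equals den**-1 because PRIME is prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    # Constructed sample: a 256-bit key split 2-of-3 (laptop, office safe, trusted colleague).
    key = int.from_bytes(secrets.token_bytes(32), "big")
    parts = split_secret(key, threshold=2, shares=3)
    assert recover_secret(parts[:2]) == key            # any two parts recover it
    assert recover_secret([parts[0], parts[2]]) == key
    assert recover_secret(parts[:1]) != key            # one stolen part gives nothing
    print("2-of-3 sharing works")
```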